
On the Post-quantum Security of Classical Authenticated Encryption Schemes

  • Conference paper
Progress in Cryptology - AFRICACRYPT 2023 (AFRICACRYPT 2023)

Abstract

We study the post-quantum security of authenticated encryption (AE) schemes, designed with classical security in mind. Under superposition attacks, many CBC-MAC variants have been broken, and AE modes employing those variants, such as EAX and GCM, thus fail at authenticity. As we show, the same modes are IND-qCPA insecure, i.e., they fail to provide privacy under superposition attacks. However, a constrained version of GCM is IND-qCPA secure, and a nonce-based variant of the CBC-MAC is secure under superposition queries. Further, the combination of classical authenticity and classical chosen-plaintext privacy thwarts attacks with superposition chosen-ciphertext and classical chosen-plaintext queries – a security notion that we refer to as IND-qdCCA. And nonce-based key derivation allows generically turning an IND-qdCCA secure scheme into an IND-qCCA secure scheme.
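The abstract's last sentence describes a generic transformation: derive a fresh key from the long-term key and the nonce, and run the underlying AE scheme under that per-nonce key. The following is an added sketch of that structure, not the paper's construction, and no security claim is made for it. It uses HMAC-SHA256 as the key-derivation PRF and, as a stand-in underlying AE scheme, a simple encrypt-then-MAC construction (HMAC-based keystream, HMAC tag). All function names are assumptions of this sketch.

```python
import hmac
import hashlib
import os

TAG_LEN = 16  # bytes of HMAC-SHA256 output kept as the authentication tag


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher in CTR mode)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _subkeys(key: bytes):
    """Separate encryption and MAC keys so the two roles never share key material."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def ae_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Underlying nonce-based AE scheme (encrypt-then-MAC): returns ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(enc_key, nonce, len(msg))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def ae_decrypt(key: bytes, nonce: bytes, ct_tag: bytes):
    """Verify the tag first; only then decrypt. Returns None on any authentication failure."""
    if len(ct_tag) < TAG_LEN:
        return None
    ct, tag = ct_tag[:-TAG_LEN], ct_tag[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def derive_nonce_key(key: bytes, nonce: bytes) -> bytes:
    """Nonce-based key derivation: K_N = PRF(K, N). Each nonce yields an independent AE key."""
    return hmac.new(key, b"kd" + nonce, hashlib.sha256).digest()


def kd_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """The transformed scheme: run the underlying AE under the per-nonce key."""
    return ae_encrypt(derive_nonce_key(key, nonce), nonce, msg)


def kd_decrypt(key: bytes, nonce: bytes, ct_tag: bytes):
    return ae_decrypt(derive_nonce_key(key, nonce), nonce, ct_tag)


if __name__ == "__main__":
    k = os.urandom(32)
    c = kd_encrypt(k, b"nonce-000001", b"attack at dawn")
    print(kd_decrypt(k, b"nonce-000001", c))  # b'attack at dawn'
    print(kd_decrypt(k, b"nonce-000002", c))  # None: wrong nonce, hence wrong derived key
```

The point of the structure is that a ciphertext under nonce N is bound to the key K_N; a decryption query under any other nonce is answered under a key unrelated to K_N, which is what the generic argument in the paper exploits. The sender must still use each nonce once.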


Notes

  1. This seems to be good news for many practical instantiations of GCM, which often employ \(n=128\) and 96-bit nonces. But the attack from [KLLN16] still applies, i.e., even that variant is qPO insecure.

  2. \(\mathcal{A} \) is constrained to choose unique nonces for forward learning and challenge queries. This will be formalized in Definition 8 below.

  3. Prohibiting superposition nonces is the established approach in the related work, since the nonce, even though we model it as chosen by the adversary, is a counter, a timestamp, or a random value generated by the sender's communication machinery.

  4. Similarly, a Q2e ("Q2 encrypt") adversary can make superposition forward learning queries, but only classical backward learning queries. We do not need Q2e adversaries in our context, though.

  5. \(N_i \ne N_j\) is well-defined, even in the Q2 model with forward learning queries in superposition, since the nonces \(N_i\) and \(N_j\) are always classical.

  6. The design of a quantum interface for the superposition of messages of different lengths may not be obvious. For concreteness, assume a maximum message length \(\mu \), and a message of length \(m = |M| \le \mu \) is encoded as a \((\mu +\log _2(\mu ))\)-qubit string \(|{M}\rangle |{0^{\mu -m}}\rangle |{m}\rangle \) of message, padding and message length.

  7. We would like to point out that there is no need for \(N_i\) to be in superposition since the attack already works for classical nonces.

  8. Here, the query length is counted in bits.

  9. The chosen messages \(|{M_i}\rangle \) can be in superposition, but all messages \(|{M_i}\rangle \) in superposition are of the same length \(m_i\).
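Note 6 fixes the classical encoding behind the quantum message interface: a message M of length m is padded with zeros to the maximum length \(\mu\) and followed by a fixed-width field holding m. The following is an added example (not the paper's code) that implements that encoding and its inverse over classical bit strings, and checks the property the interface relies on, namely that the map is injective and that a decoder can reject a string whose padding is not all zeros. One assumption: the length field is given `mu.bit_length()` bits, which is the width needed to write every m in 0..\(\mu\); the note's \(\log_2(\mu)\) is read as that width.

```python
from itertools import product


def _len_bits(mu: int) -> int:
    # Width of the length field: enough bits to write any m with 0 <= m <= mu
    # (assumption of this example; the note writes this as log2(mu)).
    return mu.bit_length()


def encode_message(msg_bits: str, mu: int) -> str:
    """Encode M (a bit string, |M| = m <= mu) as  M || 0^(mu-m) || <m>  (note 6)."""
    m = len(msg_bits)
    if m > mu:
        raise ValueError(f"message length {m} exceeds maximum {mu}")
    if any(c not in "01" for c in msg_bits):
        raise ValueError("message must be a bit string")
    return msg_bits + "0" * (mu - m) + format(m, f"0{_len_bits(mu)}b")


def decode_message(encoded: str, mu: int) -> str:
    """Inverse of encode_message; rejects wrong width, out-of-range length, non-zero padding."""
    lb = _len_bits(mu)
    if len(encoded) != mu + lb or any(c not in "01" for c in encoded):
        raise ValueError("not a well-formed encoding")
    m = int(encoded[mu:], 2)
    if m > mu:
        raise ValueError(f"length field {m} exceeds maximum {mu}")
    if encoded[m:mu] != "0" * (mu - m):
        # The padding region must be all zeros; otherwise two different strings
        # would decode to the same message, breaking injectivity of the interface.
        raise ValueError("non-canonical padding")
    return encoded[:m]


def is_valid_encoding(encoded: str, mu: int) -> bool:
    try:
        decode_message(encoded, mu)
        return True
    except ValueError:
        return False


def all_encodings_distinct(mu: int) -> bool:
    """Exhaustively check injectivity over every message of length 0..mu (small mu only)."""
    seen = set()
    for m in range(mu + 1):
        for bits in product("01", repeat=m):
            enc = encode_message("".join(bits), mu)
            if enc in seen or decode_message(enc, mu) != "".join(bits):
                return False
            seen.add(enc)
    return True


if __name__ == "__main__":
    mu = 8
    print(encode_message("101", mu))              # 101000000011  (M, 5 zero pad bits, m=3)
    print(decode_message("101000000011", mu))     # 101
    print(is_valid_encoding("101100000011", mu))  # False: padding bit set
    print(all_encodings_distinct(4))              # True
```

The register width \(\mu + \log_2(\mu)\) in the note is exactly `mu + _len_bits(mu)` here, so a superposition over messages of different lengths is a superposition over strings of this one fixed width, which is what makes the oracle interface well-defined.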

References

  1. Alagic, G., Gagliardoni, T., Majenz, C.: Can you sign a quantum state? CoRR, abs/1811.11858 (2018)

  2. Alagic, G., Gagliardoni, T., Majenz, C.: Unforgeable quantum encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 489–519. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_16

  3. Ambainis, A., Hamburg, M., Unruh, D.: Quantum security proofs using semi-classical oracles. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 269–295. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_10

  4. Alagic, G., Majenz, C., Russell, A., Song, F.: Quantum-access-secure message authentication via blind-unforgeability. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 788–817. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_27

  5. Anand, M.V., Targhi, E.E., Tabia, G.N., Unruh, D.: Post-quantum security of the CBC, CFB, OFB, CTR, and XTS modes of operation. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 44–63. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_4

  6. Bhaumik, R., et al.: QCB: efficient quantum-secure authenticated encryption. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 668–698. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_23

  7. Bonnetain, X., Leurent, G., Naya-Plasencia, M., Schrottenloher, A.: Quantum linearization attacks. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 422–452. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_15

  8. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41

  9. Bonnetain, X., Schrottenloher, A., Sibleyras, F.: Beyond quadratic speedups in quantum attacks on symmetric schemes. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13277, pp. 315–344. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_12

  10. Boneh, D., Zhandry, M.: Quantum-secure message authentication codes. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 592–608. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_35

  11. Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_21

  12. Carstens, T.V., Ebrahimi, E., Tabia, G.N., Unruh, D.: On quantum indistinguishability under chosen plaintext attack. IACR Cryptology ePrint Archive, p. 596 (2020)

  13. Chen, L., et al.: Breaking the quadratic barrier: quantum cryptanalysis of milenage, telecommunications' cryptographic backbone (2016)

  14. Hosoyamada, A., Iwata, T.: On tight quantum security of HMAC and NMAC in the quantum random oracle model. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 585–615. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_21

  15. Iwata, T., Minematsu, K.: Stronger security variants of GCM-SIV. IACR Trans. Symmetric Cryptol. 2016(1), 134–157 (2016)

  16. Jonsson, J.: On the security of CTR + CBC-MAC. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 76–93. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36492-7_7

  17. Janson, C., Struck, P.: Sponge-based authenticated encryption: security against quantum attackers. IACR Cryptology ePrint Archive, p. 139 (2022)

  18. Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_8

  19. Lang, N., Lucks, S.: On the post-quantum security of classical authenticated encryption schemes. Cryptology ePrint Archive, Paper 2023/218 (2023). https://eprint.iacr.org/2023/218

  20. Maram, V., Masny, D., Patranabis, S., Raghuraman, S.: On the quantum security of OCB. IACR Cryptology ePrint Archive, p. 699 (2022)

  21. Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_23

  22. Rogaway, P., Wagner, D.A.: A critique of CCM. IACR Cryptology ePrint Archive, p. 70 (2003)

  23. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, Santa Fe, New Mexico, USA, 20–22 November 1994, pp. 124–134. IEEE Computer Society (1994)

  24. Simon, D.: On the power of quantum computation. SIAM J. Comput. 26(5), 1474–1483 (1997)

  25. Song, F., Yun, A.: Quantum security of NMAC and related constructions. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 283–309. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_10

  26. Unruh, D.: Revocable quantum timed-release encryption. J. ACM 62(6), 49:1–49:76 (2015)

  27. Ulitzsch, V., Seifert, J.-P.: IACR ePrint 2022/733 (2022)

  28. Whiting, D., Housley, R., Ferguson, N.: Counter with CBC-MAC (CCM). RFC 3610, 1–26 (2003)

  29. Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9

Author information

Corresponding author: Nathalie Lang.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Lang, N., Lucks, S. (2023). On the Post-quantum Security of Classical Authenticated Encryption Schemes. In: El Mrabet, N., De Feo, L., Duquesne, S. (eds) Progress in Cryptology - AFRICACRYPT 2023. AFRICACRYPT 2023. Lecture Notes in Computer Science, vol 14064. Springer, Cham. https://doi.org/10.1007/978-3-031-37679-5_4


  • DOI: https://doi.org/10.1007/978-3-031-37679-5_4


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-37678-8

  • Online ISBN: 978-3-031-37679-5
