Post-quantum Security of Tweakable Even-Mansour, and Applications

Abstract

The tweakable Even-Mansour construction yields a tweakable block cipher from a public random permutation. We prove post-quantum security of tweakable Even-Mansour when attackers have quantum access to the random permutation but only classical access to the secretly-keyed construction, the relevant setting for most real-world applications. We then use our results to prove post-quantum security—in the same model—of the symmetric-key schemes Chaskey (an ISO-standardized MAC), Elephant (an AEAD finalist of NIST’s lightweight cryptography standardization effort), and a variant of Minalpher (an AEAD second-round candidate of the CAESAR competition).

J. Katz—Work done in part while at the University of Maryland.

A Proof of New Resampling Lemma

We now restate and prove Lemma 3.

Lemma 7

Let \(F\subset \mathcal {P}(n)\). Consider the following experiment involving a quantum distinguisher \(\mathcal {D}\):

• Phase 1: Choose uniform \(P \in \mathcal {P}(n)\), and give \(\mathcal {D}\) quantum access to P. \(\mathcal {D}\) outputs \((D,\tau )\), where D is a distribution on \(\{0,1\}^n\) and \(\tau \in F\).

• Phase 2: Sample \(\hat{s}\leftarrow D\), set \(s_0=\tau \circ P(\hat{s})\), and choose \(s_1 \leftarrow \{0,1\}^n\). Let \(P^{(0)}=P\) and define \(P^{(1)} = P \circ \textsf{swap}_{s_0,\,s_1} \).

Let \(\varepsilon =2 \cdot \mathbb E_{(D,\tau )\leftarrow \mathcal D^P}\left[ \max _{x \in \{0,1\}^n} \Pr _{x' \leftarrow D}[x'=x]\right] \). For any \(\mathcal {D}\) making at most q queries to P in phase 1,

$$\begin{aligned} &\left| \Pr [\mathcal {D} \text{ outputs } \text{1 } \mid b=1] - \Pr [\mathcal {D} \text{ outputs } \text{1 } \mid b=0]\right| \\ &\le \sqrt{\varepsilon }\cdot \left( 1+\sqrt{q+\log \left( \frac{11\,F|}{\sqrt{\varepsilon }}\right) }\right) . \end{aligned}$$

Proof

Note that \(s_1=s_0\) then \(P^{(0)}=P^{(1)}\). Thus, the distinguishing advantage of \(\mathcal {D}\) is upper bounded by its distinguishing advantage conditioned on \(s_1\ne s_0\), and this is what we analyze in the rest of the proof.

Given \(s_1 \ne s_0\), let \(H \subset \{0,1\}^n\) be a set of size \(2^{n-1}\) containing \(s_0\) but not \(s_1\), and let M be a bijection between H and \(\{0,1\}^n\setminus H\) that maps \(s_0\) to \(s_1\). Define

$$\begin{aligned} \langle x\rangle ={\left\{ \begin{array}{ll} \{x, M(x)\}&{}\text { if }x\in H\\ \{x, M^{-1}(x)\}&{}\text { if }x\notin H \end{array}\right. } . \end{aligned}$$

We use the plain superposition oracle for permutations as defined, e.g., by Alagic et al. [1] to simulate the permutation P. The resampling experiment with a superposition in place of P acts on quantum registers X (query input), Y (query output), E (adversary memory), and F (the oracle simulation’s internal register). The oracle register F is partitioned into \(2^n\) registers \(F_x\), indexed by permutation inputs x. The initial state is

$$\begin{aligned} |\eta \rangle _F = \left( 2^n !\right) ^{-1/2}\sum _{\pi \in \mathcal {P}(n)}|\pi \rangle _F , \end{aligned}$$

where \(|\pi \rangle _F = \bigotimes _x |\pi (x)\rangle _{F_x}\).

We begin by defining a basis \(B_{M}\) of \(\mathbb {C}\mathcal {P}(n)=\textrm{span}\{|\pi \rangle : \pi \in \mathcal {P}(n)\}\). Define the relation \(R_M\subset \mathcal {P}(n)\times \mathcal {P}(n)\) such that

$$\begin{aligned} (\pi ,\sigma )\in R_M \Leftrightarrow \{\pi (x), \pi (M(x))\}=\left\{ \sigma (x), \sigma (M(x))\right\} \text { for all }x\in H , \end{aligned}$$

with the corresponding equivalence classes

$$\begin{aligned}{}[\pi ]_M =\{\sigma \in \mathcal {P}(n) : (\pi ,\sigma )\in R_M\} . \end{aligned}$$

We denote the set of all equivalence classes by \(\mathcal {P}(n)/R_M\). For any \(x, x' \in \{0,1\}^n\) and \(c \in \{0,1\}\), define the quantum state

$$\begin{aligned} |\varPsi ^c_{x,x'}\rangle =\frac{1}{\sqrt{2}}\left( |x\rangle |x'\rangle +(-1)^c|x'\rangle |x\rangle \right) . \end{aligned}$$

Define \(\varGamma _M = \mathcal {P}(n)/R_M\times \{0,1\}^H\). Although \(\varGamma _M\) and the equivalence classes \([\pi ]_M\) depend on M, we will sometimes suppress this in the notation.

For each pair \(([\pi ], y) \in \varGamma \) we define a vector \(|([\pi ], y)\rangle _F\) as follows. Let \(\pi \) be such that \(\pi (x)>\pi (M(x))\) for all \(x\in H\), where “<” denotes lexicographic order; we call this \(\pi \) the canonical representative of \([\pi ]\). Define

$$\begin{aligned} |([\pi ], y)\rangle _F {:}{=}\bigotimes _{x\in H}\Big |{\varPsi ^{y_x}_{\pi (x),\pi (M(x))}}\Big \rangle _{F_xF_{M(x)}} . \end{aligned}$$

Observe that if \([\pi ]=[\sigma ]\) and \(y=y'\) then \(\left\langle ([\pi ], y) \mid ([\sigma ], y') \right\rangle =1\), and otherwise \(\left\langle ([\pi ], y) \mid ([\sigma ], y') \right\rangle =0\). The set

$$\begin{aligned} B_{M}=\left\{ |([\pi ], y)\rangle : ([\pi ], y) \in \varGamma \right\} \end{aligned}$$

is thus an orthonormal set. To see that it forms a basis of \(\mathbb {C}\mathcal {P}(n)\), observe that \(|B_M|=|\mathcal {P}(n)|\). It follows that any state \(|\varphi \rangle _{XYEF}\) can be decomposed as

$$\begin{aligned} |\varphi \rangle _{XYEF}=\sum _{([\pi ], y)\in \varGamma }|\varphi ([\pi ], y)\rangle _{XYE}\otimes |([\pi ], y)\rangle _F , \end{aligned}$$

where \(|\varphi ([\pi ], y)\rangle \) are subnormalized such that

$$\begin{aligned} \sum _{([\pi ], y)\in \varGamma }\Vert |\varphi ([\pi ], y)\rangle \Vert ^2=1 . \end{aligned}$$

Define \(\varGamma _j =\{ ([\pi ], y) \in \varGamma : |y| \le j\}\), where |y| denotes Hamming weight.

Claim

Let \(|\phi _q\rangle _{XYEF}\) be the global state after the (unitary part of the) distinguisher has made q queries in phase 1 to a superposition oracle initialized in any state \(|\tilde{\tau }\rangle \) such that \(\left\langle ([\pi ],y) \mid \tilde{\tau } \right\rangle =0\) for all \(y\ne 0\). Then for all y with \(|y|>q\), we have \(|\,\phi _q([\pi ]_M, y)\,\rangle =0\).

Proof

We prove the claim by induction on q. The base case \(q=0\) holds by assumption. For the inductive step, say the claim holds for \(q-1\), and recall that

$$\begin{aligned} |\phi _q\rangle _{XYEF}=U_{XYE}O_{XYF}|\phi _{q-1}\rangle _{XYEF} . \end{aligned}$$

By the induction hypothesis we can decompose

$$\begin{aligned} |\phi _{q-1}\rangle _{XYEF}=\sum _{([\pi ], y)\in \varGamma _{q-1}}|\psi _{q-1}([\pi ], y)\rangle _{XYE}\otimes |([\pi ], y)\rangle _F . \end{aligned}$$

Using this decomposition and a linearity argument, it suffices to show that for \(|y|\le q-1\), the state \(O_{XYF}|x\rangle _X|y\rangle _Y|([\pi ], y)\rangle _F\) is supported on basis vectors \(|([\pi '], y')\rangle _F\) with \(|y'| \le q\). This follows from the fact that

$$\begin{aligned} O_{XYF}|x\rangle _X = |x\rangle _X\otimes O^{(x)}_{YF_x} . \end{aligned}$$

for some operator \(O^{(x)}\). This establishes the claim.    \(\square \)

Next, define the projector

$$\begin{aligned} \varPi ^{\le q}_F {:}{=}\sum _{([\pi ], y)\in \varGamma _q}|([\pi ], y)\rangle \langle ([\pi ], y)|_F \end{aligned}$$

and let \(\varPi ^{\pm }=\frac{1}{2}(\mathbbm {1}\pm \textsf{Swap})\) be the projectors onto the symmetric and antisymmetric subspaces of \(\mathbb {C}^{2^n}\otimes \mathbb {C}^{2^n}\).

We will rely on the following claim:

Claim

For any \(m\in \mathbb {N}\) we have

$$\begin{aligned} \mathop {\textrm{Pr}}\limits _{\sigma \leftarrow \mathcal {P}(n)}\left[ \exists \tau \in F, S\subset \{0,1\}^n\; \forall x\in S : |S|=m\wedge \tau \circ \sigma (x)\in \langle x\rangle \right] \le 11\cdot 2^{-m}\cdot |F| , \end{aligned}$$

Proof

For fixed \(\tau \in F\) and \(S\subset \{0,1\}^n\) of size m, the number of permutations P for which \(P(x) \in \langle x \rangle \) for all \(x \in S\) is at most \(2^m \cdot (2^n-m)!\). Thus,

$$\begin{aligned} \mathop {\textrm{Pr}}\limits _{\sigma \leftarrow \mathcal {P}(n)}\left[ \forall x\in S:\tau \circ \sigma (x)\in \langle x\rangle \right] \le 2^m\frac{(2^n-m)!}{2^n!} . \end{aligned}$$

A union bound over all \(\tau \) and S yields

$$\begin{aligned} \mathop {\textrm{Pr}}\limits _{\sigma \leftarrow \mathcal {P}(n)}\left[ \exists \tau \in F, S\subset \{0,1\}^n \text { with } |S|=m\; \forall x\in S:\tau \circ \sigma (x)\in \langle x\rangle \right] \le \frac{|F|2^m}{m!} . \end{aligned}$$

Using \(11 m!\ge 4^m\) proves the claim.    \(\square \)

We now return to the proof of Lemma 3. Let \(\Sigma ^{\le m}_F\) be the projector onto the subspace of \(\mathbb {C}\mathcal {P}(n)\) spanned by the permutations \(\pi \) such that

$$\begin{aligned} \left| \left\{ x\in \{0,1\}^n \mid \forall \tau \in F: \tau \circ \pi (x)\in \langle x\rangle \right\} \right| \le m . \end{aligned}$$

The claim implies

$$\begin{aligned} \left\| |\eta \rangle -\frac{1}{\sqrt{\Vert \Sigma ^{\le m}_F|\eta \rangle \Vert }}\Sigma ^{\le m}_F|\eta \rangle \right\| \le 2\cdot \sqrt{11\cdot 2^{-m}|F|} . \end{aligned}$$

Note that \(\varPi ^{\le 0}\Sigma ^{\le m}|\eta \rangle =\Sigma ^{\le m}|\eta \rangle \). We analyze the resampling experiment where the random permutation is replaced by a superposition oracle initialized with \(\frac{1}{\sqrt{\Vert \Sigma ^{\le m}_F|\eta \rangle \Vert }}\Sigma ^{\le m}_F|\eta \rangle _F\).

Let \(|\psi \rangle _{XYEF}\) denote the global state after phase 1, conditioned on a particular pair \((D,\tau )\) output by the distinguisher. As in [7], we can relax the task of the distinguisher as follows: instead of merely providing access to an oracle interface acting on \(|\psi \rangle _{XYEF}\) for \(b=0\) and \(\textsf{Swap}_{F_{s_0}F_{s_1}}|\psi \rangle _{XYEF}\) for \(b=1\), we give the distinguisher arbitrary access to all registers; the distinguisher’s task is then to distinguish those quantum states.

For \(x\in \{0,1\}^n\), define the projector \(Q^{\langle x\rangle }=\sum _{y\in \langle x\rangle }|y\rangle \langle y|\). In the following, z is a variable that corresponds to the result of measuring \(F_{\hat{s}}\), i.e., \(\tau (z)=s_0\). Setting

$$\begin{aligned} \varPi _{\psi ,\hat{s},z} = \frac{1}{\left\| |z\rangle \langle z|_{F_{\hat{s}}}|\psi \rangle _{XYEF}\right\| ^2}|z\rangle \langle z|_{F_{\hat{s}}}|\psi \rangle \langle \psi |_{XYEF}|z\rangle \langle z|_{F_{\hat{s}}} , \end{aligned}$$

it follows that

$$\begin{aligned} & 2\Pr [b=b'\mid (D,H,M),s_0]-1\\ &\le \frac{1}{2} \left\| \varPi _{\psi ,\hat{s},z} - \textsf{Swap}_{F_{\langle \tau (z)\rangle }}\varPi _{\psi ,\hat{s},z}\textsf{Swap}_{F_{\langle \tau (z)\rangle }}\right\| _1\\ &=\frac{1}{2}\left\| \varPi _{\psi ,\hat{s},z}\left( \mathbbm {1}-\textsf{Swap}\right) _{F_{\langle \tau (z)\rangle }}+\left( \mathbbm {1}-\textsf{Swap}\right) _{F_{\langle \tau (z)\rangle }}\varPi _{\psi ,\hat{s},z}\textsf{Swap}_{F_{\langle \tau (z)\rangle }}\right\| _1\\ &\le \left\| \varPi _{\psi ,\hat{s},z}\varPi ^-_{F_{\langle \tau (z)\rangle }}\right\| _1+\left\| \varPi ^-_{F_{\langle \tau (z)\rangle }}\varPi _{\psi ,\hat{s},z}\textsf{Swap}_{F_{\langle \tau (z)\rangle }}\right\| _1\\ &=\frac{2}{\left\| |z\rangle \langle z|_{F_{\hat{s}}}|\psi \rangle _{XYEF}\right\| }\left\| \varPi ^-_{F_{\langle \tau (z)\rangle }}|z\rangle \langle z|_{F_{\hat{s}}}|\psi \rangle _{XYEF}\right\| _2 . \end{aligned}$$

(The second inequality is the triangle inequality.) Taking the expectation over \(\hat{s}\leftarrow D\) and z, we get

$$\begin{aligned} &2\Pr [b=b'\mid (D,H,M)]-1 \nonumber \\ &\le 2\mathbb E_{\hat{s},z}\frac{1}{\left\| |z\rangle \langle z|_{F_{\hat{s}}}|\psi \rangle _{XYEF}\right\| }\left\| \varPi ^-_{F_{\langle \tau (z)\rangle }}|z\rangle \langle z|_{F_{\hat{s}}}|\psi \rangle _{XYEF}\right\| _2 \nonumber \\ &\le 2\sqrt{\mathbb E_{\hat{s},z}\frac{1}{\left\| |z\rangle \langle z|_{F_{\hat{s}}}|\psi \rangle _{XYEF}\right\| }\left\| \varPi ^-_{F_{\langle \tau (z)\rangle }}|z\rangle \langle z|_{F_{\hat{s}}}|\psi \rangle _{XYEF}\right\| ^2} \nonumber \\ &=2\sqrt{\sum _{\hat{s}, z}D(\hat{s})\left\| \varPi ^-_{F_{\langle \tau (z)\rangle }}|z\rangle \langle z|_{F_{\hat{s}}}|\psi \rangle _{XYEF}\right\| ^2} , \end{aligned}$$

(6)

where the first inequality is Jensen’s inequality.

It remains to prove the following claim:

Claim

For any pair \((D,\tau )\) and any normalized state \(|\varphi \rangle _{XYEF}\) such that

$$\begin{aligned} \varPi ^{\le q}_F|\varphi \rangle _{XYEF}=|\varphi \rangle _{XYEF} \;\; \text{ and } \;\; \Sigma ^{\le m}_F|\varphi \rangle _{XYEF}=|\varphi \rangle _{XYEF} , \end{aligned}$$

we have

$$\begin{aligned} \sum _{\hat{s}, z}D(\hat{s})\left\| \varPi ^-_{F_{\langle \tau (z)\rangle }}|z\rangle \langle z|_{F_{\hat{s}}}|\psi \rangle _{XYEF}\right\| ^2 \le (m+ q) \varepsilon _D . \end{aligned}$$

Proof

Observe that

$$\begin{aligned} \varPi ^-\Big |{\varPsi ^{0}_{\pi (x),\pi (M(x))}}\Big \rangle =0 \;\; \text {and} \;\; \varPi ^-\Big |{\varPsi ^{1}_{\pi (x),\pi (M(x))}}\Big \rangle =\Big |{\varPsi ^{1}_{\pi (x),\pi (M(x))}}\Big \rangle \end{aligned}$$

for all x and all canonical representatives \(\pi \). It follows that

$$\begin{aligned} \varPi ^-_{F_{s_0}F_{s_1}}|\varphi \rangle _{XYEF}=\sum _{\begin{array}{c} ([\pi ], y)\in \varGamma _q:\\ y_{s_0}=1 \end{array}}|\varphi ([\pi ], y)\rangle _{XYE}\otimes |([\pi ], y)\rangle _F . \end{aligned}$$

We can now bound

$$\begin{aligned} & \sum _{\hat{s}, z}D(\hat{s})\left\| \varPi ^-_{F_{\langle \tau (z)\rangle }}|z\rangle \langle z|_{F_{\hat{s}}}|\psi \rangle _{XYEF}\right\| ^2\\ &\le \sum _{\hat{s}}\sum _{z: \hat{s}\in \langle \hat{\tau }(z)\rangle }D(\hat{s})\left\| |z\rangle \langle z|_{F_{\hat{s}}}|\psi \rangle _{XYEF}\right\| ^2\\ &+ \sum _{\hat{s}}\sum _{z: \hat{s}\notin \langle \hat{\tau }(z)\rangle }D(\hat{s})\left\| \left( \varPi ^-_{F_{\langle \tau (z)\rangle }}\otimes |z\rangle \langle z|_{F_{\hat{s}}}\right) |\psi \rangle _{XYEF}\right\| ^2 . \end{aligned}$$

We bound the two terms separately, beginning with the second. We decompose

$$\begin{aligned} |\psi \rangle _{XYEF}=\sum _{([\pi ],y)\in \varGamma _q}|\psi ([\pi ], y)\rangle _{XYE}\otimes |([\pi ], y)\rangle _F \end{aligned}$$

and denote the only element of \(\langle x\rangle \cap H\) by \(\tilde{x}\). We have

$$\begin{aligned} {} & {} {\sum _{\hat{s}}\sum _{z: \hat{s}\notin \langle \hat{\tau }(z)\rangle }D(\hat{s})\left\| \left( \varPi ^-_{F_{\langle \tau (z)\rangle }}\otimes |z\rangle \langle z|_{F_{\hat{s}}}\right) |\psi \rangle _{XYEF}\right\| ^2} \\ {} & {} \,\,\,=\sum _{\hat{s}}\sum _{z: \hat{s}\notin \langle \hat{\tau }(z)\rangle }D(\hat{s})\sum _{([\pi ],y)\in \varGamma _q}\left\| \left( \varPi ^-_{F_{\langle \tau (z)\rangle }}\otimes |z\rangle \langle z|_{F_{\hat{s}}}\right) |\psi ([\pi ], y)\rangle _{XYE}\otimes |([\pi ], y)\rangle _F\right\| ^2\\ {} & {} \,\,\,=\sum _{([\pi ],y)\in \varGamma _q}\sum _{\begin{array}{c} \hat{s}\notin \langle \tau \circ \pi (x)\rangle :\\ y_{\tilde{\pi (x)}}=1 \end{array}}D(\hat{s})\left\| |\psi ([\pi ], y)\rangle _{XYE}\right\| ^2\\ {} & {} \,\,\,\le \sum _{([\pi ],y)\in \varGamma _q}q\varepsilon _D\left\| |\psi ([\pi ], y)\rangle _{XYE}\right\| ^2 \; = \; q\cdot \varepsilon _D . \end{aligned}$$

For the first term, we have \(\Sigma ^{\le m}_F|\varphi \rangle _{XYEF}=|\varphi \rangle _{XYEF}\), i.e., for any permutation \(\pi \) in the support of this state there are at most m values x such that \(\tau \circ \pi (x)\in \langle x\rangle \). For the second term, we have \(\Sigma ^{\le m}_F|\varphi \rangle _{XYEF}=|\varphi \rangle _{XYEF}\), i.e., \(|\varphi \rangle \) is supported on basis states \(|[\pi ],y\rangle \) where \(\pi \) has at most m fixed points. Using essentially the same chain of inequalities as for the second term, we get

$$\begin{aligned} \sum _{\hat{s}}\sum _{z: \hat{s}\in \langle \hat{\tau }(z)\rangle }D(\hat{s})\left\| |z\rangle \langle z|_{F_{\hat{s}}}|\psi \rangle _{XYEF}\right\| ^2 \le m\varepsilon _D . \end{aligned}$$

This completes the proof.    \(\square \)

Combining the above claim with (6), taking the expectation over \((D,\tau )\), and applying Jensen’s inequality one more time results in the bound

$$\begin{aligned} \left| \Pr [\mathcal {D} \text{ outputs } \text{1 } \mid b=1] - \Pr [\mathcal {D} \text{ outputs } \text{1 } \mid b=0]\right| \le \sqrt{(q+m)\varepsilon } \end{aligned}$$

for the modified resampling experiment and thus

$$\begin{aligned} \left| \Pr [\mathcal {D} \text{ outputs } \text{1 } \mid b=1] - \Pr [\mathcal {D} \text{ outputs } \text{1 } \mid b=0]\right| \le \sqrt{(q+m)\varepsilon }+11\cdot 2^{-m}|F| . \end{aligned}$$

Setting \(m=\log \left( \frac{11 |F|}{\sqrt{\varepsilon }}\right) \) we get

$$\begin{aligned} {} & {} {\left| \Pr [\mathcal {D} \text{ outputs } \text{1 } \mid b=1] - \Pr [\mathcal {D} \text{ outputs } \text{1 } \mid b=0]\right| } \\ {} & {} \qquad \qquad \qquad \qquad \qquad \quad \,\,\, \le \sqrt{\varepsilon }\left( 1+\sqrt{q+\log \left( 11\frac{|F|}{\sqrt{\varepsilon }}\right) }\right) , \end{aligned}$$

matching the lemma.    \(\square \)