
Attacks on Beyond-Birthday-Bound MACs in the Quantum Setting

Conference paper

Post-Quantum Cryptography (PQCrypto 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12841)
Abstract

We systematically study the security of twelve Beyond-Birthday-Bound Message Authentication Codes (BBB MACs) in the Q2 model, where attackers have quantum-query access to the MACs. Assuming the block size of the underlying (tweakable) block cipher is n bits, the security proofs show that they are secure at least up to \(\mathcal{O}(2^{2n/3})\) queries in the classical setting, and the best classical attacks need \(\mathcal{O}(2^{3n/4})\) queries. We consider secret-state recovery against SUM-ECBC-like and PMAC_Plus-like MACs, and key recovery against PMAC_Plus-like MACs. Both attacks lead to successful forgeries. The first attack costs \(\mathcal{O}(2^{n/2}n)\) quantum queries by applying the Grover-meet-Simon algorithm. The second attack costs \(\mathcal{O}(2^{m/2})\) quantum queries by applying Grover's algorithm, assuming the key size of the (tweakable) block cipher is m bits. As far as we know, these are the first quantum attacks against BBB MACs. Remarkably, our attacks apply even to some optimally secure MACs, such as mPMAC+-f, mPMAC+-p1, and mPMAC+-p2.



Acknowledgment

The authors thank the anonymous reviewers for many helpful comments. The work of this paper was supported by the National Natural Science Foundation of China (No. 61732021) and the National Key Research and Development Project (No. 2018YFA0704704 and No.2018YFB0803801).

Corresponding author

Correspondence to Peng Wang.


Appendices

A Proof of \(\boldsymbol{\varepsilon (f)\le \frac{1}{2}}\) for SUM-ECBC

In this case, \(\mathcal {U}_s=\{(s_1,s_1\oplus s_2),(s_2,s_1\oplus s_2)\}\),

$$\begin{aligned} \begin{aligned} \varepsilon (f)=\max \limits _{(u,t)\in \{0,1\}^n\times \{0,1\}^n\backslash (\mathcal {U}_s\cup \{0,1\}^n\times \{0^n\})}\text {Pr}_{x}[f(u,x)=f(u,x\oplus t)]. \end{aligned} \end{aligned}$$

We consider \(u=s_1\) as an example; the other situation is similar. In this case \(f(u,x)=f(s_1,x)=E_4(E_3(x\oplus E_3(\alpha _0)))\oplus E_4(E_3(x\oplus s_1 \oplus E_3(\alpha _1)))\). We will prove \(\varepsilon (f(s_1,\cdot ))\le \frac{1}{2}\) with overwhelming probability. Otherwise, there is \(t\not \in \{0^{n},s_{1}\oplus s_{2}\}\) such that \(\text {Pr}_{x}[f(s_1,x)=f(s_1,x\oplus t)]> 1/2\), i.e.,

$$\begin{aligned} \begin{aligned} \text {Pr}_x \left[ \begin{array}{c}E_4(E_3(x\oplus E_3(\alpha _0)))\oplus E_4(E_3(x\oplus s_1\oplus E_3(\alpha _1)))\oplus \\ E_4(E_3(x\oplus t\oplus E_3(\alpha _0)))\oplus E_4(E_3(x\oplus t\oplus s_1\oplus E_3(\alpha _1)))=0^n \end{array} \right] >1/2. \end{aligned} \end{aligned}$$
(3)

When \(t\not \in \{0^{n},s_{1}\oplus s_{2}\}\) and \(s_{1}\ne s_{2}\), the four inputs of \(E_4(E_3(\cdot ))\) are pairwise distinct. If \(E_4\) is a random function and \(E_3\) is a permutation, Eq. (3) holds only with negligible probability.
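To see the bound of Appendix A concretely, here is an added toy experiment (not code from the paper) with n = 8. As the appendix assumes, E_3 is a random permutation and E_4 a random function; the script takes s_2 = E_3(α_0) ⊕ E_3(α_1) as the period of the E_3/E_4 branch and models s_1 as an independent constant (both are assumptions of this example), tabulates f(s_1, ·), confirms that t = s_1 ⊕ s_2 is a period, and measures the largest collision probability over every other nonzero t.

```python
import random

N_BITS = 8            # toy block size n; the appendix argues for general n
SIZE = 1 << N_BITS


def random_permutation(rng):
    """Random permutation of {0,1}^n: the model for the block cipher E_3."""
    table = list(range(SIZE))
    rng.shuffle(table)
    return table


def random_function(rng):
    """Random function on {0,1}^n: the model Appendix A assumes for E_4."""
    return [rng.randrange(SIZE) for _ in range(SIZE)]


def build_f(E3, E4, alpha0, alpha1, s1):
    """Tabulate f(s_1, x) = E4(E3(x ^ E3(a0))) ^ E4(E3(x ^ s1 ^ E3(a1))) for every x."""
    return [E4[E3[x ^ E3[alpha0]]] ^ E4[E3[x ^ s1 ^ E3[alpha1]]] for x in range(SIZE)]


def collision_prob(f_table, t):
    """Pr_x[f(x) = f(x ^ t)], computed exactly by enumerating all x."""
    return sum(f_table[x] == f_table[x ^ t] for x in range(SIZE)) / SIZE


def epsilon_experiment(seed=2021):
    """Return (Pr at the true period s1^s2, max Pr over all other nonzero t)."""
    rng = random.Random(seed)
    E3, E4 = random_permutation(rng), random_function(rng)
    alpha0 = rng.randrange(SIZE)
    alpha1 = rng.randrange(SIZE)
    while alpha1 == alpha0:               # distinct constants, so s2 != 0
        alpha1 = rng.randrange(SIZE)
    s2 = E3[alpha0] ^ E3[alpha1]          # assumption: period of the E_3/E_4 branch
    s1 = rng.randrange(SIZE)              # assumption: stand-in for the E_1/E_2 branch period
    while s1 == s2:                       # the proof requires s1 != s2
        s1 = rng.randrange(SIZE)
    f_table = build_f(E3, E4, alpha0, alpha1, s1)
    period = s1 ^ s2
    at_period = collision_prob(f_table, period)
    # epsilon(f(s1, .)): the maximum over t outside {0^n, s1 ^ s2}
    eps = max(collision_prob(f_table, t) for t in range(1, SIZE) if t != period)
    return at_period, eps


if __name__ == "__main__":
    at_period, eps = epsilon_experiment()
    print(f"Pr at t = s1^s2: {at_period:.3f}   epsilon over other t: {eps:.4f}")
```

With a random function E_4 the four-term XOR in Eq. (3) vanishes for a given x only with probability about 2^{-n}, so the measured epsilon stays far below 1/2 while the true period gives probability exactly 1.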

B Proof of \(\boldsymbol{\varepsilon (f)\le \frac{1}{2}}\) for PMAC_Plus

In this case, \(\mathcal {U}_s=\{(u^*,1\Vert \alpha _0\oplus \alpha _1)\}\). Let \(\mathcal {U}_t:=\{0,1\}^n\times \{0,1\}\times \{0,1\}^n\backslash (\mathcal {U}_s\cup \{0,1\}^n\times \{0^{n+1}\})\), then

$$\begin{aligned} \begin{aligned} \varepsilon (f)=\max \limits _{(u,t_1,t_2)\in \mathcal {U}_t}\text {Pr}_{b,x}[f(u,b,x)=f(u,b\oplus t_1,x\oplus t_2)]. \end{aligned} \end{aligned}$$

We consider \(u=u^*\) as an example; the other case is similar. First, we divide the range \(t_1\Vert t_2\in \{0,1\}^{n+1}\backslash \{0^{n+1},1\Vert \alpha _0\oplus \alpha _1\}\) into two parts: \(t_1=0,t_2\ne 0^n\) and \(t_1=1,t_2\ne \alpha _0\oplus \alpha _1\). We take the former as an example. When \(u=u^*,t_1=0,t_2\ne 0^n\), the equation \(f(u,b,x)=f(u,b\oplus t_1,x\oplus t_2)\) is equivalent to

$$\begin{aligned} E_2(E_1(x\oplus \alpha _b))\oplus E_2(E_1(x\oplus t_2\oplus \alpha _b))\oplus E_3(E_1(x\oplus \alpha _b))\oplus E_3(E_1(x\oplus t_2\oplus \alpha _b))=0^n. \end{aligned}$$
(4)

When \(t_2\ne 0^n\) and \(E_1\) is a random permutation, the two inputs of \(E_2\) are distinct, and so are the two inputs of \(E_3\). Therefore, by the randomness of \(E_2\) and \(E_3\), Eq. (4) holds with probability at most 1/2, with overwhelming probability.

C Proof of \(\boldsymbol{\max _{u\in \{0,1\}^n\backslash \{u^*\}}\text {Pr}[test(u)=1]\le 2^{-2n}}\) for 3kf9

The deviation

$$\begin{aligned} \begin{aligned}&\max _{u\in \{0,1\}^n\backslash \{u^*\}}\text {Pr}[test(u)=1]\\ =&\max _{u\in \{0,1\}^n\backslash \{u^*\}}\text {Pr}[f(u,0,x_1)=f(u,1,x_1),\ldots ,f(u,0,x_q)=f(u,1,x_q)]. \end{aligned} \end{aligned}$$

Here, the equation system

$$f(u,0,x_i)=f(u,1,x_i),i=1,2,\ldots ,q,$$

equals

$$E_{2}(y^{1}_{i})\oplus E_{2}(y^{2}_{i})\oplus E_{3}(y^{3}_{i})\oplus E_{3}(y^{4}_{i})=0^n,i=1,2,\ldots ,q,$$

where \(y^{1}_{i}=E_{1}(x_i),\ y^{2}_{i}=E_{1}(x_i\oplus E_{1}(u)),\ y^{3}_{i}=E_{1}(x_i),\ y^{4}_{i}=E_1(x_i\oplus E_{1}(u))\oplus E_{1}(u)\). To bound the probability that these q equations hold simultaneously, we consider the sampling of \(E_2\). If \(y^1_i, y^2_i\), the inputs of \(E_2\) in the i-th equation, have all appeared in the other \(q-1\) equations, then no new sample of \(E_2\) is taken in the i-th equation. In fact, if \(x_i\oplus x_j=E_1(u)\) then \(y^1_i=y^2_j\) and \(y^2_i=y^1_j\). Therefore, we have to sample \(E_2\) in at least \(\lfloor \frac{q+1}{2}\rfloor \) of the q equations. For every such equation, by the randomness of \(E_2\), it holds with probability at most \(\frac{1}{2^n-2q}\). Therefore, for any \(u\in \{0,1\}^n\backslash \{u^*\}\), we have \(\text {Pr}[test(u)=1]\le (\frac{1}{2^n-2q})^{\frac{q-1}{2}}\). When \(q=7\), we have \(\text {Pr}[test(u)=1]\le 2^{-2n}\) for \(n\ge 4\).

Fig. 6. PMAC_Plus with three-block message \(M=(M[1], M[2], M[3])\).

D Deviation Estimation in Key Recovery Attacks

D.1 Deviation Estimation for PMAC_Plus

We have introduced PMAC_Plus in Sect. 3.2. Assume the three independent keys are \((k_{1},k_{2},k_{3})\in (\{0,1\}^m)^3\). The construction with three-block message \(M=(M[1], M[2], M[3])\) is shown in Fig. 6, where \(t^{j}_{k_{1}}=2^{j}E_{k_{1}}(0^n)\oplus 2^{2j}E_{k_{1}}(0^{n-1}\parallel 1), j=1,2,3\).

Estimation of \(\boldsymbol{\max _{k\in \{0,1\}^m\backslash \{k_1\}}\text {Pr}[test(k)=1]}\). The deviation equals

$$\max _{k\in \{0,1\}^m\backslash \{k_1\}}\text {Pr}[f(k,C^1_0)=f(k,C^1_1),\ldots ,f(k,C^q_0)=f(k,C^q_1)].$$

Here, the equation system

$$\begin{aligned} f(k,C^i_0)=f(k,C^i_1),i=1,2,\ldots ,q, \end{aligned}$$
(5)

equals \(E_{k_{2}}(\varSigma (Y^{i}_0))\oplus E_{k_{3}}(\varTheta (Y^{i}_0))=E_{k_{2}}(\varSigma (Y^{i}_1))\oplus E_{k_{3}}(\varTheta (Y^{i}_1)),i=1,2,\ldots ,q,\) where

$$\begin{aligned} \begin{aligned} \varSigma (Y^i_b)=&E_{k_{1}}(X^i_b[1])\oplus E_{k_{1}}(X^i_b[2])\oplus E_{k_{1}}(X^i_b[3]),b=0,1,\\ \varTheta (Y^i_b)=&2^{2}E_{k_{1}}(X^i_b[1])\oplus 2E_{k_{1}}(X^i_b[2])\oplus E_{k_{1}}(X^i_b[3]),b=0,1, \end{aligned} \end{aligned}$$

and

$$X^i_b[1]=E^{-1}_{k}(C^i_b[1])\oplus t^{1}_{k}\oplus t^{1}_{k_1},$$
$$X^i_b[2]=E^{-1}_{k}(C^i_b[2])\oplus t^{2}_{k}\oplus t^{2}_{k_1},$$
$$X^i_b[3]=E^{-1}_{k}(C^i_b[3])\oplus t^{3}_{k}\oplus t^{3}_{k_1}.$$

We assume all \(C^i_b[a],i=1,\ldots ,q,b=0,1,a=1,2,3\) are different. This can be realized easily. Then all \(X^i_b[j],i=1,\ldots ,q,b=0,1\) are different where \(j\in \{1,2,3\}\).

In the following, we only consider the equations among the q equations in (5) that involve a new sample of \(E_{k_1}\). If \(X^i_b[a],\ b=0,1,\ a=1,2,3\), the inputs of \(E_{k_1}\) in the i-th equation, have all appeared in the other \(q-1\) equations, then no new sample is taken in the i-th equation. In fact, there may be \(X^i_b[a_1]=X^{i'}_{b'}[a_2]=X^{i''}_{b''}[a_3]\), where \(a_1,a_2,a_3\) are three different values belonging to \(\{1,2,3\}\), \(b,b',b''\in \{0,1\}\) and \(i',i''\in \{1,\ldots ,q\}\). Taking \(X^i_0[1]\) as an example, there may be \(b',b''\in \{0,1\},i',i''\in \{1,\ldots ,q\}\) such that \(X^i_0[1]=X^{i'}_{b'}[2]=X^{i''}_{b''}[3]\). Therefore, it is easy to see that we have to sample \(E_{k_1}\) in at least \(\lfloor \frac{q+2}{3}\rfloor \) of the q equations. We now consider the probability of the i-th equation \(f(k,C^i_0)=f(k,C^i_1)\) when it involves a new sample of \(E_{k_1}\).

  1) If

    $$\begin{aligned} \varSigma (Y^{i}_0)=\varSigma (Y^{i}_1),\varTheta (Y^{i}_0)=\varTheta (Y^{i}_1), \end{aligned}$$
    (6)

    then the i-th equation holds. We want an upper bound on the probability of this case, so we only consider \(\varSigma (Y^{i}_0)=\varSigma (Y^{i}_1)\). It means

    $$E_{k_{1}}(X^{i}_0[1])\oplus E_{k_{1}}(X^{i}_0[2])\oplus E_{k_{1}}(X^{i}_0[3])=E_{k_{1}}(X^{i}_1[1])\oplus E_{k_{1}}(X^{i}_1[2])\oplus E_{k_{1}}(X^{i}_1[3]).$$

    By the randomness of \(E_{k_{1}}\), the probability that the above equation holds when \(E_{k_{1}}\) is sampled is at most \(\frac{1}{2^n-6q}\).

  2) When the equation set (6) does not hold but

    $$\begin{aligned} E_{k_{2}}(\varSigma (Y^{i}_0))\oplus E_{k_{3}}(\varTheta (Y^{i}_0))=E_{k_{2}}(\varSigma (Y^{i}_1))\oplus E_{k_{3}}(\varTheta (Y^{i}_1)), \end{aligned}$$
    (7)

    then the i-th equation holds as well. First, we exclude the case that \(\varSigma (Y^{i}_0)\), \(\varTheta (Y^{i}_0)\), \(\varSigma (Y^{i}_1)\), \(\varTheta (Y^{i}_1)\) in the i-th equation have all appeared in the other \(q-1\) equations; this happens with probability at most \((\frac{2q}{2^n-6q})^4\). Then we assume that in the i-th equation at least \(\varSigma (Y^{i}_0)\) has not appeared in the other \(q-1\) equations, which means \(E_{k_{2}}(\varSigma (Y^{i}_0))\) is a new sample. Thus the i-th equation holds with probability at most \(\frac{1}{2^n-2q}\). Overall, this case happens with probability at most \((\frac{2q}{2^n-6q})^4+\frac{1}{2^n-2q}\).

Summing cases 1) and 2), the i-th equation holds with probability at most \(\frac{1}{2^n-6q}+(\frac{2q}{2^n-6q})^4+\frac{1}{2^n-2q}\le \frac{q}{2^{n-3}}\), assuming \(6q\le 2^{n-1}\). Therefore, the q equations hold simultaneously with probability at most \((\frac{q}{2^{n-3}})^{\frac{q-1}{3}}\). For PMAC_Plus, the key length satisfies \(m\le 2n\). Then when \(q=16\), we have \(\text {Pr}[test(k)=1]\le 2^{-2m}\) for \(m\ge 42\) and any \(k\in \{0,1\}^m\backslash \{k_1\}\).

D.2 Deviation Estimation for 3kf9

We have introduced 3kf9 in Sect. 3.2. Assume the three keys are \((k_{1},k_{2},k_{3})\in (\{0,1\}^m)^3\). The construction with message \(M=( M[1], M[2], M[3])\) is shown in Fig. 7.

Fig. 7. 3kf9 with three-block message \(M=(M[1], M[2], M[3])\).

Estimation of \(\boldsymbol{\max _{k\in \{0,1\}^m\backslash \{k_1\}}\text {Pr}[test(k)=1]}\). The deviation equals

$$\max _{k\in \{0,1\}^m\backslash \{k_1\}}\text {Pr}[f(k,C^1_0)=f(k,C^1_1),\ldots ,f(k,C^q_0)=f(k,C^q_1)].$$

Here, the equation system

$$\begin{aligned} f(k,C^i_0)=f(k,C^i_1),i=1,2,\ldots ,q, \end{aligned}$$
(8)

equals

$$E_{k_{2}}(\varSigma (Y^{i}_0))\oplus E_{k_{3}}(\varTheta (Y^{i}_0))=E_{k_{2}}(\varSigma (Y^{i}_1))\oplus E_{k_{3}}(\varTheta (Y^{i}_1)),i=1,2,\ldots ,q,$$

where

$$\begin{aligned} \begin{aligned} \varSigma (Y^i_b)=&E_{k_{1}}(X^i_b[3]),b=0,1,\\ \varTheta (Y^i_b)=&E_{k_{1}}(X^i_b[1])\oplus E_{k_{1}}(X^i_b[2])\oplus E_{k_{1}}(X^i_b[3]),b=0,1, \end{aligned} \end{aligned}$$

and

$$\begin{aligned} \begin{aligned}&X^i_b[1]=E^{-1}_{k}(C^i_b[1]),\\&X^i_b[2]=E_{k_1}(X^i_b[1])\oplus C^i_b[1] \oplus E^{-1}_{k}(C^i_b[2]),\\&X^i_b[3]=E_{k_1}(X^i_b[2])\oplus C^i_b[2]\oplus E^{-1}_{k}(C^i_b[3]). \end{aligned} \end{aligned}$$

We assume all \(C^i_b[1],\ i=1,\ldots ,q,\ b=0,1\) are different, which can be realized easily. Then all \(X^i_b[1],\ i=1,\ldots ,q,\ b=0,1\) are pairwise distinct, which means a new sample of \(E_{k_{1}}(X^i_0[1])\) is needed in every equation in (8). As for PMAC_Plus in Appendix D.1, every equation \(f(k,C^i_0)=f(k,C^i_1)\) holds with probability at most \(\frac{q}{2^{n-3}}\). Therefore, the q equations hold simultaneously with probability at most \((\frac{q}{2^{n-3}})^{q}\). For 3kf9, the key length satisfies \(m\le 2n\). Then when \(q=5\), we have \(\text {Pr}[test(k)=1]\le 2^{-2m}\) for \(m\ge 24\) and any \(k\in \{0,1\}^m\backslash \{k_1\}\).

E Key Recovery Attack for SUM-ECBC

Let \(b\in \{0,1\},x\in \{0,1\}^n\). As in the introduction (Sect. 1, strategy 1), we construct \(C^{\text {MAC}_{k_1,k_2,k_3,k_4}}(b,x)=g_{k_1,k_2}(b,x)\oplus h_{k_3,k_4}(b,x)\) from SUM-ECBC through method C, where \(g_{k_1,k_2}(b,x)\) and \(h_{k_3,k_4}(b,x)\) have periods \(1\Vert s_1\) and \(1\Vert s_2\) respectively and \(k_1,k_2,k_3,k_4\) are the keys. Then we construct a function \(f:\{0,1\}^m\times \{0,1\}^m\times \{0,1\}\times \{0,1\}^n\rightarrow \{0,1\}^n\) as

$$\begin{aligned} \begin{aligned} f_{k_1,k_2,k_3,k_4}(k'_3,k'_4,b,x)\,=\,&C^{\text {MAC}_{k_1,k_2,k_3,k_4}}(b,x)\oplus h_{k'_3,k'_4}(b,x)\\ =\,&g_{k_1,k_2}(b,x)\oplus h_{k_3,k_4}(b,x)\oplus h_{k'_3,k'_4}(b,x). \end{aligned} \end{aligned}$$

When \((k'_3,k'_4)=(k_3,k_4)\), f equals \(g_{k_1,k_2}(b,x)\) and has period \(1\Vert s_1\). By applying the Grover-meet-Simon algorithm, we can recover \(k_3,k_4,s_1\), which leads to a forgery attack. After recovering \(k_3,k_4\), it is easy to recover \(k_1,k_2\) by Grover's search. Either the forgery attack or the full key recovery attack costs \(\mathcal {O}(2^{m}n)\) quantum queries with \(\mathcal {O}(m+n^2)\) qubits, by Theorem 3 and Theorem 1.

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Guo, T., Wang, P., Hu, L., Ye, D. (2021). Attacks on Beyond-Birthday-Bound MACs in the Quantum Setting. In: Cheon, J.H., Tillich, J.-P. (eds) Post-Quantum Cryptography. PQCrypto 2021. Lecture Notes in Computer Science, vol 12841. Springer, Cham. https://doi.org/10.1007/978-3-030-81293-5_22

  • DOI: https://doi.org/10.1007/978-3-030-81293-5_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-81292-8

  • Online ISBN: 978-3-030-81293-5