Abstract
HMAC and NMAC are the most basic and important constructions to convert Merkle-Damgård hash functions into message authentication codes (MACs) or pseudorandom functions (PRFs). In the quantum setting, at CRYPTO 2017, Song and Yun showed that HMAC and NMAC are quantum pseudorandom functions (qPRFs) under the standard assumption that the underlying compression function is a qPRF. Their proof guarantees security up to \(O(2^{n/5})\) or \(O(2^{n/8})\) quantum queries when the output length of HMAC and NMAC is n bits. However, there is a gap between the provable security bound and a simple distinguishing attack that uses \(O(2^{n/3})\) quantum queries. This paper settles the problem of closing the gap. We show that the tight bound of the number of quantum queries to distinguish HMAC or NMAC from a random function is \(\Theta (2^{n/3})\) in the quantum random oracle model, where compression functions are modeled as quantum random oracles. To give the tight quantum bound, based on an alternative formalization of Zhandry’s compressed oracle technique, we introduce a new proof technique focusing on the symmetry of quantum query records.
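The following Python toy is an added illustration by the editor, not code from the paper or its authors. It models the objects named in the abstract with a constructed compression function h (SHA-256 truncated to a deliberately tiny n) iterated in Merkle-Damgård fashion, builds NMAC (two n-bit keys in place of the IV) and HMAC on top of it, checks the classical fact that HMAC equals NMAC with the derived keys K1 = h(IV, K xor ipad), K2 = h(IV, K xor opad) [4], and runs the structural property behind every collision-based distinguisher: a collision of the inner chaining value survives any common suffix, whereas for a random function the extended tags agree only with probability 2^-n. The search implemented here is the classical birthday version; how the quantum attack mentioned in the abstract reaches 2^{n/3} queries is not described on this page, and the example does not claim to reproduce it. Parameter values, key material, padding rule and the "random function" oracle are all constructed for the example.

```python
"""Toy HMAC/NMAC over a Merkle-Damgard iteration of an idealised compression function."""
import hashlib

# Toy parameters, constructed for this example: n-bit chaining values, m-bit message
# blocks. n is tiny so that birthday collisions appear in well under a second.
N_BYTES = 3          # n = 24 bits
M_BYTES = 16         # m = 128 bits
IV = bytes(N_BYTES)  # fixed public IV of the hash function (used by HMAC, not by NMAC)


def h(cv: bytes, block: bytes) -> bytes:
    """Compression function h: {0,1}^n x {0,1}^m -> {0,1}^n.

    Stand-in for the compression function the paper models as a quantum random
    oracle; here SHA-256 truncated to n bits (constructed, not a real design).
    """
    assert len(cv) == N_BYTES and len(block) == M_BYTES
    return hashlib.sha256(cv + block).digest()[:N_BYTES]


def pad(msg: bytes) -> bytes:
    """10* padding to a positive multiple of m bytes, with no length field.

    Leaving out MD-strengthening keeps the HMAC-as-NMAC identity below exact;
    with a length field it holds only up to the length of the prepended key block.
    """
    padded = msg + b"\x80"
    return padded + b"\x00" * (-len(padded) % M_BYTES)


def md(iv: bytes, msg: bytes) -> bytes:
    """Variable-input-length Merkle-Damgard iteration H^h_iv(msg)."""
    cv = iv
    data = pad(msg)
    for i in range(0, len(data), M_BYTES):
        cv = h(cv, data[i:i + M_BYTES])
    return cv


def nmac(k1: bytes, k2: bytes, msg: bytes) -> bytes:
    """NMAC_{K1,K2}(M) = H_{K2}(H_{K1}(M)); two n-bit keys replace the IV (key length 2n)."""
    return md(k2, md(k1, msg))


IPAD = bytes([0x36]) * M_BYTES
OPAD = bytes([0x5C]) * M_BYTES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_h(key: bytes, msg: bytes) -> bytes:
    """HMAC_K(M) = H(K xor opad || H(K xor ipad || M)) for a block-length key K."""
    assert len(key) == M_BYTES
    inner = md(IV, xor(key, IPAD) + msg)
    return md(IV, xor(key, OPAD) + inner)


def hmac_keys_as_nmac(key: bytes) -> tuple:
    """Derived keys K1 = h(IV, K xor ipad), K2 = h(IV, K xor opad) with HMAC_K == NMAC_{K1,K2}."""
    return h(IV, xor(key, IPAD)), h(IV, xor(key, OPAD))


def collision_extends(oracle, num_queries: int) -> bool:
    """Classical inner-collision distinguisher (birthday version, about 2^{n/2} queries).

    Query the MAC oracle on distinct one-block messages; for each pair with equal
    tags, test whether a common suffix keeps the tags equal.  An inner chaining-value
    collision of HMAC/NMAC survives any suffix; an outer collision or a random
    function passes the check only with probability 2^-n, so the loop keeps going.
    """
    suffix = b"common suffix"
    seen = {}
    for i in range(num_queries):
        m = i.to_bytes(M_BYTES, "big")           # distinct one-block messages
        tag = oracle(m)
        if tag in seen and oracle(seen[tag] + suffix) == oracle(m + suffix):
            return True
        seen.setdefault(tag, m)
    return False


def random_function(x: bytes) -> bytes:
    """Constructed stand-in for an independent random function with n-bit output."""
    return hashlib.sha256(b"constructed secret, not a real key" + x).digest()[:N_BYTES]


def demo() -> dict:
    key = bytes(range(M_BYTES))                  # constructed HMAC key
    k1, k2 = hmac_keys_as_nmac(key)
    msgs = [b"", b"a", b"x" * M_BYTES, b"y" * (3 * M_BYTES + 5)]
    identity = all(hmac_h(key, m) == nmac(k1, k2, m) for m in msgs)
    q = 1 << 15   # about 2^{n/2+3} queries: ~32 expected inner collisions at n = 24
    return {
        "hmac_equals_nmac_with_derived_keys": identity,
        "hmac_distinguished": collision_extends(lambda m: hmac_h(key, m), q),
        "random_function_distinguished": collision_extends(random_function, q),
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script, `demo()` reports that the HMAC/NMAC identity holds on messages of several lengths, that the birthday search distinguishes the toy HMAC, and that it does not distinguish the random-function oracle. The query budget of 2^{n/2+3} makes a missed inner collision astronomically unlikely at n = 24, which is what lets the check be deterministic in practice; at the real n = 256 the same classical search would need about 2^128 queries, which is why the quantum bound discussed in the abstract matters.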
Notes
- 1.
Please do not confuse the notions of standard/quantum security with the standard model or the quantum random oracle model. The two notions are independent of the models, and it is possible that a scheme has quantum security in the standard model or standard security in the quantum random oracle model.
- 2.
n is the length of chaining values, and m is the length of message blocks.
- 3.
Note that no IV is involved in NMAC, and the key length is always \(n+n=2n\) bits.
- 4.
Actually, the previous work [32] did not give a concrete security bound, but one can reasonably deduce that security is guaranteed up to \(O(2^{n/8})\) quantum queries. The bound improves to \(O(2^{n/5})\) if a conjecture is assumed. See Section A of this paper’s full version [20] for details.
- 5.
- 6.
We consider \(F_2\) instead of \(\mathsf{RF}\) so that there exists a useful correspondence between “good” databases for \(F^h_1\) and those for \(F_2\), which we will elaborate later.
- 7.
We use the symbols u and \(\zeta \) to denote n-bit strings and v to denote an m-bit string.
- 8.
In Zhandry’s paper that introduced the compressed oracle technique, quantum indifferentiability of the fixed-input-length Merkle-Damgård construction is proved [34]. Note that the variable-input-length Merkle-Damgård construction used in HMAC and NMAC is not indifferentiable in the random oracle model even in the classical setting [13]. In addition, the indifferentiability bound in [34] is proved only up to \(O(2^{n/4})\) (not \(O(2^{n/3})\)) quantum queries. Thus we start from the proof technique used in [18, 19] instead of [34].
- 9.
The Asiacrypt version of the previous work [18] contains some technical errors, which are corrected in the revised version [19]. Our technical overview in this section and the formal proofs in later sections are based on the revised version. For completeness, we do not rely on any proposition in [18, 19] that is related to the technical errors in [18]. The propositions from [18, 19] that we use in this paper are those whose correctness can be confirmed by straightforward algebraic calculation (Proposition 2 and Proposition 3).
- 10.
This may seem somewhat strange, but some differences between quantum oracles and classical oracles are explained by using this strange property.
- 11.
This holds due to the following reasoning. For simplicity, assume that nothing has been directly queried to h before, and that \(D_f\) has \(i-1\) entries \((u_1,\alpha _1),\dots ,(u_{i-1},\alpha _{i-1})\) (other cases can be shown similarly). Then \(|\mathsf {Equiv}(D_f,D_h)|\) is equal to the number of choices of the values \(\alpha _1,\dots ,\alpha _{i-1}\) such that \(\alpha _j \ne \alpha _k\) for \(j \ne k\); counted as an unordered set of \(i-1\) distinct n-bit values this is \(\left( {\begin{array}{c}2^n\\ i-1\end{array}}\right) \). Among these, the number of \((D'_f,D'_h) \in {\mathsf {Equiv}}(D_f,D_h)\) such that \(\alpha _j = \tilde{\zeta }\) for some j is the number of such sets containing the fixed value \(\tilde{\zeta }\), namely \(\left( {\begin{array}{c}2^n-1\\ i-2\end{array}}\right) \). Thus the ratio is \(\left( {\begin{array}{c}2^n-1\\ i-2\end{array}}\right) / \left( {\begin{array}{c}2^n\\ i-1\end{array}}\right) = \frac{i-1}{2^n} = O(i/2^n)\). (Counting ordered tuples instead multiplies both the numerator and the denominator by \((i-1)!\) and yields the same ratio.)
- 12.
Here, the bit “0” concatenated with each f(i) is redundant, but it is necessary so that the notation for \(\mathsf{stO}\) is compatible with that for the recording standard oracle with errors introduced later.
- 13.
- 14.
To be precise, we have to use the symbol \((v,\zeta )\) instead of (u, v) when \(j=2i\) since we always use the symbol \(v||\zeta \) to denote an input to h. However, here we use (u, v) to simplify notations. In the proof we use the symbol \(a^{(2i)}_{v{\zeta }yzD_fD_gD_h}\) instead of \(a^{(2i)}_{uvyzD_fD_gD_h}\).
- 15.
- 16.
To be more precise, we sometimes include small “good” terms into the new bad vector so that the analysis will be easier.
- 17.
Actually, the proof for offline queries is even simpler, because the offline oracle is just the single random oracle h, while the online oracles consist of two random functions.
- 18.
These conditions are satisfied by usual concrete hash functions such as SHA-2. Recall that \((\{0,1\}^m)^+\) is the set of bit strings whose length is a positive multiple of m bits.
- 19.
\({\mathcal O}^h\) will be \(\mathsf {HMAC}^h_K\), \(\mathsf {NMAC}^h_{K_1,K_2}\), or a random function.
References
[1] Alagic, G., Majenz, C., Russell, A., Song, F.: Quantum-access-secure message authentication via blind-unforgeability. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, Part III, vol. 12107, pp. 788–817. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_27
[2] Alagic, G., Russell, A.: Quantum-secure symmetric-key cryptography based on hidden shifts. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, Part III, vol. 10212, pp. 65–93. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_3
[3] ANSI: Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques. ANSI X9.24-1-2017 (2017)
[4] Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_1
[5] Bellare, M., Kilian, J., Rogaway, P.: The security of cipher block chaining message authentication code. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 341–358. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_32
[6] Bindel, N., Hamburg, M., Hövelmanns, K., Hülsing, A., Persichetti, E.: Tighter proofs of CCA security in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, Part II, vol. 11892, pp. 61–90. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_3
[7] Black, J., Rogaway, P.: CBC MACs for arbitrary-length messages: the three-key constructions. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 197–215. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_12
[8] Black, J., Rogaway, P.: A block-cipher mode of operation for parallelizable message authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 384–397. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_25
[9] Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
[10] Boneh, D., Zhandry, M.: Quantum-secure message authentication codes. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 592–608. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_35
[11] Brassard, G., Høyer, P., Tapp, A.: Quantum cryptanalysis of hash and claw-free functions. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 163–169. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054319
[12] Chiesa, A., Manohar, P., Spooner, N.: Succinct arguments in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, Part II, vol. 11892, pp. 1–29. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_1
[13] Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: how to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_26
[14] Czajkowski, J., Hülsing, A., Schaffner, C.: Quantum indistinguishability of random sponges. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, Part II, vol. 11693, pp. 296–325. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_11
[15] Garg, S., Yuen, H., Zhandry, M.: New security notions and feasibility results for authentication of quantum data. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, Part II, vol. 10402, pp. 342–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_12
[16] Gaži, P., Pietrzak, K., Rybár, M.: The exact PRF security of NMAC and HMAC. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, Part I, vol. 8616, pp. 113–130. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_7
[17] Grover, L.K.: A fast quantum mechanical algorithm for database search. In: ACM STOC 1996, Proceedings, pp. 212–219 (1996)
[18] Hosoyamada, A., Iwata, T.: 4-round Luby-Rackoff construction is a qPRP. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, Part I, vol. 11921, pp. 145–174. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_6
[19] Hosoyamada, A., Iwata, T.: 4-round Luby-Rackoff construction is a qPRP: tight quantum security bound. IACR Cryptol. ePrint Arch. 2019/243, version 20200720:101411 (2020). (A revised version of [18].)
[20] Hosoyamada, A., Iwata, T.: On tight quantum security of HMAC and NMAC in the quantum random oracle model (2021). To appear in IACR Cryptology ePrint Archive
[21] Hosoyamada, A., Yasuda, K.: Building quantum-one-way functions from block ciphers: Davies-Meyer and Merkle-Damgård constructions. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 275–304. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_10
[22] Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: FSE 2003, Proceedings, pp. 129–153 (2003)
[23] Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, Part II, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_8
[24] Liu, Q., Zhandry, M.: On finding quantum multi-collisions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, Part III, vol. 11478, pp. 189–218. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_7
[25] Liu, Q., Zhandry, M.: Revisiting post-quantum Fiat-Shamir. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, Part II, vol. 11693, pp. 326–355. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_12
[26] NIST: Secure Hash Standard (SHS). NIST FIPS PUB 180-4 (2015)
[27] NIST: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. NIST FIPS PUB 202 (2015)
[28] NIST: Announcing request for nominations for public-key post-quantum cryptographic algorithms. National Institute of Standards and Technology (2016)
[29] Patarin, J.: The “coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21
[30] Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, Part III, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17
[31] Sanchez, I.A., Fischer, D.: Authenticated encryption in civilian space missions: context and requirements. DIAC - Directions in Authenticated Ciphers (2012)
[32] Song, F., Yun, A.: Quantum security of NMAC and related constructions. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, Part II, vol. 10402, pp. 283–309. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_10
[33] Zhandry, M.: How to construct quantum random functions. In: FOCS 2012, Proceedings, pp. 679–687. IEEE (2012)
[34] Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, Part II, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9
Acknowledgements
The second author was supported in part by JSPS KAKENHI Grant Number JP20K11675.
Copyright information
© 2021 International Association for Cryptologic Research
Cite this paper
Hosoyamada, A., Iwata, T. (2021). On Tight Quantum Security of HMAC and NMAC in the Quantum Random Oracle Model. In: Malkin, T., Peikert, C. (eds.) Advances in Cryptology – CRYPTO 2021. Lecture Notes in Computer Science, vol. 12825. Springer, Cham. https://doi.org/10.1007/978-3-030-84242-0_21
DOI: https://doi.org/10.1007/978-3-030-84242-0_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-84241-3
Online ISBN: 978-3-030-84242-0