Quantum-Access-Secure Message Authentication via Blind-Unforgeability

Alagic, Gorjan; Majenz, Christian; Russell, Alexander; Song, Fang

doi:10.1007/978-3-030-45727-3_27

Cited by 32 publications

(23 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Countering these attacks using ad hoc methods, for instance by enforcing an input measure that would make the superposition collide, does not seem easy to guarantee nor simple to implement for now. Due to all these reasons, Q2 is the most-widely used model in quantum security proofs, e.g., for quantum proofs of MAC constructions [BZ13b,AMRS], and we have chosen to build primitives offering security in this model.…”

Section: Post-quantum Symmetric Cryptographymentioning

confidence: 99%

Saturnin: a suite of lightweight symmetric algorithms for post-quantum security

Canteaut

Duval

Leurent

et al. 2020

ToSC

View full text Add to dashboard Cite

The cryptographic algorithms needed to ensure the security of our communications have a cost. For devices with little computing power, whose number is expected to grow significantly with the spread of the Internet of Things (IoT), this cost can be a problem. A simple answer to this problem is a compromise on the security level: through a weaker round function or a smaller number of rounds, the security level can be decreased in order to cheapen the implementation of the cipher. At the same time, quantum computers are expected to disrupt the state of the art in cryptography in the near future. For public-key cryptography, the NIST has organized a dedicated process to standardize new algorithms. The impact of quantum computing is harder to assess in the symmetric case but its study is an active research area.In this paper, we specify a new block cipher, Saturnin, and its usage in different modes to provide hashing and authenticated encryption in such a way that we can rigorously argue its security in the post-quantum setting. Its security analysis follows naturally from that of the AES, while our use of components that are easily implemented in a bitsliced fashion ensures a low cost for our primitives. Our aim is to provide a new lightweight suite of algorithms that performs well on small devices, in particular micro-controllers, while providing a high security level even in the presence of quantum computers. Saturnin is a 256-bit block cipher with a 256-bit key and an additional 9-bit parameter for domain separation. Using it, we built two authenticated ciphers and a hash function.• Saturnin-CTR-Cascade is an authenticated cipher using the counter mode and a separate MAC. It requires two passes over the data but its implementation does not require the inverse block cipher.• Saturnin-Short is an authenticated cipher intended for messages with a length strictly smaller than 128 bits which uses only one call to Saturnin to providenconfidentiality and integrity.• Saturnin-Hash is a 256-bit hash function. In this paper, we specify this suite of algorithms and argue about their security in both the classical and the post-quantum setting. https://project.inria.fr/saturnin/

show abstract

Section: Post-quantum Symmetric Cryptographymentioning

confidence: 99%

Saturnin: a suite of lightweight symmetric algorithms for post-quantum security

Canteaut

Duval

Leurent

et al. 2020

ToSC

View full text Add to dashboard Cite

show abstract

“…An important property is that the Hadamard transform is involutive. For better readability, we often omit global amplitude factors such as the 1 2 n/2 above, as quantum states are always normalized.…”

Section: On Quantum Computingmentioning

confidence: 99%

“…The first notion of quantum unforgeability for MACs was defined by Boneh and Zhandry [13]. We will name it plus-one unforgeability (PO), following [1]. The idea is that an adversary making q quantum queries to the construction, where q is polynomial, should not be able to produce q + 1 valid {message, tag} pairs.…”

Section: Attack Scenariosmentioning

confidence: 99%

“…The idea is that an adversary making q quantum queries to the construction, where q is polynomial, should not be able to produce q + 1 valid {message, tag} pairs. A more recent definition is blind-unforgeability (BU), proposed in [1]. It is strictly stronger than PO-unforgeability.…”

Section: Attack Scenariosmentioning

confidence: 99%

“…It is still possible to obtain an unforgeable IVor nonce-based MAC of this form, as shown in [9], but the security then relies on the non-repetition of IVs. We do not know if an attack applies when we use a modular addition instead of a XOR in (1). If this was the case, then it would clearly mean that one has to rely on sequentiality or on nonlinear operations.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Quantum Linearization Attacks

Bonnetain

Leurent

Naya-Plasencia

et al. 2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Recent works have shown that quantum period-finding can be used to break many popular constructions (some block ciphers such as Even-Mansour, multiple MACs and AEs. . . ) in the superposition query model. So far, all the constructions broken exhibited a strong algebraic structure, which enables to craft a periodic function of a single input block. Recovering the secret period allows to recover a key, distinguish, break the confidentiality or authenticity of these modes. In this paper, we introduce the quantum linearization attack, a new way of using Simon's algorithm to target MACs in the superposition query model. Specifically, we use inputs of multiple blocks as an interface to a function hiding a linear structure. Recovering this structure allows to perform forgeries. We also present some variants of this attack that use other quantum algorithms, which are much less common in quantum symmetric cryptanalysis: Deutsch's, Bernstein-Vazirani's, and Shor's. To the best of our knowledge, this is the first time these algorithms have been used in quantum forgery or key-recovery attacks. Our attack breaks many parallelizable MACs such as LightMac, PMAC, and numerous variants with (classical) beyond-birthday-bound security (LightMAC+, PMAC+) or using tweakable block ciphers (ZMAC). More generally, it shows that constructing parallelizable quantum-secure PRFs might be a challenging task.

show abstract

Quantum-Access-Secure Message Authentication via Blind-Unforgeability

Alagic

Majenz

Russell

et al. 2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Formulating and designing authentication of classical messages in the presence of adversaries with quantum query access has been a longstanding challenge, as the familiar classical notions of unforgeability do not directly translate into meaningful notions in the quantum setting. A particular difficulty is how to fairly capture the notion of "predicting an unqueried value" when the adversary can query in quantum superposition. We propose a natural definition of unforgeability against quantum adversaries called blind unforgeability. This notion defines a function to be predictable if there exists an adversary who can use "partially blinded" oracle access to predict values in the blinded region. We support the proposal with a number of technical results. We begin by establishing that the notion coincides with EUF-CMA in the classical setting and go on to demonstrate that the notion is satisfied by a number of simple guiding examples, such as random functions and quantum-query-secure pseudorandom functions. We then show the suitability of blind unforgeability for supporting canonical constructions and reductions. We prove that the "hash-and-MAC" paradigm and the Lamport one-time digital signature scheme are indeed unforgeable according to the definition. To support our analysis, we additionally define and study a new variety of quantumsecure hash functions called Bernoulli-preserving. Finally, we demonstrate that blind unforgeability is strictly stronger than a previous definition of Boneh and Zhandry [EUROCRYPT '13, CRYPTO '13] and resolve an open problem concerning this previous definition by constructing an explicit function family which is forgeable yet satisfies the definition.

show abstract

Quantum-Access-Secure Message Authentication via Blind-Unforgeability

Cited by 32 publications

References 25 publications

Saturnin: a suite of lightweight symmetric algorithms for post-quantum security

Saturnin: a suite of lightweight symmetric algorithms for post-quantum security

Quantum Linearization Attacks

Quantum-Access-Secure Message Authentication via Blind-Unforgeability

Contact Info

Product

Resources

About