Quantum Attacks on PRFs Based on Public Random Permutations

Abstract

Plenty of permutation-based pseudorandom functions (PRFs) were proposed. In order to analyze their quantum security uniformly, we proposed three general frameworks F1, F2,  and F3 for n-to-n-bit PRFs with one, two parallel, and two serial public permutation calls respectively, where every permutation is preceded and followed by any bitwise linear mappings. We analyze them in the Q2 model where attackers have quantum-query access to PRFs and permutations. Our results show F1 is not secure with \(\mathcal {O}(n)\) quantum queries while its PRFs achieve n/2-bit security in the classical setting, and F2, F3 are not secure with \(\mathcal {O}(2^{n/2}n)\) quantum queries while their PRFs, such as SoEM, PDMMAC, and pEDM, achieve 2n/3-bit security in the classical setting. Besides, we attack three general instantiations XopEM, EDMEM, and EDMDEM of F2, F3 with at most \(\mathcal {O}(2^{n/2}n)\) quantum queries, which derive from replacing the two PRPs in Xop, EDM, and EDMD with two independent EM constructions. We also attack pre-existing concrete PRF instantiations of F2, F3: DS-SoEM, PDMMAC, pEDM, and SoKAC21, with at most \(\mathcal {O}(2^{n/2}n)\) quantum queries.

Appendices

A Proof of \(\varepsilon (f)\le 1/2\) in Subcase 3.2) in Sect. 3

In fact, we can prove \(\varepsilon (f)\) is at most \(\frac{1}{2}\), i.e., for any \(t\in \{0,1\}^{n}\backslash \{0^n,s\}\) that

$$\begin{aligned} \begin{aligned} \text {Pr}_M \left[ \begin{array}{c}l_{22} \pi (l_{12}(M) \oplus l_{11}(K_{1})) \oplus l_{22} \pi (l_{12}(M)) \\ l_{22} \pi (l_{12}(M\oplus t) \oplus l_{11}(K_{1})) \oplus l_{22} \pi (l_{12}(M\oplus t))=0^n \end{array} \right] \le 1/2. \end{aligned} \end{aligned}$$

(3)

By \(t\not \in \{0^{n},s\}\) we know the four inputs of \(l_{22}\pi \), i.e., \(l_{12}(M) \oplus l_{11}(K_{1}), l_{12}(M)\), \(l_{12}(M\oplus t) \oplus l_{11}(K_{1}),\) and \(l_{12}(M\oplus t)\), are different from each other. Then by the randomness of \(\pi \), the four inputs of \(l_{22}(\cdot )\) are four distinct random values in \(\{0,1\}^n\). By \(l_{22}\ne \hat{0}\), we obtain the range of \(l_{22}(\cdot )\) has at least two elements and the probability of \(l_{22}(x)=y\) for any random \(x\in \{0,1\}^n\) and y in the range is at most \(\frac{1}{2}\). Thus the Eq. (3) happens with probability no more than \(\frac{1}{2}\).

B Proof of Pr\([test(u)=1]\le \frac{1}{2^{2n}}\) for Any \(u\notin \mathcal {U}\) in Subcase 4.1) in Sect. 4.1

$$\begin{aligned} \begin{aligned} \text {Let } f_i(u):=&F2(M_i)\oplus h(M_i)\oplus F2(M_i\oplus a) \oplus h(M_i\oplus a)\oplus l_{34}\pi _2(l_{22}(M_i)\oplus u) \oplus \\ {}&l_{34}\pi _2(l_{22}(M_i\oplus a)\oplus u)\\ =&l_{34}\pi _2(l_{22}(M_i)\oplus l_{21}(K_2))\oplus l_{34}\pi _2(l_{22}(M_i\oplus a)\oplus l_{21}(K_2)) \oplus \\&l_{34}\pi _2(l_{22}(M_i)\oplus u)\oplus l_{34}\pi _2(l_{22}(M_i\oplus a)\oplus u), \end{aligned} \end{aligned}$$

and \(y^1_i:=l_{22}(M_i)\oplus l_{21}(K_2), y^2_i:=l_{22}(M_i\oplus a)\oplus l_{21}(K_2), y^3_i:=l_{22}(M_i)\oplus u, y^4_i:=l_{22}(M_i\oplus a)\oplus u,\) for \(i=1,2,\ldots ,q\). By \(l_{22}(a)\ne 0^n,u\notin \mathcal {U}\) we get for any function \(f_i\), the \(y^1_i,y^2_i,y^3_i\), and \(y^4_i\) are different from each other. To calculate the probability of these q equations \(f_i(u)=0^n\) where \(u\notin \mathcal {U}\), we consider sampling about \(\pi _2\). If \(y^1_i, y^2_i,y^3_i\), and \(y^4_i\), who are the inputs of \(\pi _2\) in ith equation, all have appeared in the other \(q-1\) equations, then we don’t sample in the ith equation. By any \(M_i\) that \(l_{22}(M_i),l_{22}(M_i\oplus a)\notin \{l_{22}(M_j),l_{22}(M_j\oplus a): M_j\in \mathcal {M}\setminus \{M_i\}\}\), we get \(y^1_i,y^2_i\notin \{y^1_j,y^2_j: j\in \{1,2,\ldots ,q\}\setminus \{i\}\}\). However, if \(u=l_{22}(M_i)\oplus l_{22}(M_j)\oplus l_{21}(K_2)\) then \(y^1_i=y^3_j,y^2_i=y^4_j,y^3_i=y^1_j,y^4_i=y^2_j\). Or if \(u=l_{22}(M_i)\oplus l_{22}(M_j)\oplus l_{21}(K_2)\oplus l_{22}(a)\) then \(y^1_i=y^4_j,y^2_i=y^3_j,y^3_i=y^2_j,y^4_i=y^1_j\). Therefore, even in the worst case we have to sample \(\pi _2\) in at least \(\lfloor \frac{q}{2}\rfloor \) equations among q. For every equation needing sample, by the randomness of \(\pi _2\), it holds with probability at most \(\frac{1}{2}\). Therefore, for any \(u\notin \mathcal {U}\), we have \(\text {Pr}[test(u)=1]\le (\frac{1}{2})^{\lfloor \frac{q}{2}\rfloor }\). We have \(\text {Pr}[test(u)=1]\le 1/2^{2n}\) for \(q\ge 4n\). We notice that this attack requires \(l_{22}\) with at least 4n different images. When \(4n\le 2^{n/2}\), that is to say, \(n\ge 6\), it works.

C Proof of \({\varepsilon }({\boldsymbol{f}})\le 7/8\) in Subcase 4.2) in Sect. 4.1

Let \(\mathcal {U}_t=\{0,1\}^n\times \{0,1\}^n\backslash (\{(l_{21}(K_2),s),(l_{22} l_{12}^{-1}l_{11}(K_1) \oplus l_{21}(K_2),s)\}\cup \{0,1\}^n\times \{0^n\}).\) In this case, \(\varepsilon (f)=\max \limits _{(u,t)\in \mathcal {U}_t}\text {Pr}_M[f(u,M)=f(u,M\oplus t)].\) The function \(f(u,M)=f(u,M\oplus t)\) equals

$$\begin{aligned} \begin{aligned} \left. \begin{array}{l} l_{34}\pi _{2}(l_{22} (M)\oplus l_{21}(K_2)) \oplus l_{34} \pi _{2}(l_{22} (M)\oplus u) \oplus \\ l_{34} \pi _{2}(l_{22} (M\oplus t)\oplus l_{21}(K_2)) \oplus l_{34} \pi _{2}(l_{22} (M\oplus t)\oplus u) \oplus \\ l_{32} \pi _{1}(l_{12}(M)\oplus l_{11}(K_1))\oplus l_{32} \pi _{1}(l_{12}(M))\oplus \\ l_{32} \pi _{1}(l_{12}(M\oplus t)\oplus l_{11}(K_1))\oplus l_{32} \pi _{1}(l_{12}(M\oplus t))=0^n \end{array} \right. \end{aligned} \end{aligned}$$

(4)

 1) \(\boldsymbol{u\in \mathcal {U},t\notin \{ 0^n,s\}}\). By \(l_{11}(K_1)\ne 0^n, t\notin \{ 0^n,s\}\) we get the four inputs of \(l_{32}\pi _1\) in Eq. (4) are different. By the randomness of \(\pi _1\) the Eq. (4) holds with probability at most 1/2.

 2) \(\boldsymbol{u\notin \mathcal {U},t=s}\). Now the Eq. (4) equals

$$\begin{aligned} \begin{aligned}&l_{34} \pi _{2}(l_{22} (M)\oplus l_{21}(K_2)) \oplus l_{34} \pi _{2}(l_{22} (M)\oplus u) \oplus \\ {}&l_{34} \pi _{2}(l_{22} (M\oplus l^{-1}_{12}l_{11}(K_1))\oplus l_{21}(K_2)) \oplus l_{34} \pi _{2}(l_{22} (M\oplus l^{-1}_{12}l_{11}(K_1))\oplus u)=0^n \end{aligned} \end{aligned}$$

By \(u\notin \mathcal {U},l_{22} l_{12}^{-1}l_{11}(K_1)\ne 0^n\), we get the four inputs of \(l_{34}\pi _2\) in Eq. (4) are different. By the randomness of \(\pi _2\) the Eq. (4) holds with probability at most 1/2.

 3) \(\boldsymbol{u\notin \mathcal {U},t\notin \{ 0^n,s\}}\). We can prove the Eq. (4) holds with probability at most 1/2 the same as 1), so we omit it.

D Proof of \(\varepsilon ({\boldsymbol{f}})\le 7/8\) in Case 4) of Sect. 4.2

Let \(\mathcal {U}_t=\{0,1\}^n\times \{0,1\}^n\backslash (\{(u^{**},s)\}\cup \{0,1\}^n\times \{0^n\}).\) In this case, \( \varepsilon (f)=\max \limits _{(u,t)\in \mathcal {U}_t}\text {Pr}_M[f(u,M)=f(u,M\oplus t)]. \) we take \(l_{33}l_{27}=l_{24}l_{14}=O\) as an example. The other cases when \(l_{33}l_{27}\ne O,l_{24}l_{14}\ne O\) are similar. We divide \((u,t)\in \mathcal {U}_t\) into the following cases, which cover all sceneries.

 1) \(\boldsymbol{u=u^{**},t\notin \{0^n,s\}}\). Now the equation \(f(u,M)=f(u,M\oplus t)\) equals

$$\begin{aligned} \begin{aligned} l_{32} \pi _{2}(y_1) \oplus l_{32} \pi _{2}(y_2) \oplus l_{32} \pi _{2}(y_3) \oplus l_{32} \pi _{2}(y_4) =0^n, \end{aligned} \end{aligned}$$

(5)

wherec \(y_1=l_{23} \pi _{1}(l_{12}(M)\oplus l_{11}(K_1))\oplus u^{**},y_2=l_{23} \pi _{1}(l_{12}(M)) \oplus u^{**}\), \(y_3=l_{23} \pi _{1}(l_{12}(M\oplus t)\oplus l_{11}(K_1))\oplus u^{**}, y_4=l_{23} \pi _{1}(l_{12}(M\oplus t)) \oplus u^{**}.\) If \(y_1=y_2,y_3=y_4\) or \(y_1=y_3,y_2=y_4\) or \(y_1=y_4,y_2=y_3\), then Eq. (5) holds. We observe that four inputs of \(l_{23}\pi _1\): \(y_1,y_2,y_3\), and \(y_4\) are distinct from each other by \(l_{11}(K_1)\ne 0^n\) and \(t\notin \{0^n,s\}\). So this case happens with probability at most 3/4 by the randomness of \(\pi _1\). Otherwise, there is at least one \(y_i(i\in \{1,2,3,4\})\) is different from the other three. In this case, by the randomness of \(\pi _2\), the Eq. (5) holds with probability at most 1/2. So the Eq. (5) holds with a bound \(3/4+1/4\cdot 1/2=7/8\).

 2) \(\boldsymbol{u\ne u^{**},t=s}\). Now the equation \(f(u,M)=f(u,M\oplus t)\) is equal to

$$\begin{aligned} \begin{aligned} l_{32} \pi _{2}(y_1 ) \oplus l_{32} \pi _{2}(y_2) \oplus l_{32} \pi _{2}(y_3) \oplus l_{32} \pi _{2}(l_{23} \pi _{1}(y_4) =0^n, \end{aligned} \end{aligned}$$

(6)

where \(y_1=l_{23} \pi _{1}(l_{12}(M)\oplus l_{11}(K_1))\oplus u^{**},y_2=l_{23} \pi _{1}(l_{12}(M)) \oplus u, y_3=\) \(l_{23} \pi _{1}(l_{12}(M))\oplus u^{**}, y_4=l_{23} \pi _{1}(l_{12}(M)\oplus l_{11}(K_1)) \oplus u.\) By \(u\ne u^{**}\), we get \(y_1\ne y_4\). And we observe that \([y_1=y_2\Leftrightarrow y_3=y_4]\) (resp. \([y_1=y_3\Leftrightarrow y_2=y_4]\)). So \(y_1=y_2\) and \(y_1=y_3\) don’t hold simultaneously, or it leads to \(y_1=y_4\). If \(y_1=y_2\), the Eq. (6) holds. This case holds with probability at most 1/2 by the randomness of \(\pi _1\). Otherwise, if \(y_1\ne y_2\) and \(y_1=y_3\), the Eq. (6) holds as well. This case holds with probability at most \(1/2\cdot 1/2=1/4\) by the randomness of \(\pi _1\). At last, if \(y_1\ne y_2\) and \(y_1\ne y_3\), then \(y_1,y_2,y_3\), and \(y_4\) are different from each other, the Eq. (6) holds with probability of \(1/2\cdot 1/2\cdot 1/2=1/8\) by the randomness of \(\pi _2\). So the Eq. (6) holds with a bound 7/8.

 3) \(\boldsymbol{u\ne u^{**},t\notin \{0^n,s\}}\). This case is similar to 1), so we omit it.