Abstract
Many permutation-based pseudorandom functions (PRFs) have been proposed. In order to analyze their quantum security uniformly, we propose three general frameworks F1, F2, and F3 for n-to-n-bit PRFs with one, two parallel, and two serial public permutation calls respectively, where every permutation call is preceded and followed by arbitrary bitwise linear mappings. We analyze them in the Q2 model, where attackers have quantum-query access to both the PRFs and the permutations. Our results show that F1 is not secure against \(\mathcal {O}(n)\) quantum queries, although its PRFs achieve n/2-bit security in the classical setting, and that F2 and F3 are not secure against \(\mathcal {O}(2^{n/2}n)\) quantum queries, although their PRFs, such as SoEM, PDMMAC, and pEDM, achieve 2n/3-bit security in the classical setting. Besides, we attack three general instantiations XopEM, EDMEM, and EDMDEM of F2 and F3 with at most \(\mathcal {O}(2^{n/2}n)\) quantum queries; these derive from replacing the two PRPs in Xop, EDM, and EDMD with two independent EM constructions. We also attack pre-existing concrete PRF instantiations of F2 and F3, namely DS-SoEM, PDMMAC, pEDM, and SoKAC21, with at most \(\mathcal {O}(2^{n/2}n)\) quantum queries.
Acknowledgments
The authors thank the anonymous reviewers for many helpful comments. This paper was supported by the NSFC of China (61732021 and 62202460) and the National Key R&D Program of China (2018YFA0704704).
Appendices
A Proof of \(\varepsilon (f)\le 1/2\) in Subcase 3.2) in Sect. 3
In fact, we can prove that \(\varepsilon (f)\) is at most \(\frac{1}{2}\), i.e., that for any \(t\in \{0,1\}^{n}\backslash \{0^n,s\}\)
By \(t\not \in \{0^{n},s\}\) we know that the four inputs of \(l_{22}\pi \), i.e., \(l_{12}(M) \oplus l_{11}(K_{1})\), \(l_{12}(M)\), \(l_{12}(M\oplus t) \oplus l_{11}(K_{1})\), and \(l_{12}(M\oplus t)\), are pairwise distinct. Then, by the randomness of \(\pi \), the four inputs of \(l_{22}(\cdot )\) are four distinct random values in \(\{0,1\}^n\). Since \(l_{22}\ne \hat{0}\), the range of \(l_{22}(\cdot )\) has at least two elements, so for a random \(x\in \{0,1\}^n\) and any y in the range, \(l_{22}(x)=y\) holds with probability at most \(\frac{1}{2}\). Thus Eq. (3) holds with probability at most \(\frac{1}{2}\).
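As an added illustration (not code from the paper), the following Python brute-forces Appendix A's quantity \(\varepsilon (f)\) for a constructed toy instance of the F1 shape with n = 8: the Simon function \(f(M)=F(M)\oplus l_{22}\pi (l_{12}(M))\), whose four \(\pi \)-inputs for M and \(M\oplus t\) are exactly the ones listed above, its period \(s=l_{12}^{-1}l_{11}(K_1)\), and the check that the collision fraction stays at most 1/2 for every \(t\notin \{0^n,s\}\). The concrete linear maps, the keys, and the classical exhaustive evaluation used in place of quantum queries are assumptions of this example.

```python
import random

N = 8                 # toy block size (the paper's n): 2^N = 256 messages, brute-forceable
random.seed(2022)     # fixed seed so every run builds the same instance

def apply_linear(cols, x):
    """Apply the GF(2)-linear map with column images `cols` to the N-bit value x."""
    y = 0
    for i in range(N):
        if (x >> i) & 1:
            y ^= cols[i]
    return y

def random_invertible_linear():
    """Random invertible GF(2)-linear map: resample the columns until they give a bijection."""
    while True:
        cols = [random.randrange(1 << N) for _ in range(N)]
        if len({apply_linear(cols, x) for x in range(1 << N)}) == 1 << N:
            return cols

# Constructed toy F1 instance (assumption of this example): public pi, invertible l_11, l_12 before pi, l_21, l_22 after.
PI = list(range(1 << N)); random.shuffle(PI)
L11, L12, L21, L22 = (random_invertible_linear() for _ in range(4))
K1, K2 = 0xA7, 0x3C   # constructed secret keys (K1 != 0, so l_11(K_1) != 0)

def prf(m):
    """F1-type PRF: l_22(pi(l_12(M) xor l_11(K_1))) xor l_21(K_2)."""
    return apply_linear(L22, PI[apply_linear(L12, m) ^ apply_linear(L11, K1)]) ^ apply_linear(L21, K2)

def f(m):
    """Simon function f(M) = PRF(M) xor l_22(pi(l_12(M))); its four pi-inputs for M and M xor t
    are the ones listed in Appendix A, and f(M xor s) = f(M) for s = l_12^{-1}(l_11(K_1))."""
    return prf(m) ^ apply_linear(L22, PI[apply_linear(L12, m)])

def expected_period():
    """s = l_12^{-1}(l_11(K_1)), by exhaustive search instead of matrix inversion."""
    return next(s for s in range(1 << N) if apply_linear(L12, s) == apply_linear(L11, K1))

def collision_fraction(t):
    """Pr_M[f(M) = f(M xor t)] taken over all 2^N messages M."""
    return sum(f(m) == f(m ^ t) for m in range(1 << N)) / (1 << N)

def epsilon_and_periods():
    """Return (eps, s, periods): eps = max over t not in {0, s} of Pr_M[f(M) = f(M xor t)],
    i.e. Appendix A's eps(f); periods = every nonzero t with collision fraction 1 (expect [s])."""
    s = expected_period()
    fractions = {t: collision_fraction(t) for t in range(1, 1 << N)}
    eps = max(p for t, p in fractions.items() if t != s)
    periods = [t for t, p in fractions.items() if p == 1.0]
    return eps, s, periods
```

Replacing `L22` by a nonzero but non-invertible map, as the appendix allows, pushes the observed collision fractions for \(t\ne s\) up toward the 1/2 bound rather than the near-zero values an invertible \(l_{22}\) gives, which is why the bound of Appendix A is the quantity that matters.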
B Proof of \(\Pr [test(u)=1]\le \frac{1}{2^{2n}}\) for Any \(u\notin \mathcal {U}\) in Subcase 4.1) in Sect. 4.1
and \(y^1_i:=l_{22}(M_i)\oplus l_{21}(K_2), y^2_i:=l_{22}(M_i\oplus a)\oplus l_{21}(K_2), y^3_i:=l_{22}(M_i)\oplus u, y^4_i:=l_{22}(M_i\oplus a)\oplus u,\) for \(i=1,2,\ldots ,q\). By \(l_{22}(a)\ne 0^n\) and \(u\notin \mathcal {U}\), for any function \(f_i\) the values \(y^1_i,y^2_i,y^3_i\), and \(y^4_i\) are pairwise distinct. To bound the probability that all q equations \(f_i(u)=0^n\) hold for \(u\notin \mathcal {U}\), we consider the sampling of \(\pi _2\). If \(y^1_i, y^2_i,y^3_i\), and \(y^4_i\), which are the inputs of \(\pi _2\) in the ith equation, have all appeared in the other \(q-1\) equations, then no fresh sampling occurs in the ith equation. Since every \(M_i\) satisfies \(l_{22}(M_i),l_{22}(M_i\oplus a)\notin \{l_{22}(M_j),l_{22}(M_j\oplus a): M_j\in \mathcal {M}\setminus \{M_i\}\}\), we get \(y^1_i,y^2_i\notin \{y^1_j,y^2_j: j\in \{1,2,\ldots ,q\}\setminus \{i\}\}\). However, if \(u=l_{22}(M_i)\oplus l_{22}(M_j)\oplus l_{21}(K_2)\) then \(y^1_i=y^3_j,y^2_i=y^4_j,y^3_i=y^1_j,y^4_i=y^2_j\); and if \(u=l_{22}(M_i)\oplus l_{22}(M_j)\oplus l_{21}(K_2)\oplus l_{22}(a)\) then \(y^1_i=y^4_j,y^2_i=y^3_j,y^3_i=y^2_j,y^4_i=y^1_j\). Therefore, even in the worst case we have to sample \(\pi _2\) in at least \(\lfloor \frac{q}{2}\rfloor \) of the q equations. Each equation that requires sampling holds with probability at most \(\frac{1}{2}\) by the randomness of \(\pi _2\). Therefore, for any \(u\notin \mathcal {U}\), we have \(\text {Pr}[test(u)=1]\le (\frac{1}{2})^{\lfloor \frac{q}{2}\rfloor }\), and hence \(\text {Pr}[test(u)=1]\le 1/2^{2n}\) for \(q\ge 4n\). We note that this attack requires \(l_{22}\) to have at least 4n distinct images. When \(4n\le 2^{n/2}\), that is to say, \(n\ge 6\), it works.
C Proof of \({\varepsilon }({\boldsymbol{f}})\le 7/8\) in Subcase 4.2) in Sect. 4.1
Let \(\mathcal {U}_t=\{0,1\}^n\times \{0,1\}^n\backslash (\{(l_{21}(K_2),s),(l_{22} l_{12}^{-1}l_{11}(K_1) \oplus l_{21}(K_2),s)\}\cup \{0,1\}^n\times \{0^n\}).\) In this case, \(\varepsilon (f)=\max \limits _{(u,t)\in \mathcal {U}_t}\text {Pr}_M[f(u,M)=f(u,M\oplus t)].\) The equation \(f(u,M)=f(u,M\oplus t)\) is equivalent to
1) \(\boldsymbol{u\in \mathcal {U},t\notin \{ 0^n,s\}}\). By \(l_{11}(K_1)\ne 0^n\) and \(t\notin \{ 0^n,s\}\), we get that the four inputs of \(l_{32}\pi _1\) in Eq. (4) are pairwise distinct. By the randomness of \(\pi _1\), Eq. (4) holds with probability at most 1/2.
2) \(\boldsymbol{u\notin \mathcal {U},t=s}\). Now Eq. (4) becomes
By \(u\notin \mathcal {U}\) and \(l_{22} l_{12}^{-1}l_{11}(K_1)\ne 0^n\), we get that the four inputs of \(l_{34}\pi _2\) in Eq. (4) are pairwise distinct. By the randomness of \(\pi _2\), Eq. (4) holds with probability at most 1/2.
3) \(\boldsymbol{u\notin \mathcal {U},t\notin \{ 0^n,s\}}\). Eq. (4) holds with probability at most 1/2 by the same argument as in 1), which we omit.
D Proof of \(\varepsilon ({\boldsymbol{f}})\le 7/8\) in Case 4) of Sect. 4.2
Let \(\mathcal {U}_t=\{0,1\}^n\times \{0,1\}^n\backslash (\{(u^{**},s)\}\cup \{0,1\}^n\times \{0^n\}).\) In this case, \( \varepsilon (f)=\max \limits _{(u,t)\in \mathcal {U}_t}\text {Pr}_M[f(u,M)=f(u,M\oplus t)]. \) We take \(l_{33}l_{27}=l_{24}l_{14}=O\) as an example; the other cases, when \(l_{33}l_{27}\ne O\) or \(l_{24}l_{14}\ne O\), are similar. We divide \((u,t)\in \mathcal {U}_t\) into the following cases, which cover all scenarios.
1) \(\boldsymbol{u=u^{**},t\notin \{0^n,s\}}\). Now the equation \(f(u,M)=f(u,M\oplus t)\) is equivalent to
where \(y_1=l_{23} \pi _{1}(l_{12}(M)\oplus l_{11}(K_1))\oplus u^{**}\), \(y_2=l_{23} \pi _{1}(l_{12}(M)) \oplus u^{**}\), \(y_3=l_{23} \pi _{1}(l_{12}(M\oplus t)\oplus l_{11}(K_1))\oplus u^{**}\), \(y_4=l_{23} \pi _{1}(l_{12}(M\oplus t)) \oplus u^{**}\). If \(y_1=y_2,y_3=y_4\) or \(y_1=y_3,y_2=y_4\) or \(y_1=y_4,y_2=y_3\), then Eq. (5) holds. We observe that the four inputs of \(l_{23}\pi _1\) in \(y_1,y_2,y_3\), and \(y_4\) are pairwise distinct, since \(l_{11}(K_1)\ne 0^n\) and \(t\notin \{0^n,s\}\). So this case happens with probability at most 3/4 by the randomness of \(\pi _1\). Otherwise, at least one \(y_i\) (\(i\in \{1,2,3,4\}\)) differs from the other three; in this case, by the randomness of \(\pi _2\), Eq. (5) holds with probability at most 1/2. So Eq. (5) holds with probability at most \(3/4+1/4\cdot 1/2=7/8\).
2) \(\boldsymbol{u\ne u^{**},t=s}\). Now the equation \(f(u,M)=f(u,M\oplus t)\) is equivalent to
where \(y_1=l_{23} \pi _{1}(l_{12}(M)\oplus l_{11}(K_1))\oplus u^{**}\), \(y_2=l_{23} \pi _{1}(l_{12}(M)) \oplus u\), \(y_3=l_{23} \pi _{1}(l_{12}(M))\oplus u^{**}\), \(y_4=l_{23} \pi _{1}(l_{12}(M)\oplus l_{11}(K_1)) \oplus u\). By \(u\ne u^{**}\), we get \(y_1\ne y_4\). We also observe that \([y_1=y_2\Leftrightarrow y_3=y_4]\) (resp. \([y_1=y_3\Leftrightarrow y_2=y_4]\)). So \(y_1=y_2\) and \(y_1=y_3\) cannot hold simultaneously, as that would imply \(y_1=y_4\). If \(y_1=y_2\), Eq. (6) holds; this case occurs with probability at most 1/2 by the randomness of \(\pi _1\). Otherwise, if \(y_1\ne y_2\) and \(y_1=y_3\), Eq. (6) holds as well; this case occurs with probability at most \(1/2\cdot 1/2=1/4\) by the randomness of \(\pi _1\). At last, if \(y_1\ne y_2\) and \(y_1\ne y_3\), then \(y_1,y_2,y_3\), and \(y_4\) are pairwise distinct, and Eq. (6) holds with probability \(1/2\cdot 1/2\cdot 1/2=1/8\) by the randomness of \(\pi _2\). So Eq. (6) holds with probability at most 7/8.
3) \(\boldsymbol{u\ne u^{**},t\notin \{0^n,s\}}\). This case is similar to 1), so we omit it.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Guo, T., Wang, P., Hu, L., Ye, D. (2022). Quantum Attacks on PRFs Based on Public Random Permutations. In: Isobe, T., Sarkar, S. (eds) Progress in Cryptology – INDOCRYPT 2022. INDOCRYPT 2022. Lecture Notes in Computer Science, vol 13774. Springer, Cham. https://doi.org/10.1007/978-3-031-22912-1_25
DOI: https://doi.org/10.1007/978-3-031-22912-1_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22911-4
Online ISBN: 978-3-031-22912-1