Quantum Security of NMAC and Related Constructions

PRF Domain Extension Against Quantum Attacks
  • Fang Song
  • Aaram Yun
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10402)


We prove the security of NMAC, HMAC, AMAC, and the cascade construction with fixed input-length as quantum-secure pseudo-random functions (PRFs). Namely, they are indistinguishable from a random oracle against any polynomial-time quantum adversary that can make quantum superposition queries. In contrast, many blockcipher-based PRFs including CBC-MAC were recently broken by quantum superposition attacks.

Classical proof strategies for these constructions do not generalize to the quantum setting, and we observe that they sometimes even fail completely (e.g., the universal-hash then PRF paradigm for proving security of NMAC). Instead, we propose a direct hybrid argument as a new proof strategy (both classically and quantumly). We first show that a quantum-secure PRF is secure against key-recovery attacks, and remains secure under random leakage of the key. Next, as a key technical tool, we extend the oracle indistinguishability framework of Zhandry in two directions: we consider distributions on functions rather than strings, and we also consider a relative setting, where an additional oracle, possibly correlated with the distributions, is given to the adversary as well. This enables a hybrid argument to prove the security of NMAC. Security proofs for other constructions follow similarly.
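The constructions the abstract names, written out as an added Python example (not code from the paper or its authors): the cascade over an abstract compression function f, NMAC as the cascade wrapped by a second keyed call, HMAC as NMAC whose two keys are derived from one key via ipad/opad, and, separately, concrete HMAC-SHA256 as specified in RFC 2104, checked against the standard library. The compression function f (modelled as SHA-256 over key and block), the zero padding, the all-zero IV and the sample keys and messages are constructed stand-ins; the paper's results concern an abstract f assumed to be a quantum-secure PRF.

```python
import hashlib
import hmac

BLOCK = 64   # b: bytes per message block (SHA-256's block size)
CHAIN = 32   # c: bytes in a chaining value / cascade key (SHA-256's output size)


def f(k, block):
    """Constructed stand-in for a compression function f: {0,1}^c x {0,1}^b -> {0,1}^c.
    Modelled here as SHA-256 over (k || block); the paper's theorems are about an
    abstract f that is assumed to be a quantum-secure PRF when keyed by its first input."""
    assert len(k) == CHAIN and len(block) == BLOCK
    return hashlib.sha256(k + block).digest()


def cascade(k, m):
    """Cascade Casc_f(k, m_1 || ... || m_n) = f(... f(f(k, m_1), m_2) ..., m_n).
    m must be a whole number of blocks (the fixed-input-length setting of the paper)."""
    assert len(m) % BLOCK == 0
    h = k
    for i in range(0, len(m), BLOCK):
        h = f(h, m[i:i + BLOCK])
    return h


def pad_to_block(x):
    """Zero-pad a chaining value up to one block (constructed; a real hash uses its own padding)."""
    return x + b"\x00" * (BLOCK - len(x))


def nmac(k1, k2, m):
    """NMAC(k1, k2, m) = f(k2, pad(Casc_f(k1, m))). The outer call under an independent
    key k2 keeps the inner chaining value secret, which is what turns the cascade into a
    PRF for messages of any (block-aligned) length."""
    return f(k2, pad_to_block(cascade(k1, m)))


def hmac_as_nmac(key, m, iv=b"\x00" * CHAIN):
    """HMAC viewed as NMAC whose two keys are derived from one key K:
    k1 = f(IV, K xor ipad), k2 = f(IV, K xor opad). The IV is a constructed constant here."""
    assert len(key) <= BLOCK
    key = key.ljust(BLOCK, b"\x00")
    k1 = f(iv, bytes(b ^ 0x36 for b in key))   # 0x36 = ipad byte
    k2 = f(iv, bytes(b ^ 0x5c for b in key))   # 0x5c = opad byte
    return nmac(k1, k2, m)


def hmac_sha256_rfc2104(key, m):
    """Concrete HMAC-SHA256 exactly as in RFC 2104: H((K xor opad) || H((K xor ipad) || M)).
    Unlike the abstract versions above, this uses the real hash and must agree with hmac.new."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    inner = hashlib.sha256(bytes(b ^ 0x36 for b in key) + m).digest()
    return hashlib.sha256(bytes(b ^ 0x5c for b in key) + inner).digest()


def matches_stdlib(key, m):
    """Cross-check the RFC 2104 composition against Python's hmac module."""
    reference = hmac.new(key, m, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_sha256_rfc2104(key, m), reference)


def check_cascade_chaining(k, m1, m2):
    """The cascade's defining identity: Casc(k, m1 || m2) == Casc(Casc(k, m1), m2).
    An intermediate chaining value therefore determines every continuation, which is why
    the bare cascade is treated as a fixed-input-length PRF and NMAC adds the outer keyed call."""
    return cascade(k, m1 + m2) == cascade(cascade(k, m1), m2)


if __name__ == "__main__":
    k1, k2 = b"\x01" * CHAIN, b"\x02" * CHAIN   # constructed sample keys
    m1, m2 = b"A" * BLOCK, b"B" * BLOCK           # constructed one-block messages
    print("cascade chaining identity:", check_cascade_chaining(k1, m1, m2))
    print("NMAC(m1):     ", nmac(k1, k2, m1).hex())
    print("NMAC(m1||m2): ", nmac(k1, k2, m1 + m2).hex())
    print("HMAC-as-NMAC: ", hmac_as_nmac(b"key", m1).hex())
    msg = b"The quick brown fox jumps over the lazy dog"
    print("RFC 2104 HMAC-SHA256:", hmac_sha256_rfc2104(b"key", msg).hex())
    print("matches hmac module:", matches_stdlib(b"key", msg))
```

The two halves serve different purposes: the abstract functions make the structural relationship cascade, then NMAC, then HMAC visible with the paper's symbols, while `hmac_sha256_rfc2104` ties that structure to the deployed algorithm by reproducing a standard-library tag byte for byte.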


Keywords: Cascade construction, NMAC, HMAC, Augmented cascade, AMAC, PRF domain extension, Quantum query, Quantum security, Post-quantum cryptography



We would like to thank the anonymous reviewers of Crypto 2017 for many helpful comments. The second author was supported by Samsung Research Funding Center of Samsung Electronics under Project Number SRFC-IT1601-07.


  1. Bellare, M.: New proofs for NMAC and HMAC: security without collision-resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602–619. Springer, Heidelberg (2006). doi: 10.1007/11818175_36
  2. Bellare, M., Bernstein, D.J., Tessaro, S.: Hash-function based PRFs: AMAC and its multi-user security. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 566–595. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49890-3_22
  3. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996). doi: 10.1007/3-540-68697-5_1
  4. Bellare, M., Canetti, R., Krawczyk, H.: Pseudorandom functions revisited: the cascade construction and its concrete security. In: FOCS 1996, pp. 514–523. IEEE Computer Society (1996)
  5. Boneh, D., Zhandry, M.: Quantum-secure message authentication codes. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 592–608. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38348-9_35
  6. Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40084-1_21
  7. Gaži, P., Pietrzak, K., Rybár, M.: The exact PRF-security of NMAC and HMAC. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 113–130. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-44371-2_7
  8. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)
  9. Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53008-5_8
  10. Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. In: ISIT 2010, pp. 2682–2685. IEEE (2010)
  11. Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: ISITA 2012, pp. 312–316. IEEE (2012)
  12. Rötteler, M., Steinwandt, R.: A note on quantum related-key attacks. Inf. Process. Lett. 115(1), 40–44 (2015)
  13. Santoli, T., Schaffner, C.: Using Simon's algorithm to attack symmetric-key cryptographic primitives. Quantum Inf. Comput. 17(1&2), 65–78 (2017)
  14. Song, F.: A note on quantum security for post-quantum cryptography. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 246–265. Springer, Cham (2014). doi: 10.1007/978-3-319-11659-4_15
  15. Song, F., Yun, A.: Quantum security of NMAC and related constructions. Cryptology ePrint Archive, Report 2017/509, full version of this paper (2017)
  16. Unruh, D.: Quantum proofs of knowledge. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 135–152. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-29011-4_10
  17. Unruh, D.: Revocable quantum timed-release encryption. J. ACM 62(6), 49:1–49:76 (2015)
  18. Vadhan, S.P.: Pseudorandomness. Foundations and Trends in Theoretical Computer Science 7(1–3), 1–336 (2012)
  19. Watrous, J.: Zero-knowledge against quantum attacks. SIAM J. Comput. 39(1), 25–58 (2009)
  20. Zhandry, M.: How to construct quantum random functions. In: FOCS 2012, pp. 679–687. IEEE Computer Society (2012)
  21. Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-32009-5_44

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  1. Portland State University, Portland, USA
  2. Ulsan National Institute of Science and Technology (UNIST), Ulsan, Korea
