
On Tight Quantum Security of HMAC and NMAC in the Quantum Random Oracle Model

Part of the Lecture Notes in Computer Science book series (LNSC, volume 12825)

Abstract

HMAC and NMAC are the most basic and important constructions to convert Merkle-Damgård hash functions into message authentication codes (MACs) or pseudorandom functions (PRFs). In the quantum setting, at CRYPTO 2017, Song and Yun showed that HMAC and NMAC are quantum pseudorandom functions (qPRFs) under the standard assumption that the underlying compression function is a qPRF. Their proof guarantees security up to \(O(2^{n/5})\) or \(O(2^{n/8})\) quantum queries when the output length of HMAC and NMAC is n bits. However, there is a gap between the provable security bound and a simple distinguishing attack that uses \(O(2^{n/3})\) quantum queries. This paper settles the problem of closing the gap. We show that the tight bound of the number of quantum queries to distinguish HMAC or NMAC from a random function is \(\Theta (2^{n/3})\) in the quantum random oracle model, where compression functions are modeled as quantum random oracles. To give the tight quantum bound, based on an alternative formalization of Zhandry’s compressed oracle technique, we introduce a new proof technique focusing on the symmetry of quantum query records.
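The HMAC and NMAC constructions the abstract refers to, as an added example that is not code from the paper: a toy Merkle-Damgård hash over an abstract compression function h (instantiated here as truncated SHA-256 only to have something to run; the paper models h as a quantum random oracle), NMAC keyed by two independent n-bit chaining values (footnote 3), and HMAC built from one key. The parameter values n = 128 and m = 256 bits, the all-zero IV, and all function names are assumptions of this example. The block also checks the standard fact that HMAC is NMAC under the derived keys K1 = h(IV, K xor ipad) and K2 = h(IV, K xor opad), which holds exactly only when the length field of the SHA-2-style padding (footnote 18) counts the key block already absorbed; with the plain NMAC padding the tags differ.

```python
"""Toy Merkle-Damgård hash, NMAC and HMAC over an abstract compression function.

Added example, not code from the paper. h is instantiated as truncated SHA-256
purely to have a concrete function; the paper models h as a quantum random
oracle. n (chaining value / tag length) and m (block length) are the paper's
parameters (footnote 2); 16 and 32 bytes are toy values assumed here.
"""
import hashlib
import hmac as _hmac  # only for compare_digest
import os
from typing import Tuple

N = 16          # n = 128 bits (assumed toy value)
M = 32          # m = 256 bits (assumed toy value)
IV = bytes(N)   # public fixed IV of the hash function (assumed all-zero)
IPAD, OPAD = 0x36, 0x5C   # HMAC constants (RFC 2104)


def h(u: bytes, v: bytes) -> bytes:
    """Compression function h: {0,1}^n x {0,1}^m -> {0,1}^n."""
    assert len(u) == N and len(v) == M
    return hashlib.sha256(u + v).digest()[:N]


def pad(msg: bytes, prefix_blocks: int = 0) -> bytes:
    """SHA-2-style padding: msg || 0x80 || 0* || 64-bit bit length, block aligned.

    prefix_blocks counts whole m-bit blocks absorbed before msg, so the length
    field can match a hash of (block || msg). That is exactly what is needed
    to express HMAC as an instance of NMAC.
    """
    bitlen = 8 * (prefix_blocks * M + len(msg))
    out = msg + b"\x80"
    out += b"\x00" * ((-len(out) - 8) % M)
    return out + bitlen.to_bytes(8, "big")


def md(iv: bytes, msg: bytes, prefix_blocks: int = 0) -> bytes:
    """Merkle-Damgård iteration of h starting from chaining value iv."""
    data = pad(msg, prefix_blocks)
    u = iv
    for i in range(0, len(data), M):
        u = h(u, data[i:i + M])
    return u


def nmac_keygen() -> Tuple[bytes, bytes]:
    """NMAC key: two independent n-bit chaining values, 2n bits in total."""
    return os.urandom(N), os.urandom(N)


def nmac(k1: bytes, k2: bytes, msg: bytes, prefix_blocks: int = 0) -> bytes:
    """NMAC_{K1,K2}(M) = MD_{K2}(MD_{K1}(M)); no IV is involved."""
    assert len(k1) == N and len(k2) == N
    inner = md(k1, msg, prefix_blocks)
    return md(k2, inner, prefix_blocks)


def _block_key(key: bytes) -> bytes:
    """HMAC key handling: hash keys longer than a block, then zero-pad to m."""
    if len(key) > M:
        key = md(IV, key)
    return key.ljust(M, b"\x00")


def hmac_toy(key: bytes, msg: bytes) -> bytes:
    """HMAC_K(M) = MD_IV((K xor opad) || MD_IV((K xor ipad) || M))."""
    k = _block_key(key)
    k_ipad = bytes(b ^ IPAD for b in k)
    k_opad = bytes(b ^ OPAD for b in k)
    return md(IV, k_opad + md(IV, k_ipad + msg))


def derived_keys(key: bytes) -> Tuple[bytes, bytes]:
    """K1 = h(IV, K xor ipad), K2 = h(IV, K xor opad): the 2n-bit NMAC key
    hidden inside HMAC; these are the only key-dependent chaining values."""
    k = _block_key(key)
    return (h(IV, bytes(b ^ IPAD for b in k)),
            h(IV, bytes(b ^ OPAD for b in k)))


def hmac_as_nmac(key: bytes, msg: bytes) -> bytes:
    """HMAC equals NMAC under the derived keys, provided the length field
    counts the one key block already absorbed (prefix_blocks=1)."""
    k1, k2 = derived_keys(key)
    return nmac(k1, k2, msg, prefix_blocks=1)


def verify_tag(k1: bytes, k2: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time tag check; never compare MAC tags with == in practice."""
    return _hmac.compare_digest(nmac(k1, k2, msg), tag)


if __name__ == "__main__":
    key, msg = b"example key", b"example message"
    assert hmac_toy(key, msg) == hmac_as_nmac(key, msg)
    k1, k2 = nmac_keygen()
    print("NMAC tag:", nmac(k1, k2, msg).hex())
```

Only the pair (K1, K2) is ever combined with message data, which is why results proved for NMAC with a 2n-bit key transfer to HMAC once the key-derivation step is accounted for; the prefix_blocks parameter is the one place where the two constructions are not literally the same function.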

Keywords

  • Symmetric-key cryptography
  • Post-quantum cryptography
  • Provable security
  • Quantum security
  • Compressed oracle technique
  • HMAC
  • NMAC


Notes

  1.

    Please do not confuse the notions of standard/quantum security with the standard model or the quantum random oracle model. The two notions are independent of the models, and it is possible that a scheme has quantum security in the standard model or standard security in the quantum random oracle model.

  2.

    n is the length of chaining values, and m is the length of message blocks.

  3.

    Note that there is no IV involved in NMAC and the key length is always \(n+n=2n\).

  4.

    Actually, the previous work [32] did not give a concrete security bound, but we can reasonably deduce that the security is guaranteed up to \(O(2^{n/8})\) quantum queries. We have the bound \(O(2^{n/5})\) instead of \(O(2^{n/8})\) if we assume a conjecture. See Section A of this paper's full version [20] for details.

  5.

    In [34] Zhandry showed that \(F^h_1\) is indifferentiable from a QRO when h and g are QROs. His result implies qPRF security of \(F^h_1\) up to \(O(2^{n/4})\) quantum queries, while Proposition 1 guarantees security up to \(O(2^{n/3})\) queries.

  6.

    We consider \(F_2\) instead of \(\mathsf{RF}\) so that there exists a useful correspondence between “good” databases for \(F^h_1\) and those for \(F_2\), which we will elaborate later.

  7.

    We use the symbols u and \(\zeta \) to denote n-bit strings and v to denote an m-bit string.

  8.

    In Zhandry's paper that introduced the compressed oracle technique, quantum indifferentiability of the fixed-input-length Merkle-Damgård construction is proved [34]. Note that the variable-input-length Merkle-Damgård construction that is used in HMAC and NMAC is not indifferentiable in the random oracle model even in the classical setting [13]. In addition, the security bound of the indifferentiability is proved up to \(O(2^{n/4})\) (but not \(O(2^{n/3})\)) quantum queries in [34]. Thus, we start from the proof technique used in [18, 19] instead of [34].

  9.

    Some technical errors are contained in the Asiacrypt version of the previous work [18], which are corrected in the revised version [19]. Our technical overview in this section and formal proofs in later sections are based on the revised version. For completeness, we do not rely on any propositions in [18, 19] that are related to the technical errors in [18]. The propositions from [18, 19] that we use in this paper are the ones whose correctness can be confirmed just by straightforward algebraic calculation (Proposition 2 and Proposition 3).

  10.

    This may seem somewhat strange, but some differences between quantum oracles and classical oracles are explained by using this strange property.

  11.

    This holds due to the following reasoning. For simplicity, assume that nothing has been directly queried to h before, and \(D_f\) has \((i-1)\) entries \((u_1,\alpha _1),\dots ,(u_{i-1},\alpha _{i-1})\) (other cases can be shown similarly). Then \(|\mathsf {Equiv}(D_f,D_h)|\) is equal to the number of choices of the tuple \((\alpha _1,\dots ,\alpha _{i-1})\) such that \(\alpha _j \ne \alpha _k\) for \(j \ne k\). Hence \(|\mathsf {Equiv}(D_f,D_h)| = \left( {\begin{array}{c}2^n\\ i-1\end{array}}\right) \). In addition, the number of \((D'_f,D'_h) \in {\mathsf {Equiv}}(D_f,D_h)\) such that \(\alpha _j = \tilde{\zeta }\) for some j is \((i-1)\cdot \left( {\begin{array}{c}2^n\\ i-2\end{array}}\right) \). Thus the ratio is \((i-1)\cdot \left( {\begin{array}{c}2^n\\ i-2\end{array}}\right) / \left( {\begin{array}{c}2^n\\ i-1\end{array}}\right) = \frac{(i-1)}{(2^n-i+2)} \le O(i/2^n)\).

  12.

    Here, the bit “0” concatenated with each f(i) is redundant, but it is necessary so that the notation for \(\mathsf{stO}\) is compatible with that for the recording standard oracle with errors introduced later.

  13.

    The proposition is a formal restatement of Proposition 1 in Sect. 1.2 for the case \(u\in \{0,1\}^{n+m'}\).

  14.

    To be precise, we have to use the symbol \((v,\zeta )\) instead of \((u,v)\) when \(j=2i\) since we always use the symbol \(v||\zeta \) to denote an input to h. However, here we use \((u,v)\) to simplify notations. In the proof we use the symbol \(a^{(2i)}_{v{\zeta }yzD_fD_gD_h}\) instead of \(a^{(2i)}_{uvyzD_fD_gD_h}\).

  15.

    Pre-good databases are defined in the complete proof of Proposition 5 presented in Section C of this paper’s full version [20].

  16.

    To be more precise, we sometimes include small “good” terms into the new bad vector so that the analysis will be easier.

  17.

    Actually the proof for offline queries is even simpler because the offline oracle is just a single random oracle h, while the online oracles consist of two random functions.

  18.

    These conditions are satisfied for usual concrete hash functions such as SHA-2. Recall that \((\{0,1\}^m)^+\) is the set of bit strings whose length is a positive multiple of m bits.

  19.

    \({\mathcal O}^h\) will be \(\mathsf {HMAC}^h_K\), \(\mathsf {NMAC}^h_{K_1,K_2}\), or a random function.

References

  1. Alagic, G., Majenz, C., Russell, A., Song, F.: Quantum-access-secure message authentication via blind-unforgeability. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, Part III, vol. 12107, pp. 788–817. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_27

  2. Alagic, G., Russell, A.: Quantum-secure symmetric-key cryptography based on hidden shifts. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, Part III, vol. 10212, pp. 65–93. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_3

  3. ANSI: Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques. ANSI X9.24-1-2017 (2017)

  4. Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_1

  5. Bellare, M., Kilian, J., Rogaway, P.: The security of cipher block chaining message authentication code. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 341–358. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_32

  6. Bindel, N., Hamburg, M., Hövelmanns, K., Hülsing, A., Persichetti, E.: Tighter proofs of CCA security in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, Part II, vol. 11892, pp. 61–90. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_3

  7. Black, J., Rogaway, P.: CBC MACs for arbitrary-length messages: the three-key constructions. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 197–215. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_12

  8. Black, J., Rogaway, P.: A block-cipher mode of operation for parallelizable message authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 384–397. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_25

  9. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3

  10. Boneh, D., Zhandry, M.: Quantum-secure message authentication codes. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 592–608. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_35

  11. Brassard, G., Høyer, P., Tapp, A.: Quantum cryptanalysis of hash and claw-free functions. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 163–169. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054319

  12. Chiesa, A., Manohar, P., Spooner, N.: Succinct arguments in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, Part II, vol. 11892, pp. 1–29. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_1

  13. Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: how to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_26

  14. Czajkowski, J., Hülsing, A., Schaffner, C.: Quantum indistinguishability of random sponges. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, Part II, vol. 11693, pp. 296–325. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_11

  15. Garg, S., Yuen, H., Zhandry, M.: New security notions and feasibility results for authentication of quantum data. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, Part II, vol. 10402, pp. 342–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_12

  16. Gaži, P., Pietrzak, K., Rybár, M.: The exact PRF security of NMAC and HMAC. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, Part I, vol. 8616, pp. 113–130. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_7

  17. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: ACM STOC 1996, Proceedings, pp. 212–219 (1996)

  18. Hosoyamada, A., Iwata, T.: 4-round Luby-Rackoff construction is a qPRP. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, Part I, vol. 11921, pp. 145–174. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_6

  19. Hosoyamada, A., Iwata, T.: 4-round Luby-Rackoff construction is a qPRP: tight quantum security bound. IACR Cryptol. ePrint Arch. 2019/243, version 20200720:101411 (2020). (A revised version of [18].)

  20. Hosoyamada, A., Iwata, T.: On tight quantum security of HMAC and NMAC in the quantum random oracle model (2021). To appear in IACR Cryptology ePrint Archive. (Full version of this paper.)

  21. Hosoyamada, A., Yasuda, K.: Building quantum-one-way functions from block ciphers: Davies-Meyer and Merkle-Damgård constructions. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 275–304. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_10

  22. Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: FSE 2003, Proceedings, pp. 129–153 (2003)

  23. Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, Part II, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_8

  24. Liu, Q., Zhandry, M.: On finding quantum multi-collisions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, Part III, vol. 11478, pp. 189–218. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_7

  25. Liu, Q., Zhandry, M.: Revisiting post-quantum Fiat-Shamir. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, Part II, vol. 11693, pp. 326–355. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_12

  26. NIST: Secure Hash Standard (SHS). NIST FIPS PUB 180–4 (2015)

  27. NIST: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. NIST FIPS PUB 202 (2015)

  28. NIST: Announcing request for nominations for public-key post-quantum cryptographic algorithms. National Institute of Standards and Technology (2016)

  29. Patarin, J.: The “coefficients H’’ technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21

  30. Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, Part III, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17

  31. Sanchez, I.A., Fischer, D.: Authenticated encryption in civilian space missions: context and requirements. DIAC - Directions in Authenticated Ciphers (2012)

  32. Song, F., Yun, A.: Quantum security of NMAC and related constructions. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, Part II, vol. 10402, pp. 283–309. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_10

  33. Zhandry, M.: How to construct quantum random functions. In: FOCS 2012, Proceedings, pp. 679–687. IEEE (2012)

  34. Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, Part II, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9
Acknowledgements

The second author was supported in part by JSPS KAKENHI Grant Number JP20K11675.

Author information

Correspondence to Akinori Hosoyamada.

Copyright information

© 2021 International Association for Cryptologic Research

Cite this paper

Hosoyamada, A., Iwata, T. (2021). On Tight Quantum Security of HMAC and NMAC in the Quantum Random Oracle Model. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. Lecture Notes in Computer Science, vol 12825. Springer, Cham. https://doi.org/10.1007/978-3-030-84242-0_21

  • DOI: https://doi.org/10.1007/978-3-030-84242-0_21
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-84241-3
  • Online ISBN: 978-3-030-84242-0