Post-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation
We examine the IND-qCPA security of the widespread block cipher modes
of operation CBC, CFB, OFB, CTR, and XTS (i.e., security against
quantum adversaries doing queries in superposition).
We show that OFB and CTR are secure assuming that the underlying block
cipher is a standard secure PRF (a pseudorandom function secure under
classical queries). We give counterexamples that show that CBC, CFB,
and XTS are not secure under the same assumption.
We also prove that CBC and CFB mode are secure if we assume a
quantum-secure PRF (secure under queries in superposition).
Characterizing the qIND-qCPA (in)security of the CBC, CFB, OFB and CTR modes of operation
We fully characterize the post-quantum security of the CBC, CFB, OFB and CTR modes of operation by considering all possible notions of security defined by Carstens, Ebrahimi, Tabia and Unruh (TCC 2021), thus extending the work performed by Anand, Targhi, Tabia and Unruh (PQCrypto 2016).
We show that the results obtained by Anand et al. for the security of these modes carry over to the other notions, namely the and ones. We also show that all of these modes are insecure according to all of the other notions, regardless of the block cipher they are used with.
We also provide two general results concerning the insecurity of commonly used properties of block ciphers, namely those preserving the length of their input and those using the operation as a way to randomize the encryption. Finally, we use these results to highlight the need for new quantum semantic security notions.
Hardware Design of an Advanced-Feature Cryptographic Tile within the European Processor Initiative
This work describes the hardware implementation of a suite of cryptographic accelerators, named Crypto-Tile, in the framework of the European Processor Initiative (EPI) project. The EPI project traced the roadmap to develop the first family of low-power processors designed fully in Europe, for Big Data, supercomputers and automotive. Each of the coprocessors of Crypto-Tile is dedicated to a specific family of cryptographic algorithms, offering functions for symmetric and public-key cryptography, computation of digests, generation of random numbers, and post-quantum cryptography. Each coprocessor outperforms other available solutions and offers innovative hardware-native services, such as key management, clock randomisation and access privilege mechanisms. The system has been synthesised on a 7 nm standard-cell technology, making it the first cryptoprocessor to be characterised in such an advanced silicon technology. The post-synthesis netlist has been employed to assess the resistance of Crypto-Tile to power analysis side-channel attacks. A demoboard has also been implemented, integrating a RISC-V softcore processor and the Crypto-Tile module, and drivers for the hardware abstraction layer, bare-metal applications and Linux kernel drivers have been developed in C. Finally, we used them to compare the execution speed of the hardware-accelerated algorithms against software-only solutions.
Breaking Symmetric Cryptosystems Using Quantum Period Finding
Due to Shor's algorithm, quantum computers are a severe threat for public key
cryptography. This motivated the cryptographic community to search for
quantum-safe solutions. On the other hand, the impact of quantum computing on
secret key cryptography is much less understood. In this paper, we consider
attacks where an adversary can query an oracle implementing a cryptographic
primitive in a quantum superposition of different states. This model gives a
lot of power to the adversary, but recent results show that it is nonetheless
possible to build secure cryptosystems in it.
We study applications of a quantum procedure called Simon's algorithm (the
simplest quantum period finding algorithm) in order to attack symmetric
cryptosystems in this model. Following previous works in this direction, we
show that several classical attacks based on finding collisions can be
dramatically sped up using Simon's algorithm: finding a collision requires
queries in the classical setting, but when collisions happen
with some hidden periodicity, they can be found with only queries in the
quantum model.
We obtain attacks with very strong implications. First, we show that the most
widely used modes of operation for authentication and authenticated encryption
(e.g. CBC-MAC, PMAC, GMAC, GCM, and OCB) are completely broken in this security
model. Our attacks are also applicable to many CAESAR candidates: CLOC, AEZ,
COPA, OTR, POET, OMD, and Minalpher. This is quite surprising compared to the
situation with encryption modes: Anand et al. show that standard modes are
secure with a quantum-secure PRF.
Second, we show that Simon's algorithm can also be applied to slide attacks,
leading to an exponential speed-up of a classical symmetric cryptanalysis
technique in the quantum model.
Comment: 31 pages, 14 figures
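The hidden-period structure in CBC-MAC that the Simon-based attack relies on, written out classically as an added example (not code from the paper). The block cipher is a toy 64-bit Feistel permutation keyed through SHA-256, an assumption made so that the snippet runs offline; the period and the resulting forgery hold for any block cipher E. Here the period s is computed from the key only to check the structure; the quantum adversary recovers the same s from O(n) superposition queries to f without knowing the key, and the final forgery needs just one classical MAC query.

```python
"""Hidden period in CBC-MAC (the structure exploited by the Simon-based attack).

Added illustration, not code from the paper. The block cipher is a toy
64-bit Feistel network keyed through SHA-256 (an assumption made so that
the example runs offline); the period structure holds for any block cipher.
"""
import hashlib
import os

BLOCK = 8  # toy block size in bytes (64-bit blocks)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Keyed round function: truncated SHA-256 of (key, round index, half block).
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 8-round balanced Feistel permutation E_k on one 64-bit block."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(8):
        left, right = right, _xor(left, _round(key, r, right))
    return left + right


def cbc_mac(key: bytes, message: bytes) -> bytes:
    """Plain CBC-MAC over whole blocks with zero IV: tag = E(...E(E(m1) ^ m2)...)."""
    assert message and len(message) % BLOCK == 0
    state = bytes(BLOCK)
    for i in range(0, len(message), BLOCK):
        state = toy_block_encrypt(key, _xor(state, message[i:i + BLOCK]))
    return state


def f(key: bytes, alpha0: bytes, alpha1: bytes, b: int, x: bytes) -> bytes:
    """f(b, x) = CBC-MAC(alpha_b || x) = E(E(alpha_b) ^ x).

    Because E(alpha_0) ^ E(alpha_1) is a fixed string s, f(0, x) = f(1, x ^ s)
    for every x: f has the hidden period (1, s) that Simon's algorithm finds."""
    return cbc_mac(key, (alpha0 if b == 0 else alpha1) + x)


def hidden_period(key: bytes, alpha0: bytes, alpha1: bytes) -> bytes:
    """s = E(alpha0) ^ E(alpha1), computed from the key only to check the structure."""
    return _xor(toy_block_encrypt(key, alpha0), toy_block_encrypt(key, alpha1))


def check_period(key: bytes, alpha0: bytes, alpha1: bytes, trials: int = 64) -> bool:
    """Classically confirm f(0, x) == f(1, x ^ s) on random inputs x."""
    s = hidden_period(key, alpha0, alpha1)
    for _ in range(trials):
        x = os.urandom(BLOCK)
        if f(key, alpha0, alpha1, 0, x) != f(key, alpha0, alpha1, 1, _xor(x, s)):
            return False
    return True


def forge(key: bytes, alpha0: bytes, alpha1: bytes, s: bytes, m: bytes):
    """Forgery once s is known: a single legitimate tag for alpha0 || m is also
    valid for the never-queried message alpha1 || (m1 ^ s) || m2 || ..."""
    tag = cbc_mac(key, alpha0 + m)  # the one MAC query the attacker makes
    forged_message = alpha1 + _xor(m[:BLOCK], s) + m[BLOCK:]
    return forged_message, tag


def demo(key: bytes = b"constructed-demo-key",
         m: bytes = b"pay $100" + b"to alice") -> bool:
    """Constructed inputs: two distinct first blocks alpha0, alpha1 and a 2-block m."""
    alpha0, alpha1 = bytes(BLOCK), bytes(BLOCK - 1) + b"\x01"
    if not check_period(key, alpha0, alpha1):
        return False
    s = hidden_period(key, alpha0, alpha1)
    forged_message, tag = forge(key, alpha0, alpha1, s, m)
    # The forged (message, tag) pair verifies although it was never queried.
    return forged_message != alpha0 + m and cbc_mac(key, forged_message) == tag


if __name__ == "__main__":
    print("period holds and forgery verifies:", demo())
```

The same two-block shape covers the other constructions in the paper's list: whenever a mode processes a chosen block through E and XORs the result into attacker-controlled data, a function of the form f(b, x) with period (1, E(alpha_0) ^ E(alpha_1)) can be built, which is exactly what Simon's algorithm needs.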
Tighter Post-quantum Secure Encryption Schemes Using Semi-classical Oracles
The random oracle model (ROM) has been widely used for analyzing cryptographic schemes. In the real world, a quantum adversary equipped with a quantum computer can execute hash functions on an arbitrary superposition of inputs. Therefore, one needs to analyze post-quantum security in the quantum random oracle model (QROM). Unfortunately, working in the QROM is quite difficult because many proof techniques in the ROM have no analogue in the QROM. A technique that can help solve this problem is the One-Way to Hiding (O2H) Theorem, which was first proven in 2015 by Unruh. In 2018, Ambainis, Hamburg and Unruh presented an improved version of the O2H Theorem which uses so-called semi-classical oracles and has higher flexibility and tighter bounds. This improvement of the O2H Theorem should allow us to derive better security bounds for most schemes that used the old version. We take one paper that used the old version of the O2H Theorem to prove the security of different schemes in the QROM and give new proofs using semi-classical oracles.
Quantum Key-Recovery on full AEZ
AEZ is an authenticated encryption algorithm, submitted to the CAESAR competition. It has been selected for the third round of the competition. While some classical analyses of the algorithm have been published, the cost of these attacks is beyond the security claimed by the designers. In this paper, we show that all the versions of AEZ are completely broken against a quantum adversary. For this, we propose a generalisation of Simon's algorithm for quantum period finding that allows efficient attacks to be built.
QCB: Efficient Quantum-secure Authenticated Encryption
It was long thought that symmetric cryptography was only mildly affected by quantum attacks, and that doubling the key length was sufficient to restore security. However, recent works have shown that Simon's quantum period finding algorithm breaks a large number of MAC and authenticated encryption algorithms when the adversary can query the MAC/encryption oracle with a quantum superposition of messages. In particular, the OCB authenticated encryption mode is broken in this setting, and no quantum-secure mode is known with the same efficiency (rate-one and parallelizable).
In this paper we generalize the previous attacks, show that a large class of OCB-like schemes is unsafe against superposition queries, and discuss the quantum security notions for authenticated encryption modes. We propose a new rate-one parallelizable mode named QCB inspired by TAE and OCB and prove its security against quantum superposition queries
Recherche de collisions et cryptanalyse symétrique quantique (Collision search and quantum symmetric cryptanalysis)
Since the decisive discovery of Shor's algorithm ([Sho94]), the cryptographic community has looked closely at the capabilities of a possible quantum computer, whose arrival would bring down most of the asymmetric primitives in use today. The situation in symmetric cryptography is more ambiguous: the general belief is that doubling key sizes is enough to protect current systems. Indeed, Grover's algorithm ([Gro96]) promises a quadratic speed-up for any kind of exhaustive search. However, recent work has called this peremptory claim into question ([Kap+16a]). My internship continues this line of work.