 Hi, everyone. Welcome to this presentation, which will be about quantum linearization attacks. This is a joint work with Xavier Bonthein, Kate-Anne Laurent, and Maya Naya-Pleasantian. So I will start this presentation by a little introduction of some context on quantum attacks in symmetric cryptography. Then we're going to see precisely what we do here, quantum forgery attacks on message authentication codes. And then I introduce the new attack. So in symmetric crypto, when we come to the security against quantum adversaries, there are actually two main kind of attackers we can consider. In the first setting, let's say what we call the Q1 model, the adversary can do quantum computations, but he can only make classical queries to our black box, for example, a safer with a secret key. This is the more realistic model. And this is also the model in which, for example, you can take off applying Grover's algorithm to recovery of the key. And this situation, so far, we have complained on the polynomial speedups on our symmetric crypto attacks. Now, there is a stronger model, strictly stronger, in which the adversary can do quantum computations, but he can also query this black box from inside a quantum algorithm, which means this black box, which contains a secret, can become a quantum oracle or a superposition oracle. And this allows new attacks. In particular, this allows some breaks and some exponential speedups and attacks that didn't exist classically. This is also a model in which, basically, you don't put any restriction on what the adversary can do with this oracle. With this oracle, so perhaps it's also actually more suited if you want to prove the security of these constructions, of some constructions in the quantum world. So this quantum superposition attacks work, usually, this way. You have a symmetric construction, and you're going to target its structure. So usually, you can abstract out all the subcomponents that are used in there. It's really the structure that is attacked. And it has a classical security proof, but there is a way to use a quantum hidden shift or hidden period algorithm, a dedicated one, to break this construction using superposition queries. So basically, you translate this, the key recovery problem or state recovery problem, into a hidden period problem. And then you use a dedicated quantum algorithm to solve this problem. And this is where we need superposition queries to the construction. A typical tool that we use and the one that we're going to use today is Simon's algorithm. It solves the following problem. You have a function, and the function has a period. Or let's say it is either injective, or it is 2 to 1 with a period, a Boolean period. So if you take x, and if you take x, so your period, you have the same image. And you want to determine the case or to find the period if it exists. Now, Simon's algorithm is really powerful. With a single superposition query to f, you can sample a random vector that is orthogonal to the period. And of course, if you do that n times or a linear number of times, you can have enough information to recover the period with a linear system. Now, what we mean by superposition query is you actually apply f on a quantum state. And this quantum state can be an arbitrary superposition of all possible input values. This is why we say superposition queries. But we're not going to enter into any more details of the quantum algorithms. Since you can use Simon's algorithm as a backbox. It's important to note that the original problem wasn't a cryptographic problem, because the function was 2 to 1. But if f is a random function with the only promise that it has a period, the algorithm is still going to work. So in this paper, we introduce an attack which we call the quantum linearization attack. And it's a new way to use period finding and algorithms such as Simon's to target symmetric constructions in a particular max. So we create new for-gear attacks on many mac constructions. We also end up using more algorithms than just Simon's. We use Deutsch's algorithm, Schwarz's algorithm. And there are many targets that are concerned by this. Many max that parallelize a bold max and also beyond burst-dependent max and so on. We also obtain, for example, the new superposition attack on 21.305. The previous one had 2 to the 38 queries. And this one has about 32 queries. OK. But let's see the cryptographic context now for these attacks. So we're studying max. Mostly, and a mac, a message authentication code, is simply a function that, given a certain secret key k and on a message of any length, produces an authentication tag. So what we want of this mac is that it must be unforgeable. So an adversary that is making chosen message queries and is querying the mac with chosen messages shouldn't be able to come up with a valid tag for a message he hasn't queried. Now, we can also consider a max that admits an additional input of the initial value, IV, or a nonce. And the role of this input is to be a random value or a non-repeated value that the adversary is not going to control. And then the definition adapts easily because we just say the adversary should end up with a valid triple IV message tag for a new IV message he hasn't queried before. We can consider a max with IVs or without IVs. But for now, we will start with max that use IVs. What does a new message mean in the quantum setting? This is the main question because the adversary now is making superposition queries to the mac. And a superposition query possibly contains all the messages in superposition. Fortunately, there are appropriate definitions in the quantum setting. The first one was what we call plus one and forability by Baudet & Zandri. And there, we just say the adversary makes Q queries. And he shouldn't be able to output Q plus 1 valid message tags. There is a stronger definition, which was developed at Eurocrack 20, and it's blinded for durability. So the adversary is making blinded mac queries. So he can only query the mac basically on the subset of the messages. And he shouldn't be able to output the tag of a message that is outside this subset. And even stronger, there is the security as a quantum pseudo-order function. In there, the adversary really cannot distinguish at all the mac from a random function. So all these notions, well, being a pseudo-order function implies blinded for durability implies plus one. So we just focus on breaking plus one. And this breaks all the other notions. So let's take an example. And this would be the tag part, the tag computation in OCP. OCP is a mode in which you do the encryption and also the authentication at the same time. But then we only consider here the authentication. So it's based on the block cipher. You have all the associated data blocks which are controlled. They're part of the queries. The n-bit blocks, we absorb them to offset values, which are secret values. We encrypt through EK. And we store everything. And then we add a message checksum. And we obtain our n-bit tag. So the assets should be secret. And also each time we do a query, we change the IV. OK? So what kind of quantum adversary do all that? Well, let's take an empty message. So we don't have to care about the message. And then we take two n-bit blocks, which are equal. Two n-bits equal 80 blocks. And we look at the input. And we look at the MAC with these two blocks. And they're both are equal. And we observe that, actually, there is an equality between coding the MAC with these two blocks, x, and coding the MAC with these two blocks, x plus s, where s would be the XOR of the two offsets, of delta 0 and delta 1. Because XORing the two offsets just means we're basically exchanging the blocks, but the blocks are equals. We're exchanging two equal blocks, so it gives the same value. And then we have that. We have this periodicity. That's nice. And then you can say, well, the IV is changing at each query. But it's not really a problem, because salmon subroutine uses a single query anyway. And once you have done that, you obtain a vector orthogonal to the period. So what really matters is that the period stays always the same. And just making new queries to different functions, but since it's always the same period, you can still end up recovering it. So after making a few queries to the MAC, a few quantum queries, we find the period s. And once we know s, we can actually double the number of tags that we output by making queries. Because we know that any message that starts with a 0, a 1, and any message that starts with a 1 plus s, a 0 plus s, we have the same tag, because s corresponds to exchanging the two offsets. So we cannot put, from a single query, two valid triples, in that case, message, IV, and tag. And of course, we break the plus 1 and forjability. So all these previous attacks on MACs, they did all that consisted all in finding out a hidden period problem. And this usually happens because there is a control value, in our case, the AD blocks, which is absorbed to a secret value, in our case, the offsets. And you can use this hidden period problem as a recovery of this internal secret value. And once you have that, then usually this can yield some internal collision, which increases the number of tags you can produce by MAC queries and completely breaks the forjability, which brings us to the idea of our new attack. And to see how it happens, we're going to start by trying to avoid the attack that I just presented on OCB. Let's remove the offsets to make life difficult for a quantum adversary. And this would bring us to TETA-CB, which is an abstraction of OCB in which instead of having offsets and block cipher cores, you have a tweakable block cipher instead. This tweakable block cipher is just a family of block ciphers indexed by the tweak. They make all these block ciphers independent. And while now you don't have a core with the offset anymore, and so you don't have the nice periodicity property that we observed, the previous attack doesn't work. But actually, on this precise construction, there is an easier attack that is based on Deutsch's algorithm, which sounds a bit weird. Because Deutsch's algorithm is actually the simplest quantum algorithm there is. It just solves the following problem. With a constant speedup, you are going to find out if a function from one bit to one bit is constant or balanced with a single query. Classically, of course, you need two queries to find out. And there, basically, you're computing the exor of the two outputs of F with a single superposition query. This is exactly what Deutsch's algorithm does. And let's use that with our MAC function here. So we're going to take a single block, and this is going to be either a 0 or 1. And we have a function of this block, of this block 0, 1. And we truncate the output to a single bit. So now we have a function from one bit to one bit. And with a single superposition query to this MAC, we can obtain one bit of, well, we obtain the exor of the two outputs. So the part that depends on the IV simply exores out. And we obtain one bit of encryption of 0 plus encryption of 1. And we do that for all the bits. So we can reconstruct the value. And once we have this complete value here, we can simply switch a 0 block in the first 80 block for a 1 block, which means we can query the tag of anything that starts with a 0. And force the tag of anything that starts with a 1. What happens here is that exoring with an AV-dependent value was a sufficient protection, classically. But it's not a sufficient protection for a quantum adversary. And this is what Deutsch's algorithm allows to bypass completely. OK, so this is our first attack. Still, it's not the complete linearization attack. Let's try to make life even more difficult for a quantum adversary. And instead of just exoring with an AV-dependent value, we're going to post-compute with an AV-dependent function. So now we have independent two-cable look-safe rule that just process all message blocks, we exor everything, and then we post-process with a function. And there, on this construction, which actually abstracts out many classically secret max, many parallel max, such as like Mac, for example. So on this construction, Simon's algorithm can be used to make forgeries again. It's going to be used in a different way. So we're going to start a bit lacking the attack with Deutsch's algorithm. And we're going to take two values for each block. So either 0 or 1. So basically, we replace, instead of calling the Mac with any messages, we're going to restrict the inputs to a single-bit blocks. So this single-bit input is here, B1 to BL. And so we will consider this restricted Mac as a function of an L-bit input. And our L-bit input here is x. And so this is a function that composes the post-processing and the internal sum. And now let's have a look at the internal sum. We're going to remark that this internal function that I named h here is an affine function of the input x. The reason for that is you can see that if we flip one bit of the input x, then we end up just absorbing an in-bit value to the output of h. Because we're just swapping one of the, for example, we're swapping a 0 block for a 1 block. So we just have to absorb an input. So algebraically, you can write this down as this. h of x is simply a binary matrix times our L-bit input plus a colon vector. So this is an affine function of the L-bit input x. But affine function means that if there are too many blocks, because we have the choice of the number of blocks that we query, so if, let's say, there are more than n or more than n plus 1 block, then we can expect that this matrix ML is going to have a non-trivial kernel. And there are going to be L-bit strings such that for each x, x plus alpha has the same output by this function h as x. So it's simply this alpha here is simply going to be a choice of input bits, such that if you flip all these input bits, then you re-obtain the same value just before post-processing in this set. Anyway, there is a period here, because this h was an affine function. And so even when you post-process by the function f, you still have a periodic function. And we can recover this period using Sam and Sargariva. The only change is that the data complexity has increased, because now each of our queries contains a linear number of blocks. So instead of having a data complexity of the order of n, we have order of n squared. But once we have obtained this period alpha, then we can, as before, we can make queries and produce two valid tags for each query we make. So this is, again, a break of the plus 1 and 4 stability. There is even more with this technique. So actually, when we can attack max of the form that I presented, we can also attack beyond-burst-debound variance. So beyond-burst-debound secure max, we are proposed to offer more security against forgery attacks. Because usually, the max such as let make the offer n over 2 bits of security against forgery attacks. And we can do better than that. Very classical approach is double hashed-in-sum approach, where you process your message block independently in two pipes of size n, and then the results are absorbed in the end. Now it's possible to apply, I would say, standard Simon-based attacks on these constructions. But the problem is, if you're able to embed a period on one of the pipes, then you don't control the other one anymore, basically. So your complexity is going to be time of applying Simon's algorithm multiplied by doing some kind of Grover search on the second pipe. And it's an n-bit value, so it's going to be of the order to do the n over 2, basically. In our case, in this context, we can still have a polynomial time attack. So a second example, and that would be like mic plus. Here, you process all the message blocks. And then, in one branch, you just absorb them as before. And in the other one, you compute a different linear function, because there are multiplications by two all the time. And in the end, you post process, and you absorb to obtain the tag. If we abstract this a bit, we have this. So we compute independently all the blocks, and then we sum them, and then we have another linear function. But we can apply the same reasoning as before, except that now, when we respect our inputs to single bits, we will have, first, a fine function of our L-bit input. And we have a second fine function of our L-bit input, which is different, because it's a differently linear mapping of the blocks. But although there are two different defined functions now, we are ensured that, as soon as there are enough blocks, let's say two end blocks, there will be a non-trivial vector, which is going to be a period of this, a fine function, and of this, a fine function. And so there are going to be periods for the full Mac. And the attack applies again. The only difference is that we just had to increase a little the data complexity, but just by a constant factor. So this is going to apply to many examples. And you can see it applies as soon as we process the input blocks independently, and then we compute some linear functions of these blocks. And then, again, we compute the tag from the outputs of these functions. This is all what we need to be able to apply this. Which means that, conversely, if you want plus 1 and 4 stability, then you need some sequentiality. And we know that, actually, NMAC, for example, is quantum secure. You can also use constructions that are IV based. And that used the IV in the processing of all the blocks, not only in the final function. And we also know that this works. Now, potentially, but we don't know about that yet, there could be some security if instead of using XOR to sum all these blocks, you use, for example, the modular additions. It's just that with a modular addition, the attack doesn't work anymore. But we really don't know what the security would be in the end. So to conclude, there are different ways in which you can see this attack. In this presentation, I adopted more of the quantum cryptanalysis perspective. You have a procedure that is based on Simon's algorithm that is different from the previous approaches. And that allows to break many MACs, the unforgability of many MACs, and practically, all the deterministic and palatable MAC constructions that we had so far. You can also view this from a probable security perspective. Because the fact that we have broken these MACs means that we can't prove the security in the code upsetting. And now the question remains whether we can design actual efficient, palatable quantum pseudo-alarm functions, for example, and quantum secure MACs. Also from a concrete security perspective, well, we have attacks in the superposition setting. But it would be interesting to know whether this has consequences when the queries are only classical, of course. So these are interesting open questions. And my presentation ends here. Thank you for your attention.