Hello everyone. Welcome to this talk. I am Ritam Bhaumik from Inria, Paris, and today I'll be talking about our paper "QCB: Efficient Quantum-Secure Authenticated Encryption" at Asiacrypt 2021. This is joint work with Xavier Bonnetain, André Chailloux, Gaëtan Leurent, María Naya-Plasencia, André Schrottenloher, and Yannick Seurin.

We begin with the block cipher, which is a secure, fixed-width encryption scheme, and we want to build, on top of it, an authenticated encryption mode. Now, what is an authenticated encryption mode? It takes in an initial value IV, a message M, and some associated data A, and it computes a ciphertext C and a tag T. And it comes with two promises. One is a promise of confidentiality: that is, C is indistinguishable from some random function of M, or some random permutation of M. The other is authenticity: (C, T) should not be forgeable. That is, an adversary who has not queried a particular triple (IV, M, A) should not be able to produce a (C, T) such that (IV, M, A) encrypts to (C, T). So this is an authenticated encryption mode.

Now, one way to achieve it is to handle the encryption and authentication tasks separately, as in the encrypt-then-MAC paradigm, where we first encrypt the message securely into a ciphertext C using some mode like the counter mode, and then we authenticate C with a secure MAC, like NMAC or HMAC. This gives us a secure AE mode. But the problem is that it is not lightweight: it is rate 2, that is, we need two block cipher calls for every message block. What we want here is a rate-1 AE mode, that is, it should only spend about one block cipher call for every message block. So that is the goal here. A popular AE mode which achieves this goal, which is rate 1, is the Offset Codebook, or OCB, and here we look at its present variant, OCB3. What it does is it takes the design of ECB, the electronic codebook, but before and after each block cipher call, it adds an offset.
This offset depends on the IV and on the block number. But the interesting thing about OCB3 is that the offset of a certain block, the Δ_{IV,i} of block i, is the XOR of two components, one which comes from the IV and one which comes from the block index.

Now we want to examine the quantum security of OCB. But before that, we have to decide on a model. In general, there are two broad models for examining quantum security, or security against a quantum adversary. One is the classical query model, where the adversary is only allowed to make classical queries to the construction, but can do offline computations on a quantum computer. This is a very realistic scenario, but it's less powerful because you do not get any superposition access to the construction. In some cases, in public-key encryption, such an adversary is powerful enough to completely break the system, but this is usually not the case in symmetric systems, and so far only quadratic speed-ups have been found, or very recently a bit more than quadratic, but not, for instance, exponential speed-ups. So this is the classical query model. More theoretical, but more suited to this provable-security scenario, is the superposition query model, where the adversary can do quantum computations offline, but can also access certain registers of the system quantumly, that is, in superposition. This can actually allow very powerful attacks on some symmetric systems, as we'll see. So in this paper, we consider this superposition query model. And as it turns out, OCB, which is, by the way, classically proven to be secure, is broken in the superposition query model. Before going into that, we should specify that here we only consider the messages to be quantumly accessible; that is, the adversary can query the construction with messages which are in superposition.
But the IV is still considered classical, because the IV is generally not controlled by the adversary. There can be a more general model where even the IV is quantumly accessible, but we do not consider that here; here we consider the case where the IV is always classical. Now, again, if we are happy with rate two, if we do not want lightweight, then the counter plus NMAC/HMAC mode still works: it gives us an AE mode which is secure in the superposition query model we just described. But as mentioned before, we want a rate-one mode, and so we want some way to fix OCB to make it quantum resistant without spending extra block cipher calls. That is what we'll explore in the rest of this paper.

One of the very important tools in these superposition query models, to attack and break symmetric systems, is Simon's algorithm. What it does is this: given a periodic function F, that is, a function with some hidden period S such that F(X ⊕ S) is always equal to F(X), and given superposition query access to such a function F, Simon's attack can recover the secret period S in polynomial time. This is something that cannot be done in a classical scenario, and it gives us access to some new and very interesting attacks on symmetric systems, for instance on OCB3. Now, it's not unnatural that OCB3, a cipher designed with a classical adversary in mind, leaves vulnerabilities such as hidden periods, because a hidden period is usually not a vulnerability when the adversary is just classical. And as it turns out, in OCB3 there are hidden periods everywhere. For instance, in the ciphering part, if we take the encryption of two equal message blocks and then XOR the outputs, it gives us an F(X) with a hidden period of Δ0 ⊕ Δ1. This happens because the period would actually have been Δ_{IV,0} ⊕ Δ_{IV,1}, but as mentioned before, Δ_{IV,0} is just the XOR of Δ_IV and Δ0.
So the Δ_IV part cancels out from the two offsets, and we are just left with Δ0 ⊕ Δ1, which is not dependent on the IV. Thus, we can just repeatedly query this and then use Simon's attack to recover Δ0 ⊕ Δ1. And even if we do not look at the ciphering part, we can just look at the tag part instead and query it with an empty message and two equal AD blocks. Then we can see that the output, the tag F(X), has a component which is dependent on the IV, but the rest of it is a function which has this hidden period of Δ0 ⊕ Δ1. Now, this is not strictly periodic, because if you cannot repeat the IV, then this function changes for each different IV; but for Simon's attack, it's sufficient that the period is constant, since it works by sampling vectors orthogonal to the period. So Simon's attack can still be used in this case to recover Δ0 ⊕ Δ1.

Just to mention why this is an attack: once you have Δ0 ⊕ Δ1, it's very simple to make a forgery. We can just take any two blocks A0, A1 which do not XOR to Δ0 ⊕ Δ1. Then, for some IV and some M, we can query (IV, A0, A1, M) to get some (C, T). Then we can swap A0 and A1, putting A1 in the first block and A0 in the second block, and add to each this difference Δ0 ⊕ Δ1. It's easy to check that (C, T) is then a valid forgery for the triple IV, (A1 ⊕ Δ0 ⊕ Δ1, A0 ⊕ Δ0 ⊕ Δ1), and M. So with this, once this sum of offsets has been recovered, it's quite easy to attack OCB3. Now, it may seem that the real problem here is that Δ_{IV,0} ⊕ Δ_{IV,1} is independent of the IV, because the IV components get cancelled out. And one attempt to fix this could be just to make this XOR of the two offsets IV-dependent.
For instance, we can take Δ_{IV,i} to be i · E_K(IV). Then this same attack doesn't work, because the IV changes each time. But we show in this paper that this construction is still vulnerable to a similar attack, because in the same query we can take non-overlapping pairs (i1, i2), for instance (1, 2), (3, 4), and so on, up to (n−1, n), and take the same X there, so M1 = M2, M3 = M4, and so on. Then we take the XORs C1 ⊕ C2, C3 ⊕ C4, and so on. With this, using Simon's algorithm, we can find vectors orthogonal to these differences, the periods of these functions C1 ⊕ C2 and so on, and with this we can find enough data to solve for E_K(IV). This is one of the first results we find in this paper, because the earlier attacks are already well known. So this is not enough to fix OCB. What we can guess from here is that it is the offsets which are the problem: Simon is very powerful against many kinds of offsets, and it's quite difficult to fix this without changing this very structure of adding the offsets.

We can turn instead to ΘCB. So what is ΘCB? This is OCB3, but here we abstract out this entire middle part of XORing the offset, passing through the block cipher call, and XORing the offset again, and we say that this is a tweakable block cipher where the offset acts as a tweak. This is actually used: the name ΘCB is given by the authors of the OCB paper, and they use it as an intermediate construction for the proof of OCB3. What we can say is that ΘCB itself does not have so many problems, so we use ΘCB, but we do not use these offsets; we process the tweak differently, we do not use them as offsets, and that is the direction we look in for trying to fix OCB. So we come up with QCB, which is the construction we propose in this paper.
In the encryption part, this is actually similar to ΘCB, and we assume for now that this Ẽ is a secure, quantumly secure tweakable block cipher; I'll explain soon what I mean by that. So the encryption part of QCB is the same as ΘCB, because this is secure enough. But for the tag part, there is an important change. In OCB3, we do not use the IV for getting the tags; they process these offsets, which are not dependent on the IVs. But here, we need the IVs to go into the tweaks for processing the associated data. So this is one important change, and this is the QCB construction.

Now we turn to proving it secure. Before that, we have to define its security, which is one of the tricky bits. First, we need a secure TBC. Now, what do we mean by that? Ideally, a quantum-secure TBC should withstand the following game, where the adversary is trying to distinguish E_K^T from a family of random permutations Π^T. The tweak inputs are classical, but the messages are in superposition. These classical tweaks can be chosen adaptively; there is no restriction on that. This is the ideal definition of a TBC. With this, when we instantiate QCB with this ideal TBC, we can make the following claims. In confidentiality, we can show IND-qCPA security. What we mean by that: in the IND-qCPA game, there is a query phase where the adversary makes Q encryption queries with adaptive classical IVs and some (M, A) which can be in superposition. Then there is a challenge phase where the adversary has to distinguish between the encryptions of two classical messages. This part is important: in the challenge, the challenges have to be classical. For authenticity, we use the Boneh-Zhandry definition, where in the query phase the adversary makes Q encryption queries, again with adaptive classical IVs and (M, A) possibly in superposition, and in the forging phase the adversary must output Q + 1 valid tuples (A, IV, C, T).
This is the Boneh-Zhandry definition. And we can show that QCB achieves both these goals when instantiated with an ideal TBC. How do we prove that? Well, first, we replace all the tweakable block ciphers with ideal random permutations, which are independent for different tweaks. Then it's simple to argue: in confidentiality, since the IVs are not repeated, when we move on to the challenge phase, the permutations which appear in the challenge phase do not appear in the query phase, and their outputs are independent of any information the adversary may obtain in the query phase. So the adversary can never do better than random. For authenticity, we classify the forgery attempt, these Q + 1 tuples which the adversary submits as a forgery attempt, based on whether it contains a new IV, or a new ciphertext block, or some new associated data. In each case, we show that one of two things must be true: either the adversary produces an input-output pair for some random permutation which it has never queried, or the adversary produces two input-output pairs for a random permutation which has only been queried once. And we can claim that both of these are difficult to do better than a random guess. This gives us a proof of the security of QCB with an ideal TBC.

But we want to go further, because an ideal TBC may not be rate one. For instance, there is a construction by Hosoyamada and Iwata which needs three block cipher calls for every TBC call. But this does not help us, because if we instantiate QCB with a TBC which spends more than one block cipher call for every TBC call, then QCB does not remain rate one anymore, and our original purpose was to fix that. So we want to look for a TBC which is rate one. And we found the key-tweak insertion TBC, where the tweak is just XORed with the key.
This in many cases is not a very ideal construction for a TBC, but we find that it serves our purpose very well. So now we need to prove the security of this TBC. Unfortunately, we will not prove the ideal TBC security which we promised before; instead we prove its security under a slightly more restrictive condition, where the tweaks are non-adaptive. So the adversary has to declare a set of tweaks beforehand, and then the rest of the game is the same. This is the only restriction we need. And since this is not an ideal TBC, we also modify the security goals of QCB accordingly. In fact, in this TBC security definition, we make one other small change, but I'll come to that later. So, for the QCB security, the modified goals look as follows. There is a modified IND-qCPA where the IVs are either random or specified in advance, so they are not adversary-controlled, and the query phase and challenge phase are as before. Then for authenticity, we have the modified BZ definition, where again the IVs are random or specified in advance, and the query phase and forging phase are as before. So we make these modifications to take into account the modified security of the TBC we are using to instantiate this particular QCB. Just to clarify, here we are talking about QCB when instantiated with the key-tweak insertion TBC. And how do we prove this security? Well, it mostly follows the proof for the ideal TBC case. We can show that once we put this restriction on the IVs, we can just reduce it to the security of the TBC under our modified definition. But there is one caveat. As we recall, for the proof of BZ, we need to verify the forging attempts, and for that we'll need additional TBC queries, which may be with fresh tweaks which are not declared in advance.
So this is not strictly captured by the non-adaptive tweaks scenario we discussed before. But for this, we can just make a simple change: in the TBC security game, after the quantum query phase, there is a classical query phase where the adversary can ask a number of classical queries, non-adaptive of course, because the forging attempts have to be made all at once, but these can use tweaks which are not predicted, which do not belong to the predicted list. So we make this definition, and with that we can prove the modified BZ for QCB. That is all we find in this paper.

In conclusion, what we show is that if the TBC is perfect, if it's ideal, then QCB has this full IND-qCPA security and BZ authenticity, and it's also rate one. But we did not manage to instantiate it with such a TBC, because we could not prove this ideal quantum security for our rate-one TBC. So instead, we show that with the modified definition, where the tweaks are predicted, QCB has these modified IND-qCPA and BZ securities. But these all follow the ideal cipher model, so we do not have any results in the standard model. That is all we found in this paper. And there are several open questions. For instance, can we properly define IND-qCCA security for AE, and then can we maybe explore the IND-qCCA security of rate-one constructions like QCB? And can we say something about BU authenticity, which is blind unforgeability, a more recent definition: can we say anything about the BU unforgeability of rate-one constructions? And of course, can we prove that the key-tweak insertion has full quantum security? We don't know; we need the adaptive tweak case. If we can show that, then QCB is shown to be fully IND-qCPA and BZ secure without the modifications. And finally, can we say anything without the ideal cipher model?
Like about the quantum security of rate-one, parallelizable constructions. So, that is all. Thank you for listening to this recorded talk. The full version of this paper can be found on ePrint. And maybe see you at Asiacrypt. Thank you.
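As an added illustration (a toy model written for this page, not code from the paper or from the OCB/QCB authors), the following Python script reproduces the structural point of the talk: with OCB3-style offsets that XOR an IV part with an index-only part, the function x ↦ tag(IV, [x, x]) has the same period Δ0 ⊕ Δ1 for every IV and the swap-and-shift relation on the associated data holds, while a QCB-style tag that puts the IV into the tweak of a key-tweak insertion TBC shows neither. The 16-bit Feistel cipher, the offset derivation, the tweak encoding and the key are constructed stand-ins (not OCB3's real L-based offsets), and the period is computed from the key here rather than recovered with Simon's algorithm.

```python
import random

N = 16                                   # toy block width in bits
_SBOX = list(range(256))
random.Random(7).shuffle(_SBOX)          # fixed nonlinear byte map (constructed)

def E(key: int, x: int) -> int:
    """Toy keyed 16-bit permutation (4-round Feistel); stand-in for E_K, not secure."""
    l, r = x >> 8, x & 0xFF
    for i in range(4):
        k = (key >> (8 * i)) & 0xFF      # one key byte per round
        l, r = r, l ^ _SBOX[r ^ k]
    return (l << 8) | r

def ocb3_ad_tag(key: int, iv: int, blocks: list) -> int:
    """OCB3-style tag of an empty message: IV-dependent term XOR sum_i E_K(A_i ^ delta_i)."""
    tag = E(key, E(key, iv))             # toy stand-in for the IV-dependent part
    for i, a in enumerate(blocks):
        delta_i = E(key, 0x100 + i)      # toy stand-in for OCB3's index-only offsets
        tag ^= E(key, a ^ delta_i)
    return tag

def qcb_ad_tag(key: int, iv: int, blocks: list) -> int:
    """QCB-style tag: AD block i goes through the key-tweak insertion TBC E_{K ^ (IV, i)}."""
    tag = 0
    for i, a in enumerate(blocks):
        tweak = (iv << 8) | i            # tweak = (IV, block index); XORed into the key
        tag ^= E(key ^ tweak, a)
    return tag

def period_offset(key: int) -> int:
    """delta_0 ^ delta_1, computed from the key here (what Simon's algorithm would recover)."""
    return E(key, 0x100) ^ E(key, 0x101)

def has_period_for_all_ivs(tag_fn, key: int, s: int, ivs, samples: int = 500) -> bool:
    """True if f(x) = tag_fn(key, iv, [x, x]) has f(x ^ s) == f(x) on samples for every IV."""
    rng = random.Random(1)
    for iv in ivs:
        for _ in range(samples):
            x = rng.getrandbits(N)
            if tag_fn(key, iv, [x, x]) != tag_fn(key, iv, [x ^ s, x ^ s]):
                return False
    return True

def swap_shift_matches(tag_fn, key: int, iv: int, a0: int, a1: int, s: int) -> bool:
    """Forgery relation from the talk: AD (A0, A1) and (A1 ^ s, A0 ^ s) get the same tag."""
    return tag_fn(key, iv, [a0, a1]) == tag_fn(key, iv, [a1 ^ s, a0 ^ s])

if __name__ == "__main__":
    key, ivs, s = 0x1234ABCD, [1, 2, 0xBEEF], period_offset(0x1234ABCD)   # constructed values
    for name, fn in (("OCB3-style", ocb3_ad_tag), ("QCB-style", qcb_ad_tag)):
        print(name, "IV-independent period:", has_period_for_all_ivs(fn, key, s, ivs),
              "| swap/shift relation:", swap_shift_matches(fn, key, 1, 0x1111, 0x1111 ^ s ^ 1, s))
```

The OCB3-style tag reports True for both checks because the Δ_IV term cancels in the XOR of the two AD terms; the QCB-style tag reports False for both because each AD block is processed under a different, IV-dependent permutation.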