Quantum Attacks on HCTR and its Variants

Recently, in Asiacrypt 2019, Bonnetain et al. have shown attacks by quantum adversaries on the FX construction and the Even-Mansour cipher without using superposition queries to the encryption oracle. In this work, we use a similar approach to mount new attacks on the HCTR and HCH constructions. In addition, we mount attacks on HCTR, Tweakable-HCTR and HCH using superposition queries to the encryption oracle, following the strategies proposed by Leander and May in Asiacrypt 2017 and by Kaplan et al. in Crypto 2016.


Introduction
The polynomial-time solvability of the integer factorization and discrete logarithm problems by Shor's algorithm [16] poses a major threat to public key cryptographic primitives from quantum adversaries. In the case of symmetric key schemes, Grover's algorithm [7] has long been considered to provide the best attack, speeding up exhaustive search of the secret key by a quadratic factor. Thus, doubling the key length resists such attacks and restores the quantum security of the schemes to their classical level. Leveraging the power of Simon's algorithm [17], the chosen plaintext attack on the 3-round Feistel cipher [13] and the quantum attack on the Even-Mansour cipher [14] by Kuwakado and Morii opened up a new direction for the cryptanalysis of symmetric key schemes in the quantum setting.
One of the major questions in the analysis of quantum attacks is the choice of adversarial model. In this regard, there are mainly two adversarial models, Q1 and Q2, which are used extensively in the literature for mounting quantum attacks on cryptographic schemes [1,5,2,12,10,6]. In the Q1 model, the attacker is allowed to make only classical queries to the encryption oracle but has access to a quantum computer for offline computations. In the Q2 model, in addition to having access to a quantum computer, the attacker is allowed to make superposition queries to the oracle. In the Q2 model, Kaplan et al. have shown attacks on modes of operation for authentication and authenticated encryption using Simon's algorithm [11]. Leander and May have shown how to combine Grover's algorithm with Simon's algorithm to mount attacks on the FX construction [15]. These attacks are also based on quantum superposition queries to the quantum oracle. Recently, Bonnetain et al. have given attacks on several schemes without making superposition queries to the oracle [1].
Our Contributions. The attacks presented in this paper consider both the Q1 and Q2 models. The procedures proposed by Leander and May [15] are used to combine Grover's search algorithm with Simon's algorithm for mounting attacks in the Q1 model. The methods proposed in [1] are also used to mount attacks without making superposition queries to the oracle. These results are combined to mount quantum attacks on HCTR [18] and HCH [3]. Attacks in the Q2 model are mounted on HCTR, Tweakable-HCTR and HCH by following the approach proposed by Kaplan et al. [11]. All the attacks are presented with their corresponding complexities.
The rest of the paper is organized as follows. Initially, a preliminary discussion of the necessary quantum algorithms and their impact on cryptography is presented. Then the method of truncating outputs of quantum oracles is described in Section 3. In Section 4, our attacks on the various schemes are described. First, attacks on HCTR in both the Q1 and Q2 models are proposed. Then an attack on Tweakable-HCTR is illustrated, considering only the Q2 model. Finally, attacks on HCH in the Q1 and Q2 models are discussed. The paper closes with concluding remarks.

Preliminaries
Here, some quantum algorithms and how they have been used in cryptanalysis are discussed. First, a brief description of Simon's algorithm is given and its application in [11] is discussed. Next, Grover's search algorithm is briefly mentioned. Finally, the results of [15] and [1] are summarized.

Simon's Algorithm
In discussing Simon's algorithm [17], the problem that it solves needs to be defined first. The problem is popularly known as Simon's Problem.
Problem 1 (Simon's Problem). Given a boolean function f : {0, 1}^n → {0, 1}^n and the promise that there exists s ∈ {0, 1}^n (Simon's promise) such that for any (x, y), f(x) = f(y) if and only if y ∈ {x, x ⊕ s}, find s. Classically, this problem can be solved in Θ(2^{n/2}). Using Simon's algorithm, this problem can be solved with O(n) quantum queries. The steps of Simon's algorithm are given in Algorithm 1.
Algorithm 1: Simon's Algorithm
1. Consider the unitary map U_f given by |x, y⟩ → |x, y ⊕ f(x)⟩. Two registers are initialized with the n-qubit state |0⟩ each. The Hadamard transform H^⊗n is applied to the first register to obtain a quantum superposition.
5. Measuring the first register collapses it to a random vector y such that y·s = 0. The vectors y with y·s = 1 have amplitude 0, so the first register never collapses to such values.
6. Steps 1 to 4 are repeated O(n) times, which produces n − 1 independent random vectors orthogonal to s. The resulting linear system can be solved to retrieve the value of s.
Simon's Algorithm in Cryptography. In cryptographic applications, Simon's algorithm cannot always be applied directly. The reason is that the function to be analyzed sometimes has partial periods in addition to a full period. Kaplan et al. [11] have also shown how Simon's algorithm applies under such constraints. This particularly handles the condition where ∃t such that f(x) = f(x ⊕ t) with t ∉ {0, s}. They use the collision rate ε(f, s) to compute the success probability of Simon's algorithm, where
ε(f, s) = max_{t ∈ {0,1}^n \ {0, s}} Pr_x[f(x) = f(x ⊕ t)].
The following theorems in [11] handle the conditions under which Simon's promise does not hold precisely.
If there is no bound on ε(f, s), then it is not always possible to recover s. But one can still find a t such that Pr_x[f(x) = f(x ⊕ t)] is very high, as the following theorem states.
Theorem 2 (Simon's Algorithm without Promise) [11]. After the execution of cn steps of Simon's algorithm, if t is orthogonal to all vectors u_i returned by the individual steps of the algorithm, then Pr_x[f(x) = f(x ⊕ t)] ≥ p_0 with a probability that depends on (1 − p_0) and c and becomes high for a sufficiently large c.

Grover's Search Algorithm
Consider an unordered set X with N elements. Classically, searching this set takes O(N) time. Using a quantum computer, Grover's algorithm [7] finds an element in X in O(√N) time. This is a quadratic speed-up over classical brute-force search; for example, a 128-bit keyspace can be searched in 2^64 iterations.

Simon's Algorithm with Asymmetric Queries
Leander and May have combined Grover's search algorithm with Simon's algorithm to recover keys for the FX construction [15]. This combination of algorithms for finding a period has a large impact on cryptographic schemes, and Bonnetain et al. have formally defined the underlying problem as Asymmetric Search of a Period [1].
Problem 2 (Asymmetric Search of a Period) [1]. Consider a family of functions F indexed by {0, 1}^m, denoted by F(i, ·) = f_i(·), and a function g with the same domain and range. The problem is to find i_0 and s such that ∀x ∈ {0, 1}^n, f_{i_0}(x) ⊕ g(x) = f_{i_0}(x ⊕ s) ⊕ g(x ⊕ s) for a certain s, under the following assumptions:
- Quantum oracle access to F is given.
- In the Q1 model, classical oracle access to g is given, whereas in the Q2 setting g is accessed as a quantum oracle.
- There is exactly one i ∈ {0, 1}^m such that f_i ⊕ g has a hidden period.
Bonnetain et al. have observed that while testing whether f_i ⊕ g has a period or not, the function g always remains the same. Leveraging this, the number of queries to g is reduced and the result of those queries is reused several times. In the Q2 model, g is queried in superposition, whereas in the Q1 model only classical queries to g are allowed; the state |ψ_g⟩ is built from those classical answers, and the rest of the computation is formed by making quantum superposition queries to f_i.
In our work, we use the existing techniques of [1] to attack encryption schemes. A brief overview of the algorithms introduced in [1] to solve the Asymmetric Search of a Period problem, with their corresponding complexities, is given here (for details, refer to [1]).
- Alg-PolyQ2 solves the Asymmetric Search of a Period problem in the Q2 model. It is allowed to make quantum superposition queries to g for the online computations.
- Alg-ExpQ1 solves the Asymmetric Search of a Period problem in the Q1 model. It is allowed to make only classical queries to g for the online computations.
During the offline computations, both Alg-PolyQ2 and Alg-ExpQ1 find, using Grover's search algorithm, an i such that for that fixed i, f_i ⊕ g has a period. Note that neither algorithm returns the actual period of f_i ⊕ g. For finding the period, Simon's algorithm is applied to f_i ⊕ g. In the Q1 model, Simon's algorithm is applied for finding the period by making classical queries to the oracle; for this purpose Alg-SimQ1 has been defined in [1].
Cost Estimation. The attacks presented in this work make use of Alg-ExpQ1 and Alg-SimQ1. The following two propositions (from [1]) give the cost estimates when these algorithms are applied to mount attacks.
Proposition 1 (Proposition 3 in [1]). Let c be a sufficiently large constant, let m be in O(n), and let g ⊕ f_{i_0} have a period for a good i_0. Assume that the condition required in [1] holds. Then a good i ∈ {0, 1}^m is found by Alg-ExpQ1 with probability Θ(1) by making classical queries to g and quantum queries to F. The numbers of classical and quantum queries are O(2^n) and O(n·2^{m/2}) respectively. If T_F is the time required to evaluate F once, then Alg-ExpQ1 executes the offline computations in time O((n^3 + n·T_F)·2^{m/2}). Note that the offline computation does not include the time required to prepare the state |ψ_g⟩.
Proposition 2 (Proposition 4 in [1]). Suppose that f_{i_0} ⊕ g has a period s ≠ 0 and satisfies the condition required in [1]. Then Alg-SimQ1 makes O(2^n) classical queries to g and cn queries to f_{i_0}, and returns the period s with probability at least 1 − 2^n·(3/4)^{cn}. If T_f is the time required to evaluate f_{i_0} once, then the offline computation of Alg-SimQ1 runs in time O(n^3 + n·T_f).
For performing attacks in the Q1 model, the whole codebook of g would have to be queried to form |ψ_g⟩. In order to reduce the number of queries to g, there is a trade-off between online classical queries to g (data complexity) and offline quantum computations (time complexity). In the rest of the paper, the number of online classical queries is denoted by D and the number of offline computations by T.

Output Truncation of Quantum Oracles
In the attack on the 3-round Feistel cipher, Kuwakado and Morii [13] use the right half of the output from the quantum oracle to mount distinguishing attacks. In [11], it is mentioned that the left and right halves of the output are entangled, whereas Simon's algorithm requires a completely unentangled input. In [9,8], it is shown how to truncate the right half of the output from the complete output when a quantum oracle is queried.
The attacks presented in this paper are on modes of operation of block ciphers; essentially, a part of the ciphertext is exploited to mount them. The truncation technique of [9,8] can be employed to take a part of the ciphertext. Let E_k encrypt m_1||···||m_s to c_1||···||c_s, where the m_i's and c_i's are n-bit blocks and y_1||···||y_s are ancilla qubits. Then the corresponding quantum oracle O_k can be represented as
O_k : |m_1, ..., m_s, y_1, ..., y_s⟩ → |m_1, ..., m_s, y_1 ⊕ c_1, ..., y_s ⊕ c_s⟩.
Suppose the p-th ciphertext block c_p needs to be considered for further operation. Therefore, we want to simulate an oracle that returns only c_p,
O_k{p} : |m_1, ..., m_s, y⟩ → |m_1, ..., m_s, y ⊕ c_p⟩,
which has the same form as the map U_f of Algorithm 1. Let H^⊗n be the n-qubit Hadamard gate and |+⟩ := H^⊗n|0^n⟩. Setting y_1, ..., y_{p−1}, y_{p+1}, ..., y_s = 0^n and applying Hadamard on them, every ancilla register other than the p-th holds |+⟩, which is left unchanged by XOR with any c_i, so the representation of O_k can be rewritten with those registers unchanged. Let swap(p) be the function that swaps the (s+1)-th output with the (s+p)-th. Now the oracle O_k{p} can be defined as O_k on this prepared state followed by swap(p). It can be verified that O_k{p} truncates the p-th ciphertext block whenever quantum access to O_k is given. Figure 1 shows how O_k{p} is constructed from O_k.

Attacks on HCTR, Tweakable-HCTR and HCH
Based on the previous theoretical explanations, it is possible to mount attacks on HCTR, Tweakable-HCTR and HCH in the Q1 and Q2 models. The attack on HCTR is discussed extensively. The remaining two attacks are quite similar to the attack on HCTR, and thus they are described only briefly. HCTR can encrypt an n-block message M_1||M_2||···||M_n. For mounting the attack, the second ciphertext block C_2 is used; instead of C_2, any C_i (2 ≤ i ≤ n) can be used to perform the attack. Similar strategies are followed for Tweakable-HCTR and HCH.

Attack on HCTR
Our first attack is on HCTR, or Hash-Counter, a tweakable enciphering scheme proposed by Wang, Feng and Wu [18]. It is a strong tweakable pseudorandom permutation with a hash-encipher-hash structure whose middle layer uses counter mode. It is a length-preserving tweakable enciphering scheme which supports inputs of arbitrary variable length. Fig. 2 shows the HCTR construction. HCTR uses a block cipher E : {0, 1}^m × {0, 1}^n → {0, 1}^n and a universal hash function H_h; encryption under tweak T ∈ {0, 1}^t and block cipher key K ∈ {0, 1}^m is denoted HCTR^T_K. To consider only the i-th ciphertext block, we introduce the operator Π_i. Note that, as all the ciphertext blocks are entangled, it is not trivial to truncate the i-th ciphertext block; the method described in Section 3 is followed for truncating a specific ciphertext block.
In the original construction, the tweak length is fixed and can be zero. In the following attacks, the tweak length is considered non-zero and each message block is n-bit. The attack is performed using two message blocks and can easily be extended to an arbitrary number of message blocks. Consider HCTR encrypting a message M_1||M_2 under tweak T to obtain C_1||C_2, with K the key of the underlying block cipher. Then, writing MM = M_1 ⊕ H_h(T||M_2), the second ciphertext block produced by the counter layer is C_2 = M_2 ⊕ E_K(MM ⊕ E_K(MM) ⊕ 1).
Attack in Q2 Model. In the Q2 model, quantum superposition queries can be made to the HCTR oracle. The message x||M_2 is queried under two tweaks T_0 and T_1, and the output C_2 is used to construct
g(x) = Π_2(HCTR^{T_0}_K(x||M_2)) ⊕ Π_2(HCTR^{T_1}_K(x||M_2)).
Clearly, g(x) is a periodic function with period H_h(T_0||M_2) ⊕ H_h(T_1||M_2), i.e., g(x) = g(x ⊕ H_h(T_0||M_2) ⊕ H_h(T_1||M_2)), and the period can be recovered by applying Simon's algorithm to g(x) with O(n) queries. Figure 3 shows how the Simon function g(x) is constructed. Π_2(HCTR) returns the second ciphertext block for the message blocks queried to the oracle. Note that, as discussed in Section 3, Π_2(HCTR) can be constructed given quantum oracle access to HCTR.
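As an added illustration (not code from the paper), the following toy model instantiates the Q2 attack above on an 8-bit HCTR: E_K is a constructed key-seeded permutation, H_h a constructed GF(2^8) polynomial hash, and all sample values are constructed. It tabulates g(x), computes the exact distribution of the first-register measurement in one round of Algorithm 1, samples O(n) such vectors and solves for the period, which must equal H_h(T_0||M_2) ⊕ H_h(T_1||M_2); the quantum step is simulated classically, so it is only feasible for toy block sizes.

```python
# Added toy model of the Q2 attack on HCTR's second ciphertext block; the 8-bit
# block size, toy cipher E_K, toy hash H_h and sample values are all constructed.
import random

N = 8                                   # toy block size in bits

def gf_mul(a, b):                       # multiply in GF(2^8), AES polynomial
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def make_cipher(key):                   # toy E_K: key-seeded permutation of {0,1}^N
    perm = list(range(1 << N))
    random.Random(key).shuffle(perm)
    return perm.__getitem__

def poly_hash(h, blocks):               # toy polynomial hash H_h over GF(2^8)
    acc = 0
    for b in blocks:
        acc = gf_mul(acc ^ b, h)
    return acc

def hctr_c2(E, h, T, M1, M2):
    """C2 for M1||M2 under tweak T: MM = M1 ^ H_h(T||M2), C2 = M2 ^ E_K(MM ^ E_K(MM) ^ 1)."""
    MM = M1 ^ poly_hash(h, [T, M2])
    return M2 ^ E(MM ^ E(MM) ^ 1)

def simon_function(E, h, T0, T1, M2):   # g(x) = Pi_2(HCTR^T0(x||M2)) ^ Pi_2(HCTR^T1(x||M2))
    return [hctr_c2(E, h, T0, x, M2) ^ hctr_c2(E, h, T1, x, M2) for x in range(1 << N)]

def simon_distribution(g):
    """Exact law of the first-register measurement in one round of Algorithm 1:
    Pr[y] = 2^-2N * sum_z |sum_{x : g(x)=z} (-1)^{x.y}|^2; it is zero whenever y.s = 1."""
    pre = {}
    for x, z in enumerate(g):
        pre.setdefault(z, []).append(x)
    parity = lambda v: bin(v).count("1") & 1
    return [sum(sum(-1 if parity(x & y) else 1 for x in xs) ** 2 for xs in pre.values())
            / (1 << (2 * N)) for y in range(1 << N)]

def recover_period(g, rng, rounds=8 * N):
    """Step 6 of Algorithm 1: sample measured vectors y, row-reduce over GF(2), return
    every nonzero s orthogonal to all of them (ideally exactly the period)."""
    ys = rng.choices(range(1 << N), weights=simon_distribution(g), k=rounds)
    basis = {}                          # leading bit -> reduced row
    for y in ys:
        for lead in sorted(basis, reverse=True):
            if (y >> lead) & 1:
                y ^= basis[lead]
        if y:
            basis[y.bit_length() - 1] = y
    return [s for s in range(1, 1 << N)
            if all(bin(r & s).count("1") % 2 == 0 for r in basis.values())]

def demo(key=0xC0FFEE, h=0x53, T0=0x01, T1=0x7A, M2=0x3C):
    """Returns (expected period H_h(T0||M2) ^ H_h(T1||M2), list of recovered periods)."""
    E = make_cipher(key)
    expected = poly_hash(h, [T0, M2]) ^ poly_hash(h, [T1, M2])
    return expected, recover_period(simon_function(E, h, T0, T1, M2), random.Random(2019))
```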
Attack in Q1 Model. In the Q1 model, a quantum superposition state is formed from classical oracle queries. While mounting such attacks, the enciphering scheme needs to be reduced to Problem 2: g(x) is queried classically (online) to obtain |ψ_g⟩, and then f_i ⊕ g can be tested offline for periodicity using Simon's and Grover's algorithms. As in [1], instead of querying the whole classical codebook, the algebraic structure of the scheme is exploited while mounting the attack.
Attack Description. As in the previous attack, two message blocks are considered. The last message block and the last (n − u) bits of the first message block are kept constant. The queries to the oracle are of the form (x||0^{n−u})||M_2, where x||0^{n−u} and M_2 are the first and second message blocks respectively and 0 ≤ u ≤ n. For constructing a periodic function, the second ciphertext block C_2 is considered. The value of M_2 is fixed and, by varying the value of x, 2^u classical queries are made to the HCTR oracle to form |ψ_g⟩. Define g(x) := C_2 ⊕ M_2, where C_2 is the second ciphertext block returned for the query (x||0^{n−u})||M_2 under tweak T. Let the first u bits of H_h(T||M_2) be denoted by l^(1) and the last n − u bits by l^(2). Then g(x) can be rewritten as
g(x) = E_K( (l^(1)||l^(2)) ⊕ (x||0^{n−u}) ⊕ E_K((l^(1)||l^(2)) ⊕ (x||0^{n−u})) ⊕ 1 )
     = E_K( ((l^(1) ⊕ x)||l^(2)) ⊕ E_K((l^(1) ⊕ x)||l^(2)) ⊕ 1 ).    (11)
Define F(i||j, x) := E_i( (x||j) ⊕ E_i(x||j) ⊕ 1 ) for i ∈ {0, 1}^m, j ∈ {0, 1}^{n−u} and x ∈ {0, 1}^u, and consider the function F(i||j, x) ⊕ g(x). By (11), g(x) = F(K||l^(2), x ⊕ l^(1)), so F(K||l^(2), x) ⊕ g(x) has the hidden period l^(1). The attack steps are listed below.
1. Alg-ExpQ1 is run on F and g to recover K and l^(2).
2. Alg-SimQ1 is run on f_{K||l^(2)} ⊕ g to recover l^(1).
Note that by the above approach the key of the underlying block cipher is recovered. Although the hash key h itself is not recovered, H_h(T||M_2) can be reconstructed from l^(1) and l^(2). The attack can be extended to an arbitrary number of message blocks.
Analysis. The analysis of the attack is similar to the analysis of the attack on the Even-Mansour cipher in [1]. First, as in Proposition 1, the key length m of the underlying block cipher is assumed to be in O(n). In the attack, if u is kept too small, very few queries are required to construct |ψ_g⟩, but the cost of Grover's search increases significantly. Under the constraints that u is not too small and E is a secure block cipher, we can assume that the condition required by Propositions 1 and 2 holds for (i||j) = (K||l^(2)), so that these propositions apply to Alg-ExpQ1 and Alg-SimQ1 respectively. Overall, the key of the underlying block cipher and l^(1)||l^(2) are recovered by this attack using D = O(2^u) classical queries to HCTR^T_K and T = O(n^3·2^{(m+n−u)/2}) offline computations. Here it is also assumed that one evaluation of F takes O(1) time, i.e., T_F = O(1). The trade-off DT^2 = n^3·2^{m+n} applies; data and time complexity balance at D = O(2^{(m+n)/3}) and T = O(n^3·2^{(m+n)/3}). As mentioned in [1], by the construction of Alg-ExpQ1 and Alg-SimQ1 our attack uses a polynomial number of qubits and a negligible number of classical bits. Note that the generic attack takes O(2^{m/2}) time. So this attack improves on the generic attack whenever T = O(n^3·2^{(m+n)/3}) is below O(2^{m/2}).

Attack on Tweakable-HCTR
Tweakable-HCTR (HCT R) was proposed by Dutta and Nandi [4]; it is a variant of HCTR in which each block cipher call is replaced by a tweakable block cipher (TBC). Another major difference between HCTR and Tweakable-HCTR is the use of the tweak. Instead of using the tweak in the upper and lower hash functions, Tweakable-HCTR feeds it to an independent keyed (n + t)-bit hash function H_L. The output of H_L is divided into two parts: an n-bit value H_1, which is masked with the input and the output of the leftmost TBC, and a t-bit value H_2, which acts as the tweak for the underlying TBC. The underlying TBC takes a tweak T ∈ {0, 1}^* and a key K ∈ {0, 1}^m. The Q1 and Q2 attacks on Tweakable-HCTR are quite similar to the attacks on HCTR; for the sake of simplicity, only the corresponding periodic functions are mentioned here. Consider the encryption of two n-bit message blocks.
Attack in Q2 Model. Consider the function g(x) constructed from the second ciphertext block for two distinct choices M_2 and M_2' of the second message block. Clearly, g(x) is a periodic function with period H_{K_h}(M_2) ⊕ H_{K_h}(M_2'). Applying Simon's algorithm to g(x) recovers the period with O(n) queries.

Attack on HCH
Another variant of HCTR is HCH, or Hash-Counter-Hash, proposed by Chakraborty and Sarkar [3], which is based on the hash-encrypt-hash paradigm. In HCH, the tweak T is not used directly by the polynomial hash; instead it is encrypted twice to obtain R and Q, which are used with the hash function H (in HCH, the hash function is denoted by H_{R,Q}). Figure 4 shows the construction of HCH. The attacks presented here do not depend on how R and Q are generated; only the fact that for a fixed T, R and Q remain fixed is used. In the counter mode, instead of an IV, a value S obtained by encrypting the input and output of the leftmost block cipher is used for initialization.
HCH encrypts under the key K of the underlying block cipher E : {0, 1}^m × {0, 1}^n → {0, 1}^n, denoted E_K(·), and the tweak T. Our attack is based on the second ciphertext block. In the following attacks, only the periodic functions are mentioned, as the attacks are almost the same as the attacks on HCTR. The analysis of this attack is likewise similar to the analysis of the attack on HCTR and hence the details are omitted. The data and time complexity of this attack are O(2^{(m+n)/3}) and O(n^3·2^{(m+n)/3}) respectively.

Conclusion
In this paper, we analyzed HCTR, Tweakable-HCTR and HCH in the quantum adversarial model. The work presented here builds upon the previous works in [11,1,15]. All our attacks make use of the encryption oracle only. This raises the question of whether the availability of a decryption oracle can give a significant benefit in terms of the complexity of mounting such attacks.

Fig. 1: Construction of O_k{p} from O_k

Fig. 4: Construction of HCH