Validating IGE Mode of Block Cipher from Quantum Adversaries

Transcription

1 Copyright c 018 The Institute of Electronics, Information and Communication Engineers SCIS Symposium on Cryptography and Information Security Niigata, Japan, Jan. 3-6, 018 The Institute of Electronics, Information and Communication Engineers Validating IGE Mode of Block Cipher from Quantum Adversaries Sungsook Kim Jeeun Lee Rakyong Choi Kwangjo Kim Astract: The Telegram which is a very popular messenger uses a special mode called IGE(Infinite Garle Extension). IGE mode is not included in standard mode of operation recommended y National Institute of Standards and Technology(NIST) in 001. Block cipher encrypts fixed length of plaintext into the corresponding fixed-length of ciphertext using a secret key shared y two parties and utilizes lots of mode of operation for various length of plaintext. Even though Telegram uses non-standard IGE mode, Telegram is claimed to e secure and demonstrate their security is stronger than other IM s. Thus, we need to verify the security of IGE mode depending on underlying lock ciphers. In this paper, we show that IGE mode lock cipher used in Telegram assuming sprf is not IND-qCPA, ut assuming qprf is IND-qCPA. Keywords: post-quantum cryptography, infinite garle extension (IGE) mode, Telegram, IND-qCPA 1 Introduction 1.1 Post-quantum cryptography Quantum computers can perform quantum computation using quantum-mechanics happend in quantum states like superposition and entanglement different to the classical computers. Quantum computation uses quantum its ( i.e., quits) compared to inary its in classical computations. In general, a quantum computer with n quits can e in an aritrary superposition of up to n different state simultaneously [1]. This indicates that quits can hold exponentially more information than their classical counterpart. Though the actual quantum computer is not developed yet, many experiments executing on small numer of quantum its imply that the quantum computer will e realized soon. In real, quantum computer is expected to e developed within 15 years. Quantum computers are ecoming more and more likely including the recent success of IBM in uilding 50 quits. Modern cryptosystem such as AES, RSA, Diffie-Hellman (DH) and Elliptic Curve Cryptosystem(ECC) are very popular and widely used for secure applications. The computational security of pulic key cryptosystem ased on the difficulty of the numer theory relies on mathematical hard prolems such as the integer factorization prolem(ifp), the discrete logarithm prolem(dlp), and the elliptic-curve discrete logarithm prolem(ecdlp). However these prolems can e solved within polynomial time using a powerful quantum computer y Shor s algorithm []. Thus we need to prepare for cryptosystem secure against the quantum computing attack which we say quantum-safe cryptosystem such like lattice-ased, hash-ased, code-ased, multivariate, and isogeny cryptography. In symmetric key cyrptosystem, data search algorithm called Grover s algorithm [3] can find the correct memer School of Computing, KAIST. 91, Daehakro, Yuseong-gu, Daejeon, South Korea {kusino, jeeun.lee, thepride, kkj}@kaist.ac.kr) given unstructured dataase in complexity O( N) compared to O(N) in classical world. The suggested countermeasure against quantum computer attack needs to doule the key size; use 56 it key instead of 18 it key in AES. 1. Motivation Block ciphers, one of the symmetric key cryptosystem, can only encrypt a fixed length of a message. But for practice we need to encrypt or decrypt for aritrary-length of message. To meet this, lock cipher offers lots of mode of operation like Electronic Codeook(ECB), Output Feedack(OFB), Cipher Feedack(CFB), Cipher Block Chaining(CBC), and XEX-ased tweaked-codeook mode with ciphertext stealing(xts), etc. Some mode of operations can increase the message space or provide semantic security depending on the mode of operation. Telegram, one of the famous instant messaging(im) services, uses Infinite Garle Extension(IGE) [4] mode in their customized protocol called MTProto. IGE mode is not classified as standard mode of operation y National Institute of Standards and Technology(NIST) [5]. However, this Telegram is claimed to e secure even though they use IGE mode. Even Telegram got great score y Electronic Frontier Foundation(EFF) in 014 [6] y evaluating the security requirements among secure IM s. Different to other IM s, Telegram has special policy to open their source code, protocol, and API in order to e made y the pulic scrutiny of the security experts from the world. This demonstrates indirectly to show that their security is sufficiently strong than other IM s. However the overall security of Telegram can e vulnerale against the quantum adversaries. Thus we need to verify the security of Telegram against the quantum adversaries, especially IGE mode used for underlying lock ciphers. In this paper, we focus on the quantum security of IGE mode in lock cipher. We will show that (i) if the lock cipher is assumed to e standard-secure Pseudo Random Function(sPRF), the lock cipher of IGE mode is not IND- 1

2 qcpa(similar with IND-CPA in classical setting except that the adversary A has the quantum access). (ii) if the lock cipher is assumed to e quantum-secure Pseudo Random Function(qPRF), the lock cipher of IGE mode is IND-qCPA. 1.3 Organization The rest of this paper is organized as follows: Chapter descries preliminaries aout our definitions and notation used in this paper. The overview of Telegram, its IGE mode and security are descried in Chapter 3. The security proof for sprf and qprf is explained in Chapters 4 and 5, respectively. Finally, the conclusion and future work are discussed in Chapter 6. Preliminaries.1 Notation y A(x) means an algorithm A that takes the input x outputs a value and this value is assigned to y. We write A H when A can access to an oracle H. (A B) denotes the set of all function from A to B. We write x A if x is uniformly randomly chosen from the set A. a represents concatenations of two strings and {0, 1} n represents the n- it strings. a means the inner product of two vectors a and. We use η(t) to denote a function with a security parameter t. If we say a quantity is negligile(denoted negl.) we mean that it is in o(η c ) or 1 o(η c ) for all c > 0. We use the notation A B to say that quantity A has negl. difference with quantity B. For an n-it string a and inary variale, a = a if = 1 else a = 0 n. For a string x = x 1 x x 3 x n where x i is the i-th it, we use function lastit(x) = (x n ), droplastit(x) = x 1 x x 3 x n 1.. Quantum Computation A quantum system A is a complex Hilert space H with inner product. The state of a quantum system is given y a vector ψ of unit norm ( ψ ψ = 1). Given quantum systems H 1 and H, the joint quantum system is given y the tensor product H 1 H. Given ψ 1 H 1 and ψ H, the product state is given y ψ 1 ψ H 1 H. Given a quantum state ψ and an orthonormal asis B = 0,..., d 1 for H, a measurement of ψ in the asis B results in the value i with proaility i ψ, and the quantum state collapses to the asis vector i. If ψ actually a state in a joint system H H, then ψ can e written as d 1 ψ = α i i ψ i i=0 for some complex values α i and states ψ i over H. Then, the measurement over H otains the value i with proaility α i and in this case the resulting quantum state is i ψ i. A unitary transformation over a d-dimensional Hilert space H is a d d matrix U such that UU = I d, where U represents the conjugate transpose. A quantum algorithm operates on a product space H in H out H work and consists of n unitary transformations U 1,..., U n in this space. H in represents the input to the algorithm, H out the output, and H work the work space. A classical input x to the quantum algorithm is converted to the quantum state x, 0, 0. Then, the unitary transformations are applied oney-one, resulting in the final state ψ x = U n... U i x, 0, 0. The final state is then measured, otaining the tuple (a,, c) with proaility a,, c ψ x. The output of the algorithm is. We say that a quantum algorithm is efficient if each of the unitary matrices U i come from some fixed asis set, and n, the numer of unitary matrices, is polynomial in the size of the input. Quantum-accessile Oracles. We will implement an oracle O : X Y y a unitary transformation O where O x, y, z i = x, y + O(x), z where + : X X X is some group operation on X. Suppose we have a quantum algorithm that makes quantum queries to oracles O 1,..., O q. Let ψ 0 e the input state of the algorithm, and let U 0,..., U q e the unitary transformations applied etween queries. Note that the transformations U is can e the products of many simpler unitary transformations. The final state of the algorithm will e U q O q... U 1 O 1 U 0 ψ 0 We can also have an algorithm that makes classical queries to O i. In this case, the input to the oracle is measured efore applying the transformation O i. We call a quantum oracle algorithm efficient if the numer of queries q is polynomial, and each of the transformations U i etween queries can e written as the product polynomially many unitary transformations from some fixed asis set..3 IND-CPA, IND-qCPA Definition 1 (IND-CPA). A symmetric encryption scheme Π IGE =(Gen,Enc,Dec) is indistinguishale under chosen message attack(ind-cpa secure) if no classical polynomial time adversary A can win in the P rivka,π CP A game, except with proaility at most 1/ + negl. P rivka,π CP A (t) game: Key Gen: The challenger picks a random key k Gen and a random it. Query: Adversary A chooses two messages m 0, m 1 and sends them to the challenger. Challenger chooses r {0, 1} and responds with c = Enc k (m ; r) Guess: Adversary A produces a it, and wins if = There are different kinds of definition of IND-qCPA, ut we use one in [7]. In the IND-qCPA, the quantum adversary can queries in superposition ut the challenge queries are classical as in classical world.

3 Definition (IND-qCPA [7]). A symmetric encryption scheme Π IGE =(Gen,Enc,Dec) is indistinguishale under a quantum chosen message attack(ind-qcpa secure) if no efficient quantum adversary A can win in the P rivk qcp A A,π game, except with proaility at most 1/ + negl. P rivk qcp A A,π (t) game: Key Gen: The challenger picks a random key k Gen and a random it. Queries A is allowed to make two types of queries: - Challenge Queries: A sends two messages m 0, m 1 to challenger and challenger responds with c = Enc k (m ; r). - Encryption Queries: For each query, the challenger chooses randomness r {0, 1}, and encrypts each message in the superposition using r as randomness: m, c Enc k (m; r) m,c ψ m,c m, c m,c Guess: Adversary A produces a it, and wins if =.4 Standard and quantum security Definition 3 (Standard-secure PRF [8]). A function PRF is a standard-secure PRF if no efficient quantum adversary A making classical queries can distinguish etween a truly random function and a function PRF k for a random k. That is, for every such A, there exist a negligile function ɛ = ɛ(t) such that Pr k K [A PRF k () = 1] Pr O K X [A O () = 1] < ɛ Definition 4 (Quantum-secure PRF [8]). A function PRF is a standard-secure PRF if no poly-time quantum adversary A making quantum queries can distinguish etween a truly random function and a function PRF k for a random k..5 One way to hiding(oh) Lemma This lemma elow is devised from Unruh in 015 [9]. This lemma shows that given a uniformly random value s, to show that H(x) is also uniformly random (indistinguishale from random) we need to show that : when adversary queries to oracle, aort the query to H at random point, measure the input to that query(disturing superposition in quantum), then the proaility the input equals x is negligile. This lemma is used in Section 5. to set up the oundary of proaility. Lemma 1 (One way to hiding(oh) Lemma [9]). Let H : {0, 1} t {0, 1} t e a random oracle. Consider an oracle algorithm A OH that makes at most q oh queries to H. Let B e an oracle algorithm that on input x does the following: pick i {1,, q oh } and y {0, 1} t, run A H OH (x, y) until (just efore) the ith query, measure the argument of the query in the computational asis, output the measurement outcome. (When A OH makes less than i queries, B outputs / {0, 1} t.) Let, P 1 A OH := Pr[ = 1 : H ({0, 1} t {0, 1} t ), x {0, 1} t, A H OH (x, H(x))], PA OH := Pr[ = 1 : H ({0, 1} t {0, 1} t ), x {0, 1} t, y {0, 1} t, A H OH (x, y)], P B := Pr[x = x : H ({0, 1} t {0, 1} t ), x {0, 1} t, x B H (x, i)]. Then, 3 Telegram 3.1 Overview P 1 A OH P A OH q oh PB. Telegram is known as one of the most popular non-profit cloud-ased instant messaging(im) services for secure communications. Telegram had 100 million monthly active users sending 15 illion messages per day in 016 [10]. People can send messages and exchange photos, video and other files. They offers two modes; regular chat and secret chat mode. In regular chat mode, all messages can e read y server and stored. But secret chat uses an end-to-end encryption(eee). In this mode, ecause all messages are encrypted y the end users, server can t read original messages and the messages is not stored in the middle. Telegram uses a symmetric encryption scheme called MTProto. MT- Proto uses Diffie-Hellman (DH) key exchange, Secure Hash Algorithm 1(SHA-1), Key Derivation Function(KDF), and AES-56 in IGE [4] mode. 3. Infinite Garle ExtensionIGE mode IGE [4] mode was initially introduced y Campell in 1978 to prevent spoofing attacks. It has the property that errors are propagated forward, that is, any difference in ciphertext changes (i.e., garles) the decryption of all susequent ciphertext. Definition 5 (IGE scheme). For a given function E : K {0, 1} t {0, 1} t we define the symmetric encryption scheme Π IGE =(Gen,Enc,Dec) as follows: Gen: Pick a random key k K. Enc: For a given message M = m 0 m 1 m n, where m 0 {0, 1} t and n is a polynomial in t; Enc k (M) := c 0 c 1 c n, where c 0 {0, 1} t and c i = E(k, c i 1 m i ) m i 1 for 0 < i n. Dec: For a given cipher-text C = c 0 c 1 c n and the key k; m i := E 1 (k, c i m i 1 ) c i 1 for 0 < i n. When encrypt the message m 0, the initialisation vector(iv) can e defined using a second key k 0 then the ciphertext will e c 0 = E(k 0, m 0 ) or a random value like definition 5. But we just take the latter without loss of generality. 3.3 Security of Telegram Since the lack of privacy protection has een issued constantly, now the majority of IM services provide EEE ased on verified cryptographic protocols. Telegram is particularly regarded as one of the most secure services in pulic and has over 100 million active users. Based on Telegram s 3

4 Figure 1: Diagram of IGE mode for encryption. [11] tacks on IGE irrelevant. IGE mode itself is vulnerale to adaptive CPA, however, the adaptive attack is impossile in Telegram. Because the adaptive attacks are only for the case when the same key is used in several messages, ut the key is dependent on the message content in Telegram. Also, Electronic Frontier Foundation(EFF) announced Secure Messaging Scorecard [6] in 014 depicted in Figure 3, and Telegram got 4 out of 7 in cloud chat and 7 out of 7 in secret chat whereas Faceook chat got only out of 7. Telegram opens their source code, protocol and API and holds crypto contest to crack Telegram s encryption so that people can see how everything works and welcome security experts to audit their system and get feedack. 4 Insecurity of IGE mode assuming sprf BC 4.1 Standard-secure PRF For the first step to construct a sprf, Anand et al. [13] construct a specific lock cipher as follows: Figure : Diagram of IGE mode for decryption. [11] customized protocol called MTProto, it provides client-toserver encryption in cloud chats for syncing all connected devices and EEE in secret chats for only two devices that used to initiate or accept the secret chat. Meanwhile, Telegram s MTProto has een criticized until now and Jakosen et al. [11, 1] theoretically demonstrated Telegram.7.0 (visited GitHu in April 015) is not indistinguishaility under chosen-ciphertext attack (IND-CCA) and integrity of ciphertexts (INT-CTXT). From the fact that MTProto does not check neither the length nor the content of the padding during lock cipher decryption, two attacks were tried: (a) adding a random lock at the end of the ciphertext and () replacing the last lock with a random lock. The first weakness can e fixed easily y adding the process to check the length of the padding during decryption and discard the message when it is longer than expected. As for mitigating the second weakness, the encryption process should e changed, which makes communications etween patched and unpatched clients difficult. Thus, it is desirale to replace the current scheme with the entirely different, etter one that guarantees authenticated encryption(ae). However still Telegram is claimed secure protocol. Though they use IGE mode, it is not roken in their implementation. The fact that they do not use IGE as MAC together with other properties of their system makes the known at- Figure 3: Secure messaging scorecard. [6] BC k (x) := E H(k) (droplastit(x (k 1) lastit(x))) where E is a sprf and H refers to a random oracle. Actually this lock cipher is not a lock cipher ecause it is not decryptale. (This lock cipher s input is x and key k which is n and n 1 it respectively, ut the outcome is n 1 it in oth cases. But we will use some trick to change this incomplete construction to complete lock cipher explained later in the second step.) This lock cipher has the special property, which is important in next section, (k 1)-periodic: - Case 1 : x is even, lastit(x) = 0, lastit(x (k 1)) = 1, BC k (x (k 1)) = E H(k) (droplastit(x (k 1) (k 1))) = E H(k) (droplastit(x)) = E H(k) (droplastit(x (k 1) lastit(x))) = BC k (x) - Case : x is odd, lastit(x) = 1, lastit(x (k 1)) = 0, BC k (x (k 1)) = E H(k) (droplastit(x (k 1))) = E H(k) (droplastit(x (k 1) lastit(x))) = BC k (x) Thus we can use this property: BC k (x) = BC k (x (k 1)) (1) The second step for sprf is to make that BC k (x) to e decryptale. To do that, additional function t is appended in following construction. Construction 1: BC k (x) := E H(k)1 (droplastit(x (k 1) lastit(x))) t H(k) (x (k 1) lastit(x)) lastit(x) where E : {0, 1} n 1 {0, 1} n 1 {0, 1} n 1 is a sprf, t : {0, 1} n {0, 1} n {0, 1} is a sprf, H : {0, 1} n {0, 1} n {0, 1} n is a random oracle, and the key k {0, 1} n 1 4

5 Figure 4: Attack on 1 lock IGE using Simon s algorithm We can easily know this construction is permutation y proving that given BC k (x) = y and k, we can recover x: z := x (k 1) lastit(x), then lastit(z) = 0 (if x is even, lastit(x) = 0, z = x, lastit(z) = 0, else lastit(x) = 1, z = x (k 1), lastit(z) = 0) Since the function E is sprf, we can get the input of E using droplastit(y) and H(k) 1. Of course the input of E is droplastit(x (k 1) lastit(x)) = droplastit(z). By simply appending 0-it to droplastit(z), we can get z. And z is fed into t with key H(k) to get 1 it: t H(k) (z (k 1) lastit(z)) = t H(k) (z) This 1 it is xored with lastit(y), we can get lastit(x): t H(k) (z) lastit(y) = t H(k) (z) t H(k) (z) lastit(x) = lastit(x) So we can finally compute x from z = x (k 1) lastit(x) and lastit(x). Thus this construction is injective and invertile. The remaining part is to prove the construction is a sprf and it is proved in [13] 4. Attack on IGE Mode using Quantum Circuit We will use the lock cipher BC as descried in Section 4.1 (Construction 1) for the Π IGE scheme. As proved, this BC is sprf, not qprf. That is, the BC is secure under the condition that quantum adversary has only classical access to the BC. In this section, we will show the attack using Simon s algorithm to recover the key k. Lemma. There exists a standard-secure pseudo-random function such that Π IGE is not IND-qCPA secure.(in the quantum random oracle model) Proof. Let the Π IGE scheme use the lock cipher BC. And we know that the quantum adversary can attack Π IGE using the encryption queries on messages with two locks. First, the quantum adversary stores random n-it strings, n-zero strings(0 n ) and equal superposition of messages in m 0, m 1 and m locks of register M, respectively. The quantum adversary initializes the quantum ciphertext register C with string 0 3n 1 +. Now the adversary can make encryption queries to the Π IGE scheme and will get responses with the corresponding ciphertext in quantum register C. This attack is descried in Figure 4. After the quantum register M and C are applied encryption algorithm Enc of Π IGE, the message and ciphertext registers ecomes(up to normalization): M, C = m m 0 0 n m c 0 BC k (c 0 ) m 0 droplastit{bc k (BC k (c 0 ) m 0 m )} + Put y := BC k (c 0 ) m 0, then we have : m m 0 0 n m c 0 y droplastit{bc k (y m )} + The quantum adversary now xors c 0 to the message register y using a CNOT gate(m is xored with c 1 ). Then the quantum registers change: m 0 0 n m y c 0 y m droplastit{bc k (y m )} + () Also BC k is (k 1)-periodic, we can use the property mentioned in Section 4.1 : BC k (x) = BC k (x (k 1)) Then the quantum registers are : m m 0 0 n m y c 0 y droplastit{bc k (y m (k 1))} + We can modified aove equation, we get : = m m 0 0 n m y (k 1) c 0 y droplastit{bc k (y m )} + (3) Put γ = m y in Eqs. () and (3) change Eqs. (4) and (5) respectively : m 0 0 n γ c 0 y droplastit{bc k (γ)} + (4) γ m 0 0 n γ (k 1) c 0 y droplastit{bc k (γ)} + γ (5) Hence the adversary has the state(up to normalization), γ m 0 0 n ( γ + γ (k 1) ) c 0 y droplastit{bc k (γ)} + Now the adversary applies n Hadamard gates to the third lock of plaintext(m ) and get the following state(up to normalization): γ z (( 1)γ z + ( 1) {γ (k 1)} z ) m 0 0 n z c 0 y droplastit{bc k (γ)} + = γ z ( 1)γ z (1 + ( 1) (k 1) z ) m 0 0 n z c 0 y droplastit{bc k (γ)} + Now if the adversary measures n-it of message register result is two cases. One is that the adversary can get a vector z such that (k 1) z = 0. The other is when (k 1) z = 1, the superposition collapses to 0 thus the adversary can get nothing. By doing this attack repeatedly, adversary can get n independent vectors v i s. Remaining part is that using the Gaussian elimination, adversary can retrieve n 1 its of k, therey reaks the Π IGE scheme. 5

6 Figure 5: IGE mode using random function H 5 Security of IGE mode assuming qprf BC 5.1 Techniques In the previous section, the IGE mode assuming sprf can e roken y Simon s algorithm and even the adversary can retrieve the secret key. Thus assuming only the sprf is weak in quantum setting. However, if we use the qprf we can overcome this prolem which will e descried in this section. When proving the random property in cryptography, we usually use the hyrid-game method. That is the one part of the cryptosystem that we want to prove randomness is changed with random one, and show this change is so small that we can ignore in the whole cryptosystem.by repeating this, we change original one step-y-step with randomness. Because the change is very small, the total change is also small thus we can prove that the cryptosystem is indistinguishale from truly random function. When proving IND-qCPA security, the quantum Adversary A has to distinguish etween IGE mode lock cipher and truly random function in the challenge queries. That means, the adversary A has to distinguish etween Enc(m 0 ) and Enc(m 1 ) : First, the function that is used in lock cipher is quantum secure PRF, we can sustitute the PRF with truly random function H as shown in Figure 5. Second, when the quantum adversary A makes challenge queries, we replace the ciphertext with random one one y one. Last, we show the difference is negligile, thus the quantum adversary A gains only negligile advantage. But the prolem is that how we can show the last one, proving the difference is negligile. For example, we have to show that c = H(m c 1 ) m 1 (c 1 is random) is indistinguishale from randomly chosen c. In the classical setting, we can say that since c 1 is random, m c 1 is also random, the proaility that m c 1 collides with other H-queries is negligile, so H(m c 1 ) is random, the H(m c 1 ) m 1 is random. However this is not in quantum setting; The quantum adversary A queries in superposition, we can not say H was not queried efore. Instead, we use other method, One-way to Hiding(OH) Lemma mentioned in Section IND-qCPA security of IGE mode Define Enc i,h IGE (M) := c t 0c 1 c n, where c j {0, 1} for j i and c j = H(m j c j 1 ) m j 1 for i < j n. We want to prove using OH lemma that for the quantum Adversary A who can access to oracle Enc i,h IGE, the proaility the A distinguish the output of Enc i,h IGE from Enci+1,H IGE is negligile in t, where t is the security parameter. For the sake of simplicity, we use Enc i,h instead of Enc i,h IGE. Figure 6: Adversary has to distinguish outputs of (a) and () in Eq.(6). R represents randomly chosen value. Lemma 3. For any i with i : 0 i p(t) 1, and every quantum adversary A that makes at most q A queries, Pr[ = : H ({0, 1} t {0, 1} t ), {0, 1}; M 0, M 1 A Enci,H ; A Enci,H (Enc i,h (M ))] Pr[ = : H ({0, 1} t {0, 1} t ), {0, 1}; M 0, M 1 A Enci,H ; A Enci,H (Enc i+1,h (M ))] O( p(t)3 3 q A ) t where p(t) is the maximum numer of locks in the message M and t is the length of each message lock. Put ε(t) = Pr[ = : H ({0, 1} t {0, 1} t ), {0, 1}; M 0, M 1 A Enci,H ; A Enci,H (Enc i,h (M ))] Pr[ = : H ({0, 1} t {0, 1} t ), {0, 1}; M 0, M 1 A Enci,H ; A Enci,H (Enc i+1,h (M ))] For a given message M = m 0 m 1 m n, let Ẽnc i H(M, c 0,..., c i ) := ĉ 1 ĉ cˆ n where { cj 0 j i ĉ j = H( c j 1 ˆ m j ) m j 1 i < j n Then we have, ε(t) = Pr[ = : H ({0, 1} t {0, 1} t ), {0, 1}; M 0, M 1 A Enci,H ; c 0,..., c i {0, 1} t ; A Enci,H (Ẽnci H(M, c 0,..., c i ))] Pr[ = : H ({0, 1} t {0, 1} t ), {0, 1}; M 0, M 1 A Enci,H ; c 0,..., c i+1 {0, 1} t ; Enci,H A (Ẽnci+1 H (M, c 0,..., c i+1 ))] We put c i := x m i+1, c i+1 := y m i where mi, mi+1 is the i th, (i + 1) th lock of the message M respectively and x, y {0, 1} t. This means that c i, c i+1 are uniformly random as x, y are randomly chosen. Therefore, ε(t) = (6) Pr[ = : H ({0, 1} t {0, 1} t ), {0, 1}; M 0, M 1 A Enci,H ; c 0,..., c i 1 {0, 1} t, x {0, 1} t, c i := x m i+1 ; A Enci,H (Ẽnci H(M, c 0,..., c i ))] 6

7 Pr[ = : H ({0, 1} t {0, 1} t ), {0, 1}; M 0, M 1 A Enci,H ; c 0,..., c i 1 {0, 1} t ; x {0, 1} t, c i := x m i+1, y {0, 1} t, c i+1 := y m i, Enci,H A (Ẽnci+1 H (M, c 0,..., c i+1 ))] Figure 7: Adversary has to distinguish outputs of (a) and () in Eq.(7) (7) By definition of Ẽnci H, we have Ẽnci H(M, c 0,..., c i ) = Ẽnc i+1 H ε(t) = (M, c 0,..., c i+1 ) with c i+1 := H(x) m i. Hence, Pr[ = : H ({0, 1} t {0, 1} t ), {0, 1}; M 0, M 1 A Enci,H ; c 0,..., c i 1 {0, 1} t, x {0, 1} t, c i := x m i+1, c i+1 := H(x) m i ; Enci,H A (Ẽnci+1(M, c 0,..., c i+1 ))] H Pr[ = : H ({0, 1} t {0, 1} t ), {0, 1}; M 0, M 1 A Enci,H ; c 0,..., c i 1 {0, 1} t ; x {0, 1} t, c i := x m i+1, y {0, 1} t, c i+1 := y m i, Enci,H A (Ẽnci+1 H (M, c 0,..., c i+1 ))] (8) c 0,..., c i 1 {0, 1} t ; c i = x m i+1 ; c i+1 = y m i ; compute C := Ẽnci+1 H (M, c 0,..., c i+1 ) A Enci,H (C) return = Because the A OH can query to H, A OH also can answer the adversary A s query. Let q e a numer that A OH query, then q p(t)q A. Also, let q 1, q, q 3 e a numer that A OH query efore the challenge query, during challenge query and after challenge query, respectively. Then we can get another equation elow from Eq. (8). ε(t) = Pr[ = 1 : H ({0, 1} t {0, 1} t ), x {0, 1} t, A H OH (x, H(x)] Pr[ = 1 : H ({0, 1} t {0, 1} t ), x {0, 1} t, y {0, 1} t, A H OH(x, y)] Let B e an oracle algorithm descried in the OH Lemma, then we have that ε(t) q P B : (9) P B = Pr[x = x : j {1,..., q}, x {0, 1} t, H ({0, 1} t {0, 1} t ), x B H (x, j)] = 1 q Pr[x = x : x {0, 1} t, H ({0, 1} t {0, 1} t ), x B H (x, j)] = 1 q P j B P j B is different depending on when is the j-th queries to H(efore, during, or after challenge query). And this proaility can e calculated similarly as descried in [13] except that the quantum encryption oracle when j q 1 + q is different from original depicted in Figure 9. Following [13], we have P j B = O(j3 t ), hence y the definition of P B we have, P B O( q3 ). Therefore, we have : t Figure 8: Adversary has to distinguish outputs of (a) and () in Eq.(8). Now, the difference is when c i+1 is H(x) or uniformly random value y, and we can use the OH lemma. We define an adversary A OH that makes oracle queries to random function H ({0, 1} t {0, 1} t ) with given input x and y does the following: AdversaryA H OH (x, y) : M 0, M 1 A Enci,H, {0, 1} Figure 9: Composition of Encryption Oracle using H oracle. 7

8 ɛ(t) q P B q O( q3 t ) = O(q3 t ) Theorem 1. If the function E is a quantum-secure PRF then Π IGE is IND-qCPA secure. Proof. For any efficient adversary A making q A encryption queries using Lemma 3 and triangle inequality we have, Pr[ = : H ({0, 1} t {0, 1} t ), {0, 1}; M 0, M 1 A Enc0,H ; A Enc0,H (Enc 0,H (M ))] Pr[ = : H ({0, 1} t {0, 1} t ), {0, 1}; M 0, M 1 A Enc0,H ; A Enc0,H (Enc p(t),h (M ))] no( p(t)3 q A 3 t ) Outputs of Enc p(t),h (M ) are the case when the ciphertext are chosen completely randomly. Therefore, Pr[ = : H ({0, 1} t {0, 1} t ), {0, 1}; M 0, M 1 A Enc0,H ; A Enc0,H (Enc 0,H (M ))] 1 p(t) O( p(t)3 q A 3 t ) The adversary can t distinguish Enc 0,H from Enc function of Π y definition of qprf. Therefore, Pr[P rivk qcp A A,Π (t) = 1] 1 O( p(t)3 3 q A ) + negl(t). t as q A is polynomial in t we deduce that, Pr[P rivk qcp A A,Π (t) = 1] 1 negl(t). 6 Conclusion and future work We have shown that quantum security of the IGE mode in lock cipher against the quantum adversary A. When assuming sprf, the IGE mode lock cipher does not satisfy IND-qCPA. But assuming qprf, the IGE mode lock cipher is proven IND-qCPA. When we assume the sprf, especially periodic, we can even recover the secret key k in polynomial time using Simon s algorithm. By making query to oracle, we can get easily information aout the secret key. Assuming qprf, however, the lock cipher of IGE mode is proven secure thus the quantum adversary A can not distinguish the lock cipher from truly random function efficiently. Acknowledgement This work was partly supported y Institute for Information & communications Technology Promotion (IITP) grant funded y the Korea government (MSIT)(No , Towards Provale-secure Multi-party Authenticated Key Exchange Protocol ased on Lattices in a Quantum World) and National Research Foundation of Korea (NRF) grant funded y the Korea government (MSIT)(No. NRF- 015R1AAA , Design and Security Analysis of Novel Lattice-ased Fully Homomorphic Signatures Roust to Quantum Computing Attack). References [1] M. A. Nielsen and I. Chuang, Quantum computation and quantum information, 00. [] P. W. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM review, vol. 41, no., pp , [3] L. K. Grover, A fast quantum mechanical algorithm for dataase search, in Proceedings of the twentyeighth annual ACM symposium on Theory of computing, pp. 1 19, ACM, [4] C. Campell, Design and specification of cryptographic capailities, IEEE Communications Society Magazine, vol. 16, no. 6, pp , [5] Recommendation for lock cipher modes of operation. methods and techniques. National Institute of Standards and Technology(NIST), 001. Special Pulication A. [6] Secure messaging scorecard. eff.org/node/8654, 014. [7] D. Boneh and M. Zhandry, Secure signatures and chosen ciphertext security in a quantum computing world, in Advances in Cryptology CRYPTO 013, pp , Springer, 013. [8] M. Zhandry, How to construct quantum random functions, in Foundations of Computer Science (FOCS), 01 IEEE 53rd Annual Symposium on, pp , IEEE, 01. [9] D. Unruh, Revocale quantum timed-release encryption, Journal of the ACM (JACM), vol. 6, no. 6, p. 49, 015. [10] M. Burns, Encrypted messaging app telegram hits 100m monthly active users, 350k new users each day, TechCrunch, Fe [11] J. B. Jakosen and C. Orlandi, A practical cryptanalysis of the Telegram messaging protocol. PhD thesis, Master Thesis, Aarhus University (Availale on request), 015. [1] J. Jakosen and C. Orlandi, On the cca (in) security of mtproto, in Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Moile Devices, pp , ACM, 016. [13] M. V. Anand, E. E. Targhi, G. N. Taia, and D. Unruh, Post-quantum security of the cc, cf, of, ctr, and xts modes of operation, in International Workshop on Post-Quantum Cryptography, pp , Springer,