### On the Quantum Security of OCB

##### Abstract

The OCB mode of operation for block ciphers has three variants, OCB1, OCB2 and OCB3. OCB1 and OCB3 can be used as secure authenticated encryption schemes, whereas OCB2 has been shown to be classically insecure (Inoue et al., Crypto 2019). Even further, in the presence of quantum queries to the encryption functionality, a series of works by Kaplan et al. (Crypto 2016), Bhaumik et al. (Asiacrypt 2021) and Bonnetain et al. (Asiacrypt 2021) have shown how to break the existential unforgeability of the OCB modes. However, these works did not consider the confidentiality of OCB in the presence of quantum queries. We fill this gap by presenting the first formal analysis of the IND-qCPA security of OCB. In particular, we show the first attacks breaking the IND-qCPA security of the OCB modes. Surprisingly, we are able to prove that OCB2 is IND-qCPA secure when used without associated data, relying on the assumption that the underlying block cipher is a quantum-secure pseudorandom permutation. Additionally, we present new quantum attacks breaking the universal unforgeability of OCB. Our analysis of OCB has implications for the post-quantum security of XTS, a well-known disk encryption standard, which was considered but mostly left open by Anand et al. (PQCrypto 2016).

Category: Secret-key cryptography

Keywords: OCB, IND-qCPA security, Universal Forgeability, Simon's Algorithm, Deutsch's Algorithm, XTS

Contact author(s): vmaram @ inf ethz ch, daniel masny @ rub de, sikharpatranabis @ gmail com, srraghur @ visa com

History: 2022-06-02: approved

Short URL: https://ia.cr/2022/699

License: CC BY

BibTeX

```bibtex
@misc{cryptoeprint:2022/699,
  author       = {Varun Maram and Daniel Masny and Sikhar Patranabis and Srinivasan Raghuraman},
  title        = {On the Quantum Security of OCB},
  howpublished = {Cryptology ePrint Archive, Paper 2022/699},
  year         = {2022},
  note         = {\url{https://eprint.iacr.org/2022/699}},
  url          = {https://eprint.iacr.org/2022/699}
}
```
