International Association for Cryptologic Research



Paper: On the Quantum Security of OCB

Varun Maram, Department of Computer Science, ETH Zürich, Zürich, Switzerland
Daniel Masny, Meta Research, Menlo Park, USA
Sikhar Patranabis, IBM Research, Bangalore, India
Srinivasan Raghuraman, Visa Research, Palo Alto, USA
DOI: 10.46586/tosc.v2022.i2.379-414
Abstract: The OCB mode of operation for block ciphers has three variants, OCB1, OCB2 and OCB3. OCB1 and OCB3 can be used as secure authenticated encryption schemes, whereas OCB2 has been shown to be classically insecure (Inoue et al., Crypto 2019). Even further, in the presence of quantum queries to the encryption functionality, a series of works by Kaplan et al. (Crypto 2016), Bhaumik et al. (Asiacrypt 2021) and Bonnetain et al. (Asiacrypt 2021) have shown how to break the unforgeability of the OCB modes. However, these works did not consider the confidentiality of OCB in the presence of quantum queries. We fill this gap by presenting the first formal analysis of the IND-qCPA security of OCB. In particular, we show the first attacks breaking the IND-qCPA security of the OCB modes. Surprisingly, we are able to prove that OCB2 is IND-qCPA secure when used without associated data, relying on the assumption that the underlying block cipher is a quantum-secure pseudorandom permutation. Additionally, we present new quantum attacks breaking the universal unforgeability of OCB. Our analysis of OCB has implications for the post-quantum security of XTS, a well-known disk encryption standard, which was considered but mostly left open by Anand et al. (PQCrypto 2016).
  title={On the Quantum Security of OCB},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universität Bochum},
  volume={2022, Issue 2},
  author={Varun Maram and Daniel Masny and Sikhar Patranabis and Srinivasan Raghuraman},