Quantum forgery attacks against OTR structures based on Simon's algorithm

TL;DR

This paper introduces a quantum forgery attack on OTR structures using Simon's algorithm, enabling efficient and high-probability forgery of ciphertexts and tags with minimal plaintext data.

Contribution

It presents the first quantum forgery attack on OTR structures leveraging Simon's algorithm, improving attack efficiency and success probability over classical methods.

Findings

Query complexity is $O(n)$

Success probability is close to 1

Effective forgery of ciphertexts and tags

Abstract

Classical forgery attacks against Offset Two-round (OTR) structures require some harsh conditions, such as some plaintext and ciphertext pairs need to be known, and the success probability is not too high. To solve these problems, a quantum forgery attack on OTR structure using Simon's algorithm is proposed. The attacker intercept the ciphertext-tag pair $(C,T)$ between the sender and receiver, while Simon's algorithm is used to find the period of the tag generation function in OTR, then we can successfully forge new ciphertext $C'$ ($C'\ne C$) for intercepted tag $T$. For a variant of OTR structure (Pr{/o}st-OTR-Even-Mansour structure), a universal forgery attack, in which it is easy to generate the correct tag of any given message if the attacker is allowed to change a single block in it, is proposed. It first obtains the secret parameter L using Simon's algorithm, then the secret parameter L is used to find the keys $k_1$ and $k_2$, so that an attacker can forge the changed messages. It only needs several plaintext blocks to help obtain the keys to forge any messages. Performance analysis shows that the query complexity of our attack is $O(n)$, and its success probability is very close to 1.