Post-Quantum Security of COPA

Abstract

COPA is a notable authenticated online cipher and was one of the winning proposals for the CAESAR competition. Current works describe how to break the existentially unforgeable under quantum chosen message attack (EUF-qCMA) of COPA. However, these works do not demonstrate the confidentiality of COPA in the quantum setting. This paper fills this gap, considers the indistinguishable under quantum chosen-plaintext attack (IND-qCPA) security for privacy, and presents the first IND-qCPA security analysis of COPA. In addition, in order to effectively avoid the problems of quantum existential forgery attack and quantum distinguishing attack, we introduce an intermediate state doubling-point technology into COPA, restrict the associated data non-emptiness, and present an enhanced variant, called COPA-ISDP, to support the IND-qCPA and EUF-qCMA security. Our work is of great significance, as it provides a simple and effective post-quantum secure design idea to resist Simon’s attack.

1. Introduction

The rapid development of quantum technology in the Noisy Intermediate-Scale Quantum (NISQ) era poses significant threats to existing cryptographic schemes. Public-key cryptosystems based on integer factorization and discrete logarithm problems become vulnerable with Shor’s algorithm [1], accelerating the post-quantum cryptography standardization process. In contrast, symmetric-key cryptosystems are generally considered resistant to quantum attacks; consequently, research on their quantum security has remained limited until recently.

In recent years, as Simon’s algorithm [2], Bernstein-Vazirani algorithm [3], Deutsch-Jozsa algorithm [4], and other quantum algorithms [5,6,7,8] have realized the key recovery attacks and existential forgery attacks of structured symmetric-key ciphers, people have paid more attention to the quantum security of symmetric-key ciphers. Quantum algorithm is an important tool for carrying out quantum cryptanalysis. For example, Simon’s algorithm can find out the period of a function and carry out polynomial-time attack on the symmetric-key cipher or mode of operation with a special structure, so as to achieve exponential acceleration [2]. The Bernstein–Vazirani algorithm can determine the linear structure of symmetric-key cryptography and attack symmetric-key cryptography with a linear structure in polynomial time, so as to achieve exponential acceleration [3].

Existing studies on the post-quantum security of symmetric-key cryptography mainly focus on block ciphers and modes of operation on block ciphers. Post-quantum security analysis of block ciphers mainly focuses on Feistel [9,10,11], generalized Feistel [12], (tweakable) Even-Mansour cipher [13,14], Key-Alternating Ciphers (KACs) [15], Tweakable Block Ciphers (TBCs) [16], LRW [17], and other structures. Post-quantum security analysis of modes of operation on block ciphers mainly focuses on encryption modes, authentication modes or message authentication codes, and authenticated encryption (AE) modes [6,16,17,18,19,20,21,22].

The quantum security analysis is based on quantum superposition model, where the adversary is allowed to access quantum oracles with quantum superposition states (i.e., the quantum adversary has access to the quantum encryption oracle with quantum superposition states of the plaintext and returns the superposition states of the ciphertext). In 2016, Anand et al. considered some encryption modes of operation (including CBC, CFB, OFB, CTR, and XTS), presented a quantum security definition called IND-qCPA for privacy (which is unlike the classical IND-CPA security and allows for quantum encryption queries), and showed that most of these modes exhibit classical IND-CPA security but IND-qCPA insecurity [23]. In 2017, Kaplan et al. considered authentication modes and AE modes, focused on the authenticity (existential unforgeability under quantum chosen-message attacks, EUF-qCMA) security, and implemented quantum forgery attacks on authentication modes (such as CBC-MAC, PMAC and GMAC) and AE modes (such as GCM, OCB, CLOC, AEZ, COPA, OTR, POET, OMD, and Minalpher) by Simon’s algorithm [17]. In 2021, Guo et al. used Grover’s algorithm and the Grover-meets-Simon algorithm to realize quantum forgery attacks on many beyond-birthday-bound secure MACs (such as SUM-ECBC-like MAC, and PMAC-Plus-like MAC) [6]. In 2022, Maram et al. considered the quantum security of OCB, and presented the IND-qCPA security and universal unforgeability of OCB variants [19]. In 2023, Nan et al. used Simon’s algorithm and the Grover-meets-Simon algorithm to implement quantum forgery attacks on pEDM, PDM* and nEHtMp [24]. Lang and Lucks focused on the post-quantum security of classical authenticated encryption schemes, including the generic SIV mode, GCM mode, and EAX mode [22]. In 2025, Zhang et al. proposed a novel quantum query model tailored for AE with associated data (AEAD) and analyzed the relationships between different quantum IND-CPA security notions [20].

COPA, designed by Andreeva et al., is a classical authenticated encryption (AE) scheme supporting associated data and a winner of the prestigious CAESAR competition [25]. It offers parallelizable processing with birthday-bound security when instantiated with a strong pseudorandom permutation. However, its security guarantees were fundamentally challenged by Xu et al. (2021) [26], who demonstrated quantum existential forgery attacks on both COPA and AES-COPA. By leveraging Simon’s algorithm to identify periods in the tag generation function through superposition queries, they successfully forged valid tags for new messages. Critically, while this work exposed vulnerabilities in authenticity under quantum attacks, it left a significant gap: the confidentiality of COPA in quantum settings remained unexplored. This omission is particularly consequential given that

• Post-quantum security demands joint guarantees for both privacy (IND-qCPA) and integrity (EUF-qCMA);
• NIST’s migration guidelines explicitly require quantum-resistant confidentiality;
• No prior work has established whether COPA’s encryption mechanism resists quantum plaintext recovery attacks.

Our contribution. Our work directly addresses this critical knowledge gap by providing the first formal analysis of COPA’s privacy in quantum settings. Our contribution includes

• The first IND-qCPA security analysis of COPA in quantum settings, establishing its confidentiality guarantees under quantum chosen-plaintext attacks.
• COPA-ISDP: An enhanced variant achieving joint IND-qCPA and EUF-qCMA security via a mandatory non-empty associated data and a novel intermediate state doubling-point technique.
• Efficient security hardening that
  • Preserves COPA’s parallelizability and efficiency.
  • Breaks input/tag invariance using finite field double-multiplication.
  • Mitigates quantum attacks (e.g., Simon’s algorithm).

Compared with Xu et al.’s prior work [26], our work fundamentally differs in both scope and methodology, and provides significant advancements beyond their results:

• Distinct Security Goals: Confidentiality vs. Authenticity—Xu et al. (2021) [26] focused exclusively on EUF-qCMA security (authenticity), demonstrating how Simon’s algorithm can forge authentication tags via superposition queries. Our work addresses the critical gap they left: IND-qCPA security (confidentiality). We provide the first formal proof that COPA’s encryption mechanism fails to achieve IND-qCPA under quantum chosen-plaintext attacks. This establishes that COPA leaks plaintext information in quantum settings—a vulnerability that has not been addressed by prior work.
• Formalized Security Framework vs. Concrete Attacks—Xu et al. employed an attack-driven approach: They designed a specific quantum forgery attack but did not generalize COPA’s security properties. Our work develops a rigorous reductionist framework: We prove IND-qCPA insecurity via a game-based reduction to the quantum pseudorandom permutation (qPRP) security of the underlying block cipher (Section 3).
• Constructive Remedy with Provable Guarantees—Xu et al. exposed a vulnerability (authenticity), but they proposed no solution. In contrast, we introduce COPA-ISDP, an enhanced variant that achieves both IND-qCPA and EUF-qCMA security via intermediate state doubling-point and mandatory non-empty associated data. In addition, we provide joint security proofs for IND-qCPA and EUF-qCMA in the quantum random oracle model.
• Broader Impact: A Design Paradigm—Our work transcends COPA-specific analysis. The ISDP technique offers a generic countermeasure against quantum invariance attacks, and this is validated in our repair of COPA and can be extended to symmetric primitives.

The comparison between Xu et al.’s work [26] and our work is shown in

Table 1. Comparison between Xu et al.’s work and our work.

Aspect	Xu et al.’s Work [26]	Our Work
Security Focus	EUF-qCMA only	IND-qCPA + EUF-qCMA
Methodology	Concrete attack	Formal reduction proofs
Technical Contribution	Vulnerability demonstration	Provably secure construction
Security Guarantees	Attack-specific	Generalized bounds
Practical Impact	Highlighted problem	Solution + design paradigm

.

Organization of this paper. Section 2 presents some preliminaries. Section 3 shows quantum attacks on COPA. Section 4 introduces an enhanced variant of COPA. Section 5 concludes this paper.

2. Preliminaries

This section introduces some basic syntax, including permutation, block cipher, and authenticated encryption with associated data (AEAD); some basic quantum circuit models, including the permutation circuit, block cipher circuit, and AEAD circuit; and some quantum security models, including the IND-qCPA security model for privacy and the EUF-qCMA security model for authenticity.

2.1. Basic Syntax

Let $P:{\{0,1\}}^n\to {\{0,1\}}^n$ be an n-bit permutation and $P^{-1}$ be the inverse of P. Let $R:{\{0,1\}}^n\to {\{0,1\}}^n$ be an n-bit function.

A block cipher with a key space $\mathcal{K}={\{0,1\}}^k$ and a message space ${\{0,1\}}^n$ is a map $E:{\{0,1\}}^k\times {\{0,1\}}^n\to {\{0,1\}}^n$ such that for any key $K\in \mathcal{K}$, $E_K(·)$ is an n-bit permutation and $D_K=E_K^{-1}$ is the inverse of $E_K$.

An AEAD scheme consists of the encryption algorithm $\mathcal{E}$ and decryption algorithm $\mathcal{D}$. The syntax is shown as follows:

$$\begin{array}{cc}\hfill & (C,T)\leftarrow \mathcal{E}(K,N,A,M)={\mathcal{E}}_K(N,A,M)\hfill \\ \hfill & M/\perp \leftarrow \mathcal{D}(K,N,A,C,T)={\mathcal{D}}_K(N,A,C,T),\hfill \end{array}$$

where $K,N,A,M,C,T$ are the key, nonce, associated data, plaintext, ciphertext, and authentication tag, respectively. Moreover, for any $N,A$, and M, ${\mathcal{D}}_K(N,A,{\mathcal{E}}_K(N,A,M))=M$ holds.

2.2. Quantum Circuit Models

Unitary Circuit Model: Let f be any function. In the superposition query, the adversary chooses $|x\rangle |y\rangle$ and receives $|x\rangle |y\oplus f\left(x\right)\rangle$, i.e.,

$$\begin{array}{c}\hfill U_f:|x\rangle |y\rangle \to |x\rangle |y\oplus f\left(x\right)\rangle .\end{array}$$

If f is a permutation P or a block cipher $E_K$, the circuit is also called as quantum permutation circuit or block cipher circuit.

AEAD Circuit Model: Let $\Pi =(\mathcal{E},\mathcal{D})$ be an AEAD which consists of encryption and decryption unitary circuits. In the superposition query to $\mathcal{E}$, the adversary chooses $|K\rangle |N\rangle |A\rangle |M\rangle |y\rangle$ and receives $|K\rangle |N\rangle |A\rangle |M\rangle |y\oplus {\mathcal{E}}_K(N,A,M)\rangle$, i.e.,

$$\begin{array}{c}\hfill U_{\mathcal{E}}:|K\rangle |N\rangle |A\rangle |M\rangle |y\rangle \to |K\rangle |N\rangle |A\rangle |M\rangle |y\oplus {\mathcal{E}}_K(N,A,M)\rangle .\end{array}$$

In the superposition query to $\mathcal{D}$, the adversary chooses $|K\rangle |N\rangle |A\rangle |C\rangle |T\rangle |y\rangle$ and receives $|K\rangle |N\rangle |A\rangle |C\rangle |T\rangle |y\oplus {\mathcal{D}}_K(N,A,C,T)\rangle$, i.e.,

$$\begin{array}{c}\hfill U_{\mathcal{D}}:|K\rangle |N\rangle |A\rangle |C\rangle |T\rangle |y\rangle \to |K\rangle |N\rangle |A\rangle |C\rangle |T\rangle |y\oplus {\mathcal{D}}_K(N,A,C,T)\rangle .\end{array}$$

2.3. Simon’s Algorithm

Simon’s algorithm (Simon, 1997 [2]) is an efficient quantum algorithm for settling the following Simon’s problem, with a complexity of $O\left(n\right)$:

Simon’s Problem: Given a function $f:{\{0,1\}}^n\to {\{0,1\}}^n$ and a promise that there exists a non-zero $s\in {\{0,1\}}^n$ such that, for any two distinct $x,y\in {\{0,1\}}^n$, $f\left(x\right)=f\left(y\right)⟺x=y\oplus s$, the goal is to find s.

2.4. Quantum Security Models

For block cipher, we consider quantum-secure pseudorandom permutation (qPRP) and quantum-secure pseudorandom function (qPRF) models [19].

Definition 1

(qPRP [19]). A block cipher $E_K:{\{0,1\}}^n\to {\{0,1\}}^n$ is a quantum-secure pseudorandom permutation (qPRP) if no efficient quantum adversary $\mathcal{A}$ making quantum queries can distinguish between a truly random permutation $P:{\{0,1\}}^n\to {\{0,1\}}^n$ and $E_K$ for a uniformly random secret key $K\stackrel{\$}{\leftarrow }{\{0,1\}}^k$.

The advantage of $\mathcal{A}$ in distinguishing $E_K$ from the random permutation π is defined as

$$\begin{array}{c}\hfill Ad{v}_E^{qPRP}\left(\mathcal{A}\right)=|Pr[{\mathcal{A}}^{E_K}=1]-Pr[{\mathcal{A}}^P=1]|,\end{array}$$

where ${\mathcal{A}}^O$ denotes that $\mathcal{A}$ has quantum oracle access to $O\in \{E_K,P\}$. Then, we have $E_K$ as a qPRP if $Ad{v}_E^{qPRP}\left(\mathcal{A}\right)$ is negligible for any polynomial-time quantum adversary $\mathcal{A}$.

Definition 2

(qPRF [19]). A function $E_K:{\{0,1\}}^n\to {\{0,1\}}^n$ is a quantum-secure pseudorandom function (qPRF) if no efficient quantum adversary $\mathcal{A}$ making quantum queries can distinguish between a truly random function $R:{\{0,1\}}^n\to {\{0,1\}}^n$ and the function $E_K$ for a uniformly random secret key $K\stackrel{\$}{\leftarrow }{\{0,1\}}^k$.

The advantage of $\mathcal{A}$ in distinguishing $E_K$ from the random function R is defined as

$$\begin{array}{c}\hfill Ad{v}_E^{qPRF}\left(\mathcal{A}\right)=|Pr[{\mathcal{A}}^{E_K}=1]-Pr[{\mathcal{A}}^R=1]|,\end{array}$$

where ${\mathcal{A}}^O$ denotes that $\mathcal{A}$ has quantum oracle access to $O\in \{E_K,R\}$. Then, we have $E_K$ as a quantum-secure PRF if $Ad{v}_E^{qPRF}\left(\mathcal{A}\right)$ is negligible for any polynomial-time quantum adversary $\mathcal{A}$.

Lemma 1

(qPRP-qPRF Switching Lemma [27]). Let R and P denote quantum oracles of a random function from ${\{0,1\}}^n$ to ${\{0,1\}}^n$ and an n-bit random permutation, respectively. Let $\mathcal{A}$ be an oracle-aided quantum algorithm that makes, at most, q quantum queries. Then, it holds that

$$\begin{array}{c}\hfill Ad{v}_E^{qPRP}\left(\mathcal{A}\right)\le Ad{v}_E^{qPRF}\left(\mathcal{A}\right)+O(q^3/2^n).\end{array}$$

For AEAD, we consider indistinguishable under quantum chosen-plaintext attack (IND-qCPA) for privacy and existentially unforgeable under chosen message attack (EUF-qCMA) for authenticity [19].

Definition 3

(IND-qCPA [19]). An AEAD scheme $\Pi =(\mathcal{E},\mathcal{D})$ is indistinguishable under quantum chosen-plaintext attack (IND-qCPA secure) if there is not an efficient quantum adversary that is able to win the following game, except with ${\displaystyle \frac{1}{2}}+ϵ$ probability, where ϵ is a negligible value.

• Key generation stage. $K\stackrel{\$}{\leftarrow }\mathcal{K}$ and $b\stackrel{\$}{\leftarrow }\{0,1\}$ are randomly drawn by the challenge.
• Query stage. The quantum adversary $\mathcal{A}$ is allowed to make two types of queries in any order.
  • Encryption queries. The challenge first randomly chooses a nonce N and forwards it to $\mathcal{A}$. The adversary $\mathcal{A}$ chooses a plaintext-AD pair $(M,A)$ in superposition, and the challenger encrypts $(N,A,M)$ with the classical nonce N and returns the output $(C,T)$ to $\mathcal{A}$.
  • Challenge query. The challenger picks a random nonce N once more and forwards it to $\mathcal{A}$. Afterwards, $\mathcal{A}$ chooses two same size classical plaintext-AD pairs $(M_0,A_0)\ne (M_1,A_1)$ and forwards them to the challenger, which in turn encrypts $(N,A_b,M_b)$ with the previous chosen classical nonce N. The output $(C^{*},T^{*})$ is returned to $\mathcal{A}$.
• Guess stage. The adversary decides whether $(C^{*},T^{*})$ is encrypted from $(N,A_0,$ $M_0)$ or $(N,A_1,M_1)$, outputs a bit $b^{\prime }$, and wins if $b=b^{\prime }$.

The IND-qCPA advantage of an adversary $\mathcal{A}$ against an AEAD scheme Π is defined as

$$\begin{array}{c}\hfill Ad{v}_{\Pi }^{IND-qCPA}\left(\mathcal{A}\right)=|Pr\left[\mathcal{A}wins\right]-{\displaystyle \frac{1}{2}}|.\end{array}$$

Definition 4

(EUF-qCMA [19]). An AEAD scheme $\Pi =(\mathcal{E},\mathcal{D})$ is existentially unforgeable under chosen message attack (EUF-qCMA secure) if there is no efficient quantum adversary that is able to win the following game, except with with a negligible probability.

• Key generation stage. $K\stackrel{\$}{\leftarrow }\mathcal{K}$ is randomly drawn by the challenge.
• Query stage. The quantum adversary $\mathcal{A}$ is allowed to make encryption queries.
  • Encryption queries. The challenge first randomly chooses a nonce N and forwards it to $\mathcal{A}$. The adversary $\mathcal{A}$ chooses a plaintext–AD pair $(M,A)$ in superposition, and the challenger encrypts $(N,A,M)$ with the classical nonce N and returns the output $(C,T)$ to $\mathcal{A}$.
• Forgery stage. After making q encryption queries, $\mathcal{A}$ produces $q+1$ classical tuples $(N,A,C,T)$ with any nonce N of its choice, and wins if, for each tuple, we have ${\mathcal{D}}_K(N,A,C,T)\ne \perp$.

The EUF-qCMA advantage of an adversary $\mathcal{A}$ against an AEAD scheme Π is defined as

$$\begin{array}{c}\hfill Ad{v}_{\Pi }^{EUF-qCMA}\left(\mathcal{A}\right)=Pr\left[\mathcal{A}wins\right].\end{array}$$

3. Quantum Attacks on COPA

COPA, designed by Andreeva et al., is a classical birthday-bound secure block-cipher-based AEAD mode offering nonce-misuse resistance [25]. However, classical forgery attacks against COPA have been identified by scholars, though with limited success probability. Subsequently, Xu et al. demonstrated quantum forgery attacks on COPA using Simon’s algorithm, reducing the query complexity to $O\left(n\right)$ and achieving near-100% success probability [26].

While existing works compromise COPA’s unforgeability in the quantum setting, they do not address its confidentiality under quantum attacks. This section provides a comprehensive post-quantum security analysis of COPA, covering both confidentiality and authenticity.

3.1. Specifications of COPA

Let K, A, M, C, and T denote the key, associated data, plaintext, ciphertext, and authentication tag, respectively. Define $E_K$ as a block cipher under key K. The associated data A is partitioned into a n-bit blocks $A\left[1\right],\dots ,A\left[a\right]$ or $A\left[a\right]\left|\right|{10}^{*}$ and the plaintext M is divided into d n-bit blocks $M\left[1\right],\dots ,M\left[d\right]$. Compute $L=E_K\left(0^n\right)$, and let $V={\mathrm{PMAC}1}_K\left(A\right)$ (where $V=0$ if A is empty). In addition to this, the generation of the mask sequence ${\{2^i·3^j·L\}}_{i,j\in \mathbf{N}}$ is implemented using the doubling-point technique. The so-called doubling-point technique involves using the double-multiplication operation of elements on a finite field to calculate new elements so that the operation speed is fast and highly efficient. For example, for $3·a=2·a\oplus a,2·3·a=2·(2·a\oplus a),2^2·a=2·2a,\cdots$.

The COPA encryption algorithm takes $(K,A,M)$ as input and outputs $(C,T)$, while the decryption algorithm takes $(K,A,C,T)$ as input and outputs M or ⊥ (indicating failure). Figure 1 illustrates the COPA structure, with detailed procedures for PMAC1, encryption, and decryption provided in Algorithms 1, 2, and 3, respectively.

Algorithm 1 PMAC1 Algorithm: $PMAC{1}_K\left(A\right)$

Input: Key K and associated data A Output: MAC tag V if A is empty    return $V=0$ else    $L\leftarrow E_K\left(0^n\right)$    Partition A into $A\left[1\right]\parallel \cdots \parallel A\left[a\right]$, where $\left|A\right[i\left]\right|=n$ for $1\le i\le a-1,0<\left|A\right[a\left]\right|\le n$    for $i=1$ to $a-1$        $X\left[i\right]\leftarrow A\left[i\right]\oplus 2^{i-1}·3^3·L$        $S\left[i\right]\leftarrow E_K\left(X\left[i\right]\right)$    if $\left|A\right[a\left]\right|=n$        $\Sigma \leftarrow S_1\oplus S_2\oplus \cdots \oplus S_{a-1}\oplus A\left[a\right]$        $V=E_K(\Sigma \oplus 2^{a-1}·3^4·L)$    else        $\Sigma \leftarrow S_1\oplus S_2\oplus \cdots \oplus S_{a-1}\oplus A\left[a\right]{10}^{*}$        $V=E_K(\Sigma \oplus 2^{a-1}·3^5·L)$    return V

Algorithm 2 The encryption algorithm: $COPA.{\mathcal{E}}_K(A,M)$

Input: Key K, associated data A, and plaintext M Output: Ciphertext C and tag T Partition M into $M\left[1\right]\parallel \cdots \parallel M\left[d\right]$, where $\left|M\right[i\left]\right|=n,1\le i\le d$ $V=PMAC{1}_K\left(A\right)$ $L=E_K\left(0^n\right)$ $U\left[0\right]=V\oplus L$ for $i=1$ to d     $S\left[i\right]\leftarrow E_K(M\left[i\right]\oplus 2^{i-1}·3·L)$     $U\left[i\right]\leftarrow U\left[0\right]\oplus S\left[1\right]\oplus S\left[2\right]\oplus \cdots \oplus S\left[i\right]$     $C\left[i\right]\leftarrow E_K\left(U\left[i\right]\right)\oplus 2^i·L$ $C\leftarrow C\left[1\right]C\left[2\right]\cdots C\left[d\right]$ $S=U\left[d\right]$ $\Sigma ={⨁}_{1\le i\le d}M\left[i\right]$ $T=E_K(E_K(\Sigma \oplus 2^{d-1}·3^2·L)\oplus S)\oplus 2^{d-1}·7·L$ return $C\left|\right|T$

Algorithm 3 The decryption algorithm: $COPA.{\mathcal{D}}_K(A,C|\left|T\right)$

Input: Key K, associated data A, ciphertext C, and tag T Output: Plaintext M or ⊥ Partition C into $C\left[1\right]\parallel \cdots \parallel C\left[d\right]$, where $\left|C\right[i\left]\right|=n,1\le i\le d$ $V=PMAC{1}_K\left(A\right)$ $L=E_K\left(0^n\right)$ $U\left[0\right]=V\oplus L$ for $i=1$ to d     $U\left[i\right]\leftarrow E_K^{-1}(C\left[i\right]\oplus 2^i·L)$     $M\left[i\right]\leftarrow E_K^{-1}(U\left[i\right]\oplus U[i-1])\oplus 2^{i-1}·3·L$ $M\leftarrow M\left[1\right]M\left[2\right]\cdots M\left[d\right]$ $S=U\left[d\right]$ $\Sigma ={⨁}_{1\le i\le d}M\left[i\right]$ $T^{\prime }=E_K(E_K(\Sigma \oplus 2^{d-1}·3^2·L)\oplus S)\oplus 2^{d-1}·7·L$ if $T^{\prime }=T$     return M else     return ⊥

3.2. IND-qCPA Security Analysis of COPA

If quantum superposition queries are allowed, a polynomial time attack is proposed against the confidentiality of COPA.

Considering a function $f_A:{\{0,1\}}^n\to {\{0,1\}}^n$, for input $(K,A,M|\left|M\right)$ and its output $\left(C\right[1\left]\right|\left|C\right[2],T)$, one has

$$\begin{array}{c}\hfill C\left[2\right]=f_A\left(M\right)=E_K(E_K(M\oplus 3·L)\oplus V\oplus L\oplus E_K(M\oplus 2·3·L))\oplus 2^2·L.\end{array}$$

We found that $f_A$ is a periodic function with period $s=3·L\oplus 2·3·L=5·L$. Using Simon’s algorithm, we can recover the state L in a polynomial time $O\left(n\right)$.

Through observation, we found that if $M\left[1\right]=3·L$, according to $L=E_K\left(0^n\right)$ and let $V=0^n$, we have $C\left[1\right]=L\oplus 2·L=3·L$.

Therefore, to achieve IND-qCPA attack, we perform the following steps:

In the challenge query stage, the challenge chooses a single-block message $M_0=3·L$ and a random message $M_1\ne M_0$ (no associated data).

Upon receiving the response $(C^{*},T^{*})$ from the challenger, the adversary $\mathcal{A}$ outputs bit $b^{\prime }=0$ if $C^{*}=3·L$, and outputs $b^{\prime }=1$ otherwise.

In the guess stage, the adversary $\mathcal{A}$ easily decides whether $(C^{*},T^{*})$ is encrypted from $M_0$ or $M_1$, i.e., the probability that $\mathcal{A}$ wins is 1. This is because of the following factors:

If $M_0=3·L$ was encrypted by the challenger, then $C^{*}=E_K(E_K\left(0^n\right)\oplus L)\oplus 2·L=3·L$.

If $M_1\ne M_0$ was encrypted by the challenger, then $C^{*}=E_K(E_K(M_1\oplus 3·L)\oplus L)\oplus 2·L$. According to PRP/qPRP security, $Pr[C^{*}=3·L]$ is negligible.

It follows that the IND-qCPA advantage of an adversary $\mathcal{A}$ against COPA is

$$\begin{array}{c}\hfill Ad{v}_{COPA}^{IND-qCPA}\left(\mathcal{A}\right)=|Pr\left[\mathcal{A}wins\right]-{\displaystyle \frac{1}{2}}|={\displaystyle \frac{1}{2}}.\end{array}$$

Therefore, our attack succeeds with high probability.

3.3. EUF-qCMA Security Analysis of COPA

Xu et al. found the function period of the authentication tag of COPA using Simon’s algorithm and presented an unforgeability attack that breaks the EUF-qCMA security of COPA [26]. We briefly describe the attack process as follows:

In the query stage, the quantum adversary $\mathcal{A}$ makes one encryption query $(A,M|\left|M\right)$ and utilizes it to construct a periodic function $f_A\left(M\right)$. Then, using Simon’s algorithm, we obtain $L=E_K\left(0^n\right)=s/5$, where s is the period of $f_A\left(M\right)$. (In fact, Xu et al. utilized one encryption query to construct a periodic function of the authentication tag, and then recovered $L=E_K\left(0^n\right)$. Please refer to their paper for details). Furthermore, $\mathcal{A}$ chooses associated data $A=A\left[1\right]\left|\right|A\left[2\right]\left|\right|\cdots \left|\right|A\left[a\right]\left(A\left[a\right]\right|\left|{10}^{*}\right)$ and a message $M=M\left[1\right]\left|\right|M\left[2\right]\left|\right|\cdots \left|\right|M\left[d\right]$ in the superposition, and the challenger encrypts $(M,A)$ and returns the output $(C=C[1\left]\right|\left|C\right[2\left]\right||\cdots |\left|C\right[d],T)$ to $\mathcal{A}$, where $C\left[i\right]=E_K({⨁}_{1\le j\le i}{E}_K(M\left[j\right]\oplus 2^{j-1}·3·L)\oplus V\oplus L)\oplus 2^i·L$ and $V=PMAC{1}_K\left(A\right)$.

In the forgery stage, $\mathcal{A}$ produces two forgeries $(A,C^{\prime }=C^{\prime }\left[1\right]|\left|C\left[2\right]\right||\cdots ||C\left[d\right],T)$ and $(A^{\prime }=A\left[2\right]\oplus 17·L\left|\right|A\left[1\right]\oplus 17·L\left|\right|\cdots \left|\right|A\left[a\right]\left(A\left[a\right]\right||{10}^{*}),C^{\prime },T)$, and wins as ${\mathcal{D}}_K(A,C^{\prime },T)=M\left[2\right]\oplus 5·L\left|\right|M\left[1\right]\oplus 5·L\left|\right|\cdots \left|\right|M\left[d\right]\ne \perp$ and ${\mathcal{D}}_K(A^{\prime },C^{\prime },T)=M\left[2\right]\oplus 5·L\left|\right|M\left[1\right]\oplus 5·L\left|\right|\cdots \left|\right|M\left[d\right]\ne \perp$, where $C^{\prime }\left[1\right]=E_K(E_K(M\left[2\right]\oplus 2·3·L)\oplus V\oplus L)\oplus 2·L$.

It follows that the EUF-qCMA advantage of an adversary $\mathcal{A}$ against COPA is

$$\begin{array}{c}\hfill Ad{v}_{COPA}^{EUF-qCMA}\left(\mathcal{A}\right)=Pr\left[\mathcal{A}wins\right]=1.\end{array}$$

Therefore, our attack succeeds with probability 1.

4. COPA-ISDP: COPA with Intermediate-State Doubling Point

After careful observation, we found that 1. The IND-qCPA insecurity of COPA is due to the fact that we can construct a periodic function that calculates the intermediate state $L=E_K\left(0^n\right)$ and then use an empty associated data in the query phase to launch attacks; 2. The EUF-qCMA insecurity of COPA is due to the fact that you can control the two inputs, generating the last authentication tag to be unchanged to ensure that the last authentication tag is unchanged.

To fix post-quantum security of COPA, we require that associated data used in all stages cannot be empty and introduce an intermediate state doubling-point technique into COPA to break the intermediate state or authentication tag invariance. We refer to it as COPA with an intermediate-state doubling-point (COPA-ISDP). COPA-ISDP makes only minor changes on the basis of COPA to ensure that it inherits all the benefits of COPA. The so-called intermediate-state doubling-point (ISDP) technique uses the double-multiplication operation on a finite field to intermediate states, so that the operation breaks the quantum insecurity of direct XOR construction (ISDP induces provable algebraic nonlinearity, which is sufficient to disrupt quantum period-finding attacks while maintaining efficiency).

The overview of COPA-ISDP is shown in Figure 2. The PMAC1-ISDP, encryption, and decryption algorithms of COPA-ISDP are respectively shown in Algorithms 4, 5, and 6.

Algorithm 4 PMAC1-ISDP Algorithm: $PMAC1-ISD{P}_K\left(A\right)$

Input: Key K and associated data A Output: MAC tag V Partition A into $A\left[1\right]\parallel \cdots \parallel A\left[a\right]$, where $\left|A\right[i\left]\right|=n,1\le i\le a-1,0<\left|A\right[a\left]\right|\le n$ for $i=1$ to $a-1$        $S\left[i\right]\leftarrow E_K(A\left[i\right]\oplus 2^{a-2}·3^3·L)$ if $\left|A\right[a\left]\right|=n$        $\Sigma \leftarrow 2^a·S_1\oplus 2^{a-1}·S_2\oplus \cdots \oplus 2·S_{a-1}\oplus A\left[a\right]$        $V=E_K(\Sigma \oplus 2^{a-1}·3^4·L)$ else        $\Sigma \leftarrow 2^a·S_1\oplus 2^{a-1}·S_2\oplus \cdots \oplus 2·S_{a-1}\oplus A\left[a\right]{10}^{*}$        $V=E_K(\Sigma \oplus 2^{a-1}·3^5·L)$ return V

Algorithm 5 The encryption algorithm: $COPA-ISDP.{\mathcal{E}}_K(A,M)$

Input: Key K, associated data A, and plaintext M Output: Ciphertext C and tag T Partition M into $M\left[1\right]\parallel \cdots \parallel M\left[d\right]$, where $\left|M\right[i\left]\right|=n,1\le i\le d$ $V=PMAC1-ISD{P}_K\left(A\right)$ $L=E_K\left(0^n\right)$ for $i=1$ to d         $S\left[i\right]\leftarrow E_K(M\left[i\right]\oplus 2^{i-1}·3·L)$         $C\left[i\right]\leftarrow E_K(3^{i-1}·(V\oplus L\oplus S\left[1\right])\oplus 3^{i-2}·S\left[2\right]\oplus \cdots \oplus S\left[i\right])\oplus 2^i·L$ $C\leftarrow C\left[1\right]C\left[2\right]\cdots C\left[d\right]$ ${\Sigma }_1\leftarrow 3^d·(V\oplus L\oplus S\left[1\right])\oplus 3^{d-2}·S\left[2\right]\oplus \cdots \oplus 3·S\left[d\right]$ ${\Sigma }_2={⨁}_{1\le i\le d}M\left[i\right]$ $T=E_K(E_K({\Sigma }_2\oplus 2^{d-1}·3^2·L)\oplus {\Sigma }_1)\oplus 2^{d-1}·7·L$ return $C\left|\right|T$

Algorithm 6 The decryption algorithm: $COPA-ISDP.{\mathcal{D}}_K(A,C|\left|T\right)$

Input: Key K, associated data A, ciphertext C, and tag T Output: Plaintext M or ⊥ Partition C into $C\left[1\right]\parallel \cdots \parallel C\left[d\right]$, where $\left|C\right[i\left]\right|=n,1\le i\le d$ $V=PMAC1-ISD{P}_K\left(A\right)$ $L=E_K\left(0^n\right)$ for $i=2$ to d        $U\left[i\right]\leftarrow E_K^{-1}(C\left[i\right]\oplus 2^i·L)$        $M\left[i\right]\leftarrow E_K^{-1}(U\left[i\right]\oplus 3·U[i-1])\oplus 2^{i-1}·3·L$ $U\left[1\right]\leftarrow E_K^{-1}(C\left[1\right]\oplus 2·L)$ $M\left[1\right]\leftarrow E_K^{-1}(U\left[1\right]\oplus V\oplus L)\oplus 3·L$ $M\leftarrow M\left[1\right]M\left[2\right]\cdots M\left[d\right]$ ${\Sigma }_1=3·U\left[d\right]$ ${\Sigma }_2={⨁}_{1\le i\le d}M\left[i\right]$ $T^{\prime }=E_K(E_K({\Sigma }_2\oplus 2^{d-1}·3^2·L)\oplus {\Sigma }_1)\oplus 2^{d-1}·7·L$ if $T^{\prime }=T$        return M else        return ⊥

Next, we present the post-quantum security analysis of COPA-ISDP. We prove that COPA-ISDP ensures IND-qCPA security and EUF-qCMA security if the underlying block cipher is a secure qPRP or qPRF.

Theorem 1.

Let $\mathcal{A}$ be an IND-qCPA adversary against COPA-ISDP which makes q encryption and challenge queries in total, with d being the maximum length (in blocks) of messages in each query. Let $\sigma =q(a+2d+2)$. Then there exists a qPRP adversary $\mathcal{B}$ against the underlying block cipher $E_K$ with at most σ quantum queries such that

$$\begin{array}{c}\hfill Ad{v}_{COPA-ISDP}^{IND-qCPA}\left(\mathcal{A}\right)\le Ad{v}_E^{qPRP}\left(\mathcal{B}\right)+2q\sigma \sqrt{2^{-n}+{\displaystyle \frac{2q}{2^{n/2}}}}+{\displaystyle \frac{2q}{2^{n/2}}}.\end{array}$$

Proof: The security proof includes two steps. First, we replace $E_K$ with a random permutation $P\stackrel{\$}{\leftarrow }Perm\left(n\right)$, which costs

$$\begin{array}{c}\hfill Ad{v}_{COPA-ISDP}^{IND-qCPA}\left(\mathcal{A}\right)\le Ad{v}_E^{qPRF}\left(\mathcal{B}\right)+Ad{v}_{COPA-ISDP\left[P\right]}^{IND-qCPA}\left(\mathcal{A}\right).\end{array}$$

Then, consider an adversary $\mathcal{A}$ playing an IND-qCPA game with $COPA-ISDP\left[P\right]$. In the challenge phase, $\mathcal{A}$ picks two classical plaintext-associated data pairs $(M_0,A_0)$ and $(M_1,A_1)$ with $d+a$ being the maximum length, after which the challenger picks a random bit b and gives $(C_b,T_b)$ to $\mathcal{A}$.

We utilize the hybrid argument and define a sequence of hybrid games.

$G_0$: COPA-ISDP[P] with q superposition queries.

$G_1$: Firstly, we replace V with $V\stackrel{\$}{\leftarrow }{\{0,1\}}^n$ for each superposition query.

$G_{2i}$: We then replace $C\left[1\right]\left|\right|\cdots \left|\right|C\left[i\right]$ with ${\{0,1\}}^{ni}$ for each superposition query, where $1\le i\le d$ and $G_{20}=G_1$.

$G_3$: We replace C with $C\stackrel{\$}{\leftarrow }{\{0,1\}}^{dn}$ for each superposition query.

$G_4$: Finally, we replace T with $T\stackrel{\$}{\leftarrow }{\{0,1\}}^n$ for each superposition query.

In $G_4$, the distribution of $(C_b,T_b)$ is independent of the distribution of the responses received by $\mathcal{A}$ during the query phase. Since b is a random bit, if $b^{\prime }$ is the bit output by $\mathcal{A}$, the probability that $b=b^{\prime }$ is always 1/2. Thus, one has

$$\begin{array}{cc}\hfill Ad{v}_{COPA-ISDP\left[P\right]}^{IND-qCPA}\left(\mathcal{A}\right)=& |Pr\left[\mathcal{A}wins\right]-{\displaystyle \frac{1}{2}}|\hfill \\ \hfill \le & |Pr[{\mathcal{A}}^{G_0}=1]-Pr[{\mathcal{A}}^{G_1}=1]|\hfill \\ \hfill & +|Pr[{\mathcal{A}}^{G_1}=1]-Pr[{\mathcal{A}}^{G_3}=1]|\hfill \\ \hfill & +|Pr[{\mathcal{A}}^{G_3}=1]-Pr[{\mathcal{A}}^{G_4}=1]|\hfill \\ \hfill \le & |Pr[{\mathcal{A}}^{G_0}=1]-Pr[{\mathcal{A}}^{G_1}=1]|\hfill \\ \hfill & +\sum _{0\le i\le qd}|Pr[{\mathcal{A}}^{G_{2(i+1)}}=1]-Pr[{\mathcal{A}}^{G_{2i}}=1]|\hfill \\ \hfill & +\left|Pr\right[{\mathcal{A}}^{G_3}=1]-Pr[{\mathcal{A}}^{G_4}=1]|.\hfill \end{array}$$

According to the One-way to Hiding (O2H) lemma [19], we have

$$\begin{array}{c}\hfill |Pr[{\mathcal{A}}^{G_0}=1]-Pr[{\mathcal{A}}^{G_1}=1]|\le 2q\sqrt{2^{-n}+{\displaystyle \frac{2q}{2^{n/2}}}},\\ \hfill |Pr[{\mathcal{A}}^{G_{2(i+1)}}=1]-Pr[{\mathcal{A}}^{G_{2i}}=1]|\le 2q\sqrt{2^{-n}+{\displaystyle \frac{2q}{2^{n/2}}}},\\ \hfill |Pr[{\mathcal{A}}^{G_3}=1]-Pr[{\mathcal{A}}^{G_4}=1]|\le {\displaystyle \frac{2q}{2^{n/2}}}.\end{array}$$

Therefore, the IND-qCPA advantage of $\mathcal{A}$ against COPA-ISDP is at least

$$\begin{array}{c}\hfill Ad{v}_{COPA-ISDP}^{IND-qCPA}\left(\mathcal{A}\right)\le Ad{v}_E^{qPRP}\left(\mathcal{B}\right)+2q\sigma \sqrt{2^{-n}+{\displaystyle \frac{2q}{2^{n/2}}}}+{\displaystyle \frac{2q}{2^{n/2}}}.\end{array}$$

Theorem 2.

Let $\mathcal{A}$ be an EUF-qCMA adversary against COPA-ISDP which makes q encryption queries in total, with d being the maximum length (in blocks) of messages in each query, and outputs $q+1$ valid quadruples $(A,C,T)$. Let $\sigma =q(a+2d+2)$. Then, there exists a qPRF adversary $\mathcal{B}$ against the underlying block cipher $E_K$ with at most σ quantum queries, such that

$$\begin{array}{c}\hfill Ad{v}_{COPA-ISDP}^{EUF-qCMA}\left(\mathcal{A}\right)\le Ad{v}_E^{qPRF}\left(\mathcal{B}\right)+2q\sigma \sqrt{2^{-n}+{\displaystyle \frac{2q}{2^{n/2}}}}+{\displaystyle \frac{2q}{2^{n/2}}}+{\displaystyle \frac{q}{2^{n/3}}}+{\displaystyle \frac{q+1}{2^n}}.\end{array}$$

Proof: The security proof includes two steps. First, we replace $E_K$ with a random function $R\stackrel{\$}{\leftarrow }Func\left(n\right)$, which costs

$$\begin{array}{c}\hfill Ad{v}_{COPA-ISDP}^{EUF-qCMA}\left(\mathcal{A}\right)\le Ad{v}_E^{qPRF}\left(\mathcal{B}\right)+Ad{v}_{COPA-ISDP\left[R\right]}^{EUF-qCMA}\left(\mathcal{A}\right).\end{array}$$

Then, consider an adversary $\mathcal{A}$ playing an EUF-qCMA game with $COPA-ISDP\left[R\right]$. Recall that in the encryption phase, $\mathcal{A}$ picks q classical plaintext/AD pairs $(M^1,A^1),\cdots ,(M^q,A^q)$ with $d+a$ being the maximum length and giving $(C^1,T^1),\cdots ,(C^q,T^q)$ to $\mathcal{A}$.

In the query phase, according to the IND-qCPA advantage and qPRP-qPRF switching lemma, the probability that $\mathcal{A}$ wins is upper bounded by $2q\sigma \sqrt{2^{-n}+{\displaystyle \frac{2q}{2^{n/2}}}}+{\displaystyle \frac{2q}{2^{n/2}}}+{\displaystyle \frac{q}{2^{n/3}}}$.

In the forgery phase, $\mathcal{A}$ picks $q+1$ classical valid quadruples $(A,C,T)$. Since R is a random function, the probability that $\mathcal{D}(A,C,T)\ne \perp$ is always ${\displaystyle \frac{1}{2^n}}$. Thus, one has

$$\begin{array}{c}\hfill Ad{v}_{COPA-ISDP\left[R\right]}^{EUF-qCMA}\left(\mathcal{A}\right)=Pr\left[\mathcal{A}wins\right]={\displaystyle \frac{q+1}{2^n}}.\end{array}$$

Therefore, the EUF-qCMA advantage of $\mathcal{A}$ against COPA-ISDP is at least

$$\begin{array}{c}\hfill Ad{v}_{COPA-ISDP}^{EUF-qCMA}\left(\mathcal{A}\right)\le Ad{v}_E^{qPRF}\left(\mathcal{B}\right)+2q\sigma \sqrt{2^{-n}+{\displaystyle \frac{2q}{2^{n/2}}}}+{\displaystyle \frac{2q}{2^{n/2}}}+{\displaystyle \frac{q}{2^{n/3}}}+{\displaystyle \frac{q+1}{2^n}}.\end{array}$$

Theorems 1 and 2 show that COPA-ISDP supports the IND-qCPA and EUF-qCMA security if the underlying block cipher is a secure qPRF.

5. Conclusions and Future Work

This paper focuses on the post-quantum security of COPA, and presents the first IND-qCPA security analysis of COPA. Besides that, in order to effectively avoid the problems of quantum existential forgery attack and quantum distinguishing attack, we restrict the associated data non-emptiness, introduce a novel intermediate state doubling-point technology into COPA, and present an enhanced variant, called COPA-ISDP, to support the IND-qCPA and EUF-qCMA security. However, the universal unforgeability under quantum chosen-message-attacks (UUF-qCMAs) does not considered. We leave it as an open problem to present the UUF-qCMA attack on COPA. Besides that, this paper just considers IND-qCPA security for privacy. The qIND-qCPA and other stronger quantum security notions were presented recently. It is an interesting open problem to extend the IND-qCPA security analysis to the qIND-qCPA and other stronger quantum security analyses.