Quantum-secure message authentication via blind-unforgeability

Quantum-access-secure message authentication

via blind-unforgeability

Gorjan Alagic

_{, Christian Majenz}

_{, Alexander Russell}

_{, and Fang Song}

2_{QuSoft and Centrum Wiskunde & Informatica, Amsterdam}

3_{Department of Computer Science and Engineering, University of Connecticut} 4_{Department of Computer Science, Portland State University}

July 3, 2020

Abstract

Formulating and designing authentication of classical messages in the presence of adversaries with quantum query access has been a longstanding challenge, as the familiar classical notions of unforgeability do not directly translate into meaningful notions in the quantum setting. A particular difficulty is how to fairly capture the notion of “predicting an unqueried value” when the adversary can query in quantum superposition.

We propose a natural definition of unforgeability against quantum adversaries calledblind unforgeability. This notion defines a function to be predictable if there exists an adversary who can use “partially blinded” oracle access to predict values in the blinded region. We support the proposal with a number of technical results. We begin by establishing that the notion coincides with EUF-CMA in the classical setting and go on to demonstrate that the notion is satisfied by a number of simple guiding examples, such as random functions and quantum-query-secure pseudorandom functions. We then show the suitability of blind unforgeability for supporting canonical constructions and reductions. We prove that the “hash-and-MAC” paradigm and the Lamport one-time digital signature scheme are indeed unforgeable according to the definition. To support our analysis, we additionally define and study a new variety of quantum-secure hash functions calledBernoulli-preserving.

Finally, we demonstrate that blind unforgeability is strictly stronger than a previous definition of Boneh and Zhandry [EUROCRYPT ’13, CRYPTO ’13] and resolve an open problem concerning this previous definition by constructing an explicit function family which is forgeable yet satisfies the definition.

1

Introduction

Large-scale quantum computers will break widely-deployed public-key cryptography, and may even threaten certain post-quantum candidates [22,8, 9,11,5]. Even elementary symmetric-key constructions like Feistel ciphers and CBC-MACs become vulnerable in quantum attack models where the adversary is presumed to have quantum query access to some part of the cryptosystem [16,17,15,21]. As an example, consider encryption in the setting where the adversary has access to the unitary operator |xi|yi 7→ |xi|y⊕fk(x)i,

where fk is the encryption or decryption function with secret keyk. While it is debatable if this model

In this article, we study authentication of classical information in the quantum-secure model. Here, the adversary is granted quantum query access to the signing algorithm of a message authentication code (MAC) or a digital signature scheme, and is tasked with producing valid forgeries. In the purely classical setting, we insist that the forgeries are fresh, i.e., distinct from previous queries to the oracle. When the function may be queried in superposition, however, it’s unclear how to meaningfully reflect this constraint that a forgery was previously “unqueried.” For example, it is clear that an adversary that simply queries with a uniform superposition and then measures a forgery—a feasible attack against any function—should not be considered successful. On the other hand, an adversary that uses the same query to discover some structural property (e.g., a superpolynomial-size period in the MAC) should be considered a break. Examples like these indicate the difficulty of the problem. How do we correctly “price” the queries? How do we decide if a forgery is fresh? Furthermore, how can this be done in a manner that is consistent with these guiding examples? In fact, this problem has a natural interpretation that goes well beyond cryptography: What does it mean for a classical function to appear unpredictable to a quantum oracle algorithm?1

1.1

Previous approaches

The first approach to this problem was suggested by Boneh and Zhandry [6]. They define a MAC to be unforgeable if, after makingq queries to the MAC, no adversary can produceq+ 1 valid input-output pairs except with negligible probability. We will refer to this notion as “POsecurity” (POfor “plus one,” and

k-POwhen the adversary is permitted a maximum ofkqueries). Among a number of results, Boneh and Zhandry prove that this notion can be realized by a quantum-secure pseudorandom function (qPRF).

Another approach, due to Garg, Yuen and Zhandry [13] (GYZ), considers a functionone-timeunforgeable if only a trivial “query, measure in computational basis, output result” attack2is allowed. Unfortunately, it is not clear how to extendGYZto two or more queries. Furthermore, the single query is allowed in a limited query model with an non-standard restriction.3 Zhandry recently showed a separation betweenPOandGYZ

by means of the powerful tool of obfuscation [30].

It is interesting to note that similar problems arise in encryption schemes ofquantumdata and a convincing solution was recently found [3,2]. However, it relies on the fact that for quantum messages,authentication implies secrecy. This enables “tricking” the adversary by replacing their queries with “trap” plaintexts to detect replays. As unforgeability and secrecy are orthogonal in the classical world, adversaries would easily recognize the spoofed oracle. This renders the approach of [3, 2] inapplicable in this case.

1.2

Unresolved issues

POsecurity, the only candidate definition of quantum-secure unforgeability in the general, multi-query setting, appears to be insufficient for several reasons. First, as observed in [13], it is a priori unclear ifPOsecurity rules out forging on a message region Awhile making queries to a signing oracle supported on a disjoint message regionB. Second, there may be unique features of quantum information, such as the destructiveness of quantum measurement, whichPOdoes not capture. In particular, quantum algorithms must sometimes “consume” (i.e., fully measure) a state to extract some useful information, such as a symmetry in the oracle.

There might be an adversary that makes one or more quantum queries but then must consume the post-query states completely in order to make a single, but convincing, forgery.

Surprisingly, prior to this work none of these plausible attack strategies have been exploited to give a separation betweenPOand “intuitive security.”

1_{The related notion of “appearingrandomto quantum oracle algorithms” has a satisfying definition, which can be fulfilled}

efficiently [28].

2_{Technically, theStinespring dilation[24] of a computational basis measurement is the most general attack.}

3_{Compared to the standard quantum oracle for a classical function, GYZ require the output register to be empty prior to the}

2

Summary of results

2.1

A new definition: Blind-unforgeability

To address the abovementioned issues, and in light of the concrete “counterexample” presented below as

Construction 1, we develop a new definition of many-time unforgeability we call “blind-unforgeability” (or

BU). In this approach we examine the behavior of adversaries in the following experiment. The adversary is granted quantum oracle access to the MAC, “blinded” at a random regionB. Specifically, we setB to be a random-fraction of the message space, and declare that the oracle function will output⊥on all ofB.

BMack(x) :=

(

⊥ ifx∈B, Mack(x) otherwise.

Given a MAC (Mac,Ver), an adversaryA, and A-selected parameter , the “blind forgery experiment” is: 1. Generate keyk and random blindingB;

2. Produce candidate forgery (m, t)← ABMack₍₁n_).

3. OutputwinifVerk(m, t) =acc andm∈B; otherwise outputrej.

Definition 1. A MAC is blind-unforgeable (BU)if for every adversary(A, ), the probability of winning the blind forgery experiment is negligible.

In this work,BUwill typically refer to the case whereAis an efficient quantum algorithm (QPT) and the oracle is quantum, i.e.,|xi|yi 7→ |xi|y⊕BMack(x)i. We will also considerq-BU, the information-theoretic variant where the total number of queries is a priori fixed toq. We remark that the above definition is also easy to adapt to other settings, e.g., classical security against PPT adversaries, quantum or classical security for digital signatures, etc.

We remark that one could define a variant of the above where the adversary is allowed to describe the blinding distribution, rather than it being uniform. However, this is not a stronger notion. By a straightforward argument, an adversary wins in the chosen-blinding BU game if and only if it wins with a uniform-blinding for inverse-polynomial. Indeed, the adversary can just simulate its chosen blinding herself, and this still succeeds with inverse polynomial probability when interacting with a standard-blinded oracle (seeTheorem 2below).

2.2

Results about blind-unforgeability

To solidify our confidence in the new notion, we collect a series of results which we believe establish BU

as a definition of unforgeability that captures the desired intuitive security requirement. In particular, we show thatBUis strictly stronger than previous candidate definitions, and that it classifies a wide range of representative examples (in fact, all examples examined thus far) as either forgeable or unforgeable in a way that agrees with cryptographic intuition.

Relations and characterizations. First, we show thatBUcorrectly classifies unforgeability in the classical-query setting: it is equivalent to the classical unforgeability notion ofEUF-CMA(existential unforgeability against chosen-message attack). Then, we show that it impliesPO.

Theorem 1. If a function family isBU-unforgeable, then it is PO-unforgeable.

One key technical component of the proof is a general simulation theorem, which tightly controls the deviation in the behavior of an algorithm when subjected to theBUexperiment.

Theorem 2. Let Abe a quantum query algorithm making at mostT queries. Let f :X →Y be a function,

B a random -blinding subset of X, and for each B⊂X, letgB be a function with supportB. Then

E B

Af(1n)− Af⊕gB(1n) ₁≤2T

√

This result can be viewed as strong evidence that algorithms that produce “good forgeries” in any reasonable sense will also win theBUexperiment. Specifically, adversaries that produce “good forgeries” will not be disturbed too much by blinding, and will thus in fact also win theBUexperiment with non-negligible probability.

We can formulate and prove this intuition explicitly for a wide class of adversaries, as follows. Given an oracle algorithmA, we letsupp(A) denote the union of the supports of all the queries ofA, taken over all choices of oracle function.

Theorem 3 (informal). Let A be QPT and supp(A)∩R= ∅ for some R6=∅. Let Mac be a MAC, and suppose AMack₍₁n_{) outputs a valid pair(m,Mack(m))withm∈R with noticeable probability. ThenMacis}

notBU secure.

Blind-unforgeable MACs. Next, we show that several natural constructions satisfyBU. We first show that a random function is blind-unforgeable.

Theorem 4. LetR:X →Y be a random function such that1/|Y|is negligible. ThenRis a blind-unforgeable MAC.

By means of results of Zhandry [28] and Boneh and Zhandry [6], this leads to efficient BU-secure constructions.

Corollary 1. Quantum-secure pseudorandom functions (qPRF) are BU-secure MACs, and (4q+1)-wise independent functions areq-BU-secure MACs.

We can then invoke a recent result about the quantum-security of domain-extension schemes such as NMAC and HMAC [23], and obtain variable-lengthBU-secure MACs from anyqPRF.

In the setting of public verification, we show that the one-time Lamport signature scheme [18] isBU-secure, provided that the underlying hash function familyR:X →Y is modeled as a random oracle.

Theorem 5. Let R:X →Y be a random function family. Then the Lamport scheme LR is BU against

adversaries which make one quantum query toLR and poly-many quantum queries toR.

Hash-and-MAC. Consider the following natural variation on the blind-forgery experiment. To blind

F :X →Y, we first select a hash functionh:X →Z and a blinding setB⊆Z; we then declare thatF will

be blinded onx∈X wheneverh(x)∈B. We refer to this as “hash-blinding.” We say that a hash function

his a Bernoulli-preserving hash if, for every oracle functionF, no QPT can distinguish between an oracle that has been hash-blinded withh, and an oracle that has been blinded in the usual sense. Recall the notion ofcollapsing from [26].

Theorem 6. Let h:X →Y be a hash function. Ifhis Bernoulli-preserving hash, then it is also collapsing. Moreover, against adversaries with classical oracle access,his a Bernoulli-preserving hash if and only if it is collision-resistant.

We apply this new notion to show security of the Hash-and-MAC construction Πh_{= (Mac}h

,Verh) with

Mach_k(m) :=Mack(h(m)).

Theorem 7. Let Π = (Mack,Verk) be a BU-secure MAC with Mack : X → Y, and let h : Z → X a Bernoulli-preserving hash. ThenΠh is aBU-secure MAC.

2.3

A concrete “counterexample” for

PO

Supporting our motivation to devise a new unforgeability definition, we present a construction of a MAC which is forgeable (in a strong intuitive sense) and yet is classified byPOas secure.

Construction 1. Given k= (p, f, g, h)wherep∈ {0,1}n _{is a random period andf, g, h:{0,1}}n_{→ {0,1}}n

are random functions, defineMk :{0,1}n+1→ {0,1}2n by

Mk(x) =

    

g(x0modp)kf(x0) x= 1kx0,

0n_kh(x0_{) x= 0kx}0_{, x}0 _{6=p ,}

02n x= 0kp .

Definegp(x) :=g(xmodp) and consider an adversary that queries only on messages starting with 1, as

follows:

X

x,y

|1, xiX|0niY₁|yiY₂ 7−→X x,y

|1, xiX|gp(x)iY1|y⊕f(x)iY2; (1)

discarding the first qubit andY2 then yieldsP_x|xi|gp(x)i, asP_y|y⊕f(x)iY2 =

P

y|yiY2. One can then recover pvia period-finding and output (0kp,02n_{). We emphasize that the forgery was queried withzero}

amplitude. In practice, we can interpret it as, e.g., the attacker queries only on messages starting with “From: Alice” and then forges a message starting with “From: Bob”. Despite this, we can show that it isPO-secure.

Theorem 8. The familyMk (for uniformly random k= (p, f, g, h)) isPO-secure.

The POsecurity ofM relies on a dilemma the adversary faces at each query: either learn an output off, or obtain a superposition of (x, g(x))-pairs for Fourier sampling. Our proof shows that, once the adversary commits to one of these two choices, the other option is irrevocably lost. Our result can thus be understood as a refinement of an observation of Aaronson: quantumly learning a property sometimes requiresuncomputing some information [1]. Note that, while Aaronson could rely on standard (asymptotic) query complexity techniques, our problem is quite fragile: POsecurity describes a task which should be hard with qqueries, but is completely trivial givenq+ 1 queries. Our proof makes use of a new quantum random oracle technique of Zhandry [29].

A straightforward application of Theorem 3shows thatConstruction 1isBU-insecure. In particular, we have the following.

Corollary 2. There exists aPO-secure MAC which isBU-insecure.

The relationship betweenBU,POand a number of other notions are visualized in Figure 1.

EUF-CMA ⇐⇒[6] PO Proposition 2⇐⇒ BU

Unforgeability against classical adversaries

PO

Corollary 2

6

=⇒ ⇐=

Theorem 1

BU

Observation

6

=⇒ ⇐=

Corollary 1

qPRF

Unforgeability against quantum adversaries

Figure 1: Relationship between different unforgeability notions

2.4

Acknowledgements

3

Preliminaries

Basic notation and conventions. Given a finite set X, the notation x∈R X will mean that x is a

uniformly random element ofX. Given a subsetB of a setX, letχB:X → {0,1} denote the characteristic

function of B, i.e., χB(x) = 1 ifx∈B andχB(x) = 0 otherwise. When we say that a classical function

F is efficiently computable, we mean that there exists a uniform family of deterministic classical circuits which computes F. We will consider three classes of algorithms: (i.) unrestricted algorithms, modeling computationally unbounded adversaries, (ii.) probabilistic poly-time algorithms (PPTs), modeling classical adversaries, and (iii.) quantum poly-time algorithms (QPTs), modeling quantum adversaries. We assume that the latter two are given as polynomial-time uniform families of circuits. For PPTs, these are probabilistic circuits. For QPTs, they are quantum circuits, which may contain both unitary gates and measurements. We will often assume (without loss of generality) that the measurements are postponed to the end of the circuit, and that they take place in the computational basis. Given an algorithmA, we let A(x) denote the (in general, mixed) state output by Aon input x. In particular, if Ahas classical output, thenA(x) denotes a probability distribution. Unless otherwise stated, the probability is taken over all random coins and measurements ofAand any randomness used to select the inputx. IfAis an oracle algorithm andF

a classical function, thenAF_{(x) is the mixed state output byAequipped with oracleF and input x; the}

probability is now also taken over any randomness used to generateF.

We will distinguish between two ways of presenting a functionF :{0,1}n_{→ {0,1}}m_{as an oracle. First,}

the usual “classical oracle access” simply means that each oracle call grants one classical invocationx7→F(x). This will always be the oracle model for PPTs. Second, “quantum oracle access” will mean that each oracle call grants an invocation of the (n+m)-qubit unitary gate|xi|yi 7→ |xi|y⊕F(x)i.This will always be the oracle model for QPTs. Note that both QPTs and unrestricted algorithms could in principle receive either oracle type.

We will need the following lemma. We use the formulation from [7, Lemma 2.1], which is a special case of a more general “pinching lemma” of Hayashi [14].

Lemma 1. Let Abe a quantum algorithm andx∈ {0,1}∗_{. Let A}

0 be another quantum algorithm obtained

fromA by pausingAat an arbitrary stage of execution, performing a partial measurement that obtains one ofk outcomes, and then resuming A. ThenPr[A0(1n) =x]≥Pr[A(1n) =x]/k.

We denote the trace distance between states ρandσbyδ(ρ, σ). Recall that this is simply half the trace norm of the difference, i.e.,δ(ρ, σ) = (1/2)kρ−σk1. When ρandσare classical probability distributions, the

trace distance is equal to the total variation distance.

3.1

Quantum-secure pseudorandomness

A quantum-secure pseudorandom function (qPRF) is a family of classical, deterministic, efficiently-computable functions which appear random to QPT adversaries with quantum oracle access.

Definition 2. An efficiently computable function familyf :K×X→Y is a quantum-secure pseudorandom function (qPRF)if, for all QPTsD,

_k∈RKPr

Dfk₍₁n_{) = 1}

− Pr

g∈RFY X

Dg₍₁n_{) = 1}

≤negl(n).

HereFY

X denotes the set of all functions fromX to Y. The standard “GGM+GL” construction of aPRF

yields aqPRF when instantiated with a quantum-secure one-way function [28]. One can also construct a

qPRFdirectly from the Learning with Errors assumption [28]. If we have an a priori bound on the number of allowed queries, then a computational assumption is not needed.

Theorem 9 (Lemma 6.4 in [6]). Letq, c≥0be integers, andf :K×X →Y a (2q+c)-wise independent family of functions. LetD be an algorithm making no more thanq quantum oracle queries andc classical oracle queries. Then

Pr

k∈RK

Dfk₍₁n_{) = 1= Pr} g∈RFY

X

Dg₍₁n_{) = 1}

3.2

PO

-unforgeability

Boneh and Zhandry define unforgeability (against quantum queries) for classical MACs as follows [6]. They also show that random functions satisfy this notion.

Definition 3. LetΠ = (KeyGen,Mac,Ver)be a MAC with message setX. Consider the following experiment with an algorithmA:

1. Generate key: k←KeyGen(1n_).

2. Generate forgeries: Areceives quantum oracle for Mack, makesq queries, and outputs a strings;

3. Outcome: output winifs containsq+ 1 distinct input-output pairs of Mack, andfailotherwise.

We say thatΠ isPO-secure if no adversary can succeed at the above experiment with better than negligible probability.

3.3

The Fourier Oracle

Our separation proof will make use of a new technique of Zhandry [29] for analyzing random oracles. We briefly describe this framework.

A random functionf fromnbits to mbits can be viewed as the outcome of a quantum measurement. More precisely, letHF =N

x∈{0,1}nHFx, whereHFx∼=C

2m_{. Then set f(x)← MF}

x(ηF), where

ηF =|φ0ihφ0|⊗2

n

, |φ0i= 2−

m

2 X

y∈{0,1}m |yi,

andMFxdenotes the measurement of the registerFxin the computational basis. This measurement commutes

with any CNOTA:B gate with control qubitAinFx and target qubitB outsideFx. It follows that, for any

quantum algorithm making queries to a random oracle, the output distribution is identical if the algorithm is instead run with the following oracle:

1. Setup: Prepare the stateηF.

2. Upon a query with query registersX andY, controlled onX being in state |xi, apply (CNOT⊗m)Fx:Y.

3. After the algorithm has finished, measureF to determine the success of the computation.

We denote the oracle unitary defined in step 2 above by UO

XY F. Having defined this oracle representation,

we are free to apply any unitary UH to the oracle state, so long as we then also apply the conjugated query

unitary

UH(CNOT⊗m)Fx:YU † H

in place ofU_{XY F}O . We choose UH=H⊗m2 n

, which means that the oracle register starts in the all-zero state now. Applying Hadamard to both qubits reverses the direction of CNOT, i.e.,

HA⊗HBCNOTA:BHA⊗HB= CNOTB:A,

so the adversary-oracle-state after a first query with query state|xiX|φyiY is

|xiX|φyiY|0mi⊗2 n

7−→ |xiX|φyiY|0mi⊗(lex(x)−1)|yiFx|0mi⊗(2 n_−lex(x))

, (2)

where lex(x) denotes the position ofxin the lexicographic ordering of {0,1}n_{, and we defined the Fourier}

basis state|φyi=H⊗m|yi. In the rest of this section, we freely change the order in which tensor products are written, and keep track of the tensor factors through the use of subscripts. This adjusted representation is called theFourier oracle (FO), and we denote its oracle unitary by

U_{XY F}FO =H⊗m2n

FU

O

XY F

H⊗m2n

An essential fact about the FO is that each query can only change the number of non-zero entries in the FO’s register by at most one. To formalize this idea, we define the “number operator”

NF =

X

x∈{0,1}n

(₁− |0ih0|)Fx⊗1⊗(2 n₋₁₎

.

The number operator can also be written in its spectral decomposition,

NF =

2n

X

l=0

lPl where Pl=

X

r∈Sl |rihr|,

Sl=

n

r∈({0,1}m₎2n

|{x∈ {0,1}

n_|r

x6= 0}|=l

o

.

Note that the initial joint state of a quantum query algorithm and the oracle (in the FO-oracle picture described above) is in the image ofP0. The following fact is essential for working with the Fourier Oracle; to

avoid disrupting the flow of the article, the proof is given inAppendix A.1.

Lemma 2. The number operator satisfies

NF, UXY FF O

∞= 1.In particular, the joint state of a quantum

query algorithm and the oracle after the q-th query is in the kernel ofPl for alll > q.

4

The new notion: Blind-Unforgeability

4.1

Formal definition

For ease of exposition, we begin by introducing our new security notion in a form analogue to the standard notion of existential unforgeability under chosen-message attacks,EUF-CMA. We will also later show how to extend our approach to obtain a corresponding analogue of strong unforgeability. We begin by defining a “blinding” operation. Letf :X →Y andB⊆X. We let

Bf(x) =

(

⊥ ifx∈B, f(x) otherwise.

We say that f has been “blinded” by B. In this context, we will be particularly interested in the setting where elements of X are placed in B independently at random with a particular probability ; we letB

denote this random variable. (It will be easy to inferX from context so we do not reflect it in the notation.) Next, we define a security game in which an adversary is tasked with using a blinded MAC oracle to produce a valid input-output pair in the blinded set.

Definition 4. Let Π = (KeyGen,Mac,Ver) be a MAC with message set X. Let A be an algorithm, and

:N→R≥0 an efficiently computable function. The blind forgery experimentBlindForgeA,Π(n, )proceeds as

follows:

1. Generate key: k←KeyGen(1n).

2. Generate blinding: selectB⊆X by placing eachmintoB independently with probability(n).

3. Produce forgery: (m, t)← ABMack₍₁n_).

4. Outcome: output 1 ifVerk(m, t) =acc andm∈B; otherwise output 0.

Definition 5. A MAC Πis blind-unforgeable (BU) if for every polynomial-time uniform adversary (A, ),

Pr

BlindForge_A,Π(n, (n)) = 1]≤negl(n).

We also define the “q-time” variant of the blinded forgery game, which is identical to Definition 4except that the adversary is only allowed to make q queries toBMack in step (3). We call the resulting game BlindForgeq_A,Π(n, ), and give the corresponding definition ofq-time security (now against computationally unbounded adversaries).

Definition 6. A MAC Πisq-time blind-unforgeable (q-BU) if for everyq-query adversary(A, ), we have

PrBlindForgeq_A,Π(n, (n)) = 1]≤negl(n).

The above definitions are agnostic regarding the computational power of the adversary and the type of oracle provided. For example, selecting PPT adversaries and classical oracles inDefinition 5yields a definition of classical unforgeability; we will later show that this is equivalent to standardEUF-CMA. The main focus of our work will be onBUagainst QPTs with quantum oracle access, andq-BU against unrestricted adversaries with quantum oracle access.

4.2

Some technical details

We now remark on a few details in the usage ofBU. First, strictly speaking, the blinding sets in the security games above cannot be generated efficiently. However, a pseudorandom blinding set will suffice. Pseudorandom blinding sets can be generated straightforwardly using an appropriate pseudorandom function, such as aPRF

against PPTs or aqPRFagainst QPT. A precise description of how to perform this pseudorandom blinding is given in the proof ofCorollary 4. Note that simulating the blinding requires computing and uncomputing the random function, so we must make two quantum queries for each quantum query of the adversary. Moreover, verifying whether the forgery is in the blinding set at the end requires one additional classical query. This means that (4q+ 1)-wise independent functions are both necessary and sufficient for generating blinding sets forq-query adversaries (see [6, Lemma 6.4]). In any case, an adversary which behaves differently in the random-blinding game versus the pseudorandom-blinding game immediately yields a distinguisher against the corresponding pseudorandom function.

The blinding symbol. There is some flexibility in how one defines the blinding symbol⊥. In situations where the particular instantiation of the blinding symbol might matter, we will adopt the convention that the blinded versionBf of f :{0,1}n _{→ {0,1}}` <sub>is defined by settingBf :{0,1}</sub>n <sub>→ {0,1}</sub>`+1_{, whereBf(m) = 0}`_{||1 if}

m∈B and Bf(m) =f(m)||0 otherwise. One advantage of this convention (i.e., that⊥= 0`_{||1) is that we}

can compute on and/or measure the blinded bit (i.e., the (`+ 1)-st bit) without affecting the output register of the function. This will also turn out to be convenient for uncomputation.

Strong blind-unforgeability. The security notionBUgiven inDefinition 5is an analogue of simple unforgeability, i.e.,EUF-CMA, for the case of a quantum-accessible MAC/Signing oracle. It is, however, straightforward to define a corresponding analogue of strong unforgeability, i.e.,SUF-CMA, as well.

The notion of strong blind-unforgeability, sBU, is obtained by a simple adjustment compared to BU: we blind (message, tag) pairs rather than just messages. We briefly describe this for the case of MACs. Let Π = (KeyGen,Mac,Ver) be a MAC with message set M, randomness set R and tag set T, so that

Mack : M ×R → T and Verk : M ×T → {acc,rej} for every k ← KeyGen. Given a parameter and an

adversaryA, the strong blind forgery game proceeds as follows:

1. Generate key: k ← KeyGen; generate blinding: select B ⊆ M ×T by placing pairs (m, t) in B

independently with probability ;

2. Produce forgery: produce (m, t) by executingA(1n) with quantum oracle access to the function

BMack;r(m) :=

(

whereris sampled uniformly for each oracle call.

3. Outcome: output 1 ifVerk(m, t) =acc∧(m, t)∈B; otherwise output 0.

Security is then defined as before: Π issBU-secure if for all adversariesA(and their declared), the success probability at winning the above game is negligible. Note that, for the case of canonical MACs, this definition coincides withDefinition 5, just asEUF-CMAandSUF-CMAcoincide in this case.

5

Intuitive security and the meaning of

BU

In this section, we gather a number of results which build confidence inBU as a satisfactory definition of unforgeability in our setting. We begin by showing that a wide range of “intuitively forgeable” MACs (indeed, all such examples we have examined) are correctly characterized byBUas insecure.

5.1

Intuitively forgeable schemes

As indicated earlier,BU security rules out any MAC schemes where an attacker can query a subset of the message space and forge outside that region. To make this claim precise, we first define thequery support

supp(A) of an oracle algorithmA. LetAbe a quantum query algorithm with oracle access to the quantum oracleO for a classical function fromntombits. Without loss of generality Aproceeds by applying the sequence of unitaries OUqOUq−1...U1 to the initial state |0iXY Z, followed by a POVM E. Here, X and

Y are the input and output registers of the function andZ is the algorithm’s workspace. Let|ψiibe the

intermediate state of ofAafter the application ofUi. Thensupp(A) is defined to be the set of input strings

xsuch that there exists a functionf :{0,1}n_{→ {0,1}}m_{such thathx|}

X|ψii 6= 0 for at least onei∈ {1, ..., q}

whenO=Of.

Theorem 10. LetAbe a QPT such thatsupp(A)∩R=∅for some R6=∅. Let Macbe a MAC, and suppose

AMack₍₁n_{)outputs a valid pair (m,Mack(m))withm∈R with non-negligible probability. ThenMacis not} BU-secure.

To prove Theorem 10, we will need the following theorem, which controls the change in the output state of an algorithm resulting from applying a blinding to its oracle. Given an oracle algorithm Aand two oracles F andG, the trace distance between the output of A with oracle F andA with oracle G is denoted byδ(AF₍₁n_),AG₍₁n_{)). Given two functionsF, P :{0,1}}n _{→ {0,1}}m_{, we define the functionF⊕P}

by (F⊕P)(x) =F(x)⊕P(x).

Theorem 11. LetA be a quantum query algorithm making at mostT queries, andF :{0,1}n _{→ {0,1}}m

a function. Let B ⊆ {0,1}n _{be a subset chosen by independently including each element of {0,1}}n _with

probability, andP :{0,1}n_{→ {0,1}}m_{be any function with supportB. Then}

E B

δ AF₍₁n_),AF⊕P₍₁n₎

≤2T√.

The proof is a relatively straightforward hybrid argument in the spirit of the lower bound for Grover search [4]. We provide the complete proof inAppendix A.2. We are now ready to prove Theorem 10.

Proof of Theorem 10. LetAbe a quantum algorithm withsupp(A) for any oracle. By our hypothesis,

˜

p:= Pr_k,(m,t)←AMac_k(1n₎[Mack(m) =t∧m /∈supp(A)]≥n−c,

for somec > 0 and sufficiently large n. Since supp(A) is a fixed set, we can think of sampling a random

experiment ofArunning onMack blinded by a randomBε: k, Bε,(m, t)← ABεMack(1n), which is equivalent

tok, B0, B1,(m, t)← AB0Mack(1n). The probability thatAwins the BU game is

p:= Pr

blind[f(m) =t∧m∈Bε]≥blindPr[f(m) =t∧m∈B

0_]

≥ Pr

blind[f(m) =t∧m∈B

0_{|m /∈supp(A)]· Pr}

blind[m /∈supp(A)]

= Pr

f,B0

(m,t)←ABf

[f(m) =t∧m /∈supp(A)]· Pr

f,B0

(m,t)←ABf

[m∈B0|m /∈supp(A)]

≥ p˜−2T√εε≥ p˜

3

27T2.

Here the second-to-last step follows fromTheorem 11; in the last step, we choseε= (˜p/3T)2. We conclude thatAbreaks theBUsecurity of the MAC.

5.2

Relationship to other definitions

As we will show inSection 8,POfails to capture certain prediction algorithms. It does, however, capture a natural family of attacks and should hence be implied by a good security notion. In this section we show that our new definition,BU, indeed impliesPO. To this end, we first introduce a natural weaker variant ofBU

that we call measuredBU, ormBU.

Definition 7. The measuredε-blinded oraclefor a function f :{0,1}n _{→ {0,1}}m _{is the oracle that first}

applies theε-blinded oracle for f and then performs the projective measurement|⊥ih⊥| vs. ₁− |⊥ih⊥|. A schemeΠis measured-BU, ormBU, secure, if for allε >0and all QPT adversariesA, the winning probability in theBU game when provided with a measuredε-blinded oracle instead of a ε-blinded oracle, is negligible.

A straightforward reduction argument shows thatBU impliesmBU.

Proposition 1. Let Πbe aBU (k−BU)-secure MAC. ThenΠ ismBU(k−mBU)-secure.

Proof. LetA be anmBU-adversary against Π. We construct a BU-adversary A0 _{against Π as follows. A}0

runsA. For each query thatAmakes to the measuredε-blinded oracle,A0 _{queries theε-blinded oracle and}

performs the “blinded or not” measurement before returning the answer toA. Clearly the probabilities for

A0 _{winning theBU and forAwinning the mBUgame are the same.}

For the following proof we need a generalization of Zhandry’s superposition oracle technique to functions drawn from a non-uniform distribution. This has has been developed in detail in [10]. As for the proof of Theorem 21, we do not need the more complicated (but efficiently implementable) compressed oracle. Hence we introduce only the basic non-uniform superposition oracle. The generalization is straightforward. In [29], a uniformly random function f : {0,1}n _{→ {0,1}}m _{is sampled by preparing 2}n _{m-qubit uniform}

superposition states. The measurement that performs the actual sampling is delayed, which allows for new ways of analyzing the behavior of a query algorithm by inspecting the oracle registers. Here, we would like to use the superposition oracle representation for the indicator function₁B:{0,1}n → {0,1}of the blinding

setB. This is a Boolean function with Pr [1B(x) = 1] =independently for all x∈ {0,1}n.

We will sample₁B by preparing 2

n _{qubits in the state}

|η₀i=√1−|0i+√|1i, (3)

i.e., we prepare the 2n_{-qubit oracle registerF in the state}

|η₀i⊗2n F

= O

x∈{0,1}⊗n

We will refrain from Fourier-transforming any registers, so if the adversaries query registers are X andB

(the input register and the blinding bit register), the oracle unitary is just given by

UStO=

X

x∈{0,1}n

|xihx|X⊗CNOTFx:B. (5)

We can also define the generalization of the projectorsP`. To this end we complete|η0ito an orthonormal

basis by introducing the state

|η1i=

√

|0i −√1−|1i. (6)

Let furtherUbe the unitary such thatU|ii=|ηii. The generaization ofP` is now defined byP`=UP`U†.

As UStO is a sum of terms that each act non-trivially only on one out of the 2n Fx-registers, the analogue

ofLemma 2clearly holds, i.e., if|ψqiis the joint algorithm-oracle state afterq queries to the superposition

oracle for₁B, thenP`|ψqi= 0 for all` > q.

We are now ready to prove thatBU security impliesPOsecurity.

Theorem 12. Let Πbe aBU-secure MAC. ThenΠisPO-secure.

Proof. According toProposition 1, Π is mBUsecure. It therefore suffices to find a reduction from breaking

mBUto breakingPO. LetAbe aqqueryPOadversary against Π, i.e., an algorithm that makesqqueries and outputs q+ 1 pairs (xi, ti) with the goal that ti =Mack(xi) for all i= 1, ..., q+ 1. We construct an mBU-adversaryA0 _{as follows. The adversaryA}0 _{runsA, answering the queries using the measured-blinded}

oracle forMack. If for any of the queries the result is⊥,A0 _{aborts. In this case we formally defineA’s output}

to be⊥. After (and if)Ahas finished by outputtingq+ 1 candidate message-tag pairs (mi, ti),A0 chooses

i∈R{1, ..., q+ 1}and outputs (mi, ti).

According toTheorem 2, the trace distance between the distribution of theq+ 1 candidate message tag pairs thatA outputs only changes byδ= 2q√in total variational distance when run with the measured

-blinded oracle as done as a subroutine ofA0 . It follows that with at least probabilitypA_succ−δ, allq+ 1 outputs ofAar valid message-tag-pairs, wherepA_succ is the probability with whichAwins thePOgame when provided with an unblindedMack-oracle.

For the rest of the proof we instantiate the blinding set using the superposition oracle described above. In this case, the measured-blinded oracle is implemented as follows. On input registersX andY, create a blank qubit registerBand query the blinding function₁B onXB. MeasureB to obtainb(the blinding bit).

Ifb= 1, query theMack-oracle onXY, otherwise add⊥toY. For theq-query algorithm A0_{,qqueries are}

made to the superposition blinding oracle. Afterwards the oracle registerF is measured in the computational basis to determine whether the output is blinded or not.

We continue by developing a lower bound on the probability that the message output byA0 _{is blinded. To}

that end, consider the modified game, where afterA0 _{has finished, but before measuring the oracle register}

F, we compute the smallest indexi∈ {1, ..., q+ 1} such thatFxi is in state|η

(ε)

0 iin superposition into an

additional register. Such an index always exists. This is becauseP<sub>`</sub>|ψi= 0 for all` > q, where |ψiis the joint adversary-oracle state after the execution ofA0_{. Hence|ψiis a superposition of states}

|βi= O

x∈{0,1}n |η_β

xi

for stringsβ ∈ {0,1}2n

of Hamming weight at mostq. Now we measure the register to obtain an outcomei0.

But given outcomei0, the registerFmi0 is in state|η

0i. Now the oracle register is measured to determine the

blinding setB⊂ {0,1}n. The computation together with the measurement implements a (q+ 1)-outcome

projective measurement onF. The probability thatmi0is blinded isεindependently, so the success probability in the modified game is

˜

pAsucc0 ≥

pAsucc−2q

√

Finally, we can applyLemma 1to conclude that adding the measurement has not decreased the success probability by more than a factor 1/(q+ 1), to conclude that the success probability ofA0 _{in the unmodified} mBUgame is lower-bounded by

pAsucc0 ≥

pAsucc−2q

√

(q+ 1)2 . (8)

Choosing= pA_succ/3q2 we obtain

pA_succ0 ≥ p A

succ

3

27q2_{(q+ 1)}2. (9)

In particular we have thatpA_succ0 is non-negligible ifpsucc was non-negligible.

In the purely classical setting, our notion is equivalent to EUF-CMA. In the strong unforgeability case, this meansBUwith blinding on message-tag pairs, as described inSection 4.2.

Proposition 2. A MAC is EUF-CMA if and only if it is blind-unforgeable against classical adversaries.

Proof. SetFk =Mack. Consider an adversaryA which violates EUF-CMA. Such an adversary, given 1n

and oracle access toFk (fork∈R{0,1}n), produces a forgery (m, t) with non-negligible probabilitys(n); in

particular,|m| ≥n andm is not among the messages queried byA. This same adversary (when coupled with an appropriate ) breaks the system under the blind-forgery definition. Specifically, let p(n) be the running time of A, in which case A clearly makes no more thanp(n) queries, and define(n) = 1/p(n). Consider now a particulark∈ {0,1}n _{and a particular sequencerof random coins forA}Fk₍₁n_{). If this run}

ofAresults in a forgery (m, t), observe that with probability at least (1−)p(n)_≈e−1 _{in the choice ofB}

,

we have Fk(q) =BFk(q) for every queryq made byA. On the other hand,B(m) =⊥with (independent)

probability. It follows φ(n, n) is at leasts(n)/e= Ω(s(n)/p(n)).

On the the other hand, suppose that (A, ) is an adversary that breaks blind-unforgeability. Consider now the EUF-CMA adversaryA0Fk₍₁n_{) which simulates the adversaryA}(·)₍₁n_{) by answering oracle queries}

according to a locally-simulated version ofBFk; specifically, the adversaryA0 proceeds by drawing a subset

B(n)⊆ {0,1}∗ as described above and answering queries made byAaccording toBF. Two remarks are in

order:

• Whenx∈B, this query is answered without an oracle call toF(x).

• A0 can construct the set B “on the fly,” by determining, when a particular queryq is made by A,

whetherq∈Band “remembering” this information in case the query is asked again (“lazy sampling”).

With probabilityφ(n, (n))Aproduces a forgery on a point which was not queried byA0_{, as desired. It follows}

thatAproduces a (conventional) forgery with non-negligible probability when givenFk fork∈R{0,1}n.

5.3

BU

implies

GYZ

In this section, we sketch how our new security notion,BU, implies the one-time security notion put forward by Garg, Yuen and Zhandry [13]. We do this for unitary adversaries without loss of generality. We expect that the ideas carry over to the fully general case. For the special case we consider here,GYZunforgeability can be defined as follows.

Definition 8 (GYZunforgeability). LetΠ = (KeyGen,Mac,Ver)be a MAC. Π is calledε-GYZ-unforgeable, if for attack unitary VM T B, there exists a simulator sub-unitaryWM T B4 such that hi|CW|jiC= 0 fori6=j

and for all initial states|ψiM B

Er,k

(ΠVer,k)_{M T}(V −W)M T B(UMac,r,k)_{M T}|ψiM B|0iT

2

≤ε, (10)

whereUMac,r,k|miM|yiT =|miM|y⊕Macr;k(m)iT and

ΠVer,k=

X

(m,t) valid

|mihm| ⊗ |tiht| (11)

is the projector onto the subspace of valid message-tag-pairs.

We are now ready to state the desired theorem. Here,δ-1-BU denotes the one-time version ofBUthat allows for maximal adversarial advantageδ, and similarly forδ0-GYZ. The theorem is easiest proven using the measured version ofBU,mBU.

Theorem 13. Let Π = (KeyGen,Mac,Ver) be unconditionally5 δ-1-mBU-secure. Then it is 16δ-GYZ -unforgeable.

mBU impliesBU, so we immediately obtain the following

Corollary 3. LetΠ = (KeyGen,Mac,Ver)be δ-1-BU-secure. Then it is 16δ-GYZ-unforgeable.

For the proof ofTheorem 13, we need the following lemma stating that an algorithm’s success probability does not degrade too much if some operation that never leaves a computational basis state unchanged is sandwiched between a blinding projector and its complement.

Lemma 3. LetΠ(_Aε)be the projector onto the subspace spanned by the computational basis states corresponding to strings in the blinding setBε sampled as for the definition ofBU. Let further MAB be a matrix such that hx|AM|xiA= 0for all x. Then for all ρ≥0

EBε

h

Π(_Aε)MABΠ¯

(ε)

A ρABΠ¯

(ε)

A M † ABΠ

(ε)

A

i

≥ε2(1−ε)2MABρABM_AB† , (12)

whereΠ¯(_Aε)=₁−Π(_Aε).

Proof. Let

MAB=

X

x6=y

|xihy|_A⊗M_B(xy) (13)

and

ρAB=

X

xy

|xihy|_A⊗ρ(_Bxy). (14)

We calculate

EBε

h

Π(_Aε)MABΠ¯

(ε)

A ρΠ¯

(ε)

A M † ABΠ

(ε)

A

i

(15)

= X

x6=y,z6=t

Pr [y, z∈Bε, x, t /∈Bε]|xiht|A⊗

M_B(xy)ρ_B(yz)M_B(tz)†

(16)

=ε2(1−ε)2MABρABMAB† +ε(1−ε)

3_M

ABM(ρAB)MAB† (17)

+ε3(1−ε)M(MABρABMAB† ) (18)

+ε2(1−ε)2X

x

|xihx|AMAB|xihx|AρAB|xihx|AMAB† |xihx|A. (19)

In the last three lines,

M(X) =X

x

|xihx|X|xihx| (20)

is the computational basis pinching channel, we used the condition hi|AM|iiB = 0 so we can add these

terms for free, and the second, third and fourth term arise because of the increase of the probability Pr [y, z∈Bε, x, t /∈Bε] if y = z, x = t, or both. But the second, third and fourth term are positive

semidefinite, so the claimed operator inequality follows.

Proof of Theorem 13. Let

VM T B =

X

xy

|xihy|_M⊗V_{T B}(xy) (21)

be an attack unitary that breaksδ0-GYZ, and define the simulator sub-unitary

WM T B =

X

x

|xihx|_M ⊗V_{T B}(xx) (22)

to be the diagonal part ofV. By assumption there exists a state|ψiM Bsuch that

Ek

(ΠVer,k)M T(V −W)M T B(UMac,r,k)M T|ψiM B|0iT

2

> δ0. (23)

Now we use the initial state |ψiM B|0iT and the unitary V as attacker A for 1-mBU: A queries the mBU-type oracle for Mack on |ψiM B|0iT, applies V, measures M T and outputs the result. The success

probabilitypsucc of this adversary can be lower bounded by the probability that the first measurement turns

up “not blinded” and the adversary is successful. So for a fixed key k and randomness r, and defining

ρ=|φihφ|with|φi= (UMac,r,k)_{M T}|ψiM B|0iT we get

psucc(k, r)≥EBε

(ΠVer,k)M TΠ

(ε)

MVM T BΠ¯

(ε)

M (UMac,r,k)_{M T}|ψiM B|0iT

2

(24)

=EBε

(ΠVer,k)M TΠ

(ε)

M(V −W)M T BΠ¯

(ε)

M (UMac,r,k)_{M T}|ψiM B|0iT

2

(25)

=_EBεTr

h

(ΠVer,k)_{M T}Π

(ε)

M(V −W)M T BΠ¯

(ε)

MρΠ¯

(ε)

M(V −W) † M T BΠ

(ε)

M

i

(26)

≥ε2(1−ε)2Trh(ΠVer,k)M T(V −W)M T Bρ(V −W)†M T B

i

(27)

=ε2(1−ε)2(ΠVer,k)_{M T}(V −W)M T B(UMac,r,k)_{M T}|ψiM B|0iT

2

. (28)

Here we have used the fact that Π(_Mε)WM T BΠ¯

(ε)

M = 0 for all blinding sets in the second line, and Lemma3

in the second-to-last line. Taking the expectation overkandr and using Equation (23), we arrive at

psucc≥ε2(1−ε)2δ0. (29)

Choosing= 1/2 we obtain

psucc≥

1 16δ

0_{. (30)}

6

Blind-unforgeable schemes

6.1

Random schemes

We now show that suitable random and pseudorandom function families satisfy our notion of unforgeability.

Theorem 14. LetR:X →Y be a uniformly random function such that1/|Y| is negligible inn. Then Ris a blind-forgery secure MAC.

Proof. For simplicity, we assume that the function is length-preserving; the proof generalizes easily. LetAbe an efficient quantum adversary. The oracleBR supplied toAduring the blind-forgery game is determined

entirely byB and the restriction ofR to the complement ofB. On the other hand, the forgery event

ABFk₍₁n_{) = (m, t)∧ |m| ≥n∧F}

depends additionally on values ofRat points inB. To reflect this decomposition, givenRandB define

R:B→Y to be the restriction ofRto the setBand note that—conditioned onBRandB—the random

variableRis drawn uniformly from the space of all (length-preserving) functions fromB intoY. Note, also,

that for everynthe purported forgery (m, t)← ABR₍₁n_{) is a (classical) random variable depending only on}

BR. In particular, conditioned onB, (m, t) is independent ofR. It follows that, conditioned onm∈B,

thatt=R(m) with probability no more than 1/2n and henceφ(n, )≤2−n, as desired.

Next, we show that aqPRFis a blind-unforgeable MAC.

Corollary 4. Let m and t be poly(n) (n), and F : {0,1}n _{× {0,1}}m _{→ {0,1}}t _{a qPRF. Then F is a}

blind-forgery-secure fixed-length MAC (with lengthm(n)).

Proof. For a contradiction, letAbe a QPT which wins the blind forgery game for a certain blinding factor

ε(n), with running timeq(n) success probabilityδ(n). We will useAto build a quantum oracle distinguisher

Dbetween theqPRF F and the perfectly random function familyFt

mwith the same domain and range.

First, letk=q(n) and let Hbe a family of (4k+ 1)-wise independent functions with domain{0,1}m_and

range{0,1, . . . ,1/ε(n)}. The distinguisherDfirst samplesh∈RH. SetBh:=h−1(0). Given its oracleOf, Dcan implement the functionBhf (quantumly) as follows:

|xi|yi 7→|xi|yi|Hxi|δh(x),0i 7→ |xi|yi|Hxi|δh(x),0i|f(x)i

7→|xi|y⊕f(x)·(1−δh(x),0)i|Hxi|δh(x),0i|f(x)i

7→|xi|y⊕f(x)·(1−δh(x),0)i.

Here we used the CCNOT (Toffoli) gate from step 2 to 3 (with one control bit reversed), and uncomputed bothhandf in the last step. After samplingh, the distinguisherDwill executeAwith the oracleBhf. If Asuccessfully forges a tag for a message inBh,A0 outputs “pseudorandom”; otherwise “random.”

Note that the function Bhf is perfectly-blinded ifhis a perfectly random function. Note also that the

entire security experiment withA(including the final check to determine if the output forgery is blind) makes at most 2k quantum queries and 1 classical query toh, and is thus (byTheorem 9) identically distributed to the perfect-blinding case.

Finally, by Theorem 14, the probability thatDoutputs “pseudorandom” whenf ∈RFt

m is negligible. By

our initial assumption aboutA, the probability thatDoutputs “pseudorandom” becomesδ(n) whenf ∈RF. It follows thatDdistinguishesF from perfectly random.

Next, we give a information-theoretically secureq-time MACs (Definition 6).

Theorem 15. Let H be a (4q+ 1)-wise independent function family with range Y, such that 1/|Y| is a negligible function. ThenHis aq-time BU-secure MAC.

Proof. Let (A, ) be an adversary for theq-time gameBlindForge_A,hq (n, (n)), wherehis drawn fromH. We will use Ato construct a distinguisher D betweenH and a random oracle. Given access to an oracle O,

Dfirst runs Awith the blinded oracleBO, where the blinding operation is performed as in the proof of

Corollary 4(i.e., via a (4q+ 1)-wise independent function with domain size 1/(n)). WhenAis completed, it outputs (m, σ). Next,DqueriesOon the messagemand outputs 1 if and only ifO(m) =σandm∈B. Let

γO be the probability of the output being 1.

We consider two cases: (i.) Ois drawn as a random oracleR, and (ii.) Ois drawn from the familyH. By

Theorem 9, sinceDmakes only 2qquantum queries and one classical query toO, its output is identical in the two cases. Observe thatγR (respectively,γH) is exactly the success probability ofAin the blind-forgery

game with random oracleR (respectively,H). We know fromTheorem 14thatγR is negligible; it follows

thatγH is as well.

6.2

Lamport one-time signatures

The Lamport signature scheme [18] is a EUF-1-CMA-secure signature scheme, specified as follows.

Construction 2(Lamport signature scheme, [18]). For the Lamport signature scheme using a hash function familyh:{0,1}n_{× {0,1}}n_{→ {0,1}}n_{, the algorithmsKeyGen,SignandVer are specified as follows. KeyGen,}

on input1n, outputs a pair(pk,sk)with

sk= (sj_i)i∈{1,...,n},j=0,1, withs

j

i ∈R{0,1}

n_{, and (31)}

pk=

k,pj_i

i∈{1,...,n},j=0,1

, with k∈ {0,1}n _andpj i =hk

sj_i. (32)

The signing algorithm is defined bySignsk(x) = (s

xi

i )i∈{1,...,n} wherexi,i= 1, ..., n are the bits of x. The

verification procedure checks the signature’s consistency with the public key, i.e.,Verpk(x, s) = 0ifpixi =hk(si)

andVerpk(x, s) = 0 otherwise.

We now show that the Lamport scheme is 1-BUsecure in the quantum random oracle model.

Theorem 16. Construction 2is 1-BUsecure if his modeled as a quantum-accessible random oracle.

Proof. We implement the random oracle has a superposition oracle with registerF. In the 1-BlindForge

experiment we execute the sampling part of the key generation by preparing a superposition as well. More precisely, we can just prepare 2n n-qubit registers S_ij in a uniform superposition, with the intention of measuring them to samplesj_i in mind. We are talking about a classical one-time signature scheme, and all computation that uses the secret key is done by an honest party, and is therefore classical. It follows that the measurement that samplessj_i commutes with all other operations which are implemented as quantum-controlled operations quantum-controlled on the secret key registers, i.e., we can postpone it to the very end of the 1-BlindForgeexperiment, just like the measurement that samples an actual random oracle using a superposition oracle. The joint state|ψ0iwith oracle register F and secret key registerSK = (S

j

i)i∈{1,...,n},j=0,1 is now in a

uniform superposition, i.e.,

|ψ0iSKF =|φ0iSK⊗2n⊗ |φ0i⊗2

n

F . (33)

To subsequently generate the public key, the superposition oracle forhis queried on each of theS_ij with an empty outrput registerP_ij, producing the state|ψ1iSKPKF equal to

2−2n2 X

sj_i∈{0,1}n pj_i∈{0,1}n i∈{1,...,n},j=0,1

   

O

i∈{1,...,n} j=0,1

|sj_ii_Sj i

   

⊗

   

O

i∈{1,...,n} j=0,1

|pj_ii_Pj i

   

⊗ |fsk,pkiF,

where|fsk,pkiF is the superposition oracle state whereFsj_i is in state|p j

iiand all other registers are still in

state|φ0i. Then the registersP

j

i are measured to produce an actual, classical, public key that can be handed

to the adversary. Note that there is no hash function key k now, as it has been replaced by the random oracle. Treating the public key as classical information from now on and removing the registersPK, the state takes the form

|ψ2(pk)iSKF =2−n

2 X

sj_i∈{0,1}n i∈{1,...,n},j=0,1

   

O

i∈{1,...,n} j=0,1

|sj_ii_Sj i

   

⊗ |fsk,pkiF. (34)

Now the interactive phase of the 1-BlindForgeexperiment can begin, and we provide both the random oracle

|ψ2(pk)iabove. The random oracle answers queries as described inSection 3.3. The signing oracle, when

queried with registersXZwith Z=Z1...Zn, applies CNOT⊗n_Sxi

i :Zi, i= 1, ..., ncontrolled onX being in the

statex /∈Bε.

Now supposeA, after making at most one query toSignand an arbitrary polynomial number of queries to

h, outputs a candidate message signature pair (x0_{, z}0_{) withz}0_=z0

1k · · · kzn0. If x0∈/Bε,Ahas lost. Suppose

therefore thatx0∈Bε. We will now make a measurement on the oracle register to find an indexisuch that

Sx

0

i

i has not been queried. To this end we first need to decorrelateSK andF. This is easily done, as the

success test only needs computational basis measurement results from the registerSK, allowing us to perform any controlled operation on F controlled onSK. Therefore we can apply the operationL_pj

i followed by

H⊗n to the registerF_sj i

controlled onSj_i being in state|sj_ii, for alli= 1, ..., nandj= 0,1. For an adversary that does not make any queries toh, this has the effect that allF-registers are in state|φ0iagain now.

We can equivalently perform this restoring procedure before the adversary starts interaction, and answer the adversary’sh-queries as follows. Controlled on the adversary’s input being equal to one of the partssj_i of the secret key, answer with the corresponding public key, otherwise use the superposition oracle forh.

For any fixed secret key registerS_ij, the unitary that is applied upon an h-query can hence be written as

U_h0 =U⊥+

X

x∈{0,1}n

(Ux−U⊥)|xihx|X|xihx|Sj_i (35)

=U⊥+

X

x∈{0,1}n

|xihx|X|xihx|_Sj i

(Ux−U⊥), (36)

where U⊥ acts trivially onSij and the second equality follows because the unitariesU⊥ andUxare controlled

unitaries withX andS_ij part of the control register. Using the above equation we derive a bound on the operator norm of the commutator of this unitary and the projector onto|φ0i,

h

Uh0,|φ0ihφ0|_Sj i

i

∞=2 −n/2

X

x∈{0,1}n

(Ux−U⊥)|xihx|X|xihφ0|_Sj

i − |xihx|X|φ0ihx|S j

i (Ux−U⊥)

_∞

=2−n/2 max

x∈{0,1}n

(Ux−U⊥)|xihx|X|xihφ0|_Sj

i − |xihx|X|φ0ihx|S j

i (Ux−U⊥)

∞

≤4·2−n/2,

where the second equality follows again because U⊥ andUxare controlled unitaries withX andSij part of

the control register.

It follows that a query tohdoes not decrease the number of registersS_ij that are in state |φ0i, except

with negligible amplitude.

As we assume thatx0is blinded, we have that for any message x /∈Bε, there exists ani∈ {1, ..., n} such

thatxi 6=x0i. ButAinteracts with a blinded signing oracle, i.e., controlled on his input being not blinded, it

is forwarded to the signing oracle, otherwise⊥is XORed into his output register. Therefore only non-blinded queries have been forwarded to the actual signing oracle, so the final state is a superposition of states in which the register SK has at least nsubregisters S_ij are in state|φ0i, and at least one of them is such that

x0

i =j. We can therefore apply ann-outcome measurement to the oracle register to obtain an indexi0 such

thatSx

0

i0

i0 is in state|φ0i. ByLemma 1, this implies thatA’s forgery is independent ofsi0, soA’s probability of succeeding inBlindForgeis negligible.

A simple proof of thePO-security of a random function can be given using a similar idea, seeTheorem 22

in the appendix.

6.3

Hash-and-MAC

Hash-and-MAC. However, when it comes toBU-security, collision-resistance may not be sufficient. We therefore propose a new notion, Bernoulli-preserving hash, generalizing collision-resistance in the quantum setting, and show that it is sufficient for Hash-and-MAC withBU security. Recall that, given a subsetB of a setX,

χB :X → {0,1}denotes the characteristic function of B.

Definition 9 (Bernoulli-preserving hash). Let H : X → Y be an efficiently computable function family. Define the following distributions on subsets ofX:

1. B : generate B⊆X by placing x∈B independently with probability. OutputB.

2. BH

: generate C⊆Y by placingy∈C independently with probability . Sampleh∈ H and define

Bh

:={x∈X:h(x)∈C}. OutputBh.

We say thatHis a Bernoulli-preserving hash if for all adversaries(A, ),

_B←BPr [A

χB₍₁n_{) = 1]− Pr} B←BH

[AχB₍₁n_{) = 1]}

≤negl(n).

The motivation for the name Bernoulli-preserving hash is simply that selecting B can be viewed as a Bernoulli process taking place on the setX, whileBh

can be viewed as the pullback (alongh) of a Bernoulli

process taking place onY.

We show that the standard, so-called “Hash-and-MAC” construction will work w.r.t. toBUsecurity, if we instantiate the hash funtion with a Bernoulli-preserving hash. Recall that, given a MAC Π = (Mack,Verk) with message set X and a function h: Z → X, there is a MAC Πh := (Mach_k,Verh_k) with message set Z

defined byMachk =Mack◦handVer h

k(m, t) =Verk(h(m), t).

Theorem 17 (Hash-and-MAC with Bernoulli-preserving hash). Let Π = (Mack,Verk)be aBU-secure MAC withMack :X →Y, and leth:Z→X a Bernoulli-preserving hash. ThenΠh is aBU-secure MAC.

Proof. LetAbe an adversary against Πh_{. We build an adversaryA}

0against Π which (given oraclef :X →Y)

runsAand answers its queries withf◦h, i.e.,|mi|ti 7→ |mi|t⊕f(h(m))i. This can be implemented by first computinghinto an extra register, then invoking the oracle, and then uncomputingh. WhenAproduces its final output (m, t),A0 outputs (h(m), t) and terminates. We claim that

Pr[BlindForge_A,Πh(n, ) = 1]−Pr[BlindForge_A0,Π(n, ) = 1]

≤negl(n).

Since the right-hand-side of the difference above is negligible byBU-security of Π, establishing the claim will finish the proof.

We prove the claim by showing that the difference can be viewed as the success probability of a distinguisher

Dagainst the Bernoulli-preserving property ofh. The distinguisherDreceives an oracle forχB(whereB⊆Z

is sampled according to eitherB orBh

) and proceeds as follows:

1. generate a key kfor Π;

2. runA, answering its oracle queries with

|mi|ti 7→ |mi|ti|χB(m)i|Mack(h(m))i 7→ |mi|t⊕χB(m)·Mack(h(m))i|χB(m)i

where we invoked the oracle in the first step and CCNOT in the second;

3. when A outputs (m, t), compute b = Verh_k(m, t) = Verk(h(m), t). Query the oracle to compute

b0=χB(m), and outputb∧b0.

thenD is simulating the game BlindForge_A0,Π(n, ). Fact (i.) follows directly from the definition6 of the

BlindForgegame. To see fact (ii.), observe that theBlindForgegame againstA0 samples a uniform blinding

setC⊆X and executes algorithmAwith oracle

m7−→χC(h(m))·Mack(h(m)) =χBh

(m)·Mack(h(m)),

precisely as in the execution ofAbyD.

In the next section, we provide a number of additional results about Bernoulli-preserving hash functions.

7

Properties of Bernoulli-preserving hash functions

We explore the notion of Bernoulli-preserving hash functions. These results can be summarized as follows.

• IfH is a random oracle or aqPRF, then it is a Bernoulli-preserving hash.

• IfH is 4q-wise independent, then it is a Bernoulli-preserving hash againstq-query adversaries.

• Under theLWE assumption, there is a (public-key) family of Bernoulli-preserving hash functions.

• If we only allow classical oracle access, then the Bernoulli-preserving property is equivalent to standard collision-resistance.

• Bernoulli-preserving hash functions arecollapsing(another quantum generalization of collision-resistance proposed in [26]).

First, we show that random and pseudorandom functions are Bernoulli-preserving, and that this property is equivalent to collision-resistance against classical queries.

Lemma 4. Let H:X→Y be a function such that1/|Y|is negligible. Then:

1. IfH is a random oracle or aqPRF, then it is a Bernoulli-preserving hash.

2. IfH is4q-wise independent, then it is a Bernoulli-preserving hash againstq-query adversaries.

Proof. The claim for random oracles is obvious: by statistical collision-resistance, uniform blinding is statistically indistinguishable from hash-blinding. The remaining claims follow from the observation that one can simulate one quantum query toχBh

using two quantum queries toh(see, e.g., the proof ofCorollary 4). Theorem 18. A functionh:{0,1}∗_{→ {0,1}}n _{is Bernoulli-preserving against classical-query adversaries if}

and only if it is collision-resistant.

Proof. First, the Bernoulli-preserving hash property implies collision-resistance: testing whether two colliding inputs are either (i.) both not blinded or both blinded, or (ii.) exactly one of them is blinded, yields always outcome (i.) when dealing with a hash-blinded oracle and a uniformly random outcome for a blinded oracle andε= 1/2. On the other hand, consider an adversaryAthat has inverse polynomial distinguishing advantage between blinding and hash-blinding, and letx1, ..., xq be it’s queries. Assume for contradiction that

with overwhelming probability h(xi)6=h(xj) for allxi6=xj. Then with that same overwhelming probability

the blinded and hash blinded oracles are both blinded independently with probabilityεon eachxi and are

hence statistically indistinguishable, a contradiction. It follows that with non-negligible probability there exist two queriesxi 6=xj such thath(xi) =h(xj), i.e.,Ahas found a collision.

6_{Note that we have again used the convention that the blinding symbol⊥is the string 0. . .01; in our case, the final bit}

corresponds to the register containingχB(m). If one chooses a different convention, it may be necessary to adjustDto uncompute

7.1

A Bernoulli-preserving hash from LWE

We have observed that any qPRFis a Bernoulli-preserving hash function, which can be constructed from various quantum-safe computational assumpiton (e.g., LWE). Nonetheless,qPRFtypically does not give short digest, which would result in long tags, and it requires a secret key.7

Here we point out an alternative construction of a public Bernoulli-preserving hash function based on the quantum security of LWE. In fact, we show that the collapsing hash function in [25] is also Bernoulli-preserving hash. This constructions relies on a lossy function family F : X → Y and a universal hash functionG={gk : Y →Z}k∈K. A lossy function family admits two types of keys: a lossy keys ← Dlos

and an injective keys← Dinj, which are computationally indistinguishable. Fs:X →Y under a lossy key

sis compressing, i.e.,|im(Fs)| |Y|; whereas under an injective keys, Fs is injective. We refer a formal

definition to [25, Definition 2], and an explicit construction based on LWE to [19]. There exist efficient constructions for universal hash families by various means [27]. Then one constructs a hash funciton family

H ={hs,k} byhs,k:=gk◦Fswith public parameters generated bys← Dlos, k← K.

The proof of Bernoulli-preserving for this hash function is similar to Unruh’s proof thatH is collapsing. We begin with a lemma.

Lemma 5. Any injective function f is Bernoulli-preserving hash. Given any Bernoulli-preserving hash

f : X →Y and g : Y →Z that is Bernoulli-preserving hash on im(f), then h=g◦f is also Bernoulli-preserving hash.

Proof. The first part follows by observing that aε-random subset in the codomain corresponds exactly to a

ε-random subset in the domain under inverse of the function. LetO ≈ O0 _{denote that two oraclesOand} Oare indistinguishable by any quantum poly-time algorithm. For the second part, we need to show that

χC:C←εX ≈χC:C=h−1(CZ),CZ←εZ, where ←ε indicates sampling a random subset of fraction ε. Sincef is

Bernoulli-preserving hash, we have that

χC:C←εX ≈χC:C=f−1(CY),CY←εY ≡χC:C=f−1(C0Y),CY0←εim(f).

The second equivalence holds by observing that for anyCY ⊆Y,f−1(CY) =f−1(CY∩im(f)). Then because

g is Bernoulli-preserving on im(f),

χC0 Y:C

0

Y←εim(f)≈χC 0 Y:C

0

Y=g−1(CZ),CZ←εZ.

Therefore, we conclude that

χC:C←εX≈χC:C=f−1_(g−1_(C

Z)),Cz←εZ =χC:C=h−1(CZ),Cz←εZ.

Theorem 19. H is Bernoulli-preserving hash if LWE holds against any efficient quantum distinguisher.

Proof. We proceed in three steps (with help ofLemma 5above):

1) Since Fs is injective under an injective key, it is clearly Bernoulli-preserving hash. As a result,

Fs, s← Dlos must be Bernoulli-preserving hash too, because a lossy key is indistinguishable from an

injective key by definition.

2) Thengk is chosen properly so that it is injective when restricted to im(Fs) of lossy keys. Therefore gk

is Bernoulli-preserving hash too.

3) Finally,Hk,sis Bernoulli-preserving hash by the composition of Bernoulli-preserving hash functions gk

andFs.

7_{In practice, it is probably more convenient (and more reliable) to instantiate aqPRFfrom block ciphers, which may not be}