1 Introduction
1.1 Background.
Largescale quantum computers will break all widelydeployed publickey cryptography, and may even threaten certain postquantum candidates [19, 7, 8, 9, 4]. Basic symmetrickey constructions like Feistel ciphers and CBCMACs also become vulnerable in a quantum attack model [14, 15, 13, 18], where the adversary is presumed to have quantum query access to some part of the cryptosystem. For example, the adversary may gain access to the unitary operator where is the encryption or decryption function with the key . While it is unclear if this model is directly relevant to physical implementations of symmetrickey cryptography, it appears necessary in a number of generic settings, such as publickey encryption and hashing with public hash functions. It could also be relevant when privatekey primitives are composed in larger protocols, e.g., by exposing circuits via obfuscation [17]. Setting down appropriate security definitions in this quantum attack model is the subject of several threads of recent research [6, 10].
In this article, we study authentication of classical information in this quantumsecure model. Here, the adversary is granted quantum query access to the signing algorithm of a message authentication code (MAC) or a digital signature scheme, and is tasked with producing valid forgeries. In the purely classical setting, we insist that the forgeries are fresh, i.e., distinct from previous queries to the oracle, so that the security definition does not become vacuous. When the function may be queried in superposition, however, it’s unclear how to meaningfully reflect this constraint that a forgery was “unqueried” without ruling out natural, intuitive attacks. For example, consider a uniform superposition query. Simply measuring the output state to get a forgery—a feasible attack against any function—should not be considered a break. On the other hand, an adversary who uses the same query to discover some structural property (e.g., a superpolynomialsize period in the MAC) should be considered successful. Examples like these indicate the difficulty of the problem. How do we correctly “price” the queries? How do we decide if a forgery is fresh? Furthermore, how do we do this in a manner that is consistent with these examples, and many others? This problem has a natural interpretation that goes well beyond cryptography: What does it mean for a classical function to appear unpredictable to a quantum oracle algorithm?^{1}^{1}1The related notion of “appearing random” has a satisfying definition, which can be fulfilled efficiently [24].
Previous approaches.
The first approach to this problem was suggested by Boneh and Zhandry [5]. They define a MAC to be unforgeable, if no adversary can use queries to the MAC to produce
valid inputoutput pairs except with negligible probability. We will refer to this notion as “
security” (and  for the case where the adversary is permitted a maximum of queries). Boneh and Zhandry prove a number of results about this notion, including that it can be realized by a quantumsecure pseudorandom function ().In an approach by Garg, Yuen and Zhandry [11], a MAC is considered onetime secure if only a trivial “query, measure in computational basis, output result” attack is allowed; we call this notion . Unfortunately, it is not clear how to extend beyond the singlequery case. Zhandry recently gave a separation example between and by means of indistinguishability obfuscation [25].
It is interesting to note that similar problems are present in defining unforgeability for authentication of quantum data. A convincing solution was recently found [2]. This approach relies on the fact that, for quantum messages, authentication implies secrecy; this enables “tricking” the adversary by replacing their queries with “trap” plaintexts to detect replays. As a result, the approach of [2] is inapplicable to the setting of classical messages, where unforgeability and secrecy are orthogonal. Indeed, in situations where unforgeability is required but secrecy is not, adversaries would easily recognize spoofed oracles.
Unresolved issues.
security, the only candidate definition of quantumsecure unforgeability in the setting of more than one query, appears to be insufficient for several reasons. First, as observed in [11], it is apriori unclear if security rules out adversaries who forge a message in region after querying the signing oracle on a disjoint message region . Second, may not capture the unique features of quantum information, such as the destructiveness of measurement. Quantum algorithms must sometimes “consume” (i.e., fully measure) a state to extract some useful information, such as a symmetry in the oracle. It’s plausible that, for some MACs, there is an adversary who makes one or more quantum queries but then must consume the postquery states completely in order to make a single convincing forgery.
Despite these philosophical criticisms, prior to this work no secure schemes have been shown to be manifestly insecure. It is thus essential to gain a concrete understanding of these potential issues, and thereby place the security of MACs and other primitives against quantum attacks on firmer foundations.
1.2 Summary of results
1.2.1 The problem with .
Our first result is a construction of a MAC which is forgeable (in a strong intuitive sense) and yet is classified by
as secure.Construction 1.
Given a triple where and , define by
Consider an adversary that queries only on messages starting with , as follows:
(1) 
Since
, discarding the first qubit and
yields . One can then recover via periodfinding and output . We emphasize that the forgery was queried with zero amplitude. One can interpret this attack as, e.g., querying only on messages starting with “From: Alice” and then forging a message starting with “From: Bob”. Despite this, we can show that is secure.Theorem 1.
The family (for uniformly random ) is secure.
The security of relies on a dilemma the adversary faces at each query: either learn an output of , or obtain a superposition of pairs for Fourier sampling. Our proof shows that, once the adversary commits to one of these two choices, the other option is irrevocably lost. Our result can thus be understood as a refinement of an observation of Aaronson: quantumly learning a property sometimes requires uncomputing some information [1]. Note that, while Aaronson could rely on standard (asymptotic) query complexity techniques, our problem is quite fragile: security describes a task which should be hard with queries, but is completely trivial given queries. Our proof is inspired by a new quantum random oracle technique of Zhandry [26].
1.2.2 A new definition: Blindunforgeability.
We then develop a new definition of unpredictability. Given the context of quantumsecure MACs and digital signatures, we call our notion “blindunforgeability” (or ). In this approach, we examine the behavior of adversaries in the following experiment. The adversary is granted quantum oracle access to the MAC, “blinded” at a random region . Specifically, we set to be a random fraction of the message space, and declare that the oracle function will output on all of .
Given a MAC , an adversary , and adversaryselected parameter , the “blind forgery experiment” is:

Generate key and random blinding ;

Produce candidate forgery .

Output if and ; otherwise output .
Definition 1.
A MAC is blindunforgeable () if for every adversary , the probability of winning the blind forgery experiment is negligible.
In this work, will typically refer to the case where is an efficient quantum algorithm (QPT) and the oracle is quantum, i.e., . We will also consider , the informationtheoretic variant where the total number of queries is apriori fixed to . We remark that the above definition is also easy to adapt to other settings, e.g., classical security against PPT adversaries, quantum or classical security for digital signatures, etc.
1.2.3 Results about blindunforgeability.
Next, we collect a series of results which build up confidence in as a viable definition of unforgeability. These results allow us to conclude that classifies a wide range of examples (in fact, all examples we have examined) as either forgeable or unforgeable in a way that agrees with our intuition about the meaning of unpredictability. First, we show that correctly classifies unforgeability in the classicalquery setting.
Proposition 1.
In the setting of classical queries, .
Next, we give a general simulation theorem which tightly controls the deviation in the adversary’s behavior when subjected to the experiment.
Theorem 2.
Let be a quantum query algorithm making at most queries. Let be a function, a random blinding subset of , and any function with support . Then
The above fact can be viewed as evidence that adversaries that produce “good forgeries” (in any reasonably intuitive sense) will not be disturbed too much by blinding, and will thus in fact also win the experiment. We can formulate and prove this intuition explicitly for a wide class of adversaries, as follows. Given an oracle algorithm , we let denote the union of the supports of all the queries of , taken over all choices of oracle function.
Theorem 3 (informal).
Let be QPT and for some . Let be a MAC, and suppose outputs a valid pair with with noticeable probability. Then is not secure.
A straightforward application of Theorem 3 shows that Construction 1 is insecure. In particular, we have the following.
Corollary 1.
There exists a secure MAC which is insecure.
1.2.4 Blindunforgeable MACs.
Next, we show that several natural constructions satisfy . We first show that a random function is blindunforgeable.
Theorem 4.
Let be a random function such that is negligible. Then is a blindunforgeable MAC.
By means of results of Zhandry [24] and Boneh and Zhandry [5], this leads to efficient secure constructions.
Corollary 2.
Quantumsecure pseudorandom functions () are secure MACs, and (4q+1)wise independent functions are secure MACs.
We can then invoke a recent result about the quantumsecurity of domainextension schemes such as NMAC and HMAC [20], and obtain variablelength secure MACs from any .
HashandMAC.
Consider the following natural variation on the blindforgery experiment. To blind , we first select a hash function and a blinding set ; we then declare that will be blinded on whenever . We refer to this as “hashblinding.” We say that a hash function is a Bernoullipreserving hash if, for every oracle function , no QPT can distinguish between an oracle that has been hashblinded with , and an oracle that has been blinded in the usual sense.
Recall that the notion of collapsing hash [22] is a quantum analogue of classical collisionresistance, which plays an important role in the construction of postquantum digital signatures.
Theorem 5.
Let be a hash function. If is a Bernoullipreserving hash, then it is also collapsing. Moreover, against adversaries with classical oracle access, is a Bernoullipreserving hash if and only if it is collisionresistant.
We apply this new notion to show security of the HashandMAC construction with .
Theorem 6.
Let be a secure MAC with , and let a Bernoullipreserving hash. Then is a secure MAC.
2 Preliminaries
Basic notation, conventions.
Given a finite set , the notation will mean that is a uniformly random element of . Given a subset of a set , let
denote the characteristic function of
, i.e., if and else. When we say that a classical function is efficiently computable, we mean that there exists a uniform family of deterministic classical circuits which computes .We will consider three classes of algorithms: (i.) unrestricted algorithms, modeling computationally unbounded adversaries, (ii.) probabilistic polytime algorithms (PPTs), modeling classical adversaries, and (iii.) quantum polytime algorithms (QPTs), modeling quantum adversaries. We assume that the latter two are given as polynomialtime uniform families of circuits. For PPTs, these are probabilistic circuits. For QPTs, they are quantum circuits, which may contain both unitary gates and measurements. We will often assume (without loss of generality) that the measurements are postponed to the end of the circuit, and that they take place in the computational basis.
Given an algorithm , we let denote the (in general, mixed) state output by on input . In particular, if has classical output, then
denotes a probability distribution. Unless otherwise stated, the probability is taken over all random coins and measurements of
, and any randomness used to select the input . If is an oracle algorithm and a classical function, then is the mixed state output by equipped with oracle and input ; the probability is now also taken over any randomness used to generate .We will distinguish between two ways of presenting a function as an oracle. First, the usual “classical oracle access” simply means that each oracle call grants one classical invocation . This will always be the oracle model for PPTs. Second, “quantum oracle access” will mean that each oracle call grants an invocation of the qubit unitary gate For us, this will always be the oracle model for QPTs. Note that both QPTs and unrestricted algorithms could in principle receive either oracle type.
We will need the following lemma. We use the formulation from [6, Lemma 2.1], which is a special case of a more general “pinching lemma” of Hayashi [12].
Lemma 1.
Let be a quantum algorithm and . Let be another quantum algorithm obtained from by pausing at an arbitrary stage of execution, performing a measurement that obtains one of outcomes, and then resuming . Then .
We denote the trace distance between states and by . Recall that this is simply half the trace norm of the difference, i.e., . When and are classical probability distributions, the trace distance is equal to the total variation distance.
Quantumsecure pseudorandomness.
A quantumsecure pseudorandom function () is a family of classical, deterministic, efficientlycomputable functions which appear random to QPT adversaries with quantum oracle access.
Definition 2.
An efficiently computable function family is a quantumsecure pseudorandom function () if, for all QPTs ,
Here denotes the set of all functions from to . The standard “GGM+GL” construction of a yields a when instantiated with a quantumsecure oneway function [24]. One can also construct a directly from [24]. If we have an apriori bound on the number of allowed queries, then a computational assumption is not needed.
Theorem 7 (Lemma 6.4 in [5]).
Let be integers, and a wise independent family of functions. Let be an algorithm making no more than quantum oracle queries and classical oracle queries. Then
unforgeability.
Boneh and Zhandry define unforgeability (against quantum queries) for classical MACs as follows [5]. They also show that random functions satisfy this notion.
Definition 3.
Let be a MAC with message set . Consider the following experiment with an algorithm :

Generate key: .

Generate forgeries: receives quantum oracle for , makes queries, and outputs a string ;

Outcome: output win if contains distinct inputoutput pairs of , and fail otherwise.
We say that is secure if no adversary can succeed at the above experiment with better than negligible probability.
The Fourier Oracle.
Our separation proof will make use of a new technique of Zhandry [26] for working with random oracles. We now briefly describe this idea.
A random function from bits to bits can be viewed as the outcome of a quantum measurement. More precisely, let , where . Then set with , , and where denotes the measurement of the register in the computational basis. This measurement commutes with any gate with control qubit in and target qubit outside . It follows that, for any quantum algorithm making queries to a random oracle, the output distribution is identical if the algorithm is instead run with the following oracle:

Setup: prepare the state .

Upon a query with query registers and , controlled on being in state , apply .

After the algorithm has finished, measure to determine the success of the computation.
We denote the oracle unitary defined in step 2 above by . Having defined this oracle representation, we are free to apply any unitary to the oracle state, so long as we then also apply the conjugated query unitary in place of . We choose , which means that the oracle register starts in the allzero state now. Applying Hadamard to both qubits reverses the direction of CNOT, i.e.
so the adversaryoraclestate after a first query with query state is
(2) 
where denotes the position of in the lexicographic ordering of , and we defined the Fourier basis state
. In the rest of this section, we freely change the order in which tensor products are written, and keep track of the tensor factors through the use of subscripts. This adjusted representation is called the
Fourier oracle (FO), and we denote its oracle unitary byAn essential fact about the FO is that each query can only change the number of nonzero entries in the FO’s register by at most one. To formalize this idea, we define the “number operator”
(3) 
The number operator can also be written in its spectral decomposition,
Note that the initial joint state of a quantum query algorithm and the oracle (in the FOoracle picture described above) is in the image of . The following fact is essential for working with the Fourier Oracle; the proof is given in Appendix A.
Lemma 2.
The number operator satisfies
In particular, the joint state of a quantum query algorithm and the oracle after the th query is in the kernel of for all .
3 The problem with unforgeability
3.1 Intuition, and some obstacles
We begin by motivating our search for a new definition of unforgeability for quantumsecure authentication. We point out a significant security concern not addressed by the existing definition ( security) [5]. Before getting to the specifics, we briefly discuss some intuition behind the problem with security, as well as some obstacles to making this intuition concrete.
One intuitive concern about is that it might rule out adversaries who have to measure and thereby “fully destroy” one or more postquery states before they can produce an interesting forgery. At first, constructing such an example does not seem difficult. For instance, let us look at onetime , and construct a MAC from a by sampling a key for and a superpolynomiallylarge prime , and setting
(4) 
This MAC is forgeable: a quantum adversary can use a single query to perform periodfinding on the MAC, and then forge at . Intuitively, it seems plausible that the MAC might be  secure, since periodfinding uses a full measurement, and the outputs of the MAC are random everywhere else. As it turns out, this is incorrect, and for a somewhat subtle reason: identifying the hidden symmetry does not fully consume the postquery state. On the contrary, the fact that the periodfinding measurement succeeds with high probability implies that the measured postquery state is not too different from the unmeasured postquery state. In particular, one can still extract an inputoutput pair of from the measured postquery state.
More generally, let be an algorithm that makes a uniformsuperposition query to some function and then outputs a property with nonnegligible probability . Let denote the postquery state, and consider applying to the POVM which identifies the property (but measures nothing else.) By assumption, there exists a particular POVM element (i.e., ) that is observed with probability . This implies that has roughly overlap with the postmeasurement state . This means that, even after extracting , measuring in the computational basis will result in a random inputoutput pair of with probability .
One can also try an idea similar to (4) but with Simon’s problem rather than periodfinding, with the aim of requiring the adversary to consume queries in order to produce a single good forgery (e.g., whose tag is the nontrivial element of the hidden subgroup.) This again fails by similar reasoning: we can make all the queries in parallel, postpone the measurement which identifies until the end of the algorithm, and then observe that each postquery state is not disturbed too much by this measurement. This allows us to extract inputoutput pairs from every query, with nonnegligible success probability overall.
These rather general features of quantum algorithms make it difficult to instantiate the above intuition about the problems with security with a concrete scheme. We formalize these somewhat surprising observations in Lemma 8 in Appendix B.4.
3.2 A counterexample to
In order to construct an explicit function which exemplifies the issues with , we will make use of both the intuition described above, and the wellknown (but only partially understood) necessity of uncomputing certain registers when attempting to extract some data from an oracle [1]. Consider the following MAC construction.
Construction 2.
Select a uniformly random string and two random functions , and define a MAC for bit messages by
(5) 
with .
Consider an adversary that queries as follows
(6) 
and then discards the first qubit and the register; this yields . The adversary can extract via periodfinding from polynomiallymany such states, and then output . This attack only queries the MAC on messages starting with (e.g., “from Alice”), and then forges at a message which starts with (e.g., “from Bob.”) We emphasize that the forgery was never queried, not even with negligible amplitude. It is thus intuitively clear that this MAC does not provide secure authentication. And yet, despite this obvious and intuitive vulnerability, this MAC is in fact secure.
Theorem 8.
The MAC from Construction 2 is secure.
Proof.
Let be an adversary that makes quantum queries and outputs distinct candidate forgeries (where is selected by at runtime.) We let this adversary interact with a mixed oracle, where and
are treated as random variables, and
is represented as a Fourier Oracle as in Section 2. We denote the relevant quantum registers as follows. First, the quantum oracle for is a unitary operator on three registers: (i.) the qubit input register , (ii.) the qubit output register into which is computed, and (iii.) the qubit output register which interacts with the Fourier Oracle. We set . The Fourier Oracle is an qubit register denoted by , with the subregister corresponding to input denoted by . Finally, the workspace of is a qubit register denoted by .Let denote the final state of and the Fourier Oracle, after the candidate forgeries have been measured, but prior to any other measurements. Recall that each “number projector” from Section 2 projects to the subspace spanned by basis states with exactly nonzero entries. We apply to the twooutcome measurement defined by and its complementary projector , effectively measuring whether contains fewer than nonzero entries (i.e., registers containing a state other than ); note that it cannot contain more than by Lemma 2. By Lemma 1, applying this measurement decreases the success probability of at any particular task by a factor . We handle the two possible outcomes ( and ) separately.
Case : Let be the postmeasurement state. Note that for all , i.e., each basis component of has fewer than nonzero entries in . On the other hand, the output of contains at least candidate inputoutput pairs of (since is the only inputoutput pair of that does not also contain an inputoutput pair of .) We apply the outcome measurement to which asks: “among the registers , which is the first one to contain ?” This measurement is defined by projectors
Adding this measurement to ensures that is in the state for some , at the cost of multiplying ’s success probability by (by Lemma 1.) Recalling that, in the Fourier Oracle picture, is the result of QFTing and then fully measuring , we see that is now uniformly random and independent of . The original (i.e., without the measurement ) thus succeeded with probability at most . ^{2}^{2}2This argument amounts to an alternative proof that random functions are secure.
Case : We will denote the postmeasurement state in this case by , emphasizing that the state was produced by interacting with the oracle . By the security of (Theorem 19) it suffices to show that the correct period is output by (by measuring, say, some designated subregister of of the state ) with at most negligible probability. Since testing success at outputting does not involve the register , we are free to apply any quantum channel to the register of . We choose to measure which subregisters of are in a nonzero state. This PVM is defined by projectors
(7) 
where with . Note that , so the outcome “rest” never occurs for . In the following we denote by the random variable obtained from this measurement. We also set some other random variables in boldface to better distinguish them from particular values they can take.
Now consider the preparation of the state (by and the Fourier Oracle) with an arbitrary choice of oracle function in place of . We will denote this state by . We now show that, conditioned on a particular measurement outcome , we can arbitrarily relabel the values of outside , without affecting the output state of the algorithm.
Lemma 3.
Let with and a pair of functions satisfying for all . Then .
Proof.
Let , where is ’s th internal unitary, is the standard oracle unitary for , and is the Fourier Oracle unitary as described in Section 2. The intermediate states are
(8) 
and the final state is . By Lemma 2, for all , so
For the term in the sum above, the unitary applies queries to ; by Lemma 2 this term is thus zero unless . We can therefore insert a after the th query for free when projecting with in the end. Explicitly,
(9) 
We first show that we can apply
after every query of .
We are interested in the state . We can make a similar argument as above to show that we can project with after every query as well. As the FOunitary is the only one that acts on , and because , we can even apply the projector before and after each query. We write , where
(10) 
i.e. and measure the number of nonzero entries inside and outside , respectively. Lemma 2 applies to and separately, and . Therefore we have, defining
(11) 
and using the same argument as above, that
(12) 
and hence
(13) 
implying
. But the projector onto the zeroeigenspace of
is , so .With an even simpler argument we can insert a projector before every query. This is because , and therefore the number operator eignenvalue does not increase.
To show that is independent of the values outside , we observe that for all , and for all states , we have
(14) 
where we have used that for all it holds that . This implies that our artificial oracle (together with a renormalization) only gives access to for inputs
This concludes the proof of Lemma 3. ∎
We now continue with the “case ” proof of Theorem 8. We bound ’s success probability separately for each outcome . Indeed, it suffices to show that for all , the probability that the output contains a pair is negligible if continues with
(15) 
in place of .
We show that the periodic oracle can be replaced by a nonperiodic one, except with negligible probability. More precisely, if is ’s output, there exists an event such that and for all .
In the following, let us denote the oracle for the MAC of Construction 2 with functions and and period by . We define
(16) 
For and , if , let be a transversal for (i.e., a maximal set such that for it holds that ) such that . Using this transversal, we can define for each a random periodic function that is identically distributed with , as follows.

If , we set .

If , we set for such that .
For a unitary algorithm that makes queries to an oracle , we define the following procedures:
Procedure 0

Sample , and .

Run with oracle resulting in a final adversaryoracle state . Apply the measurement to . If outcome is , output “fail.”

Measure . If , output “bad.” Otherwise, let be the postmeasurement state of adversary and oracle, i.e. .

Output .
Procedure
Same as Procedure 0, except with oracle instead of .
Procedure 1

Sample and .

Run with an oracle resulting in a final adversaryoracle state . Apply the measurement to . If outcome is , output “fail.”

Measure and sample . If , output “bad.” Otherwise, let be the postmeasurement state of adversary and oracle, i.e. .

Output .
We first observe that for all , the outputs of procedures and are identically distributed because and are. Note that for any fixed , ; this, together with Lemma 3, implies that
(17) 
It follows that, still for a fixed ,
(18) 
This implies also that in any of the three procedures, conditioned on the event that the output is neither “fail” nor “bad” and on a fixed first output ,
is uniformly distributed on
. In other words,(19) 
Let us denote the event that a procedure outputs a triple by “good.”
In what follows, we fix a particular period , an outcome of the periodsampling step (step 1 in Procedures and and step 3 in Procedure ). Given a number of queries we identify three subspaces of corresponding to the three outcomes “good,” “bad” and “fail” of the procedures above:
(20)  