Large-scale quantum computers will break all widely-deployed public-key cryptography, and may even threaten certain post-quantum candidates [19, 7, 8, 9, 4]. Basic symmetric-key constructions like Feistel ciphers and CBC-MACs also become vulnerable in a quantum attack model [14, 15, 13, 18], where the adversary is presumed to have quantum query access to some part of the cryptosystem. For example, the adversary may gain access to the unitary operator where is the encryption or decryption function with the key . While it is unclear if this model is directly relevant to physical implementations of symmetric-key cryptography, it appears necessary in a number of generic settings, such as public-key encryption and hashing with public hash functions. It could also be relevant when private-key primitives are composed in larger protocols, e.g., by exposing circuits via obfuscation . Setting down appropriate security definitions in this quantum attack model is the subject of several threads of recent research [6, 10].
In this article, we study authentication of classical information in this quantum-secure model. Here, the adversary is granted quantum query access to the signing algorithm of a message authentication code (MAC) or a digital signature scheme, and is tasked with producing valid forgeries. In the purely classical setting, we insist that the forgeries are fresh, i.e., distinct from previous queries to the oracle, so that the security definition does not become vacuous. When the function may be queried in superposition, however, it’s unclear how to meaningfully reflect this constraint that a forgery was “unqueried” without ruling out natural, intuitive attacks. For example, consider a uniform superposition query. Simply measuring the output state to get a forgery—a feasible attack against any function—should not be considered a break. On the other hand, an adversary who uses the same query to discover some structural property (e.g., a superpolynomial-size period in the MAC) should be considered successful. Examples like these indicate the difficulty of the problem. How do we correctly “price” the queries? How do we decide if a forgery is fresh? Furthermore, how do we do this in a manner that is consistent with these examples, and many others? This problem has a natural interpretation that goes well beyond cryptography: What does it mean for a classical function to appear unpredictable to a quantum oracle algorithm?111The related notion of “appearing random” has a satisfying definition, which can be fulfilled efficiently .
The first approach to this problem was suggested by Boneh and Zhandry . They define a MAC to be unforgeable, if no adversary can use queries to the MAC to produce
valid input-output pairs except with negligible probability. We will refer to this notion as “security” (and - for the case where the adversary is permitted a maximum of queries). Boneh and Zhandry prove a number of results about this notion, including that it can be realized by a quantum-secure pseudorandom function ().
In an approach by Garg, Yuen and Zhandry , a MAC is considered one-time secure if only a trivial “query, measure in computational basis, output result” attack is allowed; we call this notion . Unfortunately, it is not clear how to extend beyond the single-query case. Zhandry recently gave a separation example between and by means of indistinguishability obfuscation .
It is interesting to note that similar problems are present in defining unforgeability for authentication of quantum data. A convincing solution was recently found . This approach relies on the fact that, for quantum messages, authentication implies secrecy; this enables “tricking” the adversary by replacing their queries with “trap” plaintexts to detect replays. As a result, the approach of  is inapplicable to the setting of classical messages, where unforgeability and secrecy are orthogonal. Indeed, in situations where unforgeability is required but secrecy is not, adversaries would easily recognize spoofed oracles.
security, the only candidate definition of quantum-secure unforgeability in the setting of more than one query, appears to be insufficient for several reasons. First, as observed in , it is a-priori unclear if security rules out adversaries who forge a message in region after querying the signing oracle on a disjoint message region . Second, may not capture the unique features of quantum information, such as the destructiveness of measurement. Quantum algorithms must sometimes “consume” (i.e., fully measure) a state to extract some useful information, such as a symmetry in the oracle. It’s plausible that, for some MACs, there is an adversary who makes one or more quantum queries but then must consume the post-query states completely in order to make a single convincing forgery.
Despite these philosophical criticisms, prior to this work no -secure schemes have been shown to be manifestly insecure. It is thus essential to gain a concrete understanding of these potential issues, and thereby place the security of MACs and other primitives against quantum attacks on firmer foundations.
1.2 Summary of results
1.2.1 The problem with .
Our first result is a construction of a MAC which is forgeable (in a strong intuitive sense) and yet is classified byas secure.
Given a triple where and , define by
Consider an adversary that queries only on messages starting with , as follows:
, discarding the first qubit andyields . One can then recover via period-finding and output . We emphasize that the forgery was queried with zero amplitude. One can interpret this attack as, e.g., querying only on messages starting with “From: Alice” and then forging a message starting with “From: Bob”. Despite this, we can show that is -secure.
The family (for uniformly random ) is -secure.
The security of relies on a dilemma the adversary faces at each query: either learn an output of , or obtain a superposition of -pairs for Fourier sampling. Our proof shows that, once the adversary commits to one of these two choices, the other option is irrevocably lost. Our result can thus be understood as a refinement of an observation of Aaronson: quantumly learning a property sometimes requires uncomputing some information . Note that, while Aaronson could rely on standard (asymptotic) query complexity techniques, our problem is quite fragile: security describes a task which should be hard with queries, but is completely trivial given queries. Our proof is inspired by a new quantum random oracle technique of Zhandry .
1.2.2 A new definition: Blind-unforgeability.
We then develop a new definition of unpredictability. Given the context of quantum-secure MACs and digital signatures, we call our notion “blind-unforgeability” (or ). In this approach, we examine the behavior of adversaries in the following experiment. The adversary is granted quantum oracle access to the MAC, “blinded” at a random region . Specifically, we set to be a random -fraction of the message space, and declare that the oracle function will output on all of .
Given a MAC , an adversary , and adversary-selected parameter , the “blind forgery experiment” is:
Generate key and random blinding ;
Produce candidate forgery .
Output if and ; otherwise output .
A MAC is blind-unforgeable () if for every adversary , the probability of winning the blind forgery experiment is negligible.
In this work, will typically refer to the case where is an efficient quantum algorithm (QPT) and the oracle is quantum, i.e., . We will also consider -, the information-theoretic variant where the total number of queries is a-priori fixed to . We remark that the above definition is also easy to adapt to other settings, e.g., classical security against PPT adversaries, quantum or classical security for digital signatures, etc.
1.2.3 Results about blind-unforgeability.
Next, we collect a series of results which build up confidence in as a viable definition of unforgeability. These results allow us to conclude that classifies a wide range of examples (in fact, all examples we have examined) as either forgeable or unforgeable in a way that agrees with our intuition about the meaning of unpredictability. First, we show that correctly classifies unforgeability in the classical-query setting.
In the setting of classical queries, .
Next, we give a general simulation theorem which tightly controls the deviation in the adversary’s behavior when subjected to the experiment.
Let be a quantum query algorithm making at most queries. Let be a function, a random -blinding subset of , and any function with support . Then
The above fact can be viewed as evidence that adversaries that produce “good forgeries” (in any reasonably intuitive sense) will not be disturbed too much by blinding, and will thus in fact also win the experiment. We can formulate and prove this intuition explicitly for a wide class of adversaries, as follows. Given an oracle algorithm , we let denote the union of the supports of all the queries of , taken over all choices of oracle function.
Theorem 3 (informal).
Let be QPT and for some . Let be a MAC, and suppose outputs a valid pair with with noticeable probability. Then is not secure.
There exists a -secure MAC which is -insecure.
1.2.4 Blind-unforgeable MACs.
Next, we show that several natural constructions satisfy . We first show that a random function is blind-unforgeable.
Let be a random function such that is negligible. Then is a blind-unforgeable MAC.
Quantum-secure pseudorandom functions () are -secure MACs, and (4q+1)-wise independent functions are --secure MACs.
We can then invoke a recent result about the quantum-security of domain-extension schemes such as NMAC and HMAC , and obtain variable-length -secure MACs from any .
Consider the following natural variation on the blind-forgery experiment. To blind , we first select a hash function and a blinding set ; we then declare that will be blinded on whenever . We refer to this as “hash-blinding.” We say that a hash function is a Bernoulli-preserving hash if, for every oracle function , no QPT can distinguish between an oracle that has been hash-blinded with , and an oracle that has been blinded in the usual sense.
Recall that the notion of collapsing hash  is a quantum analogue of classical collision-resistance, which plays an important role in the construction of post-quantum digital signatures.
Let be a hash function. If is a Bernoulli-preserving hash, then it is also collapsing. Moreover, against adversaries with classical oracle access, is a Bernoulli-preserving hash if and only if it is collision-resistant.
We apply this new notion to show security of the Hash-and-MAC construction with .
Let be a -secure MAC with , and let a Bernoulli-preserving hash. Then is a -secure MAC.
Basic notation, conventions.
Given a finite set , the notation will mean that is a uniformly random element of . Given a subset of a set , let
denote the characteristic function of, i.e., if and else. When we say that a classical function is efficiently computable, we mean that there exists a uniform family of deterministic classical circuits which computes .
We will consider three classes of algorithms: (i.) unrestricted algorithms, modeling computationally unbounded adversaries, (ii.) probabilistic poly-time algorithms (PPTs), modeling classical adversaries, and (iii.) quantum poly-time algorithms (QPTs), modeling quantum adversaries. We assume that the latter two are given as polynomial-time uniform families of circuits. For PPTs, these are probabilistic circuits. For QPTs, they are quantum circuits, which may contain both unitary gates and measurements. We will often assume (without loss of generality) that the measurements are postponed to the end of the circuit, and that they take place in the computational basis.
Given an algorithm , we let denote the (in general, mixed) state output by on input . In particular, if has classical output, then
denotes a probability distribution. Unless otherwise stated, the probability is taken over all random coins and measurements of, and any randomness used to select the input . If is an oracle algorithm and a classical function, then is the mixed state output by equipped with oracle and input ; the probability is now also taken over any randomness used to generate .
We will distinguish between two ways of presenting a function as an oracle. First, the usual “classical oracle access” simply means that each oracle call grants one classical invocation . This will always be the oracle model for PPTs. Second, “quantum oracle access” will mean that each oracle call grants an invocation of the -qubit unitary gate For us, this will always be the oracle model for QPTs. Note that both QPTs and unrestricted algorithms could in principle receive either oracle type.
Let be a quantum algorithm and . Let be another quantum algorithm obtained from by pausing at an arbitrary stage of execution, performing a measurement that obtains one of outcomes, and then resuming . Then .
We denote the trace distance between states and by . Recall that this is simply half the trace norm of the difference, i.e., . When and are classical probability distributions, the trace distance is equal to the total variation distance.
A quantum-secure pseudorandom function () is a family of classical, deterministic, efficiently-computable functions which appear random to QPT adversaries with quantum oracle access.
An efficiently computable function family is a quantum-secure pseudorandom function () if, for all QPTs ,
Here denotes the set of all functions from to . The standard “GGM+GL” construction of a yields a when instantiated with a quantum-secure one-way function . One can also construct a directly from . If we have an a-priori bound on the number of allowed queries, then a computational assumption is not needed.
Theorem 7 (Lemma 6.4 in ).
Let be integers, and a -wise independent family of functions. Let be an algorithm making no more than quantum oracle queries and classical oracle queries. Then
Boneh and Zhandry define unforgeability (against quantum queries) for classical MACs as follows . They also show that random functions satisfy this notion.
Let be a MAC with message set . Consider the following experiment with an algorithm :
Generate key: .
Generate forgeries: receives quantum oracle for , makes queries, and outputs a string ;
Outcome: output win if contains distinct input-output pairs of , and fail otherwise.
We say that is -secure if no adversary can succeed at the above experiment with better than negligible probability.
The Fourier Oracle.
Our separation proof will make use of a new technique of Zhandry  for working with random oracles. We now briefly describe this idea.
A random function from bits to bits can be viewed as the outcome of a quantum measurement. More precisely, let , where . Then set with , , and where denotes the measurement of the register in the computational basis. This measurement commutes with any gate with control qubit in and target qubit outside . It follows that, for any quantum algorithm making queries to a random oracle, the output distribution is identical if the algorithm is instead run with the following oracle:
Setup: prepare the state .
Upon a query with query registers and , controlled on being in state , apply .
After the algorithm has finished, measure to determine the success of the computation.
We denote the oracle unitary defined in step 2 above by . Having defined this oracle representation, we are free to apply any unitary to the oracle state, so long as we then also apply the conjugated query unitary in place of . We choose , which means that the oracle register starts in the all-zero state now. Applying Hadamard to both qubits reverses the direction of CNOT, i.e.
so the adversary-oracle-state after a first query with query state is
where denotes the position of in the lexicographic ordering of , and we defined the Fourier basis state
. In the rest of this section, we freely change the order in which tensor products are written, and keep track of the tensor factors through the use of subscripts. This adjusted representation is called theFourier oracle (FO), and we denote its oracle unitary by
An essential fact about the FO is that each query can only change the number of non-zero entries in the FO’s register by at most one. To formalize this idea, we define the “number operator”
The number operator can also be written in its spectral decomposition,
Note that the initial joint state of a quantum query algorithm and the oracle (in the FO-oracle picture described above) is in the image of . The following fact is essential for working with the Fourier Oracle; the proof is given in Appendix A.
The number operator satisfies
In particular, the joint state of a quantum query algorithm and the oracle after the -th query is in the kernel of for all .
3 The problem with -unforgeability
3.1 Intuition, and some obstacles
We begin by motivating our search for a new definition of unforgeability for quantum-secure authentication. We point out a significant security concern not addressed by the existing definition ( security) . Before getting to the specifics, we briefly discuss some intuition behind the problem with security, as well as some obstacles to making this intuition concrete.
One intuitive concern about is that it might rule out adversaries who have to measure and thereby “fully destroy” one or more post-query states before they can produce an interesting forgery. At first, constructing such an example does not seem difficult. For instance, let us look at one-time , and construct a MAC from a by sampling a key for and a superpolynomially-large prime , and setting
This MAC is forgeable: a quantum adversary can use a single query to perform period-finding on the MAC, and then forge at . Intuitively, it seems plausible that the MAC might be - secure, since period-finding uses a full measurement, and the outputs of the MAC are random everywhere else. As it turns out, this is incorrect, and for a somewhat subtle reason: identifying the hidden symmetry does not fully consume the post-query state. On the contrary, the fact that the period-finding measurement succeeds with high probability implies that the measured post-query state is not too different from the unmeasured post-query state. In particular, one can still extract an input-output pair of from the measured post-query state.
More generally, let be an algorithm that makes a uniform-superposition query to some function and then outputs a property with non-negligible probability . Let denote the post-query state, and consider applying to the POVM which identifies the property (but measures nothing else.) By assumption, there exists a particular POVM element (i.e., ) that is observed with probability . This implies that has roughly overlap with the post-measurement state . This means that, even after extracting , measuring in the computational basis will result in a random input-output pair of with probability .
One can also try an idea similar to (4) but with Simon’s problem rather than period-finding, with the aim of requiring the adversary to consume queries in order to produce a single good forgery (e.g., whose tag is the nontrivial element of the hidden subgroup.) This again fails by similar reasoning: we can make all the queries in parallel, postpone the measurement which identifies until the end of the algorithm, and then observe that each post-query state is not disturbed too much by this measurement. This allows us to extract input-output pairs from every query, with non-negligible success probability overall.
3.2 A counterexample to
In order to construct an explicit function which exemplifies the issues with , we will make use of both the intuition described above, and the well-known (but only partially understood) necessity of uncomputing certain registers when attempting to extract some data from an oracle . Consider the following MAC construction.
Select a uniformly random string and two random functions , and define a MAC for bit messages by
Consider an adversary that queries as follows
and then discards the first qubit and the register; this yields . The adversary can extract via period-finding from polynomially-many such states, and then output . This attack only queries the MAC on messages starting with (e.g., “from Alice”), and then forges at a message which starts with (e.g., “from Bob.”) We emphasize that the forgery was never queried, not even with negligible amplitude. It is thus intuitively clear that this MAC does not provide secure authentication. And yet, despite this obvious and intuitive vulnerability, this MAC is in fact -secure.
The MAC from Construction 2 is -secure.
Let be an adversary that makes quantum queries and outputs distinct candidate forgeries (where is selected by at runtime.) We let this adversary interact with a mixed oracle, where and
are treated as random variables, andis represented as a Fourier Oracle as in Section 2. We denote the relevant quantum registers as follows. First, the quantum oracle for is a unitary operator on three registers: (i.) the -qubit input register , (ii.) the -qubit output register into which is computed, and (iii.) the -qubit output register which interacts with the Fourier Oracle. We set . The Fourier Oracle is an -qubit register denoted by , with the subregister corresponding to input denoted by . Finally, the workspace of is a -qubit register denoted by .
Let denote the final state of and the Fourier Oracle, after the candidate forgeries have been measured, but prior to any other measurements. Recall that each “number projector” from Section 2 projects to the subspace spanned by basis states with exactly non-zero entries. We apply to the two-outcome measurement defined by and its complementary projector , effectively measuring whether contains fewer than non-zero entries (i.e., registers containing a state other than ); note that it cannot contain more than by Lemma 2. By Lemma 1, applying this measurement decreases the success probability of at any particular task by a factor . We handle the two possible outcomes ( and ) separately.
Case : Let be the post-measurement state. Note that for all , i.e., each basis component of has fewer than non-zero entries in . On the other hand, the output of contains at least candidate input-output pairs of (since is the only input-output pair of that does not also contain an input-output pair of .) We apply the -outcome measurement to which asks: “among the registers , which is the first one to contain ?” This measurement is defined by projectors
Adding this measurement to ensures that is in the state for some , at the cost of multiplying ’s success probability by (by Lemma 1.) Recalling that, in the Fourier Oracle picture, is the result of QFT-ing and then fully measuring , we see that is now uniformly random and independent of . The original (i.e., without the measurement ) thus succeeded with probability at most . 222This argument amounts to an alternative proof that random functions are -secure.
Case : We will denote the post-measurement state in this case by , emphasizing that the state was produced by interacting with the oracle . By the -security of (Theorem 19) it suffices to show that the correct period is output by (by measuring, say, some designated subregister of of the state ) with at most negligible probability. Since testing success at outputting does not involve the register , we are free to apply any quantum channel to the register of . We choose to measure which subregisters of are in a non-zero state. This PVM is defined by projectors
where with . Note that , so the outcome “rest” never occurs for . In the following we denote by the random variable obtained from this measurement. We also set some other random variables in boldface to better distinguish them from particular values they can take.
Now consider the preparation of the state (by and the Fourier Oracle) with an arbitrary choice of oracle function in place of . We will denote this state by . We now show that, conditioned on a particular measurement outcome , we can arbitrarily relabel the values of outside , without affecting the output state of the algorithm.
Let with and a pair of functions satisfying for all . Then .
Let , where is ’s -th internal unitary, is the standard oracle unitary for , and is the Fourier Oracle unitary as described in Section 2. The intermediate states are
and the final state is . By Lemma 2, for all , so
For the term in the sum above, the unitary applies queries to ; by Lemma 2 this term is thus zero unless . We can therefore insert a after the -th query for free when projecting with in the end. Explicitly,
We first show that we can apply
after every query of .
We are interested in the state . We can make a similar argument as above to show that we can project with after every query as well. As the FO-unitary is the only one that acts on , and because , we can even apply the projector before and after each query. We write , where
i.e. and measure the number of non-zero entries inside and outside , respectively. Lemma 2 applies to and separately, and . Therefore we have, defining
and using the same argument as above, that
. But the projector onto the zero-eigenspace ofis , so .
With an even simpler argument we can insert a projector before every query. This is because , and therefore the number operator eignenvalue does not increase.
To show that is independent of the values outside , we observe that for all , and for all states , we have
where we have used that for all it holds that . This implies that our artificial oracle (together with a renormalization) only gives access to for inputs
This concludes the proof of Lemma 3. ∎
We now continue with the “case ” proof of Theorem 8. We bound ’s success probability separately for each outcome . Indeed, it suffices to show that for all , the probability that the output contains a pair is negligible if continues with
in place of .
We show that the periodic oracle can be replaced by a non-periodic one, except with negligible probability. More precisely, if is ’s output, there exists an event such that and for all .
In the following, let us denote the oracle for the MAC of Construction 2 with functions and and period by . We define
For and , if , let be a transversal for (i.e., a maximal set such that for it holds that ) such that . Using this transversal, we can define for each a random periodic function that is identically distributed with , as follows.
If , we set .
If , we set for such that .
For a unitary algorithm that makes queries to an oracle , we define the following procedures:
Sample , and .
Run with oracle resulting in a final adversary-oracle state . Apply the measurement to . If outcome is , output “fail.”
Measure . If , output “bad.” Otherwise, let be the post-measurement state of adversary and oracle, i.e. .
Same as Procedure 0, except with oracle instead of .
Sample and .
Run with an oracle resulting in a final adversary-oracle state . Apply the measurement to . If outcome is , output “fail.”
Measure and sample . If , output “bad.” Otherwise, let be the post-measurement state of adversary and oracle, i.e. .
We first observe that for all , the outputs of procedures and are identically distributed because and are. Note that for any fixed , ; this, together with Lemma 3, implies that
It follows that, still for a fixed ,
This implies also that in any of the three procedures, conditioned on the event that the output is neither “fail” nor “bad” and on a fixed first output ,
is uniformly distributed on. In other words,
Let us denote the event that a procedure outputs a triple by “good.”
In what follows, we fix a particular period , an outcome of the period-sampling step (step 1 in Procedures and and step 3 in Procedure ). Given a number of queries we identify three subspaces of corresponding to the three outcomes “good,” “bad” and “fail” of the procedures above: