Quantum-secure message authentication via blind-unforgeability

We consider the problem of unforgeable authentication of classical messages in the presence of quantum adversaries. Formulating and solving this natural problem has been a challenge, as the familiar classical notions of unforgeability do not directly translate into meaningful notions in the quantum setting. A particular difficulty is how to fairly capture the notion of “predicting an unqueried value” of a function in a setting where the adversary can query in quantum superposition. In this article, we point out some shortcomings of previous definitions of unpredictability against quantum adversaries, propose a new definition, and support its viability with several constructions and reductions. We begin by pointing out a weakness in a previous definition of Boneh and Zhandry. Specifically, we demonstrate a function which is secure according to the (single-query) Boneh-Zhandry definition, but is clearly vulnerable to a (single-query) quantum forgery attack, whereby a query supported only on inputs that start with 0 divulges the value of the function on an input that starts with 1. We then propose a new definition, which we call “blind-unforgeability” (or BU). This notion defines a function to be predictable if there exists an adversary which can use “partially blinded” oracle access to predict values in the blinded region. Our definition (BU) coincides with classical unpredictability (i.e., EUF-CMA) in the purely classical setting. In the quantum setting, it can be satisfied efficiently using quantum-secure pseudorandom functions. We show that BU satisfies a composition property (Hash-and-MAC) using “Bernoulli-preserving” hash functions, a new notion which may be of independent interest. We also show that BU is amenable to security reductions, by giving a precise bound on the extent to which quantum algorithms can deviate from their usual behavior due to the blinding in the BU security experiment.