Quantum secure message authentication via blind-unforgeability - PowerPoint PPT Presentation

Quantum secure message authentication via blind-unforgeability
Christian Majenz
Joint work with Gorjan Alagic, Alexander Russell and Fang Song
QCrypt 2018, Shanghai, China

Message authentication

Alice wants to send a message m to Bob. In between, … the Internet is a scary place…: an adversary can replace m by some m′, and Bob only sees m′ and has to decide acc/rej.

Problem: how can Bob check if a message came from Alice and is unchanged?

Solution: message authentication code (MAC) (some efficient function Mac). Alice and Bob share a key k.
- Alice computes the tag t = Mac_k(m) and sends (m, t).
- … the Internet is a scary place…: the adversary may replace (m, t) by (m′, t′).
- Bob recomputes Mac_k(m′) and checks Mac_k(m′) = t′? acc/rej.

Note: Bob is only checking consistency with the function Mac_k.
Message authentication

What properties should a MAC satisfy to be secure? What are we worried about? Forgeries!
- plain forgery: produce a valid pair (m, Mac_k(m)) from nothing;
- “malleability” attacks: turn a valid pair (m, Mac_k(m)) into a valid pair (m′, Mac_k(m′)) for some other message m′;
- using an oracle to produce a fresh forgery (most general attack): query Mac_k on messages of one’s choice and output a (fresh) valid pair (m, Mac_k(m)).

Key property: unpredictability of Mac_k.
Classical security: Unforgeability

A message authentication code is secure, if no successful forger exists:

  Forger ⇄ Mac_k :  m_1 → t_1,  m_2 → t_2,  …,  m_q → t_q;  the forger outputs (m*, t*)

Success: i) m* ≠ m_i for all i = 1,...,q  ii) Mac_k(m*) = t*

“Existential unforgeability under chosen message attacks”, EUF-CMA

What if the adversary has quantum oracle access to Mac_k, i.e. can apply |m⟩|t⟩ ↦ |m⟩|t ⊕ Mac_k(m)⟩ to a superposition of messages?

Example:
i) Query m_1 = Σ_{m∈{0,1}^n} |m⟩|0⟩ to obtain Σ_{m∈{0,1}^n} |m⟩|Mac_k(m)⟩ (normalisation omitted)
ii) Measure in the computational basis to obtain (m, Mac_k(m)) for random m
iii) Output (m, Mac_k(m))

EUF-CMA doesn’t make sense anymore… the single query m_1 is a superposition over all messages, so condition i) “m* ≠ m_i” has no meaning, and this trivial adversary would count as a successful forger.
Quantum

What does it mean for a function to be unpredictable against quantum? What is a good predictor?

Not a good predictor (the example above):
i) Query Σ_{m∈{0,1}^n} |m⟩|0⟩ to obtain Σ_{m∈{0,1}^n} |m⟩|Mac_k(m)⟩
ii) Measure in the computational basis to obtain (m, Mac_k(m)) for random m
iii) Output (m, Mac_k(m))
It learns one random input-output pair, nothing a classical query could not have given it.

A good predictor: the key k specifies a random periodic function f_k with period p_k, and Mac_k(p_k) = 0, Mac_k(x) = f_k(x) ∀x ≠ p_k.
i) run period finding (a quantum algorithm with no classical counterpart) to find p_k
ii) output (p_k, 0)
Boneh Zhandry unforgeability

A proposal (Boneh and Zhandry, EUROCRYPT 2013): Ask for q + 1 forgeries for q queries!

  Forger ⇄ Mac_k (quantum queries) :  m_1 → t_1,  m_2 → t_2,  …,  m_q → t_q;  the forger outputs (m*_1, t*_1), (m*_2, t*_2), . . . , (m*_{q+1}, t*_{q+1})

Success: Mac_k(m*_i) = t*_i ∀i = 1,...,q + 1, for q + 1 distinct messages m*_i.

Has some nice properties:
- Equivalent to EUF-CMA for classical oracle
- A random function is BZ-unforgeable (BZ ’13)
The right definition?

(BZ game: q quantum queries m_1 → t_1, …, m_q → t_q; output (m*_1, t*_1), (m*_2, t*_2), . . . , (m*_{q+1}, t*_{q+1}); success: Mac_k(m*_i) = t*_i ∀i = 1,...,q+1.)

Is this really right? What does your quantum intuition tell you? What if…
- adversary has to fully measure many queries to generate one forgery? (no-cloning)
- adversary “queries here, forges there”? Picture: in the space of all messages, all queries are supported on one region (messages with prefix “from Charlie”) while the forgery comes from a disjoint region (messages with prefix “from Gilles”). Such an adversary gets one forgery out of one query, which the BZ game does not count as a break.

In fact, it seems like it should be easy to find examples like this! It’s not, though.

Is our intuition right? One obstacle: “property finding” cannot be used.
Not the right definition!

A concrete MAC that “breaks” Boneh-Zhandry: Idea: build a function where forging requires sampling from a large space of symmetries.
- Let f_0, f_1 : {0,1}^n → {0,1}^n be random functions; let A be a large random subgroup of ℤ_2^n, and let A^⊥ = {y : y·a = 0 ∀a ∈ A} be its dual;
- Define f_0^A(x) = ⨁_{a∈A} f_0(x ⊕ a).
  (A random Simon problem, but with large subgroup A: f_0^A(x ⊕ a) = f_0^A(x) for all a ∈ A, so f_0^A is constant on cosets of A.)
- Define f_1^A(x) = f_1(x) unless x ∈ A^⊥, and f_1^A(x) = 0^n for x ∈ A^⊥.
  (A function which is only forgeable by sampling: the predictable tags sit exactly on A^⊥, and A^⊥ is only reachable through the symmetries of f_0^A.)
- MAC: Mac_k(b‖x) = f_b^A(x) with k = (f_0, f_1, A). The message space splits into the half b = 0 and the half b = 1.

Simple one-query attack:
i) use Fourier sampling on the b = 0 half to get a random x ∈ A^⊥ (query Σ_x |0‖x⟩|0⟩, measure the tag register, apply a Hadamard transform to the x register and measure: because f_0^A is A-periodic, the outcome is supported on A^⊥);
ii) output (1‖x, 0^n), which is a valid pair since f_1^A(x) = 0^n for x ∈ A^⊥.

Theorem (AMRS17). There are no efficient quantum algorithms which query Mac_k once but output two distinct input-output pairs of Mac_k.

So this MAC is BZ-unforgeable against one query, although one query suffices to forge.
New approach: Blind Unforgeability (BU)

Problem: how do we define unpredictability vs quantum?

A new approach: “blind unforgeability.” (AMRS17) Idea: to check if a predictor is good…
- give it the oracle for the MAC, but “blind” it on some inputs;
- ask the predictor to forge on a blinded spot.

More formally: for a MAC Mac_k,
1. Select B_ε ⊂ {0,1}^n by putting every x ∈ B_ε independently with probability ε;
2. Define the “blinded” oracle:
   B_ε Mac_k : y ↦ Mac_k(y) if y ∉ B_ε,  ⊥ if y ∈ B_ε.

Definition (Blind-Unforgeability): A MAC is blind-unforgeable if for every adversary 𝒜 with a quantum oracle for B_ε Mac_k,
   ℙ[(y, Mac_k(y)) ← 𝒜^{B_ε Mac_k} and y ∈ B_ε] = negl(n).
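The two games side by side, instantiated with a classical oracle, as an added example that is not part of the slides or of the AMRS paper: the EUF-CMA game and the blind-unforgeability game, the latter with B_ε sampled lazily (one independent coin per message the first time it is touched, so the message space never has to be enumerated). Both are run against HMAC-SHA256 and against a constructed, deliberately broken MAC that does not authenticate the last message byte. The one-query “malleability” forger, the sample message, the blinding rate ε = 0.25 and the toy MAC are assumptions made for this example. Classically, a forger that wins EUF-CMA with one query also wins the BU game whenever its query is unblinded and its forgery is blinded, i.e. with probability (1 − ε)ε, while against HMAC both games are lost.

```python
import hashlib
import hmac
import random


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def weak_mac(key: bytes, msg: bytes) -> bytes:
    """Constructed, deliberately broken MAC: the last message byte is not
    authenticated, so a tag for m is also a tag for m with that byte changed."""
    return hmac.new(key, msg[:-1], hashlib.sha256).digest()


def _random_key(rng):
    return rng.getrandbits(256).to_bytes(32, "big")


def euf_cma_game(mac, forger, rng):
    """Classical EUF-CMA: the forger gets Mac_k on chosen messages and must
    output (m*, t*) with m* never queried and Mac_k(m*) = t*."""
    key = _random_key(rng)
    queried = set()

    def oracle(m):
        queried.add(m)
        return mac(key, m)

    m_star, t_star = forger(oracle)
    return m_star not in queried and mac(key, m_star) == t_star


def bu_game(mac, forger, rng, eps):
    """Blind-unforgeability game with a classical oracle: each message enters
    B_eps independently with probability eps (sampled lazily); the oracle
    answers bottom (None here) on B_eps, and the forgery only counts if
    m* lies in B_eps and Mac_k(m*) = t*."""
    key = _random_key(rng)
    coins = {}

    def in_blinding_set(m):
        if m not in coins:
            coins[m] = rng.random() < eps
        return coins[m]

    def oracle(m):
        return None if in_blinding_set(m) else mac(key, m)

    m_star, t_star = forger(oracle)
    return in_blinding_set(m_star) and mac(key, m_star) == t_star


def last_byte_forger(oracle):
    """One-query malleability forger: reuse the tag of m for m with its last
    byte flipped. If the single query was blinded it has nothing to go on."""
    m = b"transfer 100 to account 42"          # constructed sample message
    t = oracle(m)
    m_star = m[:-1] + bytes([m[-1] ^ 0x01])
    return m_star, (t if t is not None else bytes(32))


def success_rate(game, trials, seed=0, **game_args):
    """Fraction of independent games (fresh key, fresh B_eps) the forger wins."""
    rng = random.Random(seed)
    return sum(game(rng=rng, **game_args) for _ in range(trials)) / trials


if __name__ == "__main__":
    for name, m in (("weak_mac", weak_mac), ("hmac_sha256", hmac_sha256)):
        print(name, "EUF-CMA:", success_rate(euf_cma_game, 100, mac=m, forger=last_byte_forger))
        print(name, "BU eps=0.25:", success_rate(bu_game, 800, mac=m, forger=last_byte_forger, eps=0.25))
```

The BU game never asks whether a message was queried before; freshness is replaced by membership in B_ε, and a forger that learned the tag of m* through the oracle cannot have m* ∈ B_ε, since the blinded oracle would have answered ⊥. That is the mechanism behind the classical equivalence to EUF-CMA.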
Blind Unforgeability

Definition (Blind-Unforgeability): A MAC is blind-unforgeable if for every adversary 𝒜 with a quantum oracle for B_ε Mac_k,
   ℙ[(y, Mac_k(y)) ← 𝒜^{B_ε Mac_k} and y ∈ B_ε] = negl(n).

Does this work?
- equivalent to EUF-CMA in classical setting;
- random functions satisfy it;
- classifies the examples we have seen thus far correctly.

1. The “measure a superposition query” adversary:
- 1. prepare m_1 = Σ_{m∈{0,1}^n} |m⟩|0⟩;
- 2. query B_ε Mac_k;
- 3. measure.
Output: (m, B_ε Mac_k(m)) for random m.
Check, e.g., for random functions:
- if the oracle is blinded…
- … Mac_k(m) for blinded m is independent of the post-query state,
- this adversary fails. (It either outputs an unblinded m, which does not count, or a blinded m whose tag it cannot know.)

2. The random Simon problem MAC from the “Not the right definition!” slide (f_0^A on the b = 0 half of the message space, f_1^A, a function which is only forgeable by sampling, on the b = 1 half). One-query attack: Fourier sample the b = 0 part, forge in the b = 1 part.
Check, say for ε = 0.0001,
- the oracle is blinded only on few random inputs…
- …post-query state won’t change too much, so the Fourier sample still lands in A^⊥;
- the forged message 1‖x is blinded with independent probability ε;
- so this adversary succeeds! (With probability about ε, which is not negligible.)
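An exact simulation of the one-query Fourier-sampling forgery against the Simon-style MAC above, as an added example (not code from the talk or the paper), for a toy parameter n = 6 with a random subgroup A of dimension 3, against both the plain oracle and the blinded oracle of the BU game. The state after the superposition query is tracked as a list of unnormalised amplitudes, which is exact but only feasible for tiny n; the parameter sizes, the blinding rate ε = 0.1 (much larger than the slide’s 0.0001 because the toy message space has only 128 messages) and the encoding of ⊥ as None are assumptions of this example. Against the unblinded oracle the sample always lies in A^⊥ and the forgery (1‖x, 0^n) always verifies, which is exactly the single pair the BZ game ignores; in the BU game the same forgery counts with probability close to ε.

```python
import random

N = 6        # x has N bits; a message is b||x with b in {0,1}  (toy size, an assumption)
DIM_A = 3    # dimension of the random subgroup A of Z_2^N
PARITY = [bin(v).count("1") & 1 for v in range(1 << N)]   # PARITY[x & y] = x.y mod 2


def span(basis):
    """Subgroup of Z_2^N generated by `basis` (bit vectors encoded as ints)."""
    elems = {0}
    for v in basis:
        elems |= {e ^ v for e in elems}
    return sorted(elems)


def random_subgroup(rng):
    """Random subgroup A of dimension DIM_A and its dual A_perp = {y : y.a = 0 for all a in A}."""
    while True:
        A = span([rng.randrange(1, 1 << N) for _ in range(DIM_A)])
        if len(A) == 1 << DIM_A:          # generators were independent
            break
    A_perp = {y for y in range(1 << N) if all(PARITY[y & a] == 0 for a in A)}
    return A, A_perp


def keygen(rng):
    """k = (f0, f1, A): two random functions {0,1}^N -> {0,1}^N (as tables) plus the subgroup."""
    A, A_perp = random_subgroup(rng)
    return {"f0": [rng.randrange(1 << N) for _ in range(1 << N)],
            "f1": [rng.randrange(1 << N) for _ in range(1 << N)],
            "A": A, "A_perp": A_perp}


def mac(key, b, x):
    """Mac_k(b||x) = f_b^A(x), as defined on the slide."""
    if b == 0:
        t = 0
        for a in key["A"]:                # f_0^A(x) = XOR_{a in A} f0(x xor a): constant on cosets of A
            t ^= key["f0"][x ^ a]
        return t
    return 0 if x in key["A_perp"] else key["f1"][x]   # f_1^A vanishes exactly on A_perp


def sample_blinding_set(rng, eps):
    """B_eps: each of the 2^(N+1) messages is blinded independently with probability eps."""
    return {(b, x) for b in (0, 1) for x in range(1 << N) if rng.random() < eps}


def blinded_oracle(key, B):
    """B_eps Mac_k; None plays the role of the bottom symbol."""
    return lambda b, x: None if (b, x) in B else mac(key, b, x)


def fourier_sample(rng, oracle):
    """One superposition query on the b = 0 half, sum_x |0,x>|0> -> sum_x |0,x>|g(0,x)>,
    then: measure the tag register, Hadamard-transform the x register, measure it.
    Amplitudes are kept unnormalised; only their ratios matter for sampling."""
    g = [oracle(0, x) for x in range(1 << N)]
    v = g[rng.randrange(1 << N)]                         # Pr[tag register reads v] = |g^-1(v)| / 2^N
    support = [x for x in range(1 << N) if g[x] == v]    # x register collapses onto g^-1(v)
    weights = []
    for y in range(1 << N):
        amp = sum(-1 if PARITY[x & y] else 1 for x in support)   # <y| H^(x)N |g^-1(v)>, up to scale
        weights.append(amp * amp)                                 # Born rule; zero outside A_perp when unblinded
    return rng.choices(range(1 << N), weights=weights)[0]


def one_query_forgery(rng, oracle):
    """The slide's attack: Fourier-sample the b = 0 half, output (1||x, 0^N)."""
    x = fourier_sample(rng, oracle)
    return (1, x), 0


def bz_attack_stats(seed, trials):
    """Unblinded oracle. Returns (fraction of samples in A_perp, fraction of valid forgeries)."""
    rng = random.Random(seed)
    in_dual = valid = 0
    for _ in range(trials):
        key = keygen(rng)
        (b, x), tag = one_query_forgery(rng, lambda b, x: mac(key, b, x))
        in_dual += 1 if x in key["A_perp"] else 0
        valid += 1 if mac(key, b, x) == tag else 0
    return in_dual / trials, valid / trials


def bu_success_rate(seed, eps, trials):
    """BU game, fresh key and fresh B_eps per trial: the forgery counts only if it
    verifies AND lies in B_eps."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        key = keygen(rng)
        B = sample_blinding_set(rng, eps)
        msg, tag = one_query_forgery(rng, blinded_oracle(key, B))
        if msg in B and mac(key, *msg) == tag:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("unblinded attack (in A_perp, valid):", bz_attack_stats(2018, 50))   # (1.0, 1.0)
    print("BU success rate at eps = 0.1:", bu_success_rate(2018, 0.1, 500))
```

The unblinded run illustrates the Simon argument behind step i) of the attack: with g^{-1}(v) a union of cosets of A, the Hadamard amplitude at y is a character sum over A and vanishes unless y ∈ A^⊥, so every sample is in A^⊥ and Mac_k(1‖x) = 0^n holds with certainty. In the blinded run the blinded points inside the measured coset perturb those amplitudes slightly, and the forgery is additionally required to sit in B_ε, which happens with probability ε independently of the query; the observed rate is therefore a little below ε, far from negligible.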
Blind Unforgeability

Definition (Blind-Unforgeability): A MAC is blind-unforgeable if for every adversary 𝒜 with a quantum oracle for B_ε Mac_k,
   ℙ[(y, Mac_k(y)) ← 𝒜^{B_ε Mac_k} and y ∈ B_ε] = negl(n).

Additional results:
- Bernoulli-preserving hash function: generalizes collision resistance to quantum, strengthens collapsingness
- Hash-and-MAC is BU-secure when using a Bernoulli-preserving hash function
- A construction of a collapsing hash function based on LWE by Unruh (ASIACRYPT 16) is actually even Bernoulli-preserving
- Lamport signatures are 1-BU in the quantum random oracle model

Tools:
- A simulation lemma that relates an adversary’s performance in the blinded and unblinded cases
- Boneh and Zhandry’s rank method
- Zhandry’s superposition representation of quantum random oracles
Outlook

What’s next?
- did we solve the problem?
- is blind-unforgeability the “right” notion of unforgeability against quantum adversaries?
- maybe: it does the right thing on all the examples we could think of;
- maybe not: it seems hard to prove that it implies BZ (does that matter?); we can come up with lots of seemingly inequivalent variants of BU.

In general: we need to develop and refine new techniques for quantum query complexity to suit “crypto needs”, e.g. to analyze
- 1. algorithms which only succeed on a small space of inputs;
- 2. algorithms which succeed with vanishing (but non-negligible) probability;
- 3. non-asymptotics: problems with an “easy/impossible” threshold of one (or few) queries.