Chosen-Blinding Unforgeability

Chosen-Blinding Unforgeability

Bachelor Thesis Physics and Astronomy

February 23, 2021

Jilling J. Kingma

Faculty of Sciences

University of Amsterdam

Abstract

The formal way to secure an authentic data exchange between party A and B over the digital infrastructure is achieved by Message Authentication Code (MAC) notions. A MAC achieves this authenticity by using algorithms that supply unique tags with the messages in such a way that a possible adversary cannot forge these tags in a reasonable time span. On the other hand, it has been shown that advances in the quantum computing field will require ’quantum proof’ algorithms to be introduced in order to stay secure against a new generation of adversaries. On top of that, in a distant future where these kinds of infrastructures allow for quantum superpositions of messages to be exchanged, a completely new notion is required. In this paper we will make an effort to prove the relations between existing MAC notions such as EUF-CMA/SUF-CMA and a new notion introduced by [Ala+20] called Blind Unforgeability (BU). Also, we will prove the relations to Strong Blind Unforgeability (SBU), a somewhat more secure variant of BU, against quantum adversaries. Furthermore, a completely new variant on BU, called Chosen-Blinding Unforgeability (CBU) is introduced. This notion is more akin to the philosophy of cryptography, in the sense that it gives more control to the adversary over certain variables in the security notion.

Title: Chosen-Blinding Unforgeability Author: Jilling J. Kingma

Supervisor: Dr. C. Schaffner Daily Supervisor: Dr. C. Majenz. Examiner: Dr. M. Walter

Institute: QuSoft Faculty: FNWI Size: 18 EC

Contents

1 Introduction 3

2 Preliminaries 4

2.1 Message Authentication Code . . . 4

2.1.1 Relations between SUF-CMA and EUF-CMA . . . 6

2.2 Quantum Computing . . . 8

2.3 Quantum Cryptography . . . 9

2.4 Blind Unforgeability . . . 10

2.4.1 Relations between BU and EUF-CMA . . . 11

2.4.2 Strong Blind Unforgeability . . . 13

3 Strong Blind Unforgeability and relations to BU 13 3.1 Strong Blind Unforgeability implies BU . . . 13

3.2 BU does not imply Strong Blind Unforgeability . . . 14

3.3 SBU is equivalent to BU for deterministic MAC with canonical verification . . . 15

4 Introducing the CBU notion with adversary chosen-blinding 16

4.1 New Chosen Blinding Unforgeability notion (CBU) relations to Blind Unforgeability 17

1

Introduction

With the introduction of quantum computing, researchers by the likes of [Sho97] have found quan-tum algorithms that provide a substantial speed up in solving mathematical problems crucial to present-day cryptography methods. If these quantum algorithms can be properly implemented with the help of efficient quantum computers, they could break modern notions of cryptography such as Message Authentication Codes (MAC). As the name suggests, this security notion provides a way of authenticating messages via secret-key cryptographic primitives. These MAC notions are of great importance, because often parties prefer to communicate over open communication channels while simultaneously upholding the integrity of their messages. Formally MAC notions work with algo-rithms providing and verifying security tags on messages. This is done in such a way, that it is very hard for any classical adversary to find some pattern in the way these tags are created and verified. As a result, the probability that an adversary randomly guesses the right tag or creates some other forgery is negligible. Quantum computers can however in some instances do find these patterns in a reasonable time span, and thus new algorithms are required for these MAC notions. Luckily, a lot of research in the form of the papers [Zha12] and [Bon+11] has already been conducted in order to make MAC notions ”quantum proof”. This works by slight modifications in the MAC algorithms, that are used to create and verify tags. For example, instead of using pseudo-random functions (PRF) as MAC algorithm to create tags, post-quantum pseudo random functions (pqPRF) have been introduced. Functions such as these, will make modern MAC notions like EUF-CMA secure against adversaries with access to quantum computing power.

There is, however, another complication with current MAC notions that is imposed by quantum computing. That is, allowing for an infrastructure in which parties can query superpositions of messages. At the moment, an adversary classically collects information about a MAC by multiple times querying a message to a figurative oracle and in turn receiving a tag on that message. The oracle here is just a representation of the most ideal situation of a real-world MAC, supplying the adversary with as much information as possible. By being able to query superpositions, an adver-sary could as a result query every possible message at once. This is a problem for notions such as EUF-CMA, because they rely on the fact that once an adversary queries a message, it cannot use the accompanying tag as a forgery. This means that adversaries querying every message in superposition at once cannot forge anything under the EUF-CMA notion in this specific situation. That of course is not desirable, as in the field of cryptography we generally strive to give adversaries as many options to break a security notion as possible.

One recognisable thing I want to add is something I encountered on a Quora page about pre-cisely this situation. Someone asked a question about how one could secure a MAC against an adversary that has the option to query superpositions of messages onto a MAC oracle. This guy responded stoically: ”if a guy in a dark alley asks you for tags on superpositions of messages.. just say no”. Of course, it is understandable where this guy is coming from; sometimes the easiest solutions are the best solutions. However, in this case there are several motivations for allowing querying superpositions of messages. One of these would, for example, be the so-called quantum ’black box obfuscation’. This theory describes a system where functionality is (partly) obfuscated by quantum states. Such a system would be very handy but also automatically allow for querying of superpositions, as the functionality of a MAC would be packed up in quantum states. In general a big motivation is the expected large-scale adoption of quantum computing in the future. However

the most obvious reason would be that of the general philosophy of cryptography, in that we always try to be future-proof. Even if something like this perhaps won’t be implemented in the future, it is better to be safe than sorry.

To tackle the problems caused by the above mentioned functionality of querying superpositions, a new notion has been introduced by [Ala+20] called Blind Unforgeability (BU). This notion is motivated by these problems, but also by some complications with other proposed notions, one of which was introduced by [BZ13]. The new notion generally works by ’blinding’ a certain part of the message set, i.e. not returning valid tags on those messages, and only allowing adversaries to forge within this message set. In this paper, we will prove the relations between EUF-CMA, SUF-CMA and Blind Unforgeability against classical adversaries. We will also (partly) prove relations of BU to the somewhat stronger version called Strong Blind Unforgeability against quantum adversaries. Finally, we will introduce a notion, in which the adversary has control over the blinding. This notion, named Chosen-Blinding Unforgeability (CBU), works similar to BU, but differs in that it gives the adversary complete control over the set of blinded messages.

2

Preliminaries

2.1

Message Authentication Code

One of the most important things in the world of online security is validating whether (digital) data is authentic or not. This is of great importance because it is not feasible to encrypt every and all messages and even if one would do this there would still be ways an adversary could impersonate someone he is actually not. We start by making a general definition of Message Authentication Code algorithms, the MAC experiment and the conditions for which these MAC notions are secure. During this part of the preliminaries, we will mostly follow the notation of [KL07]. First off, the basic ingredients for MAC algorithms are; a randomly generated secret key, a message-specific generated tag and a verification algorithm. Formally, this looks like:

Definition 1. Message Authentication Code (MAC) is a triple of three algorithms (Gen, Mac, Ver), defined by:

1. Gen(1n_{) = k, |k| ≥ n Create some random key.}

2. Mack(m) = t, m ∈ {0, 1} Uses key and a message m to build a unique tag t.

3. b := Verk(m, t) Verifies tag and message for specific key. Then outputs a bit, with b = 1

implying the tag is valid and b = 0 implying invalid.

Note that this is a fixed length MAC (of length n). Also, the key generation algorithm is often neglected and done by just choosing some uniformly random key from the set of strings {0, 1}n_.

A more interesting question is; when is a MAC, that we just described in a general perspective, really secure? We can make the workings of MAC notions more intuitive by doing an experiment of the sorts. Simply put, we let an adversary query messages on a MAC-oracle, which then returns tags on the messages back to the adversary. After some reasonable time step, the adversary has to come up with a tag on a message which he validates by sending to our figurative oracle.

Definition 2. The MAC experiment MacForgeAΠ(n) for a MAC Π and adversary A runs as

follows:

1. Generate a key with Gen(1n).

2. The A gets the security parameter n and oracle access to the Mac(·) algorithm where Q denotes the set of all messages queried to the oracle.

3. A outputs a forgery (m, t) ←− AΠ_.

4. A succeeds if, and only if; (1) Ver(m, t) = 1 and (2) m /∈ Q. In this case MacForgeAΠ(n) = 1,

else equals to zero.

Here a set Q of queried messages is introduced, because it is not desirable to consider already queried messages as a valid forgery of the notion. With this experiment we can almost define a EUF-CMA secure MAC. First however, we need to introduce one additional function; the negligible function:

negl(n) = a−n (1)

Where a is some constant and n is the variable security parameter. Note that for large enough (positive) n, the function approaches zero faster than any (super) polynomial function. So far we have defined the negligible function, the MAC experiment and the general definition of a MAC. An EUF-CMA secure MAC can successively be defined as:

Definition 3. A MAC Π = (Gen, Mac, Ver) is EUF-CMA secure if:

P[MacForgeAΠ(n) = 1] ≤ negl(n) (2)

To get a feel for a EUF-CMA secure MAC we propose the following scenario; there is a MAC that uniformly (truly) random picks tags on every message from the set T = {0, 1}n_{. The probability}

that someone can guess the tag for a certain message is _{|T |}1 = ₂1n, because for a n-bits you can

construct 2n different strings and the string is picked at random. Clearly, this function has the same form as our definition of a negligible function, therefore such a MAC would be EUF-CMA secure. Of course true randomness is hard to create on a deterministic machine, however with pseudo-random generators one can still achieve a similar result. Finally, the last thing that should be added is a somewhat different form of the EUF-CMA security condition. This has been added because it gives a clear description of the conditions, which is useful when working with different notions.

Definition 4. A MAC Π = (Gen, Mac, Ver) is EUF-CMA secure if the probability for the following two conditions are smaller or equal to some negligible function:

P(m,t)←−AMack[m /∈ Q ∧ Verk(m, t) = 1] ≤ negl(n) (3)

There is one addition to make here which is the Strong EUF-CMA notion, also named SUF-CMA. This is a stronger notion in a sense, that an adversary can also win by forging a different tag on an already queried message. Note that it only differs from EUF-CMA when the MAC is not deterministic and does not use canonical verification. We will see later on why this is the case exactly. For this notion the main difference is the set of queried messages Q; instead of just containing messages, it contains message-tag pairs (m, t) ∈ Q0. This change of set means for the MAC experiment, named SMacForgeΠA(n), that the first ’winning’ condition changes to that of

Definition 5. A MAC Π is SUF-CMA secure if the same conditions holds for message-tag pairs: P_(m,t)←−AMack[(m, t) /∈ Q0∧ Verk(m, t) = 1] ≤ negl(n) (4)

2.1.1 Relations between SUF-CMA and EUF-CMA

To get familiar with the kind of proofs that will be done in this paper, we will start here by proving the relations between EUF-CMA and SUF-CMA security. As one can intuitively imagine, a MAC that is SUF-CMA secure, would also be EUF-CMA secure. The converse, on the other hand, would not hold. The last relation that will be proved, is that the two security notions are equivalent for a deterministic MAC with canonical verification. This MAC functions in such a way, that it only provides and accepts one unique tag per message.

Proposition 1. SUF-CMA =⇒ EUF-CMA

Proof. We want to prove that every MAC that is secure under the SUF-CMA notion is also secure under EUF-CMA. We start with the definition of a SUF-CMA secure MAC:

P[SMacForgeΠA(n) = 1] ≤ negl(n) (5)

Where Π = (Gen, M ac, V er) is our SUF-CMA secure MAC and A is a polynomial time adversary. Now we rewrite this definition to the definition of EUF-CMA and see if it still holds.

P[SMacforgeΠA(n) = 1] = P(m,t)←−AMack[(m, t) /∈ Q ∧ Ver(m, t) = 1] (6)

where Q is all the queried pairs of messages m and tags t. Now we transform the set Q to the set of queried messages without tags, called Q0. Clearly the probability that the adversary produces a ’fresh’ forgery on a message that is in this new set Q0, is equal to or lower than that of the old set Q of message-tag pairs:

P[(m, t) /∈ Q ∧ Ver(m, t) = 1] ≥ P[(m /∈ Q0∧ Ver(m, t) = 1] (7) Following from the above, we realise that this last expression is just the definition of EUF-CMA.

P[(m /∈ Q0∧ Ver(m, t) = 1] = P[MacForgeΠA(n) = 1] (8)

In the next step, all equations are combined to come to the finding, that a SUF-CMA secure MAC is in fact also secure under EUF-CMA. In other words:

Proposition 2. EUF-CMA 6=⇒ SUF-CMA

Proof. This proposition can be proved by finding a MAC that is EUF-CMA secure but is not SUF-CMA secure. Let Π = (Gen, Mac, Ver) be a MAC that is EUF-CMA secure. We proceed by creating a new MAC Π0= (Gen, Mac0, Ver0) that is defined as follows:

Mac0k(m) = Mack(m) k 0 (10)

Ver0k(m, t k b) = Verk(m, t) (11)

An adversary queries m on this new MAC, which will return (m, t||0) to the adversary. Then the adversary produces the forgery by setting the last bit of the tag equal to one, that is (m, t||1). It seems this new MAC is still secure under the EUF-CMA notion against this adversary, as the forged message m is in the set Q which dissatisfies the first condition:

P[MacForge_Π0_A(n) = 1] = P[m /∈ Q ∧ Ver(m, t) = 1] = 0 (12)

However, for the SUF-CMA notion the opposite is the case. In this instance, instead of single messages, message-tag pairs will be added to the other set of Q0. So, when the adversary queries the tag pair (m, t||0), this pair will be added to the set Q0. The adversary continues to produce the forgery (m, t||1) which is not in the set of Q0, thus satisfying the condition (m, t) /∈ Q0_{. Furthermore,}

the verification still checks out, resulting in a probability equal to one of breaking the strong notion: P[SMacForgeΠ0_A(n) = 1]P[(m, t) /∈ Q0∧ Ver(m, t) = 1] = 1 (13)

With this procedure, we have proved that there exists a MAC that is EUF-CMA secure and not SUF-CMA secure. As a result, the proposition holds.

Proposition 3. SUF-CMA=EUF-CMA for a MAC with deterministic functions and canonical verification

Proof. For deterministic functions of t = Mack(m) as MAC algorithm and canonical verification

per definition, there exists only one unique tag t per message m. That means that the adversary can never create a valid new tag on an already queried message. Looking back at the proof of the first proposition of this chapter, the transformation of Q → Q0 in this case just results in an equality:

P[(m, t) /∈ Q ∧ Ver(m, t) = 1] = P[(m /∈ Q0∧ Ver(m, t) = 1] (14) This is clearly the case as every message-tag pair just corresponds with a message in set Q0. In other words; the transformation of the set Q to Q0 is a bijection, mapping every message m ∈ Q to a corresponding message-tag pair (m, t) ∈ Q0. Because of this the full relation can now be written as:

P[SMacForgeΠA(n) = 1] = P[MacForgeΠA(n) = 1] (15)

Which proves that for deterministic MAC and canonical verification a MAC, EUF-CMA is indeed equivalent to SUF-CMA.

2.2

Quantum Computing

Next is a short introduction into the field of Quantum Computing, mostly following the notation from [NC11]. We start by translating, as far as possible, classical computing to the quantum setting. First, classically speaking we work with deterministic bits; they will either correspond to a zero state or a one state. On these rows of one’s and zero’s we can apply and combine certain logic gates to ultimately make complex calculations. With qubits on the other hand, they can represent classical values like one and zero but also a superposition of both. One can interpret this as, instead of a small electric current corresponding to one and no current to zero, we have some physical object that can either be in one state corresponding to one or another state corresponding to zero (or both). Which object does not matter (it does but not for our research), as long as it behaves ’quantum’. An example would be for instance an electron configuration that can have spin up, spin down or a superposition of the two. To describe phenomena like these we use Dirac notation. The mathematical space this notation is based around is called Hilbert space. This is a three dimensional vector space, with a well defined inner product. One single qubit |ψi, that can either be in state one or state zero (or both), can be written as:

|ψi = α |0i + β |1i ∈ C2 ₍₁₆₎

Here α and β are the amplitudes of the two states, that always must satisfy the following the normalisation condition |α|2+ |β|2 = 1. These amplitudes describe the probability of the qubit being in one state or the other. For two qubits the total state could exist of any combination of the states of the individual qubits:

|ψi = α |00i + β |01i + γ |10i + δ |11i (17)

Again, it is required that the absolute values of the amplitudes in the complete state have to equal one. Notice that for multiple p qubits, there are a maximum of 2p superpositions. Thus, a p qubit system can be written as:

|ψi = X

i∈{0,1}p

αi|ii ∈ C2

p

(18) How would one perform any operation on a system on qubits? In the field of quantum computing they simulate operations on qubits by applying quantum gates, which in case of a single qubit system can be represented by two by two matrices. Some basic single qubit gates are the Not-gate, Hadamard-gate and XYZ-gates. The Not-gates flip the state, the hadamard turns a collapsed state to a superposition or the other way around and the gates flip the states in a physical XYZ-direction respectively. Focusing on the multiple qubit system, there is a collection of important gates called Controlled Unitary gates. These are gates with specific control qubits and target qubits. One example is the CNOT-gate which in a classical sense flips the target qubit if the control qubit is equal to one, which corresponds to a XOR-operation of the sorts. This gate is also reversible as applying it twice will return the same starting value. This gate can be represented by a four-by-four matrix:     1 0 0 0 0 1 0 0 0 0 0 1 0 0 1 0     (19)

Notice that for p qubits any operation can be represented by a 2p_{∗ 2}p _{unitary matrix. However, in}

to be that any p qubits gate can be represented by applying multiple universal two qubits gates on p qubits. The last gate to introduce is called the Toffoli-gate (also the CCNOT-gate). This gate, like one might have expected considering the name, is pretty much a CNOT-gate with another control-bit. This allows for implementing an operation of the form:

|xi |yi = |xi |y ⊕ f (x)i (20)

In the next section, this operation will turn out to be quite useful. Note that one can create CCNOT-gate by applying two CNOT-gates on both control qubits and the single target qubit.

2.3

Quantum Cryptography

Combining the previous sections, the MAC experiment can now be defined for the quantum-setting. The main difference to the classical case, is that an adversary can now supply unlimited superpo-sitions of messages to the oracle. In turn the oracle returns a superposition of message-tag pairs. We start a query to a quantum oracle with a begin state:

|φi =X|mi_X|ti_Y |ci_Z (21)

Here the last state is a computational register, which is mostly classical and is used to store in-formation and prepare the states for every query. This inin-formation in turn is stored by applying a computational unitary operation C every query. Querying message states itself is simulated by applying a unitary operator OMack ∈ (C

2n

⊗ C2m

) for every query: OMack|φi =

X

m={0,1}n

|mi_X|t ⊕ Mack(m)iY |ciZ (22)

A complete attempt to a forgery onto a certain MAC oracle by an adversary can be simulated by applying these gates in series:

|φfi = CTOfCT −1Of..C0Of|φii (23)

Here the specific MAC is simply indicated by f . At the end a POVM gate is applied to the final state in order to check whether or not the adversary has produced a forgery. This POVM-gate (Positive Operator-Valued Measure) is, like its name suggests, a set of positive operators and de-termines the probability of specific measurement outcomes.

This section was mostly about a quantum infrastructure of the sorts to enable and simulate quan-tum oracles and adversaries. However, there’s a more imminent threat to classical cryptographic algorithms, first introduced by Peter Shor with papers such as [Sho97]. The main (mathematical) idea that classical cryptographic algorithms use to make schemes safe against polynomial time ad-versaries is a principle of factorising being a hard problem to solve with classical computing power. As it turns out however, there are quantum algorithms that speed up this factorisation so notice-ably, that it can in theory break EUF-CMA security. Remember that pseudo random functions (PRF) as a MAC is EUF-CMA secure, however even most cryptographic secure PRFs are at most of the same complexity class as the factorisation problem. Therefore, we will also need a new sort

of MAC to be secure against quantum adversaries. We continue, by going briefly through the main ideas of these quantum algorithms to get a feeling for how this would work. The problem we want to solve with a quantum algorithm is the following:

xr= 1 mod N (24)

In short, this problem is solved by applying a Quantum Fourier Transform (QFT), creating a uniform superposition. Continue, by applying a gate that sets a register equal to the period function. When measuring this state, one gets an upper and lower bound for the period. After this apply the QFT again, transforming it back to the computational basis, and measure one final time. With some classical processing one should be able to get the period with a substantial speed up compared to fastest classical algorithms.

2.4

Blind Unforgeability

From the section on quantum cryptography one can easily spot some problems with the old notion of EUF-CMA security. First off, the condition of the set of queried messages Q does not work in the quantum setting. In the field of cryptography one should strive to give the adversary as much freedom as possible for a stronger security notion. This is hard to achieve if the notions do not allow for the adversary to query all or at least a large set of messages in superposition at once. For this reason (and others), a new notion called Blind Unforgeability is introduced in [Ala+20]. This notion ’blinds’ a certain portion of all messages and requires the adversary to forge within that blinded message space. The blinding set B is a subset of the total message-space B⊆ M , where

every message will be put in to the set with independent probability . Furthermore, the blinding function behaves on the MAC algorithm as follows:

BMac(k) =



⊥ for m ∈ B

Mac(k) for else (25)

Definition 6. For a MAC Π = (Gen, M ac, V er), with blinding probability  and adversary A, the BU experiment BlindForge_AΠ(n, (n)) runs as follows:

1. Generate key Gen(1n_).

2. Create blinding set B ⊆ M by putting every message m ∈ M in the blinding set with

inde-pendent probability .

3. Adversary produces forgery (m, t) ←− ABMack₍₁n_).

4. Adversary breaks notion if, and only if Verk(m, t) = 1 and m ∈ B.

As for the definition of a BU secure MAC, [Ala+20] introduces two definitions; one against classical adversaries (PPT), one against efficient quantum algorithms (QPT) and also unrestricted theoretical quantum algorithms. The latter differs from QPT adversaries in a sense that as of now they have not found certain powerful quantum algorithms, however they might be found somewhere in the future.

Definition 7. Let Π be a MAC, it is blind unforgeable (BU) secure if against every polynomial time adversary:

Definition 8. Let Π be a MAC, it is q-time blind unforgeable (q-BU) secure if against every q-query adversary:

P[BlindForgeq_AΠ(n, (n)) = 1] ≤ negl(n) (27)

2.4.1 Relations between BU and EUF-CMA

In this section, an effort will made to show the relations between BU and EUF-CMA. In [Ala+20] it has already been proven, however here it will be shown perhaps a little more in detail.

Proposition 4. BU =⇒ EUF-CMA for classical adversaries

Proof. First rewrite the proposition to its contrapositive, i.e. ¬EUF-CMA =⇒ ¬BU. The relation now states that if there exists an adversary that breaks an EUF-CMA secure MAC, it also breaks a BU secure MAC. This statement can be proven by creating a new adversary, that works as a reduction from the adversary breaking the EUF-CMA notion, to one that breaks the BU notion. Then if it can be shown that this new adversary breaks the BU notion, the proposition has been proven. Start by defining the adversary breaking the BU notion A0 and the EUF-CMA adversary A. The adversary A, as assumed in the proposition, ’wins’ the EUF-CMA security experiment:

P[A wins] ≥ Poly(n)−1 (28)

where Poly(n) is some polynomial function of n. Now one relates this function to the probability that the adversary A0_{breaks the BU notion. First let’s define the procedure the adversary A}0_goes

through:

1. Adversary A0 queries the exact same messages as the adversary A does.

2. It receives the tags from the BU-oracle and passes the tags on to the adversary A only if they are not blinded, if they are it stops the game and ’breaks’.

3. Finally the adversary produces a forgery and delivers it to the oracle.

With this behaviour in mind we can produce the following relations for our adversary A0:

P[A0 wins] = P_(m,t)←−A0 BMack[m ∈ B∧ Ver(m, t) = 1] (29)

We continue, by adding a third condition and see that this probability is obviously greater or equal to the previous equation:

P[m ∈ B∧ Ver(m, t) = 1] ≥ P[m ∈ B∧ m /∈ Q ∧ Ver(m, t) = 1] (30)

The last two conditions of the second part of the equation are just equal to the probability that the adversary A wins. However, there is one extra condition. Only if the adversary A0 receives tags outside of the blinding set, he can pass it on to the other one. So an extra probability that the oracle will in fact not put the queried message in the blinding set and breaks down has to be included:

P[m ∈ B∧ m /∈ Q ∧ Ver(m, t) = 1] = P[A wins]P[A0 does not abort]P[m ∈ B|∗] (31)

Where ∗ is the condition that A wins. The probability that A0 has to abort is: (1 −1

q)

q _≥ 1

Where the fraction is the probability  that a message gets put into the blinding set B, where we

chose one over the amount of queries q so that the whole function always will be equal or larger than 1₄ for q ≥ 2. Now put this in the equation and realise that the probability that m ∈ Bis just

equal to  =1_q:

P[A wins]P[A0 does not abort]P[m ∈ B|∗] =

1

4qP[A wins] (33)

Using all the previous expressions, one can find: P[A0 wins] ≥ 1

4qP[A wins] ≥ 1

4qPoly(n)

−1 ₍₃₄₎

Which shows that the adversary A0also has a non-negligible probability of breaking the BU notion, proving the proposition.

Proposition 5. EUF-CMA =⇒ BU for classical adversaries

Proof. We make use of the contrapositive ¬BU =⇒ ¬EUF-CMA. Again, a reduction is made, that only sends the messages to the EUF-CMA oracle that are not blinded by the BU oracle. Very instinctively one can see that this will result in an at least identical probability of winning the EUF-CMA game for the reduction. The reduction here is A0 and the adversary winning the BU game is A:

P[A0 wins] ≥ P[m ∈ B∧ m /∈ Q ∧ Ver(m, t) = 1] = P[A wins]P[m /∈ Q|∗] (35)

However, in the last step notice that for the original adversary to win the BU game, the forged message-tag pair cannot be in the set of queried messages. This is the case, because in the reduction the blinded messages were not sent to the EUF-CMA oracle. For this reason we can neglect the second condition of the last expression and write:

P[A0 wins] ≥ P[A wins] (36)

This shows that an adversary breaking the BU notion can also break the EUF-CMA notion, thus proving the proposition.

2.4.2 Strong Blind Unforgeability

The definitions of Blind Unforgeability have been showcased. However, a somewhat stronger notion is also introduced in [Ala+20], called Strong Blind Unforgeability (SBU). It works pretty analogously to the way SUF-CMA is defined compared to EUF-CMA. Instead of blinding messages, with this stronger notion message-tag pairs get blinded:

Definition 9. For a MAC Π = (Gen, Mac, Ver), with blinding probability  and adversary A the SBU experiment StrongBlindForge_AΠ(n, (n)) runs as follows:

1. Generate key Gen(1n_).

2. Create blinding set B_0 ⊆ M × T by putting every message-tag pair (m, t) ∈ M × T in the blinding set with independent probability .

3. Adversary produces forgery (m, t) ←− AB0_Mack₍₁n_).

4. Adversary StrongBlindForge_AΠ(n, (n)) = 1 if, and only if Verk(m, t) = 1 and (m, t) ∈ B0.

Here the blinding operator B_0 is defined by: B0_Mac(m) =



⊥ for (m, t) ∈ B0_

Mac(m) for else (37)

The definitions for a SBU secure MAC are exactly the same as those for BU, but in this case we use the SBU-experiment. As such it will not be copied here in full extent. In the succeeding chapters we will show the relationships between BU and SBU, against classical adversaries and (partly) against quantum adversaries.

3

Strong Blind Unforgeability and relations to BU

In the previous section of preliminaries a definition of SBU was given, as introduced in the paper [Ala+20]. However, in that same paper a relationship between SBU and BU was not really discussed. We will proceed by showcasing these relationships, similar to what we did for SUF-CMA and EUF-CMA, and get a better feel for these security notions.

3.1

Strong Blind Unforgeability implies BU

To show that this relation holds, propose:

Proposition 6. SBU =⇒ BU for classical adversaries

Proof. We will once again assume there exists an adversary that breaks the BU scheme. Subse-quently, we will show that this adversary through a reduction also breaks the SBU notion. In other words, we will prove that ¬BU =⇒ ¬SBU. First define an adversary A that breaks the BU scheme:

P[A wins BU] ≥ Poly(n)−1 (38)

To prove the proposition we create a reduction, which will be a somewhat modified version of adversary A. This reduction, labelled adversary A0, behaves as follows:

1. Query the same messages that the old adversary wants to query.

2. It then receives the message-tag pair and only proceeds if that tag is not blinded, otherwise it will stop the whole experiment.

3. Create a new blinding set B_0 with identical independent probability , however it adds mes-sages instead message-tag pairs in the blinding set.

4. Finally this new adversary creates a forgery.

We define and rewrite the probability that our new adversary breaks the SBU notion. Subsequently, we define this probability in terms of the probability that the old adversary breaks BU:

P[A0 wins SBU] = P_{(m,t)←−A0 B0Mack}[(m, t) ∈ B∧ Ver(m, t) = 1] (39)

≥ P[(m, t) ∈ B∧ m ∈ B0∧ Ver(m, t) = 1] (40)

= P[m ∈ B_0∧ Ver(m, t) = 1]P[(m, t) ∈ B|∗]P[A0 not abort] (41)

≥ P[A wins BU] ·1 q ·

1

4 (42)

The first inequality is constructed by adding the condition of the BU blinding m ∈ B_0, leading to a lower probability. We follow up by splitting the probability that both the message and the pair are in their respective blinding set. Here the star just signifies that the first condition is true. However also remember that this reduction only works if it gets back unblinded tags, if it is blinded the reduction breaks down. Therefore, a last condition is added; the probability that the whole experiment will not break down. In the last step of the equations we made use of the fact that a specific message-tag pair is in the blinding set Bis just equal to 1_q. As for the probability that the

reduction will not abort, we use a boundary of 1₄. This boundary has already been derived in the section on the relationships between BU and EUF-CMA. Taking the whole equation one gets:

P[A0 wins SBU] ≥ 1

4q · P[A wins BU] ≥ 1

4q· Poly(n)

−1 ₍₄₃₎

Which proves that the reduction does in fact break the SBU notion with non-negligible probability. This in turn proves that SBU implies BU, therefore completing the proof.

3.2

BU does not imply Strong Blind Unforgeability

To prove the relationship of BU not implicating SBU, we show that there exists a MAC that is BU secure but not SBU secure.

Proposition 7. BU 6=⇒ SBU against quantum adversaries

Proof. We again use the modified MAC from the very much similar proof in the preliminaries. We assume there exists a MAC Π = (Gen, Mac, Ver) that is q-time BU secure and use this MAC to create a different MAC Π0_{= (Gen, Mac}0_{, Ver}0_{) with some slight modifications:}

Mac0k(m) = Mack(m) k 0 (44)

The main difference is that an extra bit is added, set to zero, and that the verification algorithm does not read this extra bit. We continue by fabricating the following situation for the MAC Π0; the adversary queries (m, t), receives (m, t||0) and produces the forgery (m, t||1). Notice that for this situation the adversary does not break the BU notion:

P[m ∈ B∧ Ver(m, t) = 1] = 0 (46)

This is the case because; or the message is blinded therefore the verification algorithm will be output an invalid, or the message is not in the blinding set and will therefore not be accepted as a forgery. Both results give a zero probability to a successful forgery.

That same MAC Π0_{however, is not SBU secure against this adversary. If the message gets blinded,}

the verification algorithm still does not check out. However if the message-tag pair (m, t||0) does not get blinded, the result is somewhat different. Here the forgery (m, t||1) differs from the queried message-tag pair, (m, t||0) thus is blinded with independent probability . In other words, for the SBU notion the probability that the adversary breaks this MAC is:

P[(m, t) ∈ B_0∧ Ver(m, t) = 1] = (1 − ) (47)

Here the first epsilon comes from the condition that this new message-tag pair will be in the blinding set B_0. The second term between brackets is simply the probability that the first queried message-tag pair is not blinded. The resulting probability is non-negligible, which means the SBU notion has been breached. All in all, this shows that there exists a MAC that is q-time BU secure and not q-time SBU secure, therefore concluding the proof.

3.3

SBU is equivalent to BU for deterministic MAC with canonical

ver-ification

The last step is to prove that the equivalence for deterministic MAC with canonical verification also holds for the BU to SBU relationship:

Proposition 8. SBU ≡ BU for deterministic MAC with canonical verification

Proof. First note that for a deterministic MAC with canonical verification, there exists only one unique tag per message. Assume there exists a MAC that is q-time SBU secure:

P[A wins SBU] ≤ negl(n) (48)

Next, we will proceed to write down the conditions and see that for deterministic MAC with canonical verification this equals q-time BU security. Here B_0 is the strong blinding set and B the

BU blinding set.

P[A wins SBU] = P[(m, t) ∈ B0

∧ Ver(m, t) = 1] (49)

(49) = P[(m, t0) ∈ B_0 for every t0∧ Ver(m, t) = 1] (50) (50) = P[(m ∈ B∧ Ver(m, t) = 1] = P[A wins BU] (51)

4

Introducing the CBU notion with adversary chosen-blinding

Following the general philosophy of cryptography, there is a logical next step to make from the BU notion. It is common in this field to give an adversary as much control over the variables within the security notion whilst making sure that the functionality of said notion is still realisable. For BU this would translate to giving the adversary control over the blinding set. To do this we introduce the notion Chosen-Blinding Unforgeability (CBU). CBU behaves similar to BU, with a small difference that now the adversary has control over the messages that get blinded. To implement this, we have to introduce a function that the adversary queries to an oracle together with the usual messages. We denote this function by fi and it specifies the messages that get blinded for the i-th query.

Furthermore, this function also works as input for a list that states ⊥ if a message is blinded. This list keeps track of all the messages that were blinded for previous queries which is required for the final condition that determines if it is a forgery or not. So in the quantum setting an adversary queries |mi_X|ti_Y alongside the function fi for the i-th query. It will then receive tags on messages

specified by the queried function respectively. The CBU experiment is defined by: Definition 10. For a MAC Π = (Gen, Mac, Ver) we define the CBU security experiment ChosenBlindForge_AΠ(n) as follows:

1. Create key k ←− Gen(1n_).

2. Adversary queries (P |mi_X|ti_Y , fi) q-times, with q the amount of total quantum queries.

3. Adversary creates forgery (m, t) ←− ABAdaptMack₍₁n_).

4. A wins if, and only if Ver(m, t) = 1 and fi(m) = ⊥, for i = 1, 2, 3, .., q.

Here the blinding operator BAdaptis defined as follows:

BAdaptMac(m) =



⊥ for fi(m) = ⊥

4.1

New Chosen Blinding Unforgeability notion (CBU) relations to Blind

Unforgeability

Following the definition above, we will try to prove the relationships between CBU and BU. Proposition 9. CBU =⇒ BU

Proof. We will show that the proposition holds by again making a reduction. This reduction includes an adversary that wins the BU experiment, which we will show after a slight modification also has a non-negligible probability of winning the CBU security experiment. Notice that this kind of proof once again proceeds by taking the contrapositive of the proposition. We start by describing the reduction:

1. Query the same messages as the old adversary, but add the same blinding function f(m) for every query.

2. This function is defined by: f(m) = ⊥ with independent probability , such that fi =

⊥, for i = 1, 2, .., q.

3. It then returns the (un)blinded tags.

To simulate the blinding function with independent probability , we use a (4q +1)-wise independent function family. One can think of a k-wise independent function family as randomly picked polyno-mials of degree k. With k or lesser observations this function family seems to be random, in other words the functions supply independent random variables. Against quantum adversaries however, a stronger definition is needed. We let an adversary make q quantum queries and c classical queries to an oracle. By Lemma 6.4 of [BZ13], if the oracle uses functions drawn from a (2q + c)-wise independent function family, this oracle is indistinguishable from a truly random oracle. In this case the blinding set adds another quantum computation and we use one final classical computa-tion, therefore a (4q + 1)-wise independent function family suffices. With this, we can form the probability that this reduction actually wins the CBU notion.

P[A0 wins] = P_(m,t)←−ABAdaptMack[fi(m) = ⊥ for i = 1, 2, ..q ∧ Ver(m, t) = 1] (53)

Recall that we are using a reduction to simulate the BU-game on the CBU oracle. We can achieve this by replacing the blinding functions with one that simulates the BU blinding operator. The function we use for this is f(m), as defined in the reduction. Applying this on the equation:

(53) = P[f(m) = ⊥ ∧ Ver(m, t) = 1] (54)

Because this the function f_{(m) is simulating the BU blinding set and is indistinguishable from a}

truly random blinding, we can write:

(54) = P[m ∈ B∧ Ver(m, t) = 1] = P[A wins] (55)

This outcome is of course not really a surprising result as in this direction we are pretty much ’reducing’ the CBU notion to that of the BU. This is very intuitive because CBU is a more loose definition of BU, in that the adversary may choose to blind or un-blind specific messages. Therefore, one should also expect an BU adversary to break the CBU notion with at least the same probability as that of BU. In other terms, the CBU notion should at least be as secure as that of the BU notion.

Proposition 10. BU =⇒ CBU

Proof. Similar to the previous proof we will show that an adversary breaking a CBU secure MAC, can be reduced to an adversary in such a way that it breaks the BU notion as well. We start with a proposition that an adversary wins the CBU game:

˜

p := P_(m,t)←−ABAdaptMack[fi(m) = ⊥, for i = 1, 2, 3, .q ∧ Ver(m, t) = 1] ≥ n−c (56)

This equation applies for an adversary forging using a CBU oracle. In the next step, we want to show that the same forgery can break the BU security notion as well. To achieve this we make the following reduction:

1. We create a new register to differentiate between (un)blinded message states, i.e. where fi(m) = ⊥.

2. Then it sets for the blinded states |ti_Y equal to the zero string 0l_.

3. The unblinded message states, on the other hand, get queried to the BU oracle.

In practice one will achieve step 2-3, by applying a controlled unitary operator, in such a way that it only works on states that have the new register set to 1. This corresponds to states that are unblinded and ’need’ a tag. As explained in the preliminaries, controlled unitary operators allow us to use a control bit to specify whether or not we want to apply a certain function to another state. In this situation, we have a matrix with (2p+1_{) ∗ (2}p+1_{) dimensions, two corresponding with the}

control (qu)bit and 2p _{corresponding with the working qubits. These dimensions are the amount}

of states needed to simulate the message space.

p := P_(m,t)←−ABMack[m ∈ B∧ Ver(m, t) = 1] (57)

(57) ≥ P[m ∈ B∧ fi(m) = ⊥, for i = 1, 2, 3, .q ∧ Ver(m, t) = 1] (58)

(58) = P[fi(m) = ⊥, for i = 1, 2, 3, .q ∧ Ver(m, t) = 1]P[m ∈ B|∗] (59)

With the reduction in mind, we can see that the first condition of the last equation has exactly the same conditions as ˜p. However, the difference is the oracle on which the messages are queried. One could imagine this, by thinking about the CBU as just querying message states on an un-blinded MAC oracle and setting the blinded message states equal to the zero bit. Then when trying to forge on the BU oracle, one has the same situation but now a part of the initially un-blinded states will be blinded as well. Luckily we have a boundary expression for the difference between a (un)blinded MAC, given by theorem 11 from [Ala+20]. This boundary states the maximum difference in the probability that an adversary will break an unblinded MAC notion versus that same MAC blinded with blinding B and q queries. In other words:

[˜p − p] ≤ 2q√ (60)

Here ˜p is the probability that the adversary breaks an unblinded MAC and p the probability that the adversary breaks that same MAC, but now blinded with independent probability . Starting from the last expression, we can now write:

P[fi(m) = ⊥, for i = 1, 2, 3, .q ∧ Ver(m, t) = 1]P[m ∈ B|∗] ≥ (˜p − 2q

√

The first probability here corresponds to the part in the brackets, which was derived with the expression from the boundary condition just discussed. Finally, the last probability just corresponds to  as it is independent from the former condition. In total this becomes:

p ≥ (˜p − 2q√) (62)

Remember that we can set the blinding  factor at will. Therefore, if we pick  = (_3qp˜)2, we can write the following expression:

p ≥ p˜

3

27q2 (63)

This expression is clearly not a negligible function, as such we have shown that an adversary breaking the CBU security notion can also break the BU notion. With that we have proved our proposition as well.

5

Conclusion and discussion

There are a few relationships between security notions shown in this paper. First there are the re-lations that have already been performed to some degree, as such you can find them in the section on preliminaries. These proofs include the relations from EUF-CMA to SUF-CMA and EUF-CMA to BU, both for classical adversaries. They have been shown already in [KL07] and [Ala+20] re-spectively, but are presented for the reader to get familiar with the notation.

Second, we tried to prove the relations between BU and SBU against quantum adversaries. In the paper of [Ala+20] the notion of SBU was introduced, however the relation to BU was not proven in detail. It turned out, however, to be rather difficult to prove that SBU implied BU against quantum adversaries. To prove any such relation, the effect of a random blinding was needed. An expression for this effect was created for the BU blinding in [Ala+20], however not for a strong blinding with message-tag pairs. In the end it was a little out of the scope of this particular research to find a new lower bound for the effect of the ’strong blinding’.

Finally, a new notion was introduced where adversaries could decide which messages would be blinded. This notion, called Chosen Blind Unforgeability, is proven to be equivalent to BU. Fur-thermore, one could argue that this notion is more secure, because here an adversary can unblind messages in areas where he knows he would not want to forge. In other words, the CBU notion is at least as secure as BU.

For further research on the matter, I would recommend making the lower bound expression for the effect of the ’strong blinding’ on the MAC experiment. With this, one could quite easily prove the relation of SBU implies BU against quantum adversaries. My second recommendation for further research is introducing a Strong version of CBU that, pretty analogous to previous denota-tions, blinds message-tag pairs chosen by the adversary. Proving the relation to CBU would then be straightforward, with this new lower bound of a strong blinding and the proof of SBU implying BU.

References

[Sho97] Peter W. Shor. “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer”. In: SIAM Journal on Computing 26.5 (Oct. 1997), pp. 1484–1509. issn: 1095-7111. doi: 10.1137/s0097539795293172. url: http: //dx.doi.org/10.1137/S0097539795293172.

[KL07] Jonathan Katz and Yehuda Lindell. Introduction to Modern Cryptography. Chapman and Hall/CRC Press, 2007. isbn: 978-1-58488-551-1.

[Bon+11] Dan Boneh et al. “Random Oracles in a Quantum World”. In: Proceedings of AsiaCrypt 2011. 2011.

[NC11] Michael A. Nielsen and Isaac L. Chuang. Quantum Computation and Quantum Infor-mation: 10th Anniversary Edition. 10th. USA: Cambridge University Press, 2011. isbn: 1107002176.

[Zha12] Mark Zhandry. “How to Construct Quantum Random Functions”. In: Proceedings of FOCS 2012. 2012.

[BZ13] Dan Boneh and Mark Zhandry. “Quantum-Secure Message Authentication Codes”. In: Proceedings of EUROCRYPT 2013. 2013.

[Ala+20] Gorjan Alagic et al. “Quantum-Access-Secure Message Authentication via Blind-Unforgeability”. In: Lecture Notes in Computer Science (2020), pp. 788–817. issn: 1611-3349. doi:

10 . 1007 / 978 - 3 - 030 - 45727 - 3 _ 27. url: http://dx.doi.org/10.1007/978- 3-030-45727-3_27.