 Hello, my name is Christian Mayans, and this video talk is about the paper Quantum Secure Message to Authentication via Blind Unfortability. This is joint work with Corinne Allergitsch, Alexander Russell, and Fangsong. Let me start with a short introduction. On this painting, you see a woman who is receiving a letter, so we can imagine two security-related thoughts going through her head right now. The first one is, okay, on the bottom of the letter, it says, sincerely, X. But how can I know that this letter is really from X? Anybody could have written that there. And the second one is, okay, this courier looks really sketchy. And probably, he has been on the road for five days or something. So anything could have happened to this letter in between extending it and me receiving it. Nowadays, we can reassure the recipient of a message with regards to both of these concerns by the use of digital signature schemes and message authentication codes. In the remainder of this talk, I will focus on message authentication codes for simplicity of exposition, while all the security notions, etc., apply to both of these kinds of schemes. How does the message authentication code work? So let's assume Alice wants to send a message to Bob. And to authenticate it, she shares a secret key K with Bob. She begins by computing the so-called MAC tag using the MAC function, her secret P and the message. Then she sends the message together with the tag to Bob. Upon receiving a message tag pair, Bob uses the message and his copy of the secret key to recompute the tag. And if it doesn't match the one he received, he rejects. Otherwise, he accepts. The security property that we want from such a MAC is called unfortability under chosen message attack or UFCMA. Works as follows. We consider a message authentication code secure if no forgery adversary can be successful in the following game. This game, the adversary gets Oracle access to the MAC function, can make a number of queries. So send messages to the Oracle and receive tags back. And in the end, the adversary has to submit a message tag pair, mstar, tstar. And he wins the game if this is a valid message tag pair and if it's distinct from all the queries he made to the Oracle. In this paper, we study quantum access security of MACs. So that means that instead of providing a classical Oracle for the secret key MAC function, we provide a quantum Oracle for it to the adversary. That means we give Oracle access to the functionality defined here. And one obvious question that one might ask is, why would we consider such a setting? There's a couple of answers to it. First of all, one answer is because we can. So as theoretical cryptographers, we are often interested in as strong as possible security and this turns out to be possible. Second, there's also a motivation from post-quantum composability. So for example, if we use an obfuscation to publish an obfuscated circuit for the secret key function, then of course, a quantum attacker can implement it on their quantum computer and evaluate it in superposition. Finally, a third reason might be physics. So this is maybe a bit less likely to actually realize this risk. But if you imagine, for example, a smart card that has a secret key hardcoded in it, then one might imagine an attacker that freezes this smart card, cools it down to near absolute zero temperature and hopes that it starts to behave in a quantum way. So first of all, let's try kind of the naive generalization of UFCMA. So let's call that unforgibility under quantum chosen message attack. So here's an example attacker. This attacker just prepares a uniform superposition of messages uses the oracle to convert it into a uniform superposition of message tag pairs and afterwards applies a measurement to obtain a random message tag pair and outputs that. So two thoughts about this. First of all, clearly this should not be counted as a break of the scheme because it's clearly possible for any Mac and it's in some sense just a quantum analog of the algorithm that samples a random message queries it and then outputs that the resulting message tag pair. On the other hand, it turns out that the output is almost distinct from the query, right? So it's almost orthogonal to the query. So therefore somehow UFCMA doesn't seem to make sense anymore. Okay, so we cannot generalize UFCMA in a straightforward manner, but then how can we judge whether a function is unpredictable for quantum algorithms? How do we identify a successful forging adversary? We've just seen a non-example, so an example of an attack that we shouldn't count as successful. Here's one that we that we should be worried about. Let's specify a Mac by choosing a random periodic function with period pk, but then puncturing it at the input pk and set the output to zero there. So now there's the following adversary. We first start by running the so-called period finding algorithm, which is a subroutine of Shor's algorithm to find the period pk and afterwards we just output the pair pk, zero. This clearly should be counted as a successful attack because we have kind of planted this vulnerability there and this is not the analog of a classical attack that also should work. Here are some additional problems that arise when generalizing UFCMA to the quantum pigs. First of all, there's the so-called no-cloning principle that says that a quantum state cannot be copied. This implies that we can't even think about the straightforward generalization in the sense that we cannot compare the output of an adversary to their queries and in addition, if we were to find a way to compare the output with certain messages, then such a comparison would most certainly involve quantum measurement, which changes the state that is being measured. So then we could only do at most one such comparison. Let me move on to our results. Here's an overview. As I said, we study unforgeability under quantum chosen message attacks. In this setting, we propose a new security definition, which we call blind unforgeability. The motivation for proposing a new definition is that the previously proposed definition by Bonet and Jandri from a Eureka paper from 2013 is insufficient to capture all possible quantum attacks. So this has been suspected before and we confirm this by exhibiting a MAC that is secure under this previous definition, but on the one hand, intuitively broken and on the other hand also insecure under our new definition. We go on to characterize blind unforgeability by first proving that it also implies the previous definition by Bonet and Jandri, but also by proving that random functions on the one hand and also the lamp or at one time signature scheme are secure under it. Finally, we also prove that the so-called hash and MAC or hash and sign paradigm preserves BU security if we choose an appropriate hash function. Let us quickly recall the previous security definition by Bonet and Jandri. So their approach was as follows. They just say, okay, fine, we cannot compare a forgery with the query transcript. So let's just ask a little bit more from the adversary. Let's just ask them to output Q plus 1 valid message tag pairs. So in that sense, if they make Q queries and output Q plus 1 message tag pairs, one of them has to be fresh. This has a couple of nice properties. For example, it's equivalent to UFCMA in the classical setting and also a random function or a random oracle is busy, unfortable. So already before our work, there were some doubts in the literature about whether this is the correct definition of security. This was mainly suspected in a paper by Garg Ewen and Jandri and later also elaborated on in the quantum lightning paper by Jandri. So here are the problems. So first of all, say an adversary can make a genuine forgery for a Mac, but to do that, the adversary has to make a number of queries and then completely measure the whole state and thereby destroy it, right? Then they can maybe output the final forgery, but not a number of queries, many other valid message tag pairs. In addition, maybe such an adversary can make a number of queries inside a certain region of the message space and then make a forgery outside of that reason. So no matter whether we can compare, et cetera, this should really clearly count as a forgery, right? In fact, just looking at these options, it should be easy to come up with an example where this happens. Turns out that that is not that easy, however. And one of the reasons is that, for example, this period finding attacker that we talked about doesn't work to show this. And this is because if a quantum measurement succeeds with good probability, then the disturbance is also limited. So in this period finding example, the adversary makes a measurement to determine the period. But afterwards, because that succeeds with good probability, they can still rewind their computation and recover a message tag pair from their query. In the quantum lightning paper, there was, in fact, constructed a MAC that is secure according to the Boney-Jandry definition, but insecure according to a one-time security definition put forward by Garg, UN, and Jandry. But this was assuming in distinguishability obfuscation. And I don't think one can call it an intuitive example. This brings me to our first contribution. We construct a MAC that kind of unconditionally breaks the Boney-Jandry definition. Here it is. The message space are the N plus one bit strings. The first bit we call B and the rest is X. And the output has two parts, which are both functions of X determined by B. So for B equals zero, the first part is a random periodic function with period P. And the second part is a uniformly random function. But if B equals one, then the first part is a uniformly random function except if the input is P, then we set it to the all zero string. And the second part is just identically zero. This is kind of complicated. But in summary, the message space is split into two parts determined by the first bit. And if that first bit is zero, then we have a random periodic function, but it's kind of shielded by another random function. Whereas if B equals one, then we have a random function that's punctured at that same period as an input. There's a simple one-query convincing forgery attack. Works as follows. First, use the period finding algorithm to find the period P. And this is done by ignoring the uniformly random part of the output. And then just output the message one P together with the all zero tag. This is a convincing forgery because the period finding algorithm uses a uniform superposition of the messages that start with zero, while the forgery is on a message that starts with one. In addition, we can prove that there's in fact no efficient quantum algorithm that wins the boney-jandry security game for this map. This is kind of difficult to prove, it turns out. And a key step is to show that if an attacker wants to learn anything about the period P, then kind of this ignorance of the random part of the output is necessary. So after giving this convincing counter example, we have moved on to proposing a replacement definition, which we call blind affordability. So how does it work? The idea is as follows. So instead of providing an adversary with a proper oracle for the MAC function, we provide them with a modified oracle that is kind of blinded in a certain random subset of the inputs. Afterwards, we ask the adversary to afford in one of the blinded spots. More formally, we define a set B epsilon, which is a random subset of the message space. And each message is put into the set with independent probability epsilon. Now we define the blinded MAC oracle by sending every message to its corresponding tag, if the message is not in the blinding set, but by returning the bottom symbol if the message is in the blinding set. The definition is now as follows. A message authentication code is called blindunforgible if no adversary can output a valid message tag pair with the message being in the blinding set when provided with the blinded oracle. So great, we have come up with a can as a replacement. Let's check whether it actually works. So first of all, we can prove that it's equivalent to UFCMA if we restrict to a classical oracle. So that's reassuring. Also, we can prove that a random oracle is blindunforgible. The other standard is sent into check. We also prove that it implies the previous definition, which builds additional confidence. And finally, it classifies all the examples that we know correctly. So here's the first example that we looked at, the kind of the stupid forgery adversary that shouldn't be credited with breaking. Let's see whether it succeeds in the blinding forgibility game. We could, for example, consider this for a random function. If we now consider a blinded oracle, then the output of the random oracle for a blinded input is independent of any adversarial state. So this adversary clearly has to fail. Now let's look at our constructed MAC that we've used to show the insufficiency of the Boney-Jandry definition. So here, let's just take a very small value of this epsilon. That means that the oracle is almost the correct one. And the period is a global property of the MAC. So the period finding algorithm would still almost succeed with the same probability as if the adversary was provided with the correct oracle. The forgery message, on the other hand, which is completely separate from the query that the adversary makes, is blinded with independent probability epsilon. So this adversary, in fact, succeeds with small probability. Here are some additional results that we have about this new notion. We define a new security notion for hash functions, which we call Bernoulli preserving. This generalizes collision resistance to the quantum setting, and it strengthens the previously proposed notion of collapsingness. Using a hash function that is Bernoulli preserving, we can prove that the so-called hash and MAC paradigm is blind and affordable. Furthermore, we construct such a Bernoulli preserving hash function by proving that a contraction by Unruh based on LWE is actually, here are a number of additional results that we have about our new security notion. We define a new, here are a number of additional results. We define a new security property for hash functions, which we call Bernoulli preserving. This property generalizes collision resistance to the quantum setting, and it strengthens a previous such generalization, which is called collapsingness. Using this notion, we can show that hash and MAC instantiated with such a hash function is blind and affordable, and we can also show that a construction of a collapsing hash function by Unruh that's based on the LWE assumption is actually even Bernoulli preserving. In addition, we can show that lamport signatures are one time blind and affordable if they are instantiated with a random oracle. To prove these results, we use mainly two tools. First of all, we have a simulation lemma that shows that an attacker doesn't behave very different if provided with a blinded oracle with small blinding parameter compared to an unblinded oracle. As a second tool, we use the superposition representation of a random oracle by Gendry. This we use extensively, so both for the proof of Bernoulli-Gendry security of the separation example, as well as for the implication blind and affordability implies Bernoulli-Gendry affordability, and for the security proof of the lamport signature scheme, we all employ the superposition representation of random oracles. This brings me to my last slide. Here's the summary and some open questions. As we have seen, there is a MAC that is secure according to the previous definition by Bonnet and Gendry, but allows for an intuitive forgery attack. So this definition really needs to be replaced, and we have such a replacement, which is called blind and affordability. Blind and affordability has a lot of nice properties and classifies all the known examples that we have correctly. Here are some open questions. First of all, the security gain for blind and affordability is not very natural. This is because the adversary is provided with this blinded oracle, which is kind of different from the actual functionality that we're testing. One question is whether this can be fixed somehow. And another open question is, are popular schemes blind and affordable? So what we know is that the lamport one-time signature scheme, as well as some pseudo-random function-based MACs are secure, but these are the only examples for now. Thank you very much.