Quantum-Secure (Non-)Sequential Aggregate Message Authentication Codes

  • Conference paper
Cryptography and Coding (IMACC 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11929))


Abstract

Post-quantum cryptography has recently attracted attention, since quantum algorithms that break the existing cryptosystems have been proposed and the development of quantum computers is advancing. Quantum-secure systems have been studied in both public key cryptography and symmetric key cryptography. This paper studies the quantum security of message authentication codes (MACs) with the advanced functionality of compressing multiple tags, so-called aggregate message authentication codes (AMACs) and sequential aggregate message authentication codes (SAMACs).

In this paper, we present AMAC/SAMAC schemes that are quantum secure in the model where adversaries can submit quantum queries. Specifically, we first formalize quantum security for AMAC/SAMAC schemes. Second, we propose AMAC/SAMAC schemes satisfying this quantum security. Regarding AMACs, we show that the Katz-Lindell scheme meets the quantum security. Regarding SAMACs, since the existing schemes are insecure, we present two new generic constructions: one is built from quantum pseudorandom functions, and the other from randomized pseudorandom generators and (classical) pseudorandom functions.


References

  1. Ahn, J.H., Green, M., Hohenberger, S.: Synchronized aggregate signatures: new definitions, constructions and applications. In: ACM Conference on Computer and Communications Security, pp. 473–484. ACM (2010)

  2. Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_35

  3. Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)

  4. Boneh, D., Zhandry, M.: Quantum-secure message authentication codes. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 592–608. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_35

  5. David, B., Dowsley, R., Nascimento, A.C.A.: Universally composable oblivious transfer based on a variant of LPN. In: Gritzalis, D., Kiayias, A., Askoxylakis, I. (eds.) CANS 2014. LNCS, vol. 8813, pp. 143–158. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-12280-9_10

  6. Dodis, Y., Kiltz, E., Pietrzak, K., Wichs, D.: Message authentication, revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 355–374. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_22

  7. Döttling, N., Müller-Quade, J., Nascimento, A.C.A.: IND-CCA secure cryptography based on a variant of the LPN problem. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 485–503. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_30

  8. Eikemeier, O., et al.: History-free aggregate message authentication codes. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 309–328. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15317-4_20

  9. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: FOCS, pp. 464–479. IEEE Computer Society (1984)

  10. Hirose, S., Kuwakado, H.: Forward-secure sequential aggregate message authentication revisited. In: Chow, S.S.M., Liu, J.K., Hui, L.C.K., Yiu, S.M. (eds.) ProvSec 2014. LNCS, vol. 8782, pp. 87–102. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-12475-9_7

  11. Hohenberger, S., Waters, B.: Synchronized aggregate signatures from the RSA assumption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 197–229. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_7

  12. Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_8

  13. Katz, J., Lindell, A.Y.: Aggregate message authentication codes. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 155–169. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-79263-5_10

  14. Kiltz, E., Masny, D., Pietrzak, K.: Simple chosen-ciphertext security from low-noise LPN. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 1–18. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_1

  15. NIST: Post-quantum cryptography: post-quantum cryptography standardization (2017)

  16. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of IEEE Symposium on Foundations of Computer Science, pp. 124–134. IEEE (1994)

  17. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)

  18. Song, F., Yun, A.: Quantum security of NMAC and related constructions. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 283–309. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_10

  19. Tomita, S., Watanabe, Y., Shikata, J.: Sequential aggregate authentication codes with information theoretic security. In: CISS, pp. 192–197. IEEE (2016)

  20. Yu, Y., Steinberger, J.: Pseudorandom functions in almost constant depth from low-noise LPN. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 154–183. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_6

  21. Zhandry, M.: How to construct quantum random functions. In: FOCS, pp. 679–687. IEEE Computer Society (2012)

  22. Zhandry, M.: A note on the quantum collision and set equality problems. Quantum Inf. Comput. 15(7–8), 557–567 (2015)


Acknowledgements

The authors would like to thank the anonymous referees for their helpful comments. This research was conducted under a contract of Research and Development for Expansion of Radio Wave Resources funded by the Ministry of Internal Affairs and Communications, Japan.

Author information

Corresponding author

Correspondence to Shingo Sato.

Appendices

Appendix A: Attacks against the Existing Schemes

We describe the attacks against the existing sequential aggregate message authentication schemes of [8, 19].

A.1: The Attack against the Scheme of [8]

The algorithm breaking the scheme of [8] follows the quantum attack against CBC-MAC of [12]. First, we recall Simon’s algorithm, on which the attack against the scheme of [8] relies. Simon’s algorithm is a quantum algorithm solving the following problem.

Definition 6

(Simon’s Problem). Given a Boolean function \(f : \{ 0,1 \}^n \rightarrow \{ 0,1 \}^n\) and the promise that there exists \(s \in \{ 0,1 \}^n\) such that for all \(x,y \in \{ 0,1 \}^n\), \(\left[ f(x) = f(y) \right] \Leftrightarrow \left[ x \oplus y \in \{ 0^n,s \} \right] \), the goal is to find s.

Simon’s algorithm is as follows:

  1. Prepare the following 2n-qubit state: \(\frac{1}{\sqrt{2^n}} \sum _{x \in \{ 0,1 \}^n} | x \rangle | 0 \rangle \).

  2. A quantum query to the function f maps this state to \(\frac{1}{\sqrt{2^n}} \sum _{x \in \{ 0,1 \}^n} | x \rangle | f(x) \rangle \).

  3. Measure the second register in the computational basis and obtain a value f(z). Then, by the promise \(f(x) = f(x \oplus s)\), the first register collapses to

    $$\begin{aligned} \frac{1}{\sqrt{2}} ( | z \rangle + | z \oplus s \rangle ). \end{aligned}$$

  4. Apply the Hadamard transformation to the first register and get

    $$\begin{aligned} \frac{1}{\sqrt{2}}\frac{1}{\sqrt{2^n}} \sum _{y \in \{ 0,1 \}^n} (-1)^{y \cdot z} (1 + (-1)^{y \cdot s}) | y \rangle . \end{aligned}$$

  5. Measure the register and obtain a vector y.

The obtained vector y satisfies \(y \cdot s = 0\), since the amplitude of any y with \(y \cdot s = 1\) is 0. By repeating the above process, we obtain \(\mathcal {O}\left( n\right) \) vectors y such that \(y \cdot s = 0\). Therefore, we can recover s by solving the resulting linear system.

Let \(\varepsilon (f,s) := \max _{t \in \{ 0,1 \}^n \backslash \{ 0,s \}} \Pr _x[f(x) = f(x \oplus t)]\) for a function \(f: \{ 0,1 \}^n \rightarrow \{ 0,1 \}^n\) meeting the promise of Simon’s algorithm (\(f(x \oplus s) = f(x)\) for all x). From [12], the success probability of Simon’s algorithm is as follows.

Proposition 1

(Theorem 1 in [12]). Let \(f: \{ 0,1 \}^n \rightarrow \{ 0,1 \}^n\) be a function such that \(f(x \oplus s) = f(x)\) for all x, and let c be a positive integer. If \(\varepsilon (f,s) \le p_0 < 1\) holds for probability \(p_0\), then Simon’s algorithm returns s with cn queries, with probability at least \(1 - \left( 2 \left( \frac{1+p_0}{2} \right) ^c \right) ^n\).

Next, we describe the SAMAC scheme \(\mathsf {SAMAC}_{ex} = (\mathsf {KGen},\mathsf {STag},\mathsf {SVrfy})\) of [8] as follows: Let \((\mathsf {KGen}, \mathsf {Tag}, \mathsf {Vrfy})\) be a deterministic MAC with a tag space \(\mathcal {T}\), and let \(\mathsf {PRP}: \mathcal {K}_{\mathsf {PRP}} \times \mathcal {T}\rightarrow \mathcal {T}\) be a pseudorandom permutation.

  • \(\mathsf {k}_{\mathsf {id}} \leftarrow \mathsf {KGen}(1^\lambda , \mathsf {id})\): Generate keys \(\mathsf {k}_{\mathsf {MAC}} \leftarrow \mathsf {MAC}.\mathsf {KGen}\) and \(\mathsf {k}_{\mathsf {PRP}} \leftarrow \mathcal {K}_{\mathsf {PRP}}\). Output \(\mathsf {k}_{\mathsf {id}} := (\mathsf {k}_{\mathsf {MAC}},\mathsf {k}_{\mathsf {PRP}})\).

  • \(\tau \leftarrow \mathsf {STag}(\mathsf {k}_{\mathsf {id}},m,\tau ^\prime )\):

    Compute \(t \leftarrow \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m)\), and then output \(\tau \leftarrow \mathsf {PRP}(\mathsf {k}_{\mathsf {PRP}},t \oplus \tau ^\prime )\).

  • \(1/0 \leftarrow \mathsf {SVrfy}(K,(M,\tau ^\prime ),\tau )\):

    Compute \(\tilde{\tau } \leftarrow \mathsf {STag}(\mathsf {k}_{\mathsf {id}_{\sigma (\ell )}}, m_{\ell }, \mathsf {STag}(\ldots ,\mathsf {STag}(\mathsf {k}_{\mathsf {id}_{\sigma (1)}},m_1,\tau ^\prime )\ldots ))\). Output 1 if \(\tau = \tilde{\tau }\), or output 0 otherwise.

Finally, we describe the attack against \(\mathsf {SAMAC}_{ex}\). We fix two arbitrary messages \(m_0,m_1 \in \mathcal {M}\) (\(m_0 \ne m_1\)), and the function for Simon’s problem is defined over a bit b and a previous tag \(\tau ^\prime \in \mathcal {T}\) as follows:

$$\begin{aligned} f : \{ 0,1 \} \times \mathcal {T}&\rightarrow \mathcal {T}\\ (b,\tau ^\prime )&\mapsto \mathsf {PRP}(\mathsf {k}_{\mathsf {PRP}}, \tau ^\prime \oplus \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_b)) \end{aligned}$$

For \(s = 1 \parallel \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_0) \oplus \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_1)\), the function f meets the promise of Simon’s problem, since for every \(x \in \mathcal {T}\)

$$\begin{aligned} f(0,x)&= \mathsf {PRP}(\mathsf {k}_{\mathsf {PRP}}, x \oplus \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_0)), \\ f(1,x)&= \mathsf {PRP}(\mathsf {k}_{\mathsf {PRP}}, x \oplus \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_1)), \\ f(b,x)&= f(b \oplus 1, x \oplus \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_0) \oplus \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_1)). \end{aligned}$$

Then, we can generate the following forgery against \(\mathsf {SAMAC}_{ex}\):

  1. Fix \(m_0,m_1\) as the messages of a message block, and let the previous tag \(\tau ^\prime = 0^n \in \mathcal {T}\) be the n-bit all-zero string.

  2. Submit a classical query \(m_0 \parallel 0^n\) to the tagging oracle of the \(\mathsf {saggUF}- \mathsf {qCMA}\) security game, and receive the aggregate tag \(\tau \).

  3. By using Simon’s algorithm with O(n) quantum queries, obtain \(s\), and hence the value \(\mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_0) \oplus \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_1)\).

  4. Output a forgery \((m_1 \parallel \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_0) \oplus \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_1), \tau )\) as a valid aggregate tag.

The above forgery is valid: the pair \(m_1 \parallel \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_0) \oplus \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_1)\) has never been queried, and it verifies because \(\mathsf {STag}(\mathsf {k}_{\mathsf {id}}, m_1, \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_0) \oplus \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_1)) = \mathsf {PRP}(\mathsf {k}_{\mathsf {PRP}}, \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_0)) = \mathsf {STag}(\mathsf {k}_{\mathsf {id}}, m_0, 0^n) = \tau \).
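The identity behind this forgery, checked in code. The following Python toy is an added illustration and not code from the paper: it models \(\mathsf {SAMAC}_{ex}\) with HMAC-SHA256 as the deterministic MAC and as a stand-in for the PRP (assumptions), does not simulate Simon's quantum step, and instead computes the difference \(s\) directly from the key, as a designer holding the key would, to show why \(\mathsf {SVrfy}\) accepts the never-queried pair.

```python
import hashlib
import hmac

N_BYTES = 16  # tag length n = 128 bits (constructed toy parameter)

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))

def tag(k_mac: bytes, m: bytes) -> bytes:
    """Deterministic MAC Tag(k_MAC, m): HMAC-SHA256 truncated to n bits."""
    return hmac.new(k_mac, m, hashlib.sha256).digest()[:N_BYTES]

def prp(k_prp: bytes, x: bytes) -> bytes:
    """Stand-in for PRP(k_PRP, .) on n-bit strings (assumption: a keyed function;
    the identity checked below does not depend on it being a permutation)."""
    return hmac.new(k_prp, x, hashlib.sha256).digest()[:N_BYTES]

def stag(key, m: bytes, tau_prev: bytes) -> bytes:
    """STag of SAMAC_ex: PRP(k_PRP, Tag(k_MAC, m) XOR tau')."""
    k_mac, k_prp = key
    return prp(k_prp, xor(tag(k_mac, m), tau_prev))

def svrfy(keys, msgs, tau_prev: bytes, tau: bytes) -> bool:
    """SVrfy of SAMAC_ex: recompute the chain in signing order and compare."""
    t = tau_prev
    for key, m in zip(keys, msgs):
        t = stag(key, m, t)
    return hmac.compare_digest(t, tau)

def forgery_accepted(key, m0: bytes, m1: bytes) -> bool:
    """Root cause: tau' enters STag only through XOR with Tag(k_MAC, m), so the
    pair (m1, Tag(m0) XOR Tag(m1)) is tagged exactly like (m0, 0^n).  Simon's
    algorithm recovers the difference s from O(n) quantum queries; here s is
    computed from the key (a key-holder's check of the appendix's identity)."""
    k_mac, _ = key
    zero = bytes(N_BYTES)
    s = xor(tag(k_mac, m0), tag(k_mac, m1))
    tau = stag(key, m0, zero)          # the single classical query of the attack
    return svrfy([key], [m1], s, tau)  # True: the never-queried pair verifies
```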

A.2: The Attack against the Scheme of [19]

We describe the two schemes presented in [19]. Let \(\mathbb {F}_p\) be a finite field of order p, where p is a prime power. The first construction is given as follows:

  • \(\mathsf {k}_{\mathsf {id}} \leftarrow \mathsf {KGen}(1^\lambda , \mathsf {id})\): Output a secret key \(\mathsf {k}_{\mathsf {id}} := (a,b) \in \mathbb {F}_p^2\).

  • \(\tau \leftarrow \mathsf {STag}(\mathsf {k}_{\mathsf {id}},m,\tau ^\prime )\): On input a message \(m\in \mathbb {F}_p\) and an aggregate-so-far tag \(\tau ^\prime \in \mathbb {F}_p\), output a tag \(\tau := a \cdot m+ b + \tau ^\prime \in \mathbb {F}_p\).

  • \(1/0 \leftarrow \mathsf {SVrfy}(K,(M,\tau ^\prime ),\tau )\): Compute \(\tilde{\tau } \leftarrow \mathsf {STag}(K,(M,\tau ^\prime ))\). Output 1 if \(\tau = \tilde{\tau }\), or output 0 otherwise.

The second construction is described as follows:

  • \(\mathsf {k}_{\mathsf {id}} \leftarrow \mathsf {KGen}(1^\lambda , \mathsf {id})\): Output a secret key \(\mathsf {k}_{\mathsf {id}} := (a,b,c) \in \mathbb {F}_p^3\).

  • \(\tau \leftarrow \mathsf {STag}(\mathsf {k}_{\mathsf {id}},m,\tau ^\prime )\): On input a message \(m\in \mathbb {F}_p\), an ID \(\mathsf {id}\in \mathbb {F}_p\), and an aggregate-so-far tag \(\tau ^\prime = (s^\prime ,t^\prime ) \in \mathbb {F}_p^2\), output a tag \(\tau := (a \cdot m+ b + s^\prime , a \cdot \mathsf {id}+ c + t^\prime ) \in \mathbb {F}_p^2\).

  • \(1/0 \leftarrow \mathsf {SVrfy}(K,(M,\tau ^\prime ),\tau )\): Compute \(\tilde{\tau } \leftarrow \mathsf {STag}(K,(M,\tau ^\prime ))\). Output 1 if \(\tau = \tilde{\tau }\), or output 0 otherwise.

For both schemes, the aggregate tags can be viewed as values of the pairwise independent hash function \(h(x) = ax + b\) with \(a,b \in \mathbb {F}_p\). Hence, the quantum algorithm in the proof of Lemma 6.3 in [4] applies directly: an adversary recovers the secret key \((a,b) \in \mathbb {F}_p^2\) with non-negligible probability from a single quantum query and can then trivially generate forgeries. Therefore, the schemes of [19] do not meet the one-time security formalized in Sect. 4.

Appendix B: Concrete Construction of \(\mathsf {SAMAC}_2\)

We describe our concrete \(\mathsf {SAMAC}_2\) scheme based on the learning parity with noise (LPN) problem by using the randomized PRG of [20].

B.1: LPN Problem

We first define an oracle \(\varLambda _{t,n}(\cdot )\) that outputs LPN samples in the following way: Let \(\mathsf {Ber}_{t}\) be the Bernoulli distribution over \(\{ 0,1 \}\) with bias \(t \in (0,1/2)\). For parameters \(t \in (0,1/2)\) and \(n \ge 1\), an oracle \(\varLambda _{t,n}(s)\) takes \(s \in \{ 0,1 \}^n\) as input and outputs samples \((a, a \cdot s \oplus e) \in \{ 0,1 \}^n \times \{ 0,1 \}\) by sampling \(a \leftarrow \{ 0,1 \}^n\) uniformly at random and \(e \leftarrow \mathsf {Ber}_t\). In addition, an oracle \(U_{n}\) outputs uniformly random samples over \(\{ 0,1 \}^n \times \{ 0,1 \}\). The LPN assumption is defined as follows:

Definition 7

(Learning Parity with Noise). The (decisional) \(\mathsf {LPN}_{t,n}\) assumption holds if, for any PPT algorithm \(\mathcal {D}\), the advantage of \(\mathcal {D}\) in distinguishing the oracle \(\varLambda _{t,n}(s)\), for a uniformly random \(s \in \{ 0,1 \}^n\), from the oracle \(U_n\) is negligible.

B.2: Concrete Construction of \(\mathsf {SAMAC}_2\)

We describe a concrete scheme \(\mathsf {SAMAC}_{\mathsf {LPN}} = (\mathsf {KGen},\mathsf {STag},\mathsf {SVrfy})\). The randomized PRG based on LPN is \(G_{a}(s;e) = a \cdot s \oplus e\), where \(a \in \{ 0,1 \}^{\delta n \times n}\) and \(s \in \{ 0,1 \}^n\) are uniformly random, and \(e \in \{ 0,1 \}^{\delta n}\) is a sample drawn from the Bernoulli distribution with a parameter t. We use the following public parameters and primitives based on a security parameter \(\lambda \).

  • \(t \in (0,1/2)\) is a parameter for the error distribution \(\mathsf {Ber}_t\).

  • An integer n is an LPN parameter derived from \(\lambda \).

  • An integer \(v = \mathcal {O}\left( \log {n}\right) \) denotes the block-size of messages, and then let \(\delta := 2^v\).

  • A positive integer \(\mu = d v\) denotes the bit-length of message/tag pairs, where d is a positive integer.

  • \(G_a: \{ 0,1 \}^n \rightarrow \{ 0,1 \}^{\delta n}\) is a randomized PRG with a uniformly random parameter \(a \in \{ 0,1 \}^{\delta n \times n}\) and a randomness space \(\mathsf {Ber}_{t}^{\delta n}\). \(G_a\) is described as \(G_a(s;e) = a \cdot s \oplus e\), where e is drawn from \(\mathsf {Ber}_{t}^{\delta n}\).

  • \(\mathsf {SAMP}: \{ 0,1 \}^n \rightarrow \mathsf {Ber}_{t}^{\delta ^2 n}\) denotes a (deterministic) sampling function which, on input randomness in \(\{ 0,1 \}^n\), outputs \(\delta \) error vectors in \(\mathsf {Ber}_{t}^{\delta n}\), i.e., a value in \(\mathsf {Ber}_{t}^{\delta ^2 n}\).

  • \(\mathsf {PRF}: \mathcal {K}\times \mathcal {X} \rightarrow \{ 0,1 \}^n\) is a classical PRF.

  • \(c\) is a counter value, and \(\mathcal {L}_{c}\), initialized as \(\mathcal {L}_{c} \leftarrow \emptyset \), is the list of counter values already accepted.

\(\mathsf {SAMAC}_{\mathsf {LPN}}\) is constructed as follows:

  • \(\mathsf {k}_{\mathsf {id}} \leftarrow \mathsf {KGen}(1^\lambda , \mathsf {id})\): Generate a key as follows:

    1. Sample \(s \leftarrow \{ 0,1 \}^n\) and \(\mathsf {k}_{\mathsf {PRF}} \leftarrow \mathcal {K}\) uniformly at random.

    2. Output \(\mathsf {k}_{\mathsf {id}} := (s,\mathsf {k}_{\mathsf {PRF}})\).

  • \(\tau \leftarrow \mathsf {STag}(\mathsf {k}_{\mathsf {id}},m,\tau ^\prime )\): Split \(\tau ^\prime \) into \((c,y^\prime )\) and generate an aggregate tag in the following way:

    1. \(e^{(0\ldots 00)} \parallel e^{(0\ldots 01)} \parallel \cdots \parallel e^{(1\ldots 11)} \leftarrow \mathsf {SAMP} (\mathsf {PRF}(\mathsf {k}_{\mathsf {PRF}},c))\).

    2. \((z_i)_{i \in [\mu ]} \leftarrow m\parallel y^\prime \in \{ 0,1 \}^{\mu }\).

    3. \(y \leftarrow {G}_a^{(z_{(d-1)v + 1} \ldots z_{dv})}( \ldots G_a^{(z_{v+1}\ldots z_{2v})}(G_a^{(z_1 \ldots z_v)}\left( s;e^{(z_1 \ldots z_v)});e^{(z_{v+1}\ldots z_{2v})}\right) \ldots )\).

    4. Output \(\tau := (c, y)\).

  • \(1/0 \leftarrow \mathsf {SVrfy}(K,(M,\tau ^\prime ),\tau )\): Verify \(((M,\tau ^\prime ),\tau )\) in the following way:

    1. Output 0 if \(c\in \mathcal {L}_{c}\).

    2. \(\tilde{\tau } \leftarrow \mathsf {STag}(\mathsf {k}_{\mathsf {id}_{\sigma (\ell )}}, m_{\ell }, \mathsf {STag}(\ldots \mathsf {STag}(\mathsf {k}_{\mathsf {id}_{\sigma (1)}},m_1,\tau ^\prime ) \ldots ))\).

    3. Output 1 and set \(\mathcal {L}_{c} \leftarrow \mathcal {L}_{c} \cup \{ c\}\) if \(\tau = \tilde{\tau }\), or output 0 otherwise.
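A toy instantiation of \(\mathsf {SAMAC}_{\mathsf {LPN}}\), added here as an illustration and not code from the paper: it implements KGen, STag (the counter-derived error vectors, the split \(z = m \parallel y^\prime \), and the chained \(G_a\) evaluation over v-bit blocks) and SVrfy with the counter list \(\mathcal {L}_{c}\). Assumptions, also marked in the comments: \(G_a^{(z)}(s;e)\) is read as the z-th n-bit block of \(a \cdot s \oplus e\); SHAKE-256 stands in for public-parameter generation and \(\mathsf {SAMP}\); HMAC-SHA256 for the PRF; the first signer starts from \(\tau ^\prime = (c, 0^n)\) with a fresh counter; the parameters are tiny and offer no security.

```python
import hashlib
import hmac
import secrets
from typing import List, Tuple

# Constructed toy parameters n, v, d (Bernoulli bias t = 1/8); far too small to be secure.
N, V, D = 16, 2, 10
DELTA = 2 ** V          # delta = 2^v
MU = D * V              # mu = d*v bits of z = m || y'
MSG_BITS = MU - N       # message bits per signer, since y' has n bits
Bits = List[int]

def expand(seed: bytes, nbits: int) -> Bits:
    """Deterministic bit expansion via SHAKE-256 (assumption: stands in for parameter generation and SAMP)."""
    raw = hashlib.shake_256(seed).digest((nbits + 7) // 8)
    return [(b >> i) & 1 for b in raw for i in range(8)][:nbits]

def setup_a(seed: bytes) -> List[Bits]:
    """Public parameter a in {0,1}^{delta*n x n}, stored as delta*n rows of n bits."""
    raw = expand(seed, DELTA * N * N)
    return [raw[i * N:(i + 1) * N] for i in range(DELTA * N)]

def samp(r: Bits) -> List[Bits]:
    """SAMP: n-bit randomness -> delta error vectors e^{(z)} in Ber_t^{delta*n}; t = 1/8 via AND of 3 uniform bits."""
    raw = expand(bytes(r), 3 * DELTA * DELTA * N)
    ber = [raw[3 * i] & raw[3 * i + 1] & raw[3 * i + 2] for i in range(DELTA * DELTA * N)]
    return [ber[z * DELTA * N:(z + 1) * DELTA * N] for z in range(DELTA)]

def prf(k: bytes, c: int) -> Bits:
    """Classical PRF K x X -> {0,1}^n, instantiated with HMAC-SHA256 (assumption)."""
    return expand(hmac.new(k, c.to_bytes(8, "big"), hashlib.sha256).digest(), N)

def g(a: List[Bits], z: int, s: Bits, e: Bits) -> Bits:
    """G_a^{(z)}(s; e): the z-th n-bit block of a.s XOR e over GF(2) (assumed reading of the superscript)."""
    out = [(sum(ai & si for ai, si in zip(row, s)) % 2) ^ ei for row, ei in zip(a, e)]
    return out[z * N:(z + 1) * N]

def kgen() -> Tuple[Bits, bytes]:
    """KGen: uniformly random s in {0,1}^n and a PRF key k_PRF."""
    return [secrets.randbelow(2) for _ in range(N)], secrets.token_bytes(32)

def stag(a: List[Bits], key: Tuple[Bits, bytes], m: Bits, tau_prev: Tuple[int, Bits]) -> Tuple[int, Bits]:
    """STag(k_id, m, tau') with tau' = (c, y'); returns tau = (c, y)."""
    (s, k_prf), (c, y_prev) = key, tau_prev
    errs = samp(prf(k_prf, c))                   # step 1: error vectors fixed by the counter c
    z = m + y_prev                               # step 2: z = m || y', mu bits in total
    y = s
    for j in range(D):                           # step 3: chain G_a over the v-bit blocks of z
        blk = int("".join(map(str, z[j * V:(j + 1) * V])), 2)
        y = g(a, blk, y, errs[blk])
    return (c, y)                                # step 4

class Verifier:
    """SVrfy together with the list L_c of counters already accepted (replay protection)."""
    def __init__(self, a: List[Bits]) -> None:
        self.a, self.seen = a, set()
    def svrfy(self, keys, msgs: List[Bits], tau_prev: Tuple[int, Bits], tau: Tuple[int, Bits]) -> bool:
        if tau_prev[0] in self.seen:                 # step 1: reject a reused counter
            return False
        t = tau_prev
        for key, m in zip(keys, msgs):               # step 2: recompute the chain in signing order
            t = stag(self.a, key, m, t)
        if t != tau:                                 # step 3: compare with the claimed tag
            return False
        self.seen.add(tau_prev[0])
        return True
```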

We obtain the following security result. The proof proceeds in the same way as that of Theorem 3.

Corollary 1

If the \(\mathsf {LPN}_{t,n}\) assumption holds and \(\mathsf {PRF}\) is a pseudorandom function, then \(\mathsf {SAMAC}_{\mathsf {LPN}}\) meets \(\mathsf {saggUF}- \mathsf {qCMA}\) security.


Copyright information

© 2019 Springer Nature Switzerland AG


Cite this paper

Sato, S., Shikata, J. (2019). Quantum-Secure (Non-)Sequential Aggregate Message Authentication Codes. In: Albrecht, M. (ed.) Cryptography and Coding. IMACC 2019. Lecture Notes in Computer Science, vol. 11929. Springer, Cham. https://doi.org/10.1007/978-3-030-35199-1_15

  • DOI: https://doi.org/10.1007/978-3-030-35199-1_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-35198-4

  • Online ISBN: 978-3-030-35199-1
