Abstract
Post-quantum cryptography has recently attracted attention, since quantum algorithms breaking existing cryptosystems have been proposed and the development of quantum computers is advancing. Quantum-secure systems have been studied in both public-key and symmetric-key cryptography. This paper studies the quantum security of message authentication codes (MACs) with the advanced functionality of compressing multiple tags, so-called aggregate message authentication codes (AMACs) and sequential aggregate message authentication codes (SAMACs).
In this paper, we present AMAC/SAMAC schemes meeting quantum security in the model where adversaries can submit quantum queries. Specifically, we first formalize quantum security for AMAC/SAMAC schemes. Second, we propose AMAC/SAMAC schemes satisfying this notion. Regarding AMACs, we show that the Katz-Lindell scheme meets quantum security. Regarding SAMACs, since the existing schemes are insecure, we present two new generic constructions: one is built from quantum pseudorandom functions, and the other from randomized pseudorandom generators and (classical) pseudorandom functions.
References
Ahn, J.H., Green, M., Hohenberger, S.: Synchronized aggregate signatures: new definitions, constructions and applications. In: ACM Conference on Computer and Communications Security, pp. 473–484. ACM (2010)
Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_35
Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)
Boneh, D., Zhandry, M.: Quantum-secure message authentication codes. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 592–608. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_35
David, B., Dowsley, R., Nascimento, A.C.A.: Universally composable oblivious transfer based on a variant of LPN. In: Gritzalis, D., Kiayias, A., Askoxylakis, I. (eds.) CANS 2014. LNCS, vol. 8813, pp. 143–158. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-12280-9_10
Dodis, Y., Kiltz, E., Pietrzak, K., Wichs, D.: Message authentication, revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 355–374. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_22
Döttling, N., Müller-Quade, J., Nascimento, A.C.A.: IND-CCA secure cryptography based on a variant of the LPN problem. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 485–503. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_30
Eikemeier, O., et al.: History-free aggregate message authentication codes. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 309–328. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15317-4_20
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: FOCS, pp. 464–479. IEEE Computer Society (1984)
Hirose, S., Kuwakado, H.: Forward-secure sequential aggregate message authentication revisited. In: Chow, S.S.M., Liu, J.K., Hui, L.C.K., Yiu, S.M. (eds.) ProvSec 2014. LNCS, vol. 8782, pp. 87–102. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-12475-9_7
Hohenberger, S., Waters, B.: Synchronized aggregate signatures from the RSA assumption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 197–229. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_7
Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_8
Katz, J., Lindell, A.Y.: Aggregate message authentication codes. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 155–169. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-79263-5_10
Kiltz, E., Masny, D., Pietrzak, K.: Simple chosen-ciphertext security from low-noise LPN. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 1–18. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_1
NIST: Post-quantum cryptography standardization (2017)
Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of IEEE Symposium on Foundations of Computer Science, pp. 124–134. IEEE (1994)
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
Song, F., Yun, A.: Quantum security of NMAC and related constructions. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 283–309. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_10
Tomita, S., Watanabe, Y., Shikata, J.: Sequential aggregate authentication codes with information theoretic security. In: CISS, pp. 192–197. IEEE (2016)
Yu, Y., Steinberger, J.: Pseudorandom functions in almost constant depth from low-noise LPN. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 154–183. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_6
Zhandry, M.: How to construct quantum random functions. In: FOCS. pp. 679–687. IEEE Computer Society (2012)
Zhandry, M.: A note on the quantum collision and set equality problems. Quantum Inf. Comput. 15(7–8), 557–567 (2015)
Acknowledgements
The authors would like to thank the anonymous referees for their helpful comments. This research was conducted under a contract of Research and Development for Expansion of Radio Wave Resources funded by the Ministry of Internal Affairs and Communications, Japan.
Appendices
Appendix A: Attacks against the Existing Schemes
We describe the attacks against the existing sequential aggregate authentication schemes of [8, 19].
A.1 The Attack against the Scheme of [8]
The attack on the scheme of [8] follows the quantum attack on CBC-MAC of [12]. We first recall Simon's algorithm, which the attack on the scheme of [8] relies on. Simon's algorithm is a quantum algorithm solving the following problem.
Definition 6
(Simon’s Problem). Given a Boolean function \(f : \{ 0,1 \}^n \rightarrow \{ 0,1 \}^n\) and the promise that there exists \(s \in \{ 0,1 \}^n\) such that for all \(x, y \in \{ 0,1 \}^n\), \(\left[ f(x) = f(y) \right] \Leftrightarrow \left[ x \oplus y \in \{ 0^n,s \} \right] \), the goal is to find s.
Simon’s algorithm is as follows:
1. Prepare the following 2n-qubit state: \(\frac{1}{\sqrt{2^n}} \sum _{x \in \{ 0,1 \}^n} | x \rangle | 0 \rangle \).
2. A quantum query to the function f maps this state to \(\frac{1}{\sqrt{2^n}} \sum _{x \in \{ 0,1 \}^n} | x \rangle | f(x) \rangle \).
3. Measure the second register in the computational basis and obtain a value f(z). Then, by the promise \(f(x) = f(x \oplus s)\), the first register collapses to
$$\begin{aligned} \frac{1}{\sqrt{2}} ( | z \rangle + | z \oplus s \rangle ). \end{aligned}$$
4. Apply the Hadamard transformation to the first register and get
$$\begin{aligned} \frac{1}{\sqrt{2}}\frac{1}{\sqrt{2^n}} \sum _{y \in \{ 0,1 \}^n} (-1)^{y \cdot z} (1 + (-1)^{y \cdot s}) | y \rangle . \end{aligned}$$
5. Measure the first register and obtain a vector y.
The obtained vector y satisfies \(y \cdot s = 0\), since the amplitude of every y with \(y \cdot s = 1\) is 0. By repeating the above process, we obtain \(\mathcal {O}\left( n\right) \) vectors y such that \(y \cdot s = 0\); once n − 1 of them are linearly independent, s is the unique nonzero solution of the resulting linear system over \(\mathbb {F}_2\), and therefore we can recover s.
Let \(\varepsilon (f,s) := \max _{t \in \{ 0,1 \}^n \backslash \{ 0^n,s \}} \Pr _x[f(x) = f(x \oplus t)]\) for a function \(f: \{ 0,1 \}^n \rightarrow \{ 0,1 \}^n\) satisfying the promise of Simon’s algorithm (\(f(x \oplus s) = f(x)\) for all x). The following bound on the success probability of Simon’s algorithm is shown in [12].
Proposition 1
(Theorem 1 in [12]). Let \(f: \{ 0,1 \}^n \rightarrow \{ 0,1 \}^n\) be a function such that \(f(x \oplus s) = f(x)\) for all x, and let c be a positive integer. If \(\varepsilon (f,s) \le p_0 < 1\) holds for probability \(p_0\), then Simon’s algorithm returns s with cn queries, with probability at least \(1 - \left( 2 \left( \frac{1+p_0}{2} \right) ^c \right) ^n\).
Next, we describe the SAMAC scheme \(\mathsf {SAMAC}_{ex} = (\mathsf {KGen},\mathsf {STag},\mathsf {SVrfy})\) of [8] as follows: Let \((\mathsf {KGen}, \mathsf {Tag}, \mathsf {Vrfy})\) be a deterministic MAC with a tag space \(\mathcal {T}\), and let \(\mathsf {PRP}: \mathcal {K}_{\mathsf {PRP}} \times \mathcal {T}\rightarrow \mathcal {T}\) be a pseudorandom permutation.
- \(\mathsf {k}_{\mathsf {id}} \leftarrow \mathsf {KGen}(1^\lambda , \mathsf {id})\): Generate keys \(\mathsf {k}_{\mathsf {MAC}} \leftarrow \mathsf {MAC}.\mathsf {KGen}\) and \(\mathsf {k}_{\mathsf {PRP}} \leftarrow \mathcal {K}_{\mathsf {PRP}}\). Output \(\mathsf {k}_{\mathsf {id}} := (\mathsf {k}_{\mathsf {MAC}},\mathsf {k}_{\mathsf {PRP}})\).
- \(\tau \leftarrow \mathsf {STag}(\mathsf {k}_{\mathsf {id}},m,\tau ^\prime )\): Compute \(t \leftarrow \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m)\), and then output \(\tau \leftarrow \mathsf {PRP}(\mathsf {k}_{\mathsf {PRP}},t \oplus \tau ^\prime )\).
- \(1/0 \leftarrow \mathsf {SVrfy}(K,(M,\tau ^\prime ),\tau )\): Compute \(\tilde{\tau } \leftarrow \mathsf {STag}(\mathsf {k}_{\mathsf {id}_{\sigma (\ell )}}, m_{\ell }, \mathsf {STag}(\ldots ,\mathsf {STag}(\mathsf {k}_{\mathsf {id}_{\sigma (1)}},m_1,\tau ^\prime )\ldots ))\). Output 1 if \(\tau = \tilde{\tau }\), or output 0 otherwise.
Finally, we describe the attack against \(\mathsf {SAMAC}_{ex}\). We fix two arbitrary messages \(m_0,m_1 \in \mathcal {M}\) (\(m_0 \ne m_1\)), and the function of Simon’s problem is defined through the tagging oracle as \(f(b \parallel x) := \mathsf {STag}(\mathsf {k}_{\mathsf {id}}, m_b, x) = \mathsf {PRP}(\mathsf {k}_{\mathsf {PRP}}, \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_b) \oplus x)\) for \(b \in \{ 0,1 \}\) and \(x \in \{ 0,1 \}^n\).
For \(s = 1 \parallel \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_0) \oplus \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_1)\), the function f meets the promise of Simon’s problem: since \(\mathsf {PRP}(\mathsf {k}_{\mathsf {PRP}}, \cdot )\) is a permutation, \(f(b \parallel x) = f(b^\prime \parallel x^\prime )\) holds if and only if \(\mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_b) \oplus x = \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_{b^\prime }) \oplus x^\prime \), i.e., if and only if \((b \parallel x) \oplus (b^\prime \parallel x^\prime ) \in \{ 0^{n+1}, s \}\).
Then, we can generate the following forgery against \(\mathsf {SAMAC}_{ex}\):
1. Fix \(m_0,m_1\) as the messages of a message block, and let the previous tag be \(\tau ^\prime = 0^n \in \mathcal {T}\), the n-bit all-zero string.
2. Submit a classical query \(m_0 \parallel 0^n\) to the tagging oracle of the \(\mathsf {saggUF}- \mathsf {qCMA}\) security game, and receive the aggregate tag \(\tau = \mathsf {PRP}(\mathsf {k}_{\mathsf {PRP}}, \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_0))\).
3. By running Simon’s algorithm with \(\mathcal {O}\left( n\right) \) quantum queries, obtain \(s = 1 \parallel \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_0) \oplus \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_1)\), and hence the value \(\mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_0) \oplus \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_1)\).
4. Output \((m_1 \parallel \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_0) \oplus \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_1), \tau )\) as a forgery.
The above forgery is valid: the verifier recomputes \(\mathsf {PRP}(\mathsf {k}_{\mathsf {PRP}}, \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_1) \oplus \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_0) \oplus \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_1)) = \mathsf {PRP}(\mathsf {k}_{\mathsf {PRP}}, \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_0) \oplus 0^n) = \tau \), while the pair \(m_1 \parallel \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_0) \oplus \mathsf {Tag}(\mathsf {k}_{\mathsf {MAC}},m_1)\) has never been submitted to the tagging oracle.
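The attack above can be checked end to end on a toy instance. The following Python script is an added example and not code from the paper: it instantiates \(\mathsf {SAMAC}_{ex}\) with an 8-bit truncation of HMAC-SHA256 standing in for the deterministic MAC and a key-derived table shuffle standing in for the PRP (both are assumptions chosen so that the \(2^{n+1}\)-dimensional state of Simon's algorithm can be simulated exactly as a state vector), defines \(f(b \parallel x) = \mathsf {STag}(\mathsf {k}_{\mathsf {id}}, m_b, x)\) as above, simulates steps 1 to 5 by evaluating f on every input, collapsing the first register onto the measured preimage set and applying a Walsh-Hadamard transform, solves the collected vectors for s over \(\mathbb {F}_2\), and finally checks that the forged pair verifies under the one classically obtained tag. Keys, messages and the seed are constructed sample data.

```python
import hashlib
import hmac
import random

N_BITS = 8                      # tag length n; toy size so the 2^(n+1) state fits in memory
MASK = (1 << N_BITS) - 1


def mac_tag(k_mac: bytes, m: bytes) -> int:
    """Tag(k_MAC, m): deterministic MAC truncated to n bits (HMAC-SHA256 stands in)."""
    return hmac.new(k_mac, m, hashlib.sha256).digest()[0] & MASK


def make_prp(k_prp: bytes):
    """PRP(k_PRP, .): a keyed permutation of {0,1}^n, here a key-derived table shuffle."""
    table = list(range(1 << N_BITS))
    random.Random(hashlib.sha256(k_prp).digest()).shuffle(table)
    return lambda x: table[x]


def stag(key, m: bytes, tau_prev: int) -> int:
    """STag(k_id, m, tau') = PRP(k_PRP, Tag(k_MAC, m) XOR tau')."""
    k_mac, prp = key
    return prp(mac_tag(k_mac, m) ^ tau_prev)


def simon_function(key, m0: bytes, m1: bytes):
    """f(b || x) := STag(k_id, m_b, x); the (n+1)-bit input carries b in its top bit."""
    def f(inp: int) -> int:
        b, x = inp >> N_BITS, inp & MASK
        return stag(key, m1 if b else m0, x)
    return f


def fwht(amp):
    """Unnormalised Walsh-Hadamard transform: Hadamard on every qubit of register 1."""
    a = list(amp)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                u, v = a[j], a[j + h]
                a[j], a[j + h] = u + v, u - v
        h *= 2
    return a


def simon_sample(f, in_bits: int, rng: random.Random) -> int:
    """Steps 1-5 for one quantum query to f; returns a vector y with y . s = 0."""
    size = 1 << in_bits
    table = [f(x) for x in range(size)]          # the superposition query sees f everywhere
    w = table[rng.randrange(size)]                # measuring register 2 yields f(z), z uniform
    amp = [1 if fx == w else 0 for fx in table]   # register 1 collapses onto the preimages of w
    amp = fwht(amp)                               # step 4: Hadamard transform
    return rng.choices(range(size), weights=[v * v for v in amp])[0]   # step 5: measure


def gf2_nullspace_vector(rows, nbits: int):
    """Unique nonzero s with y . s = 0 for all rows, or None while their rank is < nbits - 1."""
    basis = []                                    # (pivot column, row), kept in reduced echelon form
    for v in rows:
        for p, b in basis:
            if (v >> p) & 1:
                v ^= b
        if v:
            p = v.bit_length() - 1
            basis = [(q, b ^ v if (b >> p) & 1 else b) for q, b in basis]
            basis.append((p, v))
    if len(basis) != nbits - 1:
        return None
    free = next(i for i in range(nbits) if all(i != p for p, _ in basis))
    s = 1 << free                                 # set the single free column; pivots follow
    for p, b in basis:
        if (b >> free) & 1:
            s |= 1 << p
    return s


def attack(seed: int = 0):
    """Run the forgery of Appendix A.1 against a fresh key; the adversary only uses f and one STag call."""
    rng = random.Random(seed)
    k_mac = hashlib.sha256(b"k_mac" + bytes([seed & 0xFF])).digest()   # constructed sample key
    key = (k_mac, make_prp(b"k_prp" + bytes([seed & 0xFF])))
    m0, m1 = b"message zero", b"message one"
    tau = stag(key, m0, 0)                        # step 2: one classical query (m0 || 0^n)
    f = simon_function(key, m0, m1)
    rows, s = [], None
    while s is None:                              # step 3: O(n) quantum queries
        rows.append(simon_sample(f, N_BITS + 1, rng))
        s = gf2_nullspace_vector(rows, N_BITS + 1)
    delta = s & MASK                              # Tag(k_MAC, m0) XOR Tag(k_MAC, m1)
    return {
        "s": s,
        "expected_s": (1 << N_BITS) | (mac_tag(k_mac, m0) ^ mac_tag(k_mac, m1)),
        "quantum_queries": len(rows),
        "forgery_valid": stag(key, m1, delta) == tau,   # step 4: (m1 || delta, tau) verifies
    }
```

Running `attack()` recovers s with a handful more than n quantum queries; the counter in the result shows that the classical query count stays at one, which is what separates this from a generic collision search.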
A.2 The Attack against the Scheme of [19]
We describe the two schemes presented in [19]. Let \(\mathbb {F}_p\) be a finite field of order p, where p is a prime power. The first construction is given as follows:
- \(\mathsf {k}_{\mathsf {id}} \leftarrow \mathsf {KGen}(1^\lambda , \mathsf {id})\): Output a secret key \(\mathsf {k}_{\mathsf {id}} := (a,b) \leftarrow \mathbb {F}_p^2\).
- \(\tau \leftarrow \mathsf {STag}(\mathsf {k}_{\mathsf {id}},m,\tau ^\prime )\): On input a message \(m\in \mathbb {F}_p\) and an aggregate-so-far tag \(\tau ^\prime \in \mathbb {F}_p\), output a tag \(\tau := a \cdot m+ b + \tau ^\prime \in \mathbb {F}_p\).
- \(1/0 \leftarrow \mathsf {SVrfy}(K,(M,\tau ^\prime ),\tau )\): Compute \(\tilde{\tau } \leftarrow \mathsf {STag}(K,(M,\tau ^\prime ))\), i.e., apply \(\mathsf {STag}\) sequentially with the keys in K to the messages in M starting from \(\tau ^\prime \). Output 1 if \(\tau = \tilde{\tau }\), or output 0 otherwise.
The second construction is described as follows:
- \(\mathsf {k}_{\mathsf {id}} \leftarrow \mathsf {KGen}(1^\lambda , \mathsf {id})\): Output a secret key \(\mathsf {k}_{\mathsf {id}} := (a,b,c) \leftarrow \mathbb {F}_p^3\).
- \(\tau \leftarrow \mathsf {STag}(\mathsf {k}_{\mathsf {id}},m,\tau ^\prime )\): On input a message \(m\in \mathbb {F}_p\), an ID \(\mathsf {id}\in \mathbb {F}_p\), and an aggregate-so-far tag \(\tau ^\prime = (s^\prime ,t^\prime ) \in \mathbb {F}_p^2\), output a tag \(\tau := (a \cdot m+ b + s^\prime , a \cdot \mathsf {id}+ c + t^\prime ) \in \mathbb {F}_p^2\).
- \(1/0 \leftarrow \mathsf {SVrfy}(K,(M,\tau ^\prime ),\tau )\): Compute \(\tilde{\tau } \leftarrow \mathsf {STag}(K,(M,\tau ^\prime ))\) as above. Output 1 if \(\tau = \tilde{\tau }\), or output 0 otherwise.
In both schemes, an aggregate tag is the value of a pairwise independent hash function \(h(x) = ax + b\) with \(a,b \in \mathbb {F}_p\). Hence the quantum algorithm in the proof of Lemma 6.3 in [4] applies directly: with only one quantum query, an adversary recovers the secret key \((a,b) \in \mathbb {F}_p^2\) with non-negligible probability and can then forge tags for arbitrary messages. Therefore, the schemes of [19] do not meet the one-time security formalized in Sect. 4.
Appendix B: Concrete Construction of \(\mathsf {SAMAC}_2\)
We describe our concrete \(\mathsf {SAMAC}_2\) scheme based on the learning parity with noise (LPN) problem, using the randomized PRG of [20].
B.1 LPN Problem
We first define an oracle \(\varLambda _{t,n}(\cdot )\) that outputs LPN samples in the following way: Let \(\mathsf {Ber}_{t}\) be the Bernoulli distribution over \(\{ 0,1 \}\) with bias \(t \in (0,1/2)\). For parameters \(t \in (0,1/2)\) and \(n \ge 1\), an oracle \(\varLambda _{t,n}(s)\) takes \(s \in \{ 0,1 \}^n\) as input and outputs samples \((a, a \cdot s \oplus e) \in \{ 0,1 \}^n \times \{ 0,1 \}\) by sampling \(a \leftarrow \{ 0,1 \}^n\) uniformly at random and \(e \leftarrow \mathsf {Ber}_t\). In addition, an oracle \(U_{n}\) outputs uniformly random samples over \(\{ 0,1 \}^n \times \{ 0,1 \}\). The LPN assumption is defined as follows:
Definition 7
(Learning Parity with Noise). The (decisional) \(\mathsf {LPN}_{t,n}\) assumption holds if for any PPT algorithm \(\mathcal {D}\), the advantage of \(\mathcal {D}\) in distinguishing oracle access to \(\varLambda _{t,n}(s)\), for a uniformly random \(s \in \{ 0,1 \}^n\), from oracle access to \(U_{n}\) is negligible.
B.2 Concrete Construction of \(\mathsf {SAMAC}_2\)
We describe a concrete scheme \(\mathsf {SAMAC}_{\mathsf {LPN}} = (\mathsf {KGen},\mathsf {STag},\mathsf {SVrfy})\). The randomized PRG based on LPN is \(G_{a}(s;e) = a \cdot s \oplus e\), where \(a \in \{ 0,1 \}^{\delta n \times n}\) and \(s \in \{ 0,1 \}^n\) are uniformly random, and \(e \in \{ 0,1 \}^{\delta n}\) is a sample drawn from the Bernoulli distribution with a parameter t. We use the following public parameters and primitives based on a security parameter \(\lambda \).
- \(t \in (0,1/2)\) is a parameter for the error distribution \(\mathsf {Ber}_t\).
- An integer n is an LPN parameter determined by \(\lambda \).
- An integer \(v = \mathcal {O}\left( \log {n}\right) \) denotes the block size of messages, and \(\delta := 2^v\).
- A positive integer \(\mu = d v\) denotes the bit-length of message/tag pairs, where d is a positive integer.
- \(G_a: \{ 0,1 \}^n \rightarrow \{ 0,1 \}^{\delta n}\) is a randomized PRG with a uniformly random parameter \(a \in \{ 0,1 \}^{\delta n \times n}\) and a randomness space \(\mathsf {Ber}_{t}^{\delta n}\). \(G_a\) is described as \(G_a(s;e) = a \cdot s \oplus e\), where e is drawn from \(\mathsf {Ber}_{t}^{\delta n}\).
- \(\mathsf {SAMP}: \{ 0,1 \}^n \rightarrow \mathsf {Ber}_{t}^{\delta ^2 n}\) denotes a (deterministic) sampling function which, on input randomness in \(\{ 0,1 \}^n\), outputs \(\delta \) error vectors \(e^{(0\ldots 0)}, \ldots , e^{(1\ldots 1)}\), each distributed according to \(\mathsf {Ber}_{t}^{\delta n}\).
- \(\mathsf {PRF}: \mathcal {K}\times \mathcal {X} \rightarrow \{ 0,1 \}^n\) is a classical PRF.
- \(c\) is a counter value and \(\mathcal {L}_{c} \leftarrow \emptyset \) is a list of counter values kept by the verifier.
\(\mathsf {SAMAC}_{\mathsf {LPN}}\) is constructed as follows:
- \(\mathsf {k}_{\mathsf {id}} \leftarrow \mathsf {KGen}(1^\lambda , \mathsf {id})\): Generate a key as follows:
  1. \(s \leftarrow \{ 0,1 \}^n\), \(\mathsf {k}_{\mathsf {PRF}} \leftarrow \mathcal {K}\).
  2. Output \(\mathsf {k}_{\mathsf {id}} := (s,\mathsf {k}_{\mathsf {PRF}})\).
- \(\tau \leftarrow \mathsf {STag}(\mathsf {k}_{\mathsf {id}},m,\tau ^\prime )\): Split \(\tau ^\prime \) into \((c,y^\prime )\) and generate an aggregate tag in the following way:
  1. \(e^{(0\ldots 00)} \parallel e^{(0\ldots 01)} \parallel \cdots \parallel e^{(1\ldots 11)} \leftarrow \mathsf {SAMP} (\mathsf {PRF}(\mathsf {k}_{\mathsf {PRF}},c))\).
  2. \((z_i)_{i \in [\mu ]} \leftarrow m\parallel y^\prime \in \{ 0,1 \}^{\mu }\).
  3. \(y \leftarrow G_a^{(z_{(d-1)v + 1} \ldots z_{dv})}\bigl( \cdots G_a^{(z_{v+1}\ldots z_{2v})}\bigl( G_a^{(z_1 \ldots z_v)}( s;e^{(z_1 \ldots z_v)});e^{(z_{v+1}\ldots z_{2v})}\bigr) \cdots ;e^{(z_{(d-1)v + 1} \ldots z_{dv})}\bigr)\).
  4. Output \(\tau := (c, y)\).
- \(1/0 \leftarrow \mathsf {SVrfy}(K,(M,\tau ^\prime ),\tau )\): Verify \(((M,\tau ^\prime ),\tau )\) in the following way, where c is the counter contained in \(\tau \):
  1. Output 0 if \(c\in \mathcal {L}_{c}\).
  2. \(\tilde{\tau } \leftarrow \mathsf {STag}(\mathsf {k}_{\mathsf {id}_{\sigma (\ell )}}, m_{\ell }, \mathsf {STag}(\ldots \mathsf {STag}(\mathsf {k}_{\mathsf {id}_{\sigma (1)}},m_1,\tau ^\prime ) \ldots ))\).
  3. Output 1 and set \(\mathcal {L}_{c} \leftarrow \mathcal {L}_{c} \cup \{ c\}\) if \(\tau = \tilde{\tau }\), or output 0 otherwise.
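As an added example that is not the authors' code, the following Python script instantiates \(\mathsf {SAMAC}_{\mathsf {LPN}}\) with toy parameters (n = 16, v = 2 so that \(\delta = 4\), t = 1/8, 8-bit messages so that \(\mu = 24\) and d = 12; all of these are assumed here and far too small for security). HMAC-SHA256 truncated to n bits stands in for \(\mathsf {PRF}\), a SHA-256 counter stream expands the PRF output into the \(\delta \) error vectors of \(\mathsf {SAMP}\), and a fixed random matrix plays the public parameter a. Two readings are assumptions of this example rather than statements of the paper: \(G_a^{(i)}(s;e)\) is taken to be the i-th n-bit block of \(a \cdot s \oplus e\), and the first signer's aggregate-so-far tag is taken to be \((c, 0^n)\). The demo tags a two-signer chain, verifies it, and then shows that the verifier's counter list rejects a replay with the same counter and that a tampered message fails.

```python
import hashlib
import hmac
import random

# Toy public parameters (assumed for this example; not secure at this size)
N = 16                  # LPN dimension n
V = 2                   # block size v, so delta = 2^v
DELTA = 1 << V
T_NUM, T_DEN = 1, 8     # Bernoulli parameter t = 1/8
MSG_BITS = 8            # message length, so mu = MSG_BITS + N = d * v
MU = MSG_BITS + N
D = MU // V
assert D * V == MU
N_MASK = (1 << N) - 1


def gen_matrix(seed: bytes):
    """Public LPN matrix a in {0,1}^{delta n x n}, stored as one n-bit int per row."""
    rng = random.Random(seed)
    return [rng.getrandbits(N) for _ in range(DELTA * N)]


A = gen_matrix(b"public parameter a")   # constructed public parameter


def parity(x: int) -> int:
    return bin(x).count("1") & 1


def prg_block(a, s: int, e: int, i: int) -> int:
    """G_a^{(i)}(s; e): the i-th n-bit block of a.s XOR e (assumed reading of the superscript)."""
    out = 0
    for r, row in enumerate(a):
        out |= parity(row & s) << r
    out ^= e
    return (out >> (i * N)) & N_MASK


def samp(r: int):
    """SAMP: expand n-bit randomness into delta error vectors, each Ber_t^{delta n}, deterministically."""
    seed = r.to_bytes((N + 7) // 8, "big")
    stream = b"".join(hashlib.sha256(seed + bytes([ctr])).digest()
                      for ctr in range((DELTA * DELTA * N + 31) // 32))
    vectors, pos = [], 0
    for _ in range(DELTA):
        e = 0
        for bit in range(DELTA * N):
            if stream[pos] * T_DEN < 256 * T_NUM:    # Pr[byte < 32] = 1/8 = t
                e |= 1 << bit
            pos += 1
        vectors.append(e)
    return vectors


def prf(k_prf: bytes, c: int) -> int:
    """Classical PRF K x X -> {0,1}^n: HMAC-SHA256 of the counter, truncated to n bits."""
    mac = hmac.new(k_prf, c.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") & N_MASK


def kgen(seed: bytes):
    """KGen: secret seed s in {0,1}^n and a PRF key (seeded here so the demo is reproducible)."""
    rng = random.Random(seed)
    return (rng.getrandbits(N), hashlib.sha256(b"prf" + seed).digest())


def stag(key, m: int, tau_prev):
    """STag(k_id, m, tau') for tau' = (c, y'), following steps 1-4 of the construction."""
    s, k_prf = key
    c, y_prev = tau_prev
    errs = samp(prf(k_prf, c))                      # step 1: e^{(0..0)} || ... || e^{(1..1)}
    z = (m << N) | y_prev                           # step 2: z = m || y'
    y = s
    for j in range(D):                              # step 3: walk the d v-bit blocks of z
        blk = (z >> (MU - (j + 1) * V)) & (DELTA - 1)
        y = prg_block(A, y, errs[blk], blk)
    return (c, y)                                   # step 4


class Verifier:
    """SVrfy with the verifier-side counter list L_c."""

    def __init__(self):
        self.seen = set()

    def svrfy(self, keys, messages, tau_prev, tau) -> int:
        c = tau[0]
        if c in self.seen:                          # step 1: reject reused counters
            return 0
        t = tau_prev
        for key, m in zip(keys, messages):          # step 2: recompute the chain
            t = stag(key, m, t)
        if t != tau:
            return 0
        self.seen.add(c)                            # step 3: record c and accept
        return 1


def demo():
    """Two-signer chain: (accept, replay rejected, tampered message rejected)."""
    k1, k2 = kgen(b"signer 1"), kgen(b"signer 2")
    initial = (7, 0)                                # assumed first aggregate-so-far tag (c, 0^n)
    t1 = stag(k1, 0x3C, initial)
    t2 = stag(k2, 0xA5, t1)
    ver = Verifier()
    accepted = ver.svrfy([k1, k2], [0x3C, 0xA5], initial, t2)
    replayed = ver.svrfy([k1, k2], [0x3C, 0xA5], initial, t2)
    tampered = Verifier().svrfy([k1, k2], [0x3C, 0xA4], initial, t2)
    return accepted, replayed, tampered
```

The counter check is what makes the scheme one-time per counter: a verifier that forgets \(\mathcal {L}_{c}\) (for example across restarts) accepts the replay, which the security proof does not cover.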
We obtain the following security result; its proof proceeds in the same way as that of Theorem 3.
Corollary 1
If the \(\mathsf {LPN}_{t,n}\) assumption holds and \(\mathsf {PRF}\) is a pseudorandom function, then \(\mathsf {SAMAC}_{\mathsf {LPN}}\) meets \(\mathsf {saggUF}- \mathsf {qCMA}\) security.
© 2019 Springer Nature Switzerland AG
Sato, S., Shikata, J. (2019). Quantum-Secure (Non-)Sequential Aggregate Message Authentication Codes. In: Albrecht, M. (eds) Cryptography and Coding. IMACC 2019. Lecture Notes in Computer Science(), vol 11929. Springer, Cham. https://doi.org/10.1007/978-3-030-35199-1_15
DOI: https://doi.org/10.1007/978-3-030-35199-1_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-35198-4
Online ISBN: 978-3-030-35199-1