1. Introduction
One of the main information security objectives is to provide assurance about the original source of a received message [
1,
2,
3,
4]. This goal is usually referred to as data origin authentication, and it is a stronger version of another cryptographic goal, the so-called data integrity. The latter addresses the unauthorized (including accidental) alteration of the message, from the time it was created, transmitted or stored by an authorized user. Data origin authentication, on the other hand, provides assurance of the identity of the sender of the message, in addition to data integrity. From another point of view, data origin authentication implicitly provides data integrity, in the sense that if the message is somehow modified, then essentially the source of the message has changed.
Another security objective that is closely related to data origin authentication, is the so-called non-repudiation, which prevents the original sender of a specific message from denying to a third party his/her action. This is a stronger requirement than data origin authentication, because the latter provides this assurance to the receiver of the message, but it does not provide any evidence that could be presented to a third party in order, for example, to resolve a dispute between the sender and the receiver.
In modern cryptography, data origin authentication is provided by message-authentication codes (MACs), which require the two legitimate users (sender and receiver) to share a common secret key [
1,
2,
3,
4,
5]. Typically, MACs are built from block ciphers [
1,
6] or hash functions [
1,
3,
4,
5,
7]. A MAC takes as input the message and the key, and produces an authentication tag, which is sent from the sender to the receiver, together with the message. MACs that rely on block ciphers or collision resistant hash functions offer computational security, as opposed to the Wegman and Carter scheme, which exploits universal hash functions and offers information-theoretic (unconditional) security [
3,
4,
5,
7]. On the other hand, digital signature schemes are the main mechanism for providing non-repudiation and they typically rely on public-key cryptography [
1,
2]. Both MACs and digital-signature schemes offer data origin authentication, but only the latter can ensure non-repudiation. Hence, digital-signature schemes are of vital importance in cases where the sender and the receiver of the message do not trust each other (e.g., business applications), and there is the potential of dispute over the message. MACs are widely used in every task, when non-repudiation is not an issue (e.g., in authenticated end-to-end communication), mainly because the computational cost associated with the generation and the verification of a tag is considerably smaller than for digital signatures. It is worth noting, however, that MACs can provide non-repudiation in certain realistic scenarios e.g., when a trusted third party is involved [
4].
Data origin authentication and data integrity have also been discussed in a quantum setting. More precisely, Curty and Santos have proposed an authentication protocol for 1-bit message, which requires the two legitimate users to share a maximally entangled state of qubits [
8]. To the best of our knowledge, this is the only quantum MAC (QMAC) scheme in the literature, which claims an advantage over the Wegman–Carter scheme. The first quantum digital-signature scheme has been proposed by Gottesman and Chuang [
9], and relies on the notion of a quantum one-way function, which maps classical bit strings (private keys) on quantum public keys (see also [
10,
11,
12] for other applications of quantum public keys). Various authors improved on the original scheme of Gottesman and Chuang, by removing the need for quantum memory, for authenticated quantum channels, etc. [
10,
13,
14,
15,
16]. These develpments go beyond the scope of the present work, and the interested reader may refer to Refs. [
17,
18], for an extensive list of publications related to quantum digital signatures. It is worth noting, however, that until now all of these quantum digital-signature schemes have been far less efficient than classical schemes, which renders them impractical [
19,
20].
By contrast to the thorough investigation of quantum digital-signature schemes, QMACs remain largely unexplored. The main question we address in the present work is whether prepare-and-measure QMACs can outperform classical schemes for information-theoretically secure data origin authentication. To address this question, we define a rather general theoretical framework for symmetric prepare-and-measure QMACs, which is absent from the literature. Subsequently, we show that such schemes cannot do better than their classical counterparts. This result is rather general, and implies that the QMAC scheme of Curty and Santos cannot outperform classical MACs.
The paper is organized as follows. For the sake of completeness,
Section 2 contains a brief summary of unconditionally secure classical MACs. In
Section 3, we discuss prepare-and-measure QMACs, and our main results are presented in
Section 4. A summary with concluding remarks is given in
Section 5.
2. Unconditionally Secure Classical MACs
Two honest users, Alice and Bob, share a common secret random key k, which is uniformly distributed over the set . The distribution of the secret key is not our concern here, since it can be achieved by various classical or quantum means that go beyond the scope of data origin authentication.
Alice wants to send an authenticated message m to Bob, and let denote the message space, with . To authenticate the message, she evaluates the tag t, through a publicly known function . The message and the tag are sent to Bob over a classical channel (throughout this work we focus on data origin authentication, and hence we assume that the message is sent in the clear together with the tag. If confidentiality is also an issue, the message has to be encrypted). In general, as a result of forgery or noise, Bob receives and he accepts the message only if . In the framework of MACs, we can define the deception probability , to be the probability for an adversary (Eve) to produce a successful forgery after observing l valid message-tag pairs. In particular, we can distinguish between an impersonation and a substitution attack (also known as key-only and chosen-message attacks, respectively). In the former attack, the adversary does not have access to any message-tag pair (i.e., ), and her task is to create a pair, without knowing the secret key k, that will pass Bob’s verification. In the substitution attack, Eve has access to a single valid message-tag pair , i.e., , and her task is to produce another message , such that . It is straightforward to generalize the substitution attack, by giving Eve access to valid message-tag pairs.
Definition 1. A MAC is l-time -secure, if for all (including unbounded) adversaries, .
Note that there is no MAC scheme with
. Although Eve does not know the actual secret key, she may guess the correct tag for her message
m with probability at least
, where
denotes the set of different possible tags and it is assumed to be the same for all messages [
3,
4,
5]. Hence, we have
and the best we can expect from a MAC scheme is to be
l-time
-secure. One can readily show the following fundamental theorem [
4,
7].
Theorem 1. An l-time ε-secure MAC must have keys of length at least .
A 1-time
-secure MAC can be obtained by means of the Wegman–Carter construction, and the use of a strongly universal hash function
[
3,
4,
7], which is chosen at random from a class of such functions, and it is identified uniquely by the shared secret key
k. In this case we have
which are the lowest deception probabilities one can aim at (it is worth noting, and keeping in mind, that the calculation of deception probabilities for classical MACs typically pertains to the worst-case scenario i.e., it involves a maximization over all possible cheating strategies for Eve). However, the cost one has to pay for attaining these probabilities is that the key scales linearly with the length of the message. More efficient 1-time
secure MACs can be constructed by means of
almost strongly universal hash functions, for some
. For instance, in this context, Wegman and Carter have shown that one can have a 1-time
secure MAC with a key length which scales linearly with the length of the tag, and logarithmically with the length of the message i.e.,
. Various
almost strongly universal hash functions have been proposed in the literature (e.g., see references in [
3,
4,
5]), and one can readily build a MAC scheme based on each one of them, with
The precise value of the security parameter and the length of the key vary from scheme to scheme. Strongly universal functions can be viewed as almost strongly universal hash functions, and it is only in this case that . Finally, universal hash functions have also been exploited in the development of time unconditionally secure MACs, with .
The main question we address in the following section is whether there are QMACs which can, in principle, compete with
secure classical MACs, in terms of the achievable deception probabilities and/or perhaps the required key lengths. A corollary of Theorem 1 is that there is no MAC with unbounded-length keys that can provide information-theoretic security for an unbounded number of messages. Hence, following standard textbooks in the field [
3,
4] as well as existing work on QMACs [
8] and quantum digital-signature schemes [
10,
13,
14,
15,
16,
17,
18], we will focus on the most basic scenario pertaining to the authentication of a single message. Moreover, although losses and imperfections during transmission are inevitable in the realization of any quantum protocol, it is always of vital importance to know beforehand if a task can be achieved at least ideally, in the most basic communication scenario. In this spirit, we address the aforementioned question for an ideal scenario i.e., in the absence of noise and imperfections during the transmission of the quantum states.
3. Theoretical Framework for Unconditionally Secure Prepare-and-Measure QMACs
We begin with a rather general theoretical framework for unconditionally secure prepare-and- measure QMACs, which is absent from the literature. For the sake of consistency, the adopted framework follows closely the one for classical MACs that was summarized in the previous section.
Two honest users, Alice and Bob, share a random secret key
k, uniformly distributed over the set
, and Alice wants to send an authenticated classical message
to Bob, where
. The key is independent of the message, and we have the condition
We will assume that the tagging of the message involves the state of a
dimensional quantum system, which is initially prepared in some publicly known quantum state
. Typically, a QMAC involves a publicly known set of (unitary) tagging operations
, where the classical label is a function of the key and the message i.e.,
with publicly known
. For a given pair
, the operation
is applied on the initial state of the system, thereby obtaining the quantum state
Let denote the set of possible quantum states corresponding to a given message . Each quantum state is identified by the label , and the tagging operation is chosen such that for any possible message there exist distinct labels such that . Given that m is fixed, the distinct labels correspond to distinct keys.
The quantum state serves as a quantum tag of the message m when Alice and Bob share the secret key k, and it is sent together with the message to Bob. As a result of noise or Eve’s intervention, Bob will receive the pair , and his task is to infer whether the received message has originated from Alice or not. In prepare-and-measure QMACs, this decision is made based solely on a local measurement, perhaps after a local operation, on the received quantum tag. That is, there is no need for additional communication between Alice and Bob, and the latter accepts the message as authentic only if the outcome of the measurement is consistent with the expected quantum tag . We are interested in protocols with deterministic decision making, where Bob always accepts (with probability 1) the message-tag pair of honest Alice, with whom he shares the secret key. Completeness/correctness of the protocol implies that the same must also hold if Eve succeeds in guessing a valid message-tag pair. This is because, as far as Bob is concerned, the only feature that discriminates Alice from Eve is the secret key that he shares with Alice. If Eve happens to correctly guess a valid message-tag pair, this feature ceases to exist.
In general, different keys may yield the same label (and thus quantum tag) for the same message. Hence, for a given message
m, the key space
can be partitioned into smaller non-overlapping subspaces
Each subspace contains all the keys that lead to the same label for the given message , while different subspaces correspond to different labels, and thus we have as many subspaces as labels.
The following discussion focuses on prepare-and-measure QMACs and thus from now on the term prepare-and-measure will be omitted for the sake brevity. For direct comparison to standard
secure classical MACs (see
Section 2), throughout this work we consider symmetric QMACs, which treat equally all of the possible messages and keys. Hence,
for all
, and
, while the number of labels is related to the size of the key space as follows
. The probability for a quantum tag
to be equal to
for a given
m, is given by
The number of different possible quantum tags is the same for any given message , and moreover, all of the quantum tags are equally probable. There are no preferable (i.e., more probable) messages, keys or tags. Of course, the partition of the key space varies from message to message, in the sense that a key has to yield a different tag for different messages (i.e., ), and thus it will appear at different subspaces (If this is not satisfied, then Eve can easily cheat on Bob by substituting m with , because the details of the protocol are publicly known and the message is sent in the clear).
The impersonation and the substitution attacks in the quantum setting can be defined in complete analogy to the classical setting.
Definition 2. Impersonation attack—Eve wants to impersonate Alice without knowing the actual secret key k, and without having access to any valid message-tag pair. To this end, she chooses a pair with , and sends it to Bob, hoping that Bob will accept it as a valid message originated from Alice.
Definition 3. Substitution attack—Eve does not know the secret key k of Alice and Bob, but she has access to a single valid message-tag pair . Her task is to produce another message , such that the pair with will be accepted by Bob as a valid message originated from Alice.
In closing, it is worth noting that the theoretical framework that we have just presented includes the unconditionally secure classical MACs discussed in
Section 2. More precisely, one recovers the classical MACs when for any
, the possible classical tags
are encoded on mutually orthogonal quantum states i.e.,
with
,
with
. In this case, the security is ensured only by the classical tagging, and not by the encoding on the mutually orthogonal states.
4. Results
At this stage, we have defined a rather general theoretical framework for unconditionally secure QMACs. We can prove the following theorem.
Theorem 2. For any QMAC that falls within the aforementioned framework and involves deterministic decision making, the deception probability for the impersonation attack is higher than what can be achieved by unconditionally secure classical MACs.
Proof. As discussed in
Section 2, for unconditionally-secure classical MACs
. We will show that this is not possible for the QMACs discussed in
Section 3, when Bob always accepts (with probability 1) Alice’s message.
In view of conditions (
3) and (
5), all of the keys are equally probable, and for any possible message, there are
different possible quantum tags. For any message, there exist at least two distinct labels, say
and
, such that
, and in this case Bob cannot discriminate perfectly between the quantum states
and
.
The probability for Eve to choose the valid message-tag pair
is
, and in this case, Bob will certainly accept the pair. By contrast to the classical setting, however, in the case of QMACs, there is also a non-vanishing probability for Bob to accept the wrong pair
as valid, because
. The maximum probability for successful cheating is given by
where
with
, is the conditional probability for Bob to accept Eve’s pair, given that Eve has sent
, whereas the unknown secret key shared with Alice is
k so that Bob expects
for
.
In classical unconditionally secure classical MACs, the second term in Equation (
6) vanishes, because Bob can perfectly discriminate between different classical tags. So, the probability for Bob to accept the wrong message-tag pair as valid is zero, thereby obtaining
. However, for the QMACs of
Section 3, there exists at least one message, such that
. This implies a non-vanishing probability for Bob to accept the wrong pair (i.e.,
), and thus
, which is worse than what can be achieved in terms of classical unconditionally secure MACs. □
Based on the above, we conclude that one can have only when the quantum tags with distinct labels are mutually orthogonal for any possible message. In this case, however, we essentially deal with a classical MAC, because one can perfectly discriminate between the different quantum tags, and thus the security of the protocol may rely only on the choice of the classical function . The same conclusion can be reached if one works with the average rather than the maximum deception probability. It is also worth emphasizing that these observations and arguments do not depend on the type or the size of the key. This point becomes clearer in the following subsection.
4.1. A QMAC with Quantum Key
Curty and Santos have proposed a QMAC for the authentication of a binary message, by means of a quantum key [
8]. In their protocol, Alice (A) and Bob (B) share a pure entangled state
which plays the role of a secret key. The message and the tag are carried by a four-dimensional quantum system “C” (e.g., two qubits), and let
be an orthonormal basis.
When Alice wants the send message
, she sends state
to Bob, after applying a publicly known tagging operation
controlled by the state of her half of the entangled state. More precisely, the tagging operation is given by
for a publicly known unitary
, and the overall state becomes
Tracing out the entangled state, the state of the transmitted message-tag pair reads
Upon receipt of the message-tag pair, Bob performs the decoding operation and subsequently a projective measurement on the orthonormal basis . He accepts the pair if the measurement returns one of the first two elements in the basis, i.e., , and rejects it otherwise. One can readily confirm that Bob always accepts Alice’s message with probability 1.
In this protocol, Alice and Bob essentially share a secret key
in the form of an entangled state. For message
m, Alice sends
to Bob if
, and
if
. The basis state
can be viewed as if obtained from some publicly known initial state
by applying
. Hence, the present scheme can be viewed as a special case of the quantum tagging defined in Equation (
4), where the function
is the identity function, and
with
and
. The label
is essentially
and for a given
it can take two possible values depending on the value of
k, namely
. According to Theorem 2 and the related proof, the present scheme cannot achieve
for the impersonation attack, unless
for all possible messages in
and
, with
. This condition reduces to
(See also
Appendix A for an example of the impersonation attack.)
Let us consider now the substitution attack. Suppose that Eve has access to a valid message-tag pair, which is sent from Alice to Bob. Eve’s task is to decide whether the transmitted system is in state
or
. If she succeeds, then she knows whether Bob will apply
or not. Given that
is a publicly known unitary, in this case Eve can cheat successfully by changing
m to
and by sending
or
to Bob. In order to prevent such an attack, one needs
so that Eve cannot perfectly distinguish between
and
. However, this requirement contradicts the conditions (
10), required for attaining
. Thus, there is no unitary operation
that can satisfy both of these conditions simultaneously.
4.2. Decision Making Based on a Symmetry Test
We have seen that a broad class of symmetric QMACs cannot attain
, irrespective of the length of the key. The natural question arises as of whether QMACs in the particular class allow for shorter keys than their classical counterparts, at the cost of accepting slightly larger deception probabilities for the impersonation attack. In this context one may, for instance, accept
in Equation (
6), for some small correction
. The precise value of
is determined by the set of overlaps
, as well as by the strategy based on which Bob accepts/rejects a message-tag pair. In general,
increases with increasing
, which in turn implies increasing deviations of
from the lowest possible value
. To keep
close to
, one would like to have the maximum overlap
as small as possible (close to zero) which, however, facilitates Eve’s cheating by means of a substitution attack (states with different
become nearly orthogonal).
One way to circumvent this stumbling block for any given
is to use message-tag pairs of the form
. Hence, the probability for Bob to accept an invalid message-tag pair can be reduced to any
for a suitable
[
9,
11], without the necessity for choosing
close to 0.
It is worth noting here that Bob’s task is not to infer the precise state of the quantum tag, but rather to decide on whether this state equals the expected state. In other words, given
copies of
(received tag) and one copy of the expected tag
(which can be prepared locally), Bob has to decide whether
or
. In the former (latter) case, he concludes that the received message-tag pair has (not) originated from Alice, and he accepts (rejects) it. This task can be performed, for instance, by means of a symmetry-test [
21], which is optimal (with respect to the one-sided error requirement). Bob never rejects a valid message-tag pair, while for
, the maximum error probability is given by [
21,
22]
Inserting the resulting expression into Equation (
5), and asking for
, we obtain
which is meaningful for
. Recalling that
, we have
which shows that for any chosen
, the number of copies
n required for attaining
is more than
.
In order to have 1-time
secure QMAC, the entropy of the tags should be at least
, where
is the information that Eve can extract from
copies of the
dimensional quantum state
, while according to the Holevo bound,
. Given that the message is known, this entropy can originate only from the key, and thus we ask for
. Using Inequality (
14), we find that
, which scales linearly with
. This is in striking contrast to known
time
secure classical MACs with
, which attain similar deception probabilities for
(see
Section 2 and related references).