Information-theoretically secure data origin authentication with quantum and classical resources

In conventional cryptography, information-theoretically secure message authentication can be achieved by means of universal hash functions, and requires that the two legitimate users share a random secret key which is twice as long as the message. We address the question as to whether quantum resources can offer any advantage over classical unconditionally secure message authentication codes. It is shown that passive prepare-and-measure quantum message-authentication schemes cannot do better than their classical counterparts. Subsequently we present an interactive entanglement-assisted scheme, which ideally allows for the authentication of classical messages with a classical key which is as long as the message.


I. INTRODUCTION
One of the main information security objectives is to provide assurance about the original source of a received message [1-4]. This goal is usually referred to as data origin authentication, and it is a stronger version of another cryptographic goal, the so-called data integrity. The latter addresses the unauthorized (including accidental) alteration of the message from the time it was created, transmitted or stored by an authorized user. Data origin authentication, on the other hand, provides assurance of the identity of the sender of the message, in addition to data integrity. From another point of view, data origin authentication implicitly provides data integrity, in the sense that if the message is somehow modified, then essentially the source of the message has changed.
Another security objective that is closely related to data origin authentication is the so-called non-repudiation, which prevents the original sender of a specific message from denying his/her action to a third party. This is a stronger requirement than data origin authentication, because the latter provides this assurance to the receiver of the message, but it does not provide any evidence that could be presented to a third party in order, for example, to resolve a dispute between the sender and the receiver.
In modern cryptography, data origin authentication is provided by message-authentication codes (MACs), which require the two legitimate users (sender and receiver) to share a common secret key [1-5].
Typically, MACs are built from block ciphers [1,6] or hash functions [1,3-5,7]. A MAC takes as input the message and the key, and produces an authentication tag, which is sent from the sender to the receiver together with the message. MACs that rely on block ciphers or collision-resistant hash functions offer computational security, as opposed to the Wegman and Carter scheme, which exploits universal hash functions and offers information-theoretic (unconditional) security [3-5,7]. On the other hand, digital signature schemes are the main mechanism for providing non-repudiation, and they typically rely on public-key cryptography [1,2]. Both MACs and digital-signature schemes offer data origin authentication, but only the latter can ensure non-repudiation. Hence, digital-signature schemes are of vital importance in cases where the sender and the receiver of the message do not trust each other (e.g., business applications), and there is the potential of dispute over the message. MACs are widely used in every task where non-repudiation is not an issue (e.g., in authenticated end-to-end communication), mainly because the computational cost associated with the generation and the verification of a tag is considerably smaller than for digital signatures. It is worth noting, however, that MACs can provide non-repudiation in certain realistic scenarios, e.g., when a trusted third party is involved [4].
Data origin authentication and data integrity have also been discussed in a quantum setting. More precisely, Curty and Santos have proposed an authentication protocol for a 1-bit message, which requires the two legitimate users to share a maximally entangled state of qubits [8]. To the best of our knowledge, this is the only quantum MAC (QMAC) scheme in the literature which claims an advantage over the Wegman-Carter scheme. The first quantum digital-signature scheme was proposed by Gottesman and Chuang [9], and relies on the notion of a quantum one-way function, which maps classical bit strings (private keys) to quantum public keys (see also [10-12] for other applications of quantum public keys). Various authors improved on the original scheme of Gottesman and Chuang by removing the need for quantum memory, for authenticated quantum channels, etc. [10,13-16]. These developments go beyond the scope of the present work, and the interested reader may refer to Refs. [17,18] for an extensive list of publications related to quantum digital signatures. It is worth noting, however, that until now all of these quantum digital-signature schemes are far less efficient than classical schemes, which renders them impractical [19,20].
By contrast to the thorough investigation of quantum digital-signature schemes, QMACs remain largely unexplored. The main question we address in the present work is whether prepare-and-measure QMACs can outperform classical schemes for information-theoretically secure data origin authentication. To address this question we define a rather general theoretical framework for symmetric prepare-and-measure QMACs, which is absent from the literature. Subsequently, we show that such schemes cannot do better than their classical counterparts. This result is rather general, and implies that the QMAC scheme of Curty and Santos cannot outperform classical MACs.
The paper is organized as follows. For the sake of completeness, Sec. II contains a brief summary of unconditionally secure classical MACs. In Sec. III we discuss prepare-and-measure QMACs, and our main results are presented in Sec. IV. A summary with concluding remarks is given in Sec. V.

II. UNCONDITIONALLY SECURE CLASSICAL MACS
Two honest users, Alice and Bob, share a common secret random key k, which is uniformly distributed over the set K. The distribution of the secret key is not of our concern here, since it can be achieved by various classical or quantum means that go beyond the scope of data origin authentication.
Alice wants to send an authenticated message m to Bob, and let M denote the message space, with |M| > 1. To authenticate the message, she evaluates the tag t through a publicly known function t := h(k, m). The message and the tag (m, t) are sent to Bob over a classical channel [23]. In general, as a result of forgery or noise, Bob receives (m′, t′), and he accepts the message only if t′ = h(k, m′).
In the framework of MACs, we can define the deception probability P_l^(D) to be the probability for an adversary (Eve) to produce a successful forgery after observing l valid message-tag pairs. In particular, we can distinguish between an impersonation and a substitution attack (also known as key-only and chosen-message attacks, respectively). In the former attack, the adversary does not have access to any message-tag pair (i.e., l = 0), and her task is to create a pair, without knowing the secret key k, that will pass Bob's verification. In the substitution attack, Eve has access to a single valid message-tag pair (m, t), i.e. l = 1, and her task is to produce another message m′ ≠ m such that t′ = h(k, m′). It is straightforward to generalize the substitution attack by giving Eve access to l > 1 valid message-tag pairs.
Note that there is no MAC scheme with P_0^(D) = 0. Although Eve does not know the actual secret key, she may guess the correct tag for her message m with probability at least 1/|T|, where T denotes the set of different possible tags and is assumed to be the same for all messages [3-5]. Hence, we have P_0^(D) ≥ 1/|T|, and the best we can expect from a MAC scheme is to be l-time 1/|T|-secure. One can readily show the following fundamental theorem [4,7].
Theorem 1. An l-time ε-secure MAC must have keys of length at least (l + 1)|log₂(ε)|.
A 1-time 1/|T|-secure MAC can be obtained by means of the Wegman-Carter construction and the use of a strongly universal hash function h_k [3,4,7], which is chosen at random from a class of such functions and is identified uniquely by the shared secret key k. In this case we have P_0^(D) = P_1^(D) = 1/|T|, which are the lowest deception probabilities one can aim at [24]. However, the price one has to pay for attaining these probabilities is that the key scales linearly with the length of the message. More efficient 1-time ε-secure MACs can be constructed by means of ε-almost strongly universal hash functions, for some ε > 1/|T|. For instance, in this context Wegman and Carter have shown that one can have a 1-time 2/|T|-secure MAC with a key length which scales linearly with the length of the tag and logarithmically with the length of the message, i.e., |k| ≃ 4 log₂(|T|) log₂[log₂(M)]. Various ε-almost strongly universal hash functions have been proposed in the literature (e.g., see references in [3-5]), and one can readily build a MAC scheme based on each one of them. The precise value of the security parameter ε and the length of the key vary from scheme to scheme. Strongly universal functions can be viewed as 1/|T|-almost strongly universal hash functions, and it is only in this case that ε = 1/|T|. Finally, universal hash functions have also been exploited in the development of l-time unconditionally secure MACs with l > 1.
The main question we address in the following section is whether there are QMACs which can, in principle, compete with ε-secure classical MACs in terms of the achievable deception probabilities and/or the required key lengths. A corollary of Theorem 1 is that there is no MAC with unbounded-length keys that can provide information-theoretic security for an unbounded number of messages. Hence, following standard textbooks in the field [3,4] as well as existing work on QMACs [8] and quantum digital-signature schemes [10,13-18], we will focus on the most basic scenario pertaining to the authentication of a single message. Moreover, although losses and imperfections during transmission are inevitable in the realization of any quantum protocol, it is always of vital importance to know beforehand if a task can be achieved at least ideally, in the most basic communication scenario. In this spirit, we address the aforementioned question for an ideal scenario, i.e., in the absence of noise and imperfections during the transmission of the quantum states.
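As an added worked example (this code is not from the paper), the following Python snippet implements the classical 1-time Wegman-Carter MAC of this section using the strongly universal family h_(a,b)(m) = (a·m + b) mod p over a small prime p (a constructed toy parameter, so that |M| = |T| = p and |K| = p²). It computes the impersonation and substitution deception probabilities P_0^(D) and P_1^(D) exhaustively over the key space, checks the key length against the bound of Theorem 1 for l = 1 and ε = 1/|T|, and shows why the scheme is 1-time only: two observed message-tag pairs with distinct messages determine the key, so a key must never be reused.

```python
"""Added example (not the paper's code): a 1-time Wegman-Carter MAC built from
the strongly universal family h_(a,b)(m) = (a*m + b) mod p, with exhaustive
evaluation of the impersonation and substitution deception probabilities."""
from fractions import Fraction
from itertools import product
import math

P = 11  # constructed toy parameter: message, tag and key coordinates live in Z_p


def tag(key, m, p=P):
    """Tag t = h_k(m) for the key k = (a, b) drawn uniformly from Z_p x Z_p."""
    a, b = key
    return (a * m + b) % p


def verify(key, m, t, p=P):
    """Bob's check: accept (m', t') iff t' == h_k(m')."""
    return tag(key, m, p) == t


def key_space(p=P):
    return list(product(range(p), repeat=2))  # |K| = p^2


def key_bits(p=P):
    """Actual key length in bits, log2|K| = 2 log2 p."""
    return math.log2(len(key_space(p)))


def theorem1_lower_bound(l, eps):
    """Theorem 1: an l-time eps-secure MAC needs at least (l+1)|log2 eps| key bits."""
    return (l + 1) * abs(math.log2(eps))


def impersonation_deception_probability(p=P):
    """P_0^(D): Eve holds no key and no observed pair; she picks the (m, t)
    accepted by the largest fraction of keys (the key is uniform over K)."""
    keys = key_space(p)
    best = Fraction(0)
    for m in range(p):
        for t in range(p):
            accepted = sum(1 for k in keys if verify(k, m, t, p))
            best = max(best, Fraction(accepted, len(keys)))
    return best


def substitution_deception_probability(p=P):
    """P_1^(D): Eve has seen one valid (m, t) and forges (m', t') with m' != m;
    her success is measured over the keys still consistent with (m, t)."""
    keys = key_space(p)
    best = Fraction(0)
    for m in range(p):
        for t in range(p):
            consistent = [k for k in keys if verify(k, m, t, p)]
            for m2 in range(p):
                if m2 == m:
                    continue
                for t2 in range(p):
                    accepted = sum(1 for k in consistent if verify(k, m2, t2, p))
                    best = max(best, Fraction(accepted, len(consistent)))
    return best


def key_from_two_pairs(pair1, pair2, p=P):
    """Why the scheme is 1-time only: two valid pairs with distinct messages
    pin down (a, b) by solving the 2x2 linear system over Z_p."""
    (m1, t1), (m2, t2) = pair1, pair2
    a = ((t1 - t2) * pow(m1 - m2, -1, p)) % p
    b = (t1 - a * m1) % p
    return (a, b)


if __name__ == "__main__":
    print("P_0^(D) =", impersonation_deception_probability())
    print("P_1^(D) =", substitution_deception_probability())
    print("key bits used:", key_bits(),
          "Theorem 1 bound:", theorem1_lower_bound(1, Fraction(1, P)))
```

Both deception probabilities come out as exactly 1/p = 1/|T|, and the 2 log₂ p key bits match the Theorem 1 bound with equality, which is the sense in which the strongly universal construction is optimal but key-hungry: the key is twice the length of the (one-element) message.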

III. THEORETICAL FRAMEWORK FOR UNCONDITIONALLY SECURE PREPARE-AND-MEASURE QMACS
We begin with a rather general theoretical framework for unconditionally secure prepare-and-measure QMACs, which is absent from the literature. For the sake of consistency, the adopted framework follows closely the one for classical MACs that was summarized in the previous section.
Two honest users, Alice and Bob, share a random secret key k, uniformly distributed over the set K, and Alice wants to send an authenticated classical message m ∈ M to Bob, where |M| ≥ 2. The key is independent of the message, and we have the condition We will assume that the tagging of the message involves the state of a d-dimensional quantum system, which is initially prepared in some publicly known quantum state |Ψ_in⟩. Typically, a QMAC involves a publicly known set of (unitary) tagging operations {Ê_τ : τ ∈ T}, where the classical label is a function of the key and the message, i.e., τ = f(k, m) with publicly known f : K × M → T. For a given pair (k, m), the operation Ê_τ is applied on the initial state of the system, thereby obtaining the quantum state Let Q_m := {|Ψ_τ⟩ : τ = f(k, m), k ∈ K} denote the set of possible quantum states corresponding to a given message m ∈ M. Each quantum state is identified by the label τ = f(k, m), and the tagging operation is chosen such that for any possible message m ∈ M there exist distinct labels τ, τ′ ∈ T such that λ_{τ,τ′} := |⟨Ψ_τ′|Ψ_τ⟩| > 0. Given that m is fixed, the distinct labels correspond to distinct keys. The quantum state |Ψ_τ⟩ serves as a quantum tag of the message m when Alice and Bob share the secret key k, and it is sent together with the message to Bob [23]. As a result of noise or Eve's intervention, Bob will receive the pair (m′, |ϕ⟩), and his task is to infer whether the received message has originated from Alice or not. In prepare-and-measure QMACs this decision is made based solely on a local measurement, perhaps after a local operation, on the received quantum tag. That is, there is no need for additional communication between Alice and Bob, and the latter accepts the message as authentic only if the outcome of the measurement is consistent with the expected quantum tag |Ψ_τ⟩.
We are interested in protocols with deterministic decision making, where Bob always accepts (with probability 1) the message-tag pair of honest Alice, with whom he shares the secret key. Completeness/correctness of the protocol implies that the same must also hold if Eve succeeds in guessing a valid message-tag pair. This is because, as far as Bob is concerned, the only feature that discriminates Alice from Eve is the secret key that he shares with Alice. If Eve happens to guess a valid message-tag pair correctly, this feature ceases to exist.
In general, different keys may yield the same label (and thus quantum tag) for the same message. Hence, for a given message m, the key space K can be partitioned into smaller non-overlapping subspaces Each subspace contains all the keys that lead to the same label τ ∈ T for the given message m ∈ M, while different subspaces correspond to different labels, and thus we have as many subspaces as labels.
The following discussion focuses on prepare-and-measure QMACs, and thus from now on the term prepare-and-measure will be omitted for the sake of brevity. For direct comparison to standard ε-secure classical MACs (see Sec. II), throughout this work we consider symmetric QMACs, which treat equally all of the possible messages and keys. Hence, |K_{m,τ}| = L for all m ∈ M and τ ∈ T, while the number of labels is related to the size of the key space as follows: |T| = |K|/L. The probability for a quantum tag |ϕ⟩ to be equal to |Ψ_τ⟩ for a given m is given by The number of different possible quantum tags is the same for any given message m ∈ M, and moreover all of the quantum tags are equally probable. There are no preferable (i.e., more probable) messages, keys or tags. Of course, the partition of the key space varies from message to message, in the sense that a key has to yield a different tag for different messages [i.e., h(k, m) ≠ h(k, m′)], and thus it will appear in different subspaces [25]. The impersonation and the substitution attacks in the quantum setting can be defined in complete analogy to the classical setting.
Definition 2. Impersonation attack.-Eve wants to impersonate Alice without knowing the actual secret key k, and without having access to any valid message-tag pair. To this end, she chooses a pair (m, |Ψ_τ′⟩) with τ′ = f(k′, m), and sends it to Bob, hoping that Bob will accept it as a valid message originating from Alice.
Definition 3. Substitution attack.-Eve does not know the secret key k of Alice and Bob, but she has access to a single valid message-tag pair (m, |Ψ_τ⟩). Her task is to produce another message m′ ≠ m, such that the pair (m′, |Ψ_τ̃⟩) with τ̃ = f(k, m′) will be accepted by Bob as a valid message originating from Alice.
In closing, it is worth noting that the theoretical framework we have just presented includes the unconditionally secure classical MACs discussed in Sec. II. More precisely, one recovers the classical MACs when, for any m ∈ M, the possible classical tags t ∈ T̃ are encoded on mutually orthogonal quantum states, i.e., t → |Ψ_t⟩ with λ_{t,t′} = |⟨Ψ_t|Ψ_t′⟩| = 0 ∀t, t′ ∈ T̃ with t ≠ t′. In this case, the security is ensured by the classical tagging, and not by the encoding on the mutually orthogonal states.

IV. RESULTS
At this stage we have defined a rather general theoretical framework for unconditionally-secure QMACs. We can prove the following theorem.
Theorem 2. For any QMAC that falls within the aforementioned framework and involves deterministic decision making, the deception probability for the impersonation attack is higher than what can be achieved by unconditionally-secure classical MACs.
Proof. As discussed in Sec. II, for unconditionally-secure classical MACs P_0^(D) = 1/|T|. We will show that this is not possible for the QMACs discussed in Sec. III, when Bob always accepts (with probability 1) Alice's message.
In view of conditions (3) and (5), all of the keys are equally probable, and for any possible message there are |T| different possible quantum tags. For any message there exist at least two distinct labels, say τ and τ′, such that λ_{τ,τ′} > 0, and in this case Bob cannot discriminate perfectly between the quantum states |Ψ_τ′⟩ and |Ψ_τ⟩.
The probability for Eve to choose the valid message-tag pair (m, |Ψ_τ⟩) is |T|^{-1}, and in this case Bob will certainly accept the pair. In contrast to the classical setting, however, in the case of QMACs there is also a non-vanishing probability for Bob to accept the wrong pair (m, |Ψ_τ′⟩) as valid, because λ_{τ,τ′} > 0. The maximum probability for successful cheating is given by where Q(acc|τ, τ′, m) with τ′ ≠ τ is the conditional probability for Bob to accept Eve's pair, given that Eve has sent (m, |Ψ_τ′⟩) whereas the unknown secret key shared with Alice is k, so that Bob expects |Ψ_τ⟩ for τ = h(k, m).
In unconditionally secure classical MACs, the second term in Eq. (6) vanishes, because Bob can perfectly discriminate between different classical tags. So, the probability for Bob to accept the wrong message-tag pair as valid is zero, thereby obtaining P_0^(D) = 1/|T|. However, for the QMACs of Sec. III there exists at least one message such that λ_{τ,τ′} > 0. This implies a non-vanishing probability for Bob to accept the wrong pair (i.e., max_{τ,τ′,m}{Q(acc|τ, τ′, m)} > 0), and thus P_0^(D) > 1/|T|, which is worse than what can be achieved with classical unconditionally secure MACs.
Based on the above, we conclude that one can have P_0^(D) = 1/|T| only when the quantum tags with distinct labels τ, τ′ ∈ T are mutually orthogonal for any possible message. In this case, however, we essentially deal with a classical MAC, because one can perfectly discriminate between the different quantum tags, and thus the security of the protocol may rely only on the choice of the classical function f(·). The same conclusion can be reached if one works with the average rather than the maximum deception probability. It is also worth emphasizing that these observations and arguments do not depend on the type or the size of the key. This point becomes clearer in the following subsection.

A. A QMAC with quantum key
Curty and Santos have proposed a QMAC for the authentication of a binary message by means of a quantum key [8]. In their protocol, Alice (A) and Bob (B) share a pure entangled state which plays the role of a secret key. The message and the tag are carried by a four-dimensional quantum system "C" (e.g., two qubits), and let {|ϕ_j⟩ : j = 0, 1, 2, 3} be an orthonormal basis. When Alice wants to send the message m ∈ {0, 1} := M, she sends the state |ϕ_m⟩ to Bob, after applying a publicly known tagging operation Ê controlled by the state of her half of the entangled state. More precisely, the tagging operation is given by Ê_AC = (|0⟩⟨0|_A 1_C + |1⟩⟨1|_A Û_C), for a publicly known unitary Û, and the overall state becomes Tracing out the entangled state, the state of the transmitted message-tag pair reads Upon receipt of the message-tag pair, Bob performs the decoding operation D̂_BC = (|0⟩⟨0|_B Û†_C + |1⟩⟨1|_B 1_C), and subsequently a projective measurement in the orthonormal basis {|ϕ_j⟩ : j = 0, 1, 2, 3}. He accepts the pair if the measurement returns one of the first two elements of the basis, i.e., j ∈ {0, 1}, and rejects it otherwise. One can readily confirm that Bob always accepts Alice's message with probability 1.
In this protocol Alice and Bob essentially share a secret key k ∈ K := {0, 1} in the form of an entangled state. For message m Alice sends to Bob |ϕ_m⟩ if k = 0, and Û|ϕ_m⟩ if k = 1. The basis state |ϕ_m⟩ can be viewed as obtained from some publicly known initial state |Ψ_in⟩ by applying V̂_m, i.e., V̂_m|Ψ_in⟩ := |ϕ_m⟩. Hence, the present scheme can be viewed as a special case of the quantum tagging defined in Eq. (4), where the function f(·) is the identity function, and Ê_{k,m} = Û_k ⊗ V̂_m with Û_0 = 1 and Û_1 = Û. The label τ is essentially τ = (k, m), and for a given m ∈ {0, 1} it can take two possible values depending on the value of k, namely {(0, m), (1, m)}. According to Theorem 2 and the related proof, the present scheme cannot achieve P_0^(D) = 1/|T| unless λ_{τ,τ′} = 0 for all possible messages in M and τ, τ′ ∈ T with τ ≠ τ′. This condition reduces to See also appendix A for an example of the impersonation attack.
Let us consider now the substitution attack. Suppose that Eve has access to a valid message-tag pair which is sent from Alice to Bob. Eve's task is to decide whether the transmitted system is in the state |ϕ_m⟩ or Û|ϕ_m⟩. If she succeeds, then she knows whether Bob will apply Û† or not. Given that Û is a publicly known unitary, in this case Eve can cheat successfully by changing m to m ⊕ 1 and by sending |ϕ_{m⊕1}⟩ or Û|ϕ_{m⊕1}⟩ to Bob. In order to prevent such an attack one needs ⟨ϕ_m|Û|ϕ_m⟩ ≠ 0, ∀m ∈ {0, 1}, (11) so that Eve cannot unambiguously distinguish between |ϕ_m⟩ and Û|ϕ_m⟩. However, this requirement contradicts the conditions (10) required for attaining P_0^(D) = 1/|T|. Thus there is no unitary operation Û that can satisfy both of these conditions simultaneously.

B. Decision making based on a symmetry test
We have seen that a broad class of symmetric QMACs cannot attain P_0^(D) = 1/|T|, irrespective of the length of the key. The natural question arises as to whether QMACs in this particular class allow for shorter keys than their classical counterparts, at the cost of accepting slightly larger deception probabilities for the impersonation attack. In this context one may, for instance, accept P_0^(D) = 1/|T| + δ in Eq. (6), for some small correction 0 < δ ≤ 1/|T|. The precise value of δ is determined by the set of overlaps {λ_{τ,τ′} : τ, τ′ ∈ T with τ ≠ τ′}, as well as by the strategy based on which Bob accepts/rejects a message-tag pair. In general, Q(acc|τ, τ′, m) increases with increasing λ_{τ,τ′}, which in turn implies increasing deviations of P_0^(D) from 1/|T|; to keep P_0^(D) close to 1/|T| one would like to have the maximum overlap λ_max := max_{k,k′,m}{λ_{τ,τ′}} as small as possible (close to zero), which, however, facilitates Eve's cheating by means of a substitution attack (states with different τ become nearly orthogonal).
One way to circumvent this stumbling block for any given 0 < λ_max < 1 is to use message-tag pairs of the form (m, |Ψ_τ⟩^{⊗(n−1)}). Hence, the probability for Bob to accept an invalid message-tag pair can be reduced to any 0 < ε ≤ 1/(|T| − 1) for a suitable n = O(|log₂(ε)|) [9,11], without the necessity of choosing λ_max close to 0.
It is worth noting here that Bob's task is not to infer the precise state of the quantum tag, but rather to decide whether this state equals the expected state. In other words, given (n − 1) copies of |Ψ_τ′⟩ (received tag) and one copy of the expected tag |Ψ_τ⟩ (which can be prepared locally), Bob has to decide whether |Ψ_τ′⟩ = |Ψ_τ⟩ or |⟨Ψ_τ′|Ψ_τ⟩| < 1. In the former (latter) case he concludes that the received message-tag pair has (not) originated from Alice, and he accepts (rejects) it. This task can be performed, for instance, by means of a symmetry test [21], which is optimal (with respect to the one-sided error requirement). Bob never rejects a valid message-tag pair, while for τ ≠ τ′ the maximum error probability is given by [21,22]
max_{τ,τ′,m}{Q(acc|τ, τ′, m)} = (1/n)[1 + (n − 1)λ_max²]. (12)
Inserting the resulting expression into Eq. (6) and asking for P_0^(D) = 1/|T| + δ yields a condition on n which is meaningful for λ_max < δ|T|/(|T| − 1). Recalling that δ ≤ 1/|T|, one finds that for any chosen 0 < δ ≤ 1/|T| the number of copies n required for attaining P_0^(D) = 1/|T| + δ is more than |T| − 2.
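As an added worked example (not the paper's code), the following Python snippet turns the symmetry-test bound of Eq. (12) into a calculator for the number of tag copies n that Bob needs for a target impersonation deception probability 1/|T| + δ. It assumes the decomposition read off from the proof of Theorem 2: Eve's guess is the valid tag with probability 1/|T| and is then always accepted, and otherwise it is accepted with probability at most max Q(acc|τ, τ′, m); the reachability condition it derives from Eq. (12) is on λ_max², since Eq. (12) decreases towards λ_max² as n grows. All parameter values in the usage are constructed.

```python
"""Added example (not the paper's code): number of tag copies n needed by the
symmetry-test decision rule of Sec. IV.B, starting from Eq. (12)."""
from fractions import Fraction
import math


def symmetry_test_error(n, lam_max):
    """Eq. (12): max_{tau,tau',m} Q(acc|tau,tau',m) = [1 + (n-1) lam_max^2] / n
    for one locally prepared expected tag plus n-1 received copies."""
    lam = Fraction(lam_max)
    return (1 + (n - 1) * lam ** 2) / n


def impersonation_probability(n, lam_max, T):
    """Assumed decomposition (read from the proof of Theorem 2): Eve's guess is
    the valid tag with probability 1/|T| and is then always accepted; otherwise
    it is accepted with probability at most max Q from Eq. (12)."""
    return Fraction(1, T) + (1 - Fraction(1, T)) * symmetry_test_error(n, lam_max)


def copies_needed(T, delta, lam_max):
    """Smallest n with P_0^(D) <= 1/|T| + delta, or None if no n achieves it.
    The target reduces to max Q <= q := delta*|T|/(|T|-1); because Eq. (12)
    tends to lam_max^2 from above as n grows, q must exceed lam_max^2."""
    lam, delta = Fraction(lam_max), Fraction(delta)
    q = delta * T / (T - 1)
    if lam ** 2 >= q:
        return None
    # (1 + (n-1) lam^2)/n <= q  <=>  n >= (1 - lam^2) / (q - lam^2)
    return math.ceil((1 - lam ** 2) / (q - lam ** 2))


def exceeds_T_minus_2(T, delta, lam_max):
    """Check of the paper's statement that n > |T| - 2 whenever delta <= 1/|T|."""
    n = copies_needed(T, delta, lam_max)
    return n is not None and n > T - 2


if __name__ == "__main__":
    # constructed parameters: tag space of size 4, delta = 1/|T|, overlap 1/4
    T, delta, lam = 4, Fraction(1, 4), Fraction(1, 4)
    n = copies_needed(T, delta, lam)
    print("copies needed:", n, "P_0^(D) =", impersonation_probability(n, lam, T))
```

Exact rationals are used throughout so that the ceiling in copies_needed is not disturbed by floating-point rounding; with |T| = 4, δ = 1/4 and λ_max = 1/4 the rule asks for n = 4 copies, which is already more than |T| − 2 = 2, and raising |T| makes n grow linearly with it.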

V. SUMMARY
We have discussed unconditionally secure data origin authentication by means of classical and quantum resources. The main question we have addressed is whether prepare-and-measure QMACs can outperform classical unconditionally secure MACs. This fundamental question is of pivotal importance for the field, and to the best of our knowledge it has not been addressed adequately in the literature so far. Although losses and imperfections are inevitable in the realization of any quantum protocol, it is always important to know beforehand if a task can be achieved at least ideally, in the most basic communication scenario. Hence, the above question has been addressed in the framework of 1-time authentication under an ideal scenario. We showed that even under such favorable conditions, a broad class of prepare-and-measure QMACs cannot do better than their classical counterparts, in the sense that they cannot attain deception probabilities P_0^(D) = 1/|T|. This result contradicts certain conjectures that have been made in previous related work [8]. Moreover, we showed that the key length required for attaining both P_0^(D) = 1/|T| + δ (with 0 < δ ≤ 1/|T|) and P_1^(D) ∼ 1/|T| increases linearly with the size of the tag space |T|, as opposed to the logarithmic scaling in known classical schemes with similar deception probabilities.
The present analysis and results pertain to a particular, yet rather broad, class of symmetric prepare-and-measure QMACs. From a practical point of view, this type of QMAC is of particular interest, because the receiver can decide on the authenticity of the message based solely on the received message-tag pair, and there is no need for additional communication between the sender and the receiver. The present work may serve as a benchmark for future work in the field. More precisely, the generality of the results suggests that any future efforts for the development of unconditionally secure QMACs which can outperform their classical counterparts should focus on protocols outside the present class (this is, for instance, the case for interactive and/or entanglement-assisted QMACs). An alternative possible direction of research involves the use of physical unclonable functions with quantum readout (e.g., see [26,27] and references therein).