Formulating and designing authentication of classical messages in the presence of adversaries with quantum query access has been a longstanding challenge, as the familiar classical notions of unforgeability do not directly translate into meaningful notions in the quantum setting. A particular difficulty is how to fairly capture the notion of "predicting an unqueried value" when the adversary can query in quantum superposition. We propose a natural definition of unforgeability against quantum adversaries called blind unforgeability. This notion defines a function to be predictable if there exists an adversary who can use "partially blinded" oracle access to predict values in the blinded region. We support the proposal with a number of technical results. We begin by establishing that the notion coincides with EUF-CMA in the classical setting and go on to demonstrate that the notion is satisfied by a number of simple guiding examples, such as random functions and quantum-query-secure pseudorandom functions. We then show the suitability of blind unforgeability for supporting canonical constructions and reductions. We prove that the "hash-and-MAC" paradigm and the Lamport one-time digital signature scheme are indeed unforgeable according to the definition. To support our analysis, we additionally define and study a new variety of quantum-secure hash functions called Bernoulli-preserving. Finally, we demonstrate that blind unforgeability is stronger than a previous definition of Boneh and Zhandry [EUROCRYPT '13, CRYPTO '13] in the sense that we can construct an explicit function family which is forgeable by an attack that is recognized by blind-unforgeability, yet satisfies the definition by Boneh and Zhandry.
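As an added illustration (not code from the paper or its authors), the following Python script plays the classical, non-superposition version of the blind-unforgeability game described above: every message is placed in the blinded region independently with probability `EPS`, queries on blinded messages return ⊥ (here `None`), and the adversary wins only by producing a valid tag on a message inside the blinded region. The names `BlindedOracle`, `run_game`, `win_rate`, the demo key and the toy `weak_mac` (which deliberately ignores the last message byte, so a tag carries over to a neighbouring message) are all constructed for the demonstration. Quantum-superposition queries, the setting the paper actually targets, are not modelled.

```python
import hashlib
import hmac
import random
from typing import Callable, Optional

# Constructed demo key so the run is reproducible; a real MAC key is random.
KEY = b"constructed-demo-key-not-secret!"
EPS = 0.5  # blinding probability epsilon (assumed value for the demo)

MacFn = Callable[[bytes], bytes]


def secure_mac(msg: bytes) -> bytes:
    """The MAC under test: HMAC-SHA256 over the whole message."""
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def weak_mac(msg: bytes) -> bytes:
    """Constructed toy MAC that ignores the last byte of the message, so a
    tag on m||0x00 also verifies for m||0x01.  It exists only to show what a
    genuine forgery looks like inside the blinded game."""
    return hmac.new(KEY, msg[:-1], hashlib.sha256).digest()


class BlindedOracle:
    """Classical instance of the 'partially blinded' oracle B_eps f.

    Each message is put into the blinded region independently with
    probability eps.  Membership is decided the first time a message is seen
    and then remembered, so the region is fixed for the whole game.  Queries
    on blinded messages return None (the paper's bottom symbol); all other
    queries return the real tag.
    """

    def __init__(self, mac: MacFn, eps: float, rng: random.Random):
        self._mac, self._eps, self._rng = mac, eps, rng
        self._blinded: dict[bytes, bool] = {}

    def in_blinded_region(self, msg: bytes) -> bool:
        if msg not in self._blinded:
            self._blinded[msg] = self._rng.random() < self._eps
        return self._blinded[msg]

    def query(self, msg: bytes) -> Optional[bytes]:
        return None if self.in_blinded_region(msg) else self._mac(msg)

    def forgery_wins(self, msg: bytes, tag: bytes) -> bool:
        # Win condition: the message lies in the blinded region and the tag
        # verifies.  No "was this queried?" list is needed: any message whose
        # tag the adversary received was, by construction, not blinded.
        return self.in_blinded_region(msg) and hmac.compare_digest(tag, self._mac(msg))


Adversary = Callable[[BlindedOracle], tuple[bytes, bytes]]


def replay_adversary(oracle: BlindedOracle) -> tuple[bytes, bytes]:
    """Re-submits a tag it obtained from the oracle.  The blinded game never
    credits this: a message that returned a tag is outside the region."""
    for i in range(8):
        msg = b"invoice-%d\x00" % i
        tag = oracle.query(msg)
        if tag is not None:
            return msg, tag
    return b"invoice-0\x00", bytes(32)  # every query was blinded; give up


def suffix_adversary(oracle: BlindedOracle) -> tuple[bytes, bytes]:
    """Obtains a tag on m||0x00 and submits it for the unqueried m||0x01.
    Against weak_mac the tag still verifies; against secure_mac it does not."""
    for i in range(8):
        base = b"invoice-%d" % i
        tag = oracle.query(base + b"\x00")
        if tag is not None:
            return base + b"\x01", tag
    return b"invoice-0\x01", bytes(32)


def run_game(mac: MacFn, adversary: Adversary, eps: float, seed: int) -> bool:
    """One seeded game: sample the blinded region lazily, run the adversary,
    and report whether its output counts as a forgery."""
    oracle = BlindedOracle(mac, eps, random.Random(seed))
    msg, tag = adversary(oracle)
    return oracle.forgery_wins(msg, tag)


def win_rate(mac: MacFn, adversary: Adversary, eps: float = EPS, trials: int = 200) -> float:
    """Fraction of seeded games the adversary wins (deterministic for fixed inputs)."""
    return sum(run_game(mac, adversary, eps, s) for s in range(trials)) / trials


if __name__ == "__main__":
    print("replay vs HMAC     :", win_rate(secure_mac, replay_adversary))  # 0.0
    print("suffix vs HMAC     :", win_rate(secure_mac, suffix_adversary))  # 0.0
    print("suffix vs weak MAC :", win_rate(weak_mac, suffix_adversary))    # roughly eps = 0.5
```

Two points the run makes concrete. First, the game needs no record of which messages were queried: the blinded region plays that role, which is exactly what makes the definition transferable to superposition queries, where "the set of queried messages" has no clean meaning. Second, the forger against `weak_mac` wins in about an `EPS` fraction of games, which is why the definition quantifies over the blinding probability rather than fixing it: at `eps = 0` nothing is blinded and nobody can win, at `eps = 1` every query returns ⊥ and the adversary learns nothing.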