
Post-quantum Security of the Sponge Construction

  • Conference paper
  • In: Post-Quantum Cryptography (PQCrypto 2018)

Abstract

We investigate the post-quantum security of hash functions based on the sponge construction. A crucial property for hash functions in the post-quantum setting is the collapsing property (a strengthening of collision-resistance). We show that the sponge construction is collapsing (and in consequence quantum collision-resistant) under suitable assumptions about the underlying block function. In particular, if the block function is a random function or a (non-invertible) random permutation, the sponge construction is collapsing. We also give a quantum algorithm for finding collisions in an arbitrary function. For the sponge construction, the algorithm complexity asymptotically matches the complexity implied by collision resistance.

This work was supported in part by the Commission of the European Communities through the Horizon 2020 program under project number 645622 PQCRYPTO. CS and JC are supported by a NWO VIDI grant (Project No. 639.022.519). DU was supported by institutional research funding IUT2-1 of the Estonian Ministry of Education and Research, and by the Estonian Centre of Excellence in IT (EXCITE) funded by the ERDF, and the Estonian ICT program 2011–2015 (3.2.1201.13-0022).


Notes

  1. We mean a situation in which the protocols and primitives that are studied are classical, but the attacker can perform quantum computations.

  2. More precisely, [18] shows that relative to certain oracles, a collision-resistant hash function exists that allows such attacks. In particular, this means that there cannot be a relativizing proof that the commitment scheme is binding assuming a collision-resistant hash function.

  3. For example, hash functions using the Merkle-Damgård construction are not well modeled as a random oracle. If we use \( MAC (k,m):=H(k\Vert m)\) as a message authentication code (MAC) with key k, we have that \( MAC \) is secure (unforgeable) when H is a random oracle, but easily broken when H is a hash function built using the Merkle-Damgård construction.

  4. It is not called a compression function, since the domain and range of \({\mathbf {f}}\) are identical.

  5. [5] shows that the sponge construction is indifferentiable from a random oracle in the classical setting. Together with the fact that the random oracle is collision-resistant, collision-resistance of the sponge construction follows.

  6. E.g., M could contain \(\sum _m 2^{-|m| /2}|m\rangle \). Then measuring H(m) will lead to the state \(\sum _{m\, \text {s.t.}\ H(m)=h}\frac{1}{\sqrt{|H^{-1}(h)|}}|m\rangle \), which for large \(|H^{-1}(h)|\) is almost orthogonal to the state \(|m\rangle \) we get when measuring m.

  7. The original construction requires that the last block of \( pad (m)\) is non-zero; this is important for properties other than collision-resistance/collapsing. In this work, we do not put any such requirement on \( pad \). We do, however, assume that \( pad \) outputs at least one block.

  8. In this proof sketch, when we use the expression “measure a” where a is some expression depending on the message m (e.g., a could be \(\mathbf {S}^{\textit{in}}(m)\)), we mean that we measure the register M, not with a complete measurement but with a measurement that gives outcome a (e.g., \(\mathbf {S}^{\textit{in}}(m)\)) when M contains \(|m\rangle \). Formally, that measurement would consist of the projectors \(P_i\) defined by \(P_i:=\sum _{m\ \text {s.t.}\ a=i}|m\rangle \langle m|\). E.g., if we “measure \(\mathbf {S}^{\textit{in}}(m)\)”, the projectors are \(P_i:=\sum _{m\ \text {s.t.}\ \mathbf {S}^{\textit{in}}(m)=i}|m\rangle \langle m|\).

  9. Measuring “whether \(s_{-2}=\bot \)” means a measurement on M defined by projectors P and \(1-P\) where \(P:=\sum _{m\ \text {s.t.}\ s_{-2}=\bot }|m\rangle \langle m|\).
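The notes above refer to the pieces of the sponge construction (the block function f with identical domain and range, the padding function that must output at least one block, the absorb and squeeze phases). The following is an added example, not code from the paper or from any sponge-based standard, that runs the construction end to end. The block function `block_function`, the parameters `RATE_BYTES`/`CAPACITY_BYTES`, the `pad` scheme and all sample inputs are constructed for illustration; in particular `block_function` is a stand-in built from a truncated SHA-256 call so that the control flow can be executed, and it is neither a permutation nor a cryptographically meaningful sponge primitive.

```python
"""Toy sponge construction (absorb / squeeze) over a stand-in block function.

Constructed example: the parameters and the block function are placeholders
chosen so the absorb/squeeze control flow can be run offline, not a real
sponge-based hash.
"""
import hashlib

RATE_BYTES = 8                              # r (bytes): the part of the state we read/write
CAPACITY_BYTES = 8                          # c (bytes): the part that is never exposed
STATE_BYTES = RATE_BYTES + CAPACITY_BYTES   # b = r + c: width of the block function


def block_function(state: bytes) -> bytes:
    """Stand-in for f: {0,1}^b -> {0,1}^b (same domain and range, cf. note 4).

    Built from SHA-256 truncated to b bytes purely so the example runs; it is
    NOT a permutation and NOT a suitable real-world sponge primitive.
    """
    assert len(state) == STATE_BYTES
    return hashlib.sha256(b"toy-f|" + state).digest()[:STATE_BYTES]


def pad(message: bytes) -> bytes:
    """10*1-style padding: append 0x01, zero-fill, set the top bit of the last byte.

    Always produces at least one full r-byte block (the assumption in note 7).
    """
    padded = bytearray(message)
    padded.append(0x01)
    while len(padded) % RATE_BYTES != 0:
        padded.append(0x00)
    padded[-1] |= 0x80
    assert len(padded) >= RATE_BYTES and len(padded) % RATE_BYTES == 0
    return bytes(padded)


def absorbed_blocks(message: bytes) -> int:
    """Number of r-byte blocks the sponge absorbs for this message."""
    return len(pad(message)) // RATE_BYTES


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def sponge(message: bytes, out_len: int) -> bytes:
    """Sponge hash with a variable-length output (absorb, then squeeze)."""
    state = bytes(STATE_BYTES)              # all-zero initial state
    padded = pad(message)

    # Absorb: XOR each block into the rate part of the state, then apply f.
    for i in range(0, len(padded), RATE_BYTES):
        block = padded[i:i + RATE_BYTES]
        rate = xor_bytes(state[:RATE_BYTES], block)
        state = block_function(rate + state[RATE_BYTES:])

    # Squeeze: emit the rate part, applying f between output blocks.
    # The capacity part of the state is never written to the output.
    out = bytearray()
    while len(out) < out_len:
        out += state[:RATE_BYTES]
        if len(out) < out_len:
            state = block_function(state)
    return bytes(out[:out_len])


if __name__ == "__main__":
    # Constructed sample inputs.
    for msg in (b"", b"abc", b"a" * 7, b"a" * 8, b"quantum collapsing"):
        print(len(msg), absorbed_blocks(msg), sponge(msg, 16).hex())
```

The squeeze loop shows why the output of a sponge reveals only r bytes of the b-byte state per step: the c capacity bytes stay internal, which is the structural difference from a Merkle-Damgård hash whose final chaining value is the output itself (the situation note 3 alludes to). Because the padding always yields a full block, even the empty message runs one absorb step.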

References

  1. Ambainis, A.: Quantum walk algorithm for element distinctness. SIAM J. Comput. 37(1), 210–239 (2007)

  2. Aumasson, J.-P., Henzen, L., Meier, W., Naya-Plasencia, M.: Quark: a lightweight hash. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 1–15. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15031-9_1. ISBN 978-3-642-15030-2

  3. Berger, T.P., D’Hayer, J., Marquet, K., Minier, M., Thomas, G.: The GLUON family: a lightweight hash function family based on FCSRs. In: Mitrokotsa, A., Vaudenay, S. (eds.) AFRICACRYPT 2012. LNCS, vol. 7374, pp. 306–323. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31410-0_19. ISBN 978-3-642-31410-0

  4. Bertoni, G., Daemen, J., Peeters, M., van Assche, G.: Sponge functions. In: Ecrypt Hash Workshop, May 2007. http://sponge.noekeon.org/SpongeFunctions.pdf

  5. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11. ISBN 978-3-540-78966-6

  6. Bogdanov, A., Knezevic, M., Leander, G., Toz, D., Varici, K., Verbauwhede, I.: SPONGENT: the design space of lightweight cryptographic hashing. IEEE Trans. Comput. 62(10), 2041–2053 (2013). https://doi.org/10.1109/TC.2012.196. ISSN 0018-9340

  7. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3. ISBN 978-3-642-25384-3

  8. Brassard, G., Hoyer, P., Tapp, A.: Quantum algorithm for the collision problem. arXiv preprint quant-ph/9705002 (1997)

  9. Contini, S., Lenstra, A.K., Steinfeld, R.: VSH, an efficient and provable collision-resistant hash function. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 165–182. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_11. ISBN 978-3-540-34547-3

  10. Czajkowski, J., Groot Bruinderink, L., Hülsing, A., Schaffner, C., Unruh, D.: Post-quantum security of the sponge construction. IACR ePrint 2017/711 (2017)

  11. Guo, J., Peyrin, T., Poschmann, A.: The PHOTON family of lightweight hash functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_13. ISBN 978-3-642-22792-9

  12. Halevi, S., Micali, S.: Practical and provably-secure commitment schemes from collision-free hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 201–215. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_16. ISBN 978-3-540-61512-5

  13. Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_15. ISBN 978-3-662-49384-7

  14. Katz, J., Lindell, Y.: Introduction to Modern Cryptography. Chapman & Hall/CRC Cryptography and Network Security Series, 2nd edn. Taylor & Francis, Milton Park (2014). ISBN 9781466570269

  15. Knight, W., Bloom, D.M.: E2386. Am. Math. Mon. 80(10), 1141–1142 (1973). https://doi.org/10.2307/2318556. http://www.jstor.org/stable/2318556. ISSN 00029890, 19300972

  16. National Institute of Standards and Technology (NIST): Secure Hash Standard (SHS). FIPS PUBS 180-4 (2015). https://doi.org/10.6028/NIST.FIPS.180-4

  17. NIST: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. Draft FIPS 202 (2014). http://csrc.nist.gov/publications/drafts/fips-202/fips_202_draft.pdf

  18. Unruh, D.: Computationally binding quantum commitments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 497–527. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_18. ISBN 978-3-662-49896-5

  19. Unruh, D.: Collapse-binding quantum commitments without random oracles. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 166–195. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_6

  20. Zhandry, M.: A note on the quantum collision and set equality problems. Quant. Inf. Comput. 15(7&8), 557–567 (2015). http://www.rintonpress.com/xxqic15/qic-15-78/0557-0567.pdf


Author information

Correspondence to Jan Czajkowski, Leon Groot Bruinderink, Andreas Hülsing, Christian Schaffner or Dominique Unruh.


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature


Cite this paper

Czajkowski, J., Groot Bruinderink, L., Hülsing, A., Schaffner, C., Unruh, D. (2018). Post-quantum Security of the Sponge Construction. In: Lange, T., Steinwandt, R. (eds) Post-Quantum Cryptography. PQCrypto 2018. Lecture Notes in Computer Science(), vol 10786. Springer, Cham. https://doi.org/10.1007/978-3-319-79063-3_9

  • DOI: https://doi.org/10.1007/978-3-319-79063-3_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-79062-6

  • Online ISBN: 978-3-319-79063-3
