The Gap Is Sensitive to Size of Preimages: Collapsing Property Doesn’t Go Beyond Quantum Collision-Resistance for Preimages Bounded Hash Functions

Abstract

As an enhancement of quantum collision-resistance, the collapsing property of hash functions proposed by Unruh (EUROCRYPT 2016) emphasizes the hardness for distinguishing a superposition state of a hash value from a collapsed one. The collapsing property trivially implies the quantum collision-resistance. However, it remains to be unknown whether there is a reduction from the collapsing hash functions to the quantum collision-resistant hash functions. In this paper, we further study the relations between these two properties and derive two intriguing results as follows:

• Firstly, when the size of preimages of each hash value is bounded by some polynomial, we demonstrate that the collapsing property and the collision-resistance must hold simultaneously. This result is proved via a semi-black-box manner by taking advantage of the invertibility of a unitary quantum circuit.

• Next, we further consider the relations between these two properties in the exponential-sized preimages case. By giving a construction of polynomial bounded hash functions, which preserves the quantum collision-resistance, we show the existence of collapsing hash functions is implied by the quantum collision-resistant hash functions when the size of preimages is not too large to the expected value.

Our results indicate that the gap between these two properties is sensitive to the size of preimages. As a corollary, our results also reveal the non-existence of polynomial bounded equivocal collision-resistant hash functions.

A Proof of Lemma 1

We give a proof of Lemma 1 as follows.

Proof (of Lemma 1)

Notice that if the state \(\rho _{y,\mathcal {P}}\) output by \(\mathcal {E}\) already contains the superposition of the preimages of y. One can obviously distinguishes the difference between measureing the input or the output register of \(\rho _{y,\mathcal {P}}\) by invoking \(\mathcal {E}\) which directly breaks the collapsing property. However, \(\rho _{y,\mathcal {P}}\) may not contain the preimages of y directly. Therefore the main task is to construct a suitable state which contains the superposition of the preimages of y (namely, the challenging state output by the first phase of the adversary \(\mathcal {A}\) that intends to break the collapsing property).

Since the evaluation key is not involved in this proof, without loss of generality, we consider this problem in the keyless setting, which is \(\{H_{n}:\{0,1\}^{n}\rightarrow \{0,1\}^{m}\}_{n\in \mathbb {N}}\).

To proof that lemma, we firstly replace the original \(\mathcal {G}\) and \(\mathcal {E}\) by their purifications (i.e. assume they are unitary), then we can denote the output state of \(\mathcal {G}\) as

$$\begin{aligned} |\psi \rangle =\sum _{\mathcal {P},y,z}a_{\mathcal {P},y,z}|\mathcal {P},y,z\rangle \otimes |\phi _{y,\mathcal {P},z}\rangle . \end{aligned}$$

(27)

where \(|\phi _{y,\mathcal {P},z}\rangle \) is the corresponding output state state when the description is \(\mathcal {P}\), the hash value equals y, and the auxiliary internal information of \(\mathcal {G}\) is z. Then the actual output \(\rho _{y,\mathcal {P}}\) equals to the collapsed state \(|\psi \rangle \) after measuring the y, \(\mathcal {P}\), and tracing out the auxiliary register z which is \(\sum _{z}|a_{\mathcal {P},y,z}|^{2}|\phi _{y,\mathcal {P},z}\rangle \langle \phi _{y,\mathcal {P},z}|/({\sum _{z}|a_{\mathcal {P},y,z}|^{2}})\). Here for convenience, we denote it equivalently by the following mixed state

$$\begin{aligned} \rho =\mathop {\textrm{Tr}}_{\mathcal {P},y,z} |\psi \rangle \langle \psi |=\sum _{\mathcal {P},y,z}|a_{\mathcal {P},y,z}|^{2}|\mathcal {P},y,z\rangle \langle \mathcal {P},y,z|\otimes |\phi _{y,\mathcal {P},z}\rangle \langle \phi _{y,\mathcal {P},z}|. \end{aligned}$$

Then the final state after invoking the purified \(\mathcal {E}\) on \((b,\rho _{y,\mathcal {P}})\) can be denoted as

$$\begin{aligned} \rho ^{(b)}:=\mathcal {E}|b,0\rangle \langle b,0|\otimes \rho \mathcal {E}^{\dag }. \end{aligned}$$

(28)

Equivalently, we denote by \(\mathcal {E}(0,\cdot )\) (or \(\mathcal {E}(1,\cdot )\)) the unitary operator for the case \(b=0\) (or \(b=1\)). Since the correctness of the equivocal collision-resistant hash functions indicates that \(\mathcal {E}\) recovers an preimage x of y satisfying \(\mathcal {P}(x)=b\) with overwhelming probability, hence \(\rho ^{(b)}\) must contain the preimages of y with overwhelming probability. Therefore we can rewrite the state \(\rho ^{(b)}\) as follows³

$$\begin{aligned} \rho ^{(b)}=\sum _{\mathcal {P},y,z}|a_{\mathcal {P},y,z}|^{2}|\mathcal {P},y,z,b\rangle \langle \mathcal {P},y,z,b|\otimes (\sum _{x,w} \beta _{\mathcal {P},y,z,b,x,w}|x,w\rangle )(\sum _{x,w} \bar{\beta }_{\mathcal {P},y,z,b,x,w}\langle x,w|), \end{aligned}$$

where x is the output that need to be measured after running \(\mathcal {E}(b,\cdot )\), and it holds that

$$\begin{aligned} \sum _{\mathcal {P},y,z}|a_{\mathcal {P},y,z}|^{2}\cdot \sum _{w,x}^{\mathcal {P}(x)=b, H_{n}(x)=y}|\beta _{\mathcal {P},y,z,b,x,w}|^{2}\ge 1-\texttt{negl}(n) \end{aligned}$$

(29)

for some negligible function \(\texttt{negl}(\cdot )\) due to the correctness of the equivocality. Since it may not always hold that \(y=H_{n}(x)\), we hence add an additional register to \(\rho ^{(b)}\) in order to store the hash value \(H_{n}(x)\), which we denote it by

$$\begin{aligned}&\tilde{\rho }^{(b)}=\sum _{\mathcal {P},y,z}|a_{\mathcal {P},y,z}|^{2}|\mathcal {P},y,z,b\rangle \langle \mathcal {P},y,z,b|\\&\qquad \otimes (\sum _{x,w} \beta _{\mathcal {P},y,z,b,x,w}|x,H_{n}(x),w\rangle )(\sum _{x,w} \bar{\beta }_{\mathcal {P},y,z,b,x,w}\langle x,H_{n}(x),w|). \end{aligned}$$

Hence \(\tilde{\rho }^{(b)}\) contains the input and output of \(H_{n}\), that inspires us to adopt that state as the challenging state in the collapsing experiment. More specifically, when we give the registers \(x,H_{n}(x)\) of \(\tilde{\rho }^{(0)}\) to the challenger of the collapsing game, then if it has been measured in the output register, the state \(\rho ^{(0)}\) would basically not change, which means we can retrieve some x satisfying \(H_{n}(x)=y\wedge \mathcal {P}(x)=1\) with overwhelming probability by invoking \(\mathcal {E}(1,\cdot )\circ \mathcal {E}^{\dag } (0, \cdot )\). On the other hand, if it has been measured in the input register, then the state \(\rho ^{(0)}\) would be probably collapsed and can not be reversible, if not, that implies we can get a collision of y with non-negligible probability.

The following is the description of the adversary \(\mathcal {A}\) that breaks the collapsing property:

• \(\mathcal {A}\) gets the description of the hash function \(H_{n}(k,\cdot )\), and then invokes the purified \(\mathcal {G}(1^{n})\) to get the state \(\rho \).

• \(\mathcal {A}\) runs the operator \(\mathcal {E}(0, \cdot )\) to the state \(|0,0\rangle \langle 0,0|\otimes \rho \), and gets \(\tilde{\rho }^{(0)}\) in result, then sends the input and output registers of \(\tilde{\rho }^{(0)}\) to the challenger.

• After receiving the state \(\tilde{\rho }^{(0)}_{(b^{*})}\) from the challenger (\(b^{*}=0\) means the state after measuring (tracing out) the output register of \(\tilde{\rho }^{(0)}\) , and \(b^{*}=1\) denotes the state after measuring the input register), \(\mathcal {A}\) invokes the \(\mathcal {E}(1,\cdot )\circ \mathcal {E}^{\dag } (0, \cdot )\) to that state and measures the result to get a measurement x and the corresponding y. It would output 0 if \(\mathcal {P}(x)=1\wedge H_{n}(x)=y\), and output 1 if \(\mathcal {P}(x)=0\wedge H_{n}(x)=y\) otherwise, it would returns a random bit \(b'\leftarrow \{0,1\}\) uniformly.

We now estimate the advantage of \(\mathcal {A}\). In the case that the challenger measures the output register, according to the correctness of the equivocality of \(H_{n}\), we can deduce from inequality (29) that the trace distance between \(\tilde{\rho }^{(0)}_{(0)}\) and \(\tilde{\rho }^{(0)}\) is at most

$$\begin{aligned} \textrm{TD}(\tilde{\rho }^{(0)}_{(0)},\tilde{\rho }^{(0)})\le \texttt{negl}_{0}(n) \end{aligned}$$

for some negligible function \(\texttt{negl}_{0}(\cdot )\). That implies if we invoke the inverse \(\mathcal {E}^{\dag }(0, \cdot )\) in that case, we could recover the state \(|0,0\rangle \langle 0,0|\otimes \rho \) with overwhelming probability. And hence we get the measurement x that satisfies \(\mathcal {P}(x)=1\) and \(H_{n}(k,x)=y\) with overwhelming probability after invoking \(\mathcal {E}\) again. Namely, we have

$$\begin{aligned} \mathop {\textrm{Pr}}[\mathcal {A}\;\text {outputs 0} \mid b^{*}=0] \ge 1-\texttt{negl}_{1}(n). \end{aligned}$$

(30)

In the case that the challenger measures the input register (i.e. \(b^{*}=1\)), the input register of \(\tilde{\rho }^{(0)}\) would collapse to some \(x^{*}\) ( which is the preimage of y with overwhelming probability due to the correctness of equivocality). Then we run the \(\mathcal {E}(1,\cdot )\circ \mathcal {E}^{\dag } (0, \cdot )\) and measure the result to get a measurement x and the corresponding \(H_{n}(x)\). To estimate the probability that \(\mathcal {A}\) wins in this case, we consider the following these events separately:

• The measurement x satisfies \(\mathcal {P}(x)=1\wedge H_{n}(x)=y\), that implies we successfully find a collision \(x,x^{*}\). Therefore the probability of that event occurs is bounded by some negligible function \(\texttt{negl}_{2}(\cdot )\) (otherwise it would induce an adversary breaks the quantum collision-resistance of \(H_{n}(\cdot )\) with non-negligible probability).

• The measurement x satisfies \(\mathcal {P}(x)=0\wedge H_{n}(x)=y\), then \(\mathcal {A}\) would return 1 deterministically when that event occurs.

• The measurement x is not a preimage of y, then the probability that \(\mathcal {A}\) returns 1 with probability exactly 1/2

That implies

$$\begin{aligned}&\mathop {\textrm{Pr}}[\mathcal {A}\;\text {outputs 1} \mid b^{*}=1]\nonumber \\&\qquad =1-\mathop {\textrm{Pr}}[\mathcal {P}(x)=1\wedge H_{n}(x)=y\mid b^{*}=1]-\frac{1}{2}\mathop {\textrm{Pr}}[H_{n}(x)\ne y \mid b^{*}=1]\nonumber \\&\qquad \ge \frac{1}{2}-\texttt{negl}_{2}(n), \end{aligned}$$

(31)

for some negligible function \(\texttt{negl}_{2}(\cdot )\).

Combining the inequality (30) with (31), we have

$$\begin{aligned}&\big |\textrm{Pr}[\texttt{Exp}^{coll}_{\mathcal {A}}(n)=1]-\frac{1}{2}\big |\nonumber \\&\qquad \ge \big | \frac{1}{2}\cdot \mathop {\textrm{Pr}}[\mathcal {A}\;\text {outputs 1} \mid b^{*}=1]+\frac{1}{2}\cdot \mathop {\textrm{Pr}}[\mathcal {A}\;\text {outputs 1} \mid b^{*}=1]-\frac{1}{2}\big |\nonumber \\&\qquad \ge \frac{1}{4}-\texttt{negl}_{1}(n)-\texttt{negl}_{2}(n), \end{aligned}$$

(32)

which hence breaks the collapsing property of \(H_{n}(\cdot )\).\(\square \)

Note that the inverse of the operator \(\mathcal {E}(\cdot )\) is involved in our proof, which is usually infeasible in the fully black-box sense (even the semi-black-box sense), that is because the process of purification requires the internal information of the equivocal hash functions. That implies we prove the Lemma 1 via a non-black-box manner. However, we believe it is also interesting to figure out if this result still holds in the black-box manner.