Abstract
As an enhancement of quantum collision-resistance, the collapsing property of hash functions proposed by Unruh (EUROCRYPT 2016) captures the hardness of distinguishing a superposition over preimages of a hash value from one that has been measured (collapsed). The collapsing property trivially implies quantum collision-resistance. However, it remains unknown whether the converse holds, i.e. whether collapsing hash functions can be built from quantum collision-resistant hash functions by a reduction. In this paper, we further study the relations between these two properties and derive the following two results:
- Firstly, when the number of preimages of each hash value is bounded by some polynomial, we show that the collapsing property and quantum collision-resistance hold simultaneously, i.e. the two notions coincide in this setting. This result is proved in a semi-black-box manner by exploiting the invertibility of a unitary quantum circuit.
- Next, we consider the relation between these two properties when hash values may have exponentially many preimages. By giving a construction of polynomial bounded hash functions that preserves quantum collision-resistance, we show that quantum collision-resistant hash functions imply collapsing hash functions whenever the number of preimages is not too large compared to its expected value.
Our results indicate that the gap between these two properties is sensitive to the size of preimages. As a corollary, they also rule out the existence of polynomial bounded equivocal collision-resistant hash functions.
Notes
1. In what follows, we always assume the functions have the form \(\{H_{n}:\{0,1\}^{l(n)}\times \{0,1\}^{n}\rightarrow \{0,1\}^{m(n)}\}_{n\in \mathbb {N}}\), namely \(\textbf{X}=\{0,1\}^{n}\), \(\textbf{K}=\{0,1\}^{l(n)}\) and \(\textbf{Y}=\{0,1\}^{m(n)}\). Moreover, we always assume \(\{H_{n}\}\) is compressing, namely \(m(n)<n\) for all \(n\in \mathbb {N}\), and, for a general \(H_{n}:\textbf{X}\rightarrow \textbf{Y}\), that \(|\textbf{X}|/|\textbf{Y}|>C\) for some constant \(C>1\).
2. We follow this classification in the definitions below. It is not essential to the proofs of our results, but we believe it helps clarify the relations among the primitives from different perspectives.
3. To be precise, we denote it as a mixed state in which the measurement of \(\mathcal {P},y\) is replaced by a tracing-out operation, and, without loss of generality, we assume the register containing the bit b is not changed by \(\mathcal {E}\).
References
Aharonov, D., Kitaev, A.Y., Nisan, N.: Quantum circuits with mixed states. In: Vitter, J.S. (ed.) Proceedings of the Thirtieth Annual ACM Symposium on the Theory of Computing, pp. 20–30. ACM, Dallas, Texas, USA (1998)
Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: Miller, G.L. (ed.) Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, pp. 99–108. ACM, Philadelphia, Pennsylvania, USA (1996)
Ambainis, A., Rosmanis, A., Unruh, D.: Quantum attacks on classical proof systems: the hardness of quantum rewinding. In: 55th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2014, pp. 474–483. IEEE Computer Society, Philadelphia, PA, USA (2014)
Amos, R., Georgiou, M., Kiayias, A., Zhandry, M.: One-shot signatures and applications to hybrid quantum/classical authentication. In: Makarychev, K., Makarychev, Y., Tulsiani, M., Kamath, G., Chuzhoy, J. (eds.) Proceedings of the 52nd Annual ACM SIGACT Symposium on Theory of Computing, STOC 2020, pp. 255–268. ACM, Chicago, IL, USA (2020)
Asharov, G., Segev, G.: Limits on the power of indistinguishability obfuscation and functional encryption. In: Guruswami, V. (ed.) IEEE 56th Annual Symposium on Foundations of Computer Science, FOCS 2015, pp. 191–209. IEEE Computer Society, Berkeley, CA, USA (2015)
Barak, B., Goldreich, O.: Universal arguments and their applications. SIAM J. Comput. 38(5), 1661–1694 (2008)
Berman, I., Degwekar, A., Rothblum, R.D., Vasudevan, P.N.: Multi-collision resistant hash functions and their applications. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 133–161. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_5
Bitansky, N., Haitner, I., Komargodski, I., Yogev, E.: Distributional collision resistance beyond one-way functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 667–695. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_23
Bitansky, N., Kalai, Y.T., Paneth, O.: Multi-collision resistance: a paradigm for keyless hash functions. In: Diakonikolas, I., Kempe, D., Henzinger, M. (eds.) Proceedings of the 50th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2018, pp. 671–684. ACM, Los Angeles, CA, USA (2018)
Bitansky, N., Paneth, O., Wichs, D.: Perfect structure on the edge of Chaos. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 474–502. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_20
Canetti, R., Lin, H., Tessaro, S., Vaikuntanathan, V.: Obfuscation of probabilistic circuits and applications. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 468–497. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_19
Cao, S., Xue, R.: Being a permutation is also orthogonal to one-wayness in quantum world: Impossibilities of quantum one-way permutations from one-wayness primitives. Theor. Comput. Sci. 855, 16–42 (2021)
Carter, L., Wegman, M.N.: Universal classes of hash functions (extended abstract). In: Hopcroft, J.E., Friedman, E.P., Harrison, M.A. (eds.) Proceedings of the 9th Annual ACM Symposium on Theory of Computing, pp. 106–112. ACM, Boulder, Colorado, USA (1977)
Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen Ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_4
Czajkowski, J., Groot Bruinderink, L., Hülsing, A., Schaffner, C., Unruh, D.: Post-quantum security of the sponge construction. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 185–204. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_9
Dubrov, B., Ishai, Y.: On the randomness complexity of efficient sampling. In: Kleinberg, J.M. (ed.) Proceedings of the 38th Annual ACM Symposium on Theory of Computing, pp. 711–720. ACM, Seattle, WA, USA (2006)
Fehr, S.: Classical proofs for the quantum collapsing property of classical hash functions. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 315–338. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_12
Goldreich, O., Goldwasser, S., Halevi, S.: Collision-free hashing from lattice problems. Electron. Colloquium Comput. Complex. (42) (1996)
Haitner, I., Hoch, J.J., Reingold, O., Segev, G.: Finding collisions in interactive protocols - tight lower bounds on the round and communication complexities of statistically hiding commitments. SIAM J. Comput. 44(1), 193–242 (2015)
Hamlin, B., Song, F.: Quantum security of hash functions and property-preservation of iterated hashing. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 329–349. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_18
Hosoyamada, A., Yamakawa, T.: Finding collisions in a quantum world: quantum black-box separation of collision-resistance and one-wayness. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 3–32. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_1
Hsiao, C.-Y., Reyzin, L.: Finding collisions on a public road, or do secure hash functions need secret coins? In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 92–105. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_6
Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_15
Impagliazzo, R.: A personal view of average-case complexity. In: Proceedings of the Tenth Annual Structure in Complexity Theory Conference, pp. 134–147. IEEE Computer Society, Minneapolis, Minnesota, USA (1995)
Katz, J., Lindell, Y.: Introduction to Modern Cryptography. CRC Press (2020)
Komargodski, I., Naor, M., Yogev, E.: Collision resistant hashing for paranoids: dealing with multiple collisions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 162–194. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_6
Komargodski, I., Yogev, E.: On distributional collision resistant hashing. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 303–327. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_11
Mazor, N., Zhang, J.: Simple constructions from (Almost) regular one-way functions. In: Nissim, K., Waters, B. (eds.) TCC 2021. LNCS, vol. 13043, pp. 457–485. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90453-1_16
Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_21
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)
Nielsen, M.A., Chuang, I.: Quantum Computation and Quantum Information (2002)
Reingold, O., Trevisan, L., Vadhan, S.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_1
Ristenpart, T., Shrimpton, T.: How to build a hash function from any collision-resistant function. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 147–163. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_9
Rogaway, P., Shrimpton, T.: Cryptographic hash-function basics: definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 371–388. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_24
Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: Ortiz, H. (ed.) Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, pp. 387–394. ACM, Baltimore, Maryland, USA (1990)
Simon, D.R.: Finding collisions on a one-way street: can secure hash functions be based on general assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054137
Unruh, D.: Collapse-binding quantum commitments without random oracles. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 166–195. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_6
Unruh, D.: Computationally binding quantum commitments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 497–527. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_18
Unruh, D.: Collapsing sponges: Post-quantum security of the sponge construction. IACR Cryptol. ePrint Arch. 282 (2017)
Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)
Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_44
Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9
Zhandry, M.: Quantum lightning never strikes the same state twice. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 408–438. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_14
Zhandry, M.: New constructions of collapsing hashes. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13509, pp. 596–624. Springer, Cham (2022)
Acknowledgment
We sincerely thank the anonymous reviewers of CRYPTO 2022 for their valuable comments on our paper, and Mark Zhandry for introducing his work to us during the preparation of this final version. This work was supported by the National Natural Science Foundation of China (Grant No. 62172405).
A Proof of Lemma 1
We give a proof of Lemma 1 as follows.
Proof (of Lemma 1)
Notice that if the state \(\rho _{y,\mathcal {P}}\) output by \(\mathcal {G}\) already contained a superposition over the preimages of y, one could distinguish measuring the input register from measuring the output register of \(\rho _{y,\mathcal {P}}\) simply by invoking \(\mathcal {E}\), which directly breaks the collapsing property. However, \(\rho _{y,\mathcal {P}}\) need not contain the preimages of y explicitly. Therefore the main task is to construct a suitable state that does contain a superposition over the preimages of y (namely, the challenge state output by the first phase of the adversary \(\mathcal {A}\) that intends to break the collapsing property).
Since the evaluation key plays no role in this proof, without loss of generality we consider the problem in the keyless setting, i.e. for \(\{H_{n}:\{0,1\}^{n}\rightarrow \{0,1\}^{m}\}_{n\in \mathbb {N}}\).
To prove the lemma, we first replace the original \(\mathcal {G}\) and \(\mathcal {E}\) by their purifications (i.e. we assume they are unitary). Then we can write the output state of \(\mathcal {G}\) as
where \(|\phi _{y,\mathcal {P},z}\rangle \) is the corresponding output state when the description is \(\mathcal {P}\), the hash value equals y, and the auxiliary internal information of \(\mathcal {G}\) is z. The actual output \(\rho _{y,\mathcal {P}}\) is then the state obtained from \(|\psi \rangle \) by measuring y and \(\mathcal {P}\) and tracing out the auxiliary register z, namely \(\sum _{z}|a_{\mathcal {P},y,z}|^{2}|\phi _{y,\mathcal {P},z}\rangle \langle \phi _{y,\mathcal {P},z}|/({\sum _{z}|a_{\mathcal {P},y,z}|^{2}})\). For convenience, we denote it equivalently by the following mixed state
Then the final state after invoking the purified \(\mathcal {E}\) on \((b,\rho _{y,\mathcal {P}})\) can be written as
Equivalently, we denote by \(\mathcal {E}(0,\cdot )\) (resp. \(\mathcal {E}(1,\cdot )\)) the unitary operator for the case \(b=0\) (resp. \(b=1\)). Since the correctness of the equivocal collision-resistant hash function guarantees that \(\mathcal {E}\) recovers a preimage x of y satisfying \(\mathcal {P}(x)=b\) with overwhelming probability, \(\rho ^{(b)}\) must contain the preimages of y with overwhelming probability. Therefore we can rewrite the state \(\rho ^{(b)}\) as follows (see Footnote 3)
where x is the output that is to be measured after running \(\mathcal {E}(b,\cdot )\), and it holds that
for some negligible function \(\texttt{negl}(\cdot )\), by the correctness of the equivocality. Since it need not always hold that \(y=H_{n}(x)\), we add an additional register to \(\rho ^{(b)}\) in order to store the hash value \(H_{n}(x)\); we denote the resulting state by
Hence \(\tilde{\rho }^{(b)}\) contains both the input and the output of \(H_{n}\), which suggests using this state as the challenge state in the collapsing experiment. More specifically, suppose we hand the registers \(x,H_{n}(x)\) of \(\tilde{\rho }^{(0)}\) to the challenger of the collapsing game. If the challenger measures the output register, the state \(\rho ^{(0)}\) is essentially unchanged, so we can retrieve some x satisfying \(H_{n}(x)=y\wedge \mathcal {P}(x)=1\) with overwhelming probability by invoking \(\mathcal {E}(1,\cdot )\circ \mathcal {E}^{\dag } (0, \cdot )\). On the other hand, if the challenger measures the input register, then the state \(\rho ^{(0)}\) most likely collapses and can no longer be reversed; if it could, we would obtain a collision for y with non-negligible probability.
The following is the description of the adversary \(\mathcal {A}\) that breaks the collapsing property:
- \(\mathcal {A}\) gets the description of the hash function \(H_{n}(\cdot )\), and then invokes the purified \(\mathcal {G}(1^{n})\) to get the state \(\rho \).
- \(\mathcal {A}\) applies the operator \(\mathcal {E}(0, \cdot )\) to the state \(|0,0\rangle \langle 0,0|\otimes \rho \), obtaining \(\tilde{\rho }^{(0)}\), and then sends the input and output registers of \(\tilde{\rho }^{(0)}\) to the challenger.
- After receiving the state \(\tilde{\rho }^{(0)}_{(b^{*})}\) from the challenger (\(b^{*}=0\) denotes the state after measuring (tracing out) the output register of \(\tilde{\rho }^{(0)}\), and \(b^{*}=1\) denotes the state after measuring the input register), \(\mathcal {A}\) applies \(\mathcal {E}(1,\cdot )\circ \mathcal {E}^{\dag } (0, \cdot )\) to that state and measures the result to obtain a value x and the corresponding y. It outputs 0 if \(\mathcal {P}(x)=1\wedge H_{n}(x)=y\), outputs 1 if \(\mathcal {P}(x)=0\wedge H_{n}(x)=y\), and otherwise returns a uniformly random bit \(b'\leftarrow \{0,1\}\).
We now estimate the advantage of \(\mathcal {A}\). In the case that the challenger measures the output register, by the correctness of the equivocality of \(H_{n}\) we can deduce from inequality (29) that the trace distance between \(\tilde{\rho }^{(0)}_{(0)}\) and \(\tilde{\rho }^{(0)}\) is at most
for some negligible function \(\texttt{negl}_{0}(\cdot )\). This implies that if we apply the inverse \(\mathcal {E}^{\dag }(0, \cdot )\) in that case, we recover the state \(|0,0\rangle \langle 0,0|\otimes \rho \) with overwhelming probability, and hence, after applying \(\mathcal {E}(1,\cdot )\), the measurement yields an x satisfying \(\mathcal {P}(x)=1\) and \(H_{n}(x)=y\) with overwhelming probability. Namely, we have
In the case that the challenger measures the input register (i.e. \(b^{*}=1\)), the input register of \(\tilde{\rho }^{(0)}\) collapses to some \(x^{*}\) (which is a preimage of y with overwhelming probability, by the correctness of equivocality). We then apply \(\mathcal {E}(1,\cdot )\circ \mathcal {E}^{\dag } (0, \cdot )\) and measure the result to obtain a value x and the corresponding \(H_{n}(x)\). To estimate the probability that \(\mathcal {A}\) wins in this case, we consider the following events separately:
- The measured x satisfies \(\mathcal {P}(x)=1\wedge H_{n}(x)=y\). Since \(\mathcal {P}(x^{*})=0\), this means we have found a collision \(x,x^{*}\). Therefore the probability that this event occurs is bounded by some negligible function \(\texttt{negl}_{2}(\cdot )\) (otherwise it would yield an adversary that breaks the quantum collision-resistance of \(H_{n}(\cdot )\) with non-negligible probability).
- The measured x satisfies \(\mathcal {P}(x)=0\wedge H_{n}(x)=y\). Then \(\mathcal {A}\) returns 1 deterministically.
- The measured x is not a preimage of y. Then \(\mathcal {A}\) returns 1 with probability exactly 1/2.
This implies
for some negligible function \(\texttt{negl}_{2}(\cdot )\).
Combining inequality (30) with (31), we have
which hence breaks the collapsing property of \(H_{n}(\cdot )\).\(\square \)
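As an added worked check, not part of the original paper (the displayed inequalities (29)–(31) are not reproduced on this page, so the bound below is carried through from the case analysis above using the page's own symbols \(\texttt{negl}_{0}\) and \(\texttt{negl}_{2}\)), the distinguishing advantage of \(\mathcal {A}\) can be computed as follows. For \(b^{*}=0\), \(\mathcal {E}^{\dag }(0,\cdot )\) recovers \(|0,0\rangle \langle 0,0|\otimes \rho \) up to trace distance \(\texttt{negl}_{0}(n)\) and \(\mathcal {E}(1,\cdot )\) then returns a preimage with \(\mathcal {P}(x)=1\), so
\[
\Pr[\mathcal {A}\rightarrow 0 \mid b^{*}=0]\;\ge\;1-\texttt{negl}_{0}(n).
\]
For \(b^{*}=1\), let \(E_{1},E_{2},E_{3}\) denote the three events of the case analysis (a colliding preimage with \(\mathcal {P}(x)=1\); a preimage with \(\mathcal {P}(x)=0\); no preimage of y). They partition the outcome space, \(\Pr[E_{1}]\le \texttt{negl}_{2}(n)\) by collision-resistance, and \(\mathcal {A}\) returns 1 with probability 0, 1 and 1/2 respectively, hence
\[
\Pr[\mathcal {A}\rightarrow 1 \mid b^{*}=1]
=\Pr[E_{2}]+\tfrac{1}{2}\Pr[E_{3}]
\;\ge\;\tfrac{1}{2}\bigl(\Pr[E_{2}]+\Pr[E_{3}]\bigr)
=\tfrac{1}{2}\bigl(1-\Pr[E_{1}]\bigr)
\;\ge\;\tfrac{1}{2}-\tfrac{1}{2}\texttt{negl}_{2}(n).
\]
Putting both cases together,
\[
\Pr[\mathcal {A}\rightarrow 0 \mid b^{*}=0]-\Pr[\mathcal {A}\rightarrow 0 \mid b^{*}=1]
\;\ge\;\bigl(1-\texttt{negl}_{0}(n)\bigr)-\bigl(\tfrac{1}{2}+\tfrac{1}{2}\texttt{negl}_{2}(n)\bigr)
=\tfrac{1}{2}-\texttt{negl}(n),
\]
which is a non-negligible advantage in the collapsing game. Note that the \(b^{*}=1\) case only uses the negligibility of \(E_{1}\) (i.e. quantum collision-resistance) and the fact that the remaining outcomes give \(\mathcal {A}\) at least a coin flip; it does not require \(\mathcal {E}(1,\cdot )\) to behave correctly on the collapsed state.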
Note that the inverse of the operator \(\mathcal {E}(\cdot )\) is used in our proof, which is usually infeasible in the fully black-box sense (and even in the semi-black-box sense), because purification requires access to the internal workings of the equivocal hash function. Hence Lemma 1 is proved in a non-black-box manner. We believe it would also be interesting to determine whether this result still holds in the black-box setting.
Copyright information
© 2022 International Association for Cryptologic Research
Cite this paper
Cao, S., Xue, R. (2022). The Gap Is Sensitive to Size of Preimages: Collapsing Property Doesn’t Go Beyond Quantum Collision-Resistance for Preimages Bounded Hash Functions. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13509. Springer, Cham. https://doi.org/10.1007/978-3-031-15982-4_19
DOI: https://doi.org/10.1007/978-3-031-15982-4_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15981-7
Online ISBN: 978-3-031-15982-4