Abstract
Hash functions are of fundamental importance in theoretical and in practical cryptography, and with the threat of quantum computers possibly emerging in the future, it is an urgent objective to understand the security of hash functions in the light of potential future quantum attacks. To this end, we reconsider the collapsing property of hash functions, as introduced by Unruh, which replaces the notion of collision resistance when considering quantum attacks. Our contribution is a formalism and a framework that offers significantly simpler proofs for the collapsing property of hash functions. With our framework, we can prove the collapsing property for hash domain extension constructions entirely by means of decomposing the iteration function into suitable elementary composition operations. In particular, given our framework, one can argue purely classically about the quantum-security of hash functions; this is in contrast to previous proofs which are in terms of sophisticated quantum-information-theoretic and quantum-algorithmic reasoning.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
1 Introduction
Background. Given the threat of possible future quantum computing capabilities, it is an important and urgent objective to evaluate the security of classical cryptographic schemes against quantum attacks. There are different places where security can break down when using quantum computing techniques to attack a cryptographic scheme that was designed to withstand standard classical attacks. The most prominent place is the computational hardness assumption, which is typically well justified to hold for classical models of computation but may be false with respect to quantum computation. Another place is the security proof, which may use techniques that fail to work in the context of a quantum attacker, like proofs that rely on rewinding techniques. Finally, another place where things can go wrong is the security definition, which may not capture anymore what it is supposed to capture when allowing quantum attacks.
An example of the latter is the computational binding property of a commitment scheme. Our intuitive understanding of what a commitment should achieve is that once a commitment is “on the table” there should be no freedom left for the (computationally bounded) committer in choosing the value to which he can open the commitment. The formal definition of the binding property expresses this requirement by demanding that no (computationally bounded) dishonest committer should be able to open a commitment in two distinct ways. While for classical committers this captures precisely what we want, it fails to do so for quantum committers. Indeed, a quantum committer can potentially open a commitment to one value that he freely chooses after he has put the commitment “on the table”, without contradicting the requirement of being unable to produce two distinct openings; this is because producing the opening information may involve a destructive quantum measurement that can only be applied once.
We stress that being able to open a given commitment to an arbitrary value that one can freely choose renders a commitment scheme useless in essentially all applications. So, when considering the security of commitment schemes against quantum attacks, it is essential that one uses a stronger notion of security than the standard computational binding property extended to quantum attackers.
A similar and related example is the collision resistance of hash functions. Also here, in the presence of a quantum attacker, the standard formal requirement that it should be computationally hard to produce two colliding inputs does not capture our intuitive understanding of a hash value as acting as a “fingerprint” that removes any freedom in the message to which it fits. As such, also here, when considering security against quantum attacks, the standard security notion, i.e. collision resistance, needs to be replaced by something stronger.
The Collapsing Property. Unruh [5] proposed the notion of collapsing; in the context of commitment schemes as a counterpart for the computational binding property when considering quantum attacks, and in the context of hash functions as a counterpart for collision resistance. In essence, for hash functions, the collapsing property requires that for any computationally bounded adversary that output a hash value together with a quantum superposition of corresponding preimages, he should not be able to tell if the superposition gets measured or not. The details of the notion, and why it indeed restores the right security properties when considering quantum attacks, are not so important for the discussion here. In terms of achievability, Unruh proved that the random oracle is collapsing as a hash function, and thus that simple hash-function-based commitment schemes are collapsing in the random oracle model. In the context of hash functions, he proved in a follow-up work [6] that the Merkle-Damgård construction for hash functions is collapsing (under some mild restriction on the padding) if the underlying compression function is. Given that the random oracle is collapsing, this in particular implies that the Merkle-Damgård construction is collapsing in the random oracle model, and thus gives heuristic evidence that certain practical hash functions like SHA-2 are collapsing. Recently, Czajkowski et al. [2] showed a similar result for the Sponge construction [1], which for instance underlies the hash function standard SHA-3: the Sponge construction is collapsing if both parts of the underlying round function, i.e., the so-called inner and outer parts, are collapsing, and if the inner part is “zero-preimage resistant”.Footnote 1
Our Contribution. In this work, we introduce a new formalism and a new framework for arguing about the collapsing property of (hash) functions. The advantage of our new approach is that it allows for significantly simper proofs compared to the previous work above.
At the heart of our new formalism is a pseudo-metric that abstracts away computational aspects, and which allows for an “algebraic” formulation of the collapsing property. This in turn allows for simple proofs of basic composability results for the collapsing property. Some of those have already been claimed and proven in the work mentioned above; however, our proofs are much simpler. For instance, proving that the collapsing property is preserved under nested composition takes 2 full pages in [5] (see Lemma 27 in the full version of [5]), with various quantum circuits depicted; our proof (see Lemma 5) is a few lines. The main reason for this difference lies in the “algebraic” nature of our formulation, compared to the “algorithmic” approach used in prior work. This means that instead of specifying quantum reduction algorithms and arguing that they “do the job”, our proofs are almost entirely by means of term-manipulations, where we manipulate the terms of interest by using a small set of basic rules that come along with our formalism. This not only results in very compact proofs, these proofs are also mathematically very clean in that in every term-manipulation step we can—and typically do—specify what basic rule was used.
These composability results for the collapsing property, together with a couple of basic features when “disallowing” certain inputs, form what we call our framework. With this framework, proving the collapsing property of hash domain extensions boils down to decomposing the iteration function under consideration into a few simple composition operations.
We demonstrate this new proof methodology on various examples. Applied to Merkle-Damgård, we obtain a proof of the collapsing property without any restriction on the padding as in [6], but with the additional assumption on the compression function to be “iv-preimage resistant” (which is satisfied in the random oracle model). We can also recover Unruh’s original result, which requires a restriction on the padding but avoids the “iv-preimage resistance”. By adding a counter and “salt” to the compression function but otherwise using the same kind of reasoning, we get a proof of the collapsing property of HAIFA [3], as proposed by Biham and Dunkelman. Applied to the Sponge construction, we recover the result from [2] up to an insignificant difference in the exact parameter.
The distinguishing feature of our proofs lies in their conceptual simplicity and low technical complexity. Our proofs are entirely in terms of decomposing the iteration function into elementary composition operations that are ensured to preserve the collapsing property. In particular, our proofs are purely classical. In contrast, the proofs provided in [2, 6] are in terms of lengthy hybrid arguments that consider sequences of “quantum games” and in terms of quantum information theoretic arguments and quantum reduction algorithms for reasoning that every game in the sequence behaves similarly to its predecessor.
As such, even though the collapsing property of HAIFA is new, we consider our main contribution more in terms of offering a simple understanding of why certain hash function are collapsing, and in providing a tool to easily check if similar results also hold for other hash functions (as we demonstrate on HAIFA).
The Framework in Action. To give a better idea, we illustrate here on the various examples how our framework enables to argue for the collapsing property by means of decomposing the iteration function into suitable elementary decomposition operations, and thus in particular by means of purely classical reasoning. We challenge the reader to compare our proofs with those in [2, 6].
Merkle-Damgård. The Merkle-Damgård hash of a message \(x_1,\ldots ,x_i\), consisting of i blocks, is given by \({ I\!H}_i(x_1,\ldots ,x_i)\), where \({ I\!H}_i\) is iteratively defined as
with \({ I\!H}_0() = {{\textsf {\textit{iv}}}}\). The round function f is assumed to be collapsing. We observe that \({ I\!H}_i\) is the nested composition of f with the concurrent composition of \({ I\!H}_{i-1}\) with the identity \(x_i \mapsto x_i\). Our framework ensures that these compositions preserve the collapsing property; thus, by recursive application, given that \({ I\!H}_0\) is trivially collapsing, we get that \({ I\!H}_L\) is collapsing for every fixed L, and hence the Merkle-Damgård hash is collapsing when restricted to inputs of fixed size.
In order to deal with messages of variable size, we allow in the definition of \({ I\!H}_i(x_1,\ldots ,x_i)\) the left-most message blocks to be “empty”, i.e., \(x_1\) up to some \(x_j\) may be \(\bot \), and we set \({ I\!H}_i(\bot ,\ldots ,\bot ) := {{\textsf {\textit{iv}}}}\) (for any i) and keep to recursive definition above if \(x_i \ne \bot \). This extended version of \({ I\!H}_i\) is then the disjoint union of the trivial function \(\{\bot ^i\} \rightarrow \{{{\textsf {\textit{iv}}}}\}\) and the restriction of \({ I\!H}_i\) to inputs different than \(\bot ^i\), if we “disallow” non-\(\bot ^i\) inputs that are mapped to \({{\textsf {\textit{iv}}}}\).Footnote 2 Thus, as long as we “disallow” such inputs (which is something our framework can capture), we still have that the recursive definition of \({ I\!H}_i\) decomposes into composition operations that are covered by our framework, and thus we can conclude that \({ I\!H}_L\) is collapsing for every fixed L, but now for inputs that may have \(\bot \)-prefixes, i.e., variable length. Finally, by the assumed “\({{\textsf {\textit{iv}}}}\)-preimage resistant” of f, inputs (\(\ne \bot ^i\)) that \({ I\!H}_i\) maps to \({{\textsf {\textit{iv}}}}\) are hard to find, and therefore “disallowing” those has no noticeable effect.
HAIFA. The HAFIA hash function is a variant of Merkle-Damgård that includes a counter in the iteration function, and it uses a “salt” (which we though treat as ordinary input). Formally,
Here, we can reason exactly as above, except that now the iteration function is a nested composition of the function \(f(\cdot ,\cdot ,\cdot ,i)\), which is collapsing if f is, with the parallel composition of the projection function \((salt,x_1,\ldots ,x_i) \mapsto salt\) with the concurrent composition of \({ I\!H}_{i-1}\) with the identity function \(x_i \mapsto x_i\). All these composition operations are covered by our framework, and so the collapsing property follows as for the original Merkle-Damgård construction, assuming again that f is “\({{\textsf {\textit{iv}}}}\)-preimage resistance” in case of arbitrary length messages.
Sponge. The Sponge hashFootnote 3 of a message \(x_1,\ldots ,x_i\) of i blocks is given by \(S^0_i(x_1,\ldots ,x_i)\), where \(S^b_i\) is iteratively defined as
for \(b \in \{0,1\}\), with \(S^0_0() = 0 = S_0^1()\), and it is assumed that both components of the round function \(f = (f^0,f^1)\) are collapsing. Here, \(S^b_i\) is the nested composition of \(f^b\) with a function that is yet another composition of the functions \(S^0_{i-1}\) and \(S^1_{i-1}\), and our framework immediately ensures that \(S^0_i\) and \(S^1_i\) stay collapsing as long as \(S^1_{i-1}\) is. Thus, again, the iteration function decomposes into composition operations that are ensured to preserve the collapsing property, and so by recursive application we get that \(S^1_1,\ldots ,S^1_{L-1}\) and eventually \(S^0_L\) are collapsing. The only difference to above is that here, we have to set \(S^b_i(\bot ,\ldots ,\bot ) := S^b_0() = 0\) to ensure that \(S^0_L\) acts correctly on messages of smaller block size, i.e., that \(S^b_j(x_1,\ldots ,x_j) = S^b_L(\bot ,\ldots ,\bot ,x_1,\ldots ,x_j)\). As a consequence, for the recursive reasoning, to have \(S^1_i\) be the disjoint union of the trivial function \(\{\bot ^i\} \rightarrow \{0\}\) and the restriction of \(S^1_i\) to non-\(\bot ^i\) inputs, we need to “disallow” inputs (\(\ne \bot ^i\)) which \(S^1_i\) maps to 0; this has no noticeable effect though if \(f^1\) is “zero-preimage resistant”.
2 Preliminaries
2.1 Basic Quantum Formalism
Knowledge of basic concepts of quantum information science is necessary in order to prove “correctness” of our framework (but not to apply the framework); we fix here some notation and conventions, which both are not fully standard.
Typically, the state of a quantum system with state space \(\mathcal {H}\) is given by a density matrix \(\rho \), i.e., by a trace-1 positive-semidefinite matrix that acts on \(\mathcal {H}\), and a quantum operation is expressed by a CPTP map which maps a state \(\rho \) to a new state over a possibly different state space. In this work, for technical reasons, we allow states to be subnormalized, and we consider the more general notion of completely-positive trace-nonincreasing (CPTN) maps, which are of the form with and \(\sum _i T_i^\dagger T_i \le I\) (the identity on \(\mathcal {H}\)).Footnote 4
For the purpose of this work, a measurement is a CPTN map with as above, but with the restriction that the \(P_i\)’s are mutually orthogonal Hermitian projections on \(\mathcal {H}\). If is in fact a CPTP map, i.e., \(\sum _i P_i = I\), then we speak of a total measurement, and otherwise of a partial measurement. The individual “components” of such a (partial or total) measurement are sometimes also referred to as measurements with post-selection.
We write for , i.e., the probability that “outcome i is observed”. An elementary property of any (projective, as considered here) measurement , is Winter’s “gentle-measurement lemma” [7], which captures that the measurement does not disturb the state much if the outcome is almost certain. Formally,Footnote 5 for any state \(\rho \) and any \(\beta \ge 0\):
where \(\delta \) is the trace distance, given by \(\delta (\rho , \sigma ) := \frac{1}{2} \Vert \rho -\sigma \Vert _{tr}\).
Different quantum systems are identified by means of “labels” X, Y etc., and we write \(\rho _X\) for the state of system X and \(\mathcal {H}_X\) for its state space, etc. For a CPTN map , we may write to emphasize that it acts on system X, and to additionally emphasize that it maps into system \(X'\). For simplicity, we tend to write rather than .
For any state space we consider a fixed orthonormal basis, referred to as the computational basis. For state spaces \(\mathcal {H}_X\) and \(\mathcal {H}_Y\) with respective computational bases \(\{{|x\rangle }\}_{x \in \mathcal{X}}\) and \(\{{|y\rangle }\}_{y \in \mathcal{Y}}\), we associate to any function \(f: \mathcal{X}\rightarrow \mathcal{Y}\) the CPTP “evaluation” map given by the isometry \(V[f]: {|x\rangle } \mapsto {|x\rangle }{|f(x)\rangle }\). Here, we also write \(\rho _{Xf(X)Z}\) instead of .Footnote 6 We note that admits a left inverse, i.e., a CPTP map such that .
The composition of a CPTP evaluation map with the partial trace \(\mathrm {tr}_Y\) equals the measurement , where is the CPTN map given by the projection into the span of \(\{{|x\rangle }\,|\,f(x) \!=\! y\}\). To simplify notation, we may also write \(\rho _{X^{\!f} Z}\) instead of , and, similarly, \(\rho _{X^{\!f=y} Z}\) instead of .
The usual “measurement in the computational basis”, given by the projections \({|x\rangle }{\langle x|}\), is simply denoted by . For lighter notation, we often use \(\overline{\!(\cdot )\!}\;\) instead of and write \(\rho _{\bar{X} Y}\) instead of . A quantum system X of a (possibly) joint state \(\rho _{XY}\) is called classical if \(\rho _{\bar{X} Y} = \rho _{XY}\).
When the state is clear from the context, then we may do the “arithmetic” on the labels. For instance, using this convention, we can then say that any state \(\rho _{XZ}\) satisfies
to express that and commute, and that \(f(\bar{X})\) is classical given that \(\bar{X}\) is. Similarly, we may then write , which may be interpreted differently but coincide.
2.2 Randomized Functions and States, and Their Complexity
In Appendix A, we offer a formal discussion of randomized functions, randomized CPTN maps, and randomized quantum states. As one would expect, these are simply functions, CPTN maps and states that depend on some global randomness r, which is randomly chosen once and for all from some finite set \(\mathcal R\).
Informally, when considering randomized functions, one can make the following distinction. In one case, r is given as input to the function f (or to the algorithm that computes f, if you prefer); one then typically speaks of keyed or seeded functions. In the other case, f makes queries to an oracle that computes every reply dependent on r, in which case one refers to f as an oracle function. A similar distinction can be made for randomized CPTN maps, and thus for randomized states, which are simply randomized CPTN maps that act on the trivial state space .
Formally, the way the two variants differ is by the way complexity is captured: for keyed functions one consider the computational complexity of computing the function whereas for oracle functions one considers the query complexity.
Our results apply to both variants in that we consider an abstract complexity measure \(\mathfrak {c}\) that assigns to every randomized function f a non-negative integer \(\mathfrak {c}(f)\), also denoted \(\mathfrak {c}_f\), and similarly for randomized CPTN maps, and which satisfies natural properties that one would expect from a complexity measure. The details of this are given in Appendix B. The computational complexity and the query complexity are then just specific instantiations.
2.3 The Distinguishing Advantage
The following parameterized indistinguishability measure, and our understanding of it as an abstract metric, is one of the central notions of our formalism.
Definition 1
For randomized states \(\rho _X\) and \(\rho _Y\) (with randomness r) over a common Hilbert space \(\mathcal {H}_X = \mathcal {H}_Y\), and for any non-negative integer q, we set
where the supremum is over all randomized CPTN maps (with randomness r) that map into the two-dimensional qubit state space and have complexity and, by convention, is the measurement in the computational basis.
Following the convention of doing the “arithmetic” on the labels, we typically write \(\delta _q(X,Y)\) instead of \(\delta _q\bigl (\rho _X, \rho _Y\bigr )\). Also, we write \(\delta _q(X, Y|Z)\) as a short hand for \(\delta _q\bigl (\rho _{XZ}, \rho _{YZ}\bigr )\).
We emphasize that \(\delta _q\) is a pseudometric: it is non-negative, symmetric, and satisfies triangle inequality, but it may potentially vanish for non-identical states. Furthermore, \(\delta _q\) is upper bounded by the trace distance \(\delta \), and it coincides with \(\delta \) in case \(q = \infty \), i.e., there is no restriction on . Finally, \(\delta _q\) inherits several properties from the ordinary trace distance, which can easily be verified. For instance, it is monotone under randomized CPTN maps as
and for any randomized CPTN map , we have subadditivity as
To simplify terminology, from now on we drop on the word “randomized” and take it as understood that functions, CPTN maps and states may be randomized, either in the form of keyed functions or as oracle functions, etc.
3 The Collapsing Property
We state here (a slight variation of) the definition of the collapsing property of functions, as proposed by Unruh [5], but using the formalism introduced above. In Sect. 3.2 we then discuss the straightforward extension to partial functions, which will turn out to be useful, and in Sect. 3.3 we show that the collapsing property behaves nicely under various composition operations. These composability results are all rather natural, and—with our formalism!—have simple short proofs. All together, this section then stands as “the framework” that we propose for arguing about the collapsing property of hash functions.
3.1 The Definition
The original formulation of the collapsing property for a function h is by means of two “games”, where an “adversary” produces a (normalized) state \(\rho _{XYE}\) of a certain form, namely Y must be classical and equal to h(X), and then in one game X is measured in the computation basis whereas in the other game it is left untouched instead, and the definition requires that it should be hard for any “distinguisher” to distinguish between the two games.
As for the notion of collision resistance, the collapsing property is meaningful only for randomized functions h.Footnote 7 In case of a keyed variant of such a function, one can aim for conditional results that state that h is collapsing (against computationally bounded adversaries) under some computational hardness assumption. In case of an oracle function and aiming for unconditional results, there is no exploitable effect in restricting the computational power of the parties, as long as the query complexity is limited. Our approach of using an abstract complexity notion allows us to cover both these settings simultaneously.
Our formal definition of the collapsing property is given below. Compared to the original definition by Unruh (which comes in a couple of different flavors, which we discuss in Appendix C), we use a somewhat different terminology and formalism. For instance we do not explicitly speak of “games”, and instead of quantifying over the possible adversaries we quantify over the states that may possibly be prepared by an adversary, and the quantification over the distinguishers is absorbed into the pseudometric \(\delta _q\). These modifications to the mathematical language have obviously no effect on the notion. There are a few more differences compared to the definition proposed by Unruh, but they all have no more than a small quantitative effect, as we discuss below.
Definition 2
A function \(h: \mathcal{X}\rightarrow \mathcal{Y}\) is called \(\varepsilon (q)\)-collapsing if
for all q, where the supremum is over all statesFootnote 8 \(\rho _{XYE} = \rho _{X h(X) E}\) with complexity \(\mathfrak {c}(\rho _{XYE}) \le q\). The measure \(\mathsf{cAdv}[h]\) is called the collapsing advantage of h.
Beyond the change in mathematical language, another difference is that in the original definition the system Y of the state \(\rho _{XYE}\), as produced by the adversary, is required to be classical, whereas in Definition 2 we allow it to be non-classical but then “make it classical” by measuring it; this is obviously equivalent (given that measuring has zero complexity). A slightly more substantial difference is that we allow the state \(\rho _{XYE}\) to be subnormalized; i.e., we allow the adversary to abort. However, the collapsing advantage \(\delta _q\bigl (X,\bar{X}\,|\,\bar{Y} E\bigr )\) of any subnormalized state \(\rho _{XYE}\) is the same as of the normalized state \(\tilde{\rho }_{XYE} := \rho _{XYE} + (1-\mathrm {tr}(\rho _{XYE})){|x_\circ \rangle }{\langle x_\circ |}\otimes {|h(x_\circ )\rangle }{\langle h(x_\circ )|}\otimes {|0\rangle }{\langle 0|}\) for an arbitrary choice of \(x_\circ \in \mathcal{X}\) on which h is defined. Since \(\mathfrak {c}(\tilde{\rho }_{XYE}) \le \mathfrak {c}(\rho _{XYE}) + \mathfrak {c}(h)\), this has only a small quantitative effect that is insignificant if \(\mathfrak {c}(h)\) is insignificant compared to q. In other words, we can easily transform an adversary that aborts into one that does not abort but outputs \(x_\circ \) and \(y_\circ = h(x_\circ )\) instead.
Finally, in the original definition, the complexity of the adversary and the distinguisher together is bounded (by q), whereas we bound the individual complexities (both by q). This is merely for simplicity, and has only a factor-2 quantitative effect.
3.2 Partial versus Total Functions
In Definition 2, we implicitly considered the function \(h: \mathcal{X}\rightarrow \mathcal{Y}\) to be a total function, i.e., a function that is defined on its entire domain \(\mathcal{X}\). However, it will be useful to extend the definition to partial functions, which are defined only on a subset \(\mathcal{X}_\text {eff} \subseteq \mathcal{X}\) of the domain.Footnote 9 In the context of randomized functions, as considered here, we allow \(\mathcal{X}_\text {eff}\) to depend on the global randomness r; this is what distinguishes such a partial function from a total function with a smaller domain, since the domain \(\mathcal{X}\) of a function is declared fixed and independent of r.
Definition 2 applies directly to such partial functions as well, given that the definition of the evaluation map is naturally extended to partial functions h by having the defining operator V[h] map \({|x\rangle }\) to 0 for any \(x \not \in \mathcal{X}_\text {eff}\). The effect of this is that the requirement \(\rho _{XYE} = \rho _{X h(X) E}\) enforces X to contain no inputs from outside of \(\mathcal{X}_\text {eff}\). Hence, considering partial functions in Definition 2 serves as a convenient way to “disallow” certain inputs.
Formally, consider a function \(h : \mathcal{X}\rightarrow \mathcal{Y}\) (which may be partial but let us think of it as a total function for now), and let \(\pi : \mathcal{X}\rightarrow \{0,1\}\) be a predicate, which will always be understood to be a total function. Then, we define \(h|_\pi \) to be the partial function \(h|_\pi : \mathcal{X}\rightarrow \mathcal{Y}\) that is undefined for \(x \in \mathcal{X}\) with \(\pi (x) = 0\), and that coincides with h for the remaining \(x \in \mathcal{X}\). The collapsing advantage of \(h|_\pi \) then coincides with the collapsing advantage of h modified in that the quantification over \(\rho _{XYE}\) is restricted to states for which \(\Pr [\,\pi (\bar{X}) \!=\! 0\,] = 0\).
Below, in Lemmas 1 and 2, we show how \(\mathsf{cAdv}[h]\) and \(\mathsf{cAdv}[h|_\pi ]\) relate to each other. Lemma 1 follows trivially from the above observation, i.e., that \(\rho _{XYE} = \rho _{X h|_\pi (X) E}\) implies \(\rho _{XYE} = \rho _{X h(X) E}\).
Lemma 1
If h is \(\varepsilon (q)\)-collapsing then so is \(h|_\pi \), i.e., \(\mathsf{cAdv}[h|_\pi ] \le \mathsf{cAdv}[h]\).
Applied to h of the form \(h|_\tau \), and noting that \((h|_\tau )|_\pi = h|_{\pi \wedge \tau }\), we get the following, which captures that disallowing more inputs can only decrease the collapsing advantage.
Corollary 1
For any predicates \(\pi \) and \(\tau \), it holds that \(\mathsf{cAdv}[h|_{\pi \wedge \tau }] \le \mathsf{cAdv}[h|_\tau ]\). In particular, if \(\pi \) implies \(\tau \), i.e. \(\pi (x) \!=\! 1 \Rightarrow \tau (x) \!=\! 1\), then \(\mathsf{cAdv}[h|_\pi ] \le \mathsf{cAdv}[h|_\tau ]\).
For the other direction, disallowing some inputs has little effect if those are hard to find. For the formal statement, we need the following definition.
Definition 3
A predicate \(\pi :\mathcal{X}\rightarrow \{0,1\}\) is called \(\beta (q)\)-almost-certain if it holds that \(\Pr [\pi (\bar{X})\!=\!0] \le \beta (q)\) for any state \(\rho _X\) with complexity q.
Lemma 2
If \(\pi \) is \(\beta (q)\)-almost-certain then
Proof
Let \(\rho _{XYZ} = \rho _{X h(X) E}\) be with complexity q. Consider the measurement given by and .Footnote 10 By triangle inequality and since , we have
where the second inequality is because \(\delta _q \le \delta \), and by subadditivity and choice of , and the last inequality is by the “gentle-measurement lemma” (1), plus footnote 5, given that , plus the observation that \(\rho _{X^{\pi = 1} Y E}\) has complexity \(q+\mathfrak {c}_\pi \). \(\square \)
We conclude with the following simple observation, which follows from the fact that under the given assumptions, \(\Pr [\tau (\bar{X})\!=\!0] \le \Pr [\pi \circ \lambda (\bar{X})\!=\!0] \le \beta (q+\mathfrak {c}(\lambda ))\) for any state \(\rho _X\) with complexity q.
Lemma 3
Consider predicates \(\pi : \mathcal{X}' \rightarrow \{0,1\}\) and \(\tau : \mathcal{X}\rightarrow \{0,1\}\) and a total function \(\lambda : \mathcal{X}' \rightarrow \mathcal{X}\) such that \(\pi \circ \lambda \) implies \(\tau \), i.e., \(\pi (\lambda (x)) \!=\! 1\) \(\Rightarrow \) \(\tau (x) \!=\! 1\). If \(\pi \) is \(\beta (q)\)-almost-certain then \(\tau \) is \(\beta (q+\mathfrak {c}(\lambda ))\)-almost-certain.
3.3 Composability Properties
We show composability of the collapsing property under different means of composing functions. In one or another form, some of these composability properties are also present in previous work (see e.g. Lemma 27 in the full version of [5] for the corresponding claim on nested composition); we cover them here for completeness and since our notion differs in minor ways, but also in order to demonstrate how succinctly these composability properties can be phrased and proven using our formalism.
We take it as understood that for partial functions g and h, the considered composition is defined whenever g and h are both defined on their respective inputs.
Lemma 4
(Concurrent composition). For \(g: \mathcal{X}\rightarrow \mathcal{Y}\) and \(h: \mathcal{W}\rightarrow \mathcal{Z}\), the concurrent composition \(g\Vert h: \mathcal{X}\times \mathcal{W}\rightarrow \mathcal{Y}\times \mathcal{Z}\), \((x,w) \mapsto \bigl (g(x),h(w)\bigr )\) satisfies
Proof
Let \(\rho _{X W Y Z E} = \rho _{X W g(X) h(W) E}\) be with complexity q. Then, by triangle inequality,
\(\square \)
Lemma 5
(Nested composition). For \(g: \mathcal{X}\rightarrow \mathcal{Y}\) and \(h: \mathcal{Y}\rightarrow \mathcal{Z}\), the nested (or sequential) composition \(h \circ g: \mathcal{X}\rightarrow \mathcal{Z}\), \(x \mapsto h\bigl (g(x)\bigr )\) satisfies
Proof
Let \(\rho _{X Z E} = \rho _{X (h \circ g)(X) E}\) be with complexity q. Then, \(\rho _{X Y Z E} = \rho _{Xg(X) Z E}\) has complexity at most \(q + \mathfrak {c}_g\). Recalling that \(\rho _{X Z E}\) is recovered from \(\rho _{X Y Z E}\) by applying , we get
\(\square \)
Lemma 6
For \(g: \mathcal{X}\rightarrow \mathcal{Y}\) and \(h: \mathcal{W}\times \mathcal{X}\rightarrow \mathcal{Z}\), where the latter function is such that \(h(\cdot ,x)\) is injective for any \(x \in \mathcal{X}\), the composition \(f: \mathcal{W}\times \mathcal{X}\rightarrow \mathcal{Y}\times \mathcal{Z}\), \((w,x) \mapsto \bigl (g(x),h(w,x)\bigr )\) satisfies
We emphasize that the statement includes the special case where \(\mathcal{W}\) is empty, i.e., \(h: \mathcal{X}\rightarrow \mathcal{Z}\), in which case the the injectivity requirement becomes void, so that in particular the following holds.
Corollary 2
(Parallel composition). For \(g: \mathcal{X}\rightarrow \mathcal{Y}\) and \(h: \mathcal{X}\rightarrow \mathcal{Z}\), the parallel composition \((g,h): \mathcal{X}\rightarrow \mathcal{Y}\times \mathcal{Z}\), \(x \mapsto \bigl (g(x),h(x)\bigr )\) satisfies
Proof
(of Lemma 6). Let \(\rho _{WXYZE} = \rho _{WX g(X) \, h(W,X) E}\) be with complexity q. Then, using that \(\bar{W} \bar{X} \bar{Z} = W \bar{X} \bar{Z}\), which holds by (2) because w is a function of x and \(z = h(w,x)\),
\(\square \)
Lemma 7
(Disjoint union). For \(g: \mathcal{X}\rightarrow \mathcal{Y}\) and \(h: \mathcal{W}\rightarrow \mathcal{Z}\) with disjoint domains and images, the disjoint union \(g \sqcup h: \mathcal{X}\cup \mathcal{W}\rightarrow \mathcal{Y}\cup \mathcal{Z}\), which maps \(x \in \mathcal{X}\) to g(x) and \(w \in \mathcal{W}\) to h(w), satisfies
Proof
Let \(\rho _{U V E} = \rho _{U (g \,\sqcup \, h)(U) E}\), and consider the “distinguishing function” \(dis: \mathcal{X}\cup \mathcal{W}\rightarrow \{0,1\}\) that maps \(x \in \mathcal{X}\) to 1 and \(w \in \mathcal{W}\) to 0. By our convention on function domains being recognizable, dis has zero complexity. Furthermore, is of the form
and, by the disjointness of the images, \(\rho _{U \bar{V} E} = \rho _{U^{dis} \bar{V} E}\), and so it follows from subadditivity that
which is bounded by \(\mathsf{cAdv}[g] + \mathsf{cAdv}[h]\). \(\square \)
4 Application I: Merkle-Damgård and HAIFA
We demonstrate the usefulness of our framework. Here, we do so by (re)proving the collapsing property Merkle-Damgård, and by showing that the proof trivially translates to the HAIFA variation [3]. In the subsequent section we analyze the Sponge construction [1]. Our proofs argue entirely by means of decomposing the iteration function under consideration into a few composition operations.
Here and in the remainder, for \(b \in \{0,1,\bot \}\) and positive integer , we write \(b^i \in \{0,1,\bot \}^i\) for the i-fold concatenation \((b,\ldots ,b)\) of b with itself.
4.1 The Construction
Let \(f: \{0,1\}^c \times \{0,1\}^r \rightarrow \{0,1\}^c\) be a (total) function, which will act as the round function in the Merkle-Damgård construction. For any positive integer i, we consider the function \( { I\!H}_i: \bigl (\{0,1\}^r\bigr )^i \rightarrow \{0,1\}^c \) given recursively by
with \({ I\!H}_0() := {{\textsf {\textit{iv}}}}\), some fixed string in \(\{0,1\}^c\) called the initialization vector. The Merkle-Damgård hash function is then formally given byFootnote 11
For technical reasons, we extend the domain of \({ I\!H}_i\) above to
by setting \({ I\!H}_i(\bot ,\ldots ,\bot ) := {{\textsf {\textit{iv}}}}\) and keeping the recursive definition (3) for \(x_i \ne \bot \). We can now apply \({ I\!H}_L\) to messages of size \(i < L\) blocks by pre-padding it with \(\bot \)’s: \({ I\!H}_i(x_1,\ldots ,x_i) = { I\!H}_{i+1}(\bot ,x_1,\ldots ,x_i) = \cdots = { I\!H}_L(\bot ,\ldots ,\bot ,x_1,\ldots ,x_i)\), and thus the restriction of \({ M\!D}\) to messages of block size \(0 \le i \le L\) can be expressed as \( { M\!D}^{\le L}(x_1,\ldots ,x_i) = { I\!H}_L(\bot ,\ldots ,\bot ,x_1,\ldots ,x_i) \).
4.2 The Analysis
Using our framework, we will now prove the following security statement for Merkle-Damgård. The assumption on \(\mathfrak {c}(f)\) is simply for normalization, and for f to be \(\beta \)-\({{\textsf {\textit{iv}}}}\)-preimage-resistant means, by definition, that the predicate \(1_{f(y) \ne {{\textsf {\textit{iv}}}}}\), which is 1 if y satisfies \(f(y) \ne {{\textsf {\textit{iv}}}}\) and 0 otherwise, is \(\beta \)-almost-certain.
Theorem 1
If f has complexity \(\mathfrak {c}(f) = 1\), is \(\varepsilon \)-collapsing and \(\beta \)-\({{\textsf {\textit{iv}}}}\)-preimage-resistant, then, for any integer \(L \ge 0\), the function \({ M\!D}^{\le L}\) is \(\gamma \)-collapsing with
For the purpose of the proof, we define for any i the predicate \(\pi _i: \mathcal{X}_i \rightarrow \{0,1\}\) as
i.e., the bit is set unless the input is a non-trivial \({{\textsf {\textit{iv}}}}\)-preimage of some \({ I\!H}_j\). In particular, if \(\pi _i(x_1,\ldots ,x_i) = 0\) then it must be that \({ I\!H}_j(x_1,\ldots ,x_j) = {{\textsf {\textit{iv}}}}\) for some j with \(x_j \ne \bot \), and thus \(y:= \bigl ({ I\!H}_{j-1}(x_1,\ldots ,x_{j-1}),x_j\bigr )\) satisfies \(f(y) = { I\!H}_j(x_1,\ldots ,x_j) = {{\textsf {\textit{iv}}}}\) by (3). So, by Lemma 3, the following holds.
Lemma 8
If f is \(\beta \)-\({{\textsf {\textit{iv}}}}\)-preimage-resistant then \(\pi _i\) is \(\beta (q+\mathfrak {c}_{{ I\!H}_{i-1}})\)-almost-certain.
Recall that \({ I\!H}_i|_{\pi _i}\) is the partial function that is defined only for the inputs which satisfy \(\pi _i\). The heart of the proof of Theorem 2 is the following recursive statement, which ensures that if \({ I\!H}_{i-1}|_{\pi _{i-1}}\) is collapsing then so is \({ I\!H}_i|_{\pi _i}\). By repeated application, we then get that \({ I\!H}_L|_{\pi _L}\) is collapsing, and since \(\pi _L\) is almost-certain, \({ I\!H}_L\) is collapsing as well (by Lemma 2).
Proposition 1
For any positive integer i:
Proof
We let \(\dot{ I\!H}_i\) and \(\dot{\pi }_i\) be the respective restrictions of \({ I\!H}_i\) and \({\pi _i}\) to the domain \(\dot{\mathcal{X}}_i := \mathcal{X}_i \setminus \{\bot ^i\}\). Then, we see that \({ I\!H}_i|_{\pi _i}\) is the disjoint union of the trivial function \(\{\bot ^i\} \rightarrow \{{{\textsf {\textit{iv}}}}\}\) and \(\dot{ I\!H}_i|_{\dot{\pi }_i}\); the crucial observation here is that the image of \(\dot{ I\!H}_i|_{\dot{\pi }_i}\) is disjoint with \(\{{{\textsf {\textit{iv}}}}\}\). Therefore, by Lemma 7,
where the latter inequality is by Lemma 1, given that \(\dot{\pi }_i\) implies \(\pi _{i-1}\).Footnote 12 Furthermore, since
on its domain \(\dot{\mathcal{X}}_i\), i.e., it is the nested composition of f with the concurrent composition of \({ I\!H}_{i-1}\) and the identity function \(x_i \mapsto x_i\), Lemma 4 and 5 imply
which completes the proof. \(\square \)
Proof
(of Theorem 1). \({ I\!H}_0|_{\pi _0} = { I\!H}_0\) is trivially 0-collapsing. For convenience, we let \(n_i\) be the sum of integers \(n_i := 1 + 2 + \cdots i = \frac{1}{2}i (i+1)\). Assuming by induction that \(\mathsf{cAdv}[{ I\!H}_{i}|_{\pi _{i}}](q) \le i\cdot \varepsilon (q+ n_{i-1})\), we get from Proposition 1 that
using that \(\mathfrak {c}_{{ I\!H}_i} = i \cdot \mathfrak {c}_f = i\) and \(n_{i-1}+i = n_i\). Hence, the induction assumption holds for all i, and
\(\square \)
4.3 Instantiation with a Random Oracle
If f is a random oracle, which formally means that we consider the oracle \(\mathcal {O}\) that is a uniformly random function \(\{0,1\}^c \times \{0,1\}^r \rightarrow \{0,1\}^c\) and f is the trivial oracle function that outputs whatever \(\mathcal {O}\) outputs on the given input, then, as shown by Unruh in [5], f is \(O\bigl (\sqrt{q^3/2^c}\bigr )\)-collapsing.Footnote 13 Furthermore, by the results on the hardness of quantum search from [4, Theorem 1], applied to the oracle function \(F:\{0,1\}^c \times \{0,1\}^r \rightarrow \{0,1\}\) given by \(F(y) = 1\) if and only if \(f(y) = {{\textsf {\textit{iv}}}}\), we immediately get that f is \(8(q\!+\!1)^2\!/2^c\,\)-\({{\textsf {\textit{iv}}}}\)-preimage-resistant. As such, we obtain that for messages of block-size at most L, the Merkle-Damgård hash function \({ M\!D}^{\le L}\) is \(\varepsilon \)-collapsing with
As far as we understand, the results of [6] imply a collapsing advantage of \(O\bigl ( L \sqrt{(q+L)^3/2^c}\bigr )\), which is slightly better because of the \(L^2\) that we have in our bound, but this is insignificant in typical settings where \(q \gg L\).
4.4 HAIFA
Along the very same lines as for the original Merkle-Damgård construction, we can easily show that also HAIFA, a variant proposed by Biham and Dunkelmann [3], is collapsing, under the same assumptions. HAIFA works similarly to Merkle-Damgård except that
i.e., the round function takes as additional inputs the round number i and some salt (that is the same for every round).Footnote 14 Proposition 1 immediately extends to HAIFA; the only thing that changes in the proof is that f becomes \(f_i = f(\cdot ,\cdot ,\cdot ,i)\), which is collapsing if f is, and we also have to use Corollary 2 to argue that the parallel composition of \((salt, x_1,\ldots ,x_i) \mapsto salt\) with the concurrent composition of \({ I\!H}_{i-1}\) and \(x_i \mapsto x_i\) stays collapsing. The collapsing property of HAIFA then follows easily by inductively applying this variation of Proposition 1 as in the proof of Theorem 1.
4.5 Merkle-Damgård Without \({{\textsf {\textit{iv}}}}\)-Preimage-Resistance
We can also recover Unruh’s original result on \({ M\!D}\), which does not require f to be \({{\textsf {\textit{iv}}}}\)-preimage-resistant but instead restricts the set of inputs to be suffix-free. For that, given a fixed integer \(L > 0\) and arbitrary \(0 \le i \le L\), consider the map \({ I\!H}^*_i\) given by
defined on the considered suffix-free inputs of size at most L blocks, left-padded with \(\bot \)’s, and we argue the following variant of Proposition 1: if \({ I\!H}^*_i|_{x_i \ne \bot }\) is collapsing then \({ I\!H}^*_{i+1}|_{x_{i+1} \ne \bot }\) is collapsing too (for \(i < L\)). This variant of Proposition 1 follows from the observation that the latter is obtained as the nested composition \({ I\!H}^*_{i+1}|_{x_{i+1} \ne \bot } = (f\Vert id) \circ { I\!H}^*_i|_{x_{i+1} \ne \bot }\) of \({ I\!H}^*_i|_{x_{i+1} \ne \bot }\) with the concurrent composition of f and the identity id acting on \(x_{i+2},\ldots ,x_L\). Furthermore,
and therefore \({ I\!H}^*_i|_{x_{i+1} \ne \bot }\) is the disjoint union of \({ I\!H}^*_i|_{x_i \ne \bot }\) and the function \((\bot ^i,x_{i+1},\ldots ,x_L) \mapsto ({{\textsf {\textit{iv}}}},x_{i+1},x_{i+2},\ldots ,x_L)\). Here, we are using the suffix-freeness of the considered inputs \(x_1,\ldots ,x_L\); this ensures that not only the domains but also the images of the two functions are disjoint: if \((\bot ^i,x_{i+1},\ldots ,x_L)\) is “allowed” then \((x_1,\ldots ,x_L)\) is not unless \(x_1\) up to \(x_i\) are all \(\bot \). The above variant of Proposition 1 then follows from the preservation of the collapsing property under the different compositions, and then, by inductively applying this variant of Proposition 1, we obtain that \({ I\!H}^*_L|_{x_L \ne \bot }\) is collapsing, and thus \({ M\!D}^{\le L}\) is, given that the input is from a suffix-free set.
5 Application II: The Sponge
Here, we apply our framework to the Sponge construction [1]. As one can see, we follow the exact same blueprint as in Sect. 4.
5.1 The Construction
Let \(f = (f^0,f^1): \{0,1\}^r \times \{0,1\}^c \rightarrow \{0,1\}^r \times \{0,1\}^c\) be a (total) function, which will act as the round function in the Sponge construction. For any positive integer i, consider the function
given recursively by
with \(S_0() := 0\). The sponge function (with s rounds of “squeezing”) is then formally given byFootnote 15
For technical reasons, we extend the domain of \(S_i\) above to
i.e., to strings that may have \(\bot \)-prefixes. We do so by setting
and keeping the recursive definition (4) for \(x_i \ne \bot \). This extension allows us to apply \(S_L\) to messages \((x_1,\ldots ,x_i) \in (\{0,1\}^r)^i\) of size \(i < L\) blocks by pre-padding it with \(\bot \)’s: \(S_i(x_1,\ldots ,x_i) = S_{i+1}(\bot ,x_1,\ldots ,x_i) = \cdots = S_L(\bot ,\ldots ,\bot ,x_1,\ldots ,x_i)\), and thus the restriction of \({ Sponge}[s]\) to messages of block size \(1 \le i \le L\) can be expressed as:
where we note that we insist here on \(i \ge 1\), i.e., the message is non-empty.
5.2 The Analysis
Here, we prove the following. Also here, the assumption on \(\mathfrak {c}(f)\) is simply for normalization, and for \(f^1\) to be \(\beta \)-zero-preimage-resistant means, by definition, that the predicate \(1_{f^1(y) \ne 0^c}\) is \(\beta \)-almost-certain.
Theorem 2
If f has complexity 1, and \(f^0\) and \(f^1\) are \(\varepsilon ^0\)- and \(\varepsilon ^1\)-collapsing, and \(f^1\) is \(\beta \)-zero-preimage-resistant, then, for any integer \(L \ge 0\), the Sponge function \({ Sponge}[s]^{\le L}\) is \(\gamma \)-collapsing with
For the purpose of the proof, we define for any i the predicate \(\pi _i: \mathcal{X}_i \rightarrow \{0,1\}\) as
i.e., the bit is set unless the input is a non-trivial zero-preimage of some \(S_j^1\). In particular, if \(\pi _i(x_1,\ldots ,x_i) = 0\) then \(S_j^1(x_1,\ldots ,x_j) = 0^c\) for some j with \(x_j \ne \bot \), and thus \(y:= \bigl (S_{j-1}^0(x_1,\ldots ,x_{j-1}) \oplus x_j,S_{j-1}^1(x_1,\ldots ,x_{j-1})\bigr )\) satisfies \(f^1(y) = S_j^1(x_1,\ldots ,x_j) = 0^c\) by (4). Thus, by Lemma 3, the following holds.
Lemma 9
If \(f^1\) is \(\beta \)-zero-preimage-resistant then \(\pi _i\) is \(\beta (q+\mathfrak {c}_{S_{i-1}})\)-almost-certain, and the same holds for \(\dot{\pi }_i\), defined as below.
For any i, let \(\dot{S}_i^b\) and \(\dot{\pi }_i\) be the respective restrictions of \(S_i^b\) and \({\pi _i}\) to the domain \(\dot{\mathcal{X}}_i := \mathcal{X}_i \setminus \{\bot ^i\}\). The heart of the proof of Theorem 2 is the following recursive statement, which ensures that if \(S_{i-1}^1|_{\pi _{i-1}}\) is collapsing then so are \(\dot{S}_i^0|_{\dot{\pi }_i}\) and \(S_i^1|_{\pi _i}\). By repeated application, we then get that \(\dot{S}_L^0|_{\dot{\pi }_L}\) is collapsing, and since \(\dot{\pi }_L\) is almost-certain, \(\dot{S}_L^0\) is collapsing as well (by Lemma 2).
Proposition 2
For any positive integer i:
Proof
We note that \(S_i^1|_{\pi _i}\) is the disjoint union of the trivial function \(\{\bot ^i\} \rightarrow \{0^c\}\) and \(\dot{S}_i^1|_{\dot{\pi }_i}\); the crucial observation here is that the image of \(\dot{S}_i^1\) does not contain \(0^c\). Therefore, by Lemma 7,
where the latter inequality is by Lemma 1, given that \(\dot{\pi }_i\) implies \(\pi _{i-1}\).Footnote 16 Furthermore, since
on its domain \(\dot{\mathcal{X}}_i\), i.e., it is a nested composition of \(f^1\) with a function that is obtained as a composition as considered in Lemma 6, Lemmas 5 and 6 imply that
which was to be proven. The reasoning for \(\dot{S}_i^0|_{\dot{\pi }_i}\) is exactly as for \(\dot{S}_i^1|_{\dot{\pi }_i}\) above. \(\square \)
Proof
(of Theorem 2). \(S_0^1|_{\pi _0} = S_0^1\) is trivially 0-collapsing. For convenience, we let \(n_i\) be the sum of integers \(n_i := 1 + 2 + \cdots i = \frac{1}{2}i (i+1)\). Assuming by induction that \(\mathsf{cAdv}[S_{i}^1|_{\pi _{i}}](q) \le i\cdot \varepsilon ^1(q+ n_{i-1})\), we get from Proposition 2 that
using that \(\mathfrak {c}_{S_i} = i \cdot \mathfrak {c}_f = i\) and \(n_{i-1}+i = n_i\). Hence, the induction assumption holds for all i, and
where the first inequality is by Lemmas 2 and 9, and the second by Proposition 2. The claim on \({ Sponge}[s]^{\le L}\) follows now from (5) and Corollary 2. \(\square \)
5.3 Instantiation with a Random Oracle
If \(f = (f^0,f^1)\) is a random oracle, then it follows easily from the work of Unruh in [5] on the collapsing property of the random oracle that \(f^0\) and \(f^1\) are respectively \(O\bigl (\sqrt{q^3/2^r}\bigr )\)- and \(O\bigl (\sqrt{q^3/2^c}\bigr )\)-collapsing. Furthermore, as pointed out in [2], by the results on the hardness of quantum search from [4, Theorem 1] to the oracle function \(F:\{0,1\}^r \times \{0,1\}^c \rightarrow \{0,1\}\) given by \(F(y) = 1\) if and only if \(f^1(y) = 0^c\), we immediately get that the function \(f^1\) is \(8(q+1)^2/2^c\)-zero-preimage-resistant. Therefore, we get that for messages of block-size at most L, the sponge function \({ Sponge}[s]^{\le L}\), with the round function modeled by a random oracle, is \(\varepsilon \)-collapsing with
This matches with single-execution-variant (i.e. \(t=1\)) of Theorem 33 of [2], except for the square in the \(L^2\) term. When considering a t-fold parallel composition \({ Sponge}[s]^{\le L}\Vert \cdots \Vert { Sponge}[s]^{\le L}\), it follows immediately from Lemma 6 that the collapsing parameter grows linearly with t, i.e., as
which is comparable to Theorem 33 of [2] with a general t, which states a collapsing advantage of
6 Conclusion
We consider the quantum collapsing property of classical hash functions, which replaces the notion of collision resistance in the presence of quantum attacks, and we propose a formalism and a framework that enables to argue about the collapsing property of hash domain extension constructions simply by means of decomposing the iteration function under consideration into elementary composition operations. In particular, our framework allows us to argue by purely classical means that hash functions are secure against quantum attacks.
We demonstrate this proof methodology on several examples. For Merkle-Damgård and the Sponge construction, we recover what has already been proven in [2, 6], up to insignificant differences, whereas our result for HAIFA is, strictly speaking, new. It is well possible that the respective proof provided in [6] extends to HAIFA as well; however, this is cumbersome to verify (we challenge the reader to do so). With our approach, on the other hand, it is trivial to see that our proof for Merkle-Damgård extends to this variation: the only thing that needs to be verified is that the modified iteration function still decomposes into composition operations that are covered by our framework.
We think it is fair to say that, compared to previous work which proves that some hash domain extension constructions are collapsing, our approach gives much more insight into why they are collapsing. Furthermore, our framework should be a helpful tool when designing new hash functions that are meant to withstand quantum attacks.
Last but not least, from a conceptual perspective, we find it particularly interesting to see that our simplified proofs are the result of departing from the common methodology of proving a conditional security statement by means of an algorithmic reduction. Instead of assuming an attack against the construction and then building an attack against the underlying component, we argue directly—and in some sense “algebraically”—that if the underlying component is secure then so is the construction.
Notes
- 1.
This again implies security in the random oracle model, but a subtle issue here is that if the round function is efficiently invertible then the assumptions on the two parts are not satisfied. Hence, this is not so strong evidence yet that e.g. SHA-3 is collapsing.
- 2.
The latter is because (our notion of) the disjoint union of two functions requires not only the two respective domains but also the two respective ranges to be disjoint.
- 3.
For simplicity, we consider one block of output only; multiple output blocks are argued by means of composition too.
- 4.
This can be understood in that quantum operations may “abort”, and the trace \(\mathrm {tr}(\rho ) \le 1\) expresses the probability that the process that produces \(\rho \) does not abort.
- 5.
- 6.
A subtle issue with this notation is that \(\mathrm {tr}_Y(\rho _{Xf(X)Z}) \ne \rho _{XZ}\), but rather (see below).
- 7.
See the discussion in Appendix C for an exception to the rule.
- 8.
We recall that the requirement \(\rho _{XYE} = \rho _{X h(X) E}\) is a shorthand for asking \(\rho _{XYE}\) to be equal to a state obtained by applying to system X.
- 9.
This may be understood in that the computation of h “fails” on inputs not in \(\mathcal{X}_\text {eff}\).
- 10.
I.e., first performs the measurement , and then measures the resulting state in the computation basis if (and only if) the measurement outcome was 0.
- 11.
Since the bit size of the input to \({ M\!D}\) must be an integer multiple of r, the Merkle-Damgård construction usually comes with a padding that maps a string of arbitrary size into a sequence of blocks of bit size r. We can safely ignore this since any injective padding preserves the collapsing property by Lemma 5.
- 12.
Here, we understand \(\pi _{i-1}\) as \(\pi _{i-1}: \dot{\mathcal{X}}_i \rightarrow \{0,1\}\), \((x_1,\ldots ,x_i) \mapsto \pi _{i-1}(x_1,\ldots ,x_{i-1})\).
- 13.
- 14.
For the purpose of collisions and the collapsing property, we can think of the salt simply as part of the input: we do not want collisions even for different choices of the salt.
- 15.
Like for Merkle-Damgård, we can safely ignore the padding here.
- 16.
Here, we understand \(\pi _{i-1}\) as \(\pi _{i-1}: \dot{\mathcal{X}}_i \rightarrow \{0,1\}\), \((x_1,\ldots ,x_i) \mapsto \pi _{i-1}(x_1,\ldots ,x_{i-1})\).
- 17.
For the latter, one could actually consider both simultaneously.
- 18.
Meaning that for any \(\mathcal{X}' \supset \mathcal{X}\), the function \(\mathcal{X}' \rightarrow \{0,1\}\) that maps \(x \in \mathcal{X}\) to 1 and \(x \in \mathcal{X}'\setminus \mathcal{X}\) to 0 has zero complexity. This is trivially satisfied for any function f in case of \(\mathfrak {c}^\mathsf{query}\) (given in Example 2).
- 19.
This is in line with our interpretation of \(\mathrm {tr}(\rho ) < 1\) as capturing an “abort” of the preparation process.
- 20.
Remember that we want XOR’s to be “for free”.
- 21.
As a matter of fact, [6, Definition 8] considers a t-fold parallel repetition of the game, where t is an additional parameter of the definition. We ignore this for the discussion here, recalling that we obtain immediately a similar variant of our definition by means of concurrent composition.
References
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11
Czajkowski, J., Groot Bruinderink, L., Hülsing, A., Schaffner, C., Unruh, D.: Post-quantum security of the sponge construction. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 185–204. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_9
Biham, E., Dunkelman, O.: A framework for iterative hash functions – HAIFA. In: Second NIST Cryptographic Hash Workshop (2006). https://eprint.iacr.org/2007/278.pdf
Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_15
Unruh, D.: Computationally binding quantum commitments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 497–527. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_18
Unruh, D.: Collapse-binding quantum commitments without random oracles. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 166–195. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_6
Winter, A.: Coding theorem and strong converse for quantum channels. IEEE Trans. Inf. Theory 45(7), 2481–2485 (1999). https://arxiv.org/abs/1409.2536
Wilde, M.: From Classical to Quantum Shannon Theory, 2nd edn. (2016). https://arxiv.org/abs/1106.1445. Manuscript
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Randomized Functions and CPTN Maps
In this work, we will consider two variants of the notion of a randomized function, and our techniques will apply to both. Formally, a randomized function is a function \(f: \mathcal{R} \times \mathcal{X}\rightarrow \mathcal{Y}\) for a fixed choice of the (finite) set \(\mathcal R\), and it is understood that \(r \in \mathcal{R}\) is chosen uniformly at random once-and-for-all. Informally, we think of such a randomized function as a function \(f: \mathcal{X}\rightarrow \mathcal{Y}\) that produces its output \(f(x) = f(r,x)\) for any input x dependent on some “global randomness” r, which is the same for all inputs and all randomized functions considered at a time.
Informally, the two variants we consider in this work differ in the way the randomness r is accessed by the function. In one case, r is explicitly given as input to the function f (or to the algorithm that computes f, if you prefer); one then typically speaks of keyed (or seeded) functions. In the other case, r is not explicitly given to f but instead, f makes oracle queries to a designated randomized function \(\mathcal {O}\), called the oracle, which computes every reply dependent on r. This latter case is typically referred to as an oracle function.
We point out that from a mathematical perspective, there is no distinction yet between a keyed and an oracle function, in that both are merely functions that additionally act on some global randomness r. The way the two variants differ formally is by the way we capture complexity: for keyed functions we consider the computational complexity whereas for oracle functions we consider the query complexity.Footnote 17 We address this in more detail in the subsequent section.
In line with the above, we can also consider the notion of a randomized CPTN map , which is a CPTN map whose action on a quantum state depends on the global randomness r, and we can distinguish between keyed CPTN maps that have direct access to r, and oracle CPTN maps that have quantum oracle access to a designated randomized function \(\mathcal {O}: \mathcal{R} \times \mathcal{U} \rightarrow \mathcal{V}\). Here, “quantum oracle access” means that can query \(\mathcal {O}\) in superposition, i.e., it may ask to have the unitary \({|u\rangle }{|v\rangle } \mapsto {|u\rangle }{|v + \mathcal {O}(r,u)\rangle }\) applied to any state (of appropriate dimension). Again, the formal distinction between the two variants is in terms of the complexity measure.
We point out that by considering randomized CPTN maps (of either flavor) that act on the empty system with trivial one-dimensional state space, we may also speak of randomized states (of either flavor) as the states \(\rho \) produced as for such a randomized CPTN map. We take it as understood here that the description of such a randomized state includes the dependency on the randomness r.
B Complexity
We introduce here the abstract notion of complexity that we consider in this work and discuss below the two main instantiations that are relevant for us. In the context of randomized functions \(f: \mathcal{X}\rightarrow \mathcal{Y}\), we consider a map that assigns to any such function a non-negative integer \(\mathfrak {c}(f)\), called the complexity of f, which is meant to express how hard it is to “compute” f. We assume that our abstract notion satisfies natural properties, like that the identity function on any set has zero complexity, and that it behaves well under composition, so that
for any f and g with appropriate domain/range, where \(g \circ f: x\mapsto g\bigl (f(x)\bigr )\) and \(f \Vert g: (x,w) \mapsto \bigl (f(x),g(w)\bigr )\). For simplicity, we additionally assume that certain “simple” functions have zero complexity. These are: constants, copying, deleting, swapping, checking equality, as well as bit-wise XOR. Also, to avoid certain technical complications, once \(\mathfrak {c}\) is fixed we only consider randomized functions \(f: \mathcal{X}\rightarrow \mathcal{Y}\) for which \(\mathcal{X}\) can be recognized with zero complexity.Footnote 18 For lighter notation, we may also write \(\mathfrak {c}_f\) instead of \(\mathfrak {c}(f)\).
We also consider a notion of complexity for randomized CPTN maps, which, as above, assigns a non-negative integer to any randomized CPTN map . Similarly to above, we assume that the identity has zero complexity, that
and that certain “simple” maps have zero complexity, namely: the preparation of states in the computational basis, measurements (with or without post-selection) in the computational basis, partial traces, and swapping registers. On top, we assume the complexity notion for CPTN maps to be consistent with that of functions, in that we require that
where the latter two actually follow from the first, given that partial traces and measurements in the computational basis are “for free”.
Given such a notion of complexity (for randomized CPTN maps), we can define the complexity of a randomized state \(\rho \) as where is the randomized CPTN map with minimal complexity that produces \(\rho \) as . It obviously holds that for any randomized CPTN map. A last requirement we pose onto our abstract complexity measure \(\mathfrak {c}\) is that \(\mathfrak {c}\bigl (\rho +\bigl (1\!-\!\mathrm {tr}(\rho )\bigr )\sigma \bigr ) \le \mathfrak {c}(\rho ) + \mathfrak {c}(\sigma )\) for all randomized states.Footnote 19
Example 1
An important class of examples for such a complexity measure arises by considering keyed functions and keyed CPTN maps and writing them as circuits that get the global randomness as additional input. The complexity can then be specified to be the minimal number of gates (of certain types) of any such circuit representation. For instance, writing any randomized function f as a binary circuit with AND and XOR gates, one may define \(\mathfrak {c}^\mathsf{comp}(f)\) to be the minimal necessary number of AND gates.Footnote 20 Similarly for randomized CPTN maps, where one could for instance count the number of gates (or the number of non-Clifford gates) with respect to a fixed universal set of gates. These kinds of notions of complexity are referred to as computational complexity.
Example 2
Another example that is relevant for us is the query complexity \(\mathfrak {c}^\mathsf{query}\) for oracle functions and oracle CPTN maps, which counts the number of (quantum) oracle queries that the function or CPTN map makes to the oracle \(\mathcal {O}\).
We note that this abstract treatment of complexity allows us to explicitly cover computational complexity and query complexity in one go, using one language. Also, all results expressed using this language do explicitly not depend on the technical details of any model of computation. Related to the latter, this approach allows us to reason about functions (and CPTN maps etc.), which are unambiguously defined objects that do not depend on any model of computation.
C On the Definitions of the Collapsing Property in [5, 6]
As already mentioned in Sect. 3, the definition of the collapsing property introduced by Unruh comes in a few different variations in [5, 6], which we want to briefly recall here, and we discuss how they compare to our definition. Some differences (like allowing non-normalized states), which have some minor quantitative impact, have already been discussed in Sect. 3; here, we focus on some technical differences that are orthogonal to those.
The definition originally proposed in [5, Definition 20] (respectively Definition 23 in the full version) is of asymptotic nature and for a deterministic function h (that depends on a security parameter \(\kappa \)): it requires that every (uniform) quantum-polynomial time adversary has a negligible collapsing advantage. Note that it makes sense to consider a deterministic hash function h in this case since a uniform model of computation is considered, i.e., the adversary that has a collision hard-wired into its code (for any \(\kappa \)) is not allowed. In the formal statement on the collapsing property of a random oracle [5, Theorem 31], which bounds the advantage by \(O(q^3/\text {size of the range})\), an obvious variation (in terms of oracle algorithms, and with the randomness also over the oracle’s random choices) of this definition is then (implicitly) considered. It also remains implicit that the bound (and in particular the hidden constant) is independent of the running time of the adversary; indeed, the proof considers “q-query adversaries”, which have bounded query complexity but (possibly) unbounded running time. As such, the bound \(O(q^3/\text {size of the range})\) carries over to our non-asymptotic definition of the collapsing property (with the complexity measure being the query complexity), with the understanding that the bound includes a hidden constant and only applies for a large enough range of h (compared to q).
In terms of comparing Unruh’s original definition [5, Definition 20] with our Definition 2, though being similar in spirit (up small differences as discussed in Sect. 3), they are technically incomparable: an asymptotic definition as [5, Definition 20] makes no meaningful statement about a fixed instance, while, on the other hand, our non-asymptotic definition is meaningless for a deterministic hash function, for instance. If we consider an asymptotic variant of our Definition 2, which would ask \(\mathsf{cAdv}[h_{\kappa }](q(\kappa ))\) to be negligible in the security parameter \(\kappa \) for any polynomially bounded function q, we get a non-uniform (and thus stronger) variant of [5, Definition 20]. It is easy to see that all our results directly carry over to such an asymptotic variant.
In [6, Definition 8], Unruh also considers a non-asymptotic “concrete security” variant of his original definition, which considers a keyed hash function (using our terminology) and defines the “collapsing advantage” of an arbitrary but fixed adversary in the obvious way, as the advantage of this adversary distinguishing the two games.Footnote 21 For a function h being \(\varepsilon (q)\)-collapsing according to our definition thus immediately implies that the “collapsing advantage” according to [6, Definition 8] is bounded by \(\varepsilon (q)\) (up to a small constant factor, as explained in Sect. 3) for any adversary that is bounded by q, and vice versa. In that sense, our Definition 2 and Unruh’s “concrete security” variant [6, Definition 8] are equivalent (again, up to negligible quantitative differences).
However, formalized as in [6], i.e., not as a security property of h but as a property of an arbitrary but fixed adversary that is attacking h, security statements are bound to be in reductionistic form. Indeed, all the concrete-security statements in [6] are like:
“Let A be a q-time (or query) adversary with collapsing advantage \(\varepsilon \) against function h, then there exists a 2q-time (or query) adversary \(A'\) with collapsing advantage \(\varepsilon ^2\) against \(h'\) ”
where we consider concrete example functions for the “security loss”. On the other hand, our definition allows us to express such a statement simply as:
“If the function \(h'\) is \(\varepsilon '(q')\)-collapsing then h is \(\sqrt{\varepsilon '(2q)}\)-collapsing”
or even more compactly as
Again, these statements are equivalent (up to the minor quantitative differences discussed in Sect. 3), so it is merely a matter of taste what sort of language one prefers.
A more crucial difference is that we not only can state but also prove these kinds of security claims “in the forward direction”, i.e., not via the counter position of assuming an attacker A that breaks the target primitive and turning it into an attacker \(A'\) that breaks something else. Indeed, we have “algebraic” proofs that avoid reasoning about algorithms altogether. On the other hand, the proofs in [2, 5, 6] are typically constructive, in that the adversary \(A'\) is explicitly constructed from the adversary A. One can then for instance easily check that \(A'\) does not rely on any non-uniform auxiliary information, and thus that the reductions are uniform. Our proofs do not spell out the reductions; however, if desired, they could still be extracted by backtracking the proofs all the way down to the basic properties of the pseudometric \(\delta _q\) upon which the proofs rely, and which all have simple—uniform—reduction proofs. This ensures that also our implicitly defined reductions are uniform.
Rights and permissions
Copyright information
© 2018 International Association for Cryptologic Research
About this paper
Cite this paper
Fehr, S. (2018). Classical Proofs for the Quantum Collapsing Property of Classical Hash Functions. In: Beimel, A., Dziembowski, S. (eds) Theory of Cryptography. TCC 2018. Lecture Notes in Computer Science(), vol 11240. Springer, Cham. https://doi.org/10.1007/978-3-030-03810-6_12
Download citation
DOI: https://doi.org/10.1007/978-3-030-03810-6_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-03809-0
Online ISBN: 978-3-030-03810-6
eBook Packages: Computer ScienceComputer Science (R0)