1 Introduction

Background. Given the threat of possible future quantum computing capabilities, it is an important and urgent objective to evaluate the security of classical cryptographic schemes against quantum attacks. There are different places where security can break down when using quantum computing techniques to attack a cryptographic scheme that was designed to withstand standard classical attacks. The most prominent place is the computational hardness assumption, which is typically well justified to hold for classical models of computation but may be false with respect to quantum computation. Another place is the security proof, which may use techniques that fail to work in the context of a quantum attacker, like proofs that rely on rewinding techniques. Finally, another place where things can go wrong is the security definition, which may not capture anymore what it is supposed to capture when allowing quantum attacks.

An example of the latter is the computational binding property of a commitment scheme. Our intuitive understanding of what a commitment should achieve is that once a commitment is “on the table” there should be no freedom left for the (computationally bounded) committer in choosing the value to which he can open the commitment. The formal definition of the binding property expresses this requirement by demanding that no (computationally bounded) dishonest committer should be able to open a commitment in two distinct ways. While for classical committers this captures precisely what we want, it fails to do so for quantum committers. Indeed, a quantum committer can potentially open a commitment to one value that he freely chooses after he has put the commitment “on the table”, without contradicting the requirement of being unable to produce two distinct openings; this is because producing the opening information may involve a destructive quantum measurement that can only be applied once.

We stress that being able to open a given commitment to an arbitrary value that one can freely choose renders a commitment scheme useless in essentially all applications. So, when considering the security of commitment schemes against quantum attacks, it is essential that one uses a stronger notion of security than the standard computational binding property extended to quantum attackers.

A similar and related example is the collision resistance of hash functions. Also here, in the presence of a quantum attacker, the standard formal requirement that it should be computationally hard to produce two colliding inputs does not capture our intuitive understanding of a hash value as acting as a “fingerprint” that removes any freedom in the message to which it fits. As such, also here, when considering security against quantum attacks, the standard security notion, i.e. collision resistance, needs to be replaced by something stronger.

The Collapsing Property. Unruh [5] proposed the notion of collapsing: in the context of commitment schemes as a counterpart for the computational binding property when considering quantum attacks, and in the context of hash functions as a counterpart for collision resistance. In essence, for hash functions, the collapsing property requires that any computationally bounded adversary that outputs a hash value together with a quantum superposition of corresponding preimages should not be able to tell whether the superposition gets measured or not. The details of the notion, and why it indeed restores the right security properties when considering quantum attacks, are not so important for the discussion here. In terms of achievability, Unruh proved that the random oracle is collapsing as a hash function, and thus that simple hash-function-based commitment schemes are collapsing in the random oracle model. In the context of hash functions, he proved in a follow-up work [6] that the Merkle-Damgård construction is collapsing (under some mild restriction on the padding) if the underlying compression function is. Given that the random oracle is collapsing, this in particular implies that the Merkle-Damgård construction is collapsing in the random oracle model, and thus gives heuristic evidence that certain practical hash functions like SHA-2 are collapsing. Recently, Czajkowski et al. [2] showed a similar result for the Sponge construction [1], which for instance underlies the hash function standard SHA-3: the Sponge construction is collapsing if both parts of the underlying round function, i.e., the so-called inner and outer parts, are collapsing, and if the inner part is “zero-preimage resistant”.Footnote 1

Our Contribution. In this work, we introduce a new formalism and a new framework for arguing about the collapsing property of (hash) functions. The advantage of our new approach is that it allows for significantly simpler proofs compared to the previous work mentioned above.

At the heart of our new formalism is a pseudo-metric that abstracts away computational aspects, and which allows for an “algebraic” formulation of the collapsing property. This in turn allows for simple proofs of basic composability results for the collapsing property. Some of those have already been claimed and proven in the work mentioned above; however, our proofs are much simpler. For instance, proving that the collapsing property is preserved under nested composition takes 2 full pages in [5] (see Lemma 27 in the full version of [5]), with various quantum circuits depicted; our proof (see Lemma 5) is a few lines. The main reason for this difference lies in the “algebraic” nature of our formulation, compared to the “algorithmic” approach used in prior work. This means that instead of specifying quantum reduction algorithms and arguing that they “do the job”, our proofs are almost entirely by means of term-manipulations, where we manipulate the terms of interest by using a small set of basic rules that come along with our formalism. This not only results in very compact proofs; these proofs are also mathematically very clean in that in every term-manipulation step we can—and typically do—specify which basic rule was used.

These composability results for the collapsing property, together with a couple of basic features when “disallowing” certain inputs, form what we call our framework. With this framework, proving the collapsing property of hash domain extensions boils down to decomposing the iteration function under consideration into a few simple composition operations.

We demonstrate this new proof methodology on various examples. Applied to Merkle-Damgård, we obtain a proof of the collapsing property without the restriction on the padding required in [6], but with the additional assumption that the compression function is “iv-preimage resistant” (which is satisfied in the random oracle model). We can also recover Unruh’s original result, which requires a restriction on the padding but avoids the “iv-preimage resistance” assumption. By adding a counter and “salt” to the compression function but otherwise using the same kind of reasoning, we get a proof of the collapsing property of HAIFA [3], as proposed by Biham and Dunkelman. Applied to the Sponge construction, we recover the result from [2] up to an insignificant difference in the exact parameter.

The distinguishing feature of our proofs lies in their conceptual simplicity and low technical complexity. Our proofs are entirely in terms of decomposing the iteration function into elementary composition operations that are ensured to preserve the collapsing property. In particular, our proofs are purely classical. In contrast, the proofs provided in [2, 6] are in terms of lengthy hybrid arguments that consider sequences of “quantum games” and in terms of quantum information theoretic arguments and quantum reduction algorithms for reasoning that every game in the sequence behaves similarly to its predecessor.

As such, even though the collapsing property of HAIFA is new, we consider our main contribution more in terms of offering a simple understanding of why certain hash functions are collapsing, and in providing a tool to easily check if similar results also hold for other hash functions (as we demonstrate on HAIFA).

The Framework in Action. To give a better idea, we illustrate here on the various examples how our framework enables one to argue for the collapsing property by means of decomposing the iteration function into suitable elementary composition operations, and thus in particular by means of purely classical reasoning. We challenge the reader to compare our proofs with those in [2, 6].

Merkle-Damgård. The Merkle-Damgård hash of a message \(x_1,\ldots ,x_i\), consisting of i blocks, is given by \({ I\!H}_i(x_1,\ldots ,x_i)\), where \({ I\!H}_i\) is iteratively defined as

$$ { I\!H}_i(x_1,\ldots ,x_i) := f\bigl ({ I\!H}_{i-1}(x_1,\ldots ,x_{i-1}),x_i\bigr ) $$

with \({ I\!H}_0() = {{\textsf {\textit{iv}}}}\). The round function f is assumed to be collapsing. We observe that \({ I\!H}_i\) is the nested composition of f with the concurrent composition of \({ I\!H}_{i-1}\) with the identity \(x_i \mapsto x_i\). Our framework ensures that these compositions preserve the collapsing property; thus, by recursive application, given that \({ I\!H}_0\) is trivially collapsing, we get that \({ I\!H}_L\) is collapsing for every fixed L, and hence the Merkle-Damgård hash is collapsing when restricted to inputs of fixed size.

In order to deal with messages of variable size, we allow in the definition of \({ I\!H}_i(x_1,\ldots ,x_i)\) the left-most message blocks to be “empty”, i.e., \(x_1\) up to some \(x_j\) may be \(\bot \), and we set \({ I\!H}_i(\bot ,\ldots ,\bot ) := {{\textsf {\textit{iv}}}}\) (for any i) and keep the recursive definition above if \(x_i \ne \bot \). This extended version of \({ I\!H}_i\) is then the disjoint union of the trivial function \(\{\bot ^i\} \rightarrow \{{{\textsf {\textit{iv}}}}\}\) and the restriction of \({ I\!H}_i\) to inputs different from \(\bot ^i\), if we “disallow” non-\(\bot ^i\) inputs that are mapped to \({{\textsf {\textit{iv}}}}\).Footnote 2 Thus, as long as we “disallow” such inputs (which is something our framework can capture), we still have that the recursive definition of \({ I\!H}_i\) decomposes into composition operations that are covered by our framework, and thus we can conclude that \({ I\!H}_L\) is collapsing for every fixed L, but now for inputs that may have \(\bot \)-prefixes, i.e., variable length. Finally, by the assumed “\({{\textsf {\textit{iv}}}}\)-preimage resistance” of f, inputs (\(\ne \bot ^i\)) that \({ I\!H}_i\) maps to \({{\textsf {\textit{iv}}}}\) are hard to find, and therefore “disallowing” those has no noticeable effect.

HAIFA. The HAIFA hash function is a variant of Merkle-Damgård that includes a counter in the iteration function, and it uses a “salt” (which we treat as an ordinary input, though). Formally,

$$ { I\!H}_i(salt, x_1,\ldots ,x_i) := f\bigl (salt,{ I\!H}_{i-1}(salt,x_1,\ldots ,x_{i-1}),x_i,i\bigr ) \, . $$

Here, we can reason exactly as above, except that now the iteration function is a nested composition of the function \(f(\cdot ,\cdot ,\cdot ,i)\), which is collapsing if f is, with the parallel composition of the projection function \((salt,x_1,\ldots ,x_i) \mapsto salt\) with the concurrent composition of \({ I\!H}_{i-1}\) with the identity function \(x_i \mapsto x_i\). All these composition operations are covered by our framework, and so the collapsing property follows as for the original Merkle-Damgård construction, assuming again that f is “\({{\textsf {\textit{iv}}}}\)-preimage resistant” in the case of arbitrary-length messages.

Sponge. The Sponge hashFootnote 3 of a message \(x_1,\ldots ,x_i\) of i blocks is given by \(S^0_i(x_1,\ldots ,x_i)\), where \(S^b_i\) is iteratively defined as

$$ S^b_i(x_1,\ldots ,x_i) := f^b\bigl (S^0_{i-1}(x_1,\ldots ,x_{i-1}) \oplus x_i, S^1_{i-1}(x_1,\ldots ,x_{i-1})\bigr ) $$

for \(b \in \{0,1\}\), with \(S^0_0() = 0 = S_0^1()\), and it is assumed that both components of the round function \(f = (f^0,f^1)\) are collapsing. Here, \(S^b_i\) is the nested composition of \(f^b\) with a function that is yet another composition of the functions \(S^0_{i-1}\) and \(S^1_{i-1}\), and our framework immediately ensures that \(S^0_i\) and \(S^1_i\) stay collapsing as long as \(S^1_{i-1}\) is. Thus, again, the iteration function decomposes into composition operations that are ensured to preserve the collapsing property, and so by recursive application we get that \(S^1_1,\ldots ,S^1_{L-1}\) and eventually \(S^0_L\) are collapsing. The only difference from the above is that here, we have to set \(S^b_i(\bot ,\ldots ,\bot ) := S^b_0() = 0\) to ensure that \(S^0_L\) acts correctly on messages of smaller block size, i.e., that \(S^b_j(x_1,\ldots ,x_j) = S^b_L(\bot ,\ldots ,\bot ,x_1,\ldots ,x_j)\). As a consequence, for the recursive reasoning, to have \(S^1_i\) be the disjoint union of the trivial function \(\{\bot ^i\} \rightarrow \{0\}\) and the restriction of \(S^1_i\) to non-\(\bot ^i\) inputs, we need to “disallow” inputs (\(\ne \bot ^i\)) which \(S^1_i\) maps to 0; this has no noticeable effect though if \(f^1\) is “zero-preimage resistant”.

2 Preliminaries

2.1 Basic Quantum Formalism

Knowledge of basic concepts of quantum information science is necessary in order to prove “correctness” of our framework (but not to apply the framework); we fix here some notation and conventions, both of which are not fully standard.

Typically, the state of a quantum system with state space \(\mathcal {H}\) is given by a density matrix \(\rho \), i.e., by a trace-1 positive-semidefinite matrix that acts on \(\mathcal {H}\), and a quantum operation is expressed by a CPTP map which maps a state \(\rho \) to a new state over a possibly different state space. In this work, for technical reasons, we allow states to be subnormalized, and we consider the more general notion of completely-positive trace-nonincreasing (CPTN) maps, which are of the form \(\rho \mapsto \sum _i T_i \rho T_i^\dagger \) with \(\sum _i T_i^\dagger T_i \le I\) (the identity on \(\mathcal {H}\)).Footnote 4

For the purpose of this work, a measurement is a CPTN map \(\rho \mapsto \sum _i P_i \rho P_i\) as above, but with the restriction that the \(P_i\)’s are mutually orthogonal Hermitian projections on \(\mathcal {H}\). If this is in fact a CPTP map, i.e., \(\sum _i P_i = I\), then we speak of a total measurement, and otherwise of a partial measurement. The individual “components” \(\rho \mapsto P_i \rho P_i\) of such a (partial or total) measurement are sometimes also referred to as measurements with post-selection.

We write \(\mathrm {tr}(P_i \rho P_i)\) for the probability that “outcome i is observed”. An elementary property of any (projective, as considered here) measurement is Winter’s “gentle-measurement lemma” [7], which captures that the measurement does not disturb the state much if the outcome is almost certain. Formally,Footnote 5 for any state \(\rho \) and any \(\beta \ge 0\):

(1)

where \(\delta \) is the trace distance, given by \(\delta (\rho , \sigma ) := \frac{1}{2} \Vert \rho -\sigma \Vert _{tr}\).

Different quantum systems are identified by means of “labels” X, Y, etc., and we write \(\rho _X\) for the state of system X and \(\mathcal {H}_X\) for its state space, etc. For a CPTN map, we may attach the label X to emphasize that it acts on system X, and the label \(X \!\rightarrow \! X'\) to additionally emphasize that it maps into system \(X'\); for simplicity, we tend to use the former, lighter notation whenever the target system is clear from the context.

For any state space we consider a fixed orthonormal basis, referred to as the computational basis. For state spaces \(\mathcal {H}_X\) and \(\mathcal {H}_Y\) with respective computational bases \(\{{|x\rangle }\}_{x \in \mathcal{X}}\) and \(\{{|y\rangle }\}_{y \in \mathcal{Y}}\), we associate to any function \(f: \mathcal{X}\rightarrow \mathcal{Y}\) the CPTP “evaluation” map given by the isometry \(V[f]: {|x\rangle } \mapsto {|x\rangle }{|f(x)\rangle }\). Here, we also write \(\rho _{Xf(X)Z}\) for the state obtained by applying this evaluation map to system X of \(\rho _{XZ}\).Footnote 6 We note that the evaluation map admits a left inverse, i.e., a CPTP map that recovers \(\rho _{XZ}\) from \(\rho _{Xf(X)Z}\).

The composition of the CPTP evaluation map of f with the partial trace \(\mathrm {tr}_Y\) equals the measurement whose component for outcome y is the CPTN map given by the projection into the span of \(\{{|x\rangle }\,|\,f(x) \!=\! y\}\). To simplify notation, we may also write \(\rho _{X^{\!f} Z}\) for the state obtained by applying this measurement to \(\rho _{XZ}\), and, similarly, \(\rho _{X^{\!f=y} Z}\) for the component corresponding to outcome y.

The usual “measurement in the computational basis” is given by the projections \({|x\rangle }{\langle x|}\). For lighter notation, we often indicate an application of this measurement by a bar \(\overline{\!(\cdot )\!}\;\), and write \(\rho _{\bar{X} Y}\) for the state obtained by measuring system X of \(\rho _{XY}\) in the computational basis. A quantum system X of a (possibly) joint state \(\rho _{XY}\) is called classical if \(\rho _{\bar{X} Y} = \rho _{XY}\).

When the state is clear from the context, then we may do the “arithmetic” on the labels. For instance, using this convention, we can then say that any state \(\rho _{XZ}\) satisfies

$$\begin{aligned} \bar{X} f(X)Z = \bar{X} f(\bar{X})Z = \bar{X} \overline{f(\bar{X})} Z = \bar{X} \overline{f(X)} Z \, , \end{aligned}$$
(2)

to express that the evaluation of f and the measurement in the computational basis commute, and that \(f(\bar{X})\) is classical given that \(\bar{X}\) is. Similarly, we may then write further such expressions, which may be interpreted in different ways that all coincide.

2.2 Randomized Functions and States, and Their Complexity

In Appendix A, we offer a formal discussion of randomized functions, randomized CPTN maps, and randomized quantum states. As one would expect, these are simply functions, CPTN maps and states that depend on some global randomness r, which is randomly chosen once and for all from some finite set \(\mathcal R\).

Informally, when considering randomized functions, one can make the following distinction. In one case, r is given as input to the function f (or to the algorithm that computes f, if you prefer); one then typically speaks of keyed or seeded functions. In the other case, f makes queries to an oracle that computes every reply dependent on r, in which case one refers to f as an oracle function. A similar distinction can be made for randomized CPTN maps, and thus for randomized states, which are simply randomized CPTN maps that act on the trivial state space \(\mathbb {C}\).

Formally, the way the two variants differ is by the way complexity is captured: for keyed functions one considers the computational complexity of computing the function, whereas for oracle functions one considers the query complexity.

Our results apply to both variants in that we consider an abstract complexity measure \(\mathfrak {c}\) that assigns to every randomized function f a non-negative integer \(\mathfrak {c}(f)\), also denoted \(\mathfrak {c}_f\), and similarly for randomized CPTN maps, and which satisfies natural properties that one would expect from a complexity measure. The details of this are given in Appendix B. The computational complexity and the query complexity are then just specific instantiations.

2.3 The Distinguishing Advantage

The following parameterized indistinguishability measure, and our understanding of it as an abstract metric, is one of the central notions of our formalism.

Definition 1

For randomized states \(\rho _X\) and \(\rho _Y\) (with randomness r) over a common Hilbert space \(\mathcal {H}_X = \mathcal {H}_Y\), and for any non-negative integer q, we set

$$ \delta _q\bigl (\rho _X, \rho _Y\bigr ) := \sup \, \delta \Bigl (\,\overline{\mathbb {E}(\rho _X)}, \overline{\mathbb {E}(\rho _Y)}\,\Bigr ) $$

where the supremum is over all randomized CPTN maps \(\mathbb {E}\) (with randomness r) that map into the two-dimensional qubit state space and have complexity \(\mathfrak {c}(\mathbb {E}) \le q\), and where, by convention, \(\overline{(\cdot )}\) is the measurement in the computational basis.

Following the convention of doing the “arithmetic” on the labels, we typically write \(\delta _q(X,Y)\) instead of \(\delta _q\bigl (\rho _X, \rho _Y\bigr )\). Also, we write \(\delta _q(X, Y|Z)\) as a short hand for \(\delta _q\bigl (\rho _{XZ}, \rho _{YZ}\bigr )\).

We emphasize that \(\delta _q\) is a pseudometric: it is non-negative, symmetric, and satisfies the triangle inequality, but it may potentially vanish for non-identical states. Furthermore, \(\delta _q\) is upper bounded by the trace distance \(\delta \), and it coincides with \(\delta \) in case \(q = \infty \), i.e., when there is no restriction on the complexity of the distinguishing map. Finally, \(\delta _q\) inherits several properties from the ordinary trace distance, which can easily be verified. For instance, it is monotone under randomized CPTN maps in that, for any randomized CPTN map \(\mathbb {T}\),

$$ \delta _q\bigl (\mathbb {T}(\rho _X), \mathbb {T}(\rho _Y)\bigr ) \le \delta _{q+\mathfrak {c}(\mathbb {T})}\bigl (\rho _X, \rho _Y\bigr ) \, , $$

and for any randomized CPTN map \(\mathbb {T} = \sum _i \mathbb {T}_i\) that decomposes into CPTN maps \(\mathbb {T}_i\), we have subadditivity as

$$ \delta _q\bigl (\mathbb {T}(\rho _X), \mathbb {T}(\rho _Y)\bigr ) \le \sum _i \delta _q\bigl (\mathbb {T}_i(\rho _X), \mathbb {T}_i(\rho _Y)\bigr ) \, . $$

To simplify terminology, from now on we drop the word “randomized” and take it as understood that functions, CPTN maps and states may be randomized, either in the form of keyed functions or as oracle functions, etc.

3 The Collapsing Property

We state here (a slight variation of) the definition of the collapsing property of functions, as proposed by Unruh [5], but using the formalism introduced above. In Sect. 3.2 we then discuss the straightforward extension to partial functions, which will turn out to be useful, and in Sect. 3.3 we show that the collapsing property behaves nicely under various composition operations. These composability results are all rather natural, and—with our formalism!—have simple short proofs. Altogether, this section then stands as “the framework” that we propose for arguing about the collapsing property of hash functions.

3.1 The Definition

The original formulation of the collapsing property for a function h is by means of two “games”, where an “adversary” produces a (normalized) state \(\rho _{XYE}\) of a certain form, namely Y must be classical and equal to h(X), and then in one game X is measured in the computational basis whereas in the other game it is left untouched instead, and the definition requires that it should be hard for any “distinguisher” to distinguish between the two games.

As for the notion of collision resistance, the collapsing property is meaningful only for randomized functions h.Footnote 7 In case of a keyed variant of such a function, one can aim for conditional results that state that h is collapsing (against computationally bounded adversaries) under some computational hardness assumption. In case of an oracle function and aiming for unconditional results, there is no exploitable effect in restricting the computational power of the parties, as long as the query complexity is limited. Our approach of using an abstract complexity notion allows us to cover both these settings simultaneously.

Our formal definition of the collapsing property is given below. Compared to the original definition by Unruh (which comes in a couple of different flavors, which we discuss in Appendix C), we use a somewhat different terminology and formalism. For instance, we do not explicitly speak of “games”, and instead of quantifying over the possible adversaries we quantify over the states that may possibly be prepared by an adversary, and the quantification over the distinguishers is absorbed into the pseudometric \(\delta _q\). These modifications to the mathematical language obviously have no effect on the notion. There are a few more differences compared to the definition proposed by Unruh, but they all have no more than a small quantitative effect, as we discuss below.

Definition 2

A function \(h: \mathcal{X}\rightarrow \mathcal{Y}\) is called \(\varepsilon (q)\)-collapsing if

$$ \mathsf{cAdv}[h](q) := \sup _{\rho _{XYE}} \delta _q\bigl (X,\bar{X}\,|\,\bar{Y} E\bigr ) \le \varepsilon (q) $$

for all q, where the supremum is over all statesFootnote 8 \(\rho _{XYE} = \rho _{X h(X) E}\) with complexity \(\mathfrak {c}(\rho _{XYE}) \le q\). The measure \(\mathsf{cAdv}[h]\) is called the collapsing advantage of h.

Beyond the change in mathematical language, another difference is that in the original definition the system Y of the state \(\rho _{XYE}\), as produced by the adversary, is required to be classical, whereas in Definition 2 we allow it to be non-classical but then “make it classical” by measuring it; this is obviously equivalent (given that measuring has zero complexity). A slightly more substantial difference is that we allow the state \(\rho _{XYE}\) to be subnormalized; i.e., we allow the adversary to abort. However, the collapsing advantage \(\delta _q\bigl (X,\bar{X}\,|\,\bar{Y} E\bigr )\) of any subnormalized state \(\rho _{XYE}\) is the same as that of the normalized state \(\tilde{\rho }_{XYE} := \rho _{XYE} + (1-\mathrm {tr}(\rho _{XYE})){|x_\circ \rangle }{\langle x_\circ |}\otimes {|h(x_\circ )\rangle }{\langle h(x_\circ )|}\otimes {|0\rangle }{\langle 0|}\) for an arbitrary choice of \(x_\circ \in \mathcal{X}\) on which h is defined. Since \(\mathfrak {c}(\tilde{\rho }_{XYE}) \le \mathfrak {c}(\rho _{XYE}) + \mathfrak {c}(h)\), this has only a small quantitative effect that is insignificant if \(\mathfrak {c}(h)\) is insignificant compared to q. In other words, we can easily transform an adversary that aborts into one that does not abort but outputs \(x_\circ \) and \(y_\circ = h(x_\circ )\) instead.

Finally, in the original definition, the complexity of the adversary and the distinguisher together is bounded (by q), whereas we bound the individual complexities (both by q). This is merely for simplicity, and has only a factor-2 quantitative effect.

3.2 Partial versus Total Functions

In Definition 2, we implicitly considered the function \(h: \mathcal{X}\rightarrow \mathcal{Y}\) to be a total function, i.e., a function that is defined on its entire domain \(\mathcal{X}\). However, it will be useful to extend the definition to partial functions, which are defined only on a subset \(\mathcal{X}_\text {eff} \subseteq \mathcal{X}\) of the domain.Footnote 9 In the context of randomized functions, as considered here, we allow \(\mathcal{X}_\text {eff}\) to depend on the global randomness r; this is what distinguishes such a partial function from a total function with a smaller domain, since the domain \(\mathcal{X}\) of a function is declared fixed and independent of r.

Definition 2 applies directly to such partial functions as well, given that the definition of the evaluation map is naturally extended to partial functions h by having the defining operator V[h] map \({|x\rangle }\) to 0 for any \(x \not \in \mathcal{X}_\text {eff}\). The effect of this is that the requirement \(\rho _{XYE} = \rho _{X h(X) E}\) enforces X to contain no inputs from outside of \(\mathcal{X}_\text {eff}\). Hence, considering partial functions in Definition 2 serves as a convenient way to “disallow” certain inputs.

Formally, consider a function \(h : \mathcal{X}\rightarrow \mathcal{Y}\) (which may be partial but let us think of it as a total function for now), and let \(\pi : \mathcal{X}\rightarrow \{0,1\}\) be a predicate, which will always be understood to be a total function. Then, we define \(h|_\pi \) to be the partial function \(h|_\pi : \mathcal{X}\rightarrow \mathcal{Y}\) that is undefined for \(x \in \mathcal{X}\) with \(\pi (x) = 0\), and that coincides with h for the remaining \(x \in \mathcal{X}\). The collapsing advantage of \(h|_\pi \) then coincides with the collapsing advantage of h modified in that the quantification over \(\rho _{XYE}\) is restricted to states for which \(\Pr [\,\pi (\bar{X}) \!=\! 0\,] = 0\).
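To make this way of “disallowing” inputs concrete, the following is a minimal classical sketch (in Python, with names of our own choosing; None plays the role of “undefined”) of how a predicate \(\pi \) turns a total function h into the partial function \(h|_\pi \):

```python
from typing import Callable, Optional, TypeVar

X = TypeVar("X")
Y = TypeVar("Y")

def restrict(h: Callable[[X], Y], pi: Callable[[X], bool]) -> Callable[[X], Optional[Y]]:
    """The partial function h|_pi: defined (i.e., not None) only where pi(x) = 1."""
    def h_pi(x: X) -> Optional[Y]:
        return h(x) if pi(x) else None  # None models "undefined"
    return h_pi
```

In the quantum formalism, an input outside of \(\mathcal{X}_\text {eff}\) is not mapped to a special value but is annihilated by V[h], which is what enforces \(\Pr [\,\pi (\bar{X}) \!=\! 0\,] = 0\) for the admissible states \(\rho _{XYE}\).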

Below, in Lemmas 1 and 2, we show how \(\mathsf{cAdv}[h]\) and \(\mathsf{cAdv}[h|_\pi ]\) relate to each other. Lemma 1 follows trivially from the above observation, i.e., that \(\rho _{XYE} = \rho _{X h|_\pi (X) E}\) implies \(\rho _{XYE} = \rho _{X h(X) E}\).

Lemma 1

If h is \(\varepsilon (q)\)-collapsing then so is \(h|_\pi \), i.e., \(\mathsf{cAdv}[h|_\pi ] \le \mathsf{cAdv}[h]\).

Applied to h of the form \(h|_\tau \), and noting that \((h|_\tau )|_\pi = h|_{\pi \wedge \tau }\), we get the following, which captures that disallowing more inputs can only decrease the collapsing advantage.

Corollary 1

For any predicates \(\pi \) and \(\tau \), it holds that \(\mathsf{cAdv}[h|_{\pi \wedge \tau }] \le \mathsf{cAdv}[h|_\tau ]\). In particular, if \(\pi \) implies \(\tau \), i.e. \(\pi (x) \!=\! 1 \Rightarrow \tau (x) \!=\! 1\), then \(\mathsf{cAdv}[h|_\pi ] \le \mathsf{cAdv}[h|_\tau ]\).

For the other direction, disallowing some inputs has little effect if those are hard to find. For the formal statement, we need the following definition.

Definition 3

A predicate \(\pi :\mathcal{X}\rightarrow \{0,1\}\) is called \(\beta (q)\)-almost-certain if it holds that \(\Pr [\pi (\bar{X})\!=\!0] \le \beta (q)\) for any state \(\rho _X\) with complexity q.

Lemma 2

If \(\pi \) is \(\beta (q)\)-almost-certain then

$$ \mathsf{cAdv}[h](q) \le \mathsf{cAdv}[h|_\pi ](q+\mathfrak {c}_\pi ) + \sqrt{\beta (q)} \cdot \min \bigl \{\sqrt{2},1\!+\!\sqrt{\beta (q)}\,\bigr \} \, . $$

Proof

Let \(\rho _{XYE} = \rho _{X h(X) E}\) be with complexity q. Consider the measurement of X determined by the predicate \(\pi \), i.e., with the two components corresponding to the outcomes \(\pi \!=\! 1\) and \(\pi \!=\! 0\).Footnote 10 By the triangle inequality, we have

where the second inequality is because \(\delta _q \le \delta \) and by subadditivity and the choice of the measurement, and the last inequality is by the “gentle-measurement lemma” (1), plus footnote 5, given that \(\pi \) is \(\beta (q)\)-almost-certain, plus the observation that \(\rho _{X^{\pi = 1} Y E}\) has complexity \(q+\mathfrak {c}_\pi \).    \(\square \)

We conclude with the following simple observation, which follows from the fact that under the given assumptions, \(\Pr [\tau (\bar{X})\!=\!0] \le \Pr [\pi \circ \lambda (\bar{X})\!=\!0] \le \beta (q+\mathfrak {c}(\lambda ))\) for any state \(\rho _X\) with complexity q.

Lemma 3

Consider predicates \(\pi : \mathcal{X}' \rightarrow \{0,1\}\) and \(\tau : \mathcal{X}\rightarrow \{0,1\}\) and a total function \(\lambda : \mathcal{X}' \rightarrow \mathcal{X}\) such that \(\pi \circ \lambda \) implies \(\tau \), i.e., \(\pi (\lambda (x)) \!=\! 1\) \(\Rightarrow \) \(\tau (x) \!=\! 1\). If \(\pi \) is \(\beta (q)\)-almost-certain then \(\tau \) is \(\beta (q+\mathfrak {c}(\lambda ))\)-almost-certain.

3.3 Composability Properties

We show composability of the collapsing property under different means of composing functions. In one or another form, some of these composability properties are also present in previous work (see e.g. Lemma 27 in the full version of [5] for the corresponding claim on nested composition); we cover them here for completeness and since our notion differs in minor ways, but also in order to demonstrate how succinctly these composability properties can be phrased and proven using our formalism.

We take it as understood that for partial functions g and h, the considered composition is defined whenever g and h are both defined on their respective inputs.

Lemma 4

(Concurrent composition). For \(g: \mathcal{X}\rightarrow \mathcal{Y}\) and \(h: \mathcal{W}\rightarrow \mathcal{Z}\), the concurrent composition \(g\Vert h: \mathcal{X}\times \mathcal{W}\rightarrow \mathcal{Y}\times \mathcal{Z}\), \((x,w) \mapsto \bigl (g(x),h(w)\bigr )\) satisfies

$$ \mathsf{cAdv}[g\Vert h] \le \mathsf{cAdv}[g] + \mathsf{cAdv}[h] \, . $$

Proof

Let \(\rho _{X W Y Z E} = \rho _{X W g(X) h(W) E}\) be with complexity q. Then, by triangle inequality,

$$\begin{aligned} \delta _q\bigl (X W, \bar{X} \bar{W} |\bar{Y} \bar{Z} E \bigr )&\le \delta _q\bigl (X W, X \bar{W} |\bar{Y} \bar{Z} E \bigr ) + \delta _q\bigl (X \bar{W}, \bar{X} \bar{W} |\bar{Y} \bar{Z} E \bigr ) \\&= \delta _q\bigl (W, \bar{W} | \bar{Z} X \bar{Y} E \bigr ) + \delta _q\bigl (X, \bar{X} |\bar{Y} \bar{W} \bar{Z} E \bigr ) \\&\le \mathsf{cAdv}[g](q) + \mathsf{cAdv}[h](q) \, . \end{aligned}$$

   \(\square \)

Lemma 5

(Nested composition). For \(g: \mathcal{X}\rightarrow \mathcal{Y}\) and \(h: \mathcal{Y}\rightarrow \mathcal{Z}\), the nested (or sequential) composition \(h \circ g: \mathcal{X}\rightarrow \mathcal{Z}\), \(x \mapsto h\bigl (g(x)\bigr )\) satisfies

$$ \mathsf{cAdv}[h \circ g](q) \le \mathsf{cAdv}[g](q+\mathfrak {c}_g) + \mathsf{cAdv}[h](q+\mathfrak {c}_g) \, . $$

Proof

Let \(\rho _{X Z E} = \rho _{X (h \circ g)(X) E}\) be with complexity q. Then, \(\rho _{X Y Z E} = \rho _{Xg(X) Z E}\) has complexity at most \(q + \mathfrak {c}_g\). Recalling that \(\rho _{X Z E}\) is recovered from \(\rho _{X Y Z E}\) by applying the left inverse of the evaluation map of g, we get

$$\begin{aligned} \delta _q\bigl (X, \bar{X} |\bar{Z} E \bigr )&\le \delta _{q+\mathfrak {c}_g}\bigl (X Y, \bar{X} Y | \bar{Z} E \bigr )&\text {(monotonicity)} \\&\le \delta _{q+\mathfrak {c}_g}\bigl (X Y, X \bar{Y} | \bar{Z} E \bigr ) + \delta _{q+\mathfrak {c}_g}\bigl (X \bar{Y} ,\bar{X} Y | \bar{Z} E \bigr )&(\triangle \text { inequality)} \\&\le \delta _{q+\mathfrak {c}_g}\bigl (Y, \bar{Y} | \bar{Z} X E \bigr ) + \delta _{q+\mathfrak {c}_g}\bigl (X,\bar{X} | \bar{Y} \bar{Z} E \bigr )&\!\!\!\!\!\!(\bar{X} Y \!=\! \bar{X} \bar{Y} \text { by (2))} \\&\le \mathsf{cAdv}[g](q+\mathfrak {c}_g) + \mathsf{cAdv}[h](q+\mathfrak {c}_g) \, . \end{aligned}$$

   \(\square \)

Lemma 6

For \(g: \mathcal{X}\rightarrow \mathcal{Y}\) and \(h: \mathcal{W}\times \mathcal{X}\rightarrow \mathcal{Z}\), where the latter function is such that \(h(\cdot ,x)\) is injective for any \(x \in \mathcal{X}\), the composition \(f: \mathcal{W}\times \mathcal{X}\rightarrow \mathcal{Y}\times \mathcal{Z}\), \((w,x) \mapsto \bigl (g(x),h(w,x)\bigr )\) satisfies

$$\mathsf{cAdv}[f] \le \mathsf{cAdv}[g] \, .$$

We emphasize that the statement includes the special case where \(\mathcal{W}\) is empty, i.e., \(h: \mathcal{X}\rightarrow \mathcal{Z}\), in which case the injectivity requirement becomes void, so that in particular the following holds.

Corollary 2

(Parallel composition). For \(g: \mathcal{X}\rightarrow \mathcal{Y}\) and \(h: \mathcal{X}\rightarrow \mathcal{Z}\), the parallel composition \((g,h): \mathcal{X}\rightarrow \mathcal{Y}\times \mathcal{Z}\), \(x \mapsto \bigl (g(x),h(x)\bigr )\) satisfies

$$ \mathsf{cAdv}[(g,h)] \le \min \bigl \{\mathsf{cAdv}[g],\mathsf{cAdv}[h]\bigr \} \, . $$

Proof

(of Lemma 6). Let \(\rho _{WXYZE} = \rho _{WX g(X) \, h(W,X) E}\) be with complexity q. Then, using that \(\bar{W} \bar{X} \bar{Z} = W \bar{X} \bar{Z}\), which holds by (2) because w is a function of x and \(z = h(w,x)\) (by the injectivity of \(h(\cdot ,x)\)),

$$\begin{aligned} \delta _q\bigl (W X, \bar{W} \bar{X} |\bar{Y} \bar{Z} E \bigr ) = \delta _q\bigl (X,\bar{X} |\bar{Y} \bar{Z} W E \bigr ) \le \mathsf{cAdv}[g](q) \, . \end{aligned}$$

   \(\square \)

Lemma 7

(Disjoint union). For \(g: \mathcal{X}\rightarrow \mathcal{Y}\) and \(h: \mathcal{W}\rightarrow \mathcal{Z}\) with disjoint domains and images, the disjoint union \(g \sqcup h: \mathcal{X}\cup \mathcal{W}\rightarrow \mathcal{Y}\cup \mathcal{Z}\), which maps \(x \in \mathcal{X}\) to g(x) and \(w \in \mathcal{W}\) to h(w), satisfies

$$ \mathsf{cAdv}[g \sqcup h] \le \mathsf{cAdv}[g] + \mathsf{cAdv}[h] \, . $$

Proof

Let \(\rho _{U V E} = \rho _{U (g \,\sqcup \, h)(U) E}\), and consider the “distinguishing function” \(dis: \mathcal{X}\cup \mathcal{W}\rightarrow \{0,1\}\) that maps \(x \in \mathcal{X}\) to 1 and \(w \in \mathcal{W}\) to 0. By our convention on function domains being recognizable, dis has zero complexity. Furthermore, the state obtained by measuring U with respect to dis is of the form

$$ \rho _{U^{dis} V E} = \rho _{U^{dis=0} V E} + \rho _{U^{dis=1} V E} = \rho _{X g(X) E} + \rho _{W h(W) E} $$

and, by the disjointness of the images, \(\rho _{U \bar{V} E} = \rho _{U^{dis} \bar{V} E}\), and so it follows from subadditivity that

$$\begin{aligned} \delta _q\bigl (U, \bar{U} |\bar{V} E \bigr )&= \delta _q\bigl (U^{dis}, \bar{U}^{dis} |\bar{V} E \bigr ) \le \delta _q\bigl (X, \bar{X} |\bar{Y} E \bigr ) + \delta _q\bigl (W, \bar{W} |\bar{Z} E \bigr ) \end{aligned}$$

which is bounded by \(\mathsf{cAdv}[g] + \mathsf{cAdv}[h]\).    \(\square \)
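To summarize Sect. 3.3, the composition operations covered by our framework can be phrased, purely classically, as the following small set of combinators (a Python sketch with names of our own choosing; as before, None models “undefined” for partial functions). The iteration functions in Sects. 4 and 5 are built from exactly these operations.

```python
from typing import Callable, Tuple

def concurrent(g: Callable, h: Callable) -> Callable:
    """Concurrent composition g||h: (x, w) -> (g(x), h(w))   (Lemma 4)."""
    def g_h(xw: Tuple):
        x, w = xw
        y, z = g(x), h(w)
        return None if y is None or z is None else (y, z)
    return g_h

def nested(h: Callable, g: Callable) -> Callable:
    """Nested composition h o g: x -> h(g(x))   (Lemma 5)."""
    def hg(x):
        y = g(x)
        return None if y is None else h(y)
    return hg

def parallel(g: Callable, h: Callable) -> Callable:
    """Parallel composition (g, h): x -> (g(x), h(x))   (Corollary 2)."""
    def gh(x):
        y, z = g(x), h(x)
        return None if y is None or z is None else (y, z)
    return gh

def disjoint_union(g: Callable, h: Callable, in_dom_g: Callable[..., bool]) -> Callable:
    """Disjoint union g ⊔ h   (Lemma 7); in_dom_g plays the role of the function dis."""
    def g_or_h(u):
        return g(u) if in_dom_g(u) else h(u)
    return g_or_h
```

Each combinator corresponds to one of the results above, which bound the collapsing advantage of the composed function in terms of the advantages of its constituents.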

4 Application I: Merkle-Damgård and HAIFA

We demonstrate the usefulness of our framework. Here, we do so by (re)proving the collapsing property of Merkle-Damgård, and by showing that the proof trivially translates to the HAIFA variation [3]. In the subsequent section we analyze the Sponge construction [1]. Our proofs argue entirely by means of decomposing the iteration function under consideration into a few composition operations.

Here and in the remainder, for \(b \in \{0,1,\bot \}\) and any positive integer i, we write \(b^i \in \{0,1,\bot \}^i\) for the i-fold concatenation \((b,\ldots ,b)\) of b with itself.

4.1 The Construction

Let \(f: \{0,1\}^c \times \{0,1\}^r \rightarrow \{0,1\}^c\) be a (total) function, which will act as the round function in the Merkle-Damgård construction. For any positive integer i, we consider the function \( { I\!H}_i: \bigl (\{0,1\}^r\bigr )^i \rightarrow \{0,1\}^c \) given recursively by

$$\begin{aligned} { I\!H}_i(x_1,\ldots ,x_i) := f\bigl ({ I\!H}_{i-1}(x_1,\ldots ,x_{i-1}),x_i\bigr ) \end{aligned}$$
(3)

with \({ I\!H}_0() := {{\textsf {\textit{iv}}}}\), some fixed string in \(\{0,1\}^c\) called the initialization vector. The Merkle-Damgård hash function is then formally given byFootnote 11

$$ { M\!D}: \bigl (\{0,1\}^r\bigr )^* \rightarrow \{0,1\}^c, \; (x_1,\ldots ,x_i) \mapsto { I\!H}_i(x_1,\ldots ,x_i). $$

For technical reasons, we extend the domain of \({ I\!H}_i\) above to

$$ \mathcal{X}_i := \bigl \{(x_1,\ldots ,x_i) \in \bigl (\{\bot \} \cup \{0,1\}^r \bigr )^i \,\big |\, x_j \!=\! \bot \Rightarrow x_1\!=\!\cdots \!=\! x_j \!=\! \bot \bigr \} $$

by setting \({ I\!H}_i(\bot ,\ldots ,\bot ) := {{\textsf {\textit{iv}}}}\) and keeping the recursive definition (3) for \(x_i \ne \bot \). We can now apply \({ I\!H}_L\) to messages of size \(i < L\) blocks by pre-padding them with \(\bot \)'s: \({ I\!H}_i(x_1,\ldots ,x_i) = { I\!H}_{i+1}(\bot ,x_1,\ldots ,x_i) = \cdots = { I\!H}_L(\bot ,\ldots ,\bot ,x_1,\ldots ,x_i)\), and thus the restriction of \({ M\!D}\) to messages of block size \(0 \le i \le L\) can be expressed as \( { M\!D}^{\le L}(x_1,\ldots ,x_i) = { I\!H}_L(\bot ,\ldots ,\bot ,x_1,\ldots ,x_i) \).
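To fix ideas, the following is a minimal classical sketch (Python; the names are ours) of the extended iteration \({ I\!H}_i\) and of \({ M\!D}^{\le L}\), with None playing the role of \(\bot \):

```python
from typing import Callable, Optional, Sequence

Block = bytes  # an r-bit message block; None plays the role of ⊥
State = bytes  # a c-bit chaining value

def IH(f: Callable[[State, Block], State], iv: State,
       blocks: Sequence[Optional[Block]]) -> State:
    """Extended Merkle-Damgård iteration IH_i; the ⊥'s are assumed to form a prefix."""
    state = iv                   # IH_0() = iv, and IH_i(⊥,...,⊥) = iv
    for x in blocks:
        if x is not None:
            state = f(state, x)  # recursion (3): IH_i = f(IH_{i-1}, x_i)
    return state

def MD_up_to_L(f: Callable[[State, Block], State], iv: State,
               L: int, message: Sequence[Block]) -> State:
    """MD^{<=L}: left-pad a message of at most L blocks with ⊥'s and apply IH_L."""
    assert len(message) <= L
    return IH(f, iv, [None] * (L - len(message)) + list(message))
```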

4.2 The Analysis

Using our framework, we will now prove the following security statement for Merkle-Damgård. The assumption on \(\mathfrak {c}(f)\) is simply for normalization, and for f to be \(\beta \)-\({{\textsf {\textit{iv}}}}\)-preimage-resistant means, by definition, that the predicate \(1_{f(y) \ne {{\textsf {\textit{iv}}}}}\), which is 1 if y satisfies \(f(y) \ne {{\textsf {\textit{iv}}}}\) and 0 otherwise, is \(\beta \)-almost-certain.

Theorem 1

If f has complexity \(\mathfrak {c}(f) = 1\), is \(\varepsilon \)-collapsing and \(\beta \)-\({{\textsf {\textit{iv}}}}\)-preimage-resistant, then, for any integer \(L \ge 0\), the function \({ M\!D}^{\le L}\) is \(\gamma \)-collapsing with

$$ \gamma (q) = L \cdot \varepsilon \bigl (q+ {\textstyle \frac{1}{2}}L(L+1) \bigr ) + \sqrt{2\beta (q+L)} \, . $$

For the purpose of the proof, we define for any i the predicate \(\pi _i: \mathcal{X}_i \rightarrow \{0,1\}\) as

$$ \pi _i(x_1,\ldots ,x_i) = 1 \; \Longleftrightarrow \; \forall \, j \in \{1,\ldots ,i\}: x_j = \bot \,\vee \, { I\!H}_j(x_1,\ldots ,x_j) \ne {{\textsf {\textit{iv}}}}\, , $$

i.e., the bit is set unless the input is a non-trivial \({{\textsf {\textit{iv}}}}\)-preimage of some \({ I\!H}_j\). In particular, if \(\pi _i(x_1,\ldots ,x_i) = 0\) then it must be that \({ I\!H}_j(x_1,\ldots ,x_j) = {{\textsf {\textit{iv}}}}\) for some j with \(x_j \ne \bot \), and thus \(y:= \bigl ({ I\!H}_{j-1}(x_1,\ldots ,x_{j-1}),x_j\bigr )\) satisfies \(f(y) = { I\!H}_j(x_1,\ldots ,x_j) = {{\textsf {\textit{iv}}}}\) by (3). So, by Lemma 3, the following holds.

Lemma 8

If f is \(\beta \)-\({{\textsf {\textit{iv}}}}\)-preimage-resistant then \(\pi _i\) is \(\beta (q+\mathfrak {c}_{{ I\!H}_{i-1}})\)-almost-certain.

Recall that \({ I\!H}_i|_{\pi _i}\) is the partial function that is defined only for the inputs which satisfy \(\pi _i\). The heart of the proof of Theorem 1 is the following recursive statement, which ensures that if \({ I\!H}_{i-1}|_{\pi _{i-1}}\) is collapsing then so is \({ I\!H}_i|_{\pi _i}\). By repeated application, we then get that \({ I\!H}_L|_{\pi _L}\) is collapsing, and since \(\pi _L\) is almost-certain, \({ I\!H}_L\) is collapsing as well (by Lemma 2).

Proposition 1

For any positive integer i:

$$ \mathsf{cAdv}\bigl [{ I\!H}_i|_{\pi _i}\bigr ](q) \,\le \, \mathsf{cAdv}\bigl [{ I\!H}_{i-1}|_{\pi _{i-1}}\bigr ]\bigl (q+\mathfrak {c}_{{ I\!H}_{i-1}}\bigr ) + \varepsilon \bigl (q+\mathfrak {c}_{{ I\!H}_{i-1}}\bigr ) \, . $$

Proof

We let \(\dot{ I\!H}_i\) and \(\dot{\pi }_i\) be the respective restrictions of \({ I\!H}_i\) and \({\pi _i}\) to the domain \(\dot{\mathcal{X}}_i := \mathcal{X}_i \setminus \{\bot ^i\}\). Then, we see that \({ I\!H}_i|_{\pi _i}\) is the disjoint union of the trivial function \(\{\bot ^i\} \rightarrow \{{{\textsf {\textit{iv}}}}\}\) and \(\dot{ I\!H}_i|_{\dot{\pi }_i}\); the crucial observation here is that the image of \(\dot{ I\!H}_i|_{\dot{\pi }_i}\) is disjoint with \(\{{{\textsf {\textit{iv}}}}\}\). Therefore, by Lemma 7,

$$ \mathsf{cAdv}\bigl [{ I\!H}_{i}|_{\pi _i}\bigr ](q) \le \mathsf{cAdv}\bigl [\dot{ I\!H}_i|_{\dot{\pi }_i}\bigr ](q) \le \mathsf{cAdv}\bigl [\dot{ I\!H}_i|_{\pi _{i-1}}\bigr ](q) \, , $$

where the latter inequality is by Lemma 1, given that \(\dot{\pi }_i\) implies \(\pi _{i-1}\).Footnote 12 Furthermore, since

$$ \dot{ I\!H}_i(x_1,\ldots ,x_i) = f\bigl ({ I\!H}_{i-1}(x_1,\ldots ,x_{i-1}),x_i\bigr ) $$

on its domain \(\dot{\mathcal{X}}_i\), i.e., it is the nested composition of f with the concurrent composition of \({ I\!H}_{i-1}\) and the identity function \(x_i \mapsto x_i\), Lemmas 4 and 5 imply

$$ \mathsf{cAdv}\bigl [\dot{ I\!H}_i|_{\pi _{i-1}}\bigr ](q) \,\le \, \mathsf{cAdv}\bigl [{ I\!H}_{i-1}|_{\pi _{i-1}}\bigr ]\bigl (q+\mathfrak {c}_{{ I\!H}_{i-1}}\bigr ) + \mathsf{cAdv}\bigl [f\bigr ]\bigl (q+\mathfrak {c}_{{ I\!H}_{i-1}}\bigr ) \, , $$

which completes the proof.    \(\square \)

Proof

(of Theorem 1). \({ I\!H}_0|_{\pi _0} = { I\!H}_0\) is trivially 0-collapsing. For convenience, we let \(n_i\) be the sum of integers \(n_i := 1 + 2 + \cdots + i = \frac{1}{2}i (i+1)\). Assuming by induction that \(\mathsf{cAdv}[{ I\!H}_{i}|_{\pi _{i}}](q) \le i\cdot \varepsilon (q+ n_{i-1})\), we get from Proposition 1 that

$$ \mathsf{cAdv}\bigl [{ I\!H}_{i+1}|_{\pi _{i+1}}\bigr ](q) \le \varepsilon (q+i) + i\cdot \varepsilon (q+n_{i-1} + i) \le (i+1) \cdot \varepsilon (q+n_i) \, , $$

using that \(\mathfrak {c}_{{ I\!H}_i} = i \cdot \mathfrak {c}_f = i\) and \(n_{i-1}+i = n_i\). Hence, the induction assumption holds for all i, and

$$ \begin{aligned} \mathsf{cAdv}\bigl [{ I\!H}_{L}\bigr ](q)&\le \mathsf{cAdv}\bigl [{ I\!H}_{L}|_{\pi _{L}}\bigr ](q+L) + \sqrt{2\beta (q+L)}&\text {(Lemma }2~ \& ~8) \\&\le L \cdot \varepsilon \bigl (q + L + n_{L-1} \bigr ) + \sqrt{2\beta (q+L)} \, . \end{aligned}$$

   \(\square \)

4.3 Instantiation with a Random Oracle

If f is a random oracle, which formally means that we consider the oracle \(\mathcal {O}\) that is a uniformly random function \(\{0,1\}^c \times \{0,1\}^r \rightarrow \{0,1\}^c\) and f is the trivial oracle function that outputs whatever \(\mathcal {O}\) outputs on the given input, then, as shown by Unruh in [5], f is \(O\bigl (\sqrt{q^3/2^c}\bigr )\)-collapsing.Footnote 13 Furthermore, by the results on the hardness of quantum search from [4, Theorem 1], applied to the oracle function \(F:\{0,1\}^c \times \{0,1\}^r \rightarrow \{0,1\}\) given by \(F(y) = 1\) if and only if \(f(y) = {{\textsf {\textit{iv}}}}\), we immediately get that f is \(8(q\!+\!1)^2\!/2^c\,\)-\({{\textsf {\textit{iv}}}}\)-preimage-resistant. As such, we obtain that for messages of block-size at most L, the Merkle-Damgård hash function \({ M\!D}^{\le L}\) is \(\varepsilon \)-collapsing with

$$ \varepsilon (q) = O\Bigl ( L \sqrt{(q+L^2)^3/2^c}\Bigr ) \, . $$
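For concreteness, this bound is obtained by inserting \(\varepsilon (q) = O\bigl (\sqrt{q^3/2^c}\bigr )\) and \(\beta (q) = 8(q\!+\!1)^2/2^c\) into Theorem 1:

$$\begin{aligned} \gamma (q)&= L \cdot \varepsilon \bigl (q+ {\textstyle \frac{1}{2}}L(L+1) \bigr ) + \sqrt{2\beta (q+L)} \\&= O\Bigl ( L \sqrt{(q+L^2)^3/2^c}\Bigr ) + O\Bigl (\sqrt{(q+L+1)^2/2^c}\Bigr ) = O\Bigl ( L \sqrt{(q+L^2)^3/2^c}\Bigr ) \, , \end{aligned}$$

where the second term is dominated by the first.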

As far as we understand, the results of [6] imply a collapsing advantage of \(O\bigl ( L \sqrt{(q+L)^3/2^c}\bigr )\), which is slightly better because of the \(L^2\) that we have in our bound, but this is insignificant in typical settings where \(q \gg L\).

4.4 HAIFA

Along the very same lines as for the original Merkle-Damgård construction, we can easily show that also HAIFA, a variant proposed by Biham and Dunkelman [3], is collapsing, under the same assumptions. HAIFA works similarly to Merkle-Damgård except that

$$ { I\!H}_i(salt, x_1,\ldots ,x_i) := f\bigl (salt,{ I\!H}_{i-1}(salt,x_1,\ldots ,x_{i-1}),x_i,i\bigr ) $$

i.e., the round function takes as additional inputs the round number i and some salt (that is the same for every round).Footnote 14 Proposition 1 immediately extends to HAIFA; the only thing that changes in the proof is that f becomes \(f_i = f(\cdot ,\cdot ,\cdot ,i)\), which is collapsing if f is, and we also have to use Corollary 2 to argue that the parallel composition of \((salt, x_1,\ldots ,x_i) \mapsto salt\) with the concurrent composition of \({ I\!H}_{i-1}\) and \(x_i \mapsto x_i\) stays collapsing. The collapsing property of HAIFA then follows easily by inductively applying this variation of Proposition 1 as in the proof of Theorem 1.
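As a minimal classical sketch (Python; the names are ours), the HAIFA iteration differs from the Merkle-Damgård sketch of Sect. 4.1 only in the arguments passed to the round function; variable-length messages are handled with the same \(\bot \)-prefix convention as before:

```python
from typing import Callable, Sequence

Block = bytes
State = bytes
Salt = bytes

def IH_haifa(f: Callable[[Salt, State, Block, int], State], iv: State,
             salt: Salt, blocks: Sequence[Block]) -> State:
    """HAIFA iteration: the round function also gets the salt and the round number i."""
    state = iv
    for i, x in enumerate(blocks, start=1):
        state = f(salt, state, x, i)  # IH_i = f(salt, IH_{i-1}, x_i, i)
    return state
```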

4.5 Merkle-Damgård Without \({{\textsf {\textit{iv}}}}\)-Preimage-Resistance

We can also recover Unruh’s original result on \({ M\!D}\), which does not require f to be \({{\textsf {\textit{iv}}}}\)-preimage-resistant but instead restricts the set of inputs to be suffix-free. For that, given a fixed integer \(L > 0\) and arbitrary \(0 \le i \le L\), consider the map \({ I\!H}^*_i\) given by

$$ { I\!H}^*_i: (x_1,\ldots ,x_L) \mapsto \bigl ({ I\!H}_i(x_1,\ldots ,x_i),x_{i+1},\ldots ,x_L\bigr ) \, , $$

defined on the considered suffix-free inputs of size at most L blocks, left-padded with \(\bot \)’s, and we argue the following variant of Proposition 1: if \({ I\!H}^*_i|_{x_i \ne \bot }\) is collapsing then \({ I\!H}^*_{i+1}|_{x_{i+1} \ne \bot }\) is collapsing too (for \(i < L\)). This variant of Proposition 1 follows from the observation that the latter is obtained as the nested composition \({ I\!H}^*_{i+1}|_{x_{i+1} \ne \bot } = (f\Vert id) \circ { I\!H}^*_i|_{x_{i+1} \ne \bot }\) of \({ I\!H}^*_i|_{x_{i+1} \ne \bot }\) with the concurrent composition of f and the identity id acting on \(x_{i+2},\ldots ,x_L\). Furthermore,

$$ { I\!H}^*_i|_{x_{i+1} \ne \bot }(x_1,\!...,x_L) = \left\{ \begin{array}{ll} { I\!H}^*_i|_{x_i \ne \bot }(x_1,\!...,x_L) = \bigl ({ I\!H}_i(x_1,\!...,x_i),x_{i+1},\!...,x_L\bigr ) &{} \text {if } x_i \ne \bot \\ \bigl ({{\textsf {\textit{iv}}}},x_{i+1},x_{i+2},\!...,x_L\bigr ) &{} \text {if }x_i = \bot \end{array}\right. $$

and therefore \({ I\!H}^*_i|_{x_{i+1} \ne \bot }\) is the disjoint union of \({ I\!H}^*_i|_{x_i \ne \bot }\) and the function \((\bot ^i,x_{i+1},\ldots ,x_L) \mapsto ({{\textsf {\textit{iv}}}},x_{i+1},x_{i+2},\ldots ,x_L)\). Here, we are using the suffix-freeness of the considered inputs \(x_1,\ldots ,x_L\); this ensures that not only the domains but also the images of the two functions are disjoint: if \((\bot ^i,x_{i+1},\ldots ,x_L)\) is “allowed” then \((x_1,\ldots ,x_L)\) is not unless \(x_1\) up to \(x_i\) are all \(\bot \). The above variant of Proposition 1 then follows from the preservation of the collapsing property under the different compositions, and then, by inductively applying this variant of Proposition 1, we obtain that \({ I\!H}^*_L|_{x_L \ne \bot }\) is collapsing, and thus \({ M\!D}^{\le L}\) is, given that the input is from a suffix-free set.

5 Application II: The Sponge

Here, we apply our framework to the Sponge construction [1]. As one can see, we follow the exact same blueprint as in Sect. 4.

5.1 The Construction

Let \(f = (f^0,f^1): \{0,1\}^r \times \{0,1\}^c \rightarrow \{0,1\}^r \times \{0,1\}^c\) be a (total) function, which will act as the round function in the Sponge construction. For any positive integer i, consider the function

$$ S_i = (S_i^0,S_i^1): \bigl (\{0,1\}^r\bigr )^i \rightarrow \{0,1\}^r \times \{0,1\}^c $$

given recursively by

$$\begin{aligned} S_i(x_1,\ldots ,x_i) := f\bigl (S^0_{i-1}(x_1,\ldots ,x_{i-1}) \oplus x_i, S^1_{i-1}(x_1,\ldots ,x_{i-1})\bigr ) \end{aligned}$$
(4)

with \(S_0() := 0\). The sponge function (with s rounds of “squeezing”) is then formally given byFootnote 15

$$\begin{aligned} { Sponge}[s]: \bigl (\{0,1\}^r\bigr )^*&\rightarrow \bigl (\{0,1\}^r\bigr )^s \\ (x_1,\!...,x_i)&\mapsto \bigl (S^0_i(x_1,\!...,x_i), S^0_{i+1}(x_1,\!...,x_i,0^r),\!..., S^0_{i+s-1}(x_1,\!...,x_i,0^r,\!...,0^r)\bigr ) \, . \end{aligned}$$

For technical reasons, we extend the domain of \(S_i\) above to

$$ \mathcal{X}_i := \bigl \{(x_1,\ldots ,x_i) \in \bigl (\{\bot \} \cup \{0,1\}^r \bigr )^i \,\big |\, x_j \!=\! \bot \Rightarrow x_1\!=\!\cdots \!=\! x_j \!=\! \bot \bigr \} $$

i.e., to strings that may have \(\bot \)-prefixes. We do so by setting

$$ S_i(\bot ,\ldots ,\bot ) := 0^{r+c} $$

and keeping the recursive definition (4) for \(x_i \ne \bot \). This extension allows us to apply \(S_L\) to messages \((x_1,\ldots ,x_i) \in (\{0,1\}^r)^i\) of size \(i < L\) blocks by pre-padding them with \(\bot \)'s: \(S_i(x_1,\ldots ,x_i) = S_{i+1}(\bot ,x_1,\ldots ,x_i) = \cdots = S_L(\bot ,\ldots ,\bot ,x_1,\ldots ,x_i)\), and thus the restriction of \({ Sponge}[s]\) to messages of block size \(1 \le i \le L\) can be expressed as:

$$\begin{aligned} { Sponge}[s]^{\le L}(x_1,\!...,x_i) = \bigl (S^0_L(\bot ^{L-i},x_1,\!...,x_i), S^0_{L+1}(\bot ^{L-i},x_1,\!...,x_i,0^r),\!... \bigr ) \end{aligned}$$
(5)

where we note that we insist here on \(i \ge 1\), i.e., the message is non-empty.
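The following is a minimal classical sketch (Python; the names are ours) of the extended iteration \(S_i\) and of \({ Sponge}[s]^{\le L}\), with None playing the role of \(\bot \) and with blocks represented as r-bit integers so that \(\oplus \) is the integer XOR:

```python
from typing import Callable, Optional, Sequence, Tuple

RBits = int  # r-bit outer part / message block, as an integer (so ⊕ is ^)
CBits = int  # c-bit inner part

def S(f: Callable[[RBits, CBits], Tuple[RBits, CBits]],
      blocks: Sequence[Optional[RBits]]) -> Tuple[RBits, CBits]:
    """Extended Sponge iteration S_i = (S_i^0, S_i^1); the None's (⊥'s) form a prefix."""
    outer, inner = 0, 0                         # S_0() = 0 and S_i(⊥,...,⊥) = 0^{r+c}
    for x in blocks:
        if x is not None:
            outer, inner = f(outer ^ x, inner)  # recursion (4)
    return outer, inner

def sponge_up_to_L(f: Callable[[RBits, CBits], Tuple[RBits, CBits]],
                   L: int, s: int, message: Sequence[RBits]) -> Sequence[RBits]:
    """Sponge[s]^{<=L}: absorb the ⊥-padded (non-empty) message, then squeeze s blocks."""
    assert 1 <= len(message) <= L
    outer, inner = S(f, [None] * (L - len(message)) + list(message))
    out = [outer]
    for _ in range(s - 1):
        outer, inner = f(outer, inner)          # squeezing rounds absorb the block 0^r
        out.append(outer)
    return out
```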

5.2 The Analysis

Here, we prove the following. Also here, the assumption on \(\mathfrak {c}(f)\) is simply for normalization, and for \(f^1\) to be \(\beta \)-zero-preimage-resistant means, by definition, that the predicate \(1_{f^1(y) \ne 0^c}\) is \(\beta \)-almost-certain.

Theorem 2

If f has complexity 1, and \(f^0\) and \(f^1\) are \(\varepsilon ^0\)- and \(\varepsilon ^1\)-collapsing, and \(f^1\) is \(\beta \)-zero-preimage-resistant, then, for any integer \(L \ge 0\), the Sponge function \({ Sponge}[s]^{\le L}\) is \(\gamma \)-collapsing with

$$ \gamma (q) \,\le \, \varepsilon ^0(q+2L-1) + (L-1) \cdot \varepsilon ^1\bigl (q+ \textstyle \frac{1}{2}L(L\!+\!1) \bigr ) + \sqrt{2\beta (q+L)} \, . $$

For the purpose of the proof, we define for any i the predicate \(\pi _i: \mathcal{X}_i \rightarrow \{0,1\}\) as

$$ \pi _i(x_1,\ldots ,x_i) = 1 \; \Longleftrightarrow \; \forall \, j \in \{1,\ldots ,i\}: x_j = \bot \,\vee \, S_j^1(x_1,\ldots ,x_j) \ne 0^c \, , $$

i.e., the bit is set unless the input is a non-trivial zero-preimage of some \(S_j^1\). In particular, if \(\pi _i(x_1,\ldots ,x_i) = 0\) then \(S_j^1(x_1,\ldots ,x_j) = 0^c\) for some j with \(x_j \ne \bot \), and thus \(y:= \bigl (S_{j-1}^0(x_1,\ldots ,x_{j-1}) \oplus x_j,S_{j-1}^1(x_1,\ldots ,x_{j-1})\bigr )\) satisfies \(f^1(y) = S_j^1(x_1,\ldots ,x_j) = 0^c\) by (4). Thus, by Lemma 3, the following holds.

Lemma 9

If \(f^1\) is \(\beta \)-zero-preimage-resistant then \(\pi _i\) is \(\beta (q+\mathfrak {c}_{S_{i-1}})\)-almost-certain, and the same holds for \(\dot{\pi }_i\), defined below.

For any i, let \(\dot{S}_i^b\) and \(\dot{\pi }_i\) be the respective restrictions of \(S_i^b\) and \({\pi _i}\) to the domain \(\dot{\mathcal{X}}_i := \mathcal{X}_i \setminus \{\bot ^i\}\). The heart of the proof of Theorem 2 is the following recursive statement, which ensures that if \(S_{i-1}^1|_{\pi _{i-1}}\) is collapsing then so are \(\dot{S}_i^0|_{\dot{\pi }_i}\) and \(S_i^1|_{\pi _i}\). By repeated application, we then get that \(\dot{S}_L^0|_{\dot{\pi }_L}\) is collapsing, and since \(\dot{\pi }_L\) is almost-certain, \(\dot{S}_L^0\) is collapsing as well (by Lemma 2).

Proposition 2

For any positive integer i, and with \(b = 0\) and \(b = 1\) for the two respective left-hand sides:

$$ \mathsf{cAdv}\bigl [\dot{S}_i^0|_{\dot{\pi }_i}\bigr ](q), \mathsf{cAdv}\bigl [S_i^1|_{\pi _i}\bigr ](q) \,\le \, \mathsf{cAdv}\bigl [S_{i-1}^1|_{\pi _{i-1}}\bigr ]\bigl (q+\mathfrak {c}_{S_{i-1}}\bigr ) + \varepsilon ^b\bigl (q+\mathfrak {c}_{S_{i-1}}\bigr ) \, . $$

Proof

We note that \(S_i^1|_{\pi _i}\) is the disjoint union of the trivial function \(\{\bot ^i\} \rightarrow \{0^c\}\) and \(\dot{S}_i^1|_{\dot{\pi }_i}\); the crucial observation here is that the image of \(\dot{S}_i^1\) does not contain \(0^c\). Therefore, by Lemma 7,

$$ \mathsf{cAdv}\bigl [S^1_{i}|_{\pi _i}\bigr ](q) \le \mathsf{cAdv}\bigl [\dot{S}_i^1|_{\dot{\pi }_i}\bigr ](q) \le \mathsf{cAdv}\bigl [\dot{S}_i^1|_{\pi _{i-1}}\bigr ](q) \, , $$

where the latter inequality is by Lemma 1, given that \(\dot{\pi }_i\) implies \(\pi _{i-1}\).Footnote 16 Furthermore, since

$$ \dot{S}_i^1(x_1,\ldots ,x_i) = f^1\bigl (S^0_{i-1}(x_1,\ldots ,x_{i-1}) \oplus x_i, S^1_{i-1}(x_1,\ldots ,x_{i-1})\bigr ) $$

on its domain \(\dot{\mathcal{X}}_i\), i.e., it is a nested composition of \(f^1\) with a function that is obtained as a composition as considered in Lemma 6, Lemmas 5 and 6 imply that

$$ \mathsf{cAdv}\bigl [\dot{S}_i^1|_{\pi _{i-1}}\bigr ](q) \,\le \, \mathsf{cAdv}\bigl [S_{i-1}^1|_{\pi _{i-1}}\bigr ]\bigl (q+\mathfrak {c}_{S_{i-1}}\bigr ) + \mathsf{cAdv}\bigl [f^b\bigr ]\bigl (q+\mathfrak {c}_{S_{i-1}}\bigr ) \, , $$

which was to be proven. The reasoning for \(\dot{S}_i^0|_{\dot{\pi }_i}\) is exactly as for \(\dot{S}_i^1|_{\dot{\pi }_i}\) above.    \(\square \)

Proof

(of Theorem 2). \(S_0^1|_{\pi _0} = S_0^1\) is trivially 0-collapsing. For convenience, we let \(n_i\) be the sum of integers \(n_i := 1 + 2 + \cdots + i = \frac{1}{2}i (i+1)\). Assuming by induction that \(\mathsf{cAdv}[S_{i}^1|_{\pi _{i}}](q) \le i\cdot \varepsilon ^1(q+ n_{i-1})\), we get from Proposition 2 that

$$ \mathsf{cAdv}\bigl [S_{i+1}^1|_{\pi _{i+1}}\bigr ](q) \le \varepsilon ^1(q+i) + i\cdot \varepsilon ^1(q+n_{i-1} + i) \le (i+1) \cdot \varepsilon ^1(q+n_i) \, , $$

using that \(\mathfrak {c}_{S_i} = i \cdot \mathfrak {c}_f = i\) and \(n_{i-1}+i = n_i\). Hence, the induction assumption holds for all i, and

$$\begin{aligned} \mathsf{cAdv}\bigl [\dot{S}_{L}^0\bigr ](q)&\le \mathsf{cAdv}\bigl [\dot{S}_{L}^0|_{\dot{\pi }_{L}}\bigr ](q+L) + \sqrt{2\beta (q+L)} \\&\le \varepsilon ^0(q+2L-1) + \mathsf{cAdv}\bigl [S_{L-1}^1|_{\pi _{L-1}}\bigr ](q+2L-1) + \sqrt{2\beta (q+L)} \\&\le \varepsilon ^0(q+2L-1) + (L-1) \cdot \varepsilon ^1\bigl (q+ n_L \bigr ) + \sqrt{2\beta (q+L)} \, , \end{aligned}$$

where the first inequality is by Lemmas 2 and 9, and the second by Proposition 2. The claim on \({ Sponge}[s]^{\le L}\) follows now from (5) and Corollary 2.    \(\square \)

5.3 Instantiation with a Random Oracle

If \(f = (f^0,f^1)\) is a random oracle, then it follows easily from the work of Unruh in [5] on the collapsing property of the random oracle that \(f^0\) and \(f^1\) are respectively \(O\bigl (\sqrt{q^3/2^r}\bigr )\)- and \(O\bigl (\sqrt{q^3/2^c}\bigr )\)-collapsing. Furthermore, as pointed out in [2], by the results on the hardness of quantum search from [4, Theorem 1], applied to the oracle function \(F:\{0,1\}^r \times \{0,1\}^c \rightarrow \{0,1\}\) given by \(F(y) = 1\) if and only if \(f^1(y) = 0^c\), we immediately get that the function \(f^1\) is \(8(q+1)^2/2^c\)-zero-preimage-resistant. Therefore, we get that for messages of block-size at most L, the sponge function \({ Sponge}[s]^{\le L}\), with the round function modeled by a random oracle, is \(\varepsilon \)-collapsing with

$$ \varepsilon (q) = O\Bigl (\sqrt{(q+L)^3/2^r} + L \sqrt{(q+L^2)^3/2^c}\Bigr ) . $$

This matches the single-execution variant (i.e. \(t=1\)) of Theorem 33 of [2], except for the square in the \(L^2\) term. When considering a t-fold parallel composition \({ Sponge}[s]^{\le L}\Vert \cdots \Vert { Sponge}[s]^{\le L}\), it follows immediately from Lemma 6 that the collapsing parameter grows linearly with t, i.e., as

$$ O\Bigl (t\sqrt{(q+L)^3/2^r} + tL \sqrt{(q+L^2)^3/2^c}\Bigr ) \, , $$

which is comparable to Theorem 33 of [2] with a general t, which states a collapsing advantage of

$$ O\Bigl (t\sqrt{(q+tL)^3/2^r} + tL \sqrt{(q+tL)^3/2^c}\Bigr ) \, . $$
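For completeness, the single-execution bound stated at the beginning of this section is obtained, exactly as for Merkle-Damgård, by inserting \(\varepsilon ^0(q) = O\bigl (\sqrt{q^3/2^r}\bigr )\), \(\varepsilon ^1(q) = O\bigl (\sqrt{q^3/2^c}\bigr )\) and \(\beta (q) = 8(q\!+\!1)^2/2^c\) into Theorem 2:

$$ \gamma (q) \,\le \, \varepsilon ^0(q+2L-1) + (L-1) \cdot \varepsilon ^1\bigl (q+ \textstyle \frac{1}{2}L(L\!+\!1) \bigr ) + \sqrt{2\beta (q+L)} = O\Bigl (\sqrt{(q+L)^3/2^r} + L \sqrt{(q+L^2)^3/2^c}\Bigr ) \, , $$

where the \(\sqrt{2\beta (q+L)}\) term is dominated by the second summand.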

6 Conclusion

We consider the quantum collapsing property of classical hash functions, which replaces the notion of collision resistance in the presence of quantum attacks, and we propose a formalism and a framework that enable one to argue about the collapsing property of hash domain extension constructions simply by means of decomposing the iteration function under consideration into elementary composition operations. In particular, our framework allows us to argue by purely classical means that hash functions are secure against quantum attacks.

We demonstrate this proof methodology on several examples. For Merkle-Damgård and the Sponge construction, we recover what has already been proven in [2, 6], up to insignificant differences, whereas our result for HAIFA is, strictly speaking, new. It may well be possible that the respective proof provided in [6] extends to HAIFA as well; however, this is cumbersome to verify (we challenge the reader to do so). With our approach, on the other hand, it is trivial to see that our proof for Merkle-Damgård extends to this variation: the only thing that needs to be verified is that the modified iteration function still decomposes into composition operations that are covered by our framework.

We think it is fair to say that, compared to previous work which proves that some hash domain extension constructions are collapsing, our approach gives much more insight into why they are collapsing. Furthermore, our framework should be a helpful tool when designing new hash functions that are meant to withstand quantum attacks.

Last but not least, from a conceptual perspective, we find it particularly interesting to see that our simplified proofs are the result of departing from the common methodology of proving a conditional security statement by means of an algorithmic reduction. Instead of assuming an attack against the construction and then building an attack against the underlying component, we argue directly—and in some sense “algebraically”—that if the underlying component is secure then so is the construction.