Quantum Collision-Finding in Non-uniform Random Functions

  • Marko BaloghEmail author
  • Edward EatonEmail author
  • Fang SongEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10786)


We study quantum attacks on finding a collision in a non-uniform random function whose outputs are drawn according to a distribution of min-entropy k. This can be viewed as showing generic security of hash functions under relaxed assumptions in contrast to the standard heuristic of assuming uniformly random outputs. It is useful in analyzing quantum security of the Fujisaki-Okamoto transformation [31]. In particular, our results close a gap left open in [30].

Specifically, let D be a distribution of min-entropy k on a set Y. Let \(f:X\rightarrow Y\) be a function whose output f(x) is drawn according to D for each \(x\in X\) independently. We show that \(\varOmega (2^{k/3})\) quantum queries are necessary to find a collision in f, improving the previous bound \(\varOmega (2^{k/9})\) [30]. In fact we show a stronger lower bound \(2^{k/2}\) in some special case. For most cases, we also describe explicit quantum algorithms matching the corresponding lower bounds.


  1. 1.
    Password hashing competition (2012).
  2. 2.
    National Institute of Standards and Technology. SHA-3 standard: permutation-based hash and extendable-output functions (2014).
  3. 3.
    IBM Q quantum experience (2017).
  4. 4.
    National Institute of Standards and Technology. FIPS 180–1: secure hash standard, April 1995Google Scholar
  5. 5.
    People of ACM - John Martinis, 16 May 2017.
  6. 6.
    Aaronson, S., Shi, Y.: Quantum lower bounds for the collision and the element distinctness problems. J. ACM (JACM) 51(4), 595–605 (2004)MathSciNetCrossRefzbMATHGoogle Scholar
  7. 7.
    Ambainis, A.: Polynomial degree and lower bounds in quantum complexity: collision and element distinctness with small range. Theory Comput. 1(3), 37–46 (2005). Scholar
  8. 8.
    Ambainis, A.: Quantum walk algorithm for element distinctness. SIAM J. Comput. 37(1), 210–239 (2007). Preliminary version in FOCS 2004. arXiv:quant-ph/0311001MathSciNetCrossRefzbMATHGoogle Scholar
  9. 9.
    Ambainis, A., Rosmanis, A., Unruh, D.: Quantum attacks on classical proof systems (the hardness of quantum rewinding). In: FOCS 2014, pp. 474–483. IEEE, October 2014. Preprint on IACR ePrint 2014/296Google Scholar
  10. 10.
    Amy, M., Di Matteo, O., Gheorghiu, V., Mosca, M., Parent, A., Schanck, J.: Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3. arXiv preprint arXiv:1603.09383 (2016)
  11. 11.
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73. ACM (1993)Google Scholar
  12. 12.
    Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995). Scholar
  13. 13.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: The Keccak sponge function family (2007).
  14. 14.
    Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). Scholar
  15. 15.
    Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. arXiv preprint arXiv:quant-ph/9605034 (1996)
  16. 16.
    Brassard, G., Hoyer, P., Tapp, A.: Quantum algorithm for the collision problem. arXiv preprint arXiv:quant-ph/9705002 (1997)
  17. 17.
    Crépeau, C., Salvail, L., Simard, J.-R., Tapp, A.: Two provers in isolation. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 407–430. Springer, Heidelberg (2011). Scholar
  18. 18.
    Czajkowski, J., Bruinderink, L.G., Hülsing, A., Schaffner, C., Unruh, D.: Post-quantum security of the sponge construction. Cryptology ePrint Archive, Report 2017/771 (2017).
  19. 19.
    Eaton, E., Song, F.: Making existential-unforgeable signatures strongly unforgeable in the quantum random-oracle model. In: 10th Conference on the Theory of Quantum Computation, Communication and Cryptography, TQC 2015. LIPIcs, vol. 44, pp. 147–162. Schloss Dagstuhl (2015)Google Scholar
  20. 20.
    Ebrahimi, E., Unruh, D.: Quantum collision-resistance of non-uniformly distributed functions: upper and lower bounds. Cryptology ePrint Archive, Report 2017/575 (2017)Google Scholar
  21. 21.
    Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2013). Preliminary version in CRYPTO 1999MathSciNetCrossRefzbMATHGoogle Scholar
  22. 22.
    Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pp. 212–219. ACM (1996)Google Scholar
  23. 23.
    Hallgren, S., Smith, A., Song, F.: Classical cryptographic protocols in a quantum world. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 411–428. Springer, Heidelberg (2011). Scholar
  24. 24.
    Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). Scholar
  25. 25.
    Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008).
  26. 26.
    Rivest, R.L.: RFC 1321: the MD5 message-digest algorithm, April 1992.
  27. 27.
    Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    Song, F.: Early days following Grover’s quantum search algorithm. arXiv preprint arXiv:1709.01236 (2017)
  29. 29.
    Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y.: The first collision for full SHA-1. Cryptology ePrint Archive, Report 2017/190 (2017).
  30. 30.
    Targhi, E.E., Tabia, G.N., Unruh, D.: Quantum collision-resistance of non-uniformly distributed functions. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 79–85. Springer, Cham (2016). Scholar
  31. 31.
    Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 192–216. Springer, Heidelberg (2016). Scholar
  32. 32.
    Unruh, D.: Computationally binding quantum commitments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 497–527. Springer, Heidelberg (2016). Scholar
  33. 33.
    Watrous, J.: Zero-knowledge against quantum attacks. SIAM J. Comput. 39(1), 25–58 (2009). Preliminary version in STOC 2006MathSciNetCrossRefzbMATHGoogle Scholar
  34. 34.
    Wiener, M.J.: Bounds on birthday attack times. Cryptology ePrint Archive, Report 2005/318 (2005).
  35. 35.
    Yuen, H.: A quantum lower bound for distinguishing random functions from random permutations. Quantum Inf. Comput. 14(13–14), 1089–1097 (2014)MathSciNetGoogle Scholar
  36. 36.
    Zhandry, M.: How to construct quantum random functions. In: FOCS 2012, pp. 679–687. IEEE (2012).
  37. 37.
    Zhandry, M.: A note on the quantum collision and set equality problems. Quantum Inf. Comput. 15(7 & 8), 557–567 (2015)MathSciNetGoogle Scholar
  38. 38.
    Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. Int. J. Quantum Inf. 13(4) (2015). Early version in Crypto 2012.

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Department of PhysicsPortland State UniversityPortlandUSA
  2. 2.Department of Combinatorics and OptimizationUniversity of WaterlooWaterlooCanada
  3. 3.Department of Computer SciencePortland State UniversityPortlandUSA

Personalised recommendations