Finding Collisions in a Quantum World: Quantum Black-Box Separation of Collision-Resistance and One-Wayness

Part of the Lecture Notes in Computer Science book series (LNCS, volume 12491)


Since the celebrated work of Impagliazzo and Rudich (STOC 1989), a number of black-box impossibility results have been established. However, these works only ruled out classical black-box reductions among cryptographic primitives. Therefore it may be possible to overcome these impossibility results by using quantum reductions. To exclude such a possibility, we have to extend these impossibility results to the quantum setting. In this paper, we study black-box impossibility in the quantum setting.

We first formalize a quantum counterpart of fully-black-box reduction, following the formalization by Reingold, Trevisan and Vadhan (TCC 2004). Then we prove that there is no quantum fully-black-box reduction from collision-resistant hash functions to one-way permutations (or even trapdoor permutations). We take both classical and quantum implementations of primitives into account. This extends to the quantum setting the work of Simon (Eurocrypt 1998), who showed a similar result in the classical setting.


  • Post-quantum cryptography
  • One-way permutation
  • One-way trapdoor permutation
  • Collision resistant hash function
  • Fully black-box reduction
  • Quantum reduction
  • Impossibility

DOI: 10.1007/978-3-030-64837-4_1

Chapter length: 30 pages


  1. This is an explanation for fully-black-box reduction using the terminology of Reingold, Trevisan, and Vadhan [RTV04]. Since we only consider fully-black-box reductions in this paper, in this introduction, we just say black-box reduction to mean fully-black-box reduction.

  2. Though the basic idea is similar to the proof of Simon [Sim98], we explain the description in [AS15] since this is more suitable for explaining how we extend the proof to the quantum setting.

  3. Actually, they showed that a random permutation is hard to invert even given a classical advice string.

  4. Such a randomized encoder was also used in some works in the classical setting, e.g., [DTT10].

  5. Formally, this is proven by using the swapping lemma shown by Vazirani [Vaz98, Lem. 3.1].

  6. The definition of “good” given here corresponds to the negation of “bad” defined in the main body.

  7. Note that we consider information-theoretic encoder and decoder, and we do not care whether they run efficiently.

  8. We assume that the queries are always performed in a sequential order (e.g., before each query to \(O_2\), the adversary always makes a query to \(O_1\)), but there is no reason for an adversary to fix the order. We assume this only for ease of notation. There are multiple ways to fix it, but changes of the order do not essentially affect (im)possibility of reductions.

  9. Note that the meaning of the symbol \(O_X\) changes depending on the set that the index X belongs to. \(R_n\) is the set of random coins for the security parameter n, and each coin \(r_n \in R_n\) corresponds to one fixed unitary operator \(O_{r_n}\). \(O_r\) is an infinite family \(\{ O_{r_1},O_{r_2},\dots \}\) for each fixed \(r = (r_1,r_2,\dots ) \in R\), and \(O_n\) is the finite family \(\{O_{r_n}\}_{r_n \in R_n}\) for each fixed n. Each of \(O_r\) and \(O_n\) can be regarded as a subset of O. In addition, \(O_{r,n}\) denotes “the n-th element of \(O_r\)” for each fixed r, which is the same as \(O_{r_n}\).

  10. Here we are using the value 2/3 for the threshold, but it does not make any essential difference even if we use another constant c instead of 2/3, as long as \(1/2< c < 1\).

  11. We sometimes call a sequence of oracles just “oracle”.

  12. The original swapping lemma is the special case of Lemma 3 such that \(t=1\).

  13. Note that it also excludes possible quantum (fully-black-box) reductions from collapsing hash functions to one-way permutations, since the notion of collapsing is stronger than collision-resistance.

  14. Later, we will set \(\hat{{\mathcal {A}}} := {\mathcal {B}}_c\) for a constant c.

  15. We introduced Q here just for convenience. Q is an upper bound of both i) the number of queries made by \({\mathcal {B}}_c\) to f and \(\mathsf{ColFinder}\), and ii) the number of queries to f made by quantum circuits that are queried by \({\mathcal {B}}_c\) to \(\mathsf{ColFinder}\). Because the notations in later proofs become simpler when i) and ii) are the same (i.e., \(q = \eta \)), we introduced Q here.

  16. Since \(\mathcal {I}^{f'} \in F_{\mathsf{CC\text {-}qCRH}}\) for any permutation \(f'\), \(\mathsf{Eval}^{f'}_n(\cdot ,\cdot )\) computes a function \(H^{f'}(\cdot ,\cdot )\) for any permutation \(f'\) by definition of \(\mathsf{QC\text {-}qCRH}\). In particular, even when \(\sigma \) is generated by \(\mathsf{Gen}^f(1^n)\) and \(f' \ne f\), \(\mathsf{Eval}^{f'}_n(\sigma ,\cdot )\) computes the function \(H^{f'}(\sigma ,\cdot )\). Hence \(\mathsf{ColFinder}^f_\lambda \) does not return \(\bot \) on the input \(\mathsf{Eval}_n(\sigma ,\cdot )\).

  17. Note that it also excludes possible quantum (fully-black-box) reductions from collapsing hash functions to trapdoor permutations, since the notion of collapsing is stronger than collision-resistance.


  1. Aaronson, S.: Quantum copy-protection and quantum money. In: CCC 2009, Proceedings, pp. 229–242 (2009)

  2. Alagic, G., Broadbent, A., Fefferman, B., Gagliardoni, T., Schaffner, C., St. Jules, M.: Computational security of quantum encryption. In: Nascimento, A.C.A., Barreto, P. (eds.) ICITS 2016. LNCS, vol. 10015, pp. 47–71. Springer, Cham (2016).

  3. Aaronson, S., Christiano, P.: Quantum money from hidden subspaces. In: Karloff, H.J., Pitassi, T. (eds.) 44th ACM STOC, pp. 41–60. ACM Press (May 2012)

  4. Alagic, G., Gagliardoni, T., Majenz, C.: Unforgeable quantum encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 489–519. Springer, Cham (2018).

  5. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: 28th ACM STOC, pp. 99–108. ACM Press (May 1996)

  6. Ambainis, A., Rosmanis, A., Unruh, D.: Quantum attacks on classical proof systems: the hardness of quantum rewinding. In: 55th FOCS, pp. 474–483. IEEE Computer Society Press (October 2014)

  7. Asharov, G., Segev, G.: Limits on the power of indistinguishability obfuscation and functional encryption. In: Guruswami, V. (ed.) 56th FOCS, pp. 191–209. IEEE Computer Society Press (October 2015)

  8. Bennett, C.H., Brassard, G.: Quantum cryptography: public key distribution and coin tossing. In: Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, India, pp. 175–179 (1984)

  9. Bennett, C.H., Bernstein, E., Brassard, G., Vazirani, U.: Strengths and weaknesses of quantum computing. SIAM J. Comput. 26(5), 1510–1523 (1997)

  10. Bitansky, N., Degwekar, A.: On the complexity of collision resistant hash functions: new and old black-box separations. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11891, pp. 422–450. Springer, Cham (2019).

  11. Broadbent, A., Jeffery, S.: Quantum homomorphic encryption for circuits of low T-gate complexity. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 609–629. Springer, Heidelberg (2015).

  12. Bernstein, D.J., Lange, T.: Post-quantum cryptography. Nature 549, 188–194 (2017)

  13. Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 575–584. ACM Press (June 2013)

  14. Brakerski, Z.: Quantum FHE (almost) as secure as classical. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 67–95. Springer, Cham (2018).

  15. Broadbent, A., Schaffner, C.: Quantum cryptography beyond quantum key distribution. Des. Codes Cryptogr. 78(1), 351–382 (2016)

  16. Chia, N.-H., Hallgren, S., Song, F.: On basing one-way permutations on NP-hard problems under quantum reductions. CoRR arxiv:1804.10309 (2018)

  17. Chung, K.-M., Lin, H., Mahmoody, M., Pass, R.: On the power of nonuniformity in proofs of security. In: Kleinberg, R.D. (ed.) ITCS 2013, pp. 389–400. ACM (January 2013)

  18. De, A., Trevisan, L., Tulsiani, M.: Time space tradeoffs for attacks against one-way functions and PRGs. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 649–665. Springer, Heidelberg (2010).

  19. Gottesman, D., Chuang, I.: Quantum digital signatures. CoRR, abs/quant-ph/0105032 (2001)

  20. Gennaro, R., Trevisan, L.: Lower bounds on the efficiency of generic cryptographic constructions. In: 41st FOCS, pp. 305–313. IEEE Computer Society Press (November 2000)

  21. Haitner, I., Hoch, J.J., Reingold, O., Segev, G.: Finding collisions in interactive protocols - a tight lower bound on the round complexity of statistically-hiding commitments. In: 48th FOCS, pp. 669–679. IEEE Computer Society Press (October 2007)

  22. Holmgren, J., Lombardi, A.: Cryptographic hashing from strong one-way functions (or: one-way product functions and their applications). In: Thorup, M. (ed.) 59th FOCS, pp. 850–858. IEEE Computer Society Press (October 2018)

  23. Hsiao, C.-Y., Reyzin, L.: Finding collisions on a public road, or do secure hash functions need secret coins? In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 92–105. Springer, Heidelberg (2004).

  24. Hhan, M., Xagawa, K., Yamakawa, T.: Quantum random oracle model with auxiliary input. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 584–614. Springer, Cham (2019).

  25. Hosoyamada, A., Yamakawa, T.: Finding collisions in a quantum world: quantum black-box separation of collision-resistance and one-wayness. IACR Cryptology ePrint Archive: Report 2018/1066 (2018)

  26. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: 21st ACM STOC, pp. 44–61. ACM Press (May 1989)

  27. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011).

  28. Kitaev, A.Y., Shen, A., Vyalyi, M.N., Vyalyi, M.N.: Classical and Quantum Computation, vol. 47. American Mathematical Society, Calgary (2002)

  29. Mahadev, U.: Classical homomorphic encryption for quantum circuits. In: Thorup, M. (ed.) 59th FOCS, pp. 332–338. IEEE Computer Society Press (October 2018)

  30. McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. DSN Prog. Rep. 44, 114–116 (1978)

  31. Nayebi, A., Aaronson, S., Belovs, A., Trevisan, L.: Quantum lower bound for inverting a permutation with advice. Quantum Inf. Comput. 15(11&12), 901–913 (2015)

  32. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information: 10th, Anniversary edn. Cambridge University Press (2010)

  33. NIST: Post-quantum cryptography standardization (2016).

  34. Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: Mitzenmacher, M. (ed.) 41st ACM STOC, pp. 333–342. ACM Press, May/June 2009

  35. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press (May 2005)

  36. Rotem, L., Segev, G.: Injective trapdoor functions via derandomization: how strong is Rudich’s black-box barrier? In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11239, pp. 421–447. Springer, Cham (2018).

  37. Reingold, O., Trevisan, L., Vadhan, S.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004).

  38. Rudich, S.: Limits on the provable consequences of one-way functions. Ph.D. thesis, University of California, Berkeley (1988)

  39. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th FOCS, pp. 124–134. IEEE Computer Society Press (November 1994)

  40. Simon, D.R.: Finding collisions on a one-way street: can secure hash functions be based on general assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998).

  41. Vazirani, U.: On the power of quantum computation. Philos. Trans.-R. Soc. Lond. Ser. A Math. Phys. Eng. Sci. 356, 1759–1767 (1998)

  42. Wiesner, S.: Conjugate coding. SIGACT News 15(1), 78–88 (1983)

  43. Yao, A.C.-C.: Quantum circuit complexity. In: 34th Annual Symposium on Foundations of Computer Science, Palo Alto, California, USA, 3–5 November, 1993, pp. 352–361 (1993)

  44. Zhandry, M.: Quantum lightning never strikes the same state twice. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 408–438. Springer, Cham (2019).



We thank anonymous reviewers for their insightful comments. Especially, we thank reviewers of STOC 2019 and CRYPTO 2020 who pointed out technical errors in previous versions of this paper.

Corresponding author

Correspondence to Akinori Hosoyamada.

Copyright information

© 2020 International Association for Cryptologic Research

Cite this paper

Hosoyamada, A., Yamakawa, T. (2020). Finding Collisions in a Quantum World: Quantum Black-Box Separation of Collision-Resistance and One-Wayness. In: Moriai, S., Wang, H. (eds) Advances in Cryptology – ASIACRYPT 2020. ASIACRYPT 2020. Lecture Notes in Computer Science, vol 12491. Springer, Cham.

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-64836-7

  • Online ISBN: 978-3-030-64837-4

  • eBook Packages: Computer Science, Computer Science (R0)