Quantum hashing is maximally secure against classical leakage

TL;DR

This paper demonstrates that quantum cryptographic hash functions can remain secure even when leaking nearly all the secret information, contrasting classical hash functions vulnerable to side-channel attacks.

Contribution

It introduces the concept of quantum cryptographic hash functions and proves their security against extensive leakage, highlighting a fundamental difference from classical hash functions.

Findings

Quantum hash functions remain secure with leakage of almost all secret bits.

Existence of such quantum hash functions based on quantum fingerprinting.

Verifying quantum hashes requires only a small quantum state, not the full classical information.

Abstract

Cryptographic hash functions are fundamental primitives widely used in practice. For such a function $f:\{0, 1\}^n\to\{0, 1\}^m$, it is nearly impossible for an adversary to produce the hash $f(x)$ without knowing the secret message $x\in\{0, 1\}^n$. Unfortunately, all hash functions are vulnerable under the side-channel attack, which is a grave concern for information security in practice. This is because typically $m\ll n$ and an adversary needs only $m$ bits of information to pass the verification test. In sharp contrast, we show that when quantum states are used, the leakage allowed can be almost the entire secret. More precisely, we call a function that maps $n$ bits to $m$ qubits a quantum cryptographic function if the maximum fidelity between two distinct hashes is negligible in $n$. We show that for any $k=n-\omega(\log n)$, all quantum cryptographic hash functions remain cryptographically secure when leaking $k$ bits of information. By the quantum fingerprinting constructions of Buhrman et al.~({\em Phys. Rev. Lett.} 87, 167902), for all $m=\omega(\log n)$, there exist such quantum cryptographic hash functions. We also show that one only needs $\omega(\log^2 n)$ qubits to verify a quantum cryptographic hash, rather than the whole classical information needed to generate one. Our result also shows that to approximately produce a small amount of quantum side information on a classical secret, it may require almost the full information of the secret. This large gap represents a significant barrier for proving quantum security of classical-proof extractors.