Quantum security of hash functions and property-preservation of iterated hashing
Ben Hamlin, Fang Song

TL;DR
This paper analyzes the security of cryptographic hash functions against quantum attacks, adapts security notions to the quantum setting, and examines whether iterated hash constructions preserve security properties in this context.
Contribution
It extends classical security notions of hash functions to the quantum setting and proves property preservation for certain iterated hash schemes like ROX.
Findings
Giving the adversary quantum (superposition) access to the challenger, rather than classical access, yields no additional advantage; superposition queries to the public hash function itself are still allowed.
Implications and separations of security properties are confirmed in the quantum setting.
ROX construction preserves security properties in the quantum random oracle model.
Texas A&M University. Email: {hamlinb, fang.song}@tamu.edu
Abstract
This work contains two major parts: comprehensively studying the security notions of cryptographic hash functions against quantum attacks and the relationships between them; and revisiting whether Merkle-Damgård and related iterated hash constructions preserve the security properties of the compression function in the quantum setting. Specifically, we adapt the seven notions in Rogaway and Shrimpton (FSE’04) to the quantum setting and prove that the seemingly stronger attack model where an adversary accesses a challenger in quantum superposition does not make a difference. We confirm the implications and separations between the seven properties in the quantum setting, and in addition we construct explicit examples separating an inherently quantum notion called collapsing from several proposed properties. Finally, we pin down the properties that are preserved under several iterated hash schemes. In particular, we prove that the ROX construction in Andreeva et al. (Asiacrypt’07) preserves the seven properties in the quantum random oracle model.
Keywords:
Quantum random-oracle model, Post-quantum security definitions, Hash functions
1 Introduction
Cryptographic hash functions, which produce a short digest on an input message efficiently, are a ubiquitous building block in modern cryptography. They are indispensable in constructing key-establishment, authentication, encryption, digital signature, cryptocurrency, and more, which constitute the backbone of a secure cyberspace. A host of cryptographic hash functions have been designed [NIS15] which have been subject to extensive cryptanalysis. Most of the constructions follow the iterated hash paradigm, which iterates a compression function on a small domain.
The emerging technology of quantum computing brings devastating challenges to cryptography. In addition to breaking widely deployed public-key cryptography through Shor’s efficient quantum algorithm for factoring and discrete logarithms, effective quantum attacks on symmetric primitives have been found in recent years that break a variety of message authentication and authenticated encryption schemes [KLLNP16, SS17].
In this work, we revisit two fundamental threads of cryptographic hash functions in the presence of quantum attacks: modeling basic security properties and establishing their interrelations; and pinning down whether the iterated hash constructions preserve the security of the underlying compression functions.
A principal security property is collision resistance: It should be computationally infeasible to compute a collision such that . Two other basic properties are preimage resistance (Pre) and second-preimage resistance (Sec). Rogaway and Shrimpton extend these three to a total of seven properties to cope with various scenarios [RS04]. More specifically, they consider a family of hash functions . Conventional Pre and Sec require that, under a random key, it is infeasible to find a preimage of a random digest or to find a message that collides with a given random input. They propose two variations, named always and everywhere. For example, always preimage resistance (aPre) allows an attacker to pick a key at will, and needs to be preimage resistant in the usual sense. This reflects that real-world hash functions are standalone (i.e., unkeyed), so it is important to always enforce the property on all members of the hash family. In a complementary vein, everywhere preimage resistance (ePre) asks that finding a preimage of any digest (i.e., an adversarially chosen one, as opposed to a random one) be hard. They give a comprehensive characterization of the seven properties, including both implications and separations. For instance, they show that while Coll implies standard Pre, there exist Coll hash functions that are not aPre or ePre. This motivates the first question of this work:
How do we model these properties appropriately against quantum attacks, and what are the relationships between them?
Once the appropriate quantum security notions have been nailed down, we would like to construct hash functions achieving various desired properties. The dominating design framework is iterated hashing, which takes a compression function on a relatively small domain and runs it iteratively, with minor variations, to process longer messages. The Merkle-Damgård construction [Mer89, Dam89] (adopted by the SHA-1 and SHA-2 families) and the sponge construction [BDPA07] (adopted in SHA-3) are notable examples. As a modular approach to attaining security, researchers ask whether the iterated hash preserves the security of the compression function. It is known that Merkle-Damgård is collision resistant as long as the compression function is collision resistant. However, it does not preserve preimage resistance: There is a preimage-resistant compression function such that plugging it into Merkle-Damgård fails to result in preimage resistance. Andreeva et al. [ANPS07] study several variants of Merkle-Damgård, such as the XOR-linear [BR97] and Shoup’s [Sho00] hash schemes, and determine their security-preserving capabilities. In short, none of them is able to preserve all seven properties. They therefore propose a new iterated construction, ROX, built on the XOR-linear hash, and prove that it preserves all seven properties in the random oracle model.¹ In contrast, we refer to other constructions as being in the plain model. We pose the second major question of this work:
¹ The compression function is not given as a random oracle. Rather, apart from the compression function, the construction has access to a public random function that is given as a black box.
Is ROX security preserving in the quantum setting?
A positive answer would dramatically simplify the design of secure hash functions to the design of a secure compression function of small size. Answering this question, however, can be challenging and subtle. What we prove classically often fails to carry over against quantum attacks for some fundamental reasons (e.g., no-cloning of quantum states, or probabilistic analysis that has no counterpart in the quantum formalism). There has been extensive work developing tools for analyzing quantum security [Wat09, Unr12, Son14, Zha12a]. In particular, Unruh proves that Merkle-Damgård preserves collapsing, and it can be observed that collision resistance is also preserved in the quantum setting. More specific to ROX, the random oracle model faces grave difficulties in the presence of quantum adversaries [BDF+11]. For example, classically one can easily simulate a random oracle by lazily sampling the response to each query on the fly. A quantum query, which can be a superposition of all possible inputs, seems to force the function to be completely specified at the outset. Likewise, the powerful trick of programming a random oracle, i.e., changing the outputs on some input points as long as they have not been queried before, appears impossible if quantum queries are permitted. Recently there has been progress on restoring these proof techniques, including programming a quantum random oracle [ARU14, Unr14, ES15, HRS16].
Our contributions.
We investigate the two questions systematically in this work. The main results are summarized below.
We formalize the seven security notions in the quantum setting.² Since all properties are described as simple interactive games, we face two options for modeling quantum attackers, depending on whether the interface between the challenger and the adversary remains classical or can also be quantum. We call the latter “fully” or “strong” quantum attacks, reminiscent of a recent active line of work [BZ13, Unr14, AR17]. This stronger type of attack is more realistic in some cases than in others. Our interesting finding is that which model we use makes no difference in this setting, by a simple observation of the commutativity of some quantum operators. Namely, a security property (e.g., aPre) against a quantum adversary with classical communication with the challenger is equivalent to the same property where the access to the challenger can be quantum too.
² Some standard notions have appeared in the literature before [HRS16].
We depict the landscape of the seven notions in the quantum setting as well as the collapsing property, by fully determining their relationships (Figure 2a). For most of the existing implications and separations in [RS04], we apply a general lifting tool in [Son14] to make analogous conclusions in the quantum setting. We construct new examples to separate collapsing from our quantum notions of aSecQ and eSecQ, and derive other relations by transitivity. Unruh’s separation example between collapsing and collision resistance [Unr16b] is the only one that is relative to an oracle.
We determine the security-preserving capabilities of various iterated hash constructions. We show that the results in [ANPS07] (other than ROX) can be “lifted” into a quantum setting. As to ROX, we adapt techniques of programming a quantum random oracle and show that ROX preserves all security properties we consider in this work.
Discussion.
As Andreeva et al. remarked in their work, ROX is proven secure in the random oracle model. Can we design an iterated hash that is all-preserving in the plain model? Recently, another quantum notion extending collision resistance, termed Bernoulli-preserving, was proposed in [AMRS18]; it implies collapsing and appears stronger. Do the iterated hash constructions preserve collapsing and Bernoulli-preserving of the compression function? Another interesting future direction is to investigate whether iterated hashing can be amplifying, especially with the assistance of a random oracle as in ROX. Finally, we consider variants of the Merkle-Damgård and Merkle tree constructions. Less is known about the versatile sponge construction in terms of preserving the security of its round functions. It has been shown very recently that the sponge is collapsing assuming the round functions are truly random [CBH+18].
2 Preliminaries
Notations.
Hash-function properties are formulated as games with a challenger and an adversary . and perform one or more rounds of communication, after which outputs a bit indicating whether “won”. Our proofs take the form of reductions, where winning the game allows us to create an adversary to win another game that is supposed to be hard. Following on [Son14], we formalize a reduction as a tuple where is the game that is assumed to be hard, is the game we would like to show to be secure, and transforms an adversary for into one for . If is efficient and maintains ’s success probability up to a negligible difference, showing the existence of a reduction is a proof by contradiction that is hard.
We are concerned primarily with quantum adversaries. These are adversaries that run in polynomial time on a quantum computer (qpt). We call the probability that this adversary succeeds its “advantage”, denoted by , where is a hash function. By , we mean the maximum advantage over qpt adversaries. When discussing concrete security, we say that is -prop if for all adversaries running in time at most , . When the interaction between and an adversary has two rounds, we sometimes refer to an adversary as having two parts . In this case, they share a state register , which the challenger may not read or modify. By convention, we use capital letters to indicate quantum registers. Measuring a quantum register () results in a classical value, which we denote with the corresponding lowercase letter.
We assume there exists a security parameter for each hash function that corresponds to the size of a key. A probability is negligible, denoted , if it is less than , where is any polynomial function. By , we mean the time required to compute . We indicate sampling from a distribution or receiving a result from a probabilistic algorithm by . When is a set, this indicates uniform sampling, unless otherwise noted.
Quantum random oracles.
One goal of this paper is to translate results about the ROX construction from the classical (RO) to the quantum (QRO) random oracle model. In general, results proven in the classical RO model do not necessarily carry over to a quantum setting, and even when they do, the techniques often need to be modified.
Even efficiently simulating a random oracle—a simple task in a classical setting, since an algorithm can simply lazily answer queries—is not obviously possible in a quantum setting. A quantum query could be a superposition of exponentially many inputs, naively requiring an exponential number of samples from the oracle’s codomain to simulate. Zhandry showed that it is possible to efficiently simulate a random oracle using samples, where is the number of queries made to the oracle (Corollary 1 of Theorem 3.1 from [Zha12b]). Whenever we refer to simulating a QRO, we refer to this technique.
Another property of classical random oracles is that they can be adaptively programmed. That is, even after a polynomial number of queries have been made, the algorithm simulating the oracle can change the output of the oracle at some input points, since it is unlikely that has seen the output at those points. However, a single quantum query in superposition can “see” the output at all points of the domain. We use a technique for programming a quantum random oracle from [ES15], which defines a “witness-search” game in which an adversary must guess a “witness” with , given some predicate and public information chosen by the challenger, where the challenger knows a witness . The probability that any qpt adversary detects adaptive programming at a point with is at most its success probability in witness search.
Standard hash-function security.
Rogaway and Shrimpton [RS04] identify seven properties of hash functions. These consist of the standard collision resistance (Coll), preimage resistance (Pre), and second-preimage resistance (Sec), as well as two stronger variants of each of the latter two—“always” (aPre, aSec) and “everywhere” (ePre,eSec)—which give the adversary more power. The following defines standard collision, preimage, and second-preimage resistance:
[TABLE]
Note that the challenger chooses the key , and in the latter two properties, challenger chooses the target that the preimage needs to match. A successful adversary needs to work with non-negligible probability regardless of what the challenger chooses. One way to create a stronger property would be to relax this requirement on either the key or the preimage target.
Allowing the adversary to choose the key results in the “always” variants of preimage and second-preimage resistance. Here, the adversary is given as a pair of algorithms : is responsible for choosing the key, and is responsible for guessing the preimage.
[TABLE]
Alternatively, allowing the adversary to choose the target the preimage must match before knowing the key results in the “everywhere” variants of these properties:
[TABLE]
A standard quantum-only property is called “collapsing” [Unr16b, Unr16a] (CLAPS). Let be an element of the digest space of . CLAPS captures the idea that it should be difficult for an adversary to produce a “useful” superposition of elements of the set . If a hash function is not collapsing, an adversary may be able to find some input-output pair with desirable properties even if it can succeed with only negligible advantage in the Coll game.
An adversary for CLAPS is a pair of qpt algorithms . On input , outputs quantum registers and a classical register . We call the adversary “correct” if , and we restrict our attention to correct adversaries. On input , outputs a classical bit that represents a guess whether has been measured. The collapsing advantage , where are as shown in Fig. 1.
3 Quantum security properties of hash functions
We adapt the above notions from [RS04] to a quantum setting by allowing the adversary to be qpt, rather than ppt as in the original definitions. The hash function is public, so the adversary can make superposition queries to it, but all interactions with the challenger are classical. With the exception of the -qubit state register , we assume that the adversary measures all of its wires before outputting them. We call these variants CollQ, PreQ, etc.
It would be natural to ask whether stronger properties result from allowing the interface between the adversary and the challenger to be quantum. In other words, the adversary does not measure its wires before outputting them. At the end, the challenger measures all registers to determine whether the adversary has succeeded. These properties, which we call “strongly quantum” (SQ), are defined as follows, where , , and are quantum registers:
[TABLE]
In (11), is a quantum gate that acts as . In other words, given a key register in superposition, it outputs a superposition of digests for .
It is easy to see that CollSQ, PreSQ, and SecSQ (8, 9, and 10) are equivalent to their counterparts (1, 2, and 3) defined above: the challenger immediately measures the adversary’s output registers, so without loss of generality we may assume that the adversary measures all output registers itself.
As it happens, the other SQ properties (11–14) are equivalent to the above versions (4–7) as well. Intuitively, this is because, although can put a superposition of values on its output register, the challenger never gives this register to . If the challenger did so, it would be unable to check whether the adversary had won, since it would no longer have a copy of that register. Hence, the quantum “interface” with the challenger gives the adversary no additional power in this case.
A more formal proof requires us to show the equivalence of two quantum circuits. We give the full proof for in Appendix 0.B. The proofs for aSecQ, ePreQ, and eSecQ are similar, but slightly more straightforward, in that they do not require Lemma 8.
4 Relations of quantum security properties
In this section, we examine the relationships among the properties in Sect. 3. Fig. 2 illustrates these graphically. The relationships among the properties with classical analogs carry over from the classical setting, based on the framework from [Son14]. The following is a sufficient criterion for “lifting” a reduction from a classical to a quantum setting:
Lemma 1 (Corollary 4.6 from [Son14])
Let be a black-box reduction that holds for ppt machines, and suppose the following:
1. and are defined for qpt ;
2. for all qpt ;
3. when runs , it runs it “in a straight line until completion,” i.e., as an honest challenger would; and
4. for all with , .
Then holds for qpt machines as well.
All the classical implication proofs from [RS04] ( from Fig. 2b) satisfy the hypotheses of Lemma 1, and thus these proofs can be lifted into a quantum setting. For example, the standard proof that involves creating a reduction where is defined as follows:
Sample and send it to the challenger.
Receive from .
Run to get and send to the challenger.
Note that could be applied to a quantum for eSecQ as easily as to a classical one for eSec, and the resulting adversary finds a collision in the CollQ game. This is guaranteed by the classical “interface” in the definitions from Sect. 3. Moreover, it runs as normal. So hypotheses 1 and 3 of Lemma 1 hold. Hypothesis 2 holds as well, since the success probabilities of and are the same. Hypothesis 4 captures the idea that the success probability of depends only on the success probability of , not on some specific facet of its internal behavior. This is easily seen to be the case here.
The classical separations from [RS04] ( from Fig. 2b) can also be lifted in a similar fashion. For example, the proof that Coll does not imply aSec runs as follows: Suppose that is Coll. We define a new function such that if , , but . There is a trivial attack for aSec on : The adversary simply chooses and outputs any as a second preimage. Finally, we show that is still collision resistant using a simple reduction. The first half of this proof (the attack) is clearly as possible on a quantum computer as it is on a classical one. In fact, the structure of the properties from Sect. 3 (excluding CLAPS)—where the adversary is given classical input and must produce classical output—guarantees this. Moreover, as with the implication proofs, the reductions in the separation proofs satisfy the hypotheses in Lemma 1. So we conclude that these separations hold in a quantum setting as well.
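The seven games, the Coll ⇒ eSec reduction sketched above, and the one-bad-key separation can all be exercised in code. The following Python is an added example written for this page, not code from the paper: the challengers implement the games with purely classical interfaces, exactly the feature of the Sect. 3 definitions that lets a quantum adversary be plugged in unchanged; the keyed family is modelled with truncated HMAC-SHA256 (an assumption standing in for a generic family); and the eSec-broken family, the bad-key variant and all adversaries are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable

# A hash family maps (key, message) -> digest.
HashFamily = Callable[[bytes, bytes], bytes]
KEY_BYTES, DIGEST_BYTES, MSG_BYTES = 16, 16, 16


def rand(n: int) -> bytes:
    return secrets.token_bytes(n)


def H(K: bytes, M: bytes) -> bytes:
    """Keyed family modelled with truncated HMAC-SHA256 (assumption: stands in for a generic H)."""
    return hmac.new(K, M, hashlib.sha256).digest()[:DIGEST_BYTES]


# Challengers for the seven games.  Everything exchanged with the adversary is classical, so any
# adversary with this interface can be plugged in; each game returns True iff the adversary wins.
def coll_game(H: HashFamily, A) -> bool:
    K = rand(KEY_BYTES)
    M, M2 = A(K)
    return M != M2 and H(K, M) == H(K, M2)

def pre_game(H: HashFamily, A) -> bool:
    K, M = rand(KEY_BYTES), rand(MSG_BYTES)
    Y = H(K, M)
    return H(K, A(K, Y)) == Y

def sec_game(H: HashFamily, A) -> bool:
    K, M = rand(KEY_BYTES), rand(MSG_BYTES)
    M2 = A(K, M)
    return M2 != M and H(K, M2) == H(K, M)

# "always" variants: A1 chooses the key (and a state st) before the challenger samples the target.
def apre_game(H: HashFamily, A1, A2) -> bool:
    K, st = A1()
    M = rand(MSG_BYTES)
    Y = H(K, M)
    return H(K, A2(Y, st)) == Y

def asec_game(H: HashFamily, A1, A2) -> bool:
    K, st = A1()
    M = rand(MSG_BYTES)
    M2 = A2(M, st)
    return M2 != M and H(K, M2) == H(K, M)

# "everywhere" variants: A1 commits to the target before the random key is revealed to A2.
def epre_game(H: HashFamily, A1, A2) -> bool:
    Y, st = A1()
    K = rand(KEY_BYTES)
    return H(K, A2(K, st)) == Y

def esec_game(H: HashFamily, A1, A2) -> bool:
    M, st = A1()
    K = rand(KEY_BYTES)
    M2 = A2(K, st)
    return M2 != M and H(K, M2) == H(K, M)


# Reduction Coll => eSec, following the three steps in the text: sample M by running A1, receive K
# from the Coll challenger, run A2 on K, and hand (M, M') to the Coll challenger.
def coll_adversary_from_esec(A1, A2):
    def B(K: bytes):
        M, st = A1()
        M2 = A2(K, st)
        return M, M2          # collides whenever (A1, A2) wins the eSec game
    return B


# A family that is eSec-broken on purpose (constructed): the last message byte is ignored.
def H_drops_last_byte(K: bytes, M: bytes) -> bytes:
    return H(K, M[:-1])

def esec_A1():
    M = b"target-message"
    return M, M               # the state is just the committed target

def esec_A2(K: bytes, st: bytes) -> bytes:
    return st[:-1] + bytes([st[-1] ^ 1])   # same prefix, different last byte: a second preimage


# Separation Coll =/=> aSec: H' agrees with H except on one bad key, where it is constant.
BAD_KEY = bytes(KEY_BYTES)

def H_prime(K: bytes, M: bytes) -> bytes:
    return bytes(DIGEST_BYTES) if K == BAD_KEY else H(K, M)

def asec_A1():
    return BAD_KEY, None      # the "always" adversary simply picks the bad key

def asec_A2(M: bytes, st) -> bytes:
    return M + b"\x00"        # any other message collides under the constant key


def estimate_advantage(play: Callable[[], bool], trials: int = 200) -> float:
    """Empirical success rate of one game instance over repeated independent runs."""
    return sum(play() for _ in range(trials)) / trials


if __name__ == "__main__":
    print("eSec  on H_drops_last_byte:", estimate_advantage(lambda: esec_game(H_drops_last_byte, esec_A1, esec_A2)))
    print("Coll  via reduction       :", estimate_advantage(lambda: coll_game(H_drops_last_byte, coll_adversary_from_esec(esec_A1, esec_A2))))
    print("aSec  on H_prime          :", estimate_advantage(lambda: asec_game(H_prime, asec_A1, asec_A2)))
    print("Coll  on H_prime (random) :", estimate_advantage(lambda: coll_game(H_prime, lambda K: (rand(8), rand(8)))))
```

The last line illustrates why the separation works: a Coll adversary only ever sees a random key, so the single bad key is hit with probability 2^-128 and the constant branch never helps it, whereas the aSec adversary chooses the key and wins every time.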
We additionally examine the relationships between collapsing and each of the standard properties. Unruh shows in [Unr16b] that collapsing implies collision resistance, and this proof applies to CollQ as well. This leads to the transitive implications from CLAPS in Fig. 2b. We find that CLAPS does not imply aPreQ, aSecQ, or ePreQ. The proofs of these separations are given in Appendix 0.A.
5 Quantum security preservations of iterated hash constructions
In this section, we consider whether several standard iterated hash constructions, including one in the random oracle model (ROX), preserve the quantum-safe properties from Sect. 3. The constructions we consider are the same as those considered in [ANPS07], and we find that they preserve (and fail to preserve) the quantum analogs of the same properties that [ANPS07] show they do classically. In the case of the standard constructions, we omit explicit proofs, instead using the lifting framework we introduced in Sect. 4. The proofs for ROX, meanwhile, are more subtle, since they must be adapted to the quantum random oracle model. We give explicit proofs in the most interesting of these cases.
Andreeva et al. discuss eleven standard iterated hash constructions, proving exhaustively (with a few exceptions) which of the seven classical properties from [RS04] they preserve. These proofs are amenable to being “lifted” to a quantum setting by reasoning similar to that in Sect. 4: Each implication proof uses a reduction that satisfies the hypotheses of Lemma 1. Each separation combines an attack, which is still possible in a quantum setting given the nature of the games we consider, and a reduction, which also satisfies the hypotheses.
In contrast, we cannot use Lemma 1 to lift the proofs for the random-oracle model construction ROX. In particular, the reductions used cannot claim to run identically to an honest challenger, since they must simulate a pair of random oracles. This violates Hypothesis 3 of the lemma. Although the same results hold, the proofs must be explicitly adapted, which we do below.
5.1 ROX preserves all quantum properties
Definition 1 (ROX)
[TABLE]
where is the empty string; is the largest integer such that divides i; is the first bits of ; is a fixed string; and
- , where is the block size, and ;
- and are random oracles, where is the maximum input size in blocks; and
- truncates its input to a multiple of bits.
We denote the block length of as , the number of padding blocks as , and the total oracle queries as .
Andreeva et al. [ANPS07] describe an iterated hash called ROX (Definition 1) that preserves all of the classical properties discussed in [RS04]. In addition to a compression function, ROX relies on two random oracles (), although it does not rely on this fact for all proofs. Specifically, ROX preserves aPre, Pre, aSec, and Sec in the random oracle (RO) model, and Coll, ePre, and eSec in the standard model.
We show that ROX also preserves the quantum analogs of these properties. Andreeva et al.’s standard-model proofs carry over nearly unchanged for CollQ, ePreQ, and eSecQ, so we omit those proofs. We show that ROX preserves aPreQ, PreQ, aSecQ, and SecQ, replacing the classical RO model with the QRO model.
We begin by stating the existence of some constructions using ROX that will be useful in our proofs. The full constructions are given in Appendix 0.C.
Lemma 2 (Extracting collisions on from collisions on )
Given with and , we can extract with and except with probability using applications of and oracle queries.
Lemma 3 (Embedding inputs for into inputs for )
Given an input for and an index , we can create an input for such that the input to the th application of is using calls to and at most oracle queries. Moreover, an adversary making queries notices the change with probability at most .
Lemma 4 (Extracting a preimage under from a preimage under )
Given a key and a message with , we can generate a message with using calls to and oracle queries.
We are now ready to prove that ROX preserves the properties from Sect. 3 in the QRO model. To conserve space, we only summarize our proofs here, providing the full proofs in Appendix 0.D.
Theorem 5.1 (ROX preserves aPreQ)
If is -aPreQ, then is -aPreQ with
[TABLE]
Proof summary.
We use a preimage target for as a preimage target for . In the classical proof, is correctly distributed because an adversary would have to guess correctly some random points to query . This argument fails in the quantum setting. We instead use QRO programming to show that appears correctly distributed to a quantum adversary.
Theorem 5.2 (ROX preserves PreQ)
If is -PreQ then is -PreQ, where
[TABLE]
Proof summary.
An adversary for PreQ on can be run using a preimage target for , since will appear to be correctly distributed. The argument is the same as that in the proof of Theorem 5.1, so we omit it here for brevity.
Theorem 5.3 (ROX preserves aSecQ)
If is -aSecQ then is -aSecQ with
[TABLE]
Proof summary.
We embed a second-preimage target for into a second-preimage target for by adaptively programming . We argue that reprogramming the random oracles in this way is imperceptible to the adversary.
Theorem 5.4 (ROX preserves SecQ)
If is -SecQ then is -SecQ, where
[TABLE]
Proof summary.
Similarly to Theorem 5.3, here we embed a second-preimage target for into one for by programming . Since we do not need to program adaptively, however, the programming is straightforward. The proof is similar to that of Theorem 5.3, so we omit it here for brevity.
Appendix 0.A CLAPS separation proofs
Here we show that CLAPS does not imply aPreQ, aSecQ, or ePreQ, completing the diagram in Fig. 2.
0.A.1
Theorem 0.A.1
If a collapsing function family exists, then there is a function family that is -CLAPS with negligible , but with .
Proof summary:
Since the key in the collapsing game is chosen uniformly at random, a collapsing function can have a constant number of “bad” keys that, for example, result in a constant function . Finding a preimage for such a function is obviously trivial. Given a collapsing function , we exhibit a function that is collapsing, but for which .
Proof
Suppose is -CLAPS, and define as follows:
[TABLE]
Lemma 5
is -CLAPS, where .
The obvious adversary suffices to break aPreQ on : picks , and outputs any . Since we assume to be negligible, is negligible as well, and the theorem is immediate from Lemma 5.
Proof (Proof of Lemma 5)
Let be a correct qpt adversary with . We construct a correct qpt adversary for as follows:
Constructing from
:
If , FAIL. Otherwise…
Run to get with .
Send the challenger .
:
Run to get .
Send to the challenger.
We claim that is correct: If does not fail, then , and by the premise that is correct, .
Suppose doesn’t fail, and the challenger for is running . Then receives , and sees . On the other hand, if the challenger for is running , is unmeasured, and sees .
Since the probability that fails is , . Therefore .
0.A.2
Theorem 0.A.2
If a collapsing function family exists, then there is a function family that is -CLAPS with negligible , but with .
Proof summary:
This proof uses the same as the proof of Theorem 0.A.1. Given a collapsing function , this is also collapsing, but has a single “bad” key s.t. , . If an adversary can control the key and chooses , then whichever the challenger picks, any other element of is a second preimage. Since the proof is identical to Theorem 0.A.1, we omit it for brevity.
0.A.3
Theorem 0.A.3
If a collapsing function family exists, then there is a function family that is -CLAPS with negligible , but .
Proof summary:
If the image of some element in the domain of is fixed, regardless of the key , then an adversary can find a preimage of an element of his choice easily: All he must do is choose , and whatever the adversary picks, is a preimage. But if is the only preimage of , this property does not help in creating superpositions of preimages to use in the collapsing game. So may still be collapsing.
Proof
Suppose is -CLAPS. We define a new function as follows:
[TABLE]
Lemma 6
is -CLAPS.
The obvious adversary suffices to break ePreQ on : picks and outputs . Thus, the theorem is immediate from Lemma 6.
Proof (Proof of Lemma 6)
Let be a correct qpt adversary with . We construct a qpt adversary for as follows:
Constructing from
:
Run to get with .
Measure to get .
Send to the challenger.
:
Run to get .
Send to the challenger.
is correct by construction. We claim that . Consider the following cases:
1. Suppose . Then by the premise that is correct, , since is the only preimage of . In this case , since , so for both and .
2. Suppose , and the challenger for is running . Then receives , so sees .
3. Suppose , and the challenger for is running . By the premise that is correct, when produces ,
[TABLE]
So the measurement at step 2 of does not collapse . Hence, sees .
Therefore .
Appendix 0.B
Theorem 0.B.1
Equations 4 and 11 are equivalent. I.e.,
Proof (Proof of Theorem 0.B.1)
Let each part , of the adversary be a unitary operator and let be the size of a key, be the size of a message, and be the size of a digest. We illustrate the circuits for three games in Figure 3.
Lemma 7
Game 1 is equivalent to Game 2.
Lemma 8
Game 2 is equivalent to Game 3.
We claim that the theorem follows from Lemmas 7 and 8. Note that Game 1 is exactly the aPreSQ game, as defined in Equation 11. In Game 3, the output of and , with the exception of the state register , are measured immediately, so without loss of generality, we may assume that their output is classical. Thus Game 3 is equivalent to the aPreQ game (Equation 4).
In the following two proofs, let denote measuring the first qubits in the standard basis and leaving the rest untouched. In other words,
[TABLE]
Proof (Proof of Lemma 7)
It suffices to show that for any unitary and all , commutes with . This is immediate, since .
Proof (Proof of Lemma 8)
We must show that commutes with . Since
[TABLE]
is a unitary operator that leaves the register untouched, it can be viewed as using the register solely as control bits for CNOT gates, interspersed with unitaries on the register. Let denote a CNOT gate with control and target , and denote an arbitrary unitary that acts on the register. Then for and for all ,
[TABLE]
Given the definition of in Equation 24, we must show all the factors in Equation 25 commute with . Clearly this is the case for , by the same reasoning as in the proof of Lemma 7. Similarly, it is well known that measurement of the control qubit commutes with CNOT.
Appendix 0.C ROX constructions
0.C.1 Extracting compression-function collisions (Lemma 2)
Proof (Proof of Lemma 2)
We claim that the following procedure extracts a compression-function collision with overwhelming probability:
Extract-Collision()
Let and .
Let and .
For to …
If , output .
Let and be the first bits of , and be their respective lengths. We must show that there always exists a colliding pair . We consider two cases:
- Case i. Suppose or . Then since and each contains at least one full output from , except with probability . In this case the inputs to the last application of form a collision for .
- Case ii. Otherwise, and . In this case, the padding applied to and will be identical. But the mask schedule taken from will be identical as well. So since , there must be a block pair on which they differ. Since the masks and padding match, these form a collision for .
0.C.2 Embedding messages (Lemma 3)
Proof (Proof of Lemma 3)
Let , where and , and define the following procedure:
Embed-Message()
Generate a random message of length .
If , let be the first bits of , adding bits from , starting with the st, if isn’t long enough. Otherwise, let be the first bits of .
Let with .
Evaluate .
Program with .
Program the outputs of contained in with .
Let be the first bits of .
Output .
In steps 5 and 6, the above procedure requires us to program a random oracle. To do so, we invoke witness search from [ES15], where a witness is some image of corresponding to an input that starts with . Since is chosen at random, and since the codomains of are much larger than their domains, the random search problem in [HRS16] can be reduced to this, with marked items in a set of , so the success probability is .
0.C.3 Extracting compression-function preimages (Lemma 4)
Proof (Proof of Lemma 4)
We claim that the following procedure extracts a compression-function preimage with overwhelming probability:
Extract-Preimage()
Evaluate up to the last application of . Namely let
Output .
By construction, as desired. The only calls to and are in the partial computation of . Since we omit one call to , the procedure calls it times.
Appendix 0.D ROX property-preservation proofs
0.D.1 ROX preserves aPreQ
Proof (Proof of Theorem 5.1)
Let be a quantum adversary for aPreQ on , making oracle queries. We construct an adversary for using an additional oracle queries:
Constructing from
:
Run , simulating quantum oracles .
Output .
:
Run .
Run Extract-Preimage() to obtain a preimage for under .
Output .
By Lemma 4, if , then , and wins the aPreQ-game. Note that for chosen at random, while would expect a to be , where contains at least bits of , and for some . The view of in the simulated run in is thus identical to the real aPreQ-game, unless can distinguish and using at most queries. We show that can distinguish them with probability at most . Hence .
We argue that if some challenger that knew were to reprogram on inputs corresponding to , no algorithm would be able to discover this except with negligible probability. In the Witness-Search game from [ES15], let output 1 if and only if and for some . Next, let and . This amounts to finding a preimage with a suffix from a set in a random function. Hence by reducing a random search problem developed in [HRS16] to it. Thus we can safely reprogram at points corresponding to being true, and are indistinguishable from the random values supplied by .
0.D.2 ROX preserves aSecQ
Proof (Proof of Theorem 5.3)
Let be a adversary for aSecQ on making oracle queries. We construct an adversary for , using an additional oracle queries:
Constructing from
:
Run , simulating quantum oracles .
Output .
:
Choose an index .
Run Embed-Message() to get with embedded as the input to the th application of .
Run , to get .
Run Extract-Collision() to get .
If , FAIL. Output .
By Lemma 3, Embed-Message adds an additional applications of and an additional oracle queries and alters the success probability of by at most , where is the number of queries makes. By Lemma 2, Extract-Collision adds applications of and oracle queries and fails w.p. . Assuming both succeed, w.p. . Hence .
References
- [AMRS18] Gorjan Alagic, Christian Majenz, Alexander Russell, and Fang Song. Quantum-secure message authentication via blind-unforgeability. arXiv preprint arXiv:1803.03761, 2018.
- [ANPS07] Elena Andreeva, Gregory Neven, Bart Preneel, and Thomas Shrimpton. Seven-property-preserving iterated hashing: ROX. In International Conference on the Theory and Application of Cryptology and Information Security, pages 130–146. Springer, 2007.
- [AR17] Gorjan Alagic and Alexander Russell. Quantum-secure symmetric-key cryptography based on hidden shifts. In Advances in Cryptology – EUROCRYPT 2017, pages 65–93. Springer, 2017.
- [ARU14] Andris Ambainis, Ansis Rosmanis, and Dominique Unruh. Quantum attacks on classical proof systems: The hardness of quantum rewinding. In Foundations of Computer Science (FOCS), 2014 IEEE 55th Annual Symposium on, pages 474–483. IEEE, 2014.
- [BDF+11] Dan Boneh, Özgür Dagdelen, Marc Fischlin, Anja Lehmann, Christian Schaffner, and Mark Zhandry. Random oracles in a quantum world. In Advances in Cryptology – ASIACRYPT 2011, pages 41–69. Springer, 2011.
- [BDPA07] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. Sponge functions. In Ecrypt Hash Workshop, 2007. http://sponge.noekeon.org/.
- [BR97] Mihir Bellare and Phillip Rogaway. Collision-resistant hashing: Towards making UOWHFs practical. In Advances in Cryptology – CRYPTO 1997, page 470. Springer, 1997.
- [BZ13] Dan Boneh and Mark Zhandry. Secure signatures and chosen ciphertext security in a quantum computing world. In Advances in Cryptology – CRYPTO 2013, pages 361–379. Springer, 2013.
