(Quantum) Indifferentiability and Pre-Computation

TL;DR

This paper identifies a limitation of the indifferentiability framework in capturing pre-computation attacks and proposes a strengthened version that accounts for pre-processing, with applications to sponge constructions and space-time trade-offs.

Contribution

It introduces a new indifferentiability notion that includes pre-computation, enhancing the security analysis of cryptographic primitives against pre-processing attacks.

Findings

One-round sponge is indifferentiable with pre-computation from a random oracle.

First tight classical/quantum space-time trade-off for one-round sponge inversion.

Strengthened indifferentiability captures pre-processing attacks effectively.

Abstract

Indifferentiability is a popular cryptographic paradigm for analyzing the security of ideal objects -- both in a classical as well as in a quantum world. It is typically stated in the form of a composable and simulation-based definition, and captures what it means for a construction (e.g., a cryptographic hash function) to be ``as good as'' an ideal object (e.g., a random oracle). Despite its strength, indifferentiability is not known to offer security against pre-processing attacks in which the adversary gains access to (classical or quantum) advice that is relevant to the particular construction. In this work, we show that indifferentiability is (generically) insufficient for capturing pre-computation. To accommodate this shortcoming, we propose a strengthening of indifferentiability which is not only composable but also takes arbitrary pre-computation into account. As an application, we show that the one-round sponge is indifferentiable (with pre-computation) from a random oracle. This yields the first (and tight) classical/quantum space-time trade-off for one-round sponge inversion.