Quantum Collision-Finding in Non-Uniform Random Functions
Marko Balogh (1), Edward Eaton (2, 3) and Fang Song (1)
(1) Portland State University, (2) University of Waterloo, (3) ISARA Corporation
April 11, 2018

Motivation
Let $H : [M] \to [N]$ be a hash function. The collision resistance of $H$ is a measure of how difficult it is to find $x, y \in [M]$ such that $H(x) = H(y)$.

Difficulty?
• Time
• Space
• (Qu)bit operations (logical/physical)
• Easy to parallelize
• Hash function queries

We can allow a quantum query to $H$ by
$$U_H : \sum_{x \in [M],\, y \in [N]} \alpha_{x,y}\, |x\rangle |y\rangle \;\mapsto\; \sum_{x \in [M],\, y \in [N]} \alpha_{x,y}\, |x\rangle |y \oplus H(x)\rangle$$

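Generic Security
[Figure: a classical adversary $A$ sends $x$ to $H$ and receives $H(x)$; a quantum adversary $A$ sends $\sum |x\rangle|y\rangle$ to $U_H$ and receives $\sum |x\rangle|y \oplus H(x)\rangle$. Each outputs $m_1, m_2$ with $H(m_1) = H(m_2)$.]
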
Collision Resistance
Let $\mathcal{H} := \{H : [M] \to [N]\}$, and $M = \Omega(N^{1/2})$. Then if we have $H \xleftarrow{\$} \mathcal{H}$ uniformly:
• Any algorithm finding a collision in $H$ (with constant probability) must make $\Omega(N^{1/3})$ queries to $U_H$.
• There is an algorithm that finds a collision in $H$ (with constant probability) and makes $O(N^{1/3})$ queries to $U_H$.
Results from “A Note on the Quantum Collision and Set Equality Problems” by Mark Zhandry (2015).

Motivation
When $H$ is uniform, the query complexity is $\Theta(N^{1/3})$. Is only considering uniform functions enough?

Motivation
• Uniformity is a very strong condition on a function; considering non-uniform functions can relax our security assumptions.
• Some crypto functions are certainly not uniform, e.g., if $H_1, H_2$ are uniform then $H_1 \circ H_2$ is not.
• Proofs of Fujisaki-Okamoto require collision resistance of non-uniform functions ($f \circ H$).

Definitions
Let $D$ be a distribution on $[N]$. Then we say that $D$ has min-entropy $k$ if $-\log_2 \max_{y \in [N]} \Pr[y \leftarrow D] = k$.
We say that a function $H$ has distribution $D$ if $H(x)$ has distribution $D$ for all $x \in [M]$, and all are independent.

Examples
$N = 8$, $D_1$ = uniform / flat:
$N = 25$, $D_2$ = generic:
Both have min-entropy 3

Examples
$N = \Omega(M)$, $D_3$ = delta:
Still min-entropy 3

Definitions
Useful tool: The collision probability $\frac{1}{\beta(D)} := \Pr[x = y : x, y \leftarrow D]$. ($-\log \beta$ is the collision entropy)
$\beta(\ ) = 2^{k}$
$\beta(\ ) \approx 2^{2k}$
$\beta(\ ) \in [2^{k}, 2^{2k})$

Previous Work
To find a collision with constant probability...
it takes at least this many queries: $2^{k/3}$, ?, $2^{k/9}$
it can be done in this many queries: $2^{k/3}$, ?, ?

Independent Work: Ebrahimi & Unruh
To find a collision with constant probability...
it takes at least this many queries: $2^{k/3}$, $2^{k/2}$, $2^{k/5}$
it can be done in this many queries: $\beta^{1/3}$, $2^{k/3}$, $2^{k/2}$

Our Work
To find a collision with constant probability...
it takes at least this many queries: $\min\{N^{1/3}, 2^{k/2}\}$, $2^{k/3}$, $2^{k/3}$
it can be done in this many queries: $\beta^{1/3}$, $2^{k/3}$, $\min\{N^{1/3}, 2^{k/2}\}$

We prove
Any adversary that can find a collision in a hash function $H'$ with outputs distributed by in $q$ queries to $U_{H'}$, with probability $p$, can be used to find a collision in a hash function $H$ with outputs distributed by in $2q$ queries to $U_H$, with probability $p/2$.

Reduction
[Figure: reduction diagram with the labels $H'$, $H$, Adversary, "Collision in $H'$" and "Collision in $H$".]

Proof outline
Idea: Use a distribution conversion to ‘chop up’ and turn it into
Then show that a collision in the generic distribution should imply a collision in the uniform!

Simulating H′
Say we have $H$ with output distribution
We pick $m \xleftarrow{\$} [M]$ and compute $H(m) =$

Simulating H′
We want to provide the adversary with access to a hash function $H'$ with distribution
So when we compute $H(m) =$ , we will choose what $H'(m)$ can be based on this.

Simulating H′
When $H(m) =$ we will set $H'(m)$ to either , , or .
We need a randomness oracle $R : [M] \to \{0,1\}^{*}$ to decide which. (Querying $R$ does not require us to query $H$.)

Simulating H′
When the adversary makes a query on a point $m$, we:
• Compute $H(m)$.
• Obtain ‘sufficient’ randomness by $R(m)$.
• From this, decide what $H'(m)$ is by breaking up $H(m)$.
Note that this only requires one query to $H$.

Converting H′ collision to H
Then note that if the adversary finds $m_1, m_2 \in [M]$ such that $H'(m_1) = H'(m_2) =$ , we have that $H(m_1) = H(m_2) =$ .
But we don’t always have this property.

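An added classical illustration of the simulation and collision-conversion steps above (not from the slides or the authors' paper; the real reduction must answer superposition queries to $U_{H'}$). It assumes one possible conversion, laying the flat distribution and the target out as intervals on $[0,1)$; the names make_converter, preimage_blocks and lifts are hypothetical, and the tables H and R are constructed toy data.

```python
from bisect import bisect_right
from fractions import Fraction
from itertools import accumulate

def make_converter(target, k):
    """Return (h_prime, right) for a target distribution with min-entropy >= k.

    target[y] is Pr[y] as a Fraction; H is assumed flat on range(2**k).
    """
    width = Fraction(1, 2 ** k)                 # probability mass of one output of H
    if sum(target) != 1 or max(target) > width:
        raise ValueError("target must sum to 1 with every Pr[y] <= 2^-k")
    right = list(accumulate(target))            # right end of each y's interval

    def h_prime(h_val, r):
        # h_val = H(m) selects a block of [0,1); r = R(m) in [0,1) selects a point in it.
        u = (h_val + r) * width
        return bisect_right(right, u)           # the y whose interval contains u
    return h_prime, right

def preimage_blocks(target, right, k, y):
    """Values of H(m) that can lead to H'(m) = y (at most two under this layout)."""
    width = Fraction(1, 2 ** k)
    lo, hi = right[y] - target[y], right[y]
    return list(range(lo // width, -(-hi // width)))   # floor(lo/w) .. ceil(hi/w)-1

def lifts(H, m1, m2):
    """Does an H' collision (m1, m2) also give a collision in H itself?"""
    return m1 != m2 and H[m1] == H[m2]

# Constructed sample: k = 2, six outputs, min-entropy exactly 2.
K = 2
TARGET = [Fraction(n, 16) for n in (4, 2, 2, 3, 3, 2)]
H = {0: 2, 1: 3, 2: 2, 3: 0}                            # toy table for H on [M]
R = {0: Fraction(7, 8), 1: Fraction(1, 4), 2: Fraction(3, 4), 3: Fraction(1, 2)}

if __name__ == "__main__":
    h_prime, right = make_converter(TARGET, K)
    Hp = {m: h_prime(H[m], R[m]) for m in H}            # one H query per point
    print("H' table:", Hp)
    for y in range(len(TARGET)):
        print(y, "can come from H values", preimage_blocks(TARGET, right, K, y))
    print("(0,2) lifts:", lifts(H, 0, 2), " (0,1) lifts:", lifts(H, 0, 1))
```

In the sample, points 0, 1 and 2 all collide under $H'$, but only the pair (0, 2) is a collision in $H$; output 4 straddles two blocks of $H$, which is the case where the property fails.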
Converting H′ collision to H
Say the adversary finds $m_1, m_2 \in [M]$ such that $H'(m_1) = H'(m_2) =$ . What does this mean for $H(m_1)$ and $H(m_2)$?

Converting H′ collision to H
If $H'(m_1) = H'(m_2) =$ , we could have: