Abstract
We study the quantum query complexity of finding a collision for a function f whose outputs are chosen according to a distribution with min-entropy k. We prove that \(\varOmega (2^{k/9})\) quantum queries are necessary to find a collision for function f. This is needed in some security proofs in the quantum random oracle model (e.g. Fujisaki-Okamoto transform).
Access provided by Autonomous University of Puebla. Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
Let D be a distribution with min-entropy k over set Y and f be a function whose outputs are drawn according to the distribution D. In this paper, we study the difficulty of finding a collision for unknown function f in the quantum query model. Recall that a collision for function f consists of two distinct inputs \(x_1\) and \(x_2\) such that \(f(x_1) = f(x_2)\). Classically, by application of the birthday attack it is easy to observe that \(\varTheta (2^{k/2})\) queries are necessary and sufficient to find a collision with constant probability. However, in quantum query model this number of queries may be high for the reason that one quantum query may contain the whole input-output values of the function.
Zhandry [Zha15] shows that \(\varTheta (2^{k/3})\) quantum queries are necessary and sufficient to find a collision for the function f when D is a uniform distribution. However, he leaves the non-uniform case as an open problem. One motivation for studying the quantum collision problem for a non-uniform distribution is the interest in proving the security of classical cryptographic schemes against quantum adversaries. Hash functions are crucial cryptographic primitives that are used to construct many encryption schemes and cryptographic schemes. They are usually modeled as random functions and they are used inside other functions. Therefore the output of combination of a function f and a random function H may not be distributed uniformly and finding a collision for this non-uniformly distributed \(f\circ H\) may break the security of the scheme. For example the well-known Fujisaki-Okamoto construction [FO99] uses a random function H to produce the randomness for an encryption scheme f. The security relies on the fact that the adversary can not find two inputs of the random function that lead to the same ciphertext. This is roughly equivalent to saying that \(f \circ H\) is collision-resistant. In fact, our result is a crucial ingredient for analyzing a variant of Fujisaki-Okamoto construction in the quantum setting [ETU15].
We prove an \(\varOmega (2^{k/9})\) lower bound for the quantum query complexity of the function f and leave as an open problem to verify whether or not Zhandry’s bound applies to the function f. The proof procedure is as follows. We apply the Leftover Hash Lemma [HILL93] to the function f to extract the number of bits that are indistinguishable from uniformly random bits. After applying the Leftover Hash Lemma, the output distribution of \(h\circ f\), where h is a universal hash function, is indistinguishable from the uniform distribution over a set. Note that a collision for function f is a collision for \(h\circ f\). Let A be a quantum adversary that has quantum access to f and finds a collision for \(h\circ f\). Using the existence of A, we show that there exists a quantum algorithm B that has quantum access to \(h \circ f\) and finds a collision for \(h\circ f\) with the same probability and the same number of queries as algorithm A. Theorem 1.1 by Zhandry [Zha12] shows that two distribution are indistinguishable if and only if they are oracle-indistinguishable. Therefore, \(h\circ f\) is indistinguishable from a random function (recall that the output of \(h\circ f\) is indistinguishable from the uniform distribution by Leftover Hash Lemma) and as a result any quantum algorithm B is unable to differentiate between \(h\circ f\) and a random function. By using an existing result for finding a collision for a random function presented by Zhandry [Zha15, Theorem 7], we obtain an upper bound for the probability of finding a collision for function \(h\circ f\). Therefore, we get an upper bound for the probability of success for the quantum collision problem applied to the function f.
The quantum collision problem has been studied in various previous works. In the following, we mention the existing results on the number of queries that are necessary to find a collision. An \(\varOmega (N^{1/3})\) lower bound for function f is given by Aaronson and Shi [AS04] and Ambainis [Amb05] where f is a two-to-one function with the same domain and co-domain and N is the domain size. Yuen [Yue14] proves an \(\varOmega (N^{1/5}/\)polylog N) lower bound for the quantum collision problem for a random function f with same domain and co-domain. He reduces the distinguishing between a random function and a random permutation problem to the distinguishing between a function with r-to-one part and a function without r-to-one part. His proof is a merger of using the r-to-one lower bound from [AS04] and using the quantum adversary method [Amb00]. Zhandry [Zha15] improves Yuen’s bound to the \(\varOmega (N^{1/3})\) and also removes the same size domain and co-domain constraint. He uses the existing result from [Zha12] to prove his bound.
The sufficient number of quantum queries to find a collision is given in the following works. A quantum algorithm that requires \(O(N^{1/3})\) quantum queries and finds a collision for any two-to-one function f with overwhelming probability is given by Brassard, H\(\phi \)yer and Tapp [BHT97]. Ambainis [Amb07] gives a quantum algorithm that requires \(O(N^{2/3})\) queries to find two equal elements among N given elements and therefore it is an algorithm for finding a collision in an arbitrary function f given the promise that f has at least one collision. Yuen [Yue14] shows that the collision-finding algorithm from [BHT97] is able to produce a collision for a random function with same domain and co-domain using \(O(N^{1/3})\) queries. Zhandry shows that \(O(M^{1/3})\) queries are adequate to find a collision for a random function \(f: [N] \rightarrow [M]\) where \(N = \varOmega (M^{1/2})\). He uses Ambainis’s element distinctness algorithm [Amb07] as a black box in his proof. Zhandry’s bound also implies that we can not expect a lower bound for the query complexity of finding a collision for a non-uniform function better than \(O(2^{k/3})\).
2 Preliminaries
In this section, we present some definitions and existing results that are needed in this paper. Notation \(x \xleftarrow \$ X\) shows that x is chosen uniformly at random from set X. If D is a distribution over X, then notation \(x \leftarrow D\) shows that x is chosen at random according to the distribution D. \(\Pr [P: G]\) is the probability that the predicate P holds true where free variables in P are assigned according to the program in G. We say that the quantum algorithm A has quantum access to the oracle \(O : \{0,1\}^{n_0} \rightarrow \{0,1\}^{n_1}\), denoted by \(A^O\), where A can submit queries in superposition and the oracle O answers to the queries by a unitary transformation that maps \({\left| {x,\ y}\right\rangle }\) to \({\left| {x,\ y \oplus O(x)}\right\rangle }\).
Definition 1
Let \(D_1\) and \(D_2\) be distributions on a set X. The statistical distance between \(D_1\) and \(D_2\) is
Definition 2
Let D be a distribution on a set X. The min-entropy of this distribution is defined as
Definition 3
We say that function \(f: \{0, 1\}^{n_1} \rightarrow \{0, 1\}^{n_2}\) has min-entropy k if,
Definition 4
(Universal Hash Function [CW79]). A family of functions \(H = \{h: \{0,1\}^n \rightarrow \{0,1\}^{m}\}\) is called a universal family if for all distinct \(x, y \in \{0,1\}^n\):
Lemma 1
(Leftover Hash Lemma [HILL93]). Let D be a distribution with min-entropy k and e be a positive integer. Let \(h: \{0,1\}^m \times \{0,1\}^n \rightarrow \{0,1\}^{k-2e}\) be a universal hash function. Then,
where \(x \xleftarrow {D} \{0,1\}^n, y \xleftarrow {\$} \{0,1\}^m\) and \(z \xleftarrow {\$} \{0,1\}^{k-2e}\).
Lemma 2
([Zha12]). Let \(D_1\) and \(D_2\) be efficiently sampleable distributions over some set Y, and let X be some other set. For \(i=1,\ 2\), let \(D_i^{X}\) be the distributions of functions \(F_i\) from X to Y where for each \(x\in X\), \(F_i(x)\) is chosen at random according to the distribution \(D_i\). Then if A be a quantum algorithm that makes q queries and distinguish \(D_1^{X}\) from \(D_2^{X}\) with non-negligible probability \(\epsilon \), we can construct a quantum algorithm B that distinguishes samples from \(D_1\) and \(D_2\) with probability at least \(\frac{3\epsilon ^2}{64\pi ^2q^3}\).
Lemma 3
(Theorem 7 [Zha15]). Let \(h : \{0,1\}^n \rightarrow \{0,1\}^{m}\) be a random function. Then any quantum algorithm making q number of queries to h outputs a collision for h with probability at most \(\frac{C(q+2)^3}{2^m}\) where C is a universal constant.
3 Main Result
Let \(\Pr [\mathsf {Coll}(O; A^O): O \leftarrow D]\) be the probability of finding a collision in function O that is drawn according to the distribution D using a quantum algorithm A with quantum access to the function O.
Lemma 4
Let D be a distribution over \(\{0, 1\}^{n_1}\). Let \(f: \{0, 1\}^{n_1} \rightarrow \{0, 1\}^{n_2}\) be a public function and \(X = \{0, 1\}^{n_0}\). If A is a quantum algorithm that makes q queries to function O drawn from distribution \(D^X\) and finds a collision for \(f \circ O\) with some probability, then there exists a quantum algorithm B that makes q queries to \(f \circ O\) and outputs a collision for \(f \circ O\) with the same probability.
Proof
Let \(S_y = f^{-1}(\{y\})\) for \(y \in {{\mathrm{Im}}}f\). We define distribution \(D_y\) over \(S_y\) as
Let \(D'\) be the distribution of functions F from \(\{0,1\}^{n_0}\times {{\mathrm{Im}}}f\) to \(\{0,1\}^{n_1}\) where for each \(x \in \{0,1\}^{n_0}\) and \(y \in {{\mathrm{Im}}}f\), F(x, y) is chosen at random in \(S_y\) according to the distribution \(D_y\). Let \((F\odot g)(x):= F\big (x, g(x)\big )\). We show that output of O and output of \(F \odot (f \circ O)\) have the same distribution when F is chosen according to distribution \(D'\). For every \(x \in \{0, 1\}^{n_0}\) and \(z \in \{0, 1\}^{n_1}\):
where \((*)\) holds for the reason that if \(z'' = z\) be true, then \(z'\) will be in the set \(S_{f(z)}\) and \((**)\) uses the conditional probability. As a result:
Now, we construct quantum algorithm B. Algorithm B runs A and answers to its query as follows: (i) query \((f\circ O)(x) := y\), (ii) pick \(z \leftarrow D_y\), and (iii) set \(O(x) := z\). That is, B runs \(A^{F\odot f \circ O}\) with \(F \leftarrow D'\). Let \(\overline{O} = f\circ O\). The way that quantum algorithm B handles quantum queries is shown in the following circuit.
Algorithm B returns the output of A after q queries. Therefore, we prove the existence of quantum algorithm B stated in the lemma.
Theorem 1
Let D be a distribution with \(H_{\infty }(D) \ge k\) over set \(\{0, 1\}^{n_1}\). Let O be a function drawn from distribution \(D^X\). Then any quantum algorithm A making q queries to O returns a collision for O with probability at most \(\frac{C'(q + 2)^{9/5}}{2^{k/5}}\) where \(C'\) is a universal constant. That is,
Let \(h: \{0,1\}^m \times \{0,1\}^{n_1} \rightarrow \{0,1\}^{k-2e}\) be a universal hash function. Lemma 1 implies that:
where \(h_y(x) := h(y,x)\), \(x \leftarrow D,\ y \xleftarrow {\$} \{0,1\}^m\) and \(z \xleftarrow {\$} \{0,1\}^{k-2e}\).
The upper bound can be concluded by following steps:
where
-
(i)
follows from the fact that collisions for O will also be collisions for \(h_y \circ O\), and that \(h_y \circ O\) can have other collisions;
-
(ii)
follows from Lemma 4 that implies the existence of quantum algorithm B;
-
(iii)
can be seen as follows: Let \(D_1\) be output distribution of \(h_y \circ O\) and \(D_2\) be uniform distribution over \(\{0, 1\}^{k - 2e}\). Equation 1 implies that for every adversary A,
$$\begin{aligned} \left| \Pr \left[ A(y) = 1: y \leftarrow D_1 \right] - \Pr \left[ A(y) = 1: y \leftarrow D_2 \right] \right| \le 2^{-e-1}. \end{aligned}$$Using Lemma 2, we can conclude that
$$\begin{aligned}&\quad \Big |\Pr [ \mathsf {Coll}(h_y \circ O; B^{h_y \circ O}): O \leftarrow D^X] - \\&\Pr [ \mathsf {Coll}(O^*; B^{O^*}): O^* \xleftarrow {\$} (\{0,1\}^{n_1} \rightarrow \{0,1\}^{k-2e})]\Big | \le \sqrt{64 \pi ^2 q^3 2^{-e-1}/3}; \end{aligned}$$and finally
-
(iv)
follows from applying Lemma 3 to the random function \(O^*\).
So far, we have the upper bound
It is minimized by choosing
Substituting this value of e gives us
Corollary 1
Let \(f: \{0, 1\}^{n_1} \rightarrow \{0, 1\}^{n_2}\) be a function with min-entropy k. Let \(O: \{0, 1\}^{*} \rightarrow \{0, 1\}^{n_1}\) be a random function. Then any quantum algorithm A making q queries to O returns a collision for \(f\circ O\) with probability at most \(O\left( \frac{q^{9/5}}{2^{k/5}}\right) \).
We apply Lemma 4 to obtain the quantum algorithm B that has access to \(f \circ O\) and finds a collision for \(f \circ O\) with the same number of queries and the same probability as the quantum algorithm A. Then the result follows by Theorem 1 for the reason that the output distribution of \(f\circ O\) has min-entropy k.
References
Ambainis, A.: Quantum lower bounds by quantum arguments. In: Yao, F.F., Luks, E.M. (eds.) Proceedings of the Thirty-Second Annual ACM Symposium on Theory of Computing, May 21–23, Portland, OR, USA, pp. 636–643. ACM (2000)
Ambainis, A.: Polynomial degree and lower bounds in quantum complexity: Collision and element distinctness with small range. Theor. Comput. 1(1), 37–46 (2005)
Ambainis, A.: Quantum walk algorithm for element distinctness. SIAM J. Comput. 37(1), 210–239 (2007)
Aaronson, S., Shi, Y.: Quantum lower bounds for the collision and the element distinctness problems. J. ACM 51(4), 595–605 (2004)
Brassard, G., Høyer, P., Tapp, A.: Quantum algorithm for the collision problem. ACM SIGACT News (Cryptology Column) 28, 14–19 (1997)
Carter, L., Wegman, M.N.: Universal classes of hash functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979)
Targhi, E.E., Unruh, D.: Quantum security of the Fujisaki-Okamoto transform (2015). http://2015.qcrypt.net/wp-content/uploads/2015/09/Poster10_Ehsan-Ebrahimi.pdf
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999)
Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: Construction of a pseudo-random generator from any one-way function. SIAM J. Comput. 28, 12–24 (1993)
Yuen, H.: A quantum lower bound for distinguishing random functions from random permutations. Quantum Inf. Comput. 14(13–14), 1089–1097 (2014)
Zhandry, M.: How to construct quantum random functions. In: 53rd Annual IEEE Symposium on Foundations of Computer Science, FOCS , New Brunswick, NJ, USA, October 20–23, 2012, pp. 679–687. IEEE Computer Society (2012)
Zhandry, M.: A note on the quantum collision and set equality problems. Quantum Inf. Comput. 15(7–8), 557–567 (2015)
Acknowledgments
We would like to thank the anonymous reviewers for their comments. This work was supported by the Estonian ICT program 2011–2015 (3.2.1201.13-0022), the European Union through the European Regional Development Fund through the sub-measure “Supporting the development of R&D of info and communication technology”, by the European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa, by the Estonian Centre of Excellence in Computer Science, EXCS.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Targhi, E.E., Tabia, G.N., Unruh, D. (2016). Quantum Collision-Resistance of Non-uniformly Distributed Functions. In: Takagi, T. (eds) Post-Quantum Cryptography. PQCrypto 2016. Lecture Notes in Computer Science(), vol 9606. Springer, Cham. https://doi.org/10.1007/978-3-319-29360-8_6
Download citation
DOI: https://doi.org/10.1007/978-3-319-29360-8_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-29359-2
Online ISBN: 978-3-319-29360-8
eBook Packages: Computer ScienceComputer Science (R0)