1. No category

Quantum Collision-Resistance of Non

Quantum Collision-Resistance of Non-Uniformly
Distributed Functions
Made by:
Ehsan Ebrahimi Targhi
University of Tartu
February 1, 2016
Joint work with Dominique Unruh and Gelo Tabia
Made by: Ehsan Ebrahimi Targhi
Quantum Collision-Resistance of Non-Uniformly Distributed Functions
University of Tartu
The problem: (Quantum Collision-Resistance)
෍ Ξ±π‘₯ |π‘₯βŒͺ
π‘₯
f :[N]
[M]
෍ Ξ±π‘₯ |𝑓(π‘₯)βŒͺ
π‘₯
π‘₯1 β‰  π‘₯2 such that f(π‘₯1 ) = f( π‘₯2 ).
Question: How many quantum queries are needed to output a
collision? (quantum query complexity point of view)
or
What is the maximum success probability given the specific
number of queries? (quantum query solvability (Zhandry))
Made by: Ehsan Ebrahimi Targhi
Quantum Collision-Resistance of Non-Uniformly Distributed Functions
University of Tartu
Why for random function?
Collision-resistance hash functions are central in cryptology.
1
In the random oracle model, they model as random functions.
Made by: Ehsan Ebrahimi Targhi
Quantum Collision-Resistance of Non-Uniformly Distributed Functions
University of Tartu
Why for random function?
Collision-resistance hash functions are central in cryptology.
1
In the random oracle model, they model as random functions.
2
In most cryptographic applications, they need to be
compression functions.
Made by: Ehsan Ebrahimi Targhi
Quantum Collision-Resistance of Non-Uniformly Distributed Functions
University of Tartu
Why for random function?
Collision-resistance hash functions are central in cryptology.
1
In the random oracle model, they model as random functions.
2
In most cryptographic applications, they need to be
compression functions.
Recall: By birthday attack, the probability of success is roughly
1/2 when q = Θ(M 1/2 ) for a classical adversary.
Made by: Ehsan Ebrahimi Targhi
Quantum Collision-Resistance of Non-Uniformly Distributed Functions
University of Tartu
Previous result:
Theorem
Let f : [N] β†’ [M] be a random function. Then any quantum
algorithm making q number of queries to f outputs a collision for f
3
where C is a universal constant.1
with probability at most C (q+2)
M
β‡’ Ω(M 1/3 ) queries are needed to output a collision.
Question: What if outputs of function f are chosen according to a
non-uniform distribution.
1
[Zhandry, Quantum Information & Computation, 2013]
Made by: Ehsan Ebrahimi Targhi
Quantum Collision-Resistance of Non-Uniformly Distributed Functions
University of Tartu
Motivation for non-uniform functions:
In some cryptographic constructions, the combination of a
truly random function and encryption function has to be
collision-resistance:
Fujisaki-Okamoto
transform:
sy
sy
hy
asy
Encpk (m; Ξ΄) = Encpk Ξ΄; H Ξ΄kEncG (Ξ΄) (m) , EncG (Ξ΄) (m) .
hy
Encpk
β—¦ H has to be collision-resistance.
Made by: Ehsan Ebrahimi Targhi
Quantum Collision-Resistance of Non-Uniformly Distributed Functions
University of Tartu
Our contribution:
H∞ (D) = βˆ’ log max Pr[D(m)]
m∈[M]
Theorem
Let f : [N] β†’ [M] be a function whose outputs are chosen
according to a distribution with min-entropy k. Then any quantum
algorithm A making q queries to f returns a collision for f with
0
9/5
probability at most C (q+2)
where C 0 is a universal constant.
k/5
2
β‡’ Ω(2k/9 ) queries are needed to output a collision.
Made by: Ehsan Ebrahimi Targhi
Quantum Collision-Resistance of Non-Uniformly Distributed Functions
University of Tartu
Preliminaries (for proof):
Definition (Universal Hash Function 2 )
A family of functions H = {h : {0, 1}n β†’ {0, 1}m } is called a
universal family if for all distinct x, y ∈ {0, 1}n :
$
Pr[h(x) = h(y ) : h ←
βˆ’ H] ≀ 1/2m .
2
[Larry Carter, Mark N. Wegman, J. Comput. Syst. Sci, 1979]
Made by: Ehsan Ebrahimi Targhi
Quantum Collision-Resistance of Non-Uniformly Distributed Functions
University of Tartu
Preliminaries (Leftover Hash Lemma3 ):
X
with 𝐻∞ (𝑋) β‰₯ π‘˜
3
h
Random UHF
~π‘˜ bits
Good randomness
[Johan Håstad, Russell Impagliazzo, Leonid A. Levin, Michael Luby, 1993]
Made by: Ehsan Ebrahimi Targhi
Quantum Collision-Resistance of Non-Uniformly Distributed Functions
University of Tartu
Proof sketch:
Pr[Coll(f ; Afq ) : f ← D X ]
≀ Pr[Coll(h β—¦ f ; Afq ) : f ← D X ]
= Pr[Coll(h β—¦ f ; Bqhβ—¦f ) : f ← D X ] (preimages of f )
βˆ—
$
u Pr[Coll(f βˆ— ; Bqf ) : f βˆ— ←
βˆ’ {}] (LHL, Oracle Indistinguishability)
u hard
We prove that:
Pr[Coll(f ; Afq ) : f ← D X ] ≀ O(
Made by: Ehsan Ebrahimi Targhi
Quantum Collision-Resistance of Non-Uniformly Distributed Functions
q 9/5
).
2k/5
University of Tartu
Question?
Thank you for listening!
Made by: Ehsan Ebrahimi Targhi
Quantum Collision-Resistance of Non-Uniformly Distributed Functions
University of Tartu

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz