Post-quantum security of hash functions
Dominique Unruh
University of Tartu

Hash functions
[Figure: long input → H → short output]
• Integrity of data
• Identification of files
• Efficient signatures
• Commitment schemes
• etc.
Are common hash functions post-quantum secure?
Dominique Unruh
Post-quantum secure hashes
2

Properties of hash functions
• Collision resistance
  [Figure: 𝑥1, 𝑥2 → H → 𝑦, i.e. two inputs mapping to the same output]
• Pseudorandom generators/functions
  [Figure: H → random]
• “Random-oracle like”
  [Figure: H → more random ???]

Surprises with hash functions
• Consider a hash function and a horse race
  [Figure: Player → Bookie: 𝐻("spicy spirit", 231632)]
• “Spicy Spirit” wins…
  [Figure: Player → Bookie: 231632; Bookie → Player: $$$]

Surprises with hash functions (II)
• Consider a cheating player
  [Figure: Player → Bookie: some fake ℎ instead of 𝐻("spicy spirit", 231632)]
• “Wallopping Waldo” wins…
  [Figure: Player → Bookie: 𝑟 with 𝐻("wallop", 𝑟) = ℎ; Bookie → Player: $$$]

Surprises with hash functions (III)
[Figure: Player → Bookie: 𝑟 with 𝐻("wallop", 𝑟) = ℎ]
Classical crypto: 𝐻 is collision-resistant
(infeasible to find 𝑥, 𝑥′ with 𝐻(𝑥) = 𝐻(𝑥′))
Consequence: can open ℎ to one horse only.
Surprise: this does not hold for a quantum adversary
(𝐻 might be collision-resistant, and the attack still works)

Surprises with hash functions (IV)
[Figure: Player → Bookie: some fake ℎ; Player → Bookie: 𝑟 with 𝐻("wallop", 𝑟) = ℎ; the Player holds a quantum state |Ψ〉, and after producing 𝑟 the state |Ψ〉 is used up!]
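The horse-race protocol of the preceding slides, written out as an added Python example (not code from the talk). The bookie's check is the classical argument on the slide: a valid opening to two different horses would be two distinct inputs with the same hash, so collision-resistance of 𝐻 makes the commitment binding against a classical player. `H`, `commit`, `open_commitment`, `bookie_pays` and `two_openings_are_collision` are names chosen here; 𝐻 is instantiated with SHA-256 as a stand-in, with 𝑟 encoded as a fixed-width 256-bit integer, which is an assumption of this example and not part of the talk.

```python
import hashlib
import hmac
import secrets


def H(horse: str, r: int) -> bytes:
    """Stand-in for the talk's H (assumption: SHA-256).
    The horse name is length-prefixed and r is encoded as a fixed 32-byte
    integer, so the pair (horse, r) has exactly one byte encoding."""
    name = horse.encode("utf-8")
    return hashlib.sha256(
        len(name).to_bytes(2, "big") + name + r.to_bytes(32, "big")
    ).digest()


def commit(horse: str) -> tuple[bytes, int]:
    """Player's step before the race: pick a fresh random r, send h = H(horse, r)."""
    r = secrets.randbits(256)
    return H(horse, r), r


def open_commitment(h: bytes, horse: str, r: int) -> bool:
    """Bookie's check after the race: the revealed (horse, r) must reproduce h."""
    return hmac.compare_digest(h, H(horse, r))


def bookie_pays(h: bytes, winner: str, claimed_horse: str, r: int) -> bool:
    """The bookie pays only for a valid opening that names the actual winner."""
    return claimed_horse == winner and open_commitment(h, claimed_horse, r)


def two_openings_are_collision(horse1: str, r1: int, horse2: str, r2: int) -> bool:
    """True iff the two openings are distinct inputs with the same hash, i.e. a
    collision of H. Opening one h to two horses would produce exactly this, which
    is why collision-resistance gives the classical binding guarantee."""
    return (horse1, r1) != (horse2, r2) and H(horse1, r1) == H(horse2, r2)


if __name__ == "__main__":
    # Honest run with the values from the slides (constructed sample values).
    h = H("spicy spirit", 231632)
    print("honest opening accepted:", bookie_pays(h, "spicy spirit", "spicy spirit", 231632))
    # A classical cheater who committed to "spicy spirit" cannot open to the other horse.
    print("opening to other horse accepted:",
          bookie_pays(h, "wallopping waldo", "wallopping waldo", 231632))
```

The `hmac.compare_digest` call keeps the bookie's comparison constant-time; it is not needed for the binding argument, but it is how a verifier should compare digests in practice.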

Collapsing hash functions
Strengthening of “collision-resistance” for the quantum setting
Adv. A outputs messages 𝑚 (in superposition)
[Figure: two games. A outputs |𝑚〉; either the hash 𝐻(𝑚) is measured or 𝑚 itself is measured; |𝑚〉 is then returned to A]
Def: Collapsing = A cannot distinguish

Post-quantum hashes?
Question: Are existing hashes post-quantum secure?
(E.g., SHA2, SHA3, etc.)
• Collision-resistance?
• Collapsing?
• PRG/PRF?
• …
[This talk]

How are hashes constructed?
A small building block:
[Figure: fixed-length input → f → fixed-length output]
• Compression function
• Block function
• Checked by cryptanalysis
• Assumed ideal (e.g., random oracle)
An iterative construction:
• Merkle-Damgård (e.g., SHA2)
• Sponge (e.g., SHA3)
• With security proof

Security of Merkle-Damgård
Building block: compression function
[Figure: 2𝑛 bits → f → 𝑛 bits]
• Idealized: random function
• Random functions are collision-resistant / collapsing
We can assume f to be collapsing

Security of Merkle-Damgård (II)
MD-construction:
[Figure: 𝑖𝑣 → f(𝑚1) → f(𝑚2) → f(𝑚3) → f(𝑚4) → f(𝑚5) → ℎ𝑎𝑠ℎ; each f takes the previous chaining value and one message block]
To show:
Measuring ℎ𝑎𝑠ℎ
is indistinguishable from
measuring 𝑚1, 𝑚2, 𝑚3, 𝑚4, 𝑚5.
[Figure annotation: ℎ𝑎𝑠ℎ = measure ✓]

Security of Merkle-Damgård (III)
One subtlety:
Superpositions of messages of different lengths
[Figure: 𝑖𝑣 → f(𝑚1) → f(𝑚2) → f(𝑚3) → f(𝑚4) → ℎ𝑎𝑠ℎ, with a possible further block 𝑚5]
• We assumed known length
• Measuring length → disturbs state?
• Fortunately: padding has length in last block
⇒ SHA2 post-quantum secure (coll-res., collapsing)
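The Merkle-Damgård iteration of the last three slides, as an added Python example (not code from the talk, and not SHA-2's real parameters). The compression function `f` is a constructed stand-in for the idealized 2𝑛-bit → 𝑛-bit random function (SHA-256 truncated to 𝑛 = 128 bits), `md_pad` is Merkle-Damgård strengthening with the message length in the final block, and `length_from_last_block` shows the point of the length-padding remark: the last block alone determines the message length, so messages of different lengths never share a final block. All function names and the 128-bit block size are assumptions of this example.

```python
import hashlib

N_BYTES = 16    # n = 128 bits: size of the chaining value and of one message block (assumption)
LEN_BYTES = 8   # message bit length stored as a 64-bit big-endian integer in the final block


def f(chain: bytes, block: bytes) -> bytes:
    """Constructed stand-in for the idealized compression function f: 2n bits -> n bits."""
    assert len(chain) == N_BYTES and len(block) == N_BYTES
    return hashlib.sha256(chain + block).digest()[:N_BYTES]


def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgård strengthening: append 0x80, zero bytes, then the bit length,
    so that the length always occupies the end of the last block."""
    bit_len = (8 * len(msg)).to_bytes(LEN_BYTES, "big")
    padded = msg + b"\x80"
    # Add zeros until exactly LEN_BYTES remain free in the final block.
    while (len(padded) + LEN_BYTES) % N_BYTES != 0:
        padded += b"\x00"
    return padded + bit_len


def md_hash(msg: bytes, iv: bytes = bytes(N_BYTES)) -> bytes:
    """Iterate f over the padded message: iv -> f(., m1) -> f(., m2) -> ... -> hash."""
    chain = iv
    padded = md_pad(msg)
    for i in range(0, len(padded), N_BYTES):
        chain = f(chain, padded[i:i + N_BYTES])
    return chain


def last_block(msg: bytes) -> bytes:
    """The final block fed to f for this message."""
    return md_pad(msg)[-N_BYTES:]


def length_from_last_block(block: bytes) -> int:
    """Read the message length (in bytes) back from a final block: the block fixes the length."""
    return int.from_bytes(block[-LEN_BYTES:], "big") // 8


if __name__ == "__main__":
    for m in (b"", b"abc", b"x" * 100):   # constructed sample inputs
        print(len(m), md_hash(m).hex(), "length recovered from last block:",
              length_from_last_block(last_block(m)))
```

Because the final block encodes the length, two inputs of different lengths pass different final blocks to `f`; a collision between them therefore needs a collision in `f` itself, which is the step the proof on the slides uses.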

Security of sponges
Building block: block function (or permutation)
[Figure: 𝑛 bits → f → 𝑛 bits (as in SHA3)]
• Idealized: random function / permutation
• Collision-resistant / collapsing when restricted to left/right half of output
• Not true for invertible permutation!!!

Security of sponges (II)
Sponge-construction:
[Figure: state initialized to 0‖0; 𝑚1, 𝑚2, 𝑚3 are absorbed, each followed by f; then ℎ1 and ℎ2 are squeezed out, with f in between]
To show:
Measuring ℎ1, ℎ2
is indistinguishable from
measuring 𝑚1, 𝑚2, 𝑚3.
[Figure annotation: = measure ✓]

Security of sponges (III)
Same subtlety:
Superposition of different lengths
→ more tricky, but solvable
Conclusion:
Sponge hashes are collapsing/collision-resistant
But only if f is not invertible!
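The sponge of the last three slides, as an added Python example (not code from the talk, and with toy parameters rather than SHA-3's). `sponge` absorbs the padded message into the rate part of an all-zero state with `f` applied after each block, then squeezes output blocks with `f` in between. Two constructed block functions are provided: `f_noninv` stands in for an idealized random function (SHA-256 truncated to 𝑛 = 128 bits), and `f_perm` is a small Feistel permutation standing in for an invertible block function (it is not Keccak-f). `left_half_collision_via_inverse` makes the slide's caveat concrete: for an invertible f, anyone holding f⁻¹ can choose two outputs that agree on the left half and compute distinct preimages, so "collision-resistant when restricted to the left half" cannot hold. All names, the 64-bit rate and the padding are assumptions of this example.

```python
import hashlib

RATE = 8                  # r bytes of the state: XORed with message blocks, read as output
CAPACITY = 8              # c bytes of the state that the message never touches directly
STATE = RATE + CAPACITY   # n = 16 bytes = 128 bits (assumption)
ROUNDS = 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def f_noninv(state: bytes) -> bytes:
    """Constructed stand-in for an idealized (non-invertible) random function on n bits."""
    return hashlib.sha256(b"block" + state).digest()[:STATE]


def _round(i: int, half: bytes) -> bytes:
    return hashlib.sha256(bytes([i]) + half).digest()[:RATE]


def f_perm(state: bytes) -> bytes:
    """Constructed invertible block function: a toy 4-round Feistel permutation on n bits."""
    L, R = state[:RATE], state[RATE:]
    for i in range(ROUNDS):
        L, R = R, xor(L, _round(i, R))
    return L + R


def f_perm_inv(state: bytes) -> bytes:
    """Inverse of f_perm: undo the Feistel rounds in reverse order."""
    L, R = state[:RATE], state[RATE:]
    for i in reversed(range(ROUNDS)):
        L, R = xor(R, _round(i, L)), L
    return L + R


def pad(msg: bytes) -> bytes:
    """Byte-level pad10*1: 0x01, zeros, 0x80 (0x81 if only one byte is free)."""
    q = RATE - (len(msg) % RATE)   # free bytes in the current block, 1..RATE
    if q == 1:
        return msg + b"\x81"
    return msg + b"\x01" + b"\x00" * (q - 2) + b"\x80"


def sponge(msg: bytes, f, out_len: int) -> bytes:
    """Absorb the padded message into the rate part, then squeeze out_len bytes."""
    state = bytes(STATE)   # all-zero initial state, as on the slide
    padded = pad(msg)
    for i in range(0, len(padded), RATE):                   # absorbing phase
        block = padded[i:i + RATE]
        state = f(xor(state[:RATE], block) + state[RATE:])
    out = b""
    while len(out) < out_len:                               # squeezing phase
        out += state[:RATE]
        state = f(state)
    return out[:out_len]


def left_half_collision_via_inverse(f_inv, y_left: bytes = bytes(RATE)):
    """Why an invertible f breaks the idealization: pick two outputs with the same
    left half and run f backwards; the two preimages differ but collide on the left half."""
    x1 = f_inv(y_left + bytes(CAPACITY))
    x2 = f_inv(y_left + b"\xff" * CAPACITY)
    return x1, x2


if __name__ == "__main__":
    print("non-invertible f:", sponge(b"abc", f_noninv, 16).hex())   # constructed input
    print("permutation f:   ", sponge(b"abc", f_perm, 16).hex())
    x1, x2 = left_half_collision_via_inverse(f_perm_inv)
    print("left halves equal:", f_perm(x1)[:RATE] == f_perm(x2)[:RATE], "inputs differ:", x1 != x2)
```

With `f_noninv` there is no inverse to call, which is the situation the proof on the slides relies on; with `f_perm` the sponge still hashes, but the half-output collision-resistance the argument needs is false by construction.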

Which sponges are post-quantum?
• With non-invertible block function: ✓
  – E.g., Gluon hash function
• With invertible block function: unknown
  – E.g., SHA3
  – Preferred by classical community (better parameters)?
What shall we prefer in the post-quantum case???

Indifferentiability of sponges
Classically, sponges are indifferentiable
• I.e., they have “the same properties” as random oracles
• Collision-resistance and much more: trivial consequence
Time-saver approach: one proof for all

Indifferentiability: “Definition”
[Figure: Real model: f and the Sponge built on it. Ideal model: a fake f (produced by a simulator) and a Random oracle. The two models must be indistinguishable]
• Simulator must find f that “explains” the random oracle as a sponge.

Quantum indifferentiability of sponge
[Figure: Real model: f, Sponge. Ideal model: fake f, Random oracle]
• Queries to f in superposition
  ⇒ simulator cannot adaptively fix f
  ⇒ needs to fix all of f in one go
• Counting argument: not enough different f’s
[Half-proven conjecture]

Main open problem
Understand sponges with invertible block function
Otherwise, no clue if SHA-3 is post-quantum secure

Thank you for your attention
This research was supported by the European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa

Postdoc Positions (also PhD)
Verification of Quantum Crypto
Formal verification of quantum crypto protocols (“QuEasyCrypt” tool)
http://tinyurl.com/postdoc-vqc