
Post-quantum security - PowerPoint Presentation

min-jolicoeur
Uploaded On 2019-12-05

Presentation Transcript

Post-quantum security of hash functions
Dominique Unruh, University of Tartu

Slide 2 (Post-quantum secure hashes): Hash functions
- Integrity of data
- Identification of files
- Efficient signatures
- Commitment schemes
- etc.
[Diagram: H maps a long input to a short output]
Are common hash functions post-quantum secure?

Slide 3: Properties of hash functions
- Collision resistance
- Pseudorandom generators/functions
- "Random-oracle like"
- And more
[Diagrams: H drawn once per property; labels "random", "more random", "???"]

Slide 4: Surprises with hash functions
- Consider a hash function and a horse race
- "Spicy Spirit" wins…
[Diagram: two Player/Bookie exchanges, the second ending in $$$]

Slide 5: Surprises with hash functions (II)
- Consider a cheating player
- "Wallopping Waldo" wins…
[Diagram: Player/Bookie exchanges labelled "Some fake" and "with"; $$$]

Slide 6: Surprises with hash functions (III)
- Classical crypto: is collision-resistant (infeasible to find with )
- Consequence: Can open to one horse only.
- Surprise: Does not hold for quantum adversaries ( might be collision-resistant, and attack still works)
[Diagram: Player/Bookie exchange labelled "with"]

Slide 7: Surprises with hash functions (IV)
[Diagram: Player/Bookie exchanges labelled "Some fake" and "with"; annotation "used up!"]

Slide 8: Collapsing hash functions
- Strengthening of "collision-resistance" for quantum setting
- Adv. A outputs messages (in superposition)
- Def: Collapsing = A cannot distinguish
[Diagram: two circuits run by A, each containing a "Measure" step, joined by "or"]

Slide 9: Post-quantum hashes?
- Question: Are existing hashes post-quantum secure? (E.g., SHA2, SHA3, etc.)
- Collision-resistance?
- Collapsing?
- PRG/PRF?
- …
[Annotation: "This talk"]

Slide 10: How are hashes constructed?
- A small building block:
  - Checked by cryptanalysis
  - Assumed ideal (e.g., random oracle)
- An iterative construction:
  - With security proof
[Diagram: f, fixed length in, fixed length out. Building blocks: compression function, block function. Constructions: Merkle-Damgård (e.g., SHA2), Sponge (e.g., SHA3)]

Slide 11: Security of Merkle-Damgård
- Building block: Compression function
- Idealized: random function
- Random functions are collision-resistant / collapsing
- We can assume f to be collapsing
[Diagram: f with its input and output sizes in bits]

Slide 12: Security of Merkle-Damgård (II)
- MD-construction:
- To show: Measuring: is indistinguishable from measuring: .
[Diagram: chain of f blocks; annotations "= measure" and ✓]

Slide 13: Security of Merkle-Damgård (III)
- One subtlety: Superpositions of messages of different lengths
  - We assumed known length
  - Measuring length → disturbs state?
  - Fortunately: padding has length in last block
- SHA2 post-quantum secure (collision-resistant, collapsing)
[Diagram: chain of f blocks]
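The Merkle-Damgård construction from the three slides above, as an added sketch that is not part of the original presentation: a fixed-length compression function f is iterated over the padded message, and the message length sits in the last block. The block and state sizes, the padding layout and the truncated-SHA-256 stand-in for f are assumptions chosen for illustration.

```python
import hashlib
import struct

BLOCK = 32         # message block size in bytes (assumed toy parameter)
STATE = 16         # chaining value size in bytes (assumed toy parameter)
IV = bytes(STATE)  # all-zero initial chaining value (assumed)


def f(chain: bytes, block: bytes) -> bytes:
    """Fixed-length compression function: STATE + BLOCK bytes -> STATE bytes.

    Truncated SHA-256 stands in for the idealized random function."""
    if len(chain) != STATE or len(block) != BLOCK:
        raise ValueError("f only accepts fixed-length inputs")
    return hashlib.sha256(b"toy-f" + chain + block).digest()[:STATE]


def pad(msg: bytes) -> bytes:
    """Append 0x80, zero bytes, then the 64-bit message bit length.

    The length field always occupies the final 8 bytes of the last block."""
    zeros = -(len(msg) + 1 + 8) % BLOCK
    return msg + b"\x80" + bytes(zeros) + struct.pack(">Q", 8 * len(msg))


def md_hash(msg: bytes) -> bytes:
    """Iterate f over the padded message, block by block."""
    data = pad(msg)
    chain = IV
    for i in range(0, len(data), BLOCK):
        chain = f(chain, data[i:i + BLOCK])
    return chain


def length_from_last_block(padded: bytes) -> int:
    """Recover the message length in bytes from the last block alone."""
    return struct.unpack(">Q", padded[-8:])[0] // 8


if __name__ == "__main__":
    for m in (b"", b"Spicy Spirit", b"x" * 23, b"x" * 24):  # constructed inputs
        p = pad(m)
        print(len(m), len(p) // BLOCK, length_from_last_block(p), md_hash(m).hex())
```

Two messages of different lengths always differ in their final padded block, which is the property the slide relies on when it says the padding has the length in the last block.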

Slide 14: Security of sponges
- Building block: Block function (or permutation)
- Idealized: random function / permutation
- Collision-resistant / collapsing when restricted to left/right half of output
- Not true for invertible permutation!!!
[Diagram: f with its input and output sizes in bits; label "SHA3"]

Slide 15: Security of sponges (II)
- Sponge-construction:
- To show: Measuring: is indistinguishable from measuring: .
[Diagram: chain of f blocks; annotations "= measure" and ✓]

Slide 16: Security of sponges (III)
- Same subtlety: Superposition of different lengths
  - → more tricky, but solvable
- Conclusion: Sponge hashes are collapsing/collision-resistant
- But only if f not invertible!
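A toy sponge with a pluggable block function, added here as an illustration and not taken from the presentation. It also shows why the slides single out invertible block functions: once the inverse is available, two inputs whose outputs agree on the left half follow directly. The state size, rate, simplified padding and both block functions (a 4-round Feistel permutation and a SHA-256-based function) are assumptions.

```python
import hashlib

HALF = 16            # bytes per half of the state (assumed toy parameter)
RATE = HALF          # left half absorbs message blocks; right half is capacity


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(i: int, half: bytes) -> bytes:
    return hashlib.sha256(bytes([i]) + half).digest()[:HALF]


def perm(state: bytes, rounds: int = 4) -> bytes:
    """Invertible block function: a Feistel network over the whole state."""
    l, r = state[:HALF], state[HALF:]
    for i in range(rounds):
        l, r = r, _xor(l, _round(i, r))
    return l + r


def perm_inv(state: bytes, rounds: int = 4) -> bytes:
    """Inverse of perm: undo the Feistel rounds in reverse order."""
    l, r = state[:HALF], state[HALF:]
    for i in reversed(range(rounds)):
        l, r = _xor(r, _round(i, l)), l
    return l + r


def func(state: bytes) -> bytes:
    """Non-invertible block function (stand-in for a random function)."""
    return hashlib.sha256(b"toy-f" + state).digest()


def sponge(f, msg: bytes) -> bytes:
    """Absorb RATE-byte blocks into the left half, then squeeze it out once."""
    data = msg + b"\x80" + bytes(-(len(msg) + 1) % RATE)  # simplified padding
    state = bytes(2 * HALF)
    for i in range(0, len(data), RATE):
        state = f(_xor(state[:RATE], data[i:i + RATE]) + state[RATE:])
    return state[:RATE]


def left_half_pair(left: bytes):
    """Two distinct inputs whose perm outputs share the same left half."""
    return perm_inv(left + bytes(HALF)), perm_inv(left + b"\x01" * HALF)
```

The pair returned by `left_half_pair` collides for `perm` restricted to its left half, not for `sponge(perm, ...)`; the slides leave the security of sponges with an invertible block function open.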

Slide 17: Which sponges are post-quantum?
- With non-invertible block function: ✓
  - E.g., Gluon hash function
- With invertible block function: unknown
  - E.g., SHA3
  - Preferred by classical community (better parameters)?
- What shall we prefer in post-quantum case???

Slide 18: Indifferentiability of sponges
- Classically, sponges are indifferentiable
- I.e., they have "the same properties" as random oracles
- Collision-resistance and much more: trivial consequence
- Time-saver approach: one proof for all

Slide 19: Indifferentiability: "Definition"
- Simulator must find f that "explains" the random oracle as a sponge.
[Diagram: Real model (f, Sponge) and Ideal model (Random oracle, fake f), marked "indistinguishable"]

Slide 20: Quantum indifferentiability of sponge
- Queries to f in superposition
  - → simulator cannot adaptively fix f
  - → needs to fix all of f in a go
- Counting argument: not enough different f's
- Half-proven conjecture
[Diagram: Real model (f, Sponge) and Ideal model (Random oracle, fake f)]

Slide 21: Main open problem
- Understand sponges with invertible block function
- Otherwise, no clue if SHA-3 post-quantum secure

Slide 22: I thank you for your attention
This research was supported by European Social Fund's Doctoral Studies and Internationalisation Programme DoRa

Slide 23: Postdoc Positions (also PhD)
- Verification of Quantum Crypto
- Formal verification of quantum crypto protocols ("QuEasyCrypt" tool)
- http://tinyurl.com/postdoc-vqc