Quantum One-Wayness of the Single-Round Sponge with Invertible Permutations

Joseph Carolan, Alexander Poremba

TL;DR

This work advances the understanding of post-quantum security for sponge hashing when the block function is an invertible permutation by solving the double-sided zero-search problem and deriving tight quantum lower bounds. The authors introduce a novel symmetrization method based on Young subgroups and extend the analysis to non-uniform subset-pair variants, enabling reductions from worst-case search to average-case instances. They then connect these query lower bounds to the one-wayness of the single-round sponge in the quantum random oracle model, establishing that any $T$-query quantum attacker has failure probability bounded by $\epsilon = O\big(T^2/2^{\min(r,c)}\big)$ for inverting $Sp^\varphi$. The results thus provide the first arbitrary-parameter post-quantum security guarantee for the single-round sponge and illuminate the feasibility of proving security for more rounds by combining these techniques with insights from the non-invertible case. Overall, the paper introduces powerful combinatorial and quantum-information tools to analyze permutation-based sponge constructions and their cryptanalytic hardness under quantum queries.

Abstract

Sponge hashing is a widely used class of cryptographic hash algorithms which underlies the current international hash function standard SHA-3. In a nutshell, a sponge function takes as input a bit stream of any length and processes it via a simple iterative procedure: it repeatedly feeds each block of the input into a so-called block function, and then produces a digest by once again iterating the block function on the final output bits. While much is known about the post-quantum security of the sponge construction when the block function is modeled as a random function or one-way permutation, the case of invertible permutations, which more accurately models the construction underlying SHA-3, has so far remained a fundamental open problem. In this work, we make new progress towards overcoming this barrier and show several results. First, we prove the "double-sided zero-search" conjecture proposed by Unruh (ePrint, 2021) and show that finding zero-pairs in a random $2n$-bit permutation requires at least $\Omega(2^{n/2})$ queries, which is tight due to Grover's algorithm. At the core of our proof lies a novel "symmetrization argument" which uses insights from the theory of Young subgroups. Second, we consider more general variants of the double-sided search problem and show similar query lower bounds for them. As an application, we prove the quantum one-wayness of the single-round sponge with invertible permutations in the quantum random oracle model.
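As an added illustration (not code from the paper), the sponge construction and the double-sided zero-search problem described in the abstract, instantiated on a constructed 8-bit toy permutation. The rate/capacity split r = c = 4, placing the outer part in the high bits, omitting padding, and reading the single-round sponge as the outer r bits of φ(x || 0^c) are assumptions of this example.

```python
import random

R, C = 4, 4          # rate r and capacity c in bits (toy sizes, assumed)
N = R + C            # width of the permutation phi (2n bits with n = 4)

def toy_permutation(seed=7):
    """Constructed stand-in for the block permutation: a seeded random
    permutation of {0,1}^N, returned with its inverse so that both
    directions can be queried, as in the invertible-permutation model."""
    phi = list(range(1 << N))
    random.Random(seed).shuffle(phi)
    phi_inv = [0] * len(phi)
    for x, y in enumerate(phi):
        phi_inv[y] = x
    return phi, phi_inv

def sponge(blocks, phi, out_blocks):
    """Sponge over phi (no padding; assumed layout: outer part = high R bits).
    Absorb: XOR each R-bit block into the outer part, then apply phi.
    Squeeze: read the outer part, apply phi, repeat."""
    state = 0
    for b in blocks:
        state = phi[state ^ (b << C)]
    out = []
    for _ in range(out_blocks):
        out.append(state >> C)
        state = phi[state]
    return out

def single_round_sponge(x, phi):
    """Sp^phi on a single R-bit block x: the outer R bits of phi(x || 0^C)."""
    return sponge([x], phi, 1)[0]

def zero_pairs_forward(phi):
    """Double-sided zero-search on the 2n-bit permutation (n = R = C): all
    (x, y) with phi(x || 0^n) = y || 0^n, found by querying phi on every
    x || 0^n. Classically this is exhaustive search; the paper bounds the
    number of quantum queries needed for the same problem."""
    mask = (1 << C) - 1
    return {(x, phi[x << C] >> C)
            for x in range(1 << R) if phi[x << C] & mask == 0}

def zero_pairs_backward(phi_inv):
    """The same set found from the other side, querying phi^-1 on y || 0^n."""
    mask = (1 << C) - 1
    return {(phi_inv[y << C] >> C, y)
            for y in range(1 << R) if phi_inv[y << C] & mask == 0}
```

Because the adversary may query both φ and φ^{-1}, the forward and backward searches return the same set of zero-pairs; the expected number of such pairs for a random permutation is about 2^n · 2^{-n} = 1.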

Paper Structure (42 sections, 31 theorems, 126 equations, 1 figure)

This paper contains 42 sections, 31 theorems, 126 equations and 1 figure.

Key Result

Theorem 1

Any quantum algorithm for Double-Sided Zero-Search that makes $T$ queries to an invertible permutation succeeds with probability at most $O(T^2/2^n)$.

Figures (1)

  • Figure 1: The single-round sponge.

Theorems & Definitions (63)

  • Theorem (informal)
  • Theorem (informal)
  • Theorem (informal)
  • Theorem (informal)
  • Definition 2.1: Hypergeometric distribution
  • Lemma 2.2: Hoeffding's inequality for the hypergeometric distribution (Chvátal, 1979)
  • Theorem 2.3: Theorem 8 of the cited work, DOI 10.5555/2011791.2011803
  • Corollary 2.4
  • Proof
  • Definition 3.1: Young subgroup
  • ...and 53 more