
The Sponge is Quantum Indifferentiable

Gorjan Alagic, Joseph Carolan, Christian Majenz, Saliha Tokat

TL;DR

This work establishes the quantum security of the sponge construction underlying SHA-3 by proving indifferentiability from a random oracle in the quantum-accessible permutation model. It introduces a tailored approach that decomposes the sponge permutation into Feistel-like rounds and a fixed permutation, shifting the hardness to simple quantum-accessible hash functions and enabling analysis with compressed oracles. The authors derive quantum preimage and collision bounds of the form $O(q^5 n\, 2^{-\min(r,c)})$ for single-round squeezing, and prove a main indifferentiability theorem with a simulator achieving a bound of $O(l^3 (q^9 2^{-\min(r,c)})^{1/4})$. They also introduce the Msponge variant to facilitate the analysis, prove properties about good databases, and discuss a potential gap in Merkle-Damgård indifferentiability that their techniques may help address. Overall, the results show that SHA-3's domain-extension security remains robust in the post-quantum setting, with implications for modern post-quantum cryptographic schemes and hardware implementations that rely on SHA-3 primitives.

Abstract

The sponge is a cryptographic construction that turns a public permutation into a hash function. When instantiated with the Keccak permutation, the sponge forms the NIST SHA-3 standard. SHA-3 is a core component of most post-quantum public-key cryptography schemes slated for worldwide adoption. While one can consider many security properties for the sponge, the ultimate one is indifferentiability from a random oracle, or simply indifferentiability. The sponge was proved indifferentiable against classical adversaries by Bertoni et al. in 2008. Despite significant efforts in the years since, little is known about sponge security against quantum adversaries, even for simple properties like preimage or collision resistance beyond a single round. This is primarily due to the lack of a satisfactory quantum analog of the lazy sampling technique for permutations. In this work, we develop a specialized technique that overcomes this barrier in the case of the sponge. We prove that the sponge is in fact indifferentiable from a random oracle against quantum adversaries. Our result establishes that the domain extension technique behind SHA-3 is secure in the post-quantum setting. Our indifferentiability bound for the sponge is a loose $O(\mathsf{poly}(q) 2^{-\mathsf{min}(r, c)/4})$, but we also give bounds on preimage and collision resistance that are tighter.
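As an added illustration (not code from the paper), the following Python toy sponge shows the construction the abstract describes and Figure 1 draws: a public permutation on (r+c)-bit states turned into a hash by absorbing r-bit blocks and squeezing r bits per round. The permutation is a constructed random table standing in for $\varphi \in S_{\{0,1\}^{r+c}}$ with its inverse, as in the random permutation model of Theorem 1.1; the state layout (outer r bits in the high positions) and the 10*1 padding are assumptions, and r+c is kept tiny so the table fits in memory (SHA-3 uses r+c = 1600).

```python
import random

def random_permutation(r: int, c: int, seed: int = 7):
    """Constructed stand-in for phi in S_{{0,1}^{r+c}}: a random permutation
    table on (r+c)-bit states, returned together with its inverse phi^{-1}."""
    n = 1 << (r + c)
    table = list(range(n))
    random.Random(seed).shuffle(table)
    inverse = [0] * n
    for i, v in enumerate(table):
        inverse[v] = i
    return (lambda x: table[x]), (lambda y: inverse[y])

def pad_blocks(msg: bytes, r: int):
    """Split msg into r-bit blocks after a 10*1 pad (assumed layout; Keccak's
    multi-rate pad has this shape). Bits are consumed most-significant first."""
    bits = "".join(f"{b:08b}" for b in msg) + "1"
    bits += "0" * ((-(len(bits) + 1)) % r) + "1"
    return [int(bits[i:i + r], 2) for i in range(0, len(bits), r)]

def sponge(phi, msg: bytes, r: int, c: int, out_bits: int) -> int:
    """Absorb msg block by block, then squeeze out_bits bits; returns them as an int.
    The inner c bits are never read or written directly, which is why the
    paper's bounds are governed by min(r, c)."""
    state = 0                                  # (r+c)-bit state, outer r bits high
    for blk in pad_blocks(msg, r):
        state = phi(state ^ (blk << c))        # absorb: XOR into the rate, permute
    out, got = 0, 0
    while True:
        out = (out << r) | (state >> c)        # squeeze: expose only the outer r bits
        got += r
        if got >= out_bits:
            break
        state = phi(state)                     # further squeezing rounds re-permute
    return out >> (got - out_bits)             # truncate to the requested length

if __name__ == "__main__":
    phi, phi_inv = random_permutation(4, 4)
    print(hex(sponge(phi, b"ab", 4, 4, 8)))    # constructed input x_1 || x_2, output y
```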

Paper Structure

This paper contains 49 sections, 55 theorems, 199 equations, 4 figures, and 1 algorithm.

Key Result

Theorem 1.1

The probability that a quantum algorithm $\mathcal{A}$ making no more than $q$ quantum queries to a random permutation $\varphi \in S_{\{0,1\}^{r+c}}$ and its inverse $\varphi^{-1}$ outputs a sponge collision is upper bounded as The same bound also holds for preimage-resistance. For constant success probability, $\tilde{\Omega}\bigl(2^{\min(r,c)/5}\bigr)$ quantum queries are thus necessary to fin

Figures (4)

  • Figure 1: Sponge construction on input $x_1 \Vert x_2$, with output $y$.
  • Figure 2: An out-of-place quantum circuit for intermediate sponge rounds.
  • Figure 3: Circuit $U$, representing an out-of-place quantum circuit for computing the sponge state before the $h$ call. Because we consider the purified experiment, uncomputed workspace is not discarded.
  • Figure 4: An out-of-place quantum circuit for computing the Msponge. Because we consider the purified experiment, uncomputed workspace is not discarded.

Theorems & Definitions (136)

  • Theorem 1.1: Informal summary of thm:quantum-collision and cor:quantum-preimage
  • Theorem 1.2: Informal summary of thm:main
  • Definition : Tail
  • Definition : Intermediate pair
  • Definition : Good
  • Theorem 2.1: quantum collision resistance
  • Theorem 2.2: quantum preimage resistance
  • Theorem 2.3
  • Definition 3.1
  • Claim 3.2
  • ...and 126 more