How to improve the price-performance ratio of quantum collision search (PDF document)

  1. How to improve the price-performance ratio of quantum collision search. D. J. Bernstein, University of Illinois at Chicago. NSF ITR–0716498. Warning: Complexity estimates in this talk are approximate; small factors are suppressed.

  2. What is the fastest algorithm that, given $s$, finds a collision in $x \mapsto \mathrm{MD5}(s, x)$? I.e., finds $(x, x')$ with $x \neq x'$ and $\mathrm{MD5}(s, x) = \mathrm{MD5}(s, x')$? Now have a very fast algorithm, leading to many attacks. MD5 is thoroughly broken.

  3. Surprised by the collisions? Fact: By 1996, a few years after the introduction of MD5, Preneel, Dobbertin, et al. were calling for MD5 to be scrapped.

  4. What is the fastest algorithm that, given $s$, finds a collision in $x \mapsto \mathrm{SHA\text{-}256}(s, x)$? SHA-256 is an NSA design. Seems much better than MD5, but confidence isn't high. Ongoing SHA-3 competition will lead to much higher public confidence in SHA-3. But should SHA-3 produce 256-bit output? 512-bit output? How do quantum computers affect the answer?

  5. Guessing a collision. For any classical circuit $H$ producing $b$-bit output: Generate random $(b+1)$-bit strings $x, x'$. Chance $\approx 1/2^b$ that $(x, x')$ is a collision in $H$, i.e., $x \neq x'$ and $H(x) = H(x')$. Otherwise try again. Good chance of success within $2^b$ evaluations of $H$.

  6. 1996 Grover, 1997 Grover: Take classical circuit $F$ using $f$ bit operations to produce 1-bit output from $b$-bit input. Explicit construction of quantum circuit $G(F)$ using $2^{b/2} f$ qubit operations to compute a root of $F$ with high probability if $F$ has a unique root.

  7. 1996 Boyer–Brassard–Høyer–Tapp, generalizing Grover: $2^{(b-u)/2} f$ qubit operations to find some root of $F$ with high probability if there are $\geq 2^u$ roots. Can easily use for collisions: Given classical circuit $H$ using $h$ bit operations, define $F(x, x')$ as $0$ iff $(x, x')$ is a collision in $H$. Obtain some collision with high probability using $2^{b/2} h$ qubit operations.

  8. Table lookups. Another classical approach: Generate many random inputs $x_1, x_2, \ldots, x_M$; e.g. $M = 2^{b/2}$. Compute and sort the $M$ pairs $(H(x_1), x_1), (H(x_2), x_2), \ldots, (H(x_M), x_M)$ in lex order. Generate many random inputs $y_1, y_2, \ldots, y_N$; e.g. $N = 2^{b/2}$. After generating $y_j$, check for $H(y_j)$ in the sorted list.

  9. Same effect as searching all $MN$ pairs $(x_i, y_j)$. $M = N = 2^{b/2}$ for good chance of success. Only $2^{b/2}$ evaluations of $H$. Define $F(y)$ as $0$ iff there is a collision among $(x_1, y), (x_2, y), \ldots, (x_M, y)$. This algorithm is finding a root of $F$ by classical search. 1998 Brassard–Høyer–Tapp: Instead use quantum search; e.g., $2^{b/3} h$ qubit operations if $M = 2^{b/3}$.

  10. 2003 Grover–Rudolph, "How significant are the known collision and element distinctness quantum algorithms?": Brassard–Høyer–Tapp algorithm uses $\geq 2^{b/3}$ qubits! With such a huge machine, can simply run $2^{b/3}$ parallel quantum searches for collisions $(x, x')$. High probability of success within time $2^{b/3} h$.

  11. What if our quantum circuit has only $2^{b/5}$ qubits? Again Grover–Rudolph, mindless parallelism: high probability of success within time $2^{2b/5} h$. Grover–Rudolph advantage: no need for communication across the parallel searches. Brassard–Høyer–Tapp needs huge RAM lookups using quantum indices. How expensive is this?

  12. Realistic model of computation developed thirty years ago: A circuit is a 2-dimensional mesh of small parallel gates. Have fast communication between neighboring gates. Try to optimize time $T$ as a function of area $A$. See, e.g., 1981 Brent–Kung for definition of model and proof that optimal circuits for length-$N$ convolution have $A = N$ and $T = N^{1/2}$.

  13. Can model quantum circuits in the same way to understand speedups from parallelism, slowdowns from communication. Have a 2-dimensional mesh of small parallel quantum gates. Try to optimize time $T$ as a function of area $A$. (Warning: Model is optimistic about quantum computation. Assumes that quantum-computer scalability problems are solved without poly slowdowns.)

  14. E.g. area $2^{b/5}$: Have a $2^{b/10} \times 2^{b/10}$ mesh of small quantum gates all operating in parallel. Size-$2^{b/5}$ table lookup using a quantum index can be handled in time $2^{b/10}$. Brassard–Høyer–Tapp takes total time $2^{b/2}$. Grover–Rudolph is faster (despite having more "queries"): total time $2^{2b/5}$.

  15. Parallel tables. Generate $x_1, x_2, \ldots, x_M$. Compute $H(x_1), H(x_2), \ldots, H(x_M)$. Generate $y_1, y_2, \ldots, y_M$. Compute $H(y_1), H(y_2), \ldots, H(y_M)$. Sort all hash outputs to easily find collisions. Repeat $2^b/M^2$ times; high probability of success.

  16. Mesh-sorting algorithms (e.g., 1987 Schimmler) sort these hash outputs in time $M^{1/2}$ on a classical circuit of area $M$. Computation of hash outputs takes time $h$; negligible if $M$ is large. Total time $2^b/M^{3/2}$. E.g. area $2^{b/5}$, time $2^{7b/10}$.

  17. Now Grover-ize this algorithm. Define $F(x_1, \ldots, x_M, y_1, \ldots, y_M)$ as $0$ iff some $(x_i, y_j)$ is a collision in $H$. Original algorithm used a mesh-sorting circuit for $F$ of size $M$ taking time $M^{1/2}$. Convert the circuit into a quantum mesh-sorting circuit of size $M$ taking time $M^{1/2}$.

  18. Find a root of $F$ using $2^{b/2}/M$ evaluations of $F$ on quantum superpositions. Total time $2^{b/2}/M^{1/2}$. E.g. area $2^{b/5}$, time $2^{2b/5}$. Would beat Grover–Rudolph in a three-dimensional model of parallel quantum computation, or in a naive parallel model without communication delays.

  19. Faster; maybe optimal? Do better by iterating $H$. Choose a $(b+1)$-bit string $x_0$. Compute $b$-bit string $H(x_0)$; $(b+1)$-bit string $x_1 = \pi(H(x_0))$, where $\pi$ is a padding function; $b$-bit string $H(x_1)$; $(b+1)$-bit string $x_2 = \pi(H(x_1))$; $b$-bit string $H(x_2)$; etc. Proving time estimates here needs good $\pi$ randomization, but experiments show simple $\pi$ working for every interesting $H$.

  20. After $2^{b/2}$ steps, expect to find a "distinguished point": a string $x_i$ whose first $b/2$ bits are all $0$. Choose another string $y_0$, iterate in the same way until a distinguished point. $2^b$ pairs $(x_i, y_j)$, so expect some collision. If there is a collision then the distinguished points are the same. Seeing this quickly reveals the collision.

  21. More generally, redefine "distinguished point" as having $b/2 - \lceil \lg M \rceil$ bits $0$. Build $M$ parallel iterating units from $M$ different strings. Expect time $2^{b/2}/M$ to find $M$ distinguished points. Good chance of collision. Easily find the collision by sorting distinguished points.
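The two classical searches the talk compares, as an added worked example (not code from the talk or its author): the table-lookup method of slides 8–9 and the distinguished-point iteration of slides 19–21, run against a toy $b = 32$-bit $H$. Assumptions of this example: $H$ is SHA-256 truncated to its leading 32 bits, $\pi$ prepends a single 1 bit to the $b$-bit output, and the seeds and unit count $M$ are arbitrary choices made so the run finishes in seconds.

```python
"""Classical collision search on a b-bit hash: table lookup (slides 8-9) versus
van Oorschot-Wiener distinguished-point iteration (slides 19-21).
Added example; the truncated-SHA-256 H and the padding pi are assumptions."""
import hashlib
import math
import random
from typing import Dict, Optional, Tuple

B = 32                      # output size b in bits; small enough to run in seconds
NBYTES = (B + 1 + 7) // 8   # bytes needed to hold a (b+1)-bit input string


def H(x: bytes) -> int:
    """Toy b-bit hash (assumption): the leading B bits of SHA-256(x)."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") >> (256 - B)


def pi(h: int) -> bytes:
    """Padding pi: b-bit output -> (b+1)-bit input by prepending a 1 bit.
    pi is injective, so equal next-inputs can only come from equal outputs."""
    return ((1 << B) | h).to_bytes(NBYTES, "big")


def random_input(rng: random.Random) -> bytes:
    """A random (b+1)-bit string in the same encoding that pi produces."""
    return pi(rng.getrandbits(B))


def table_collision(M: int, seed: int) -> Tuple[bytes, bytes, int]:
    """Slides 8-9: store M pairs (H(x_i), x_i), then draw y_j until H(y_j) is in
    the table (a dict stands in for the sorted list).  Expected 2^b / M draws.
    Returns (x, y, number of H evaluations)."""
    rng = random.Random(seed)
    table: Dict[int, bytes] = {}
    evals = 0
    for _ in range(M):
        x = random_input(rng)
        evals += 1
        prev = table.setdefault(H(x), x)
        if prev != x:                    # collision already among the x_i
            return prev, x, evals
    while True:
        y = random_input(rng)
        evals += 1
        x = table.get(H(y))
        if x is not None and x != y:
            return x, y, evals


def walk_to_dp(x: bytes, shift: int, limit: int) -> Optional[Tuple[int, int]]:
    """Iterate x -> pi(H(x)) until H(x) is distinguished (top B-shift bits zero).
    Returns (distinguished value, steps), or None after `limit` steps: the trail
    fell into a cycle with no distinguished point and is abandoned."""
    for steps in range(1, limit + 1):
        h = H(x)
        if h >> shift == 0:
            return h, steps
        x = pi(h)
    return None


def locate(xa: bytes, la: int, xb: bytes, lb: int):
    """Two trails of lengths la, lb ended at the same distinguished point, so they
    merged.  Advance the longer one until both are equally far from the end, then
    step in lockstep: equal outputs from different inputs is the collision.  If
    the inputs coincide first, one start lay on the other's trail: return None.
    Returns ((x, y) or None, H evaluations used)."""
    if la < lb:
        xa, la, xb, lb = xb, lb, xa, la
    evals = 0
    for _ in range(la - lb):
        xa, evals = pi(H(xa)), evals + 1
    while xa != xb:
        ha, hb = H(xa), H(xb)
        evals += 2
        if ha == hb:
            return (xa, xb), evals
        xa, xb = pi(ha), pi(hb)
    return None, evals


def dp_collision(M: int, seed: int) -> Tuple[bytes, bytes, int]:
    """Slides 19-21 (van Oorschot-Wiener): trails from random starts, stopped at
    distinguished points with b/2 - ceil(lg M) leading zero bits, matched in a
    table.  The M iterating units run one after another here; on M real parallel
    units wall-clock time drops by M.  Returns (x, y, total H evaluations),
    expected around 2^(b/2) in total."""
    rng = random.Random(seed)
    dp_bits = B // 2 - math.ceil(math.log2(M))
    shift = B - dp_bits
    limit = 20 << dp_bits                        # trails average 2^dp_bits steps
    seen: Dict[int, Tuple[bytes, int]] = {}      # distinguished value -> (start, length)
    evals = 0
    while True:
        x0 = random_input(rng)
        res = walk_to_dp(x0, shift, limit)
        if res is None:
            evals += limit
            continue
        dp, length = res
        evals += length
        if dp not in seen:
            seen[dp] = (x0, length)
            continue
        y0, ylen = seen[dp]
        hit, used = locate(x0, length, y0, ylen)
        evals += used
        if hit is not None:
            return hit[0], hit[1], evals


if __name__ == "__main__":
    for name, fn, M in (("table", table_collision, 1 << (B // 2)),
                        ("distinguished points", dp_collision, 16)):
        x, y, n = fn(M, 1)
        print(f"{name}: H({x.hex()}) == H({y.hex()}) == {H(x):#x}, {n} evaluations")
```

Both routines do roughly $2^{b/2}$ evaluations of $H$, which is the point of slide 22: the iteration uses only $M$ words of memory for the distinguished points (here a few dozen entries) where the table method stores $2^{b/2}$ entries, and the distinguished-point units need no communication beyond reporting each distinguished point to a shared table. The cycle guard in `walk_to_dp` is the practical answer to the randomization caveat on slide 19: a trail that never hits a distinguished point is simply dropped.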

  22. Summary: area $M$, conj. time $2^{b/2}/M$. E.g. area $2^{b/5}$, conj. time $2^{3b/10}$. Analogous quantum circuit: area $M$, conj. time $2^{b/2}/M$. E.g. area $2^{b/5}$, conj. time $2^{3b/10}$. Quantum-search speedup matches iteration speedup! Compare to Grover–Rudolph: area $2^{b/5}$, time $2^{2b/5}$. Or Brassard–Høyer–Tapp: area $2^{b/5}$, time $2^{b/2}$.

  23. Concretely: $b = 500$. Brassard–Høyer–Tapp, quantum: area $2^{100}$, time $2^{250}$. Grover–Rudolph, quantum: area $2^{100}$, time $2^{200}$. Iteration, quantum or classical: area $2^{100}$, conj. time $2^{150}$. $T = 2^{b/2}/A$ is optimal for generic classical algorithms. Conjecture: also for quantum.

  24. Naive free-communication model: Brassard–Høyer–Tapp, quantum: area $2^{100}$, time $2^{200}$. Grover–Rudolph, quantum: area $2^{100}$, time $2^{200}$. Parallel tables (new), quantum: area $2^{100}$, time $2^{150}$. Iteration, quantum or classical: area $2^{100}$, conj. time $2^{150}$.

  25. Important notes: 1. Optimal quantum computers seem to be classical computers! Clear quantum impact upon factorization, preimages, et al., but not upon collisions.

  26. 2. This algorithm isn't new. $M = 1$: 1975 Pollard. General case: famous 1994 van Oorschot–Wiener paper, four years before 1998 Brassard–Høyer–Tapp.
