
Quantum Collision-Finding in Non-Uniform Random Functions



  1. Quantum Collision-Finding in Non-Uniform Random Functions. Marko Balogh¹ and Edward Eaton²,³ and Fang Song¹. ¹Portland State University, ²University of Waterloo, ³ISARA Corporation. April 11, 2018. 1 / 33

  2. Motivation Let $H : [M] \to [N]$ be a hash function. 2 / 33

  3. Motivation Let $H : [M] \to [N]$ be a hash function. The collision resistance of $H$ is a measure of how difficult it is to find $x, y \in [M]$ such that $H(x) = H(y)$. 2 / 33

  4. Difficulty? 3 / 33

  5. Difficulty? • Time 3 / 33

  6. Difficulty? • Time • Space 3 / 33

  7. Difficulty? • Time • Space • (Qu)bit operations 3 / 33

  8. Difficulty? • Time • Space • (Qu)bit operations (logical/physical) 3 / 33

  9. Difficulty? • Time • Space • (Qu)bit operations (logical/physical) • Easy to parallelize 3 / 33

  10. Difficulty? • Time • Space • (Qu)bit operations (logical/physical) • Easy to parallelize • Hash function queries 3 / 33

  11. Difficulty? • Time • Space • (Qu)bit operations (logical/physical) • Easy to parallelize • Hash function queries 4 / 33

  12. We can allow a quantum query to $H$ by $U_H : \sum_{x \in [M],\, y \in [N]} \alpha_{x,y} |x\rangle|y\rangle \mapsto \sum_{x \in [M],\, y \in [N]} \alpha_{x,y} |x\rangle|y \oplus H(x)\rangle$ 5 / 33

  13-19. Generic Security [diagram built up over slides 13 to 19. Classical side: adversary $A$ sends $x$ to $H$, receives $H(x)$, and outputs $m_1, m_2 : H(m_1) = H(m_2)$. Quantum side: adversary $A$ sends $|x\rangle|y\rangle$ to $U_H$, receives $|x\rangle|y \oplus H(x)\rangle$, and outputs $m_1, m_2 : H(m_1) = H(m_2)$.] 6 / 33

  20. Collision Resistance Let $\mathcal{H} := \{H : [M] \to [N]\}$, and $M = \Omega(N^{1/2})$. 7 / 33

  21. Collision Resistance Let $\mathcal{H} := \{H : [M] \to [N]\}$, and $M = \Omega(N^{1/2})$. Then if we have $H \xleftarrow{\$} \mathcal{H}$ uniformly: • Any algorithm finding a collision in $H$ (with constant probability) must make $\Omega(N^{1/3})$ queries to $U_H$. 7 / 33

  22. Collision Resistance Let $\mathcal{H} := \{H : [M] \to [N]\}$, and $M = \Omega(N^{1/2})$. Then if we have $H \xleftarrow{\$} \mathcal{H}$ uniformly: • Any algorithm finding a collision in $H$ (with constant probability) must make $\Omega(N^{1/3})$ queries to $U_H$. • There is an algorithm that finds a collision in $H$ (with constant probability) and makes $O(N^{1/3})$ queries to $U_H$. Results from “A Note on the Quantum Collision and Set Equality Problems” by Mark Zhandry (2015). 7 / 33

  23. Motivation When $H$ is uniform, the query complexity is $\Theta(N^{1/3})$. 8 / 33

  24. Motivation When $H$ is uniform, the query complexity is $\Theta(N^{1/3})$. Is only considering uniform functions enough? 8 / 33

  25. Motivation • Uniformity is a very strong condition on a function — considering non-uniform can relax our security assumptions. 9 / 33

  26. Motivation • Uniformity is a very strong condition on a function — considering non-uniform can relax our security assumptions. • Some crypto functions are certainly not uniform, e.g., if $H_1, H_2$ are uniform then $H_1 \circ H_2$ is not. 9 / 33

  27. Motivation • Uniformity is a very strong condition on a function — considering non-uniform can relax our security assumptions. • Some crypto functions are certainly not uniform, e.g., if $H_1, H_2$ are uniform then $H_1 \circ H_2$ is not. • Proofs of Fujisaki-Okamoto require collision resistance of non-uniform functions ($f \circ H$). 9 / 33

  28. Definitions Let $D$ be a distribution on $[N]$. Then we say that $D$ has min-entropy $k$ if $-\log_2 \max_{y \in [N]} \Pr[y \leftarrow D] = k$. 10 / 33

  29. Definitions Let $D$ be a distribution on $[N]$. Then we say that $D$ has min-entropy $k$ if $-\log_2 \max_{y \in [N]} \Pr[y \leftarrow D] = k$. We say that a function $H$ has distribution $D$ if $H(x)$ has distribution $D$ for all $x \in [M]$, and all are independent. 10 / 33

  30. Examples $N = 8$, $D_1$ = uniform / flat: 11 / 33

  31. Examples $N = 8$, $D_1$ = uniform / flat: $N = 25$, $D_2$ = generic: 11 / 33

  32. Examples $N = 8$, $D_1$ = uniform / flat: $N = 25$, $D_2$ = generic: Both have min-entropy 3 11 / 33

  33. Examples $N = \Omega(M)$, $D_3$ = delta: 12 / 33

  34. Examples $N = \Omega(M)$, $D_3$ = delta: Still min-entropy 3 12 / 33

  35. Definitions Useful tool: The collision probability $\beta(D) := \frac{1}{\Pr[x = y : x, y \leftarrow D]}$. ($-\log \beta$ is the collision entropy) 13 / 33

  36. Definitions Useful tool: The collision probability $\beta(D) := \frac{1}{\Pr[x = y : x, y \leftarrow D]}$. ($-\log \beta$ is the collision entropy) $\beta(\text{[figure]}) = 2^{k}$

  37. Definitions Useful tool: The collision probability $\beta(D) := \frac{1}{\Pr[x = y : x, y \leftarrow D]}$. ($-\log \beta$ is the collision entropy) $\beta(\text{[figure]}) = 2^{k}$, $\beta(\text{[figure]}) \approx 2^{2k}$

  38. Definitions Useful tool: The collision probability $\beta(D) := \frac{1}{\Pr[x = y : x, y \leftarrow D]}$. ($-\log \beta$ is the collision entropy) $\beta(\text{[figure]}) = 2^{k}$, $\beta(\text{[figure]}) \approx 2^{2k}$, $\beta(\text{[figure]}) \in [2^{k}, 2^{2k})$ 13 / 33

  39. Previous Work To find a collision with constant probability... it takes at least this many queries: $2^{k/3}$, ?, $2^{k/9}$; it can be done in this many queries: $2^{k/3}$, ?, ? 14 / 33

  40. Independent Work — Ebrahimi & Unruh To find a collision with constant probability... it takes at least this many queries: $2^{k/3}$, $2^{k/2}$, $2^{k/5}$; it can be done in this many queries: $\beta^{1/3}$, $2^{k/3}$, $2^{k/2}$ 15 / 33

  41. Our Work To find a collision with constant probability... it takes at least this many queries: $\min\{N^{1/3}, 2^{k/2}\}$, $2^{k/3}$, $2^{k/3}$; it can be done in this many queries: $\beta^{1/3}$, $2^{k/3}$, $\min\{N^{1/3}, 2^{k/2}\}$

  42. Our Work To find a collision with constant probability... it takes at least this many queries: $\min\{N^{1/3}, 2^{k/2}\}$, $2^{k/3}$, $2^{k/3}$; it can be done in this many queries: $\beta^{1/3}$, $2^{k/3}$, $\min\{N^{1/3}, 2^{k/2}\}$ 16 / 33

  43. We prove Any adversary that can find a collision in a hash function $H'$ with outputs distributed by in $q$ queries to $U_{H'}$, with probability $p$, 17 / 33

  44. We prove Any adversary that can find a collision in a hash function $H'$ with outputs distributed by in $q$ queries to $U_{H'}$, with probability $p$, can be used to find a collision in a hash function $H$ with outputs distributed by in $2q$ queries to $U_H$, with probability $p/2$. 17 / 33

  45-46. Reduction [diagram: the Adversary, $H'$ and $H$; a collision in $H'$ is turned into a collision in $H$] 18 / 33

  47. Proof outline Idea: Use a distribution conversion to ‘chop up’ and turn it into 19 / 33

  48. Proof outline Idea: Use a distribution conversion to ‘chop up’ and turn it into Then show that a collision in the generic distribution should imply a collision in the uniform! 19 / 33

  49. Simulating H ′ Say we have H with output distribution 20 / 33

  50. Simulating $H'$ Say we have $H$ with output distribution We pick $m \xleftarrow{\$} [M]$ and compute $H(m) =$ 20 / 33

  51. Simulating H ′ We want to provide the adversary with access to a hash function H ′ with distribution 21 / 33

  52. Simulating $H'$ We want to provide the adversary with access to a hash function $H'$ with distribution So when we compute $H(m) =$ , we will choose what $H'(m)$ can be based on this. 21 / 33

  53. Simulating H ′

  54. Simulating H ′ 22 / 33

  55. Simulating $H'$ When $H(m) =$ we will set $H'(m)$ to either , , or . 23 / 33

  56. Simulating $H'$ When $H(m) =$ we will set $H'(m)$ to either , , or . We need a randomness oracle $R : [M] \to \{0,1\}^{*}$ to decide which. (Querying $R$ does not require us to query $H$.) 23 / 33

  57. Simulating $H'$ When the adversary makes a query on a point $m$, we: 24 / 33

  58. Simulating $H'$ When the adversary makes a query on a point $m$, we: • Compute $H(m)$. 24 / 33

  59. Simulating $H'$ When the adversary makes a query on a point $m$, we: • Compute $H(m)$. • Obtain ‘sufficient’ randomness by $R(m)$. 24 / 33

  60. Simulating $H'$ When the adversary makes a query on a point $m$, we: • Compute $H(m)$. • Obtain ‘sufficient’ randomness by $R(m)$. • From this, decide what $H'(m)$ is by breaking up $H(m)$. 24 / 33

  61. Simulating $H'$ When the adversary makes a query on a point $m$, we: • Compute $H(m)$. • Obtain ‘sufficient’ randomness by $R(m)$. • From this, decide what $H'(m)$ is by breaking up $H(m)$. Note that this only requires one query to $H$. 24 / 33

  62. Converting $H'$ collision to $H$ Then note that if the adversary finds $m_1, m_2 \in [M]$ such that $H'(m_1) = H'(m_2) =$ , we have that $H(m_1) = H(m_2) =$ . 25 / 33

  63. Converting $H'$ collision to $H$ Then note that if the adversary finds $m_1, m_2 \in [M]$ such that $H'(m_1) = H'(m_2) =$ , we have that $H(m_1) = H(m_2) =$ . But we don’t always have this property. 25 / 33

  64. Converting H ′ collision to H

  65. Converting H ′ collision to H 26 / 33

  66. Converting $H'$ collision to $H$ Say the adversary finds $m_1, m_2 \in [M]$ such that $H'(m_1) = H'(m_2) =$ . What does this mean for $H(m_1)$ and $H(m_2)$? 27 / 33

  67. Converting $H'$ collision to $H$ If $H'(m_1) = H'(m_2) =$ , we could have: 28 / 33
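
The definitions on slides 28 to 38 and the simulation steps on slides 57 to 61, as an added classical sketch that is not code from the presentation. It assumes interval splitting as the distribution conversion (the slide figures are lost), so `chop`, `induced`, `sources`, the sample `D` and the SHA-256 stand-ins for `H` and `R` are all assumptions made here.

```python
import hashlib
from fractions import Fraction
from math import log2

def min_entropy(D):              # k = -log2 max_y Pr[y <- D]
    return -log2(max(D.values()))
def beta(D):                     # beta(D) = 1 / Pr[x = y : x, y <- D]
    return 1 / sum(p * p for p in D.values())

def chop(D, k):
    # Lay D's outputs end to end on [0,1) and cut at multiples of 2^-k.
    # pieces[y] = [(z, right_end), ...] for every D-output z overlapping cell y.
    pieces, lo = {y: [] for y in range(2 ** k)}, Fraction(0)
    for z, p in D.items():
        hi, y = lo + p, int(lo * 2 ** k)
        while Fraction(y, 2 ** k) < hi:
            pieces[y].append((z, min(hi, Fraction(y + 1, 2 ** k))))
            y += 1
        lo = hi
    return pieces

def R(m):                        # randomness oracle (assumed); never queries H
    d = hashlib.sha256(b"R|%d" % m).digest()
    return Fraction(int.from_bytes(d[:8], "big"), 2 ** 64)

def H_prime(m, H, pieces, k):
    y = H(m)                     # the single query to H
    point = (y + R(m)) / 2 ** k  # uniform point inside cell y
    return next(z for z, end in pieces[y] if point < end)

def induced(pieces, k):          # exact distribution of H' when H is flat
    out = {}
    for y, cell in pieces.items():
        left = Fraction(y, 2 ** k)
        for z, end in cell:
            out[z], left = out.get(z, 0) + end - left, end
    return out

def sources(pieces):             # flat outputs y that can yield each z
    back = {}
    for y, cell in pieces.items():
        for z, _ in cell:
            back.setdefault(z, set()).add(y)
    return back

# Constructed sample: a min-entropy-3 D on 17 outputs; H is a stand-in flat function.
K = 3
D = dict(enumerate([Fraction(1, 16)] + [Fraction(1, 8)] * 3
                   + [Fraction(1, 16)] * 5 + [Fraction(1, 32)] * 8))
PIECES = chop(D, K)
def H(m): return hashlib.sha256(b"H|%d" % m).digest()[0] % 2 ** K
```

Because every probability in `D` is at most 2^-k, each output's interval crosses at most one cell boundary, so `sources(PIECES)[z]` never has more than two elements and a collision H′(m1) = H′(m2) = z confines H(m1) and H(m2) to that set.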
