Paper 2017/302
Quantum preimage, 2nd-preimage, and collision resistance of SHA3
Jan Czajkowski and Leon Groot Bruinderink and Andreas Hülsing and Christian Schaffner
Abstract
SHA3 and its extendable output variant SHAKE belong to the family of sponge functions. In this work, we present formal security arguments for the quantum preimage, $2^{\text{nd}}$-preimage, and collision resistance of any sponge function. We just assume that the internally used transformation behaves like a random transformation. These are the first formal arguments that sponge functions (incl. SHA3 and SHAKE) are secure in the post-quantum setting. We even go one step further and prove that sponges are collapsing (Unruh, EUROCRYPT'16). Thereby, we can also derive the applicability of sponge functions for collapse-binding commitments. In addition to the security arguments, we also present a quantum collision attack against sponges. The complexity of our attack asymptotically matches the proven lower bound up to a square root.
Metadata
- Publication info: Preprint. MINOR revision.
- Keywords: Post-quantum cryptography, SHA3, SHAKE, sponges, keccak, hash function, quantum security, quantum collision resistance, quantum second-preimage resistance, quantum preimage resistance
- Contact author(s): authors-quantum-sponges @ huelsing net
- History:
  - 2017-08-15: withdrawn
  - 2017-04-10: received
- Short URL: https://ia.cr/2017/302
- License: CC BY