900 research outputs found
Tight Quantum Time-Space Tradeoffs for Function Inversion
In function inversion, we are given a function , and want to prepare some advice of size , such that we can efficiently invert any image in time . This is a well studied problem with profound connections to cryptography, data structures, communication complexity, and circuit lower bounds. Investigation of this problem in the quantum setting was initiated by Nayebi, Aaronson, Belovs, and Trevisan (2015), who proved a lower bound of for random permutations against classical advice, leaving open an intriguing possibility that Grover's search can be sped up to time . Recent works by Hhan, Xagawa, and Yamakawa (2019), and Chung, Liao, and Qian (2019) extended the argument for random functions and quantum advice, but the lower bound remains .
In this work, we prove that even with quantum advice, is required for an algorithm to invert random functions. This demonstrates that Grover's search is optimal for , ruling out any substantial speed-up for Grover's search even with quantum advice. Further improvements to our bounds would imply new classical circuit lower bounds, as shown by Corrigan-Gibbs and Kogan (2019).
To prove this result, we develop a general framework for establishing quantum time-space lower bounds. We further demonstrate the power of our framework by proving the following results.
* Yao's box problem: We prove a tight quantum time-space lower bound for classical advice. For quantum advice, we prove a first time-space lower bound using shadow tomography. These results resolve two open problems posed by Nayebi et al. (2015).
* Salted cryptography: We show that “salting generically provably defeats preprocessing,” a result shown by Coretti, Dodis, Guo, and Steinberger (2018), also holds in the quantum setting. In particular, we prove quantum time-space lower bounds for a wide class of salted cryptographic primitives in the quantum random oracle model. This yields a first quantum time-space lower bound for salted collision-finding, which in turn implies that relative to a random oracle
Quantum attacks on Bitcoin, and how to protect against them
The key cryptographic protocols used to secure the internet and financial
transactions of today are all susceptible to attack by the development of a
sufficiently large quantum computer. One particular area at risk is
cryptocurrencies, a market currently worth over 150 billion USD. We investigate
the risk of Bitcoin, and other cryptocurrencies, to attacks by quantum
computers. We find that the proof-of-work used by Bitcoin is relatively
resistant to substantial speedup by quantum computers in the next 10 years,
mainly because specialized ASIC miners are extremely fast compared to the
estimated clock speed of near-term quantum computers. On the other hand, the
elliptic curve signature scheme used by Bitcoin is much more at risk, and could
be completely broken by a quantum computer as early as 2027, by the most
optimistic estimates. We analyze an alternative proof-of-work called Momentum,
based on finding collisions in a hash function, that is even more resistant to
speedup by a quantum computer. We also review the available post-quantum
signature schemes to see which one would best meet the security and efficiency
requirements of blockchain applications.
Comment: 21 pages, 6 figures. For a rough update on the progress of Quantum
devices and prognostications on time from now to break Digital signatures,
see https://www.quantumcryptopocalypse.com/quantum-moores-law
Randomized vs. Deterministic Separation in Time-Space Tradeoffs of Multi-Output Functions
We prove the first polynomial separation between randomized and deterministic
time-space tradeoffs of multi-output functions. In particular, we present a
total function that on the input of elements in , outputs
elements, such that: (1) There exists a randomized oblivious algorithm with
space , time and one-way access to randomness, that
computes the function with probability ; (2) Any deterministic
oblivious branching program with space and time that computes the
function must satisfy . This implies that
logspace randomized algorithms for multi-output functions cannot be black-box
derandomized without an overhead in time.
Since previously all the polynomial time-space tradeoffs of multi-output
functions are proved via the Borodin-Cook method, which is a probabilistic
method that inherently gives the same lower bound for randomized and
deterministic branching programs, our lower bound proof is intrinsically
different from previous works. We also examine other natural candidates for
proving such separations, and show that any polynomial separation for these
problems would resolve the long-standing open problem of proving
time lower bound for decision problems with
space.
Comment: 15 page
Adversary Lower Bound for Element Distinctness with Small Range
The Element Distinctness problem is to decide whether each character of an
input string is unique. The quantum query complexity of Element Distinctness is
known to be ; the polynomial method gives a tight lower bound
for any input alphabet, while a tight adversary construction was only known for
alphabets of size .
We construct a tight adversary lower bound for Element
Distinctness with minimal non-trivial alphabet size, which equals the length of
the input. This result may help to improve lower bounds for other related query
problems.
Comment: 22 pages. v2: one figure added, updated references, and minor typos
fixed. v3: minor typos fixe
Consequences of local gauge symmetry in empirical tight-binding theory
A method for incorporating electromagnetic fields into empirical
tight-binding theory is derived from the principle of local gauge symmetry.
Gauge invariance is shown to be incompatible with empirical tight-binding
theory unless a representation exists in which the coordinate operator is
diagonal. The present approach takes this basis as fundamental and uses group
theory to construct symmetrized linear combinations of discrete coordinate
eigenkets. This produces orthogonal atomic-like "orbitals" that may be used as
a tight-binding basis. The coordinate matrix in the latter basis includes
intra-atomic matrix elements between different orbitals on the same atom.
Lattice gauge theory is then used to define discrete electromagnetic fields and
their interaction with electrons. Local gauge symmetry is shown to impose
strong restrictions limiting the range of the Hamiltonian in the coordinate
basis. The theory is applied to the semiconductors Ge and Si, for which it is
shown that a basis of 15 orbitals per atom provides a satisfactory description
of the valence bands and the lowest conduction bands. Calculations of the
dielectric function demonstrate that this model yields an accurate joint
density of states, but underestimates the oscillator strength by about 20% in
comparison to a nonlocal empirical pseudopotential calculation.
Comment: 23 pages, 7 figures, RevTeX4; submitted to Phys. Rev.
A tight security reduction in the quantum random oracle model for code-based signature schemes
Quantum secure signature schemes have received a lot of attention recently, in
particular because of the NIST call to standardize quantum safe cryptography.
However, only a few signature schemes have concrete quantum security, because
of technical difficulties associated with the Quantum Random Oracle Model
(QROM). In this paper, we show that code-based signature schemes based on the
full domain hash paradigm can behave very well in the QROM, i.e., that we can
have tight security reductions. We also study quantum algorithms related to the
underlying code-based assumption. Finally, we apply our reduction to a concrete
example: the SURF signature scheme. We provide parameters for 128 bits of
quantum security in the QROM and show that the obtained parameters are
competitive compared to other similar quantum secure signature schemes
Quantum Time/Memory/Data Tradeoff Attacks
One of the most celebrated and useful cryptanalytic algorithms is Hellman's time/memory tradeoff (and its Rainbow Table variant), which can be used to invert random-looking functions on possible values with time and space complexities satisfying . As a search problem, one can always transform it into the quantum setting by using Grover's algorithm, but this algorithm does not benefit from the possible availability of auxiliary advice obtained during a free preprocessing stage. However, at FOCS'20 it was rigorously shown that a small amount of quantum auxiliary advice (which can be stored in a quantum memory of size ) cannot possibly yield an attack which is better than Grover's algorithm.
In this paper we develop new quantum versions of Hellman's cryptanalytic attack which use large memories
in the standard QACM (Quantum Accessible Classical Memory) model of computation. In particular, we improve Hellman's tradeoff curve to . When we generalize the cryptanalytic problem to a time/memory/data tradeoff attack (in which one has to invert for at least one of given values), we get the generalized curve . A typical point on this curve is , , and , whose time is strictly lower than both Grover's algorithm and the classical Hellman algorithm (both of which
require for these and parameters)
Time-Space Lower Bounds for Finding Collisions in Merkle-Damgård Hash Functions
We revisit the problem of finding -block-long collisions in Merkle-Damgård Hash Functions in the auxiliary-input random oracle model, in which an attacker gets a piece of -bit advice about the random oracle and makes oracle queries.
Akshima, Cash, Drucker and Wee (CRYPTO 2020), based on the work of Coretti, Dodis, Guo and Steinberger (EUROCRYPT 2018), showed a simple attack for (with respect to a random salt). The attack achieves advantage where is the output length of the random oracle. They conjectured that this attack is optimal. However, this so-called STB conjecture was only proved for and .
Very recently, Ghoshal and Komargodski (CRYPTO 22) confirmed the STB conjecture for all constant values of , and provided an bound for all choices of .
In this work, we prove an bound for every (note as is always at most , otherwise finding a collision is trivial by the birthday attack). Our result subsumes all previous upper bounds for all ranges of parameters except for and .
We obtain our results by adopting and refining the technique of Chung, Guo, Liu, and Qian (FOCS 2020). Our approach yields more modular proofs and sheds light on how to bypass the limitations of prior techniques.
Along the way, we obtain a considerably simpler and illuminating proof for , recovering the main result of Akshima, Cash, Drucker and Wee
- …