
Here we describe the technical differences from this paper’s two previous versions. The previous versions contained technical errors and failed to show the main results. Below we do not explain the differences in Section 5 (the separation result for CRH and TDP), since those are almost the same as the differences in Section 4 (the separation result for CRH and OWP).

B.1 The First Version

In the first version, the definition of CRH is different from the current version. Specifically, the condition

$\mathsf{Eval}(\cdot,\cdot)$ computes a function $H(\cdot,\cdot) : \{0,1\}^{s(n)} \times \{0,1\}^{m(n)} \to \{0,1\}^{\ell(n)}$.

in the current version was replaced with

$\mathsf{Eval}(\sigma,\cdot)$ computes a function $H(\sigma,\cdot) : \{0,1\}^{m(n)} \to \{0,1\}^{\ell(n)}$ for the function index $\sigma$ generated by $\mathsf{Gen}(1^n)$.

In particular, according to the previous definition of CRH, $\mathsf{Eval}(\sigma,\cdot)$ does not necessarily compute a function when $\sigma$ is not generated by $\mathsf{Gen}(1^n)$. Let CRH’ denote the collision-resistant hash functions with the previous definition. Then there exists a trivial reduction from CRH’ to CRH, but it is not clear whether there exists a black-box reduction from CRH to CRH’. There is no other essential difference between the first version and the current version.

Technical error in the first version. In the first version, we tried to show the impossibility of reductions from CRH’ to OWP in the same way as we showed the impossibility of reductions from CRH to OWP in the current version. However, the oracle $\mathsf{ColFinder}^f$ is actually too weak to break CRH’, contrary to our claim. Here we show an example of an implementation of CRH’ whose collisions cannot be found with $\mathsf{ColFinder}^f$. Let $(\mathsf{Gen}^f, \mathsf{Eval}^f)$ be an oracle-aided implementation of a hash function (a pair of oracle-aided quantum circuits) that makes queries to a permutation $f$. Fix a positive integer $n$. Assume, for simplicity, that outputs of $\mathsf{Gen}^f$ on the input $1^n$ are always in $\{0,1\}^n$ and that $f$ is an $n$-bit permutation. In addition, suppose that $\mathsf{Eval}^f(\sigma,\cdot)$ computes a function $H^f(\sigma,\cdot) : \{0,1\}^{n+1} \to \{0,1\}^n$ for each $\sigma$ returned by $\mathsf{Gen}^f(1^n)$. Now consider constructing another implementation of a hash function $I' = (\mathsf{Gen}'^{f}, \mathsf{Eval}'^{f})$ as follows.

Algorithm $\mathsf{Gen}'^{f}$.

1. Take $1^n$ as an input.

2. Run $\mathsf{Gen}^f$ on the input $1^n$ and obtain an output $\sigma \in \{0,1\}^n$.

3. Choose $r$ from $\{0,1\}^n$ uniformly at random and compute $f(r)$ by querying $r$ to $f$.

4. Return $\sigma' := (\sigma, r, f(r)) \in \{0,1\}^{3n}$.

Algorithm $\mathsf{Eval}'^{f}$.

1. Take $(\sigma', x)$ as an input, where $\sigma' = (\sigma, r, v)$ and $\sigma, r, v \in \{0,1\}^n$.

2. Check if $f(r) = v$ holds by querying $r$ to $f$. If it does not hold, return a random $n$-bit string.

3. If $f(r) = v$, compute $y = H^f(\sigma, x)$ by running $\mathsf{Eval}^f$ on the input $(\sigma, x)$, and return $y$.

The pair $(\mathsf{Gen}'^{f}, \mathsf{Eval}'^{f})$ is in fact an (oracle-aided) implementation of CRH’. Let $\sigma' = (\sigma, r, f(r))$ be an output of $\mathsf{Gen}'^{f}(1^n)$. The oracle $\mathsf{ColFinder}^f$ should have been defined in such a way that it would return a collision of $H^f(\sigma,\cdot)$ when the (oracle-aided) quantum circuit of $\mathsf{Eval}'^{(\cdot)}(\sigma',\cdot)$ is queried. However, since there exists a permutation $g$ such that $g(r) \neq f(r)$ and $\mathsf{Eval}'^{g}(\sigma,\cdot)$ outputs a random $n$-bit string for any input $x$, $\mathsf{ColFinder}^f$ judges that the input $\mathsf{Eval}'^{(\cdot)}(\sigma',\cdot)$ is invalid. In particular, $\mathsf{ColFinder}^f$ outputs $\bot$ on the input $\mathsf{Eval}'^{(\cdot)}(\sigma',\cdot)$, and thus we failed to prove the main theorem in the previous version.
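The behaviour of the counterexample can be observed at toy scale with a classical simulation. The following Python sketch is an added illustration, not code from the paper; the parameter n = 8, the stand-in for Eval^f, the sampling of σ and all function names are assumptions. It checks empirically whether Eval'(σ', ·) computes a function for an honest index under f, for an index with v ≠ f(r), and for the honest index under a permutation g with g(r) ≠ f(r).

```python
import random

N = 8                      # toy parameter n (constructed; the paper keeps n abstract)
MASK = (1 << N) - 1

def eval_h(f, sigma, x):
    """Hypothetical stand-in for Eval^f(sigma, .): deterministic {0,1}^(n+1) -> {0,1}^n."""
    return f[(x ^ sigma) & MASK] ^ (x >> 1)

def gen_prime(f, rng):
    """Gen'^f(1^n): return sigma' = (sigma, r, f(r))."""
    sigma = rng.randrange(1 << N)      # assumption: stands in for Gen^f(1^n)
    r = rng.randrange(1 << N)
    return (sigma, r, f[r])            # one query to the oracle f

def eval_prime(f, sigma_prime, x, rng):
    """Eval'^f(sigma', x): a random n-bit string unless f(r) = v."""
    sigma, r, v = sigma_prime
    if f[r] != v:
        return rng.randrange(1 << N)
    return eval_h(f, sigma, x)

def computes_function(f, sigma_prime, rng, trials=16):
    """True if repeated evaluations of Eval'^f(sigma', x) agree for every x."""
    for x in range(1 << (N + 1)):
        outs = {eval_prime(f, sigma_prime, x, rng) for _ in range(trials)}
        if len(outs) > 1:
            return False
    return True

def demo(seed=1):
    rng = random.Random(seed)
    f = list(range(1 << N))
    rng.shuffle(f)                     # oracle: a random n-bit permutation (lookup table)
    sigma, r, v = gen_prime(f, rng)
    g = f[:]                           # a permutation g with g(r) != f(r)
    other = (r + 1) & MASK
    g[r], g[other] = g[other], g[r]
    return (
        computes_function(f, (sigma, r, v), rng),      # honest index, oracle f
        computes_function(f, (sigma, r, v ^ 1), rng),  # index not output by Gen'^f
        computes_function(g, (sigma, r, v), rng),      # honest index, oracle g
    )

if __name__ == "__main__":
    print(demo())
```

The second result is the property that separates the two definitions: Eval'(σ', ·) is a function for indices produced by Gen' but not for every index.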

B.2 The Second Version

To correct the above technical flaw, in the second version, we just removed the checking procedure from $\mathsf{ColFinder}^f$ so that it would correctly return collisions for all possible implementations of CRH’ (the remaining technical contents were unchanged). This indeed strengthened the power of $\mathsf{ColFinder}^f$, but the power of the oracle had become so strong that the statement of Lemma 7 became invalid, and $\mathsf{ColFinder}^f$ could be used to efficiently invert $f$.

B.3 The Current Version

Since $\mathsf{ColFinder}^f$ in the second version was too strong, in the current version we changed the construction of $\mathsf{ColFinder}^f$ back to that of the first version. However, $\mathsf{ColFinder}^f$ is not strong enough to break CRH’. Thus, instead of strengthening $\mathsf{ColFinder}^f$, we weakened the definition of collision-resistant hash functions from CRH’ to CRH.

Indeed, the example $I'$ described in Section B.1 is an implementation of CRH’ but not an implementation of CRH, and $\mathsf{ColFinder}^f$ finds collisions of any implementations of CRH (for a precise proof that $\mathsf{ColFinder}^f$ finds a collision for any implementation of CRH, see footnote 21).

The result proven in the current version (impossibility of reductions from CRH to OWP) is weaker than the corresponding claim in the previous versions (impossibility of reductions from CRH’ to OWP). Nevertheless, the result in the current version is still meaningful: even in the classical setting, the definition of collision-resistant hash functions that allows $\mathsf{Eval}$ to be a probabilistic algorithm [HR04] assumes that $\mathsf{Eval}(\sigma,\cdot)$ computes a function not only for $\sigma$ generated by $\mathsf{Gen}(1^n)$ but also for all possible $\sigma$. In particular, when we replace “quantum algorithm” with “probabilistic Turing machine” verbatim, the current definition of CRH exactly matches the classical definition, but the previous definition CRH’ becomes stronger than the classical definition. The new definition CRH is not too weak. Rather, our previous definition CRH’ was too strong.
