Quantum collision-finding in non-uniform random functions

Abstract

We study quantum attacks on finding a collision in a non-uniform random function whose outputs are drawn according to a distribution of min-entropy k. This can be viewed as showing generic security of hash functions under relaxed assumptions in contrast to the standard heuristic of assuming uniformly random outputs. It is useful in analyzing quantum security of the Fujisaki-Okamoto transformation [31]. In particular, our results close a gap left open in [30]. Specifically, let D be a distribution of min-entropy k on a set Y. Let f : X → Y be a function whose output f(x) is drawn according to D for each x ∈ X independently. We show that Ω(2k/3) quantum queries are necessary to find a collision in f, improving the previous bound Ω(2k/9) [30]. In fact we show a stronger lower bound 2k/2 in some special case. For most cases, we also describe explicit quantum algorithms matching the corresponding lower bounds.