Quantum security of subset cover problems
- URL: http://arxiv.org/abs/2210.15396v2
- Date: Tue, 13 Jun 2023 10:43:34 GMT
- Authors: Samuel Bouaziz--Ermann, Alex B. Grilo and Damien Vergnaud
- Abstract summary: The security of many hash-based signature schemes relies on the subset cover problem or a variant of this problem.
We prove that any quantum algorithm needs to make $\Omega\left((k+1)^{-\frac{2^{k}}{2^{k+1}-1}}\cdot N^{\frac{2^{k}-1}{2^{k+1}-1}}\right)$ queries to the underlying hash functions.
We also analyze the security of the general $(r,k)$-subset cover problem, which is the underlying problem.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: The subset cover problem for $k \geq 1$ hash functions, which can be seen as
an extension of the collision problem, was introduced in 2002 by Reyzin and
Reyzin to analyse the security of their hash-function based signature scheme
HORS.
The security of many hash-based signature schemes relies on this problem or a
variant of this problem (e.g. HORS, SPHINCS, SPHINCS+, $\dots$).
Recently, Yuan, Tibouchi and Abe (2022) introduced a variant to the subset
cover problem, called restricted subset cover, and proposed a quantum algorithm
for this problem. In this work, we prove that any quantum algorithm needs to
make $\Omega\left((k+1)^{-\frac{2^{k}}{2^{k+1}-1}}\cdot
N^{\frac{2^{k}-1}{2^{k+1}-1}}\right)$ queries to the underlying hash functions
with codomain size $N$ to solve the restricted subset cover problem, which
essentially matches the query complexity of the algorithm proposed by Yuan,
Tibouchi and Abe.
We also analyze the security of the general $(r,k)$-subset cover problem,
which is the underlying problem that implies the unforgeability of HORS under an
$r$-chosen message attack (for $r \geq 1$). We prove that a generic quantum
algorithm needs to make $\Omega\left(N^{k/5}\right)$ queries to the underlying
hash functions to find a $(1,k)$-subset cover.
We also propose a quantum algorithm that finds an $(r,k)$-subset cover making
$O\left(N^{k/(2+2r)}\right)$ queries to the $k$ hash functions.
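Added example (not from the paper or its authors): the three query bounds quoted in the abstract, evaluated as exact exponents and as $\log_2$ query counts for $N = 2^n$. Function names and the sample values of $n$, $k$ and $r$ are constructed for illustration, and the constants hidden by $\Omega$ and $O$ are ignored.

```python
from fractions import Fraction
from math import log2

def rsc_lower_exponents(k):
    """Exponents (a, b) in the restricted subset cover lower bound
    Omega((k+1)^(-a) * N^b), with a = 2^k/(2^(k+1)-1), b = (2^k-1)/(2^(k+1)-1)."""
    d = 2 ** (k + 1) - 1
    return Fraction(2 ** k, d), Fraction(2 ** k - 1, d)

def rsc_lower_log2(k, n):
    """log2 of (k+1)^(-a) * N^b for N = 2^n (hidden constant ignored)."""
    a, b = rsc_lower_exponents(k)
    return float(b) * n - float(a) * log2(k + 1)

def sc_lower_exponent(k):
    """Exponent of N in the Omega(N^(k/5)) lower bound for (1,k)-subset cover."""
    return Fraction(k, 5)

def sc_upper_exponent(r, k):
    """Exponent of N in the O(N^(k/(2+2r))) algorithm for (r,k)-subset cover."""
    return Fraction(k, 2 + 2 * r)

def summary(n, ks, rs):
    """One row per k: bounds expressed in bits (log2 of the query count)."""
    rows = []
    for k in ks:
        row = {"k": k,
               "rsc_lower_bits": round(rsc_lower_log2(k, n), 2),
               "sc1_lower_bits": float(sc_lower_exponent(k) * n)}
        for r in rs:
            # A larger r (more chosen messages) lowers the attack's query cost.
            row[f"sc_upper_bits_r{r}"] = float(sc_upper_exponent(r, k) * n)
        rows.append(row)
    return rows

if __name__ == "__main__":
    # Constructed sample parameters: N = 2^16, a few values of k and r.
    for row in summary(n=16, ks=(1, 2, 4, 8), rs=(1, 2, 4)):
        print(row)
```

For $k = 1$ the restricted bound has exponent $1/3$ in $N$, the same exponent as the known quantum bound for collision finding, and for $r = 1$ the upper exponent $k/4$ and the lower exponent $k/5$ leave a gap.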
Related papers
- The Communication Complexity of Approximating Matrix Rank [50.6867896228563]
We show that this problem has randomized communication complexity $\Omega(\frac{1}{k}\cdot n^2\log|\mathbb{F}|)$.
As an application, we obtain an $\Omega(\frac{1}{k}\cdot n^2\log|\mathbb{F}|)$ space lower bound for any streaming algorithm with $k$ passes.
arXiv Detail & Related papers (2024-10-26T06:21:42Z)
- Generalized Hybrid Search and Applications to Blockchain and Hash Function Security [50.16790546184646]
We first examine the hardness of solving various search problems by hybrid quantum-classical strategies.
We then construct a hybrid quantum-classical search algorithm and analyze its success probability.
arXiv Detail & Related papers (2023-11-07T04:59:02Z)
- On the exact quantum query complexity of $\text{MOD}_m^n$ and $\text{EXACT}_{k,l}^n$ [4.956977275061968]
We present an exact quantum algorithm for computing $\text{MOD}_m^n$.
We show exact quantum query complexity of a broad class of symmetric functions that map $\{0,1\}^n$ to a finite set $X$ is less than $n$.
arXiv Detail & Related papers (2023-03-20T08:17:32Z)
- Basic quantum subroutines: finding multiple marked elements and summing numbers [1.1265248232450553]
We show how to find all $k$ marked elements in a list of size $N$ using the optimal number $O(\sqrt{N k})$ of quantum queries.
arXiv Detail & Related papers (2023-02-20T19:11:44Z)
- Mind the gap: Achieving a super-Grover quantum speedup by jumping to the end [114.3957763744719]
We present a quantum algorithm that has rigorous runtime guarantees for several families of binary optimization problems.
We show that the algorithm finds the optimal solution in time $O^*(2^{(0.5-c)n})$ for an $n$-independent constant $c$.
We also show that for a large fraction of random instances from the $k$-spin model and for any fully satisfiable or slightly frustrated $k$-CSP formula, statement (a) is the case.
arXiv Detail & Related papers (2022-12-03T02:45:23Z)
- Optimal exact quantum algorithm for the promised element distinctness problem [0.2741266294612775]
An element distinctness problem is to determine whether a string $x=(x_1,\ldots,x_N)$ of $N$ elements contains two elements of the same value.
We propose an exact quantum algorithm for the promise problem which never errs and requires $O(N^{2/3})$ queries.
arXiv Detail & Related papers (2022-11-10T09:33:13Z)
- Finding many Collisions via Reusable Quantum Walks [1.376408511310322]
Collision finding is a ubiquitous problem in cryptanalysis.
In this paper, we improve the algorithms for this problem and, in particular, extend the range of admissible parameters.
As an application, we improve the quantum sieving algorithms for the shortest vector problem.
arXiv Detail & Related papers (2022-05-27T14:50:45Z)
- On Avoiding the Union Bound When Answering Multiple Differentially Private Queries [49.453751858361265]
We give an algorithm for this task that achieves an expected $\ell_\infty$ error bound of $O(\frac{1}{\epsilon}\sqrt{k \log \frac{1}{\delta}})$.
On the other hand, the algorithm of Dagan and Kur has a remarkable advantage that the $\ell_\infty$ error bound of $O(\frac{1}{\epsilon}\sqrt{k \log \frac{1}{\delta}})$ holds not only in expectation but always.
arXiv Detail & Related papers (2020-12-16T17:58:45Z)
- Locally Private Hypothesis Selection [96.06118559817057]
We output a distribution from $\mathcal{Q}$ whose total variation distance to $p$ is comparable to the best such distribution.
We show that the constraint of local differential privacy incurs an exponential increase in cost.
Our algorithms result in exponential improvements on the round complexity of previous methods.
arXiv Detail & Related papers (2020-02-21T18:30:48Z)
- Tight Quantum Lower Bound for Approximate Counting with Quantum States [49.6558487240078]
We prove tight lower bounds for the following variant of the counting problem considered by Aaronson, Kothari, Kretschmer, and Thaler (2020)
The task is to distinguish whether an input set $x\subseteq [n]$ has size either $k$ or $k'=(1+\varepsilon)k$.
arXiv Detail & Related papers (2020-02-17T10:53:50Z)
This list is automatically generated from the titles and abstracts of the papers in this site.