On the balanced quantum hashing

In the paper we define a notion of a resistant quantum hash function which combines a notion of pre-image (one-way) resistance and the notion of collision resistance. In the quantum setting one-way resistance property and collision resistance property are correlated: the “more” a quantum function is one-way resistant the “less” it is collision resistant and vice versa. We present an explicit quantum hash function which is “balanced” one-way resistant and collision resistant and demonstrate how to build a large family of balanced quantum hash functions.


Introduction
Peter Shor's quantum factoring algorithm and quantum algorithm for finding discrete logarithm are results that use quantum mechanical effects to break cryptographic systems. The response from a cryptographic community is a "Post-quantum cryptography", which refers to research on problems (usually public-key cryptosystems) that are not efficiently solvable by quantum computers. Currently post-quantum cryptography includes different approaches, in particular, hash-based digital signature schemes such as Lamport signature and Merkle signature scheme.
Quantum key distribution and quantum digital signature are also part of Post-quantum cryptography. Gottesman and Chuang introduced a notion of a quantum one-way function and proposed a quantum digital signature protocol [1], which is based on such a function. This is also the case for other protocols (see for example [2] and [3]).
Recall that in the classical setting a cryptographic hash function h should have at least the following three properties (see, for example, [3]): (1) Pre-image resistance: given h(x), it should be difficult to find x, that is, these hash functions are one-way functions; (2) Second pre-image resistance: given x 1 , it should be difficult to find an x 2 , such that h(x 1 ) = h(x 2 ); (3) Collision resistance: it should be difficult to find any pair of distinct x 1 , x 2 , such that h(x 1 ) = h(x 2 ). Note, that there are no one-way functions that are known to be provably hard to invert, the security of cryptographic hash functions is "computationally conditional".
In [4], [5] we defined a notion of quantum hashing as a quantum counterpart of classical hashing and presented approach for constructing quantum hash functions. It appeared that the quantum digital signature by Gottesman and Chuang is based on quantum functions which are actually quantum hash functions. Those quantum functions have "unconditionally one-way" property based on Holevo Theorem [6]. We have also shown that quantum hashing can be useful for constructing efficient quantum algorithms [7] and quantum communication protocols [8].
For a quantum hash function, which is a mapping that creates a quantum state from classical information, we require the following properties: • It can be effectively computed given classical input; • It is impossible to extract this input from the quantum hash; • Hashes of different inputs can be distinguished with high probability, which also implies a reliable equality test.
In this paper we investigate the connection between the last two properties. We show that there is a trade-off between them and introduce a notion of the balanced quantum hash function that has both in a good combination.

Quantum Hashing
In this section we briefly recall the notion of the quantum hash function, formalize its properties and give several examples.
In the paper [9] we defined a notion of ( , δ)-hash function where values and δ are numerical characteristics of the above two properties: (i) one-way resistance and (ii) collision resistance properties. The notion of the ( , δ)-hash function is a generalization of the quantum hash function defined in [4], [5].
We present formal definitions now. For s ≥ 1 let (H 2 ) ⊗s be the 2 s -dimensional Hilbert space, describing the states of s qubits. Let X be a finite set of size K = |X|. We define a (K; s) quantum function ψ to be a unitary transformation (determined by an element w ∈ X) of the initial state |ψ 0 ⊗s ∈ (H 2 ) ⊗s to a quantum state |ψ(w) ∈ (H 2 ) ⊗s : where U (w) is a unitary matrix. We will also use a shorter notation ψ : X → (H 2 ) ⊗s .
One-way Resistant Function. We present the following definition of quantum -resistant oneway function. Let decoding ("information extracting mechanism") M be a function M : (H 2 ) ⊗s → X. Informally: M makes some measurement of the state |ψ ∈ (H 2 ) ⊗s and decodes the result to X.
Definition 2.1 Let X be a random variable uniformly distributed over X. Let ψ : X → (H 2 ) ⊗s be a quantum function. Let Y is a random variable over X obtained by some decoding M, i.e. Y = M(X). Let > 0. We call a quantum function ψ a one-way -resistant function if for any decoding M, the probability P r[Y = X] that M successfully decodes Y is bounded by We will use here the following fact [10]. Let X be random variable uniformly distributed over a k-bit binary words {0, 1} k . Let ψ : {0, 1} k → (H 2 ) ⊗s be a (2 k ; s) quantum function. Let Y be a random variable over {0, 1} k obtained by some decoding M of |ψ(X) to {0, 1} k . Then the probability of correct decoding is bounded by That is, we should pick s as small as possible to make a quantum hash function one-way resistant. Collision Resistant Function. As we have noted in [4] there might be no collisions in the classical sense: since quantum hashes are quantum states they can store arbitrary amount of data and can be different for unequal messages. But the procedure of comparing those quantum states implies measurement, which can lead to collision-type errors. That is, in order to make a quantum hash function resistant to quantum collisions, we must guarantee the distinguishability of quantum hashes for different inputs. Therefore, the pairwise inner product of the quantum hash function values should be bounded. This is formalized by the following definition.
Definition 2.2 Let δ > 0. Following [9] we call a quantum function ψ : X → (H 2 ) ⊗s a collision δ-resistant function if for any pair w, w of different elements, There is a known lower bound by Buhrman et al. [11] for the size of the sets of pairwisedistinguishable states: to construct a set of 2 k quantum states with pairwise inner products below δ we will need at least Ω(log(k/δ)) qubits. Using the notation above this implies the bound s = Ω(log log K − log δ)). The similar lower bound of log log K − c(δ) was proved by a different method in [5].
One-way Resistance and Collision Resistance. The above two definitions and considerations lead to the following formalization of the quantum cryptographic (one-way and collision resistant) function Definition 2.3 Let K = |X| and s ≥ 1. Let > 0 and δ > 0. We call a function ψ : X → (H 2 ) ⊗s a quantum ( , δ)-Resistant (K; s)-hash function iff ψ is one-way -resistant and collision δresistant function.
The trade-off between one-way resistance and collision resistance The following examples show that one-way resistance and collision resistance lead to the contradictory requirements on the size of the quantum hash and the "more" a quantum function is one-way resistant the "less" it is collision resistant and vice versa.
Example 2.1 We encode a word w ∈ {0, 1} k into one qubit: This function has good one-way property with = 2 2 k , but also has poor collision resistance of δ = cos π/2 k . Example 2.2 We encode a word w ∈ {0, 1} k into k qubits: This function has one-way resistance = 1 (no resistance) and collision resistance with δ = 0 (perfect resistance).

Example 2.3
This example is based on the quantum fingerprinting by Buhrman et al. [11].
Let E : {0, 1} k → {0, 1} n be an error-correcting code with Hamming distance d ≥ n − δn and E i (w) is the i-th bit of the codeword E(w).

Example 2.4
This example is based on the quantum fingerprinting by Ablayev and Vasiliev [12].
The properties of this function depend on the set of numeric parameters B. We have proved the existence of such a set B with |B| = (2/δ 2 ) ln(2 k+1 ) = O(k/δ 2 ), that the corresponding function has one-way resistance = 2|B|/2 k and collision resistance equal to the δ above (for proof see [12]).

"Balanced" Quantum Hash Functions
The above considerations lead to the notion of a "balanced" quantum hash function. Informally, if we need to hash elements w from a domain X, |X| = K and if one can build for δ > 0 a collision δ-resistant (K; s) hash function ψ with s = O(log log K − log δ)) qubits then the function f will be one-way -resistant with = O(log K/(δ * K)).
The functions from Examples 2.3 and 2.4 are exactly such functions.
In [9], we have defined the concept of a quantum hash generator and offered design, which allows to build different quantum hash functions based on the composition of function from Example 2.4 and an arbitrary classical -universal hash family [13]. This construction allows to build a large family of balanced quantum hash functions [9]. In particular the following construction explicitly presented: • Using the relationship between -universal hash families and Freivalds fingerprinting schemas we present explicit balanced quantum hash function and prove that this construction is optimal with respect to of number of qubits needed for construction. • Using the relationship between -universal hash families and error correcting codes (see for example [13]) we present explicit balanced hash function based on Reed-Solomon codes and prove that this construction is optimal with respect to the number of qubits needed for construction.