Quantum Fingerprinting and Quantum Hashing. Computational and Cryptographical Aspects

Rusins Freivalds was one of the first researchers who introduced methods (later called fingerprinting) for constructing efficient classical randomized and quantum algorithms. Fingerprinting and cryptographic hashing have quite different usages in computer science, but have similar properties. Interpretation of their properties is determined by the area of their usage: fingerprinting methods are methods for constructing efficient randomized and quantum algorithms for computational problems, while hashing methods are one of the central cryptographical primitives. Fingerprinting and hashing methods have been developed since the middle of the previous century, while quantum fingerprinting and quantum hashing have a short history. In the paper we present computational aspects of quantum fingerprinting, discuss cryptographical properties of quantum hashing, and present the possible use of quantum hashing for quantum hash-based message authentication codes.


Introduction
Fingerprinting and hashing are well-known techniques. Fingerprinting is widely used in various meanings in different areas of computer science. We restrict ourselves to the area of complexity theory where the notion of fingerprinting is more or less formalized. Cryptographic hashing allows objects to be represented securely and is mathematically more formalized.
Classical and quantum fingerprinting. Fingerprinting in complexity theory is a procedure that maps a large data item to a much shorter string, its fingerprint, that identifies the original data (with high probability). The key properties of classical fingerprinting methods are: i) they allow one to build efficient randomized computational algorithms and ii) the resulting algorithms have bounded error (Motwani and Raghavan, 1995).
Rusins Freivalds was one of the first researchers who introduced methods (later called fingerprinting) for constructing efficient randomized algorithms (which are more efficient than any deterministic algorithm) (Freivalds, 1977, 1979).
In the quantum case fingerprinting is a procedure that maps classical data to a quantum state that identifies the original data (with high probability). One of the first applications of the quantum fingerprinting method is due to Ambainis and Freivalds (1998): for a specific language they constructed a quantum finite automaton with an exponentially smaller size than any classical randomized automaton. An explicit definition of quantum fingerprinting was introduced by Buhrman et al. (2001) for constructing an efficient quantum communication protocol for equality testing.
Cryptographic quantum hashing. Cryptographic hashing has a lot of fruitful applications in cryptography. Note that in cryptography functions satisfying (i) the one-way property and (ii) the collision resistance property (in different specific meanings) are called hash functions, and we propose to do so when we are considering cryptographical aspects of quantum functions with the above properties. So we suggest calling a quantum function that satisfies properties (i) and (ii) (in the quantum setting) a cryptographic quantum hash function or just quantum hash function. Note, however, that there is only a thin line between the notions of quantum fingerprinting and quantum hashing. One of the first considerations of a quantum function (that maps classical words into quantum states) as a cryptographic primitive having the one-way property and the collision resistance property is due to Gottesman and Chuang (2001), where the quantum fingerprinting function from (Buhrman et al., 2001) was used. Another approach to constructing quantum hash functions from quantum walks was considered in (Li et al., 2013a; Li et al., 2013b; Yang et al., 2016), and it resulted in privacy amplification in quantum key distribution and other useful applications.
The paper organization. In Section 3 we consider quantum fingerprinting as a mapping of classical inputs to quantum states that allows one to construct efficient quantum algorithms for computing Boolean functions. We consider the quantum fingerprinting function from (Buhrman et al., 2001) as well as the quantum fingerprinting technique from (Ablayev and Vasiliev, 2009). The latter was motivated by the paper (Ambainis and Freivalds, 1998) and its generalization (Ambainis and Nahimovs, 2008).
Section 4 is based on results on quantum hashing developed in our research group. We define a notion of quantum hash function which is a quantum one-way function and a quantumly collision resistant function. We show that the one-way property and the collision resistance property are correlated for a quantum hash function. The more the function is one-way the less it is collision resistant and vice versa. We show that such a correlation can be balanced.
We present an approach for quantum hash function constructions by establishing a connection between small-biased sets (Naor and Naor, 1990) and quantum hash function constructions: we prove that small-sized ε-biased sets allow one to generate balanced quantum hash functions. Such a connection adds to the long list of small-biased sets' applications.
In particular it was observed in (Naor and Naor, 1990; Ben-Sasson et al., 2003) that the ε-bias property is closely related to the error-correcting properties of linear codes.
Note that the quantum fingerprinting function from (Buhrman et al., 2001) is based on a binary error-correcting code and so it solves the problem of constructing quantum hash functions for the binary case. For the general case ε-bias does not correspond to Hamming distance. Thus, in contrast to the binary case, an arbitrary linear error-correcting code cannot be used directly for quantum hash functions.
Next, recall that any ε-biased set gives rise to a Cayley expander graph (Alon and Roichman, 1994). We show how such graphs generate balanced quantum hash functions. Every expander graph can be converted to a bipartite expander graph. The generalization of these bipartite expander graphs is the notion of extractor graphs. Such a point of view gives a method for constructing quantum hash functions based on extractors. This construction of quantum hash functions is applied to define the notion of keyed quantum hash functions. The latter is used for constructing quantum hash-based message authentication codes (QMAC). The security proof of QMAC is based on using strong extractors against quantum storage developed by Ta-Shma (2009).

Preliminaries
Recall that mathematically a qubit is described as a unit vector in the two-dimensional Hilbert complex space $\mathcal{H}^2$. Let $s \ge 1$. Let $\mathcal{H}^d$ be the $d = 2^s$-dimensional Hilbert space, describing the states of $s$ qubits. Another notation for Conventionally, we use notation $|j\rangle$ for the vector from $\mathcal{H}^d$, which has a 1 on the $j$-th position and 0 elsewhere. An orthonormal basis $|1\rangle, \ldots, |d\rangle$ is usually referred to as the standard computational basis. For an integer $j \in \{0, \ldots, 2^s - 1\}$ let $\sigma_1 \ldots \sigma_s$ be a binary presentation of $j$. We use notation $|j\rangle$ to denote quantum state

We let $\mathbb{Z}_q$ be the finite additive group $\mathbb{Z}/q\mathbb{Z}$, the integers modulo $q$. Let $\Sigma^k$ be a set of words of length $k$ over a finite alphabet $\Sigma$. Let $X$ be a finite set. In the paper we let $X = \Sigma^k$, or $X = \mathbb{Z}_q$. For $K = |X|$ and integer $s \ge 1$ we define a $(K; s)$ classical-quantum function (or just quantum function) to be a unitary transformation (determined by an element $w \in X$) of the initial state $|\psi_0\rangle \in (\mathcal{H}^2)^{\otimes s}$ to a quantum state $|\psi(w)\rangle \in (\mathcal{H}^2)^{\otimes s}$ where $U(w)$ is a unitary matrix. We let $|\psi_0\rangle = |0\rangle$ in the paper and use (for short) the following notation (instead of the one above)

Quantum fingerprinting
The ideas of the fingerprinting technique in the quantum setting first appeared in (Ambainis and Freivalds, 1998). The authors used a succinct presentation of the classical input by a quantum automaton state, which resulted in an exponential improvement over the classical algorithm. Later in (Ambainis and Nahimovs, 2008) the ideas were developed further to give an arbitrarily small probability of error. This was the basis for the general quantum fingerprinting framework proposed in (Ablayev and Vasiliev, 2009). However, the term "quantum fingerprinting" is mostly used in scientific literature to address a seminal paper by Buhrman et al. (2001), where this notion first appeared explicitly. To distinguish between different versions of the quantum fingerprinting techniques, here we call the fingerprinting function from (Buhrman et al., 2001) "binary" (since it uses some binary error-correcting code in its construction), while the fingerprinting from (Ablayev and Vasiliev, 2009) is called "q-ary" for it uses presentation of the input in $\mathbb{Z}_q$.

Binary quantum fingerprinting function
The quantum fingerprinting function was formally defined in (Buhrman et al., 2001), where it was used for quantum equality testing in a quantum communication model. It is based on the notion of a binary error-correcting code. An

The construction of the quantum fingerprinting function is as follows.
- Let $c > 2$ and $\varepsilon < 1$. Let $k$ be a positive integer and $n = ck$.
defined by the rule: $E_i(w)$ is the $i$-th bit of the codeword $E(w)$.
- Let $s = \log n + 1$. Define the quantum function $\psi_{F_E} : \{0, 1\}^k \to (\mathcal{H}^2)^{\otimes s}$, determined by a word $w$ as

The original paper (Buhrman et al., 2001) used this function to construct a quantum communication protocol that tests equality in the simultaneous message passing (SMP) model with no shared resources. This protocol requires $O(\log n)$ qubits to compare $n$-bit binary strings, which is exponentially smaller than any classical deterministic or even randomized protocol in the SMP setting with no shared randomness. The proposed quantum protocol has one-sided error of 1/2(1+

For instance, Justesen codes mentioned in the paper give $\varepsilon < 9/10 + 1/(15c)$ for any chosen $c > 2$.
In the same paper it was shown that this result can be improved by choosing an error-correcting code with Hamming distance between any two distinct codewords between $(1 - \varepsilon)n/2$ and $(1 + \varepsilon)n/2$ for any $\varepsilon > 0$ (however, the existence of such codes can only be proved nonconstructively via a probabilistic argument).
But even with such a code the quantum fingerprinting function above would give

which resulted in the following change of construction (Buhrman et al., 2001). Define the classical-quantum function $\psi : \{0, 1\}^k \to (\mathcal{H}^2)^{\otimes s}$, determined by a word $w$ as $(-1)^{E_i(w)}|i\rangle$.
This function gives the following bound for the fingerprints of distinct inputs The further research on this topic mostly used this version of quantum fingerprinting.

q-ary quantum fingerprinting
In this section we show the basic idea of the quantum fingerprinting from (Ablayev and Vasiliev, 2009; Ablayev and Vasiliev, 2011b). Let $\sigma = \sigma_1 \ldots \sigma_n$ be an input string and $g$ be the mapping of $\{0, 1\}^n$ onto $\mathbb{Z}_q$ that "encodes" some property of the input we're about to test. We consider $g$ to be the polynomial over $\mathbb{Z}_q$ such that $g(\sigma) = 0 \bmod q$ iff $\sigma$ has the property encoded by $g$. For example, if we test the equality of two $n$-bit binary strings $x_1 \ldots x_n$ and $y_1 \ldots y_n$, we can choose $g$ equal to the following polynomial over $\mathbb{Z}_{2^n}$:

To test the property encoded by $g$ we rotate the initial state $|0\rangle$ of a single qubit by an angle $\theta = \pi g(\sigma)/q$: $|0\rangle \to \cos\theta|0\rangle + \sin\theta|1\rangle$.
Then this state is measured and the input $\sigma$ is accepted iff the result of the measurement is $|0\rangle$.
Obviously, this quantum state is $\pm|0\rangle$ iff $g(\sigma) = 0 \bmod q$. In the worst case this algorithm gives the one-sided error of $\cos^2(\pi(q - 1)/q)$, which can be arbitrarily close to 1.
The above description can be presented as follows using $\log t + 1 = (\log\log q) + 1$ qubits:

where $\theta_i = 2\pi s_i g(\sigma)/q$ and the set $S = \{s_1, \ldots, s_t\} \subseteq \mathbb{Z}_q$ is chosen in order to guarantee the small probability of error (Ablayev and Vasiliev, 2009; Ablayev and Vasiliev, 2011b). That is, the last qubit is simultaneously rotated in $t$ different subspaces by corresponding angles.
Summarizing, the quantum fingerprinting method may be applied in the following manner:

1. The initial state of the quantum register is $|0\rangle^{\otimes \log t}|0\rangle$.
2. The Hadamard transform creates the equal superposition of the basis states
3. Based on the input $\sigma$ its fingerprint is created:
4. The Hadamard transform turns the fingerprint into the superposition
5. The quantum register is measured and the input is accepted iff the result is

In (Ablayev and Vasiliev, 2009, 2011a, 2011b) we have applied this technique to construct efficient quantum algorithms for a certain class of Boolean functions in the model of read-once quantum branching programs (Ablayev et al., 2001).
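The following state-vector simulation of the five steps is an added example, not code from the paper. It assumes that g for equality is the difference of the two n-bit integers in Z_{2^n} and that step 5 accepts on the all-zero outcome (both formulas are missing from the text above); all function names are hypothetical.

```python
import math
import random

def g_equality(x_bits, y_bits, n):
    """Assumed form of g: difference of the two n-bit integers in Z_{2^n}."""
    return (int(x_bits, 2) - int(y_bits, 2)) % (1 << n)

def hadamard_index(state, t):
    """Walsh-Hadamard transform on the log t index qubits of state[i][b]."""
    out = [row[:] for row in state]
    h = 1
    while h < t:
        for start in range(0, t, 2 * h):
            for i in range(start, start + h):
                for b in (0, 1):
                    u, v = out[i][b], out[i + h][b]
                    out[i][b], out[i + h][b] = u + v, u - v
        h *= 2
    scale = 1 / math.sqrt(t)
    return [[a * scale for a in row] for row in out]

def accept_probability(g_value, q, S):
    """Simulate steps 1-5 for a given g(sigma); len(S) must be a power of two."""
    t = len(S)
    state = [[0.0, 0.0] for _ in range(t)]
    state[0][0] = 1.0                                   # step 1: |0...0>|0>
    state = hadamard_index(state, t)                    # step 2: equal superposition
    for i, s in enumerate(S):                           # step 3: rotate last qubit by theta_i
        theta = 2 * math.pi * s * g_value / q
        a0, a1 = state[i]
        state[i] = [a0 * math.cos(theta) - a1 * math.sin(theta),
                    a0 * math.sin(theta) + a1 * math.cos(theta)]
    state = hadamard_index(state, t)                    # step 4: second Hadamard
    return state[0][0] ** 2                             # step 5: P(all-zero outcome)

def mean_cos(g_value, q, S):
    """Closed form of the all-zero amplitude: (1/t) * sum_i cos(theta_i)."""
    return sum(math.cos(2 * math.pi * s * g_value / q) for s in S) / len(S)

def single_qubit_error(q):
    """Worst-case one-sided error of the single-rotation test (theta = pi*g/q)."""
    return max(math.cos(math.pi * g / q) ** 2 for g in range(1, q))

def find_set(q, t, eps, max_tries=100):
    """Try seeded random sets until every nonzero g has |mean cos| <= eps."""
    for seed in range(max_tries):
        S = random.Random(seed).sample(range(1, q), t)
        if all(abs(mean_cos(g, q, S)) <= eps for g in range(1, q)):
            return S
    raise ValueError("no suitable set found")

def worst_case_error(q, S):
    """Largest acceptance probability over all inputs with g(sigma) != 0."""
    return max(accept_probability(g, q, S) for g in range(1, q))

if __name__ == "__main__":
    q, t = 256, 64                      # constructed parameters: 8-bit strings, 6 index qubits
    S = find_set(q, t, eps=0.5)
    g = g_equality("10110010", "10110011", 8)
    print("single-qubit worst error:", single_qubit_error(q))
    print("7-qubit worst error:     ", worst_case_error(q, S))
    print("accept P for unequal pair:", accept_probability(g, q, S))
```

With these constructed parameters the single-qubit test wrongly accepts some unequal pair with probability above 0.999, while the 7-qubit fingerprint keeps that probability at or below 0.25 for every nonzero g.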

Quantum hashing
In this section we present recent results on quantum hashing developed in our research group.

One-way δ-resistance.
We present the following definition of a quantum δ-resistant one-way function. Let "information extracting" mechanism $M$ be a function $M : (\mathcal{H}^2)^{\otimes s} \to X$. Informally speaking, mechanism $M$ makes some measurement to state $|\psi\rangle \in (\mathcal{H}^2)^{\otimes s}$ and decodes the result of measurement to $X$.

Definition 1. Let $X$ be a random variable distributed over $X$ $\{Pr[X = w] : w \in X\}$. Let $\psi : X \to (\mathcal{H}^2)^{\otimes s}$ be a quantum function. Let $Y$ be any random variable over $X$ obtained by some mechanism $M$ making measurement to the encoding $\psi$ of $X$ and decoding the result of the measurement to $X$. Let $\delta > 0$. We call a quantum function $\psi$ a one-way δ-resistant function if
1. it is easy to compute, i.e., a quantum state $|\psi(w)\rangle$ for a particular $w \in X$ can be determined using a polynomial-time algorithm;
2. for any mechanism $M$, the probability $Pr$

For the cryptographic purposes it is natural to expect (and we do this in the rest of the paper) that random variable $X$ is uniformly distributed.
A quantum state of $s \ge 1$ qubits can "carry" an infinite amount of information. On the other hand, the fundamental result of quantum informatics known as Holevo's Theorem (Holevo, 1973) states that a quantum measurement can only give $O(s)$ bits of information about the state. Here we use the result of (Nayak, 1999) motivated by Holevo's Theorem.
Property 1. Let $X$ be a random variable uniformly distributed over $\{0, 1\}^k$. Let $\psi : \{0, 1\}^k \to (\mathcal{H}^2)^{\otimes s}$ be a $(2^k; s)$ quantum function. Let $Y$ be a random variable over $\{0, 1\}^k$ obtained by some mechanism $M$ making some measurement of the encoding $\psi$ of $X$ and decoding the result of measurement to $\{0, 1\}^k$. Then the probability of correct decoding is given by

Collision ε-resistance
The following definition was presented in (Ablayev and Ablayev, 2015b).
Definition 2. Let $\varepsilon > 0$. We call a quantum function $\psi : X \to (\mathcal{H}^2)^{\otimes s}$ a collision ε-resistant function if for any pair $w, w'$ of different inputs,

Testing equality. The crucial procedure for quantum hashing is an equality test for $|\psi(v)\rangle$ and $|\psi(w)\rangle$ that can be used to compare encoded classical messages $v$ and $w$; see for example (Gottesman and Chuang, 2001). This procedure can be the well-known SWAP-test (Buhrman, Cleve, Watrous, and Wolf, 2001) or something that is adapted for a specific hashing function, like the REVERSE-test (Ablayev and Vasiliev, 2014).
The above two definitions and considerations lead to the following formalization of the quantum cryptographic (one-way and collision resistant) function.

Definition 3. Let $K = |X|$ and $s \ge 1$. Let $\delta > 0$ and $\varepsilon > 0$. We call a function $\psi : X \to (\mathcal{H}^2)^{\otimes s}$ a quantum (δ, ε)-Resistant $(K; s)$-hash function (or just quantum (δ, ε)-hash function) iff $\psi$ is a one-way δ-resistant and collision ε-resistant function.
We present below the following two examples to demonstrate how one-way δ-resistance and collision ε-resistance are correlated. The first example was presented in (Ambainis and Freivalds, 1998) in terms of quantum automata.
Example 1. Let us encode numbers $v$ from $\{0, \ldots, 2^k - 1\}$ by a single qubit as follows:

Extracting information from $|\psi\rangle$ by measuring $|\psi\rangle$ with respect to the basis $\{|0\rangle, |1\rangle\}$ gives the following result. The function $\psi$ is one-way $2/2^k$-resistant (see Property 1) and collision $\cos(\pi/2^{k-1})$-resistant. Thus, the function $\psi$ has a good one-way property, but has a bad collision resistance property for large $k$.
Extracting information from $|\psi\rangle$ by measuring $|\psi\rangle$ with respect to the basis $\{|0 \ldots 0\rangle, \ldots, |1 \ldots 1\rangle\}$ gives the following result. The function $\psi$ is one-way 1-resistant and collision 0-resistant. So, in contrast to Example 1 the encoding $\psi$ from Example 2 is collision free, that is, for different words $v$ and $w$ quantum states $|\psi(v)\rangle$ and $|\psi(w)\rangle$ are orthogonal and therefore reliably distinguished; but we lose the one-way property: $\psi$ is easily invertible.
The following result (Ablayev and Ablayev, 2015b) shows that a quantum collision ε-resistant $(K; s)$ function needs at least $\log\log K - c(\varepsilon)$ qubits.
Properties 1 and 2 provide a basis for building "balanced" one-way δ-resistance and collision ε-resistance properties. That is, roughly speaking, if we need to hash elements $w$ from the domain $X$ with $|X| = K$ and if one can build for an $\varepsilon > 0$ a collision ε-resistant $(K; s)$ hash function $\psi$ with $s \approx \log\log K - c(\varepsilon)$ qubits then the function $f$ is one-way δ-resistant with $\delta \approx (\log K/K)$. Such a function is balanced with respect to Property 2.
To summarize the above considerations we can state the following. A quantum (δ, ε)-hash function is a function that satisfies all of the properties that a "classical" hash function should satisfy. Pre-image resistance follows from Property 1. Second pre-image resistance and collision resistance follow, because all inputs are mapped to states that are nearly orthogonal. Therefore, we see that quantum hash functions can satisfy the three properties of a classical cryptographic hash function.
This section is based on the paper (Vasiliev, 2016). We present here a brief background on ε-biased sets as defined in (Chen, Moore, and Russell, 2013) and discuss their connection to quantum hashing. Note that ε-biased sets are generally defined for arbitrary finite groups, but here we restrict ourselves to $\mathbb{Z}_q$.
For an $a \in \mathbb{Z}_q$ a character $\chi_a$ of $\mathbb{Z}_q$ is a homomorphism $\chi_a : \mathbb{Z}_q \to \mu_q$, where $\mu_q$ is the (multiplicative) group of complex $q$-th roots of unity. That is, $\chi_a(x) = \omega^{ax}$, where $\omega = e^{2\pi i/q}$ is a primitive $q$-th root of unity. The character $\chi_0 \equiv 1$ is called a trivial character.
These sets are interesting when $|S| \ll |\mathbb{Z}_q|$ (as $S = \mathbb{Z}_q$ is 0-biased). In their seminal paper Naor and Naor (1990) defined these small-biased sets, gave the first explicit constructions of such sets, and demonstrated the power of small-biased sets for several applications.
Remark 1. Note that a set $S$ of $O(\log q/\varepsilon^2)$ elements selected uniformly at random from $\mathbb{Z}_q$ is ε-biased with positive probability (Alon and Roichman, 1994).
Many other constructions of small-biased sets followed during the last decades. Vasiliev (2016) showed that ε-biased sets generate (δ, ε)-resistant hash functions. We present the result of (Vasiliev, 2016) in the following form.
Property 3. Let $S \subseteq \mathbb{Z}_q$ be an ε-biased set. Let $H_S = \{h_a(x) = ax \pmod q,\ a \in S,\ h_a : \mathbb{Z}_q \to \mathbb{Z}_q\}$ be a set of functions determined by $S$. Then a quantum function $\psi_S$ :

is a (δ, ε)-resistant quantum hash function, where $\delta \le |S|/q$.
Proof. The one-way δ-resistance property of $\psi_S$ follows from Property 1: the probability of correctly decoding an $x$ from a quantum state $|\psi_S(x)\rangle$ is bounded by $|S|/q$. The efficient computability of such a function follows from the fact that any quantum transformation on $s$ qubits (including the one that creates a quantum hash) can be performed with $O(s^2 4^s)$ elementary quantum gates (Nielsen and Chuang, 2000). Whenever $s = O(\log |S|) = O(\log\log q - \log\varepsilon)$, this number of steps is polynomial in $\log q$ (the binary representation of group elements) and $1/\varepsilon$. The collision ε-resistance property of $\psi_S$ follows directly from the corresponding property of (Vasiliev, 2016). Note that

Further proof coincides with the proof of the paper (Vasiliev, 2016).
Remark 2. It is natural to call the set $H_S$ of functions a uniform ε-biased quantum hash generator in the context of the definition of quantum hash generator from (Ablayev and Ablayev, 2015a) and the above considerations.
As a corollary of Property 3 and the above considerations we can state the following.

Quantum fingerprinting functions as hash functions
In this section we give two explicit examples of the quantum hashing for specific finite abelian groups, which turn out to be the known quantum fingerprinting schemas.
Hashing the elements of the Boolean cube. For $G = \mathbb{Z}_2^n$ its characters can be written in the form $\chi_a(x) = (-1)^{(a,x)}$, and the corresponding quantum hash function is the following

The resulting hash function is exactly the quantum fingerprinting by Buhrman et al. (2001), once we consider an error-correcting code, whose matrix is built from the elements of $S$. Indeed, as stated in (Ben-Aroya and Ta-Shma, 2009) an ε-balanced error-correcting code can be constructed out of an ε-biased set. Thus, the inner product $(a, x)$ in the exponent is equivalent to the corresponding bit of the codeword, and altogether this gives the quantum fingerprinting function, that stores information in the phase of quantum states (de Wolf, 2001).
Hashing the elements of the cyclic group. For $G = \mathbb{Z}_q$ its characters can be written as $\chi_a(x) = \exp(2\pi i a x/q)$, and the corresponding quantum hash function is given by |ψ_S(a)⟩ = 1

The above quantum hash function is essentially equivalent to the one we have defined earlier in (Ablayev and Vasiliev, 2014), which is in turn based on the quantum fingerprinting function from (Ablayev and Vasiliev, 2009).
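The link between the bias of S and collision resistance in Property 3, together with the SWAP-test mentioned earlier, can be checked numerically; this is an added example, not code from the paper. It assumes the amplitude form ω^{s_j x}/√|S| on basis state |j⟩ (the formula above is cut off), and q, the set size, the seed and all function names are constructed for illustration.

```python
import cmath
import math
import random

def character_sum(a, S, q):
    """(1/|S|) * sum over s in S of chi_a(s), with chi_a(x) = exp(2*pi*i*a*x/q)."""
    return sum(cmath.exp(2j * math.pi * a * s / q) for s in S) / len(S)

def bias(S, q):
    """Smallest eps for which S is eps-biased: max over nontrivial characters."""
    return max(abs(character_sum(a, S, q)) for a in range(1, q))

def hash_state(x, S, q):
    """Amplitudes of |psi_S(x)> under the assumed form omega^{s_j x} / sqrt(|S|)."""
    norm = 1 / math.sqrt(len(S))
    return [norm * cmath.exp(2j * math.pi * s * x / q) for s in S]

def overlap(u, v):
    """|<u|v>| for two amplitude lists."""
    return abs(sum(a.conjugate() * b for a, b in zip(u, v)))

def max_collision_overlap(S, q):
    """Largest |<psi(x)|psi(y)>| over all pairs of distinct inputs."""
    states = [hash_state(x, S, q) for x in range(q)]
    return max(overlap(states[x], states[y])
               for x in range(q) for y in range(x + 1, q))

def swap_test_accept(u, v):
    """Probability that a single SWAP-test reports the two states as equal."""
    return 0.5 + 0.5 * overlap(u, v) ** 2

def repetitions_for(eps, target):
    """SWAP-tests needed so states with overlap <= eps pass all of them w.p. <= target."""
    p = 0.5 + 0.5 * eps ** 2
    return math.ceil(math.log(target) / math.log(p))

def analyse(q=101, size=24, seed=7):
    """Hash Z_q into ceil(log2 |S|) qubits with a seeded random set S."""
    S = random.Random(seed).sample(range(1, q), size)
    eps = bias(S, q)
    return {
        "qubits": math.ceil(math.log2(size)),
        "eps": eps,                                   # bias of S
        "max_overlap": max_collision_overlap(S, q),   # collision resistance parameter
        "delta_bound": size / q,                      # one-way bound |S|/q from Property 3
        "swap_tests_for_1e-6": repetitions_for(eps, 1e-6),
    }

if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

The maximum overlap between hashes of distinct inputs coincides with the bias of S, because ⟨ψ_S(x)|ψ_S(y)⟩ is the character sum for a = y − x.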

Quantum hash functions via expander graphs
In this section we show further development of the quantum hashing for finite groups. First, we explore the connection of the small-bias sets to the graph theory and then construct corresponding quantum hash functions.
Let us recall some definitions from graph theory. A graph $\Gamma$ is a set $V$ of vertices and a (multi-)set of edges $E$. Graph $\Gamma$ is a $d$-regular graph if all vertices have the same degree $d$; i.e. each vertex is incident to exactly $d$ edges.
The adjacency matrix of the graph $A = A(\Gamma)$ is an $n \times n$ matrix whose $(u, v)$ entry is the number of edges between vertex $u$ and vertex $v$. We refer to the eigenvalues of $A(\Gamma)$ as the spectrum of the graph $\Gamma$.
Next we consider the special case of expanders called Cayley graphs.They are defined as follows.
The set of vertices is identified with group elements $G$. The set of edges is $E = \{(g, gs) : s \in S\}$.
If set $S$ is symmetric (i.e. for any element $s \in S$ its inverse $s^{-1}$ is also contained in $S$), graph $\Gamma(G, S)$ is undirected.
The following fact is true for any finite abelian group G and any symmetric set S.
Property 5. Let $\chi$ be a character of a group $G$. The vector $b = \{\chi(g) : g \in G\}$ is an eigenvector of the matrix $A_S = A(\Gamma(G, S))/|S|$ and the corresponding eigenvalue is

Proof. Let $a_{ij}$ be elements of matrix $A_S$. Denote elements of $G$ by $g_1, g_2, \ldots$. Then $j$-th element of

Therefore,

The number of irreducible characters of a group $G$ is equal to the number of conjugacy classes of $G$, therefore for any abelian group $G$ the following property holds.

Property 6. The Cayley graph $\Gamma(G, S)$ is an $(|S|, \varepsilon)$-expander graph if and only if for all nontrivial characters $\chi$: $\left|\frac{1}{|S|}\sum_{s \in S}\chi(s)\right| \le \varepsilon$.
Here we note that any ε-biased set $S$ gives rise to an $(|S|, \varepsilon)$-expander graph which is a Cayley graph, and Ziatdinov (2016) showed that $(d, \varepsilon)$-expander graphs generate quantum hash functions using the following construction.
Let $\Gamma = (V, E)$ be a $(d, \varepsilon)$-expander graph. We label vertices $V$ of graph $\Gamma$ with elements of group $G$.
Let us randomly choose one vertex and perform a random walk of length t > O log |G| starting from it. Denote vertices that occurred in this walk by $s_j$. Then the following theorem holds.
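Properties 5 and 6 can be verified numerically for the cyclic group; the sketch below is an added example, not code from the paper. It builds the Cayley graph Γ(Z_q, S) in additive notation (edges (g, g + s)) for a constructed symmetric set S; q, the seed and all function names are hypothetical.

```python
import cmath
import math
import random

def symmetric_set(q, half, seed):
    """Random symmetric S in Z_q (q odd): pick `half` elements and add their inverses."""
    picks = random.Random(seed).sample(range(1, (q + 1) // 2), half)
    return sorted(set(picks) | {(-s) % q for s in picks})

def normalized_adjacency(q, S):
    """A_S = A(Gamma(Z_q, S)) / |S| with edges (g, g + s) for s in S."""
    A = [[0.0] * q for _ in range(q)]
    for g in range(q):
        for s in S:
            A[g][(g + s) % q] += 1 / len(S)
    return A

def character(a, q):
    """Vector b = (chi_a(g))_{g in Z_q} with chi_a(g) = exp(2*pi*i*a*g/q)."""
    return [cmath.exp(2j * math.pi * a * g / q) for g in range(q)]

def eigen_check(A, a, S, q):
    """Return (lambda_a, max |(A b - lambda_a b)_g|) for the character chi_a."""
    b = character(a, q)
    lam = sum(cmath.exp(2j * math.pi * a * s / q) for s in S) / len(S)
    Ab = [sum(A[g][h] * b[h] for h in range(q)) for g in range(q)]
    return lam, max(abs(Ab[g] - lam * b[g]) for g in range(q))

def spectrum_report(q, S):
    """Check every character and return (worst residual, eigenvalues, expansion eps)."""
    A = normalized_adjacency(q, S)
    worst, eigenvalues = 0.0, []
    for a in range(q):
        lam, residual = eigen_check(A, a, S, q)
        worst = max(worst, residual)
        eigenvalues.append(lam)
    # The q characters are linearly independent, so this is the whole spectrum;
    # the largest nontrivial |eigenvalue| is the bias of S (Property 6).
    eps = max(abs(lam) for lam in eigenvalues[1:])
    return worst, eigenvalues, eps

if __name__ == "__main__":
    q = 31                                   # constructed example modulus
    S = symmetric_set(q, half=4, seed=3)
    worst, eigenvalues, eps = spectrum_report(q, S)
    print("S =", S)
    print("max eigen-equation residual:", worst)
    print("expansion parameter eps:", eps)
```

Because S is symmetric the eigenvalues come out real, and the second-largest one in absolute value is exactly the bias of S.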

Quantum hash functions via extractors
Every expander graph can be converted to a bipartite expander graph. The generalization of these bipartite expander graphs is the notion of extractor graphs. An extractor graph is a bipartite graph where the sizes of the components can be different. An extractor can also be defined in terms of a function that maps a pair of a first-component vertex and an edge to a second-component vertex.
To define extractors we first recall the notions of statistical distance and min-entropy.
Definition 5. We say that two distributions $F$ and $G$ are ε-close, if for every event $A$,

The uniform distribution over $\{0, 1\}^m$ is denoted by $U_m$ and we say that $X$ is ε-close to uniform if it is ε-close to $U_m$.
We denote that distribution $F$ is ε-close to distribution $G$ by $F \approx G$.
Definition 6. Let $X$ be a distribution. The min-entropy of $X$ is .
Now we recall the definition of extractors.
The notion of extractor can be used to construct a quantum hash function in the following way.
Let $\Psi_{Ext,t,S} : G \to (\mathcal{H}^2)^{\otimes(d + \log t)}$ be a quantum function defined as

The following theorem about $\Psi_{Ext,t,S}$ was proved in (Ziatdinov, 2016).
Thus, using explicit extractors (like the one of (Guruswami, Umans, and Vadhan, 2009)) we can obtain an explicit quantum hash function with cryptographic properties.

Message authentication codes via quantum hash functions
Classical message authentication codes (MAC) have a wide range of applications; for more details we refer to (Menezes, Van Oorschot, and Vanstone, 1996). They are defined as a triple of algorithms: $G$ that generates a key, $S$ that uses the key and the message to generate a tag of the message, and $V$ that uses the key, the message and the tag to verify message integrity. This method uses a shared secret key, and so the parties should trust each other.
Formally, $G : 1^n \to K$, where $n$ is a security parameter and $K$ is a set of all possible keys, $S : K \times X \to T$, where $X$ is a set of messages and $T$ is a set of tags, and $V : K \times X \times T \to \{Acc, Rej\}$.
We require the following property for MAC to be a sound system:

i.e. that the verifier always accepts a generated tag. We also require that MAC is a secure system and for any adversary $A$ that can query MAC:

i.e. any adversary that can query MAC outputs a correct tag for some key that was not queried and some message with negligible probability. One classical construction of MAC is hash-based MAC (also known as keyed hash functions). Basically, a keyed hash function is a function $H(k, x)$, such that $H(k, \cdot)$ is a cryptographic hash function for every $k$. It is easy to see that such a function can be used as MAC.
Strong extractors against quantum storage. Ta-Shma (2009) introduced the following definitions.

where $A$ is an arbitrary attacker that can query $S$ and $Query(A)$ is a set of queries made.
Informally, a keyed quantum hash function outputs a tag for a message. If someone changes a message, then the verification step fails with high probability. If an attacker Eve can query a keyed quantum hash function, access to the function doesn't help her to forge a tag for some message with some (unqueried) key.
Let $\Psi_{Ext}$ be the following quantum function.

For the detailed proof we refer to (Ziatdinov, 2016). Here we note that using an explicit extractor against quantum storage from (De and Vidick, 2009) one can construct a corresponding keyed quantum hash function.