On Quantum Fingerprinting and Quantum Cryptographic Hashing

1.1. Classical and quantum fingerprinting

Fingerprinting in complexity theory is a procedure that maps a large data item to a much shorter string, its fingerprint, that identifies the original data (with high probability). The key properties of classical fingerprinting methods are (i) they allow to build efficient randomized computational algorithms and (ii) the resulting algorithms have bounded error [1].

Rusins Freivalds was one of the first researchers who introduced methods (later called fingerprinting) for constructing efficient randomized algorithms (which are more efficient than any deterministic algorithm) [2, 3].

In quantum case, fingerprinting is a procedure that maps classical data to a quantum state that identifies the original data (with high probability). One of the first applications of the quantum fingerprinting method is due to Ambainis and Freivalds [4]: for a specific language, they have constructed a quantum finite automaton with an exponentially smaller size than any classical randomized automaton. An explicit definition of the quantum fingerprinting was introduced by Buhrman et al. [5] in (2001) for constructing efficient quantum communication protocol for equality testing. It is worth noting that the fingerprinting by Buhrman et al. has been used as a cryptographic hash function in [6, 7].

1.2. Cryptographic quantum hashing

Cryptographic hashing has a lot of fruitful applications in cryptography. Note that in cryptography functions satisfying (i) one-way property and (ii) collision resistance property (in different specific meanings) are called hash functions, and we propose to do so when we are considering cryptographical aspects of quantum functions with the above properties. So, we suggest to call a quantum function that satisfies properties (i) and (ii) (in the quantum setting), a cryptographic quantum hash function or just quantum hash function. Note, however, that there is only a thin line between the notions of quantum fingerprinting and quantum hashing. One of the first considerations of a quantum function (that maps classical words into quantum states) as a cryptographic primitive, having one-way property and collision resistance property is due to [6], where the quantum fingerprinting function from [5] was used. Another approach to constructing quantum hash functions from quantum walks was considered in [8, 9, 10], and it resulted in privacy amplification in quantum key distribution and other useful applications.

1.3. The chapter organization

In Section 3, we consider quantum fingerprinting as a mapping of classical inputs to quantum states, which allows to construct efficient quantum algorithms for computing Boolean functions. We consider the quantum fingerprinting function from [5] as well as the quantum fingerprinting technique from [11]. The latter was motivated by the paper [4] and its generalization [12].

We define a notion of quantum (δ, ε)-hash function that is quantumly one-way δ-resistant and quantumly collision ε-resistant.

We show that one-way property and collision resistance property are correlated for a quantum hash function. The more the function is one-way, the less it is collision resistant and vice versa. We show that such a correlation can be balanced.

We present an approach for quantum hash function constructions by establishing a connection with small-biased sets [13] and quantum hash function constructions: we prove that each ε-biased set allows to generate quantum collision ε-resistant function. Note that one-way property of this function depends on the size of such ε-biased set: the smaller ε-biased set allows to generate a quantum function with the better one-way characteristics. Such a connection adds to the long list of small-biased sets’ applications.

In particular, it was observed in [13, 14] that the ε-bias property is closely related to the error-correcting properties of linear codes. In particular, for the binary case, a set S is ε-biased iff every pair of distinct code words of corresponding error correcting code C_S has relative Hamming distance (1 ± ε)/2.

Note that the quantum fingerprinting function from [5] is based on a binary error-correcting code, and so it solves the problem of constructing quantum hash functions for the binary case. For the general (nonbinary) case, ε-bias does not correspond to Hamming distance. Thus, in contrast to the binary case, an arbitrary linear error correcting code cannot be used directly for quantum hash functions.

Note that one-way property of function means computational effectiveness of this function. We show that considered construction of quantum (δ, ε)-hash function is computed effectively in the model of quantum branching programs. We consider two complexity measures: a number width(Q) of qubits that QBP Q uses for computation and a number time(Q) of computational steps of QBP Q. Such QBP Q is of width(Q) = O(log log q) and time(Q) = log q.

We prove that such QBP construction is optimal. That is, we prove lower bounds Ω(log log q) for QBP width and Ω(log q) for QBP time for quantum (δ, ε)-hash function presentation.

3.1. Binary quantum fingerprinting

The quantum fingerprinting function was formally defined in [5], where it was used for quantum equality testing in a quantum communication model. It is based on the notion of a binary error-correcting code.

An (n, k, d) error-correcting code is a map C : Σ^k→Σⁿ such that, for any two distinct words w , w^′ ∈ Σ^k, the Hamming distance d(C(w), C(w^′)) between code words C(w) and C(w^′) is at least d. The code is binary if Σ = {0, 1}.

The construction of the quantum fingerprinting function is as follows.

• Let c > 2 and ε < 1. Let k be a positive integer and n = ck. Let E : {0, 1}^k→{0, 1}ⁿ be a (n, k, d) binary error-correcting code with Hamming distance d ≥ (1 − ε)n.

• Define a family of functions F_E = {E₁,  … , E_n}, where E i : 0 1 k → F 2 is defined by the rule: E_i(w) is the i-th bit of the codeword E(w).

• Let s = log n + 1. Define the quantum function ψ_FE : {0, 1}^k→(ℋ²)^⊗s, determined by a word w as

Original paper of [5] used this function to construct a quantum communication protocol that tests equality in the simultaneous message passing (SMP) model with no shared resources. This protocol requires O(log n) qubits to compare n-bit binary strings, which is exponentially smaller than any classical deterministic or even randomized protocol in the SMP setting with no shared randomness. The proposed quantum protocol has one-sided error of 1/2(1 + ⟨ψ_FE(x)| ψ_FE(y)⟩²), where |ψ_FE(x)⟩ and |ψ_FE(y)⟩ are two different quantum fingerprints. Their inner product |⟨ψ_FE(x)| ψ_FE(y)⟩| is bounded by ε, if the Hamming distance of the underlying code is (1 − ε)n. Thus, ε is determined by the chosen error-correcting code. For instance, Justesen codes mentioned in the paper give ε < 9/10 + 1/(15c) for any chosen c > 2.

In the same paper, it was shown that this result can be improved by choosing an error-correcting code with Hamming distance between any two distinct code words (1 − ε)n/2 and (1 + ε)n/2 for any ε > 0 (however, the existence of such codes can only be proved nonconstructively via probabilistic argument).

Further research on this topic mostly used the following phase presentation version of quantum fingerprinting. We define the quantum fingerprinting function ψ : {0, 1}^k→(ℋ²)^⊗s determined by a word w as

This function gives the following bound for the fingerprints of distinct inputs

3.2. q-ary quantum fingerprinting

In this section, we demonstrate the generalization of binary fingerprinting function to the q-ary case. General technique is presented in [11, 15]. Here, we present the idea using specific Boolean function g : {0, 1}ⁿ→{0, 1} where g(σ) = 1 iff σ = 0 mod sq. We treat σ also as an integer encoded by binary string σ.

To test g, we rotate the initial state |0⟩ of a single qubit by an angle θ = πσ/q:

Then, this state |ψ(σ)⟩ is measured and the input σ is accepted iff the result of the measurement is |0⟩.

Obviously, this quantum state is ±|0⟩ iff σ = 0 mod q. In the worst case, this algorithm gives the one-sided error of cos²π(q − 1)/q, which can be arbitrarily close to 1.

The above description can be presented as follows using log t + 1 = (log log q) + 1 qubits:

where θ i = 2 π s i σ q and the set S = {s₁,  … , s_t} ⊆ ℤ_q is chosen in order to guarantee the small probability of error [11, 15]. That is, the last qubit is simultaneously rotated in t different subspaces by corresponding angles θ_i.

The above q-ary quantum fingerprinting method can be presented in the following procedure:

1. The initial state of the quantum register is |0⟩^⊗ log t|0⟩.

2. The Hadamard transform creates the uniform superposition 1 t ∑ j = 1 t   j 0 of the basis states {|j⟩|0⟩ : j ∈ {1,  … , t}}.

3. Based on the input σ, its fingerprint is created: 1 t ∑ j = 1 t   | j ⟩ cos 2 π s j σ q | 0 ⟩ + sin 2 π s j σ q | 1 ⟩ .

4. The Hadamard transform turns the fingerprint into the state | ψ ⟩ = 1 t ∑ l = 1 t   cos 2 π s l σ q | 0 ⊗ log t 0 + …

5. The quantum state |ψ⟩ is measured and the input is accepted iff the result is |0⟩^⊗ log t|0⟩.

In [11, 15, 16], we have applied this technique to construct efficient quantum algorithms for a certain class of Boolean functions in the model of read-once quantum branching programs [17].

3.2.2. Circuit representation

Quantum circuits are good formalism for quantum algorithms representation [19, 20]. A quantum branching programs can be viewed as a quantum circuit aided with an ability to read classical bits as control variables for unitary operations (see Figure 1).

4.1. One-way δ resistance

We present the following definition of a quantum δ-resistant one-way function. Let “information extracting” mechanism M be a function M : ℋ 2 ⊗ s → X . Informally speaking, mechanism M makes some measurements to state |ψ⟩ ∈ (ℋ²)^⊗s and decodes the result of measurement to X .

Definition 2 ([21]) Let X be a random variable distributed over X Pr X = w : w ∈ X . Let ψ : X → ℋ 2 ⊗ s be a quantum function. Let Y be any random variable over X obtained by some mechanism M making measurement to the encoding ψ of X and decoding the result of the measurement to X . Let δ > 0. We call a quantum function ψ a one-way δ-resistant function if

1. it is easy to compute, i.e., a quantum state |ψ(w)⟩ for a particular w ∈ X can be determined using a polynomial-time algorithm.

2. for any mechanism M, the probability Pr[Y = X] that M successfully decodes Y is bounded by δ

For the cryptographic purposes, it is natural to expect (and we do this in the rest of the paper) that random variable X is uniformly distributed.

A quantum state of s ≥ 1 qubits can theoretically record an infinite amount of information. On the other hand, the Holevo’s theorem [22] states that by a quantum measurement, one can extract O(s) bits of information about the state. Here, we use the result of [23] motivated by the Holevo’s theorem.

Property 1 ([23]) Let X be a random variable uniformly distributed over {0, 1}^k. Let ψ : {0, 1}^k→(ℋ²)^⊗s be a quantum function. Let Y be a random variable over {0, 1}^k obtained by some mechanism M making some measurement of the encoding ψ of X and decoding the result of measurement to {0, 1}^k. Then, the probability of correct decoding is given by

So, extracting an information on input σ from state |ψ(σ)⟩ in conditions of Property 1 is “hard.” The effectiveness of computation |ψ(σ)⟩ depends on construction of quantum hash function ψ. In Section 4.4, we consider quantum hash function construction based on small-biased sets and prove effectiveness of this construction.

4.2. Collision ε resistance

The following definition was presented in [24].

Definition 3 Let ε > 0. We call a quantum function ψ : X → ℋ 2 ⊗ s a collision ε-resistant function if for any pair w , w^′ of different inputs, |⟨ψ(w)| ψ(w^′)⟩| ≤ ε.

Informally speaking, we need two states |ψ(w)⟩ and |ψ(w^′)⟩ that is almost orthogonal in order to get small probability of collision, that is, if one tests states |ψ(w)⟩ and |ψ(w^′)⟩ for equality, then a testing procedure should give positive result with a small probability. We start with quantum testing procedures.

4.3. Balanced quantum (δ, ε) resistance

The combination of one-way and collision-resistant function definitions gives the definition of quantum cryptographic function.

Definition 4 ([21]) Let K = ∣ X ∣ and s ≥ 1. Let δ > 0 and ε > 0. We call a function ψ : X → ℋ 2 ⊗ s a quantum (δ, ε)-hash function iff ψ is one-way δ-resistant and is collision ε-resistant function.

We present below the following two examples to demonstrate how one-way δ resistance and collision ε resistance are correlated. The first example was presented in [4] in terms of quantum automata.

Example 1 Let v ∈ {0,  … , 2^k − 1}. Number v is encoded by a single qubit as follows:

Extracting information from |ψ⟩ by measuring |ψ⟩ with respect to the basis {|0⟩, |1⟩} gives the following result. The function ψ is one-way 2 2 k resistant (see Property 1) and collision cos(π/2^k − 1) resistant. Thus, the function ψ has a good one-way property but has a bad collision resistance property for large k.

Clearly, that one can store (to hash) in this way an arbitrary large amount of classical information, that is, for arbitrary large k one can store all numbers from {0,  … , 2^k − 1} in a single qubit. Holevo bound [22] proves that given s ≥ 1 qubits, the amount of classical information that can be retrieved, i.e., accessed, can be only up to s classical bits. This is a quantum mechanical approach for the one-way property.

The map ψ is one to one. So, there is no collision in a “quantum level.” But extracting the result from quantum state is a probabilistic procedure. This means that one can get the situation when some procedure that tests the equality of different quantum hashes |ψ(v)⟩, |ψ(w)⟩ outputs “the hashes are the same” (equivalently “the numbers v, w are the same”), while the numbers v and w are different. For example, two numbers 0 and 2^k − 2 generate orthogonal states |ψ(0)⟩ = |1⟩ and |ψ(2^k − 2)⟩ = |0⟩. So, numbers 0 and 2^k − 2 are distinguishably reliable in respect of the above encoding. But two numbers 0 and 1 cannot be reliably distinguished by encoding ψ.

Example 2 Binary word v = σ₁ ,  …  , σ_k ∈ {0, 1}^k encoded by k qubits (each bit encoded by a qubit): ψ : v↦|v⟩ = |σ₁⟩ ,  ⋯  , |σ_k⟩.

Clearly, we have that such encoding is collision one-way, 1-resistant, and 0-resistant. So, in contrast to Example 1, the encoding ψ from Example 2 for different words v and w, their images (quantum states) |ψ(v)⟩ and |ψ(v)⟩ are orthogonal and therefore reliably distinguished; but ψ is easily invertible: the function ψ is not one-way resistant.

The following result [24] proves that a quantum collision ε-resistant function needs at least log log K − c(ε) qubits.

Property 4 ([24]) Let s ≥ 1 and K = ∣ X ∣ ≥ 4 . Let ψ : X → ℋ 2 ⊗ s be a collision ε-resistant quantum hash function. Then,

Proof. First, we observe that from the definition ∣ ∣ ψ ∣ ∣ = ψ ψ of the norm, it follows that

Hence, for an arbitrary pair w , w^′ of different elements from X , we have that

We let Δ = 2 1 − ε . For short, we let (ℋ²)^⊗s = V in this proof. Consider a set Φ = ψ w : w ∈ X . If we draw spheres of radius Δ/2 with centers |ψ⟩ ∈ Φ, then spheres do not pairwise intersect. All these K spheres are in a large sphere of radius 1 + Δ/2. The volume of a sphere of radius r in V is cr^2s + 1 for the complex space V. The constant c depends on the metric of V. From this, we have that the number K is bonded by the number of “small spheres” in the “large sphere”

Hence,

Properties 1 and 4 provide a basis for building a “balanced” one-way δ-resistance and collision ε-resistance properties. That is, roughly speaking, if we need to hash elements w from the domain X with ∣ X ∣ = K and if one can build for an ε > 0 a collision ε-resistant (K; s) hash function ψ with s ≈ loglogK − c(ε) qubits, then the function f is one-way δ resistant with δ ≈ (logK/K). Such a function is balanced with respect to Property 4.

To summarize the above considerations, we can state the following. A quantum (δ, ε)-hash function is a function that satisfies all of the properties that a “classical” hash function should satisfy. Preimage resistance follows from Property 1. Second preimage resistance and collision resistance follow, because all inputs are mapped to states that are nearly orthogonal. Therefore, we see that quantum hash functions can satisfy the three properties of a classical cryptographic hash function.

4.4. Quantum hash functions construction via small-biased sets

This section is based on the paper [26]. We first present a brief background on ε-biased sets. For more information, see [27]. Note that ε-biased sets are generally defined for arbitrary finite groups, but here we restrict ourselves to ℤ_q.

For an a ∈ ℤ_q, a character χ_a of ℤ_q is a homomorphism χ_a : ℤ_q→μ_q, where μ_q is the (multiplicative) group of complex q-th roots of unity. That is, χ_a(x) = ω^ax, where ω = e 2 πi q is a primitive q-th root of unity. The character χ₀ ≡ 1 is called a trivial character.

Definition 5 A set S ⊆ ℤ_q is called ε biased, if for any nontrivial character χ ∈ {χ_a : a ∈ ℤ_q}

These sets are interesting when ∣S∣ ≪ ∣ℤ_q∣ (as S = ℤ_q is 0 biased). In their seminal paper, Naor and Naor [13] defined these small-biased sets, gave the first explicit constructions of such sets, and demonstrated the power of small-biased sets for several applications.

Remark 1 Note that a set S of O(log q/ε²) elements selected uniformly at random from ℤ_q is ε biased with positive probability [28].

Many other constructions of small-biased sets followed during the last decades.

Vasiliev [26] showed that ε-biased sets generate (δ,ε)-resistant hash functions. We present the result of [26] in the following form.

Theorem 1 Let S ⊆ ℤ_q be an ε-biased set. Let H_S = {h_a(x) = ax(mod q), a ∈ S, h_a : ℤ_q→ℤ_q} be a set of functions determined by S. Then, a quantum function ψ_HS : ℤ_q→(ℋ²)^{⊗ log ∣S∣}

Proof. One-way δ-resistance property of ψ_HS follows from Property 1: a probability of correct decoding an x from a quantum state |ψ_HS(x)⟩ is bounded by ∣S∣/q.

Collision ε-resistance property of ψ_HS follows directly from the corresponding property of [26]. Note that

We will prove that for arbitrary different elements v , v^′ ∈ ℤ_q, it is true that

Let χ_v(x) and χ_v′(x) be characters of group ℤ_q. Then, χ v ∗ x is also a character of ℤ_q and so the following function is χ x = χ v ∗ x χ v ′ x . χ(x) is nontrivial character of ℤ_q, since χ v x ≡ χ v ′ x and χ x = χ v ∗ x χ v ′ x ≡ χ v ∗ x χ v x ≡ 1 , where 1 is a trivial character of ℤ_q. Thus, the statement of Theorem 1 follows from the definition of an ε-biased set.

4.5. Quantum fingerprinting functions as hash functions

In this section, we give two explicit examples of the quantum hashing for specific finite abelian groups, which turn out to be the known quantum fingerprinting schemas.

5.1. Complexity measures

We consider the following notations. For the QBP Q from Theorem 2, we let width(Q) = s and time Q = ∣ T ∣ . Next for quantum hash function ψ_HS (6), we let

where minimum is taken over all QBPs that compute ψ_HS.