The line of questioning is inspired by the pick-one trick in Section 4 of the PDF version of the paper
Quantum Attacks on Classical Proof Systems - The Hardness of Quantum Rewinding (Ambainis *et al.*, 2014). Slides available here. I don't fully follow the argument there, so maybe I missed something important, but here is my interpretation of their trick.

Consider a classical hash function $x \rightarrow H(x)$ that is collision resistant, i.e., it is computationally hard to find $H(x) = H(x') \land x\neq x'$. We wish to encode a commitment of a message using this hash function. That is, I take some message $m$ and concatenate some randomness $u$ at the end such that I generate a commitment $c = H(m\Vert u)$. When asked to prove my commitment, I cannot find a different pair $(m',u')$ such that $c = H(m'\Vert u')$ because of the collision-free nature of hashes. My only choice is to open the commitment to $(m,u)$.

Now, we attack this protocol with a quantum circuit of the hash function.

Take a superposition over all possible inputs $x_i$ and query the hash function with this state to obtain the state $\vert\psi\rangle = \sum_{i}\vert x_i\rangle\vert H(x_i)\rangle$.

Measure the second register to obtain a random commitment. The measurement randomly picks $c = H(x_i)$ for some $i$. The first register then has $\vert\phi\rangle = \sum_j \vert x_j\rangle$ such that $\forall j, c = H(x_j)$.

I'd like to open the commitment to some $m'$ that is given to me by the opponent. Use Grover's search on the first register to find an $x_{\text{sol}}$ from the state $\vert\phi\rangle = \sum_j\vert x_j\rangle$ that satisfies some special property. Specifically, the special property is that the first $|m'|$ bits of $x_{\text{sol}}$ are $m'$. That is, I will search to find $x_{\text{sol}} = m'\Vert u'$.

Using the slides posted earlier (Slide 8) and their terminology, it is efficient to find a value $x$ from the intersection of two sets $S$ and $P$. Here $S$ is the set of all $x$ such that $H(x) = c$ and $P$ is the set of all $x$ where the first $|m'|$ bits of $x$ are exactly $m'$.

My questions regarding this attack are the following:

1. Did I get the basic idea of the attack correct? If wrong, ignore the rest of the post!

2. How many elements are there in the superposition $\vert\phi\rangle$ after we commit to a certain $c$? In order that I can open the commitment to any message, it seems like I should have $O(N)$ (the size of the hash function's range) elements. But this is too large.

3. The speed of Grover search - this is related to the previous point - is the other thing. Wouldn't the computational complexity of searching over such a large superposition $\vert\phi\rangle$ be the same as trying to guess a pre-image for a given output of the hash function, since one has to search over all the $u$? In this case, where is the advantage?

I'm looking for the intuition more than mathematical proofs so any help is greatly appreciated!
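Added worked example (this is not code from the question, the paper, or its authors): a classical amplitude simulation of the steps described above, run on a constructed 12-bit toy hash with a 4-bit output so that every preimage set $S$ can be enumerated. It follows the post's description literally: the commitment $c$ is the measured value $H(x_0)$, $\vert\phi\rangle$ is the uniform superposition over $S = \{x : H(x) = c\}$, and Grover's oracle marks the $x$ whose first $|m'|$ bits equal $m'$. Two things are assumed rather than taken from the page: the "first bits" of $x$ are its most significant bits, and the diffusion step is an ideal reflection about $\vert\phi\rangle$ (the post does not spell out how that reflection is realised, so it is idealised here). The iteration count uses the standard Grover bound $\lfloor \frac{\pi}{4}\sqrt{|S|/|S\cap P|}\rfloor$, so the simulation also shows the point behind question 3: the work depends on the ratio $|S|/|S \cap P| \approx 2^{|m'|}$, not on $|S|$ itself, which is why the same $c$ can afterwards be opened to a short $m'$ chosen by the opponent. The function names (`toy_hash`, `preimage_set`, `grover_open`, `open_commitment_both_ways`) and all parameters are this example's own.

```python
import math

# Constructed toy parameters: inputs are 12-bit strings, the hash outputs 4 bits,
# and the message m' occupies the first (most significant) 2 bits of x = m' || u.
N_IN = 12
N_OUT = 4
PREFIX_LEN = 2


def toy_hash(x: int) -> int:
    """Constructed many-to-one toy hash {0,1}^12 -> {0,1}^4 (a mixing finalizer,
    not a secure hash; it only needs to look random for the illustration)."""
    h = (x * 0x9E3779B1) & 0xFFFFFFFF
    h ^= h >> 15
    h = (h * 0x85EBCA6B) & 0xFFFFFFFF
    h ^= h >> 13
    return (h >> (32 - N_OUT)) & ((1 << N_OUT) - 1)


def prefix(x: int) -> int:
    """The first |m'| bits of x, i.e. the message part of x = m' || u (assumed MSB-first)."""
    return x >> (N_IN - PREFIX_LEN)


def preimage_set(c: int) -> list:
    """S = {x : H(x) = c}: the basis states left in the first register after the
    second register has been measured as c (the state |phi> of the post)."""
    return [x for x in range(1 << N_IN) if toy_hash(x) == c]


def grover_open(S: list, m_prime: int) -> dict:
    """Simulate Grover search over |phi> = uniform superposition of S for an x whose
    prefix is m_prime. The diffusion operator 2|phi><phi| - I is applied as an ideal
    reflection about |phi> (an idealisation, see the lead-in)."""
    n = len(S)
    marked = [x for x in S if prefix(x) == m_prime]
    if not marked:
        return {"found": None, "iterations": 0, "success_prob": 0.0, "marked": 0, "size": n}
    frac = len(marked) / n
    theta = math.asin(math.sqrt(frac))
    # Standard Grover count: about (pi/4) * sqrt(|S| / |S ∩ P|) iterations.
    iterations = int(math.floor(math.pi / (4 * theta)))
    amp = {x: 1.0 / math.sqrt(n) for x in S}
    for _ in range(iterations):
        for x in marked:                  # oracle: phase flip on every x in P
            amp[x] = -amp[x]
        mean = sum(amp.values()) / n      # reflection about |phi>: a_x -> 2*mean - a_x
        for x in S:
            amp[x] = 2 * mean - amp[x]
    success_prob = sum(amp[x] ** 2 for x in marked)   # probability of measuring some x in S ∩ P
    found = max(marked, key=lambda x: amp[x] ** 2)    # the most likely measurement outcome
    return {"found": found, "iterations": iterations, "success_prob": success_prob,
            "marked": len(marked), "size": n}


def open_commitment_both_ways(x0: int) -> dict:
    """Commit to c = H(x0) (the value the measurement produced), then open the same c
    to two different messages chosen afterwards. A binding commitment should make
    at least one of these openings fail; here both succeed."""
    c = toy_hash(x0)
    S = preimage_set(c)
    openings = {}
    for m_prime in (0b01, 0b10):
        r = grover_open(S, m_prime)
        x = r["found"]
        openings[m_prime] = {
            "x": x,
            "valid": x is not None and toy_hash(x) == c and prefix(x) == m_prime,
            "success_prob": r["success_prob"],
            "iterations": r["iterations"],
        }
    return {"c": c, "size_S": len(S), "openings": openings}


if __name__ == "__main__":
    res = open_commitment_both_ways(37)   # 37 is an arbitrary constructed x0
    print(f"commitment c = {res['c']:0{N_OUT}b}, |S| = {res['size_S']}")
    for m_prime, o in res["openings"].items():
        print(f"open to m' = {m_prime:0{PREFIX_LEN}b}: x = {o['x']:0{N_IN}b}, "
              f"valid = {o['valid']}, Grover iterations = {o['iterations']}, "
              f"success probability = {o['success_prob']:.3f}")
```

With these parameters $|S|$ is around $2^{N_{IN}-N_{OUT}} = 256$ and about a quarter of $S$ carries any given 2-bit prefix, so a single Grover iteration already suffices; doubling `PREFIX_LEN` roughly doubles the iteration count ($\sqrt{2^{|m'|}}$) while leaving $|S|$ untouched, which is the ratio intuition the simulation is meant to make visible.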

@DomniqueUnruh - What about the storage requirements for the Grover search? – vy32 – 2021-01-30T20:58:37.427

I'm not sure I understand the question. Grover needs as many qubits as needed to compute $P$ plus the qubits to hold $x$. In the cases of interest, $P$ will be something very simple. (E.g., checking whether the first bit is $1$.) – Dominique Unruh – 2021-01-31T17:52:36.753

Okay. I guess my confusion is that Grover requires iteration, and I'm not sure where the intermediate results from each iteration are stored. – vy32 – 2021-01-31T19:47:24.153

If the question is about how Grover works, I believe a textbook such as Nielsen, Chuang "Quantum Computation and Information" might be the best starting point. Otherwise, it is not clear to me what "where the results are stored" means. They are stored in the qubits that are part of the circuit. I don't see how this touches the discussion given in my answer, though. Maybe a separate StackExchange question would be the right place for your question in that case. – Dominique Unruh – 2021-02-02T10:01:37.397