
Defeating Quantum Algorithms with Hash Functions - signa11
https://research.kudelskisecurity.com/2017/02/01/defeating-quantum-algorithms-with-hash-functions/
======
johncolanduoni
> Furthermore, we know that the quantum collision-finding algorithm is
> optimal—no faster algorithm can be found.

There are two problems with this:

First, I'm not aware of any proof that Brassard et al.'s algorithm is optimal.
Grover's algorithm is optimal, but it is optimal for searching for a
_specific_ output value given an _arbitrary_ function. Obviously this
optimality doesn't carry over to collision finding because Brassard et al.'s
algorithm is superior to a naive use of Grover's for that purpose!

Second, even if Brassard's algorithm is optimal in the usual sense, it would
be optimal if given an _arbitrary_ function. Specific weaknesses in specific
hash functions could still result in methods that would beat it.

If you could prove it was the best method for finding hash collisions, even
against algorithms designed for specific hash functions, you would have to
conclude that the best way to break MD5 on a quantum computer is Brassard's
algorithm. That would be a big problem, since we already have better classical
methods, and classical algorithms transfer trivially to quantum computers
(with the same asymptotic properties). Someone's proof would have to be
inconsistent, or ZFC would have to be inconsistent or something crazy like
that!

~~~
DannyBee
"First, I'm not aware of any proof that Brassard et al.'s algorithm is
optimal."

Also, it's really not clear from this post why you can't play the same kind of
parallelization game.

(i.e. if the underlying thing it provides is a faster way to do x, why can't you
parallelize that x in the same way)

Actually, it looks like Bernstein points out you can do this, so the author of
this post is essentially comparing a crappy technique to a good one, and
saying "The good one is better".

It turns out they are the same in the end and it's just cheaper to build
normal machines than quantum ones. That seems more reasonable to me than "this
technique is slower than the best classical one". It's not. It's just cheaper.
That's all.

He also says Bernstein brilliantly explains why even better quantum algorithms
will never win, but actually, Bernstein just conjectures that :)

"there are several obvious ways to combine quantum search with the rho
method, but I have not found any such combinations that improve performance,
and I conjecture that—in a suitable generic model—no such improvements are
possible."

That's a pretty easy conjecture to always make - "I haven't found a way to
make this faster, so I conjecture a way to make it faster doesn't exist".
These types of conjectures are often very wrong, which is why we have proofs
;)

------
tromp
While quantum computers are of limited use in inverting a hash function (which
remains infeasible for 256-bit hash functions), they would be a tremendous
boon for cryptocurrency mining on a Hashcash proof-of-work system, such as the
one used in bitcoin. In fact this is an obvious application of Grover's
algorithm [1] that can find an input x satisfying a predicate P(x) in time
O(sqrt(N)) where N is the domain size of P. The predicate P in this case is
just that SHA256(SHA256(x)) < difficulty_target, while N is about 2^70 at the
current difficulty level.

This gives a nice speedup, even if the quantum computer cycle time is a
million times slower. As a result, mining would centralize to outfits having
the most advanced quantum hashing chips.

Of course this ignores the bigger issue bitcoin would have with its signature
scheme being completely broken on quantum computers, rendering all exposed
public keys unsafe (addresses, being hashes of public keys, remain safe until
spent though; hence the recommendation against address re-use).

[1]
[https://en.wikipedia.org/wiki/Grover's_algorithm](https://en.wikipedia.org/wiki/Grover's_algorithm)

~~~
chriswarbo
> they would be a tremendous boon for cryptocurrency mining

Only for the miner's short-term self-interest. If quantum computers become
practical (e.g. a few states and organisations have one, of sufficient
size/speed to beat contemporary classical setups on some problems), then I
would imagine a sharp drop in value for any cryptocurrencies whose
proof-of-work is vulnerable to known quantum shortcuts.

------
PhantomGremlin
Is this all still totally hype? Anything close to practical? Wikipedia[1]
shows:

       year 2001: factor 15
       year 2011: factor 21
       year 2011: factor 143

At that rate of progress we might be able to factor something useful before we
reach the heat death of the universe. But I guess the topic is good for lots
of scary headlines.

[1]
[https://en.wikipedia.org/wiki/Quantum_computing](https://en.wikipedia.org/wiki/Quantum_computing)

~~~
reikonomusha
We are a very long way away from having quantum factorization of integers.
Quantum computers will be more useful for things like chemistry problems in
the near term.

~~~
tromp
Although articles like this

[https://phys.org/news/2017-02-blueprint-unveiled-large-scale-quantum.html](https://phys.org/news/2017-02-blueprint-unveiled-large-scale-quantum.html)

make it seem we're getting much closer...

~~~
reikonomusha
It will be physics papers demonstrating stability that should get your hopes
up, not signal delivery "blueprints", unfortunately.

------
baby
Shameless plug, a 4-part blog series on hash-based signatures:
[http://cryptologie.net/article/306/hash-based-signatures-part-i-one-time-signatures-ots/](http://cryptologie.net/article/306/hash-based-signatures-part-i-one-time-signatures-ots/)

