The sponge is a cryptographic construction that turns a public permutation into a hash function. When instantiated with the Keccak permutation, the sponge forms the NIST SHA-3 standard. SHA-3 is a core component of most post-quantum public-key cryptography schemes slated for worldwide adoption. While one can consider many security properties for the sponge, the ultimate one is indifferentiability from a random oracle, or simply indifferentiability. The sponge was proved indifferentiable against classical adversaries by Bertoni et al. in 2008. Despite significant efforts in the years since, little is known about sponge security against quantum adversaries, even for simple properties like preimage or collision resistance beyond a single round. This is primarily due to the lack of a satisfactory quantum analog of the lazy sampling technique for permutations. In this work, we develop a specialized technique that overcomes this barrier in the case of the sponge. We prove that the sponge is in fact indifferentiable from a random oracle against quantum adversaries. Our result establishes that the domain extension technique behind SHA-3 is secure in the post-quantum setting. Our indifferentiability bound for the sponge is a loose $O(\mathsf{poly}(q) 2^{-\mathsf{min}(r, c)/4})$, but we also give bounds on preimage and collision resistance that are tighter.
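As an added illustration (not code from the paper), the following Python implements the sponge construction the abstract describes over the Keccak-f[1600] permutation, with rate r bits and capacity c = 1600 - r, and cross-checks it against hashlib's SHA3-256 and SHAKE128; the permutation and pad10*1 padding follow the public FIPS 202 specification, and the function names are this example's own.

```python
import hashlib

def rol(a, n):  # rotate a 64-bit lane left by n bits, 0 <= n < 64
    return ((a << n) | (a >> (64 - n))) & 0xFFFFFFFFFFFFFFFF

def keccak_f1600(s):
    """Keccak-f[1600] on 25 little-endian 64-bit lanes, lane (x, y) stored at s[x + 5*y]."""
    lfsr = 1  # 8-bit LFSR that generates the round constants for iota
    for _ in range(24):
        c = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
        s = [s[i] ^ d[i % 5] for i in range(25)]                      # theta
        x, y, cur = 1, 0, s[1]
        for t in range(24):                                           # rho + pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, s[x + 5 * y] = s[x + 5 * y], rol(cur, (t + 1) * (t + 2) // 2 % 64)
        for y in range(5):                                            # chi
            row = s[5 * y:5 * y + 5]
            s[5 * y:5 * y + 5] = [row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5]) for x in range(5)]
        for j in range(7):                                            # iota
            lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) & 0xFF
            s[0] ^= ((lfsr >> 1) & 1) << ((1 << j) - 1)
    return s

def permute(state):  # apply Keccak-f[1600] to the 200-byte (1600-bit) state
    lanes = keccak_f1600([int.from_bytes(state[8 * i:8 * i + 8], "little") for i in range(25)])
    return bytearray(b"".join(l.to_bytes(8, "little") for l in lanes))

def sponge(msg, rate, suffix, out_len):  # rate r = `rate` bits, capacity c = 1600 - r
    r = rate // 8
    padded = bytearray(msg) + bytes([suffix]) + bytes(-(len(msg) + 1) % r)  # suffix + zero-fill
    padded[-1] |= 0x80                        # final '1' bit of pad10*1 closes the last block
    state = bytearray(200)
    for i in range(0, len(padded), r):        # absorb: XOR block into the outer r bytes, permute
        for j in range(r):
            state[j] ^= padded[i + j]
        state = permute(state)
    out = bytearray()
    while len(out) < out_len:                 # squeeze: read the outer part, permute for more
        out += state[:r]
        state = permute(state)
    return bytes(out[:out_len])

def sha3_256(msg):  # r = 1088, c = 512, suffix 0x06 (SHA-3 domain separation)
    return sponge(msg, 1088, 0x06, 32)
def shake128(msg, out_len):  # r = 1344, c = 256, suffix 0x1F (XOF domain separation)
    return sponge(msg, 1344, 0x1F, out_len)

def matches_hashlib(msg, xof_len=100):  # cross-check both modes against the standard library
    return (sha3_256(msg) == hashlib.sha3_256(msg).digest()
            and shake128(msg, xof_len) == hashlib.shake_128(msg).digest(xof_len))
```

The only bytes the permutation hides from the caller are the inner c bytes of the state, which is why the security bounds in the abstract are expressed in terms of r and c rather than the full 1600-bit width.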