Sponge hashing is a widely used class of cryptographic hash algorithms which underlies the current international hash function standard SHA-3. In a nutshell, a sponge function takes as input a bit-stream of any length and processes it via a simple iterative procedure: it repeatedly feeds each block of the input into a so-called block function, and then produces a digest by once again iterating the block function on the final output bits. While much is known about the post-quantum security of the sponge construction when the block function is modeled as a random function or one-way permutation, the case of invertible permutations, which more accurately models the construction underlying SHA-3, has so far remained a fundamental open problem. In this work, we make new progress towards overcoming this barrier and show several results. First, we prove the "double-sided zero-search" conjecture proposed by Unruh (eprint' 2021) and show that finding zero-pairs in a random $2n$-bit permutation requires at least $\Omega(2^{n/2})$ many queries -- and this is tight due to Grover's algorithm. At the core of our proof lies a novel "symmetrization argument" which uses insights from the theory of Young subgroups. Second, we consider more general variants of the double-sided search problem and show similar query lower bounds for them. As an application, we prove the quantum one-wayness of the single-round sponge with invertible permutations in the quantum random oracle model.
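To make the absorb/squeeze procedure described above concrete, here is a small sponge written for this page as an added example; it is not code from the paper and not SHA-3's Keccak-f. The block function is a toy ARX-style permutation on a 64-bit state (constructed here, with an explicit inverse so that the invertible-permutation setting the abstract singles out is visible), the rate and capacity split (16 and 48 bits), the pad10*1-style padding and the little-endian state layout are all assumptions of this example.

```python
# Toy sponge construction (illustrative code added here; not the paper's construction and
# not Keccak/SHA-3). State is a 64-bit integer: low RATE bits are the "rate" part that
# absorbs input and is read out as output, the remaining CAPACITY bits are never exposed.
WIDTH = 64
RATE = 16
CAPACITY = WIDTH - RATE
MASK = (1 << WIDTH) - 1
RATE_MASK = (1 << RATE) - 1
RATE_BYTES = RATE // 8
ROUNDS = 8
ODD_CONST = 0x9E3779B97F4A7C15   # odd, so multiplication mod 2^64 is invertible (constructed)
ROUND_KEY = 0xA5A5A5A5A5A5A5A5   # constant XORed each round (constructed)


def rotl(x: int, k: int) -> int:
    return ((x << k) | (x >> (WIDTH - k))) & MASK


def rotr(x: int, k: int) -> int:
    return ((x >> k) | (x << (WIDTH - k))) & MASK


def block_function(x: int) -> int:
    """Toy invertible permutation on the 64-bit state (hypothetical ARX mixer, not Keccak-f)."""
    for _ in range(ROUNDS):
        x ^= (x << 13) & MASK              # xorshift: invertible linear map over GF(2)
        x = (x * ODD_CONST) & MASK         # odd multiplier: invertible mod 2^64
        x = rotl(x, 29)                    # rotation: invertible
        x ^= ROUND_KEY
    return x


def block_function_inverse(y: int) -> int:
    """Undo block_function round by round; shows the permutation really is invertible."""
    inv_const = pow(ODD_CONST, -1, 1 << WIDTH)
    for _ in range(ROUNDS):
        y ^= ROUND_KEY
        y = rotr(y, 29)
        y = (y * inv_const) & MASK
        # Inverse of x ^= x << 13 is (I + S^13)(I + S^26)(I + S^52), since S^64 = 0.
        s = 13
        while s < WIDTH:
            y ^= (y << s) & MASK
            s *= 2
    return y


def pad10star1(msg: bytes) -> bytes:
    """Append 1, zeros, 1 (bit-level pad10*1 at byte granularity) up to a rate-sized block."""
    padded = bytearray(msg) + b"\x01"
    while len(padded) % RATE_BYTES:
        padded += b"\x00"
    padded[-1] |= 0x80
    return bytes(padded)


def sponge_hash(msg: bytes, out_len: int = 8) -> bytes:
    """Absorb every rate-sized block through the block function, then squeeze the digest."""
    state = 0
    padded = pad10star1(msg)
    for i in range(0, len(padded), RATE_BYTES):                   # absorbing phase
        block = int.from_bytes(padded[i:i + RATE_BYTES], "little")
        state = block_function(state ^ block)                      # only rate bits are XORed
    out = bytearray()
    while len(out) < out_len:                                      # squeezing phase
        out += (state & RATE_MASK).to_bytes(RATE_BYTES, "little")
        state = block_function(state)                              # iterate again for more output
    return bytes(out[:out_len])


def single_block_digest(block: bytes) -> bytes:
    """One absorb and one read-out: the single-application case of this toy sponge.
    (Hypothetical simplification for illustration; the paper's exact single-round
    definition is not reproduced here.)"""
    assert len(block) == RATE_BYTES
    state = block_function(int.from_bytes(block, "little"))        # capacity starts at zero
    return (state & RATE_MASK).to_bytes(RATE_BYTES, "little")


if __name__ == "__main__":
    print(sponge_hash(b"abc").hex())
    print(sponge_hash(b"abc", out_len=32).hex())
```

Two points worth noticing when reading it against the abstract: the capacity bits are never written to or read from outside the block function, which is what makes the squeeze output depend on a part of the state an adversary cannot set directly, and `block_function_inverse` is available to anyone who knows the (public, unkeyed) permutation, which is precisely why analysing the construction with an invertible block function differs from the random-function model.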