The sponge is a cryptographic construction that turns a public permutation into a hash function. When instantiated with the Keccak permutation, the sponge forms the NIST SHA-3 standard. SHA-3 is a core component of most post-quantum public-key cryptography schemes slated for worldwide adoption. While one can consider many security properties for the sponge, the ultimate one is indifferentiability from a random oracle, or simply indifferentiability. The sponge was proved indifferentiable against classical adversaries by Bertoni et al. in 2008. Despite significant efforts in the years since, little is known about sponge security against quantum adversaries, even for simple properties like preimage or collision resistance beyond a single round. This is primarily due to the lack of a satisfactory quantum analog of the lazy sampling technique for permutations. In this work, we develop a specialized technique that overcomes this barrier in the case of the sponge. We prove that the sponge is in fact indifferentiable from a random oracle against quantum adversaries. Our result establishes that the domain extension technique behind SHA-3 is secure in the post-quantum setting. Our indifferentiability bound for the sponge is a loose $O(\mathsf{poly}(q) 2^{-\mathsf{min}(r, c)/4})$, but we also give bounds on preimage and collision resistance that are tighter.