Claw finding problem

The claw finding problem is a classical problem in complexity theory, with several applications in cryptography. In short, given two functions f, g, viewed as oracles, the problem is to find x and y such as f(x) = g(y). The pair (x, y) is then called a claw. Some problems, especially in cryptography, are best solved when viewed as a claw finding problem, hence any algorithmic improvement to solving the claw finding problem provides a better attack on cryptographic primitives such as hash functions.

Let ${\displaystyle A,B,C}$ be finite sets, and ${\displaystyle f:A\to C}$, ${\displaystyle g:B\to C}$ two functions. A pair ${\displaystyle (x,y)\in A\times B}$ is called a claw if ${\displaystyle f(x)=g(y)}$. The claw finding problem is defined as to find such a claw, given that one exists.

If we view ${\displaystyle f,g}$ as random functions, we expect a claw to exist iff ${\displaystyle |A|\cdot |B|\ge |C|}$. More accurately, there are exactly ${\displaystyle |A|\cdot |B|}$ pairs of the form ${\displaystyle (x,y)}$ with ${\displaystyle x\in A,y\in B}$; the probability that such a pair is a claw is ${\displaystyle 1/|C|}$. So if ${\displaystyle |A|\cdot |B|\ge |C|}$, the expected number of claws is at least 1.

If classical computers are used, the best algorithm is similar to a Meet-in-the-middle attack, first described by Diffie and Hellman.^[1] The algorithm works as follows: assume ${\displaystyle |A|\le |B|}$. For every ${\displaystyle x\in A}$, save the pair ${\displaystyle (f(x),x)}$ in a hash table indexed by ${\displaystyle f(x)}$. Then, for every ${\displaystyle y\in B}$, look up the table at ${\displaystyle g(y)}$. If such an index exists, we found a claw. This approach takes time ${\displaystyle O(|A|+|B|)}$ and memory ${\displaystyle O(|A|)}$.

If quantum computers are used, Seiichiro Tani showed that a claw can be found in complexity

${\displaystyle \sqrt[3]{|A|\cdot |B|}}$ if ${\displaystyle |A|\le |B|<|A{|}^2}$ and

${\displaystyle \sqrt{|B|}}$ if ${\displaystyle |B|\ge |A{|}^2}$.^[2]

Shengyu Zhang showed that asymptotically these algorithms are the most efficient possible.^[3]

As noted, most applications of the claw finding problem appear in cryptography. Examples include:

• Collision finding on cryptographic hash functions.
• Meet-in-the-middle attacks: using this technique, k bits of round keys can be found in time roughly 2^k/2+1. Here f is encrypting halfway through and g is decrypting halfway through. This is why Triple DES applies DES three times and not just two.

Template:Reflist