I see lots of mention that zk-STARK proofs, which are being developed notably for use in blockchain networks, are labelled as "quantum resistant". Many articles and reports that state this claim it based on the idea that zk-STARKs rely on collision-resistant hashes. My understanding though is that there can never be a perfectly collision-resistant hash - and that it would be trivial for a quantum computer to attempt to find a collision in any hash. Is there some part that I do not understand that does make zk-STARKs quantum resistant?
For many hash functions, the best known quantum attacks are based on Grover search. This speeds up an $O(N)$ operation to $O(\sqrt{N})$, so it is a speedup, but only by a "polynomial" factor (it does not speed up an $O(2^N)$ operation to $O(N)$, or something like that).
My understanding though is that there can never be a perfectly collision-resistant hash - and that it would be trivial for a quantum computer to attempt to find a collision in any hash.
The part you do not understand is the second statement. If you have a particular attack in mind (that beats things based on Grover search), you should try working out the details, as it would be a quite nice result.
Mark Schultz-Wu
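As an added illustration (not part of the answer above), writing the search space of an $n$-bit hash as $N = 2^n$ makes the answer's point about the size of the Grover speedup concrete:

$$
\text{classical preimage search: } O(N) = O(2^{n}), \qquad
\text{Grover search: } O(\sqrt{N}) = O(2^{n/2}).
$$

For $n = 256$ this moves the cost from $2^{256}$ to $2^{128}$: the exponent is halved, not reduced to something polynomial in $n$. For collisions, the classical birthday bound is $O(2^{n/2})$, and the best known quantum algorithm (Brassard, Høyer and Tapp) needs $O(2^{n/3})$ queries together with a comparable amount of quantum-accessible memory, so for $n = 256$ the cost goes from about $2^{128}$ to about $2^{85}$. In both cases the security parameter shrinks by a constant factor and is restored by choosing a larger $n$, which is why hash-based constructions such as zk-STARKs are described as quantum resistant.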