Claw finding problem

The claw finding problem is a classical problem in complexity theory, with several applications in cryptography. In short, given two functions f, g, viewed as oracles, the problem is to find x and y such as f(x) = g(y). The pair (x, y) is then called a claw. Some problems, especially in cryptography, are best solved when viewed as a claw finding problem, hence any algorithmic improvement to solving the claw finding problem provides a better attack on cryptographic primitives such as hash functions.

Definition
Let $$A, B, C$$ be finite sets, and $$f: A \to C$$, $$g: B \to C$$ two functions. A pair $$(x,y) \in A \times B$$ is called a claw if $$f(x) = g(y)$$. The claw finding problem is defined as to find such a claw, given that one exists.

If we view $$f, g$$ as random functions, we expect a claw to exist iff $$|A| \cdot |B| \geq |C|$$. More accurately, there are exactly $$|A| \cdot |B|$$ pairs of the form $$(x,y)$$ with $$x \in A, y \in B$$; the probability that such a pair is a claw is $$1/|C|$$. So if $$|A| \cdot |B| \geq |C|$$, the expected number of claws is at least 1.

Algorithms
If classical computers are used, the best algorithm is similar to a Meet-in-the-middle attack, first described by Diffie and Hellman. The algorithm works as follows: assume $$|A| \leq |B|$$. For every $$x \in A$$, save the pair $$(f(x),x)$$ in a hash table indexed by $$f(x)$$. Then, for every $$y \in B$$, look up the table at $$g(y)$$. If such an index exists, we found a claw. This approach takes time $$O(|A| + |B|)$$ and memory $$O(|A|)$$.

If quantum computers are used, Seiichiro Tani showed that a claw can be found in complexity

$$\sqrt[3]{|A|\cdot|B|}$$ if $$|A|\le|B|<|A|^2$$ and

$$\sqrt{|B|}$$ if $$|B|\ge|A|^2$$.

Shengyu Zhang showed that asymptotically these algorithms are the most efficient possible.

Applications
As noted, most applications of the claw finding problem appear in cryptography. Examples include:
 * Collision finding on cryptographic hash functions.
 * Meet-in-the-middle attacks: using this technique, k bits of round keys can be found in time roughly 2k/2+1. Here f is encrypting halfway through and g is decrypting halfway through. This is why Triple DES applies DES three times and not just two.