The Sponge is Quantum Indifferentiable

📅 2025-04-23
🤖 AI Summary
This work addresses the foundational security question of whether the sponge construction satisfies quantum indifferentiability—a critical requirement for ensuring the post-quantum security of SHA-3. We introduce the first quantum lazy sampling technique tailored to the sponge construction, overcoming a longstanding bottleneck in quantum indifferentiability analysis. By integrating customized quantum query simulation with a rigorous security analysis framework, we establish, for the first time, that the sponge construction is indifferentiable from a random oracle against quantum adversaries in the standard quantum random oracle model. Furthermore, our analysis yields tighter bounds for quantum preimage and collision attacks. This work provides the first formal, verifiable post-quantum security foundation for the core sponge construction underlying SHA-3.

📝 Abstract
The sponge is a cryptographic construction that turns a public permutation into a hash function. When instantiated with the Keccak permutation, the sponge forms the NIST SHA-3 standard. SHA-3 is a core component of most post-quantum public-key cryptography schemes slated for worldwide adoption. While one can consider many security properties for the sponge, the ultimate one is indifferentiability from a random oracle, or simply indifferentiability. The sponge was proved indifferentiable against classical adversaries by Bertoni et al. in 2008. Despite significant efforts in the years since, little is known about sponge security against quantum adversaries, even for simple properties like preimage or collision resistance beyond a single round. This is primarily due to the lack of a satisfactory quantum analog of the lazy sampling technique for permutations. In this work, we develop a specialized technique that overcomes this barrier in the case of the sponge. We prove that the sponge is in fact indifferentiable from a random oracle against quantum adversaries. Our result establishes that the domain extension technique behind SHA-3 is secure in the post-quantum setting. Our indifferentiability bound for the sponge is a loose $O(\mathsf{poly}(q)\, 2^{-\min(r, c)/4})$, but we also give bounds on preimage and collision resistance that are tighter.
Problem

Research questions and friction points this paper is trying to address.

Proving sponge construction's quantum indifferentiability from random oracle
Addressing lack of quantum security analysis for SHA-3 sponge
Establishing post-quantum security of SHA-3 domain extension technique
Innovation

Methods, ideas, or system contributions that make the work stand out.

Sponge construction for quantum-resistant hash
Indifferentiability proof against quantum adversaries
Secure domain extension for post-quantum SHA-3
Authors

G. Alagic
University of Maryland, National Institute of Standards and Technology

Joseph Carolan
University of Maryland

Christian Majenz
Associate Professor, Technical University of Denmark
post-quantum cryptography, quantum cryptography, quantum information theory

Saliha Tokat
Technical University of Denmark