Abstract
In this work, we evaluate the security of Merkle-Damgård (MD) hash functions and their combiners (XOR and concatenation combiners) in quantum settings. Two main quantum scenarios are considered, including the scenario where a substantial amount of cheap quantum random access memory (qRAM) is available and where qRAM is limited and expensive to access. We first convert a rich set of known tools invented for generic attacks in the classical setting to quantum versions. That includes Joux’s multi-collision, expandable message, diamond structure, and interchange structure. With these basic tools in hand, we then present generic quantum attacks on the MD hash functions and hash combiners, and carefully analyze the complexities under both quantum scenarios. The considered securities are fundamental requirements for hash functions, including the resistance against collision, (second-)preimage, and herding attacks. The results are consistent with the conclusions in the classical setting, that is, the considered resistances of the MD hash functions and their combiners are far less than ideal, despite the significant differences in the expected security bounds between the classical and quantum settings. Particularly, the generic attacks can be improved significantly using quantum computers under both scenarios. These results serve as an indication that classical hash constructions require careful security re-evaluation before being deployed to the post-quantum cryptography schemes.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
In graph \( \mathcal {G} \), if there exists a set of edges, no two of which share a vertex, then the set of edges is called a matching. M is a maximum matching in \( \mathcal {G} \) if no matching in \( \mathcal {G} \) contains more edges than M does. If matching M in \( \mathcal {G} \) contains every vertex, then M is called a perfect matching. Our goal here, is to find a perfect matching in \( \mathcal {G} = (\mathcal {V}, \mathcal {E}) \), of which the vertex set is \( \mathcal {V} = \{x_1, \ldots , x_{2^t} \} \) and \( (x_i, x_j) \in \mathcal {E} \) if \( x_i \) and \( x_j \) generate an obtained collision.
References
Aaronson, S., Shi, Y.: Quantum lower bounds for the collision and the element distinctness problems. J. ACM (JACM) 51(4), 595–605 (2004)
Ambainis, A.: Quantum walk algorithm for element distinctness. SIAM J. Comput. 37(1), 210–239 (2007)
Andreeva, E., et al.: New second-preimage attacks on hash functions. J. Cryptol. 29(4), 657–696 (2016)
Andreeva, E., Bouillaguet, C., Dunkelman, O., Kelsey, J.: Herding, second preimage and trojan message attacks beyond Merkle-Damgård. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 393–414. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-05445-7_25
Andreeva, E., Bouillaguet, C., Fouque, P.-A., Hoch, J.J., Kelsey, J., Shamir, A., Zimmer, S.: Second preimage attacks on dithered hash functions. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 270–288. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_16
Bao, Z., Dinur, I., Guo, J., Leurent, G., Wang, L.: Generic attacks on hash combiners. J. Cryptol. 1–82 (2019)
Bao, Z., Wang, L., Guo, J., Gu, D.: Functional graph revisited: updates on (second) preimage attacks on hash combiners. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 404–427. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_14
Blackburn, S.R., Stinson, D.R., Upadhyay, J.: On the Complexity of the Herding Attack and Some Related Attacks on Hash Functions. Cryptology ePrint Archive, Report 2010/030 (2010). http://eprint.iacr.org/2010/030
Brassard, G., HØyer, P., Tapp, A.: Quantum cryptanalysis of hash and claw-free functions. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 163–169. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054319
Canteaut, A., et al.: Saturnin: a suite of lightweight symmetric algorithms for post-quantum security. IACR Trans. Symmetric Cryptol. 2020(S1), 160–207 (2020). https://doi.org/10.13154/tosc.v2020.iS1.160-207
Chailloux, A., Naya-Plasencia, M., Schrottenloher, A.: An efficient quantum collision search algorithm and implications on symmetric cryptography. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 211–240. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_8
Damgård, I.: A design principle for hash functions. In: Brassard, G. (ed.) Advances in Cryptology - CRYPTO’89. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug 20–24, 1990)
Dierks, T., Allen, C.: The TLS protocol version 1.0. RFC 2246, 1–80 (1999). https://doi.org/10.17487/RFC2246
Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.1. RFC 4346, 1–87 (2006). https://doi.org/10.17487/RFC4346
Dinur, I.: New attacks on the concatenation and XOR hash combiners. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 484–508. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_19
Fischlin, M., Lehmann, A., Wagner, D.: Hash function combiners in TLS and SSL. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 268–283. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11925-5_19
Freier, A.O., Karlton, P., Kocher, P.C.: The secure sockets layer (SSL) protocol version 3.0. RFC 6101, 1–67 (2011). https://doi.org/10.17487/RFC6101
Google: Google Quantum Computing. https://research.google/teams/applied-science/quantum/
Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-eighth Annual ACM Symposium on Theory of Computing, pp. 212–219 (1996)
Hosoyamada, A., Yasuda, K.: Building quantum-one-way functions from block ciphers: davies-meyer and merkle-damgård constructions. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 275–304. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_10
IBM: IBM Quantum Computing. https://www.ibm.com/quantum-computing/
Jaques, S., Schrottenloher, A.: Low-gate quantum golden collision finding. Cryptology ePrint Archive, Report 2020/424 (2020). https://eprint.iacr.org/2020/424
Jha, A., Nandi, M.: Some Cryptanalytic Results on Zipper Hash and Concatenated Hash. Cryptology ePrint Archive, Report 2015/973 (2015). http://eprint.iacr.org/2015/973
Joux, A.: Multicollisions in iterated hash functions. application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_19
Kelsey, J., Kohno, T.: Herding hash functions and the nostradamus attack. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 183–200. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_12
Kelsey, J., Schneier, B.: Second Preimages on n-Bit Hash Functions for Much Less than 2n Work. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 474–490. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_28
Kortelainen, T., Kortelainen, J.: On diamond structures and trojan message attacks. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 524–539. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_27
Leurent, G., Wang, L.: The sum can be weaker than each part. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 345–367. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_14
Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_40
National Institute for Standards and Technology, USA: Post-Quantum Cryptography Standardization (2017). https://csrc.nist.gov/projects/post-quantum-cryptography
Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, Santa Fe, New Mexico, USA, 20–22 November 1994, pp. 124–134. IEEE Computer Society (1994). https://doi.org/10.1109/SFCS.1994.365700
Zalka, C.: Grover’s quantum searching algorithm is optimal. Phys. Rev. 60(4), 2746 (1999)
Zhandry, M.: A note on the quantum collision and set equality problems. arXiv preprint arXiv:1312.1027 (2013)
Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Bao, Z., Guo, J., Li, S., Pham, P. (2022). Evaluating the Security of Merkle-Damgård Hash Functions and Combiners in Quantum Settings. In: Yuan, X., Bai, G., Alcaraz, C., Majumdar, S. (eds) Network and System Security. NSS 2022. Lecture Notes in Computer Science, vol 13787. Springer, Cham. https://doi.org/10.1007/978-3-031-23020-2_39
Download citation
DOI: https://doi.org/10.1007/978-3-031-23020-2_39
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-23019-6
Online ISBN: 978-3-031-23020-2
eBook Packages: Computer ScienceComputer Science (R0)