
Quantum Attacks on Hash Constructions with Low Quantum Random Access Memory

Conference paper. In: Advances in Cryptology – ASIACRYPT 2023 (ASIACRYPT 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14440))

Abstract

At ASIACRYPT 2022, Benedikt, Fischlin, and Huppert were the first to propose quantum herding attacks on iterative hash functions. Their attack needs exponential quantum random access memory (qRAM), more precisely \(2^{0.43n}\) quantum-accessible classical memory (QRACM). As the existence of large qRAM is questionable, Benedikt et al. left open the question of building low-qRAM quantum herding attacks.

In this paper, we answer this open question by building a quantum herding attack whose time complexity rises only slightly, from Benedikt et al.’s \(2^{0.43n}\) to our \(2^{0.46n}\), but which needs no qRAM at all (abbreviated as no-qRAM). In addition, we introduce various low-qRAM or no-qRAM quantum attacks on the hash concatenation combiner, the hash XOR combiner, Hash-Twice, and Zipper hash functions.


Notes

  1. Detailed comments on Bao et al.’s attacks are given in Appendices A and B.

  2. Leaf nodes whose digests end in \(r_0\) zero bits are used for the subsequent herding attack in Sect. 4 and are not relevant to this diamond building algorithm. After a diamond is built whose leaves are suffixed with \(r_0\) zero bits, we can apply the CNS algorithm (see Definition 2) to find a linking message whose digest collides with one of those leaves. Similar techniques for constructing distinguished points (e.g., leaves suffixed with \(r_0\) zero bits) are often used in cryptanalysis, e.g., in the quantum collision or preimage finding algorithms [5, 10, 21], the quantum k-XOR algorithms [33, 53], and many classical attacks, e.g. [24], to name a few. However, our Algorithm 1 is the first to apply this technique to a quantum herding attack.

References

  1. Ambainis, A.: Quantum walk algorithm for element distinctness. SIAM J. Comput. 37(1), 210–239 (2007)

  2. Andreeva, E., et al.: New second-preimage attacks on hash functions. J. Cryptol. 29(4), 657–696 (2016)

  3. Andreeva, E., Bouillaguet, C., Dunkelman, O., Kelsey, J.: Herding, second preimage and trojan message attacks beyond Merkle-Damgård. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 393–414. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-05445-7_25

  4. Andreeva, E., et al.: Second preimage attacks on dithered hash functions. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 270–288. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_16

  5. Banegas, G., Bernstein, D.J.: Low-communication parallel quantum multi-target preimage search. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 325–335. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_16

  6. Bao, Z., Dinur, I., Guo, J., Leurent, G., Wang, L.: Generic attacks on hash combiners. J. Cryptol. 33(3), 742–823 (2020)

  7. Bao, Z., Guo, J., Li, S., Pham, P.: Evaluating the security of Merkle-Damgård hash functions and combiners in quantum settings. In: Yuan, X., Bai, G., Alcaraz, C., Majumdar, S. (eds.) NSS 2022. LNCS, vol. 13787, pp. 687–711. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-23020-2_39

  8. Bao, Z., Wang, L., Guo, J., Gu, D.: Functional graph revisited: updates on (second) preimage attacks on hash combiners. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 404–427. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_14

  9. Benedikt, B.J., Fischlin, M., Huppert, M.: Nostradamus goes quantum. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022. LNCS, vol. 13793, pp. 583–613. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22969-5_20

  10. Bernstein, D.J.: Cost analysis of hash collisions: will quantum computers make SHARCS obsolete? SHARCS 9, 105 (2009)

  11. Biham, E., Dunkelman, O.: A framework for iterative hash functions - HAIFA. IACR Cryptology ePrint Archive, p. 278 (2007)

  12. Blackburn, S.R., Stinson, D.R., Upadhyay, J.: On the complexity of the herding attack and some related attacks on hash functions. Des. Codes Cryptogr. 64(1–2), 171–193 (2012)

  13. Bonnetain, X., Hosoyamada, A., Naya-Plasencia, M., Sasaki, Yu., Schrottenloher, A.: Quantum attacks without superposition queries: the offline Simon’s algorithm. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 552–583. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_20

  14. Bonnetain, X., Jaques, S.: Quantum period finding against symmetric primitives in practice. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2022(1), 1–27 (2022)

  15. Bonnetain, X., Leurent, G., Naya-Plasencia, M., Schrottenloher, A.: Quantum linearization attacks. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021, Part I. LNCS, vol. 13090, pp. 422–452. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_15

  16. Bonnetain, X., Naya-Plasencia, M.: Hidden shift quantum cryptanalysis and implications. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part I. LNCS, vol. 11272, pp. 560–592. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_19

  17. Bonnetain, X., Naya-Plasencia, M., Schrottenloher, A.: On quantum slide attacks. In: Paterson, K.G., Stebila, D. (eds.) SAC 2019. LNCS, vol. 11959, pp. 492–519. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-38471-5_20

  18. Bonnetain, X., Schrottenloher, A., Sibleyras, F.: Beyond quadratic speedups in quantum attacks on symmetric schemes. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part III. LNCS, vol. 13277, pp. 315–344. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_12

  19. Brassard, G., Høyer, P., Mosca, M., Tapp, A.: Quantum amplitude amplification and estimation. Contemp. Math. 305, 53–74 (2002)

  20. Brassard, G., Høyer, P., Tapp, A.: Quantum cryptanalysis of hash and claw-free functions. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 163–169. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054319

  21. Chailloux, A., Naya-Plasencia, M., Schrottenloher, A.: An efficient quantum collision search algorithm and implications on symmetric cryptography. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part II. LNCS, vol. 10625, pp. 211–240. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_8

  22. Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_39

  23. Dierks, T., Allen, C.: The TLS protocol version 1.0. Technical report (1999)

  24. Dinur, I.: New attacks on the concatenation and XOR hash combiners. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 484–508. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_19

  25. Dong, X., Dong, B., Wang, X.: Quantum attacks on some Feistel block ciphers. Des. Codes Cryptogr. 88(6), 1179–1203 (2020)

  26. Dong, X., Guo, J., Li, S., Pham, P.: Triangulating rebound attack on AES-like hashing. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13507, pp. 94–124. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15802-5_4

  27. Dong, X., Sun, S., Shi, D., Gao, F., Wang, X., Hu, L.: Quantum collision attacks on AES-like hashing with low quantum random access memories. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part II. LNCS, vol. 12492, pp. 727–757. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_25

  28. Dong, X., Zhang, Z., Sun, S., Wei, C., Wang, X., Hu, L.: Automatic classical and quantum rebound attacks on AES-like hashing by exploiting related-key differentials. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021, Part I. LNCS, vol. 13090, pp. 241–271. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_9

  29. Flórez Gutiérrez, A., Leurent, G., Naya-Plasencia, M., Perrin, L., Schrottenloher, A., Sibleyras, F.: New results on Gimli: full-permutation distinguishers and improved collisions. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part I. LNCS, vol. 12491, pp. 33–63. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_2

  30. Freier, A., Karlton, P., Kocher, P.: The secure sockets layer (SSL) protocol version 3.0. Technical report (2011)

  31. Giovannetti, V., Lloyd, S., Maccone, L.: Architectures for a quantum random access memory. Phys. Rev. A 78(5), 052310 (2008)

  32. Giovannetti, V., Lloyd, S., Maccone, L.: Quantum random access memory. Phys. Rev. Lett. 100(16), 160501 (2008)

  33. Grassi, L., Naya-Plasencia, M., Schrottenloher, A.: Quantum algorithms for the \(k\)-xor problem. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part I. LNCS, vol. 11272, pp. 527–559. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_18

  34. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, 22–24 May 1996, pp. 212–219 (1996)

  35. Hosoyamada, A., Sasaki, Yu.: Cryptanalysis against symmetric-key schemes with online classical queries and offline quantum computations. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 198–218. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_11

  36. Hosoyamada, A., Sasaki, Yu.: Finding hash collisions with quantum computers by using differential trails with smaller probability than birthday bound. IACR Cryptology ePrint Archive 2020:213 (2020)

  37. Hosoyamada, A., Sasaki, Yu.: Quantum collision attacks on reduced SHA-256 and SHA-512. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part I. LNCS, vol. 12825, pp. 616–646. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_22

  38. Ito, G., Hosoyamada, A., Matsumoto, R., Sasaki, Yu., Iwata, T.: Quantum chosen-ciphertext attacks against Feistel ciphers. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 391–411. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_20

  39. Jaques, S., Schrottenloher, A.: Low-gate quantum golden collision finding. In: Dunkelman, O., Jacobson Jr., M.J., O’Flynn, C. (eds.) SAC 2020. LNCS, vol. 12804, pp. 329–359. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81652-0_13

  40. Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_19

  41. Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_8

  42. Kelsey, J., Kohno, T.: Herding hash functions and the Nostradamus attack. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 183–200. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_12

  43. Kelsey, J., Schneier, B.: Second preimages on n-bit hash functions for much less than 2n work. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 474–490. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_28

  44. Kortelainen, T., Kortelainen, J.: On diamond structures and trojan message attacks. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 524–539. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_27

  45. Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: Severini, S., Brandão, F.G.S.L. (eds.) 8th Conference on the Theory of Quantum Computation, Communication and Cryptography, TQC 2013, 21–23 May 2013, Guelph, Canada. LIPIcs, vol. 22, pp. 20–34. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2013)

  46. Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. In: IEEE International Symposium on Information Theory, ISIT 2010, 13–18 June 2010, Austin, Texas, USA, Proceedings, pp. 2682–2685 (2010)

  47. Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: Proceedings of the International Symposium on Information Theory and its Applications, ISITA 2012, Honolulu, HI, USA, 28–31 October 2012, pp. 312–316 (2012)

  48. Leander, G., May, A.: Grover meets Simon – quantumly attacking the FX-construction. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part II. LNCS, vol. 10625, pp. 161–178. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_6

  49. Leurent, G., Wang, L.: The sum can be weaker than each part. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 345–367. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_14

  50. Liskov, M.: Constructing an ideal hash function from weak ideal compression functions. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 358–375. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74462-7_25

  51. Mendel, F., Rechberger, C., Schläffer, M.: MD5 is weaker than weak: attacks on concatenated combiners. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 144–161. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_9

  52. Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_21

  53. Naya-Plasencia, M., Schrottenloher, A.: Optimal merging in quantum \(k\)-xor and k-sum algorithms. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 311–340. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_11

  54. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information, 10th Anniversary edn. Cambridge University Press, Cambridge (2016)

  55. NIST: The post-quantum project. https://csrc.nist.gov/projects/post-quantum-cryptography

  56. Preneel, B.: Analysis and design of cryptographic hash functions. Ph.D. thesis, Katholieke Universiteit Leuven (1993)

  57. Schrottenloher, A.: Quantum linear key-recovery attacks using the QFT. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023. LNCS, vol. 14085, pp. 258–291. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38554-4_9

  58. Schrottenloher, A., Stevens, M.: Simplified MITM modeling for permutations: new (quantum) attacks. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part III. LNCS, vol. 13509, pp. 717–747. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15982-4_24

  59. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, Santa Fe, New Mexico, USA, 20–22 November 1994, pp. 124–134 (1994)

  60. Simon, D.R.: On the power of quantum computation. SIAM J. Comput. 26(5), 1474–1483 (1997)

  61. Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y.: The first collision for full SHA-1. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 570–596. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_19

  62. Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_2

  63. Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_2


Acknowledgements

We thank the anonymous reviewers of ASIACRYPT 2023 for their insightful comments, and a special thanks to our shepherd for providing so much wonderful guidance and co-inventing some algorithms that greatly improved the paper. This work is supported by the National Key R&D Program of China (2022YFB2702804, 2018YFA0704701), the Natural Science Foundation of China (62272257, 62302250, 62072270, 62072207), Shandong Key Research and Development Program (2020ZLYS09), the Major Scientific and Technological Innovation Project of Shandong, China (2019JZZY010133), the Major Program of Guangdong Basic and Applied Research (2019B030302008, 2022A1515140090), Key Research Project of Zhejiang Province, China (2023C01025).

Author information

Corresponding authors

Correspondence to Xiaoyang Dong, Shun Li, Phuong Pham or Guoyan Zhang.


Appendices

A On Bao et al.’s Diamond Structure Building Algorithm

In [7, Section 3.3], the authors proposed a quantum algorithm for building a diamond structure with exponentially large QRAQM (their Algorithm 2). They then attempt a no-qRAM version. However, they give only the following sentences for their no-qRAM algorithm [7, Page 12]:

“In Scenario R2, the time complexity to find a collision is of \((2^{(n-t)})^{2/5}\) computations. Therefore, building a \(2^t\)-diamond structure requires \(\mathcal {O}(t^{(2/3)}\cdot 2^t \cdot 2^{(2(n-t)/5)}) = \mathcal {O}(t^{2/3} \cdot 2^{(2n+3t)/5})\) computations, with \(\mathcal {O}(t^{2/3} \cdot 2^t \cdot 2^{(n-t)/5}) = \mathcal {O}(t^{2/3} \cdot 2^{(n+4t)/5})\) classical memory.” (see [7, Page 12])

The authors do not give concrete steps for this no-qRAM algorithm. After communicating with the authors, we learned that they simply estimated the time complexity by replacing Grover’s algorithm with the CNS algorithm [21] and using classical memory instead of qRAM to store the data. They did not work out the concrete steps at all.

However, the conversion is not as trivial as the authors of [7] estimated. In fact, we need almost two pages in Sect. 3.2 to spell out the no-qRAM algorithm. When we rebuild the diamond-building steps with the CNS collision algorithm [21], we find that the final time complexity is \(2^{(2n+4t)/5}\), which differs from the time \(2^{(2n+3t)/5}\) claimed in [7]. We then communicated with the authors of [7] again, and they acknowledged that our steps and time evaluation are correct.

Since the authors of [7] have neither published nor given us the concrete steps of their claimed no-qRAM algorithm, we cannot check which step is wrong or which step leads to the differing complexities. Since the herding attack is built on the diamond structure, Bao et al.’s [7] herding attack in the no-qRAM setting is also flawed.

B On Bao et al.’s Quantum Herding Attack

In the original estimation by Bao et al. [7, Section 4.3], the overall time complexity of the no-qRAM herding attack is about \(2^{(2n+3k)/5} + 2^{n/2-k/6}\), where \(2^{(2n+3k)/5}\) is the time to build a \(2^k\)-diamond, and \(2^{n/2-k/6}\) is the time to find the linking message \(M_{link}\) to the diamond using Chailloux et al.’s multi-target preimage algorithm [21]. Balancing the two terms, the optimum is reached at \(k=3n/23\), which gives an overall time complexity of \(2^{11n/23} = 2^{0.478n}\) and classical memory \(2^{7n/23}=2^{0.304n}\). Even when our no-qRAM herding attack of Sect. 4 (time \(2^{0.46n}\), classical memory \(2^{0.23n}\)) is compared with this original complexity estimate of [7], the improvement of our attack is clear.

However, the diamond structure building algorithm of [7] is flawed, as shown in Appendix A, so their herding attack based on it is also wrong. In fact, the time \(2^{(2n+3k)/5}\) becomes \(2^{(2n+4k)/5}\) when our correct diamond building algorithm from Sect. 3.2 is used. Therefore, the complexity of Bao et al.’s no-qRAM herding attack becomes \(2^{(2n+4k)/5} + 2^{n/2-k/6}\) time and \(2^{(n+2k)/5}\) classical memory, which is optimal at \(k=3n/29\) and results in time \(2^{14n/29}=2^{0.4827n}\) and classical memory \(2^{7n/29}=2^{0.24n}\). Compared with this corrected version of Bao et al.’s attack, our attack in Sect. 4 (time \(2^{0.46n}\), classical memory \(2^{0.23n}\)) is still clearly better.
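The balancing step behind both sets of figures above, worked through with the paper’s own symbols (this derivation is added here and is not part of the published appendix; the classical-memory term \(2^{(n+4k)/5}\) for the original estimate is taken from the [7, Page 12] sentence quoted in Appendix A):

\[
\begin{aligned}
&\text{Original estimate of [7]:}\quad T(k) = 2^{(2n+3k)/5} + 2^{n/2 - k/6}. \\
&\frac{2n+3k}{5} = \frac{n}{2} - \frac{k}{6}
\;\Longleftrightarrow\; 12n + 18k = 15n - 5k
\;\Longleftrightarrow\; k = \frac{3n}{23}, \\
&\text{so}\quad T = 2^{(2n + 9n/23)/5} = 2^{11n/23} \approx 2^{0.478n},
\qquad M = 2^{(n+4k)/5} = 2^{7n/23} \approx 2^{0.304n}. \\[6pt]
&\text{With the corrected diamond cost:}\quad T(k) = 2^{(2n+4k)/5} + 2^{n/2 - k/6}. \\
&\frac{2n+4k}{5} = \frac{n}{2} - \frac{k}{6}
\;\Longleftrightarrow\; 12n + 24k = 15n - 5k
\;\Longleftrightarrow\; k = \frac{3n}{29}, \\
&\text{so}\quad T = 2^{(2n + 12n/29)/5} = 2^{14n/29} \approx 2^{0.483n},
\qquad M = 2^{(n+2k)/5} = 2^{7n/29} \approx 2^{0.241n}.
\end{aligned}
\]

In both cases the time exponent stays above the \(0.46n\) of the Sect. 4 attack, and the correction moves the optimal diamond size from \(k = 3n/23\) to the smaller \(k = 3n/29\).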


Copyright information

© 2023 International Association for Cryptologic Research

About this paper


Cite this paper

Dong, X., Li, S., Pham, P., Zhang, G. (2023). Quantum Attacks on Hash Constructions with Low Quantum Random Access Memory. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14440. Springer, Singapore. https://doi.org/10.1007/978-981-99-8727-6_1


  • DOI: https://doi.org/10.1007/978-981-99-8727-6_1


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8726-9

  • Online ISBN: 978-981-99-8727-6

  • eBook Packages: Computer Science (R0)
