Keywords

1 Introduction

Shor’s seminal work [59] shows that sufficiently large quantum computers allow factorization of large numbers and computation of discrete logarithms in polynomial time, potentially dooming many public-key schemes in use today. To meet the challenges posed by quantum computers, the public-key cryptography community and standardization organizations have invested a lot of effort in the research of post-quantum public-key schemes. In particular, NIST has initiated a process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptography algorithms [55]. For symmetric cryptography, the community has also recently witnessed many important quantum cryptanalysis results [15,16,17, 25, 38, 41, 48] since the initial work of Kuwakado and Morii, who showed that the classically provably secure Even-Mansour cipher and the three-round Feistel network can be broken in polynomial time with the help of quantum computers [46, 47]. Most of these attacks that enjoy exponential speedup rely on Simon’s algorithm [60] to find a key-dependent hidden period where access to a quantum superposition oracle of key primitives is necessary. This is a fairly strong (computation) model, and its actual relevance is sometimes questioned [13]. Therefore, a more complex attack still makes sense if it does not require online queries to the superposition oracles of the keyed primitives [13, 14, 18, 35, 57].

For keyless primitives, especially hash functions, quantum attacks are easier to launch, since there is no need for online queries and all computations can be done offline. The classical algorithm finds collisions of n-bit output hash functions with time complexity \(\mathcal {O}(2^{n/2})\). In the quantum setting, the BHT algorithm [20] finds collisions with a query complexity of \(\mathcal {O}(2^{n/3})\) if \(\mathcal {O}(2^{n/3})\) quantum random access memory (qRAM) is available. However, it is generally acknowledged that the difficulty of fabricating large qRAMs is enormous [31, 32]. So quantum algorithms (even has relatively high time complexity) using less or no qRAM is desirable. At ASIACRYPT 2017, Chailloux, Naya-Plasencia and Schrottenloher first overcome the \(\mathcal {O}(2^{n/2})\) classical bound without using qRAM [21]. The time complexity of the algorithm is \(\mathcal {O}(2^{2n/5})\), and the classical memory is \(\mathcal {O}(2^{n/5})\). Also, a quantum algorithm for the generalized birthday problem (or the k-XOR problem) in settings with and without large qRAM can be found in [33, 53]. Besides the generic attacks on hash functions, the first dedicated quantum attack on hash functions was presented at EUROCRYPT 2020 by Hosoyamada and Sasaki [36], showing quantum attacks on AES-MMO and Whirlpool by exploring differentials whose probability is too low to be useful in the classical setting. Later, refined collision and preimage attacks on hash functions have been presented subsequently by Dong et al. [26,27,28], Flórez Gutiérrez et al. [29], Hosoyamada and Sasaki [37], Schrottenloher and Stevens [58].

The Merkle-Damgård construction [22, 52] is a popular way to build hash functions, where a single compression function is iteratively called to extend the input domain from a fixed length to arbitrary length and the digest length is usually the same as that of the internal state. However, some widely deployed hash function standards (such as MD5 and SHA-1) based Merkle-Damgård construction have been broken [61,62,63]. Besides, Kelsey and Schneier [43] have demonstrated a generic second-preimage attack against all hash functions based on the classical Merkle-Damgård construction, when the challenge message is long. At CRYPTO 2004, Joux [40] introduced multi-collision attacks on iterated hash functions. At EUROCRYPT 2006, Kelsey and Kohno introduced the herding attack (also known as nostradamus attack) [42], in which the adversary commits to a hash value T of an iterated hash function \(\mathcal {H}\), such that when later given a message prefix P, the adversary is able to find a suitable “suffix explanation” S with \(\mathcal {H}(P\Vert S)=T\).

In order to obtain a more secure hash function, and to ensure compatibility, researchers and developers try to combine the output of two (or more) independent hash functions to provide better security in case one or even both hash functions are weak. Practical examples can be found in TLS [23] and SSL [30]. There are several common hash combiners, such as concatenation combiner [56], XOR combiner, Hash-Twice [3], and Zipper hash [50]. However, the security of these hash combiners has also been challenged. At CRYPTO 2004, Joux [40] revealed that the concatenation combiner provides at most n/2-bit security for collision resistance and n-bit security for preimage resistance. Leurent and Wang [49] and Dinur [24] showed that the combiners may be weaker than each hash function. Besides, various cryptanalysis results [2,3,4, 6, 8, 51] have been achieved on the hash combiners.

At ASIACRYPT 2022, Benedikt, Fischlin, and Huppert [9] considered quantum nostradamus attacks on iterative hash functions for the first time, and realized attacks of complexity \(\mathcal {O}(2^{3n/7})\). The attack requires exponentially large qRAM, which is inherited from the BHT algorithm [20]. Since fabricating large qRAMs is difficult to realize [31, 32], Benedikt et al. [9] left open questions for building low-qRAM quantum herding attack. In 2022, Bao et al. [7] built a low-qRAM quantum herding attack based Chailloux et al.’s multi-target preimage algorithm [21]. However, we find their algorithm is flawed and incorrect when building diamond structure for herdingFootnote 1. Therefore, the question is still open. Besides the quantum herding attack, Bao et al. also gave some quantum attacks on hash XOR and concatenation combiners, including collision, preimage, and herding attacks [7].

Our Contributions

In this paper, for the first contribution, we answer the open question by Benedikt et al. [9] to build the first valid low-qRAM quantum herding attack on iterated hash functions. We first convert Benedikt et al.’s quantum diamond-building algorithm (it needs exponential qRAM, i.e., \(2^{{3n/7}}\) quantum accessible classical memory (QRACM)) into an algorithm that does not need qRAM anymore. The new algorithm is highly based on Chailloux et al.’s collision finding algorithm [21] with various adaptions. In our herding attack, we choose the leaves of the diamond structure to be prefixed with r-bit zeros, then apply Chailloux et al.’s collision finding to find the linking message S such that \(H(P\Vert S)\) hits one of the leaves of the diamond structure. Note a previous work by Bao et al. [7] also built a quantum herding attack. However, in their attack, the Chailloux et al.’s multi-target preimage algorithm [21] is applied, which can not take the advantage of the ability that attacker can choose the prefixed leaves of the diamond structure.

Table 1. A Summary of the Attacks. QRACM: quantum accessible classical memory, QRAQM: quantum accessible quantum memory, cRAM: classical random access memory
Full size table

As the Second Contribution, for the quantum preimage attack on hash XOR combiners, we introduce an efficient low-qRAM quantum algorithm to build Leurent and Wang’s interchange structure [49]. Then, based on Schrottenloher and Stevens’s quantum Meet-in-the-Middle attack [58], or Ambainis’ element distinctness algorithm [1], or Jaques and Schrottenloher’s golden collision finding algorithm [39], we propose three different low-qRAM quantum preimage attacks on hash XOR combiner. Especially, our attack based on Jaques and Schrottenloher’s method [39] reduces the \(2^{0.143n}\) qubits of previous attack [7] to ours \(2^{0.013n}\) qubits, without quantum accessible quantum memory (QRAQM). Moreover, the time complexity is also reduced from previous \(2^{0.495n}\) to ours \(2^{0.493n}\).

For hash concatenation combiner, we introduce a no-qRAM quantum collision attack and a no-qRAM quantum herding attack. In [7], both attacks need \(2^{0.143n}\) qubits or \(2^{0.333n}\) QRAQM . However, our attacks do not need qRAM and the number of qubits needed is also of polynomial size. We also introduce quantum herding attacks on other important hash combiners, including Hash-Twice, and Zipper hash function, by exploiting their different features. All the attacks are summarized in Table 1.

2 Preliminaries

2.1 Quantum Computation and Quantum RAM

The state of the n-qubit quantum system can be described as the unit vector \(\{ \left|i\right>: 0 \le i < 2^n \}\) in \(\mathbb {C}^{2^n}\) under the orthogonal basis. Quantum algorithms are typically implemented by manipulating the state of an n-qubit system through a series of unitary transformations and measurements, where all unitary transformations can be implemented as a series quantum gates in quantum circuit models [54]. The efficiency of a quantum algorithm is quantified based on the number of quantum gates used.

Superposition Oracles for Classical Circuit. Let the quantum oracle of a function \(f:\mathbb {F}_2^{m}\mapsto \mathbb {F}_2^{n}\) be the unitary operator \(\mathcal {U}_f\) that \(\mathcal {U}_f\left|x\right>\left|y\right>=\left|x\right>\left|y\oplus f(x)\right>\) with \(x\in \mathbb {F}_2^{m}\) and \(y\in \mathbb {F}_2^{n}\). When \(\mathcal {U}_f\) acts on superposition states, we have

$$\begin{aligned} \mathcal {U}_f \left( \sum _{x \in \mathbb {F}_2^n } a_i\left|x\right> \left|y\right> \right) = \sum _{x \in \mathbb {F}_2^n } a_i \left|x\right> \left|y\oplus f(x)\right>. \end{aligned}$$
(1)

Variations on Grover’s Algorithm. The task is to find the labeled element from the set X. Suppose we denote the subset of labeled elements by \(M\subset X\) and know the fraction of the labeled elements \(\epsilon =|M|/|X|\). The classical algorithm to solve this problem needs \(O(1/\epsilon )\) iterations. A quantum algorithm can be expressed as a function of two parameters.

  • Setup operation, i.e., sampling a uniform element from X. Denote the cost (execution time) of Setup as \(|Setup|_{RT}\).

  • Checking operation, i.e. checking if an element is labeled. Denote the cost (execution time) of Checking as \(|Checking|_{RT}\).

Grover’s algorithm [34] is a quantum search process for finding the labeled elements, whose complexity is a function of the quantum Setup cost \(|Setup|_{RT}\) of construction of uniform superposition of all elements from X, and the quantum Checking cost \(|Checking|_{RT}\). The time complexity of Grover’s algorithm is \(\sqrt{1/\epsilon }\cdot (|Setup|_{RT}+|Checking|_{RT})\). Assuming the Setup and Checking steps are simple, Grover’s algorithm can find the element \(x \in M\) at a cost of \(\mathcal {O}(\sqrt{1/\epsilon })\).

Grover’s algorithm can also be described as a special case of quantum amplitude amplification (QAA), which is a quantum algorithm introduced by Brassard, Høyer, Mosca, and Tapp [19]. Intuitively, assuming there exists an quantum algorithm \(\mathcal {A}\) to produce a superposition of the good subspace and the bad subspace of X. Let a be the initial success probability that the measurement of \(\mathcal {A}\left|0\right>\) is good. Let \(\mathcal {B}\) be a function that classifies the outcomes of \(\mathcal {A}\) as either good or bad state. Quantum Amplitude Amplification (QAA) technique achieves the same result as Grover’s algorithm with a quadratic improvement. The time complexity of QAA is about

$$\begin{aligned} \sqrt{1/a}\cdot (|\mathcal {A}|_{RT}+|\mathcal {B}|_{RT}). \end{aligned}$$
(2)

Quantum Random Access Memories (qRAM) can be conceptualized as the quantum counterpart of classical random access memory (RAM). In the classic setup, RAM facilitates access (read and write operations) to memory elements in time \(\mathcal {O}(1)\) regardless of storage size. Following [45, 58], qRAM comes in two flavors: Quantum Accessible Classical Memory (QRACM), which enables access to classical data in quantum superposition; and Quantum Accessible Quantum Memory (QRAQM), where data is stored in quantum memory. Consider a scenario where we intend to store a list of data, denoted as \(D=(x_0,x_1,\cdots , x_{2^k-1})\), with each \(x_i\) representing an n-bit data. In this context, the qRAM for accessing the data D is established as a quantum gate. This qRAM is defined through a unitary operator \(U_{qRAM}(D)\), which is expressed as follows:

$$\begin{aligned} U_{qRAM}(D): \left|i\right>\left|x_0,x_1,\cdots , x_{2^k-1}\right>\left|y\right> \rightarrow \left|i\right>\left|x_0,x_1,\cdots , x_{2^k-1}\right>\left|y\oplus x_i\right>, \end{aligned}$$

Here, i takes values from the set \(\{0,1\}^k\), and y represents an n-bit value. In both QRACM and QRAQM, we assume that this gate costs \(\mathcal {O}(1)\). For QRACM, i is superposed but the \(x_i\) are classical; For QRAQM, both i and \(x_i\) are superposed. For example, the BHT collision finding algorithm [20] requires QRACM, the quantum element distinctness [1] and quantum meet-in-the-middle attack [58] require QRAQM. Obviously, QRAQM is the strongest quantum memory model.

For the time being, it is unknown how a working qRAM (at least for large qRAMs) can be built. Nevertheless, this disappointing fact does not stop researchers from working in a model where large qRAMs are available, in the same spirit that people started to work on classical and quantum algorithms long before a classical or quantum computer had been built. From another perspective, the absence of large qRAMs makes it quite meaningful to conduct research in an attempt to reduce or even avoid the use of qRAM in quantum algorithms.

Quantum Element Distinctness Problem

Problem 1

Given a set \(S=\{x_1,x_2,\cdots , x_N\}\), does it exist ij such that \(1\le i< j\le N\) and \(x_i=x_j\)? If yes, return ij.

In 2007, Ambainis proposed the quantum walk algorithm for the element distinctness problem [1] and achieved time complexity of \(\mathcal {O}(N^{2/3})\) with \(\mathcal {O}(N^{2/3})\) QRAQM. At SAC 2020, Jaques and Schrottenloher [39] solved the element distinctness problem (or golden collision problem by [39]) in the plain quantum circuit model (i.e., the computation is a sequence of basic quantum gates applied to a pool of qubits) in time complexity of \(\mathcal {O}(N^{6/7})\) with \(\mathcal {O}(N^{2/7})\) qubits without qRAM.

CNS Collision Finding Algorithm [21]. At ASIACRYPT 2017, Chailloux, Naya-Plasencia and Schrottenloher [21] introduced the first quantum collision finding algorithm without any qRAM. Their algorithm is denoted as CNS algorithm in this paper. The time complexity of the algorithm is \(\mathcal {O}(2^{2n/5})\), with a classical memory of \(\mathcal {O}(2^{n/5})\). The CNS algorithm is based on a quantum membership algorithm.

Definition 1

Given a set L of \(2^{k}\) n-bit strings, a classical membership oracle is a function \(f_L\) that computes: \(f_L(x)=1\) if \(x\in L\) and 0 otherwise.

A quantum membership oracle for L is an operator \(O_L\) that computes \(f_L\):

$$\begin{aligned} O_L(\left|x\right>\left|b\right>)=\left|x\right>\left|b\oplus f_L(x)\right>. \end{aligned}$$

When the set L of size \(2^{k}\) is stored in some classical memory, Chailloux et al. implement the quantum operator \(O_L\) with \(n2^k\) simple operations and \(2n+1\) . Since in the following, the time complexity is number of queries of the compression functions of hash function, the \(n2^k\) simple operations are then recorded as \(\mathcal {O}(2^k)\) time complexity. The CNS collision finding algorithm can be divided into two parts, i.e., the precomputing part and the matching part.

Precomputing Part: Given a hash function h that \(h(m)=T\), the CNS algorithm first builds a table L of size \(2^{k}\), where the r-bit most significant bits (MSB) of all \(x\in L\) are zero, and store L in a classical memory. The way to build L is to perform \(2^{k}\) times of Grover’s algorithm with time complexity of \(2^{k}\times 2^{r/2}=2^{k+r/2}\).

The Matching Part: Apply the QAA algorithm. In the setup phase \(\mathcal {A}\), the Grover’s algorithm is applied to produce a superposition of m, where the r-bit MSBs of m are zero. The time of the setup phase is \(|\mathcal {A}|_{RT}=2^{r/2}\). Then, in the checking phase \(\mathcal {B}\), a quantum membership algorithm is applied to classify that if m is in L or not. \(|\mathcal {B}|_{RT}=2^{k}\). Since the initial probability, that the measurement of \(\mathcal {A}\left|0\right>\) is good, is \(a=\frac{2^{k}}{2^{n-r}}\) (since only the last \(n-r\) bits should be matched). According to Eq. (2), time complexity of this part is

$$\begin{aligned} \sqrt{\frac{2^{n-r}}{2^{k}}}\cdot (2^{r/2}+2^{k}). \end{aligned}$$
(3)

Totally, the time of the CNS algorithm is

$$\begin{aligned} \sqrt{\frac{2^{n-r}}{2^{k}}}\cdot (2^{r/2}+2^{k})+2^{k+r/2}. \end{aligned}$$
(4)

By assigning \(r=2k=2n/5\), the complexity given in Eq. (4) will be optimal, which is \(\mathcal {O}(2^{2n/5})\). The number of qubits used is \(\mathcal {O}(n)\). The classical memory is \(2^{n/5}\) to store L.

In this paper, the CNS algorithm is frequently used. In several applications of our paper, only the Matching Part of the CNS algorithm is used with a given L, while L may be built in a different way than the Precomputing Part and thus have a different complexity than \(2^{k+r/2}\). For example, in our quantum herding attack in Sect. 4, the time to build L is the time to build the diamond structure. Therefore, the time complexity of the Matching Part should be weighed against the different time complexity of constructing L. To use the CNS algorithm more flexibly, we define the Matching Part as \(\text {CNS}_{h}(m,L)\) in Definition 2 for a given table L and h in the following.

Definition 2

Let \(\text {CNS}_{h}(m,L)\) be the matching part of CNS algorithm, which finds m so that \(h(m)\in L\). Given the table L of size \(2^{k}\) stored in classical memory, whose elements are prefixed with r-bit zeros, the time complexity \(|\text {CNS}_{h}(m,L)|_{RT}=\sqrt{\frac{2^{n-r}}{2^{k}}}\cdot (2^{r/2}+2^{k}).\)

Quantum Meet-in-the-Middle Algorithm. At CRYPTO 2022, Schrottenloher and Stevens [58] applied the quantum two-list merging algorithm to build the quantum MitM attack: For a given global guess \(G\in \mathbb {F}_2^{g}\), two small lists are computed and merged to on the fly. Suppose the two small lists are \(L_1\) and \(L_2\), the goal is to determine if there are elements \(x\in L_1\) and \(y\in L_2\) such that \(x=y\) (called a solution). Let \(O_\texttt{merge}\) be the unitary operator that

$$\begin{aligned} O_\texttt{merge}(\left|G\right>\left|b\right>)=\left|G\right>\left|b\oplus f(G)\right>, \text {where}~ f(G)=\left\{ \begin{array}{l} 1~\text {if a solution occurs}\\ 0~\text {otherwise} \end{array} \right. . \end{aligned}$$
(5)

Lemma 1

[58] Assume that there exists an implementation of \(O_\texttt{merge}\) with time complexity T. Then there is a quantum MitM attack with time complexity:

$$\begin{aligned} (\frac{\pi }{4}2^{g/2}+1)\times T. \end{aligned}$$
(6)

The T is roughly estimated by

$$\begin{aligned} \min (|L_1|, |L_2|)+\sqrt{\max (|L_\texttt{merge}|,|L_1|,|L_2|))}, \end{aligned}$$
(7)

where \(L_\texttt{merge}\) is the merged list. The QRAQM needed is of size \(\min (|L_1|, |L_2|)\).

2.2 Iterated Hash Constructions

Iterated hash functions \(\mathcal {H}(IV,M)=T\) commonly first pad and split the message M into message blocks of fixed length, i.e., \(M=m_1\Vert m_2\Vert \cdots \Vert m_L\). The message blocks are processed sequentially and iteratively by the compression function h, i.e., \(x_i=h(x_{i-1},m_i)\), where \(x_0=IV\) is a public value, \(T=x_L\) is the n-bit digest, the chaining value \(x_i\in \mathbb {F}_2^n\). Two commonly used iterated hash constructions are the Merkle-Damgård construction [22, 52] and the HAIFA construction [11]. In this paper, we only consider the Merkle-Damgård construction and its extensions.

The concatenation combiner \(\mathcal {H}_1(IV_1,M)\Vert \mathcal {H}_2(IV_2,M)=T_1\Vert T_2\) is one of the most studied hash combiner, which is first described by Preneel in 1993 [56]. In 2004, Joux [40] described the multi-collision attack on the 2n-bit output hash combiner with \(2^{n/2}\) time complexity for collision attack and \(2^{n}\) time complexity for preimage attack. Besides the concatenation combiner, there are other constructions:

  • The XOR hash combiner \(\mathcal {H}_1(IV_1,M)\oplus \mathcal {H}_2(IV_2,M)=T\).

  • Hash-Twice is originally defined in [3]: \(\mathcal {H}_2(\mathcal {H}_1(IV,M),M)=T\) shown in Fig. 1.

  • Zipper hash [50] is defined as \(\mathcal {H}_2(\mathcal {H}_1(IV,M),\overset{\leftarrow }{M})=T\) shown in Fig. 2.

Fig. 1.
figure 1

Hash-Twice Construction

Full size image
Fig. 2.
figure 2

Zipper Hash Construction

Full size image

3 Basic Techniques and Their Quantum Versions

In this section, we give brief introductions of Joux’s multi-collision technique, diamond structure (DS) and their quantum versions.

3.1 Joux’s Multi-collision

At CRYPTO 2004, Joux [40] introduced an efficient method to build multi-collision on iterated hash functions. As shown in Fig. 3, started from \(x_0\), the attacker performs t birthday attacks to find t collisions. Based on the message blocks \(m_1,m_2,\cdots m_t\) and \(m'_1,m'_2,\cdots m'_t\), the attacker can build \(2^{t}\) collision message pairs (denoted as \(2^{t}\)-\(\mathcal {M}_\texttt{MC}\)), e.g., \((m_1\Vert m'_2\Vert \cdots \Vert m_t, m'_1\Vert m_2\Vert \cdots \Vert m'_t,)\). The time complexity to build the \(2^{t}\) collision message pairs is \(t\cdot 2^{n/2}\). In quantum setting, Bao et al. [7] first applied CNS’s algorithm to build Joux’s multi-collision, where one collision is built in time \(2^{2n/5}\). Therefore, the time to build \(2^{t}\)-\(\mathcal {M}_\texttt{MC}\) is \(t\cdot 2^{2n/5}\). The quantum attack only uses a classical memory \(2^{n/5}\).

Fig. 3.
figure 3

Joux’s multi-collision [40]

Full size image

3.2 Diamond Structure and Its New Quantum Algorithm in no-QRAM setting

Kelsey and Kohno in [42] invented the diamond structure. Similar to Joux’s multi-collisions and Kelsey and Schneier’s expandable message [43], diamond is also a kind of multi-collision. The difference is that, instead of mapping a single starting state to a final state in the form of sequential chain like Joux’s multi-collisions, a \(2^t\)-diamond maps a set of \(2^t\) leaf states to a common root state as shown in Fig. 4. In classical setting, several improvements [12, 44] on building diamond structure have been proposed. The time complexity to build a \(2^t\)-diamond is \(\sqrt{t}\cdot 2^{\frac{n+t}{2}}\) evaluations of the compression function of the hash function. Based on the diamond structure, Kelsey and Kohno [42] introduced the herding attack with time complexity \(\sqrt{t}\cdot 2^{\frac{n+t}{2}}+2^{n-t}\), which achieve the optimal \(\mathcal {O}(2^{2n/3})\) when \(t=n/3\). The memory complexity is bounded by building \(2^{t}\)-diamond, which is \(\mathcal {O}(2^{(n+t)/2})=\mathcal {O}(2^{2n/3})\) [12, 42].

Fig. 4.
figure 4

\(2^{3}\)-diamond [7]

Full size image

Bao et al. [7] initially introduced the quantum diamond structure algorithm for both qRAM and no-qRAM scenarios. However, when we tried to replicate their algorithm, we find their no-qRAM algorithm is incorrect and for more details please refer Appendix A.

Later, at ASIACRYPT 2022, Benedikt, Fischlin, Huppert [9] presented a quantum diamond structure algorithm utilizing exponential QRACM, resulting in a time complexity of \(t^{1/3}\cdot 2^{(n+2t)/3}\). Consider a level s of the \(2^t\)-diamond structure and try to connect \(2^{s}\) nodes \(\{x_{s,1}, \cdots , x_{s,2^s}\}\) in a pairwise manner. Benedikt et al. split the \(2^{s}\) nodes into a upper and a lower half of \(2^{s-1}\) nodes each. For the upper half, they compute a list Y of \(2^{l}\) hash evaluations \(h(m_j,x_{s,i})\) with \(i=1,\cdots ,2^{s-1}\), which equally spread out over the \(2^{s-1}\) nodes. Hence, for each node, there are \(\frac{2^l}{2^{s-1}}\) hash evaluations. Store Y in QRACM, and apply Grover’s algorithm to connect the first value \(x_{s,2^{s-1}+1}\) of the lower half to some of these \(2^{l}\) values with some message block \(m'\). Once a connection message is found, remove the partner node from the upper half and all of its \(2^{l}/2^{s-1}\) entries from Y. Then, add this amount of new values, again equally spread out over the remaining \(2^{s-1}-1\) values paired up, to fill the list Y up to \(2^{l}\) elements again. Then connect the second node \(x_{s,2^{s-1}+2}\) to Y. Continue till all \(2^{s}\) nodes are connected, then proceed with the next level \(s-1\) until the entire tree is built. Benedikt et al. choose \(l=\frac{n+2s}{3}\) to achieve optimal complexity to build the \(2^t\)-diamond structure, where \(s\le t\). Therefore, the size of Y is about \(2^l=2^{\frac{n+2t}{3}}\).

To build the quantum herding attack with a \(2^t\)-diamond structure, Benedikt et al. applied the BHT algorithm to find the \(M_{link}\) (as shown in Fig. 6). The overall complexity of the herding attack includes the complexity of building \(2^t\)-diamond structure and finding the \(M_{link}\), which is roughly \(\mathcal {O}(2^{(n+2t)/3}+2^{(n-t)/2})\). The optimal complexity is achieved when \(t=n/7\), i.e., the optimal time complexity is \(\mathcal {O}(2^{3n/7})\) with QRACM of size \(\mathcal {O}(2^{(n+2t)/3})=\mathcal {O}(2^{3n/7})\) to store Y when building \(2^t\)-diamond structure.

Fig. 5.
figure 5

Building diamond

Full size image

A New no-QRAM Quantum Algorithm to Build the Diamond Structure. In this section, we introduce a quantum algorithm to build the diamond structure in no-qRAM setting based on Benedikt et al.’s [9] method and CNS collision finding algorithm [21]. As shown in Fig. 5, again consider a level s of the \(2^t\)-diamond structure and try to connect \(2^{s}\) nodes \(\{x_{s,1}, \cdots , x_{s,2^s}\}\) in a pairwise manner.

  1. 1.

    Begin with \(2^t\) leaf nodes that share a common suffix of \(r_0\) 0s for the purpose of connectionFootnote 2.

  2. 2.

    Let’s consider a specific level \(s\le t\) of the tree where we aim to connect the \(2^s\) nodes {\(x_{s,1}\), ..., \(x_{s,2^s}\)} pairwise. Divide the \(2^s\) nodes into two halves, the upper half with \(2^{s-1}\) nodes \(\{x_{s,1}, \cdots , x_{s,2^{s-1}}\}\) and the lower half with \(2^{s-1}\) nodes \(\{x_{s,2^{s-1}+1}, x_{s,2^{s-1}+2},\cdots , x_{s,2^{s}}\}\). For the upper half, compute a list Y of \(2^{l}\) hash values \(h(m_j,x_{s,i})\) with \(i=1,\cdots , 2^{s-1}\), where the \(r_1\) MSBs of \(h(m_j,x_{s,i})\) are zero. The \(2^{l}\) hash values equally spread out over the \(2^{s-1}\) nodes, with \(\frac{2^{l}}{2^{s-1}}\) hash values for each node. Here, similar to CNS algorithm in Sect. 2.1 to build L whose elements are prefixed with r-bit zero, we also apply Grover’s algorithm to build Y. For each node \(x_{s,i}\) with \(i=1,\cdots , 2^{s-1}\), run Grover’s algorithm to find \(m_j\) so that the \(r_1\) MSBs of \(h(m_j,x_{s,i})\) are zero. The time to find one \(m_j\) is \(2^{r_1/2}\). In order to find \(\frac{2^{l}}{2^{s-1}}\) such \(m_j\) for node \(x_{s,i}\), we apply \(\frac{2^{l}}{2^{s-1}}\) times of Grover’s algorithm. Therefore, to build Y, the total time complexity is

    $$\begin{aligned} 2^{l}\times 2^{r_1/2}=2^{l+\frac{r_1}{2}}. \end{aligned}$$
    (8)
  3. 3.

    Store Y in a classical memory with \(2^{l}\) elements \((h(m_j,x_{s,i}), m_j, x_{s,i})\) indexed by \(h(m_j,x_{s,i})\). For the first node \(x_{s,2^{s-1}+1}\) of the lower half, apply CNS algorithm in Sect. 2.1 to find a message block \(m'\) so that \(h(m',x_{s,2^{s-1}+1})\) hits one of the entries of Y. According to Definition 2, apply \(\text {CNS}_{h}(m',Y)\) to find such \(m'\), whose time complexity is

    $$\begin{aligned} \sqrt{\frac{2^{n-r_1}}{2^{l}}}\cdot (2^{r_1/2}+2^{l}). \end{aligned}$$
    (9)
  4. 4.

    After \(m'\) is found, delete the partner node and all of its \(2^{l}/2^{s-1}\) entries from Y. Add \(2^{l}/2^{s-1}\) new values for Y with similar ways to Step 2 to fill Y up to \(2^{l}\) elements again. Now each node of the upper half corresponds to \(2^{l}/{(2^{s-1}-1)}\) elements. Delete the first node \(x_{s,2^{s-1}+1}\) from lower half. The time complexity to fill Y again is

    $$\begin{aligned} 2^{l}/2^{s-1}\times 2^{r_1/2}=2^{l-s+1+\frac{r_1}{2}}. \end{aligned}$$
    (10)
  5. 5.

    Repeat Step 3 and Step 4 until the lower half is empty. That means all the nodes of the layer of level s have been connected pairwise.

To build the layer of level s in Step 2, \(2^{s}\) nodes are divided into the upper half and the lower half, each with \(2^{s-1}\) nodes. We are going to connect all the \(2^{s-1}\) nodes in the lower half to the upper half. In step 3, the CNS algorithm (i.e., \(\text {CNS}_{h}(m',Y)\)) is applied to connect one node of the lower half (e.g., the first node \(x_{s,2^{s-1}+1}\)) to one node of the upper half by hitting one of the elements in Y. In Step 4, after the i-th node \(x_{s,2^{s-1}+i}\) (\(i=1,\cdots ,2^{s-1}-1\)) in the lower half has been connected to Y, \(\frac{2^{l}}{2^{s-1}-(i-1)}\) elements will be deleted from Y, and therefore, the same amount of new elements should be generated to fill up Y to \(2^{l}\) again, whose time complexity is

$$\begin{aligned} \frac{2^{l}}{2^{s-1}-(i-1)}\times 2^{r_1/2}. \end{aligned}$$
(11)

Since we have to connect all nodes in the lower half to the upper half, the elements in Y must be repeatedly deleted and filled up Y to \(2^l\) for all \(i =1,2,3,\ldots ,2^{(s-1)}-1\). For each i, the time to fill up Y is estimated by Eq. (11). Note that for the last node, i.e., the \(i=2^{s-1}\)-th node \(x_{s,2^s}\) in the lower half, we only need to apply the CNS algorithm to find a match in Y to connect the last node to the upper half, and we do not need to fill up Y again after that. Therefore, we got the component of summation in Eq. (12). Since Step 3 will be repeated for each node of the lower half, hence, \(\text {CNS}_{h}(m',Y)\) will be repeated for \(2^{s-1}\) times. Therefore, the total time complexity to build the layer of level s is

$$\begin{aligned} T_s=2^{l}\times 2^{r_1/2} + 2^{s-1}\cdot \sqrt{\frac{2^{n-r_1}}{2^{l}}}\cdot (2^{r_1/2}+2^{l})+\sum \limits _{i=1}^{2^{s-1}-1}\frac{2^{l}}{2^{s-1}-(i-1)}\times 2^{r_1/2}. \end{aligned}$$
(12)

To build the \(2^t\)-diamond structure which includes t layers, the total time is

$$\begin{aligned} \sum \limits _{s=t}^{1}T_s. \end{aligned}$$
(13)

We could calculate

$$T_s = 2^{s-1}\cdot \sqrt{\frac{2^{n-r_1}}{2^{l}}}\cdot (2^{r_1/2}+2^{l}) + 2^l\cdot 2^{r_1/2} \cdot \sum \limits _{j=1}^{2^{s-1}}\frac{1}{j} = 2^{s-1}\cdot \sqrt{\frac{2^{n-r_1}}{2^{l}}}\cdot (2^{r_1/2}+2^{l}) + O(s\cdot 2^{l+r_1/2})$$

using \(\sum _{j=1}^{q}\frac{1}{j}\le \ln q+c\) for the harmonic series. Then \(T_s\) could be minimized to \(\mathcal {O}(s^{1/5}\cdot 2^{(2n+4s+4)/5})\) by setting \(r_1=2l\) and \(l=\frac{n+2s+2-2\log _2 s}{5}\).

The final complexity is obtained from summing over all t levels:

$$\begin{aligned} \sum \limits _{s=1}^{t} \mathcal {O}(s^{1/5}\cdot 2^{(2n+4\,s+4)/5}) & \le & \mathcal {O}(2^{(2n+4+\log _2 t)/5}\cdot \sum \limits _{s=1}^{t} 2^{\frac{4\,s}{5}}) \\ & = & \mathcal {O}(2^{(2n+4+\log _2 t)/5}\cdot 2^{\frac{4t}{5}})\\ & = & \mathcal {O}(2^{(2n+4t+4+\log _2 t)/5}), \end{aligned}$$

which is about \(\mathcal {O}(2^{(2n+4t)/5})\). The classical memory is dominated by \(\mathcal {O}(2^{(n+2t)/5})\) to store Y for the first layer. The number of qubits is \(\mathcal {O}(n)\).

4 Herding Attack in Quantum Settings with no-QRAM

The herding attack on iterated hash function is first given by Kelsey and Kohno [42]. In the attack, the adversary chooses a public hash value \(h_T\), and then, she is challenged with a prefix P. Her goal is to find a suffix S such that \(h_T=H(P\Vert S)\). At ASIACRYPT 2022, Benedikt, Fischlin, and Huppert [9] presented the quantum herding attack with \(\root 3 \of {n}\cdot 2^{3n/7}\) on iterated hash function with n-bit digest based on BHT algorithm. Their quantum attack also needs exponential qRAM inherited from the BHT algorithm [20], i.e., \(2^{3n/7}\) QRACM. Therefore they left an open question on how to devise quantum herding attacks with low-qRAM. In this section, we answer the open question positively. As shown in Fig. 6, our herding attack consists in four steps:

Fig. 6.
figure 6

Herding Attack on Iterated Hash Function [7]

Full size image

  • Step 1 is to build a \(2^{k}\)-diamond structure. In classical herding attack by Kelsey and Kohno [42] and the quantum one by Benedikt et al. [9], the leaves \(x_i\) (\(1\le i\le 2^k\)) are randomly chosen. In our quantum attack, the r most significant bits (MSB) of \(x_i\) are zero. Store the leaves in D with classical memory

  • Step 2 and Step 3 is to find a single block message \(M_{link}\) such that \(h(P\Vert M_{link})\) collides with some value \(x_j\in D\).

  • Step 4 is to produce the message \(M=P\Vert M_{link}\Vert M_j\), where \(M_j\) is a sequence of message blocks linking \(x_j\) to \(h_T\) with the diamond structure.

figure b

Our quantum herding attack is given in Algorithm 1.

Complexity. The time complexity to build the \(2^{k}\) diamond structure is \(k^{1/5}\cdot 2^{(2n+4k)/5}\) with a classical memory \(k^{3/5}\cdot 2^{(n+2k)/5}\). The time complexity of the setup phase is \(2^{r/2}\) with Grover algorithm. According to the quantum membership algorithm [21], the time complexity to implement \(O_{f_{L}^{h}}\) is \(2^{k}\). For \((m,h(\bar{x},m))\in S_r^h\), \(f^h_L(m)=1\) holds with probability of \(2^{k-(n-r)}\). Therefore, about \(2^{\frac{n-r-k}{2}}\) calls of A, \(A^{\dagger }\), \(O_{f_{L}^{h}}\), \(O_{f_{L}^{h}}^{\dagger }\) are needed to produce the correct \(M_{link}=m\). Hence, the time complexity to find the \(M_{link}\) in Line 8 is \(2^{\frac{n-r-k}{2}}(2^{r/2}+2^{k})\) with a classical memory \(2^{k}\) to store L. Hence, the total time complexity is

$$\begin{aligned} 2^{\frac{n-r-k}{2}}(2^{r/2}+2^{k})+k^{1/5}\cdot 2^{(2n+4k)/5}. \end{aligned}$$
(15)

The classical memory complexity is bounded by the construction of the diamond structure, i.e., \(k^{3/5}\cdot 2^{(n+2k)/5}\).

The Best-Case Complexity. The optimal complexity is to balance the three formulas, i.e., \(\frac{n-k}{2}\), \(\frac{n-r+k}{2}\), and \(\frac{2n+4k}{5}\). When \(k=n/13\) and \(r=2n/13\), the optimal complexity is achieved which results in \(\mathcal {O}(2^{6n/13})=\mathcal {O}(2^{0.46n})\) time complexity and \(\mathcal {O}(2^{3n/13})=\mathcal {O}(2^{0.23n})\) classical memory.

Remark. Bao et al. [7] also proposed a no-qRAM herding attack based on a flawed method of building the diamond structure as shown in Sect. 3.2. After correcting with our right algorithm in Sect. 3.2, Bao et al.’s no-qRAM herding attack needs a time complexity of \(\mathcal {O}(2^{14n/29})=\mathcal {O}(2^{0.48n})\) with a classical memory \(\mathcal {O}(2^{7n/29})=\mathcal {O}(2^{0.24n})\), which is inferior to our attacks. For more details, please refer to Appendix B.

Fig. 7.
figure 7

Interchange structure and its building block [7]

Full size image

5 Interchange Structure and Preimage Attack on XOR Combiners

5.1 Basic Interchange Structure Technique [49]

At EUROCRYPT 2015, Leurent and Wang [49] invented the interchange structure (IS), which is used to devise a preimage attack on the XOR combiner, i.e., \(\mathcal {H}_1(IV_1,M)\oplus \mathcal {H}_2(IV_2,M)=T\). The interchange structure contains a set of messages \(\mathcal {M}_\texttt{IS}\) and two sets of states \(\mathcal {A}\) and \(\mathcal {B}\), so that for any state pair \((A_i,B_j | A_i\in \mathcal {A}, B_j\in \mathcal {B})\), the attacker can pick a message \(M \in \mathcal {M}_\texttt{IS}\) such that \(A_i=\mathcal {H}_1(IV_1,M)\) and \(B_j=\mathcal {H}_2(IV_2,M)\). Suppose there is a \(2^{k}\)-interchange structure (the sizes of \(\mathcal {A}\) and \(\mathcal {B}\) are both \(2^{k}\)). In order to reach the target value T, they select a random block m, and evaluate \(L_1=\{A'_i=h_1(A_i,m), i=1\cdots 2^{k}\}\) and \(L_2=\{B'_j=T\oplus h_2(B_j,m), j=1\cdots 2^{k}\}\), where \(h_1\) and \(h_2\) are the compression functions. If there is a match between the two lists \(L_1\) and \(L_2\), then

$$\begin{aligned} h_1(A_i,m)= T\oplus h_2(B_j,m) \Leftrightarrow \mathcal {H}_1(IV_1, M\Vert m)\oplus \mathcal {H}_2(IV_1, M\Vert m)=T. \end{aligned}$$
(16)

The above technique is exactly a Meet-in-the-Middle approach. For a given m, it produce the preimage with probability \(2^{2k-n}\) with time complexity \(2^{k}\). Therefore, to find the preimage, \(2^{n-2k}\) m should be exhausted with a time complexity of \(2^{n-2k}\times 2^k=2^{n-k}\).

To build a \(2^{k}\)-interchange structure (the sizes of \(\mathcal {A}\) and \(\mathcal {B}\) are both \(2^{k}\)), the classical time complexity is \(\tilde{O}(2^{2k+n/2})\) in [49].

figure c

5.2 Low qRAM Quantum Version of Interchange Structure

For the hash XOR combiners \(\mathcal {H}_1(IV_1,M)\oplus \mathcal {H}_2(IV_2,M)=T\), the basic technique to build interchange structure is to build a single switch, which allows to jump from an already reachable pair of chains \((a_i,b_k)\) to \((a_j,b_k)\) as shown in Fig. 7(a). As shown in Fig. 7(a), given the multi-collision set \(\mathcal {M}_\texttt{MC}\) of size \(2^t\), \(\forall M\in \mathcal {M}_\texttt{MC}\), \(h^*_2(b_k,M)=b'_k\). The single switch algorithm (Alg. 2) is to find a pair \(\hat{M},~\hat{M}' \in \mathcal {M}_\texttt{MC}\), such that \(h^*_1(a_j,\hat{M})=h^*_1(a_i,\hat{M}')\).

Complexity of Algorithm 2:

  • In Line 1, the time to build \(2^{t}\)-\(\mathcal {M}_\texttt{MC}\) is \(t\cdot 2^{2n/5}\), with classical memory \(2^{n/5}\) by applying CNS algorithm directly.

  • In Line 4, with the superposition in Eq. (18), Grover algorithm is applied to determine a \(M=(m_1^{l_1},m_2^{l_2},...,m_{t}^{l_t})\), such that the r MSBs of \(h_1^*(a_j,M)\) are zero, whose time complexity is \(2^{r/2}\). To find \(2^{x}\) such M, the time complexity is \(2^{x+r/2}\). A classical memory of size \(2^{x}\) is needed to store \(L_2\).

  • In Line 7 a), the setup phase is to produce the superposition of \(|\phi _r\rangle \), whose time complexity is about \(2^{r/2}\).

    In Line 7 b), the projector is a quantum membership checking, whose time complexity is about \(2^{x}\). To ensure that there is at least one collision, we have \(2^{t-r}\times 2^{x}\ge 2^{n-r}\), i.e., \(t+x\ge n\). The total time complexity is

    $$\begin{aligned} 2^{\frac{n-r-x}{2}}\cdot (2^{r/2}+2^{x})+ 2^{x+r/2} + t\cdot 2^{2n/5}. \end{aligned}$$
    (21)

    When \(x=\frac{r}{2}=\frac{n}{5}\) and \(t= \frac{4n}{5}\), we get the optimal time complexity, i.e., \(\mathcal {O}(\frac{4n}{5}\cdot 2^{2n/5})\). The QRACM to store \(L_1\) is of polynomial size, which is \(\mathcal {O}(t\cdot n)\). The classical memory used to store \(L_2\) and in Line 1 is \(\mathcal {O}(2^{n/5})\).

Comparison Between Our Herding Attack and the Interchange Structure Building Algorithm. The highlevel framework for herding attack (Algorithm 1) and the interchange structure (Algorithm 2) is different, but they both apply variants of CNS collision finding algorithm [21]. As shown in Sect. 2.1 of our paper, the original full CNS algorithm is divided into two parts: the Precomputing Part to prepare L and the Matching Part to find collision with L. For our herding attack, we mainly modify the Precomputing Part of the original CNS to prepare the diamond whose leaf nodes are then stored in L. For interchange structure, we mainly modify the Matching Part. It is because different from original CNS algorithm whose messages to collide with L are chosen freely, and thus an easy Hadamard transform applied to \(\left|0\right>^{\otimes n}\) is enough to get the quantum superposition of the messages. However, in our attack (Algorithm 2), the messages have to be chosen from the set \(\mathcal {M}_\texttt{MC}\) built by Joux’s multi-collision algorithm. Hence, the superposition of those messages is not trivial to obtain. To deal with it, we introduce an efficient way to build this superposition and make the attack successful.

5.3 Preimage Attack on XOR Combiners with Low qRAM

In classical setting, Leurent and Wang [49] built preimage attack on the XOR combiner with an Meet-in-the-Middle approach. Leurent and Wang first built a \(2^{k}\)-interchange structure (the sizes of \(\mathcal {A}\) and \(\mathcal {B}\) are both \(2^{k}\)) as shown in Sect. 5.1. In this section, in quantum setting, we perform three quantum attacks on XOR combiners based on three different quantum algorithms.

Attack based on Schrottenloher-Stevens’ Quantum MitM Attack [58]. As shown in Sect. 5.1, the sizes of \(L_1\) and \(L_2\) should be equal in Leurent and Wang’s classical attack to achieve the optimal time complexity. However, in quantum MitM attack, according to Eq. (7), \(L_1\) and \(L_2\) should be of different sizes. According to (16), the matching bits are n bits, therefore, the size of \(L_\texttt{merge}\) that contains messages satisfy (16) is very small when compared to \(L_1\) and \(L_2\). Actually, we only find one preimage, so that \(|L_\texttt{merge}|\) is about 1. Without loss of generality, we assume \(|L_1|\) is bigger. Then (7) is simplified as

$$\begin{aligned} |L_2|+\sqrt{|L_1|}. \end{aligned}$$
(22)

To reach an optimal balance, we choose \(|L_1|=2^{2k}\) and \(|L_2|=2^{k}\), so that the complexity of the quantum merging algorithm is \(\mathcal {O}(2^{k})\). We denote this kind of interchange structure as \((2^{2k},2^{k})\)-interchange structure, which is built by applying \(2^{3k}-1\) quantum single switches (Algorithm 2) as the following:

  1. 1.

    Build a single switch from \((a_0, b_0)\) to each of \((a_0, b_j)\) \(j = 0, ..., 2^{k}-1\),

  2. 2.

    For each j, build switches from \((a_0, b_j)\) to all \((a_i, b_j)\) for all \(i = 0, ..., 2^{2k}-1\),

  3. 3.

    To reach the chain \((a_i, b_j)\) from \((a_0, b_0)\), we first find the switch to jump from \((a_0, b_0)\) to \((a_0, b_j)\) in the first step, then find the switch to jump from \((a_0, b_j)\) to \((a_i, b_j)\) in the second step (see Fig. 7(b)).

The time complexity is \(\mathcal {O}(\frac{4n}{5}\cdot 2^{3k+2n/5})\) with \(\mathcal {O}(2^{n/5})\) classical memory to build the \((2^{2k},2^{k})\)-interchange structure.

According to Lemma 1, we first guess the message block \(m\in \mathbb {F}_2^{g}\), and compute the two lists \(L_1\) and \(L_2\) with \(|L_1|=2^{2k}\) and \(|L_2|=2^{k}\), then build the \(O_\texttt{merge}\) with complexity \(\mathcal {O}(2^{k})\) according to Eq. (22). To find at least one preimage, we have \(2^{g+k+2k}=2^n\), so that \(g=n-3k\). According to Eq. (6), the time complexity of the quantum MitM attack is about \(2^{\frac{n-3k}{2}}\times 2^{k}=2^{\frac{n-k}{2}}\). During the quantum MitM attack, the \((2^{2k},2^{k})\)-interchange structure precomputed should be stored in QRACM, and \(L_2\) should be stored in QRAQM. Therefore, the qRAM needed is \(2^{2k}\)QRACM\(+\) \(2^{k}\)QRAQM.

The overall time complexity, including the time to build \((2^{2k},2^{k})\)-interchange structure and the quantum MitM attack, is \(\frac{4n}{5}\cdot 2^{3k+2n/5}+2^{\frac{n-k}{2}}\). The optimal complexity is \(2^{17n/35}=2^{0.485n}\) by setting \(k = n/35\). The classical memory is \(\mathcal {O}(2^{n/5})\). The qRAM is \(2^{0.0571n}\)QRACM+\(2^{0.0285n}\)QRAQM.

We would like to thank one of the reviewers from ASIACRYPT 2023 for pointing out an error in the preliminary version of the attack based on Schrottenloher-Stevens’ method [58], and also thank him for inspiring the following two attacks.

Attack Based on Ambainis’ Element Distinctness Algorithm [1]. To apply Ambainis’ algorithm, a \((2^k,2^k)\)-interchange structure is first prepared and stored in QRACM of size about \(2^k\). For a guessed message block \(m\in \mathbb {F}_2^g\), we build two lists \(L_1\) and \(L_2\) of equal size \(2^k\), then apply Ambainis’ quantum element distinctness algorithm to detect the collision with the time complexity of \(2^{2(k+1)/3}\) and \(2^{2(k+1)/3}\) QRAQM. When applying Grover’s algorithm on \(m\in \mathbb {F}_2^g\), the overall time complexity (including the time to build \((2^k,2^k)\)-interchange structure) to find the preimage of XOR combiner is \(\frac{4n}{5}\cdot 2^{2k+2n/5}+2^{(n-2k)/2+2(k+1)/3}\approx 2^{(2k+2n/5)}+2^{(n/2-k/3)}\). The optimal time complexity is achieved when \(k=3n/70\), i.e., the time is \(2^{(17n/35)}=2^{(0.485n)}\), with \(2^{2(k+1)/3}=2^{0.0285n}\) QRAQM, \(2^k=2^{0.043n}\) QRACM, and \(2^{n/5}\) classical memory.

Attack Based on Jaques-Schrottenloher’s Golden Collision Finding Algorithm [39]. To apply Jaques-Schrottenloher’s algorithm, a \((2^k,2^k)\)-interchange structure is first prepared and stored in QRACM of size about \(2^k\). In [7], Bao et al. applied Jaques and Schrottenloher’s method [39] to find the collision between \(L_1\) and \(L_2\). Here we also apply this method in our attack. Note that Jaques and Schrottenloher found the single collision in a set of size N with \(N^{6/7}\) time complexity and \(N^{2/7}\) qubits, without QRAQM. Therefore, with a \((2^k,2^k)\)-interchange structure, the time complexity of our preimage attack on XOR combiner is \(2^{(2k+2n/5)}+2^{(n-2k)/2+6(k+1)/7}\approx 2^{2k+2n/5}+2^{n/2-k/7}\) with \(2^{2k/7}\) qubits, and \(2^{0.2n}\) classical memory. The optimal time complexity is achieved when \(k=7n/150\), where the time complexity is \(2^{37n/75} = 2^{0.493n}\), with \(2^{n/75} = 2^{0.0133n}\) qubits, \(2^k=2^{0.047n}\) QRACM, and \(2^{0.2n}\) classical memory.

In the no-QRAQM scenario, when compared our attack with the attack by Bao et al. [7], the time complexity is reduced from \(2^{0.495n}\) to \(2^{0.493n}\), and the number of qubits is significantly reduced from \(2^{0.143n}\) to our \(2^{0.0133n}\).

6 Collision Attack on Concatenation Combiners in Quantum Settings

For a hash concatenation combiner \(\mathcal {H}_1(IV_1,M)\Vert \mathcal {H}_2(IV_2,M)=T_1\Vert T_2\), the collision attack is to find two distinct M and \(M'\), so that \(\mathcal {H}_1(IV_1,M)\Vert \mathcal {H}_2(IV_2,M)=\mathcal {H}_1(IV_1,M')\Vert \mathcal {H}_2(IV_2,M')\). Classically, based Joux’s multi-collision method [40], the collision attack can be built in \(\mathcal {O}(2^{n/2})\). Here, we introduce a new quantum collision attack on the hash combiners in Algorithm 3.

figure d

Complexity of Algorithm 3. Algorithm 3 is quite similar to Algorithm 2. When we let \(t=n\), \(x=2^{n/5}\), \(r=2^{2n/5}\), the attack is optimal. The time complexity is \(n\cdot 2^{2n/5}\) with a classical memory of \(2^{n/5}\) and polynomial number of qubits.

7 Herding Attack on Concatenation Combiners in Quantum Setting

Fig. 8.
figure 8

Herding Attack on Concatenation Combiners in quantum settings [7]

Full size image
figure e
figure f

The herding attack on concatenation combiners in quantum settings is given in Fig. 8 and Algorithm 4. In the off-line precomputation phase (Line 2 to 6), two diamond structures \(\mathcal {M}_\texttt{DS1}\) and \(\mathcal {M}_\texttt{DS2}\) are built, two Joux’s multi-collisions \(\mathcal {M}_{\texttt{MC}_s}\) and \(\mathcal {M}_{\texttt{MC}_{\ell }}\) are built. The root node of \(\mathcal {M}_\texttt{DS1}\) is \(x_T\). The \(2^{t}\)-Joux’s multi-collision \(\mathcal {M}_{\texttt{MC}_s}\) links \(x_T\) to \(x_{M_0}\). Then the \(2^{k\cdot \frac{4n}{5}}\)-Joux’s multi-collision \(\mathcal {M}_{\texttt{MC}_{\ell }}\) is built to link \(x_{M_0}\) and \(T_1\). After that, \(2^k\)-diamond \(\mathcal {M}_\texttt{DS2}\) is built. Here, we only apply the CNS collision finding algorithm to build the diamond without using the method given in Sect. 3.2. This is because, in the diamond building algorithm given in Sect. 3.2, one has to frequently apply Grover’s algorithm to find message blocks to fill up Y to \(2^l\). For herding attack on MD hash (Algorithm 1), the message blocks are freely chosen. Therefore, the superposition of the message for Grover’s algorithm is easy to generate, and a trivial Hadamard transformation on \(\left|0\right>^{\otimes n}\) is enough. However, when building the \(2^k\)-diamond \(\mathcal {M}_\texttt{DS2}\), those message blocks have to be selected from a prefixed message set constructed by Joux’s multi-collision algorithm, i.e., \(\mathcal {M}_{\texttt{MC}_{\ell }}\). To frequently build the superposition of messages from \(\mathcal {M}_{\texttt{MC}_{\ell }}\) for applying Grover’s algorithm is not easy. Therefore, we use the trivial method that only uses CNS collision finding algorithm here. Since there are \(2^{k}-1\) collisions in a \(2^{k}\)-diamond, \(2^{k}-1\) times of CNS algorithm are needed to build the diamond. To build the \(2^{k}\)-diamond \(\mathcal {M}_\texttt{DS1}\), we can freely use diamond building algorithm in Sect. 3.2 or apply CNS algorithm trivially, since the time to build \(\mathcal {M}_{\texttt{MC}_{\ell }}\) already bound the complexity, we just choose CNS algorithm trivially to build \(\mathcal {M}_\texttt{DS1}\) without increasing the overall complexity. Similar reason also prevents us from applying diamond building algorithm given in Sect. 3.2 to Algorithm 5.

Complexity of Algorithm 4.

  • In the off-line precompuation phase (Line 2 to 6), the time complexity to build \(\mathcal {M}_\texttt{DS1}\), \(\mathcal {M}_{\texttt{MC}_s}\), \(\mathcal {M}_{\texttt{MC}_{\ell }}\), and \(\mathcal {M}_\texttt{DS2}\) is

    $$2^{k+2n/5} + {t}\cdot 2^{2n/5}+4nk/5\cdot 2^{2n/5}+2^{k+2n/5}\approx 2^{k+2n/5}, $$

    where \(t=\mathcal {O}(n)\).

  • In the online phase (Line 8 to 18), the time to find \(m^*\) and \(S_2\) are both \(2^{\frac{n-r-k}{2}}(2^{r/2}+2^{k})\).

Therefore, the overall optimal time complexity of Algorithm 4 is \(\mathcal {O}(2^{7n/15})\) by balancing the off-line and on-line computation phases and assigning \(k=n/15\), \(r=2k\), and \(t=n\). The memory cost is dominated by building Joux’s multi-collision with CNS, i.e., \(\mathcal {O}(2^{n/5})\) classical memory.

8 Quantum Herding Attack on Hash-Twice

The attack on Hash-Twice shares the fundamental ideas of the attack on the concatenation combiners, as depicted in Fig. 9. The attacker selects \(T_2\) as their commitment and subsequently faces a challenge involving an unknown prefix P. The attack is the same to the attack on concatenation combiner. Please see Algorithm 4 for details. The only difference is that the \(IV_2\) is replaced by \(T_1\). Therefore, the overall optimal time complexity is also \(\mathcal {O}(2^{7n/15})\) with a classical memory of \(\mathcal {O}(2^{n/5})\).

9 Quantum Herding Attack on Zipper Hash

As stated by Andreeva et al. [3], the traditional herding attack with a prefix P can not be applied to Zipper Hash. Therefore, Andreeva et al. [3] gave a variant of the herding attack, where the challenge is placed at the end: as shown in Fig. 10, the adversary commits to a hash value \(h_T\), then she is challenged with a suffix S, and has to produce \(S_1\Vert m^*\) such that \(\mathcal {H}(IV, S_1\Vert m^*\Vert S)=h_T\). The complexity of Andreeva et al.’s classical attack is \(\mathcal {O}(2^{2n/3})\).

In this section, we introduce a quantum version Andreeva et al.’s attack in Algorithm 5. The complexity of the off-line phase dominated by building \(\mathcal {M}_\texttt{DS}\), which is about \(\mathcal {O}(2^{k+2n/5})\). The on-line phase is \(2^{\frac{n-r-k}{2}}\cdot (2^{r/2}+2^{k})\) with \(t=n\). Let \(k=\frac{n}{15}\), \(r=2k\), the optimal complexity is achieved to be \(2^{7n/15}\). The memory is \(2^{n/5}\).

Fig. 9.
figure 9

Herding attack on Hash-Twice

Full size image
Fig. 10.
figure 10

Herding attack on Zipper Hash

Full size image

Conclusion

This paper evaluated the quantum attacks on iterated hash functions and various important hash combiners. Most of the attacks do not need qRAM anymore, and the quantum preimage attack on hash XOR combiner is improved by significantly reducing the number of qubits from previous \(2^{0.143n}\) to the current \(2^{0.013n}\). Since the existence of large qRAM is still questionable, building quantum attacks with low-qRAM is of more practical relevance. Since for hash functions, the attackers do not need online superposition queries, quantum attacks on hash functions are more friendly than on other keyed primitives like block ciphers. Therefore, exploring the quantum attacks on hash functions is of more practical relevance.