Finding hash collisions with quantum computers by using differential trails with smaller probability than birthday bound. (English) Zbl 1492.81040
Canteaut, Anne (ed.) et al., Advances in cryptology – EUROCRYPT 2020. 39th annual international conference on the theory and applications of cryptographic techniques, Zagreb, Croatia, May 10–14, 2020. Proceedings. Part II. Cham: Springer. Lect. Notes Comput. Sci. 12106, 249-279 (2020).
Summary: In this paper we spot light on dedicated quantum collision attacks on concrete hash functions, which has not received much attention so far. In the classical setting, the generic complexity to find collisions of an \(n\)-bit hash function is \(O(2^{n/2})\), thus classical collision attacks based on differential cryptanalysis such as rebound attacks build differential trails with probability higher than \(2^{-n/2}\). By the same analogy, generic quantum algorithms such as the BHT algorithm find collisions with complexity \(O(2^{n/3})\). With quantum algorithms, a pair of messages satisfying a differential trail with probability \(p\) can be generated with complexity \(p^{-1/2}\). Hence, in the quantum setting, some differential trails with probability up to \(2^{-2n/3}\) that cannot be exploited in the classical setting may be exploited to mount a collision attack in the quantum setting. In particular, the number of attacked rounds may increase. In this paper, we attack two international hash function standards: AES-MMO and Whirlpool. For AES-MMO, we present a 7-round differential trail with probability \(2^{-80}\) and use it to find collisions with a quantum version of the rebound attack, while only 6 rounds can be attacked in the classical setting. For Whirlpool, we mount a collision attack based on a 6-round differential trail from a classical rebound distinguisher with a complexity higher than the birthday bound. This improves the best classical attack on 5 rounds by 1. We also show that those trails are optimal in our approach. Our results have two important implications. First, there seems to exist a common belief that classically secure hash functions will remain secure against quantum adversaries. Indeed, several second-round candidates in the NIST post-quantum competition use existing hash functions, say SHA-3, as quantum secure ones. Our results disprove this common belief. Second, our observation suggests that differential trail search should not stop with probability \(2^{-n/2}\) but should consider up to \(2^{-2n/3}\). Hence it deserves to revisit the previous differential trail search activities.
For the entire collection see [Zbl 1482.94003].
For the entire collection see [Zbl 1482.94003].
MSC:
| 81P94 | Quantum cryptography (quantum-theoretic aspects) |
| 81P70 | Quantum coding (general) |
| 81P68 | Quantum computation |
| 94A60 | Cryptography |
| 81P73 | Computational stability and error-correcting codes for quantum computation and communication processing |
| 68Q12 | Quantum algorithms and complexity in the theory of computing |
| 81Q93 | Quantum control |
Keywords:
symmetric key cryptography; hash function; cryptanalysis; collision; quantum attack; AES-MMO; whirlpool; rebound attackSoftware:
WhirlpoolReferences:
| [1] | ZigBee Alliance: ZigBee -2007 Specification (2007). https://zigbee.org/. Document 053474r17 |
| [2] | Banegas, G.; Bernstein, DJ; Adams, C.; Camenisch, J., Low-communication parallel quantum multi-target preimage search, Selected Areas in Cryptography - SAC 2017, 325-335 (2018), Cham: Springer, Cham · Zbl 1384.94030 · doi:10.1007/978-3-319-72565-9_16 |
| [3] | Barreto, P.S., Rijmen, V.: The WHIRLPOOL Hashing Function. Submitted to NESSIE (2000). Accessed 24 May 2003 |
| [4] | Bernstein, D.J.: Cost analysis of hash collisions: will quantum computers make SHARCS obsolete? In: SHARCS (2009) |
| [5] | Boneh, D.; Dagdelen, Ö.; Fischlin, M.; Lehmann, A.; Schaffner, C.; Zhandry, M.; Lee, DH; Wang, X., Random oracles in a quantum world, Advances in Cryptology - ASIACRYPT 2011, 41-69 (2011), Heidelberg: Springer, Heidelberg · Zbl 1227.94033 · doi:10.1007/978-3-642-25385-0_3 |
| [6] | Bonnetain, X.; Hosoyamada, A.; Naya-Plasencia, M.; Sasaki, Y.; Schrottenloher, A.; Galbraith, SD; Moriai, S., Quantum attacks without superposition queries: the offline Simon’s algorithm, Advances in Cryptology - ASIACRYPT 2019, 552-583 (2019), Cham: Springer, Cham · Zbl 1456.94052 · doi:10.1007/978-3-030-34578-5_20 |
| [7] | Bonnetain, X.; Naya-Plasencia, M.; Schrottenloher, A.; Paterson, KG; Stebila, D., On quantum slide attacks, Selected Areas in Cryptography - SAC 2019, 492-519 (2020), Cham: Springer, Cham · Zbl 1453.94062 · doi:10.1007/978-3-030-38471-5_20 |
| [8] | Bonnetain, X.; Naya-Plasencia, M.; Schrottenloher, A., Quantum security analysis of AES, IACR Trans. Symmetric Cryptol., 2019, 2, 55-93 (2019) · doi:10.46586/tosc.v2019.i2.55-93 |
| [9] | Boyer, M.; Brassard, G.; Høyer, P.; Tapp, A., Tight bounds on quantum searching, Fortschritte der Physik: Progress of Physics, 46, 4-5, 493-505 (1998) · doi:10.1002/(SICI)1521-3978(199806)46:4/5<493::AID-PROP493>3.0.CO;2-P |
| [10] | Brassard, G.; Hoyer, P.; Mosca, M.; Tapp, A., Quantum amplitude amplification and estimation, Contemp. Math., 305, 53-74 (2002) · Zbl 1063.81024 · doi:10.1090/conm/305/05215 |
| [11] | Brassard, G.; Høyer, P.; Tapp, A.; Lucchesi, CL; Moura, AV, Quantum cryptanalysis of hash and claw-free functions, LATIN’98: Theoretical Informatics, 163-169 (1998), Heidelberg: Springer, Heidelberg · Zbl 1508.68118 · doi:10.1007/BFb0054319 |
| [12] | Campagna, M., Zaverucha, G., Corp, C.: A Cryptographic Suite for Embedded Systems (SuiteE). Internet-Draft, October 2012 |
| [13] | Chailloux, A.; Naya-Plasencia, M.; Schrottenloher, A.; Takagi, T.; Peyrin, T., An efficient quantum collision search algorithm and implications on symmetric cryptography, Advances in Cryptology - ASIACRYPT 2017, 211-240 (2017), Cham: Springer, Cham · Zbl 1380.81085 · doi:10.1007/978-3-319-70697-9_8 |
| [14] | Daemen, J.; Rijmen, V., The Design of Rijndeal: AES - The Advanced Encryption Standard (AES) (2002), Heidelberg: Springer, Heidelberg · Zbl 1065.94005 · doi:10.1007/978-3-662-04722-4 |
| [15] | Damgård, IB; Brassard, G., A design principle for hash functions, Advances in Cryptology — CRYPTO 1989 Proceedings, 416-427 (1990), New York: Springer, New York · Zbl 0724.68029 · doi:10.1007/0-387-34805-0_39 |
| [16] | Gilbert, H.; Peyrin, T.; Hong, S.; Iwata, T., Super-Sbox cryptanalysis: improved attacks for AES-like permutations, Fast Software Encryption, 365-383 (2010), Heidelberg: Springer, Heidelberg · Zbl 1279.94077 · doi:10.1007/978-3-642-13858-4_21 |
| [17] | Grover, L.K.: A fast quantum mechanical algorithm for database search. In: ACM STOC 1996, pp. 212-219. ACM (1996) · Zbl 0922.68044 |
| [18] | Grover, LK; Rudolph, T., How significant are the known collision and element distinctness quantum algorithms?, Quantum Inf. Comput., 4, 3, 201-206 (2004) · Zbl 1175.81056 |
| [19] | Guo, C., Katz, J., Wang, X., Yu, Y.: Efficient and secure multiparty computation from fixed-key block ciphers. IACR Cryptology ePrint Archive 2019/74 (2019) |
| [20] | Hosoyamada, A.; Sasaki, Y.; Catalano, D.; De Prisco, R., Quantum Demiric-Selçuk meet-in-the-middle attacks: applications to 6-round generic Feistel constructions, Security and Cryptography for Networks, 386-403 (2018), Cham: Springer, Cham · Zbl 1514.81107 · doi:10.1007/978-3-319-98113-0_21 |
| [21] | Hosoyamada, A., Sasaki, Y.: Finding hash collisions with quantum computers by using differential trails with smaller probability than birthday bound. IACR Cryptology ePrint Archive 2020/213 (2020) |
| [22] | ISO: IT Security techniques - Hash-functions - Part 3: Dedicated hash-functions, ISO/IEC 10118-3:2018 (2018) |
| [23] | Jean, J.; Naya-Plasencia, M.; Peyrin, T.; Canteaut, A., Improved rebound attack on the finalist Grøstl, Fast Software Encryption, 110-126 (2012), Heidelberg: Springer, Heidelberg · Zbl 1312.94062 · doi:10.1007/978-3-642-34047-5_7 |
| [24] | Kaplan, M.; Leurent, G.; Leverrier, A.; Naya-Plasencia, M.; Robshaw, M.; Katz, J., Breaking symmetric cryptosystems using quantum period finding, Advances in Cryptology - CRYPTO 2016, 207-237 (2016), Heidelberg: Springer, Heidelberg · Zbl 1391.94766 · doi:10.1007/978-3-662-53008-5_8 |
| [25] | Kaplan, M.; Leurent, G.; Leverrier, A.; Naya-Plasencia, M., Quantum differential and linear cryptanalysis, IACR Trans. Symmetric Cryptol., 2016, 1, 71-94 (2016) · doi:10.46586/tosc.v2016.i1.71-94 |
| [26] | Katz, J.; Menezes, AJ; Van Oorschot, PC; Vanstone, SA, Handbook of Applied Cryptography (1996), Boca Raton: CRC Press, Boca Raton · Zbl 0868.94001 |
| [27] | Keller, M., Orsini, E., Scholl, P.: MASCOT: faster malicious arithmetic secure computation with oblivious transfer. In: ACM SIGSAC 2016, pp. 830-842 (2016) |
| [28] | Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. In: ISIT 2010, pp. 2682-2685. IEEE (2010) |
| [29] | Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: ISITA 2012, pp. 312-316. IEEE (2012) |
| [30] | Lamberger, M.; Mendel, F.; Rechberger, C.; Rijmen, V.; Schläffer, M.; Matsui, M., Rebound distinguishers: results on the full Whirlpool compression function, Advances in Cryptology - ASIACRYPT 2009, 126-143 (2009), Heidelberg: Springer, Heidelberg · Zbl 1267.94079 · doi:10.1007/978-3-642-10366-7_8 |
| [31] | Lamberger, M.; Mendel, F.; Schläffer, M.; Rechberger, C.; Rijmen, V., The rebound attack and subspace distinguishers: application to Whirlpool, J. Cryptol., 28, 2, 257-296 (2015) · Zbl 1314.94082 · doi:10.1007/s00145-013-9166-5 |
| [32] | Mendel, F.; Rechberger, C.; Schläffer, M.; Thomsen, SS; Dunkelman, O., The rebound attack: cryptanalysis of reduced Whirlpool and Grøstl, Fast Software Encryption, 260-276 (2009), Heidelberg: Springer, Heidelberg · Zbl 1291.94130 · doi:10.1007/978-3-642-03317-9_16 |
| [33] | Merkle, RC; Brassard, G., A certified digital signature, Advances in Cryptology — CRYPTO 1989 Proceedings, 218-238 (1990), New York: Springer, New York · doi:10.1007/0-387-34805-0_21 |
| [34] | Mouha, N.; Wang, Q.; Gu, D.; Preneel, B.; Wu, C-K; Yung, M.; Lin, D., Differential and linear cryptanalysis using mixed-integer linear programming, Information Security and Cryptology, 57-76 (2012), Heidelberg: Springer, Heidelberg · Zbl 1292.94118 · doi:10.1007/978-3-642-34704-7_5 |
| [35] | Nielsen, MA; Chuang, IL, Quantum Computation and Quantum Information: 10th Anniversary Edition (2010), Cambridge: Cambridge University Press, Cambridge · Zbl 1288.81001 · doi:10.1017/CBO9780511976667 |
| [36] | NIST: Post-quantum cryptography standardization, 26 September 2019. See https://csrc.nist.gov/Projects/post-quantum-cryptography/Post-Quantum-Cryptography-Standardization |
| [37] | van Oorschot, P.C., Wiener, M.J.: Parallel collision search with application to hash functions and discrete logarithms. In: ACM CCS 1994, pp. 210-218. ACM (1994) |
| [38] | Sasaki, Y.; Joux, A., Meet-in-the-middle preimage attacks on AES hashing modes and an application to Whirlpool, Fast Software Encryption, 378-396 (2011), Heidelberg: Springer, Heidelberg · Zbl 1307.94094 · doi:10.1007/978-3-642-21702-9_22 |
| [39] | Sasaki, Y.; Wang, L.; Wu, S.; Wu, W.; Wang, X.; Sako, K., Investigating fundamental security requirements on Whirlpool: improved preimage and collision attacks, Advances in Cryptology - ASIACRYPT 2012, 562-579 (2012), Heidelberg: Springer, Heidelberg · Zbl 1292.94134 · doi:10.1007/978-3-642-34961-4_34 |
| [40] | Simon, DR, On the power of quantum computation, SIAM J. Comput., 26, 5, 1474-1483 (1997) · Zbl 0883.03024 · doi:10.1137/S0097539796298637 |
| [41] | Wang, X.; Yin, YL; Yu, H.; Shoup, V., Finding collisions in the full SHA-1, Advances in Cryptology - CRYPTO 2005, 17-36 (2005), Heidelberg: Springer, Heidelberg · Zbl 1145.94454 · doi:10.1007/11535218_2 |
| [42] | Wang, X.; Yu, H.; Cramer, R., How to break MD5 and other hash functions, Advances in Cryptology - EUROCRYPT 2005, 19-35 (2005), Heidelberg: Springer, Heidelberg · Zbl 1137.94359 · doi:10.1007/11426639_2 |
| [43] | Wu, S.; Feng, D.; Wu, W.; Guo, J.; Dong, L.; Zou, J.; Canteaut, A., (Pseudo) preimage attack on round-reduced Grøstl hash function and others, Fast Software Encryption, 127-145 (2012), Heidelberg: Springer, Heidelberg · Zbl 1312.94101 · doi:10.1007/978-3-642-34047-5_8 |
| [44] | Xie, H., Yang, L.: Quantum impossible differential and truncated differential cryptanalysis. CoRR abs/1712.06997 (2017) |
| [45] | Zhandry, M., A note on the quantum collision and set equality problems, Quantum Inf. Comput., 15, 7-8, 557-567 (2015) |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
