Skip to main content
View expanded cover

Annual International Cryptology Conference

CRYPTO 2021: Advances in Cryptology – CRYPTO 2021 pp 616–646Cite as

Quantum Collision Attacks on Reduced SHA-256 and SHA-512

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12825)

Abstract

In this paper, we study dedicated quantum collision attacks on SHA-256 and SHA-512 for the first time. The attacks reach 38 and 39 steps, respectively, which significantly improve the classical attacks for 31 and 27 steps. Both attacks adopt the framework of the previous work that converts many semi-free-start collisions into a 2-block collision, and are faster than the generic attack in the cost metric of time-space tradeoff. We observe that the number of required semi-free-start collisions can be reduced in the quantum setting, which allows us to convert the previous classical 38 and 39 step semi-free-start collisions into a collision. The idea behind our attacks is simple and will also be applicable to other cryptographic hash functions.

Keywords

  • Symmetric key cryptography
  • Hash function
  • SHA-256
  • SHA-512
  • Collision attack
  • Quantum attack
  • Conversion from semi-free-start collisions

This is a preview of subscription content, access via your institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-84242-0_22
  • Chapter length: 31 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-84242-0
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)
Learn about institutional subscriptions
Fig. 1.
Fig. 2.
Fig. 3.

Notes

  1. 1.

    For readers who are not familiar with various types of collisions, we explain the difference among collisions, semi-free-stard collisions, and free-start collisions in Section A of this paper’s full version [15].

  2. 2.

    There is no proof that the bound \(O(2^{n/2}/S)\) is the best, but achieving a better bound is hard.

  3. 3.

    From the view point of provable security, there is a previous work that suggests that the SHA-2 mode is reasonable in the quantum setting [16].

  4. 4.

    The generic attacks in other two settings are the BHT algorithm [5] and the CNS algorithm [6]. The BHT algorithm runs in time \(T=O(2^{n/3})\) and uses \(S=O(2^{n/3})\) qRAM. The CNS algorithm runs in time \(T=O(2^{2n/5})\) and uses no qRAM, but requires \(S=O(2^{n/5})\) classical memory.

  5. 5.

    Knowledge on quantum computations is required to fully understand our complexity analysis, though, essentially the quantum algorithms we use are only the (parallelized) Grover search, and we use them in an almost black-box manner.

  6. 6.

    More precisely, we run \(\mathsf {Grov}(F,\lfloor \pi /4 \theta \rfloor )\) in Step II, where \(\theta = \arcsin (\sqrt{p})\).

  7. 7.

    See Sect. 2 for details on parallelization. We use the quantum computer of size S as \(S/S_F\) independent small quantum computers.

  8. 8.

    We actually implemented to count the number of semi-free-start collisions for all \(2^{32}\) choices of \(W_6\) and accordingly modified \(W_5 \ldots , W_0\).

  9. 9.

    In Sects. 5 and 6, we considered the special case where s is the number of the starting step of a local collision.

  10. 10.

    In other words, \(2^f\) is the complexity to find a first block message M that can be connected to \(FIX_\mathrm {start}\).

  11. 11.

    While Table 2 shows only 26 conditions on \(\varDelta E_{13}\) to \(\varDelta E_{16}\), the original paper implies two additional conditions. Hence we deduce that \(p=28\). See also Remark 3.

  12. 12.

    The situation may change if we adopt the cost-metric that assumes the existence of quantum RAM instead of the cost-metric of time-memory tradeoff, but we expect that finding attacks that are valid in the latter is easier than finding ones valid in the former.

  13. 13.

    Recall that a collision \(((\mathrm {IV},M), (\mathrm {IV}',M'))\) for a compression function h is called a semi-free-start collision if \(\mathrm {IV} = \mathrm {IV}'\) and free-start collision if \(\mathrm {IV} \ne \mathrm {IV}'\).

References

  1. Aoki, K., Guo, J., Matusiewicz, K., Sasaki, Y., Wang, L.: Preimages for step-reduced SHA-2. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 578–597. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_34

  2. Bernstein, D.J.: Cost analysis of hash collisions: will quantum computers make SHARCS obsolete? In: SHARCS (2009)

    Google Scholar 

  3. Biryukov, A., Lamberger, M., Mendel, F., Nikolić, I.: Second-order differential collisions for reduced SHA-256. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 270–287. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_15

    CrossRef  Google Scholar 

  4. Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. Fortschritte der Physik: Prog. Phys. 46(4–5), 493–505 (1998)

    CrossRef  Google Scholar 

  5. Brassard, G., Høyer, P., Tapp, A.: Quantum cryptanalysis of hash and claw-free functions. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 163–169. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054319

  6. Chailloux, A., Naya-Plasencia, M., Schrottenloher, A.: An efficient quantum collision search algorithm and implications on symmetric cryptography. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 211–240. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_8

    CrossRef  Google Scholar 

  7. Dobraunig, C., Eichlseder, M., Mendel, F.: Analysis of SHA-512/224 and SHA-512/256. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 612–630. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_25

    CrossRef  Google Scholar 

  8. Dobraunig, C., Eichlseder, M., Mendel, F.: Analysis of SHA-512/224 and SHA-512/256. IACR Cryptology ePrint Archive 2016/374 (2016). The full version of [7]

    Google Scholar 

  9. Dong, X., Sun, S., Shi, D., Gao, F., Wang, X., Hu, L.: Quantum collision attacks on AES-like hashing with low quantum random access memories. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 727–757. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_25

    CrossRef  Google Scholar 

  10. Eichlseder, M., Mendel, F., Schläffer, M.: Branching heuristics in differential collision search with applications to SHA-512. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 473–488. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_24

    CrossRef  Google Scholar 

  11. Flórez Gutiérrez, A., Leurent, G., Naya-Plasencia, M., Perrin, L., Schrottenloher, A., Sibleyras, F.: New results on Gimli: full-permutation distinguishers and improved collisions. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 33–63. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_2

    CrossRef  Google Scholar 

  12. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: ACM STOC 1996, pp. 212–219. ACM (1996)

    Google Scholar 

  13. Guo, J., Ling, S., Rechberger, C., Wang, H.: Advanced meet-in-the-middle preimage attacks: first results on full tiger, and improved results on MD4 and SHA-2. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 56–75. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_4

    CrossRef  Google Scholar 

  14. Hosoyamada, A., Sasaki, Y.: Finding hash collisions with quantum computers by using differential trails with smaller probability than birthday bound. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 249–279. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_9

  15. Hosoyamada, A., Sasaki, Y.: Quantum collision attacks on reduced SHA-256 and SHA-512. IACR Cryptology ePrint Archive 2021/292 (2021). The full version of this paper

    Google Scholar 

  16. Hosoyamada, A., Yasuda, K.: Building quantum-one-way functions from block ciphers: Davies-Meyer and Merkle-Damgård constructions. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 275–304. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_10

    CrossRef  Google Scholar 

  17. Indesteege, S., Mendel, F., Preneel, B., Rechberger, C.: Collisions and other non-random properties for step-reduced SHA-256. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 276–293. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_18

    CrossRef  Google Scholar 

  18. Isobe, T., Shibutani, K.: Preimage attacks on reduced tiger and SHA-2. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 139–155. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03317-9_9

    CrossRef  Google Scholar 

  19. Jaques, S., Schanck, J.M.: Quantum cryptanalysis in the RAM model: claw-finding attacks on SIKE. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 32–61. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_2

    CrossRef  MATH  Google Scholar 

  20. Khovratovich, D., Rechberger, C., Savelieva, A.: Bicliques for preimages: attacks on Skein-512 and the SHA-2 family. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 244–263. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_15

    CrossRef  Google Scholar 

  21. Landelle, F., Peyrin, T.: Cryptanalysis of full RIPEMD-128. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 228–244. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_14

    CrossRef  Google Scholar 

  22. Leurent, G., Peyrin, T.: SHA-1 is a shambles: first chosen-prefix collision on SHA-1 and application to the PGP web of trust. In: Capkun, S., Roesner, F. (eds.) USENIX Security 2020, pp. 1839–1856. USENIX Association (2020)

    Google Scholar 

  23. Li, J., Isobe, T., Shibutani, K.: Converting meet-in-the-middle preimage attack into pseudo collision attack: application to SHA-2. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 264–286. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_16

    CrossRef  Google Scholar 

  24. Liu, F., Dobraunig, C., Mendel, F., Isobe, T., Wang, G., Cao, Z.: New semi-free-start collision attack framework for reduced RIPEMD-160. IACR Trans. Symmetric Cryptol. 2019(3), 169–192 (2019)

    CrossRef  Google Scholar 

  25. Liu, F., Mendel, F., Wang, G.: Collisions and semi-free-start collisions for round-reduced RIPEMD-160. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 158–186. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_6

    CrossRef  Google Scholar 

  26. Mendel, F., Nad, T., Schläffer, M.: Cryptanalysis of round-reduced HAS-160. In: Kim, H. (ed.) ICISC 2011. LNCS, vol. 7259, pp. 33–47. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31912-9_3

    CrossRef  Google Scholar 

  27. Mendel, F., Nad, T., Schläffer, M.: Finding SHA-2 characteristics: searching through a minefield of contradictions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 288–307. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_16

    CrossRef  Google Scholar 

  28. Mendel, F., Nad, T., Schläffer, M.: Finding collisions for round-reduced SM3. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 174–188. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36095-4_12

    CrossRef  Google Scholar 

  29. Mendel, F., Nad, T., Schläffer, M.: Improving local collisions: new attacks on reduced SHA-256. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 262–278. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_16

    CrossRef  Google Scholar 

  30. Mendel, F., Peyrin, T., Schläffer, M., Wang, L., Wu, S.: Improved cryptanalysis of reduced RIPEMD-160. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 484–503. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_25

    CrossRef  Google Scholar 

  31. Mendel, F., Pramstaller, N., Rechberger, C., Rijmen, V.: Analysis of step-reduced SHA-256. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 126–143. Springer, Heidelberg (2006). https://doi.org/10.1007/11799313_9

    CrossRef  Google Scholar 

  32. National Institute of Standards and Technology: Secure Hash Standard (SHS). FIPS PUB 180–4 (August 2015)

    Google Scholar 

  33. Nikolić, I., Biryukov, A.: Collisions for step-reduced SHA-256. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 1–15. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_1

    CrossRef  Google Scholar 

  34. van Oorschot, P.C., Wiener, M.J.: Parallel collision search with application to hash functions and discrete logarithms. In: ACM CCS 1994, pp. 210–218. ACM (1994)

    Google Scholar 

  35. Sanadhya, S.K., Sarkar, P.: 22-step collisions for SHA-2. CoRR abs/0803.1220 (2008)

    Google Scholar 

  36. Sanadhya, S.K., Sarkar, P.: New collision attacks against up to 24-step SHA-2. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 91–103. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89754-5_8

    CrossRef  Google Scholar 

  37. Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y.: The first collision for full SHA-1. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 570–596. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_19

    CrossRef  Google Scholar 

  38. Zhandry, M.: A note on the quantum collision and set equality problems. Quantum Info. Comput. 15(7–8), 557–567 (2015)

    MathSciNet  Google Scholar 

Download references

Acknowledgments

We thank anonymous reviewers for their insightful comments, especially for pointing out errors in previous versions of the paper.

Author information

Authors and Affiliations

  1. NTT Secure Platform Laboratories, Tokyo, Japan

    Akinori Hosoyamada & Yu Sasaki

  2. Nagoya University, Nagoya, Japan

    Akinori Hosoyamada

Authors
  1. Akinori Hosoyamada
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yu Sasaki
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Akinori Hosoyamada .

Editor information

Editors and Affiliations

  1. Columbia University, New York City, NY, USA

    Tal Malkin

  2. University of Michigan, Ann Arbor, MI, USA

    Chris Peikert

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 International Association for Cryptologic Research

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Hosoyamada, A., Sasaki, Y. (2021). Quantum Collision Attacks on Reduced SHA-256 and SHA-512. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science(), vol 12825. Springer, Cham. https://doi.org/10.1007/978-3-030-84242-0_22

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-84242-0_22

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-84241-3

  • Online ISBN: 978-3-030-84242-0

  • eBook Packages: Computer ScienceComputer Science (R0)