Quantum Collision Resistance of Double-Block-Length Hashing

Abstract

In 2005, Nandi introduced a class of double-block-length compression functions h^π (x) := (h(x) , h( π(x) ) ), where h is a random oracle with an n-bit output and π is a non-cryptographic public permutation. Nandi demonstrated that the collision resistance of h^π is optimal if π has no fixed point in the classical setting. Our study explores the collision resistance of h^π and the Merkle-Damåard hash function using h^π in the quantum random oracle model. Firstly, we reveal that the quantum collision resistance of h^π may not be optimal even if π has no fixed point. If π is an involution, then a colliding pair of inputs can be found for h^π with only O(2^n/2) queries by the Grover search. Secondly, we present a sufficient condition on π for the optimal quantum collision resistance of h^π. This condition states that any collision attack needs Ω(2^2n/3) queries to find a colliding pair of inputs. The proof uses the recent technique of Zhandry's compressed oracle. Thirdly, we show that the quantum collision resistance of the Merkle-Damgård hash function using h^π can be optimal even if π is an involution. Finally, we discuss the quantum collision resistance of double-block-length compression functions using a block cipher.