Quantum computing's rapid advancement poses a significant threat to currently deployed cryptographic systems. While much attention has been focused on public-key cryptography, hash functions, a cornerstone of digital security, have often been assumed to remain secure in a post-quantum world. This article challenges that assumption by exploring how differential trails with probabilities previously considered too low to matter in classical cryptanalysis can be exploited by quantum algorithms to find collisions, jeopardizing the security of hash functions such as AES-MMO and Whirlpool.
The birthday paradox dictates that finding collisions in an n-bit hash function classically requires approximately 2^(n/2) operations. Consequently, classical collision attacks using differential cryptanalysis, such as rebound attacks, focus on identifying differential trails with probabilities exceeding 2^(-n/2). However, quantum algorithms like the Brassard-Høyer-Tapp (BHT) algorithm reduce this complexity to approximately 2^(n/3). This allows for the exploitation of differential trails with probabilities as low as 2^(-2n/3) to mount successful collision attacks in the quantum setting. This shift fundamentally alters the landscape of hash function security.
This new reality allows attacks to reach more rounds of a hash function. For instance, AES-MMO, a widely used hash function, is classically vulnerable to a 6-round collision attack. Our research demonstrates a quantum rebound attack exploiting a 7-round differential trail with probability 2^(-80), a trail that lies beyond what classical cryptanalysis can exploit. Similarly, Whirlpool, another international hash function standard, can be attacked using a 6-round differential trail derived from a classical rebound distinguisher, surpassing the previous 5-round classical attack.
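As an added illustration, not code from the article or its authors, the following Python applies the two thresholds above (2^(-n/2) classically, 2^(-2n/3) with BHT-style quantum collision finding) to decide which setting can exploit a given trail; the AES-MMO figures (n = 128, 7 rounds, probability 2^(-80)) come from the text, while the cost model (classical 1/p trials versus a Grover-style sqrt(1/p) search) is a simplifying assumption of this example, not the paper's exact complexity analysis.

```python
# Added example, not from the paper. It decides whether a differential trail
# of probability 2^(-t) on an n-bit hash is worth exploiting for collisions.
#
# Simplified cost model (an assumption of this example):
#   classical: ~1/p = 2^t trials to find one trail-conforming pair
#   quantum:   Grover-style search over the same space, ~sqrt(1/p) = 2^(t/2)
# A trail only helps if it beats the generic collision bound of the same
# setting: 2^(n/2) classically (birthday bound), about 2^(n/3) with BHT.

def generic_bound_log2(n: int, quantum: bool) -> float:
    """log2 cost of generic collision finding on an n-bit digest."""
    return n / 3 if quantum else n / 2

def trail_cost_log2(t: float, quantum: bool) -> float:
    """log2 cost of a collision search along a trail of probability 2^(-t)."""
    return t / 2 if quantum else t

def min_trail_prob_log2(n: int, quantum: bool) -> float:
    """Lowest usable trail probability as log2: -n/2 classical, -2n/3 quantum."""
    return -(2 * n / 3) if quantum else -(n / 2)

def exploitable(n: int, t: float, quantum: bool) -> bool:
    """True if the trail-based attack is cheaper than the generic bound."""
    return trail_cost_log2(t, quantum) < generic_bound_log2(n, quantum)

def report(name: str, n: int, rounds: int, t: float) -> str:
    """Human-readable comparison of both settings for one trail."""
    lines = [f"{name}, {rounds} rounds, trail probability 2^-{t:g}, n={n}:"]
    for label, q in (("classical", False), ("quantum", True)):
        verdict = "exploitable" if exploitable(n, t, q) else "not exploitable"
        lines.append(
            f"  {label:9s} cost 2^{trail_cost_log2(t, q):.1f} vs generic "
            f"2^{generic_bound_log2(n, q):.1f} -> {verdict}"
        )
    return "\n".join(lines)

if __name__ == "__main__":
    # AES-MMO: 128-bit digest, 7-round trail of probability 2^-80 (from the text).
    print(report("AES-MMO", 128, 7, 80))
    # Whirlpool: 512-bit digest. The text gives no trail probability, so only
    # the thresholds are shown here.
    for q in (False, True):
        print(f"Whirlpool usable trail probability down to "
              f"2^{min_trail_prob_log2(512, q):.1f} ({'quantum' if q else 'classical'})")
```

Running it shows the 2^(-80) AES-MMO trail failing the classical 2^(-64) cutoff but passing the quantum 2^(-85.3) cutoff, which is exactly the gap the rebound attack above exploits.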
These findings are significant because they demonstrate that differential trails previously dismissed as impractical for classical attacks can be leveraged in the quantum realm. This has profound implications for the selection and design of hash functions in a post-quantum world. The common belief that classically secure hash functions are inherently quantum-resistant is demonstrably false. Our research highlights the urgent need to reconsider the security of existing hash functions and to revise differential trail search methodologies to encompass probabilities up to 2^(-2n/3).
The use of existing hash functions like SHA-3 in second-round candidates of the NIST post-quantum competition underscores the prevailing assumption of their quantum security. Our work directly challenges this assumption by demonstrating that even standardized hash functions are vulnerable to quantum collision attacks that exploit low-probability differential trails. This necessitates a reassessment of the long-term security of cryptographic systems relying on these functions. Moving forward, the development and deployment of genuinely quantum-resistant hash functions are crucial to maintaining the integrity of digital infrastructure in the face of emerging quantum threats. Further research is needed to explore the full extent of quantum vulnerabilities in hash functions and to develop robust mitigation strategies.