
Time-Space Lower Bounds for Finding Collisions in Merkle–Damgård Hash Functions

Research Article, Journal of Cryptology

Abstract

We revisit the problem of finding B-block-long collisions in Merkle–Damgård hash functions in the auxiliary-input random oracle model, in which an attacker gets a piece of S-bit advice about the random oracle and makes T oracle queries. Akshima, Cash, Drucker and Wee (CRYPTO 2020), based on the work of Coretti, Dodis, Guo and Steinberger (EUROCRYPT 2018), showed a simple attack for \(2\le B\le T\) (with respect to a random salt). The attack achieves advantage \(\widetilde{\Omega }(STB/2^n+T^2/2^n)\), where n is the output length of the random oracle. They conjectured that this attack is optimal. However, this so-called STB conjecture was only proved for \(B\approx T\) and \(B=2\). Very recently, Ghoshal and Komargodski (CRYPTO 2022) confirmed the STB conjecture for all constant values of B and provided an \(\widetilde{O}(S^4TB^2/2^n+T^2/2^n)\) bound for all choices of B. In this work, we prove an \(\widetilde{O}((STB/2^n)\cdot \max \{1,ST^2/2^n\}+ T^2/2^n)\) bound for every \(2< B < T\). Our bound confirms the STB conjecture for \(ST^2\le 2^n\) and is optimal up to a factor of S for \(ST^2>2^n\) (note that \(T^2\) is always at most \(2^n\), since otherwise finding a collision is trivial by the birthday attack). Our result subsumes all previous upper bounds for all ranges of parameters except for \(B=\widetilde{O}(1)\) and \(ST^2>2^n\). We obtain our results by adopting and refining the technique of Chung, Guo, Liu and Qian (FOCS 2020). Our approach yields more modular proofs and sheds light on how to bypass the limitations of prior techniques. Along the way, we obtain a considerably simpler and more illuminating proof for \(B=2\), recovering the main result of Akshima, Cash, Drucker and Wee.
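The abstract fixes the objects involved (a salted Merkle–Damgård hash over a random oracle, B-block collisions, a budget of T queries) but does not write them out. The following Python is an added example, not code from the paper or its authors: it builds a salted Merkle–Damgård hash over a lazily sampled random compression function with a toy 16-bit output (an assumption chosen so that a search finishes instantly), a checker for what counts as a valid B-block collision under a given salt, and an online-only (S = 0, no advice) birthday search whose success is governed by the \(T^2/2^n\) term of the bound. It does not implement the preprocessing attack of Akshima et al.; `stb_bound` only evaluates the main term of the bound stated above with the polylogarithmic factors hidden by the \(\widetilde{O}\) dropped. All function names, seeds and parameter values are this example's own.

```python
import random
from typing import Dict, List, Optional, Tuple

# Toy parameters (assumptions for this example only): n = 16-bit outputs, so
# 2^n = 65536 and a birthday search over a few thousand messages is instant.
N_BITS = 16
SPACE = 1 << N_BITS


class RandomOracle:
    """Lazily sampled random compression function h: [2^n] x [2^n] -> [2^n].

    Every call is counted, so `queries` plays the role of T in the model.
    """

    def __init__(self, seed: int) -> None:
        self._rng = random.Random(seed)
        self._table: Dict[Tuple[int, int], int] = {}
        self.queries = 0

    def __call__(self, chaining: int, block: int) -> int:
        self.queries += 1
        key = (chaining, block)
        if key not in self._table:
            self._table[key] = self._rng.getrandbits(N_BITS)
        return self._table[key]


def md_hash(h: RandomOracle, salt: int, blocks: List[int]) -> int:
    """Salted Merkle–Damgård: the salt is the IV; each block updates the chaining value."""
    y = salt
    for m in blocks:
        y = h(y, m)
    return y


def is_b_block_collision(h: RandomOracle, salt: int,
                         m1: List[int], m2: List[int], B: int) -> bool:
    """A valid answer is two distinct B-block messages with equal digests under this salt."""
    return (len(m1) == B and len(m2) == B and m1 != m2
            and md_hash(h, salt, m1) == md_hash(h, salt, m2))


def birthday_collision(h: RandomOracle, salt: int, B: int, T: int,
                       rng: random.Random) -> Optional[Tuple[List[int], List[int]]]:
    """Online-only (S = 0) search: hash random B-block messages until two digests agree.

    Each message costs B queries, so at most floor(T / B) messages fit in the budget;
    the success probability is the T^2/2^n (birthday) term of the bound.
    """
    seen: Dict[int, List[int]] = {}
    for _ in range(T // B):
        msg = [rng.getrandbits(N_BITS) for _ in range(B)]
        digest = md_hash(h, salt, msg)
        prev = seen.get(digest)
        if prev is not None and prev != msg:
            return prev, msg
        seen[digest] = msg
    return None


def stb_bound(S: int, T: int, B: int, n: int) -> float:
    """Main term of the paper's bound, (STB/2^n) * max(1, ST^2/2^n) + T^2/2^n,
    with the polylogarithmic factors hidden by the O-tilde dropped."""
    two_n = 2.0 ** n
    return (S * T * B / two_n) * max(1.0, S * T * T / two_n) + T * T / two_n


def run_demo(seed: int = 1, B: int = 2, T: int = 4096, salt: int = 0x1234) -> dict:
    """Run one B-block collision search within a budget of T queries and verify the answer."""
    h = RandomOracle(seed)
    rng = random.Random(seed + 1)
    result = birthday_collision(h, salt, B, T, rng)
    online_queries = h.queries  # queries spent by the search itself, before verification
    verified = result is not None and is_b_block_collision(h, salt, result[0], result[1], B)
    return {"found": result is not None, "verified": verified,
            "queries": online_queries, "budget": T,
            "birthday_term": min(1.0, T * T / SPACE)}


if __name__ == "__main__":
    print(run_demo())
```

With the defaults, 2048 two-block messages are hashed into a space of 65536 digests, so the birthday term \(T^2/2^n\) already exceeds 1 and a collision is essentially certain; raising `N_BITS` toward a realistic output length makes the same budget fail, which is the point the abstract's remark about \(T^2 \le 2^n\) is making.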


Notes

  1. The framework of Chung et al. [8] reduces to analyzing sequential multi-instance security for \(S+\log N + 1\) instances instead of S-instances. We slightly improve their parameters and obtain a considerably cleaner version in Theorem 3.

  2. In particular, they showed that “sequentially” inverting S random images (with T quantum queries per round to a given random function \(f:[N]\rightarrow [N]\)) admits security \(O(ST/N+T^2/N)^S\), and the corresponding “parallel” multi-instance problem admits an attack with advantage \(\Omega (ST^2/N)^S\).

  3. We do not prove it rigorously here. Instead, we focus on the more interesting case—offline queries do provide advantages.

  4. This is not a formal argument but captures the intuition behind our technique. For the formal proofs, please refer to Sect. 3.

  5. The set of Offline queries is the set of distinct queries made in the previous \((i-1)\) iterations. So, there are at most \((i-1)T\) of these queries and their outputs are independent and uniformly distributed. The set of Online queries is the set of distinct queries made in the i-th iteration after receiving the challenge input \(a_i\) that had not been made in any of the previous \((i-1)\) iterations. Note that the outputs of online queries are also independent and uniformly distributed.

References

  1. Akshima, D. Cash, A. Drucker, H. Wee, Time-space tradeoffs and short collisions in Merkle–Damgård hash functions, in D. Micciancio, T. Ristenpart (eds.) Advances in Cryptology - CRYPTO 2020, volume 12170 of Lecture Notes in Computer Science (Springer, 2020), pp. 157–186

  2. Akshima, X. Dong, S. Guo, Q. Liu, On time-space lower bounds for finding short collisions in sponge hash functions, in IACR Cryptol. ePrint Arch., 2023, p. 1444

  3. M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in Proceedings of the 1st ACM Conference on Computer and Communications Security (1993), pp. 62–73

  4. S. Coretti, Y. Dodis, S. Guo, Non-uniform bounds in the random-permutation, ideal-cipher, and generic-group models, in H. Shacham, A. Boldyreva (eds.) Advances in Cryptology - CRYPTO 2018 - 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2018, Proceedings, Part I. Lecture Notes in Computer Science, vol. 10991 (Springer, 2018), pp. 693–721

  5. S. Coretti, Y. Dodis, S. Guo, J.P. Steinberger, Random oracles and non-uniformity, in J.B. Nielsen, V. Rijmen (eds.) Advances in Cryptology - EUROCRYPT 2018 - 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29 - May 3, 2018 Proceedings, Part I. Lecture Notes in Computer Science, vol. 10820 (Springer, 2018), pp. 227–258

  6. H. Corrigan-Gibbs, D. Kogan, The discrete-logarithm problem with preprocessing, in Annual International Conference on the Theory and Applications of Cryptographic Techniques (Springer, 2018), pp. 415–447

  7. H. Corrigan-Gibbs, D. Kogan, The function-inversion problem: barriers and opportunities, in Theory of Cryptography Conference (Springer, 2019), pp. 393–421

  8. K.-M. Chung, S. Guo, Q. Liu, L. Qian, Tight quantum time-space tradeoffs for function inversion, in S. Irani (ed.) 61st IEEE Annual Symposium on Foundations of Computer Science, FOCS 2020, Durham, NC, USA, November 16-19, 2020 (IEEE, 2020), pp. 673–684

  9. D. Chawin, I. Haitner, N. Mazor, Lower bounds on the time/memory tradeoff of function inversion, in Theory of Cryptography - 18th International Conference, TCC 2020, Durham, NC, USA, November 16-19, 2020, Proceedings, Part III (2020), pp. 305–334

  10. I. Damgård, A design principle for hash functions, in Advances in Cryptology - CRYPTO ’89, 9th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 1989, Proceedings (1989), pp. 416–427

  11. Y. Dodis, S. Guo, J. Katz, Fixing cracks in the concrete: random oracles with auxiliary input, revisited, in J.-S. Coron, J.B. Nielsen (eds.) Advances in Cryptology - EUROCRYPT 2017 - 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 - May 4, 2017, Proceedings, Part II. Lecture Notes in Computer Science, vol. 10211 (2017), pp. 473–495

  12. A. De, L. Trevisan, M. Tulsiani, Time space tradeoffs for attacks against one-way functions and PRGs, in Annual Cryptology Conference (Springer, 2010), pp. 649–665

  13. C. Freitag, A. Ghoshal, I. Komargodski, Time-space tradeoffs for sponge hashing: attacks and limitations for short collisions, in Y. Dodis, T. Shrimpton (eds.) Advances in Cryptology - CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Santa Barbara, CA, USA, August 15-18, 2022, Proceedings, Part III. Lecture Notes in Computer Science, vol. 13509 (Springer, 2022), pp. 131–160

  14. C. Freitag, A. Ghoshal, I. Komargodski, Optimal security for keyed hash functions: avoiding time-space tradeoffs for finding collisions, in C. Hazay, M. Stam (eds.) Advances in Cryptology - EUROCRYPT 2023 - 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, April 23-27, 2023, Proceedings, Part IV. Lecture Notes in Computer Science, vol. 14007 (Springer, 2023), pp. 440–469

  15. N. Gravin, S. Guo, T.C. Kwok, P. Lu, Concentration bounds for almost k-wise independence with applications to non-uniform security, in Proceedings of the 2021 ACM-SIAM Symposium on Discrete Algorithms, SODA 2021, Virtual Conference, January 10 - 13, 2021 (2021), pp. 2404–2423

  16. A. Golovnev, S. Guo, S. Peters, N. Stephens-Davidowitz, Revisiting time-space tradeoffs for function inversion, in H. Handschuh, A. Lysyanskaya (eds.) Advances in Cryptology - CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Santa Barbara, CA, USA, August 20-24, 2023, Proceedings, Part II. Lecture Notes in Computer Science, vol. 14082 (Springer, 2023), pp. 453–481

  17. A. Ghoshal, I. Komargodski, On time-space tradeoffs for bounded-length collisions in Merkle–Damgård hashing, in Annual International Cryptology Conference (Springer, 2022)

  18. S. Guo, Q. Li, Q. Liu, J. Zhang, Unifying presampling via concentration bounds, in Theory of Cryptography - 19th International Conference, TCC 2021, Raleigh, NC, USA, November 8-11, 2021, Proceedings, Part I (2021), pp. 177–208

  19. A. Ghoshal, S. Tessaro, The query-complexity of preprocessing attacks, in H. Handschuh, A. Lysyanskaya (eds.) Advances in Cryptology - CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Santa Barbara, CA, USA, August 20-24, 2023, Proceedings, Part II. Lecture Notes in Computer Science, vol. 14082 (Springer, 2023), pp. 482–513

  20. M.E. Hellman, A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory, 26(4), 401–406 (1980)

  21. R. Impagliazzo, V. Kabanets, Constructive proofs of concentration bounds, in Approximation, Randomization, and Combinatorial Optimization. Algorithms and Techniques, 13th International Workshop, APPROX 2010, and 14th International Workshop, RANDOM 2010, Barcelona, Spain, September 1-3, 2010. Proceedings (2010), pp. 617–631

  22. R.C. Merkle, A certified digital signature, in Advances in Cryptology - CRYPTO ’89, 9th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 1989, Proceedings (1989), pp. 218–238

  23. D. Unruh, Random oracles and auxiliary input, in A. Menezes (ed.) Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2007, Proceedings. Lecture Notes in Computer Science, vol. 4622 (Springer, 2007), pp. 205–223

Acknowledgements

We thank Journal of Cryptology reviewers, CRYPTO reviewers and Xiaoqi Duan for their constructive comments. We thank Ashrujit Ghoshal and Ilan Komargodski for sharing an early draft of their work. Most of this work was done while Akshima was a PhD student at University of Chicago and supported in part by NSF Grant No. 1925288. Siyao Guo is supported by the National Natural Science Foundation of China Grant No. 62102260, Shanghai Municipal Education Commission (SMEC) Grant No. 0920000169, NYTP Grant No. 20121201 and NYU Shanghai Boost Fund. Most of the work was done while Qipeng Liu was a Postdoctoral researcher in Simons Institute, supported in part by the Simons Institute for the Theory of Computing, through a Quantum Postdoctoral Fellowship and by the DARPA SIEVE-VESPA grant No. HR00112020023. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA.

Author information

Corresponding author

Correspondence to Siyao Guo.

Additional information

Communicated by Joan Daemen.

This paper was reviewed by Ashrujit Ghoshal and Ilan Komargodski.

About this article

Cite this article

Akshima, Guo, S. & Liu, Q. Time-Space Lower Bounds for Finding Collisions in Merkle–Damgård Hash Functions. J Cryptol 37, 10 (2024). https://doi.org/10.1007/s00145-024-09491-9
