At EUROCRYPT 2020, Hosoyamada and Sasaki proposed the first dedicated quantum collision attacks on hash functions. Their proposal presented a quantum adaptation of the rebound attack and revealed that differential trails, which have too low probability for use in classical settings, might be exploitable in quantum settings. After their work, subsequent research has actively delved into analyzing the security of hash functions in the quantum setting.In this paper, we revisit the quantum rebound attacks on the double block hash function Hirose instantiated with 10-round AES-256 (HCF-AES-256) and 7-round ARIA-256 (HCF-ARIA-256) proposed by Chauhan et al. and Baek et al., respectively. Initially, we identify the flaws in their work and reevaluate the complexity of the attacks. We reveal that the flaws stem from not considering the issue that the S-box differential equation has one solution on average. Earlier research addressed this problem by adding auxiliary bits to the search space. If this method is used to correct the flaws, the resulting time complexities are 217.36 and 220.94 times higher than their proposals. Consequently, in some settings, their attacks become less efficient than generic attacks.Subsequently, we propose improved quantum rebound attacks using nested quantum amplitude amplification and quantum state preparation. Our improved attack efficiently pre-filters the search space, leading to a reduction in overall time complexity. We first classically reduce the search space and employ quantum state preparation to generate a superposition state over the pre-filtered search space. We then use nested quantum amplitude amplification to further reduce the search space quantumly. As a result, we achieve a reduction in the time complexity of the quantum rebound attacks on HCF-AES-256 and HCF-ARIA-256 by factors of 211.2 and 219.5, respectively, making the attacks more efficient than generic attacks again.
Read full abstract