
Evaluating the Security of Merkle-Damgard Hash Functions and Combiners in Quantum Settings

IACR Cryptology ePrint Archive (2022)

Abstract
In this work, we evaluate the security of Merkle-Damgard (MD) hash functions and their combiners (XOR and concatenation combiners) in quantum settings. Two main quantum scenarios are considered, including the scenario where a substantial amount of cheap quantum random access memory (qRAM) is available and where qRAM is limited and expensive to access. We first convert a rich set of known tools invented for generic attacks in the classical setting to quantum versions. That includes Joux's multi-collision, expandable message, diamond structure, and interchange structure. With these basic tools in hand, we then present generic quantum attacks on the MD hash functions and hash combiners, and carefully analyze the complexities under both quantum scenarios. The considered securities are fundamental requirements for hash functions, including the resistance against collision, (second-)preimage, and herding attacks. The results are consistent with the conclusions in the classical setting, that is, the considered resistances of the MD hash functions and their combiners are far less than ideal, despite the significant differences in the expected security bounds between the classical and quantum settings. Particularly, the generic attacks can be improved significantly using quantum computers under both scenarios. These results serve as an indication that classical hash constructions require careful security re-evaluation before being deployed to the post-quantum cryptography schemes.
Keywords
Merkle-Damgard, Hash combiner, XOR, Concatenation, Quantum, Generic attack