1. Quantum algorithms in cryptography
Quantum computing offers efficient algorithms that solve problems for which known classical methods are impractical. A prime example is Shor’s algorithm for factoring and the discrete logarithm which runs in polynomial time [Sho97]. Many public key cryptographic protocols are based on these two, or closely related, problems. In order to prepare for future quantum computers, there is an active search of quantum resistant cryptographic systems, which are collectively known as postquantum cryptography [BL17].
For many other classical cryptographic protocols, known quantum algorithms are of little or no consequence. For brute force search of the key space in symmetric cryptography, Grover’s algorithm [Gro97] can only offer a quadratic speedup, which can quickly be solved by doubling the key length. Similarly, for ideal hash functions, quantum computer can only offer modest speedups [CNPS17].
While these general attacks are limited, there are still quantum attacks that are efficient against particular families of symmetric cryptosystems. For instance, symmetric ciphers based on the EvenMansour construction become insecure in a quantum setting [KM12] and certain common modes of operation in authentication and authenticated encryption can be attacked with quantum period finding [KLLNP16].
In this paper, we show that certain families of cryptographic hash functions that are additive or multiplicative are vulnerable to quantum attacks. These functions are sometimes the basic element in homomorphic hash applications [KFM04].
2. Cryptographic hash functions
An ideal hash function is a function which takes an input binary string of an arbitrary length into an output with a fixed number of bits . Depending on the intended use, there are many definitions of what constitutes a proper cryptographic hash function. Some common requirements, in a broad formulation, are [MVO96]:

Collision resistance: It should be infeasible to find two values with such that .

Preimage resistance: For a fixed hash value it should be infeasible to find a string such that .

Second preimage resistance: For a fixed input it should be infeasible to find a second string such that .
In practice, we can consider ideal hash functions as random transformations that take any input into a random string of bits and for which even the smallest change in (1 flipped bit) results in completely new output (which has, on average, only half bits in common with the first hash).
We present a second preimage attack for hash functions that are additive or multiplicative (see Section 2.1). This automatically gives a family of collisions. With a number of operations polynomial in the number of input bits we can find an exhaustive list of collisions for any desired input.
2.1. Homomorphic hash functions
A general hash function works on lengths of an arbitrary ouput. In the following we are adopting a definition with a fixed input size:
Definition 2.1.
An to hash function is a function that takes an bit string into an bit string with .
In the following, we will use the term hash function to talk about to hash functions. This covers some existing fixedsize hash functions and the general case, where we have to restrict to inputs of the same size as the string for which we want a collision. In both cases we can obtain a valid collision (or a second preimage).
Hash functions in cryptography should be inversion, collision and preimage resistant. In many cases, this resistance is assumed from the statistical mixing inside the function. However, in the functions generally known as provably secure hash functions, resistance to attacks is founded on reductions to assumed hard problems (like factoring or the discrete logarithm problem). Proofs are possible because of an additional imposed structure on the functions. Similarly, for some applications like homomorphic encryption, there are additional properties which prevent the concerned hash functions to behave as fully random transformations. This is usually not a problem for many applications as long as we can keep collision resistance or similar properties.
Many provable hash functions have an additive or multiplicative property, depending on the group operation. These functions are defined by a homomorphism in that group.
Definition 2.2.
A hash function is homomorphic if, for any input pair and , for the group operation in the input and output groups.
For instance, bit strings, together with the XOR operation, form an Abelian group so that a hash function for the bitwise XOR for (input) and bits (output) is an additive hash function.
In the paper we will speak of additive functions and work with groups . In some contexts, the most natural way to think of the group operation is as a product (and to replace the null element by a unit element). Apart from this unimportant nomenclature issue, additive (or multiplicative) hash functions have the same behaviour and are subject to quantum attacks that can help to find collisions.
3. The hidden subgroup problem and hash collisions
The most notable quantum algorithms which offer superpolynomial speedups over classical known methods, like Shor’s algorithm, solve instances of the hidden subgroup problem [BL95, Lom04, CvD10].
Definition 3.1.
Let be a finite group with a group operation which can be computed efficiently for any pair . Let be a function on the group for some set of values that defines a subgroup . The hidden subgroup problem consists in finding a set of generators of this given and .
For Abelian groups, quantum computers can solve the hidden subgroup problem efficiently [Lom04].
The additive hash functions of Definition 2.2 take the elements of a Boolean group to the set and play the role of the hidding function . For any , .
For the collision attack, we consider the hidden subgroup defined by elements for which is the identity element with respect to in . We call this identity element the null element of the sum and denote it by . The subgroup is the kernel of the hash function .
The additive hash functions we consider are group homomorphisms and their kernel is a normal subgroup of [Lau03].
If we can find an element in the subgroup we have a preimage attack. and we have two inputs and mapping to the same output. The only exception is the equal to the identity element in the origin group , which is always an element of . For hash functions, and the order (number of elements) of the input group is always greater that the order of the output set (). The hash function can never be injective and the kernel has at least one element apart from the identity of .
3.1. Quantum computers
In a quantum computer, we will represent each element in a group with by states with a label for each integer . When we can alternatively write the integer as the corresponding binary string. These states will form a basis for all the possible states with complex so that . For binary strings, we can also write state in terms of
individual qubits
.All the operations on the state, except for measurement, are reversible and can be written as a unitary matrix . We use the usual notation and
to denote the tensor product of the operations
and and the operation applied to different inputs (of the corresponding dimension) respectively.One particularly useful evolution on a single qubit is given by the Hadamard gate . Among other uses, it can be used to prepare uniform superpositions starting from an initial state.
While quantum states can be in superpositions of multiple values, in order to retrieve information from the system we need to perform a measurement and we can only recover a single value. Thus the advantage of quantum computing lies not in superpositions alone but in being able to choose a quantum evolution which results in a destructive interference for the states we are not interested in and a constructive interference between the states we want. For that reason, where quantum computers really shine is in problems with a strong hidden structure where we can extract global properties which are usually inaccessible to classical computers without heavy sampling (checking most of the possible values)
3.1.1. Quantum Fourier Transform in finite Abelian groups
A key operation in quantum computers is the Quantum Fourier Transform, which helps us to produce the necessary constructive and destructive interference which reveals the solution we search for. In this Section, we describe its implementation for Abelian groups. We first need a few definitions.
Definition 3.2.
A finite Abelian group has distinct onedimensional irreducible representations called characters. A character is a multiplicative function so that, for the operation in , for any pair .
From the structure theorem for finite abelian groups, can be written as a direct sum of cyclic groups of orders . The elements can be described as tuples taking each as an integer modulo . The identity of becomes .
We can now define a decomposition in terms of each of the cyclic groups from the tuples , with all these [Lom04]. For any
(3.1) 
where the effect of on any is completely determined from the values it takes on the .
For each , we can define a character for and the roots of unity .
For any fixed character of a finite Abelian group :
(3.2) 
where is the identitity character which sends any to 1.
We define a quantum Fourier transform over , from a character as the operator:
(3.3) 
For a cyclic group , the characters are defined from the roots of unity. We can similarly compute the characters for any group that is a known direct product of cyclic groups.
We can build efficient quantum circuits giving the operation for finite Abelian groups. For , the most common group when working with binary strings, the operation (a Hadamard gate on each qubit) gives an efficient implementation. Similarly, for any cyclic group , even for an unknown , the Quantum Fourier Transform
(3.4) 
with can be computed efficiently (and is indeed the QFT used in Shor’s algorithm) [HH00, Lom04].
For a group with a know factorization (using a direct product notation), there are also efficient constructions using the unitary evolution resulting from the tensor product of the QFT in each known cyclic group.
3.1.2. Orthogonal subgroups and cosets
We also used two important results related to any subgroup .
Definition 3.3.
For a subset , we say is orthogonal to if for all .
Definition 3.4.
For any subgroup , the orthogonal subgroup is the set of all the elements in orthogonal to . This is a subgroup of and determines uniquely.
Definition 3.5.
Let be a subgroup of . For a fixed element , the left coset is the set and the right coset is . For an Abelian group both cosets are the same.
A key result for the Fourier Transform over Abelian groups is that it takes uniform superpositions from a subgroup into a uniform superposition in the orthogonal subgroup [Lom04]
(3.5) 
Proof.
We have
(3.6)  
(3.7) 
The character of is also a character of and the sum is 0 unless it is the identity on , when it becomes (see Eq. (3.2)). That for all the elements is precisely the definition of the elements of the orthogonal subgroup (see Definition 3.4). So
(3.8) 
which is a uniform superposition over which is and has elements.
∎
Assuming an Abelian group, which is the case for the additive hash functions under study, we call to the coset . We are concerned with the Fourier Transform
(3.9) 
for any fixed (representative) giving the coset .
A quantum collision algorithm will sample random elements from until it can deduce a generating set for . Each element of gives one condition in a system of equations which completely describes after sampling a number of orthogonal elements logarithmic with the size of .
4. General collision algorithm
The tools from the previous sections allow us to define a general collision finding algorithm with the following steps:

Prepare an initial state with two registers, the first with qubits, the second with .

Create a uniform superposition
(4.1) This can be done with a or, depending on our group, .

Call the hash oracle to transform the uniform superposition into
(4.2) For binary strings, we use the usual unitary , which can be always implemented for functions with an efficient classical implementation (as hash functions should). In other groups, such as the multiplicative group of integers modulo , we can use modular addition. In general, for a operation in the image group of , we have an efficient method to map the null element into .

Measure the second register. The new quantum state is
(4.3) We use that for the . For (any useful hash function), there will be more than one value mapping to the same . We call to the smallest such value.
The result is a uniform superposition over the values for all the in the desired subgroup (the kernel of the hash function ). The second register can be ignored from this point.

Compute the of the first register in the corresponding Abelian group. The first register has a uniform superposition of the elements in the coset and the result will be a uniform superposition of the elements of the orthogonal subgroup with
(4.4) Before , measuring the first register would only give an input/output pair. We exploit the hidden structure to force a destructive intereference for all the elements outside the orthogonal group.

Measure the first register to find a random element of
with equal probability.
This finishes the quantum part. Once we have a random sample of the orthogonal subgroup, we obtain a new restriction to the possible elements in the generating set of . We repeat the process until we have enough information to find the whole generator. Strictly speaking, for a collision or preimage attack, it suffices to find one element . We can stop as soon as we get the first random element of which is not the identity. Then, for any input string , we can generate a message so that .
The method is efficient as long as:

We can efficiently generate a uniform superposition over the group .
Typically, we need access to inputs which are arbitary binary strings (we can restrict to bits with each attack) or integers in a range from to (usually converted from a binary string). In both cases it is easy to create the superposition either from the string and a Hadamard gate for each bit (input bits) or from the state and the as used in Shor’s algorithm (integers).

We have an efficient quantum function computing for . The classical hash function must have a reasonable computation time in order to be useful. Any classical binary function can be converted into a reversible function if we keep the input and compute for a bitwise XOR operation , which is enough to go from to .

There is an efficient Quantum Fourier Transform. For Abelian groups, we have seen in Section 3.1.1 there are either efficient quantum circuits or good approximations which can still be used to find elements in the orthogonal subgroup.
In particular, for binary strings and the XOR operation, we have simple quantum circuits. The set of binary strings with bits, together with the bitwise XOR operation, forms an Abelian group which can be written as with factors. For this decomposition, in each of the cyclic groups associated to each bit, is a root of unity and the character is a valid character for the possible values that correspond to th bits of and . Then, we have a valid character for bit strings and the XOR operation:
(4.5) 
where is the inner product on the bit strings representing and (the parity of the bitwise AND of the strings).
For this character, the quantum Fourier transform in the group can be written as
(4.6) 
which corresponds to the quantum operation (applying a Hadamard gate to each qubit).
With this Fourier transform we get a random in the subgroup orthogonal to the kernel, for all . Any two elements and obey .
Each measurement gives a restriction to the possible values of the elements in , which allows us to discover a generating set of after a number of measurements polynomial in the number of bits .
Furthermore, once we have a generating set of , we can compute a random element in efficiently (polynomial time in ) and, from that, a generating set of in expected polynomial time. The classical method is described in [Lom04, Dam04]. Basically, each measurement gives, with high probability, a new equation from a linear system which can be solved to obtain a generating set for . For additive hash functions the system will always have a solution and the result can be used to find collisions or a second preimage to any input . This completes the attack.
5. Examples
In this Section, we examine some hash proposals which would be insecure under our quantum attack. Somewhat ironically, these functions try to guarantee security against collisions by reduction to a hard problem, but the additional structure imposed on the functions allow for a quantum attack.
5.1. linear hash functions
In [Kra94] Krawczyk presented two families of linear hash functions which are additive with respect to the XOR operation. For any two inputs , .
The designs are based on Cyclic Redundancy Codes and Linear Feedback Shift Registers and have some some desirable properties. For instance, uniformity can be proved instead of assumed like in most hash functions. Unfortunately, the linearity also opens the door for a quantum attack.
The attack is, basically, a quantum algorithm for a generalized Simon’s problem. In the original Simon’s algorithm we have a promise that a function such that only for two values (with a secret string ). Here we have a slightly different problem. For a balanced function there will be strings with the same output value. The group is and the hidden subgroup is the kernel of . After the quantum algorithm we get elements with so that .
5.2. Homomorphic hash function with multiplication
The attack can be translated to multiplicative hashes in groups where the group operation is more naturally cast as a multiplication and the null element as the unit.
We are going to see two examples with hashes in the multiplicative group of integers modulo (the group of units in ). The group operation is multiplication modulo and the identity element is the integer 1.
Our first example is the RSA hash for an with unknown factorization, which has a multiplicative property: . The proposed attack finds the kernel consisting in all the messages for which . This particular example is not useful as a hash function. It depends on trusting no one knows the factorization of .
However, multiplicative and additive properties appear in many proposals for homomorphic encryption and any hash function derived from them should be checked against quantum attacks.
For instance, the collision resistant hash function used in the homomorphic hash scheme proposed by Krohn, Freedman and Mazières [KFM04] is vulnerable to a quantum attack. The basic transformation is defined as
(5.1) 
for a message block composed of integers from 0 to a prime dividing . The integer is a random prime and are randomly chosen integers of order modulo . For any two blocks and ,
(5.2) 
where
is a vector with elements
to .The inputs are vectors with elements in the additive group of integers modulo and the hash takes them into the group of units modulo . Finding a kernel for gives blocks with , which yield collisions for any desired input block .
The hash function is a compression function and the kernel will contain multiple elements. Most of them will be useful for collisions with two exceptions. First, the kernel will always contain a trivial zero block which maps each block to itself and for which all the are 0. Second, some of the blocks might not correspond to valid binary sequences. The number of binary digits for each block is chosen so that and, if any of the is greater than , there is no binary input corresponding to that integer. In the attack we can always fix some of the blocks of the input to 0 so that this happens with an acceptably small probability.
6. Discussion
We have shown quantum computers can find collisions for additive hash functions by finding its kernel subgroup. The attack is valid for hash functions with a strong structure, such as those usually proposed for provably secure hashing.
We have given examples of the attack working on the linear hash functions of Krawczyk [Kra94] and on certain homomorphic hashing schemes [KFM04].
As opposed to some previous quantum decryption algorithms, which should have access to a quantum oracle encrypting with an unknown key, the attacker can always find a quantum version of the function and produce the required superpositions.
Like all collision attacks, quantum collision finding can be performed offline using any fixed input . Once the kernel of has been found, it can be directly used for second preimage attacks in real time to find by adding to the known input any linear combination of the in the kernel.
The kernel can also help to craft fake messages that replace a signed string. For instance, for the group of binary strings of bits under the XOR operation, the attacker can try to alter specific bits from a message by XORing the input string with elements from the kernel that change only the target part of the message and, maybe, also unimportant bits which will not be noticed (like color or gray level bits in a picture). It is not obvious how to perform this kind of attack and it would be highly dependent on the particular structure of the kernel and the concrete addition operation of the relevant group, but it could reduce the complexity of a forgery, at least for some specific scenarios.
The attack exposes a general problem of hash functions: either there is a formal proof of security at the cost of imposing a structure or we are limited to transformations which appear to be random but are difficult to analyze.
In that respect, many provable hash functions use reductions to problems which can be solved efficiently on a quantum computer, such as factoring, and could be vulnerable to quantum attacks. The quantum security of these hash functions should be studied further. The attacks might not be straightforward. In many cases the reduction is not shown in both directions: finding a collision might solve factoring but it is not known whether factoring provides a collision or not.
Acknowledgements
The first author has been funded by the Spanish Government and FEDER grant PID2020119418GBI00 (MICINN) and by Junta de Castilla y León (project VA296P18). The second author has been partially supported by the Research Program of the University Jaume I–Project UJIB201835, as well as by the Spanish Government and FEDER grant PID2020115930GAI00 (MICINN). The third author was partially supported by the Spanish Government, Ministerios de Ciencia e Innovación y de Universidades, grant PGC2018096446BC22, as well as by Universitat Jaume I, grant UJIB201810.
References
 [BL95] D. Boneh and R. J. Lipton, Quantum cryptanalysis of hidden linear functions, Advances in Cryptology — CRYPT0’ 95 (Berlin, Heidelberg) (Don Coppersmith, ed.), Springer Berlin Heidelberg, 1995, pp. 424–437.
 [BL17] D. J. Bernstein and T. Lange, Postquantum cryptography, Nature 549 (2017), 188–194.
 [BM97] M. Bellare and D. Micciancio, A new paradigm for collisionfree hashing: Incrementality at reduced cost, Advances in Cryptology — EUROCRYPT ’97 (Berlin, Heidelberg) (Walter Fumy, ed.), Springer Berlin Heidelberg, 1997, pp. 163–192.
 [CLS06] S. Contini, A. K. Lenstra, and R. Steinfeld, VSH, an efficient and provable collisionresistant hash function, Advances in Cryptology  EUROCRYPT 2006 (Berlin, Heidelberg) (Serge Vaudenay, ed.), Springer Berlin Heidelberg, 2006, pp. 165–182.
 [CNPS17] A. Chailloux, M. NayaPlasencia, and A. Schrottenloher, An efficient quantum collision search algorithm and implications on symmetric cryptography, Advances in Cryptology – ASIACRYPT 2017 (Cham) (T. Takagi and T. Peyrin, eds.), Springer International Publishing, 2017, pp. 211–240.
 [CvD10] A. M. Childs and W. van Dam, Quantum algorithms for algebraic problems, Reviews Modern Physics 82 (2010), 1–52.
 [Dam04] I. Damgård, QIP note: on the quantum Fourier transform and applications, Published on http://www. brics. dk/~ ivan/Fourier.pdf (2004).
 [Gro97] L. K. Grover, Quantum mechanics helps in searching for a needle in a haystack, Physical Review Letters 79 (1997), no. 2, 325.

[GSVV01]
M. Grigni, L. Schulman, M. Vazirani, and U. Vazirani,
Quantum mechanical algorithms for the nonabelian hidden subgroup
problem
, Proceedings of the ThirtyThird Annual ACM Symposium on Theory of Computing (New York, NY, USA), STOC ’01, Association for Computing Machinery, 2001, pp. 68–74.
 [HH00] L. Hales and S. Hallgren, An improved quantum Fourier transform algorithm and applications, Proceedings 41st Annual Symposium on Foundations of Computer Science, 2000, pp. 515–525.
 [KFM04] M.N. Krohn, M.J. Freedman, and D. Mazieres, Onthefly verification of rateless erasure codes for efficient content distribution, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004, 2004, pp. 226–240.
 [KLLNP16] M. Kaplan, G. Leurent, A. Leverrier, and M. NayaPlasencia, Breaking symmetric cryptosystems using quantum period finding, Advances in Cryptology – CRYPTO 2016 (Berlin, Heidelberg) (M. Robshaw and J. Katz, eds.), Springer Berlin Heidelberg, 2016, pp. 207–237.
 [KM12] H. Kuwakado and M. Morii, Security on the quantumtype EvenMansour cipher, 2012 International Symposium on Information Theory and its Applications, 2012, pp. 312–316.
 [Kra94] H. Krawczyk, LFSRbased hashing and authentication, Advances in Cryptology — CRYPTO ’94 (Berlin, Heidelberg) (Yvo G. Desmedt, ed.), Springer Berlin Heidelberg, 1994, pp. 129–139.
 [Lau03] N. Lauritzen, Concrete abstract algebra: From numbers to Gröbner bases, Cambridge University Press, 2003.
 [Lom04] C. Lomont, The hidden subgroup problem  review and open problems, quantph/0411037 (2004).
 [Mer07] N. D. Mermin, Quantum Computer Science, first ed., Cambridge, UK, 2007.
 [MRR06] C. Moore, D. Rockmore, and A. Russell, Generic quantum Fourier transforms, ACM Transactions Algorithms 2 (2006), no. 4, 707–723.
 [MVO96] A J. Menezes, S. A. Vanstone, and P.C. Van Oorschot, Handbook of applied cryptography, 1st ed., CRC Press, Inc., USA, 1996.
 [NC00] M. A. Nielsen and I. L. Chuang, Quantum Computation and Quantum Information, first ed., Cambridge, UK, 2000.
 [Sho97] P.W. Shor, Polynomialtime algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM Journal on Computing 26 (1997), no. 5, 1484.
Comments
There are no comments yet.