Quantum Collision Resistance of Double-Block-Length Hashing

In 2005, Nandi introduced a class of double-block-length compression functions h pi(x) pi ( x ) := = ( h ( x ) , h("(x))), ( " ( x ))) , where h is a random oracle with an n-bit output and " is a non-cryptographic public permutation. Nandi demonstrated that the collision resistance of h pi is optimal if " has no fixed point in the classical setting. Our study explores the collision resistance of h pi and the Merkle-Damg & aring;rd hash function using h pi in the quantum random oracle model. Firstly, we reveal that the quantum collision resistance of h pi may not be optimal even if " has no fixed point. If " is an involution, then a colliding pair of inputs can be found for h pi with only O(2n/2) ( 2 n / 2 ) queries by the Grover search. Secondly, we present a sufficient condition on " for the optimal quantum collision resistance of h pi. pi . This condition states that any collision attack needs Q ( 2 2n / 3 ) queries to find a colliding pair of inputs. The proof uses the recent technique of Zhandry's compressed oracle. Thirdly, we show that the quantum collision resistance of the Merkle-Damg & aring;rd hash function using h pi can be optimal even if " is an involution. Finally, we discuss the quantum collision resistance of double-block-length compression functions using a block cipher.