I'm Akinori Hosoyamada from NTT and Nagoya University. This is a talk on quantum collision attacks on reduced SHA-256 and SHA-512. This is a joint work with my colleague Yu Sasaki.

These are our results. We showed the first dedicated quantum collision attacks on SHA-2. More concretely, we showed a 38-step attack on SHA-256 and a 39-step attack on SHA-512. In the classical setting, collision attacks achieve 31 steps for SHA-256 and 27 steps for SHA-512. So we extended the number of attacked steps by 7 and 12. However, these steps are still far from the full steps, because the numbers of full steps are 64 and 80 respectively for SHA-256 and SHA-512.

The attack idea is like this. We convert classical semi-free-start collisions on 38-step SHA-256 and 39-step SHA-512 into collisions in the quantum setting. Our attacks are valid in the setting of time-space trade-off, but invalid in the other quantum settings. So, in the quantum setting, we can consider three settings depending on the available computational resources. I will explain the details later.

First, I'd like to explain the basics of classical collision attacks. In the classical setting, the generic attack, or the birthday attack, finds a collision of a random function in time 2 to the power n over 2 if the output length of the random function is n. And so, in the classical setting, a dedicated collision attack on a concrete hash function is considered to be valid if and only if its time complexity is less than the birthday bound 2 to the power n over 2.

Next, I'd like to explain the number of attacked steps. Usually, a hash function is made from a smaller primitive such as a compression function or a permutation, and such a compression function or permutation iterates many steps like this. Suppose a compression function iterates 10 steps like this. Then usually it is very hard to find a valid collision attack on the original primitive. So when an original primitive is hard to break, symmetric-key cryptanalysts usually try to break its reduced-step variants. This picture illustrates the case of a six-step variant. Here, we try to find a valid collision attack on this six-step function. If we succeed in finding a valid collision attack on this function, then we try to find a dedicated collision attack on the seven-step function. Then we try to attack the eight-step function and the nine-step function, and finally the original ten-step function. If the original ten-step function is broken, then we consider that the hash function is broken. The important thing is how many steps we can break, rather than the actual complexity. This is the important point.

Next, I'd like to provide a brief remark on differential cryptanalysis. In the classical setting, one of the most basic approaches to mount a collision attack is differential cryptanalysis. Very roughly speaking, when we have a suitable differential trail whose probability is p, then we can mount a collision attack in time 1 over p. This attack is valid if and only if the time complexity 1 over p is less than 2 to the power n over 2. So it means that the differential trail leads to a valid attack only if the differential probability p is greater than the birthday bound 2 to the power minus n over 2.

Next, I'd like to explain some observations on dedicated quantum collision attacks that we presented at Eurocrypt 2020. As I mentioned before, we can consider three settings in the quantum setting, depending on the available computational resources. In the first setting, we assume that a small quantum computer of polynomial size and a large quantum RAM of exponential size are available. In this setting, the best generic collision attack, or the best generic algorithm, is the BHT algorithm, which finds a collision in time 2 to the power n over 3 by using a quantum RAM of size 2 to the power n over 3. However, it is unclear whether such a large quantum RAM is available. So we also consider the other two settings. In the second setting, we assume that the efficiency of a quantum algorithm is measured by its time-space trade-off, and we assume that a quantum computer of size S and a classical computer of size S are available. In this setting, the best generic collision attack is the parallel rho method, as observed by Bernstein, and its trade-off is T is equal to 2 to the power n over 2, over S. In the third setting, we assume that a small quantum computer of polynomial size and a large classical memory are available. In this setting, the best generic algorithm is the CNS algorithm, which finds a collision in time 2 to the power 2n over 5 by using a classical memory of size 2 to the power n over 5. So we consider these three settings, and we consider the generic attack in each setting.

Next, the important point is that the quantum speedup for generic quantum attacks is always less than quadratic. Because in the classical setting the generic complexity is 2 to the power n over 2, and in each quantum setting the generic complexity does not achieve 2 to the power n over 4, we can say that the quantum speedup for generic collision attacks is always less than quadratic.

Next, I would like to explain the speedup for differential cryptanalysis. Very roughly speaking, the time to find a collision with a differential path of probability p is 1 over p in the classical setting. But in the quantum setting, this can be sped up like this: the square root of 1 over p, by using Grover search. So, very roughly speaking, we can obtain a quadratic speedup for differential cryptanalysis. The situation can be summarized like this. For generic collision attacks, we can always obtain only a less-than-quadratic speedup. But for differential cryptanalysis, we can obtain a quadratic speedup by using Grover search. So differential cryptanalysis becomes relatively stronger in the quantum setting, and this implies that the validity condition p is greater than 2 to the power minus n over 2 can be relaxed in the quantum setting.

For example, in the first quantum setting, where a small quantum computer and a large quantum RAM are available, the generic complexity is 2 to the power n over 3, and the complexity of the differential cryptanalysis is like this. So in this quantum setting, a dedicated collision attack based on differential cryptanalysis is valid only if the square root of 1 over p is less than the generic complexity 2 to the power n over 3. This is equivalent to this condition. Here, please note that this condition is much relaxed from the classical condition p is greater than 2 to the power minus n over 2. So, in particular, the differential probability p may lead to a valid attack even if p is less than the birthday bound 2 to the power minus n over 2. Similarly, in the second quantum setting of time-space trade-off, the generic complexity is like this. So in this setting, a collision attack based on differential cryptanalysis that requires space S is valid only if the time complexity, the square root of 1 over p, is less than the generic complexity, this one. This is equivalent to this condition, and this means that the differential probability p may lead to a valid attack even if p is very close to 2 to the power minus n, if the space S required for the differential cryptanalysis is very small.

So, at Eurocrypt 2020, we observed that the condition on the differential probability p can be relaxed in the quantum setting, and this means that dedicated quantum collision attacks can break more steps than classical attacks. We indeed showed dedicated quantum collision attacks on AES-MMO and Whirlpool that break more steps than classical attacks. However, these functions, AES-MMO and Whirlpool, are less popular compared to more popular functions such as SHA-2 or SHA-3. So after Eurocrypt 2020, we had this question: can we similarly extend the number of attacked steps on SHA-2 in the quantum setting? This is the starting point of our research.

Next, I'd like to explain the basics of SHA-2. SHA-2 is the current most popular hash function family standardized by NIST, and it consists of several functions, these functions. The first one, SHA-224, is a truncated version of SHA-256, and these functions are also truncated versions of SHA-512. SHA-2 is built based on the Davies-Meyer construction and the Merkle-Damgård construction. Recall that the Merkle-Damgård construction looks like this. First, the input message is padded and split like this. Then the first message block is processed with the compression function together with the initial value. Then this output, or chaining value, is again processed with the second message block by using the compression function. Again, this chaining value is processed with the third message block by using the compression function, and this value becomes the output. The important point is that this initial value is a specified and fixed constant. So this is the Merkle-Damgård construction. This construction converts a small compression function of fixed input and output lengths into a large hash function of variable input length.

Next, to make a compression function, we usually use a block cipher. So we first make a block cipher and then convert it into a compression function by using constructions such as the Davies-Meyer construction, the MMO construction, the MP construction, and so on. SHA-2 uses the Davies-Meyer construction, which looks like this. In this construction, the key of the block cipher corresponds to the input message of the compression function, and the message of the block cipher corresponds to the chaining value of the compression function. Then the output of the block cipher is added with the chaining value, like this. Actually, this operation is not modular addition in SHA-2, so the operation does not play a significant role, and I do not explain the details here. Anyway, in summary, SHA-2 is built like this. First, there is a block cipher, and it is converted into a compression function by using the Davies-Meyer construction. Then it is converted into a hash function of variable input length by using the Merkle-Damgård construction.

Next, I would like to explain semi-free-start collisions. Recall that a collision of a Merkle-Damgård hash function looks like this. The messages are different, but the outputs are equal, and the initial values are also equal. The important point is that this value is equal to the original specified constant. This is the important point. Next, this is a semi-free-start collision of a hash function. Again, the messages are different, the output values are equal, and the IVs are equal. But now the important point is that this value, IV prime, is not necessarily equal to the original specified constant. So in summary, when we talk about a collision, we assume that the IVs are equal to the original specified value, and when we talk about a semi-free-start collision, we assume that the IVs are the same but not equal to the original specified constant. This is the difference between a collision and a semi-free-start collision.

Next, I would like to explain the classical setting. In the classical setting, Mendel et al. showed a 31-step collision attack on SHA-256 and a 38-step semi-free-start collision attack on SHA-256. These attacks are based on differential characteristics, and the differential characteristic and some parts of the conforming message pairs and internal states are searched simultaneously with automated tools. The characteristic is very complicated, like this. This is the 31-step characteristic. I do not explain the details, but this part corresponds to some conditions for the internal states, and this part corresponds to some conditions for the message words. Very roughly speaking, the characters 0 and 1 and n and u say that there exist some strict conditions for these bits, and the other bits denoted by hyphens mean that these bits do not have such strict conditions. Anyway, the characteristic is very complicated. The important point is that the 31-step collision attack is mounted by converting 31-step semi-free-start collisions into a collision. This is the important point, and I would like to explain the details next.

Mendel et al. showed that we can make many semi-free-start collisions of the compression function from that complicated differential characteristic. Some part of the messages, some part of the IVs, and some part of the internal states are fixed by the differential characteristic. However, some parts still have some degrees of freedom; I mean, this part can still be chosen freely. This means that the semi-free-start collision attack works for many IVs, 2 to the power 163 choices of IV prime. However, unfortunately, this semi-free-start collision cannot be a collision of the hash function, because this value is not the same as the original specified value. So Mendel et al. converted these many semi-free-start collisions into a two-block collision by using these degrees of freedom. Suppose that this is the second block, and this will be the first block of the Merkle-Damgård hash function, and suppose that this is the original specified constant. Here, when we test 2 to the power 96 random messages here and compute the output value, 96 comes from 256 and 160: 256 is the length of the output and the length of the IV, and 160 comes from here. When we test so many M0, then one of the outputs will match an IV prime of the second block. If we find such a match, then it means that the pair of M0 and M1, and M0 and M1 prime, will be a two-block collision of the Merkle-Damgård hash function, because this value is the original specified constant. So this means that we can find a two-block collision in time 2 to the power 96 by testing 2 to the power 96 messages here. So, in the classical setting, this attack of complexity 2 to the power n minus x, which is 2 to the power 96 equals 2 to the power 256 minus 160 here, is considered to be valid only if this inequality holds, and this is equivalent to this condition. So this condition is the validity condition for the number of initial values in the classical setting.

Mendel et al. also showed not only the 31-step collision attack but also a 38-step semi-free-start collision attack in the same paper, but it is not converted into a collision attack, since the parameter x for the 38-step attack is not large enough.

Next, in the quantum setting, our attack idea is that the validity condition, this one, may be relaxed in the quantum setting in the same way that the validity condition for the differential probability can be relaxed in the quantum setting.

Next, I would like to explain our idea of converting semi-free-start collisions into collisions in the quantum setting. Recall that we can consider three quantum settings, and in our paper our focus is the setting of time-space trade-off. Recall that in the classical setting, the time complexity of the two-block collision attack is like this, 2 to the power n minus x. In the quantum setting, we can speed up this attack to the square root of 2 to the power n minus x by using Grover search. So if S qubits are available, the two-block quantum collision attack can be parallelized, and the time complexity becomes the square root of 2 to the power n minus x, over S. In the setting of time-space trade-off, the generic complexity is like this, so the dedicated attack of this complexity is valid if this inequality holds, and this is equivalent to this condition. Please note that this condition, x is greater than 0, is much relaxed from the classical condition, x is greater than n over 2. But actually, the condition for x will be stronger than this one, because here I'm ignoring many things, for example the qubits required to implement Grover search, or the time for sub-procedures, and so on. But still, the new condition, x is greater than 0, seems much weaker than the classical condition, x is greater than n over 2. And indeed, we mounted dedicated quantum collision attacks on SHA-2 based on this idea.

Next, I'd like to explain our main results. In the quantum setting, based on that observation on the number of initial values, we converted the 38-step semi-free-start collision attack on SHA-256 by Mendel et al. and the 39-step semi-free-start collision attack on SHA-512 by Dobraunig et al. into two-block collisions. These semi-free-start collision attacks are not converted into collisions in the classical setting because the number of IVs is not enough. With some analysis and computer experiments, we confirmed that the attacks are valid in the quantum setting. Actually, this analysis is not so trivial, but I cannot explain the details because I do not have enough time today, so please read our paper for the details. The time complexities of the attacks are like this.

Finally, I'd like to provide the summary of my talk today and some future directions. In our paper, we showed the first dedicated quantum collision attacks on SHA-2: a 31-step collision attack on SHA-256 and a 39-step attack on SHA-512. The attack idea is that we converted classical semi-free-start collisions into collisions in the quantum setting. Next, actually, there are many functions whose construction is similar to the construction of SHA-2, for example RIPEMD-160 and so on. But so far, we haven't found any two-block dedicated quantum collision attacks on these functions, because the existing characteristics on these functions are not suitable for our idea of a two-block quantum collision attack. Nevertheless, finally, I'd like to emphasize that we should revisit differential characteristic search, and the possibility of quantum attacks should be taken into account, because even if a differential characteristic does not lead to a valid attack in the classical setting, it may lead to a valid collision attack in the quantum setting. That's all. Thank you for your attention.
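The validity conditions the talk refers to on its slides, both for the differential probability p and for the number of initial values x, written out as an added derivation that is not part of the original slides; it assumes the generic costs stated in the talk, with n the output length, S the number of available qubits (and classical processors) in the time-space trade-off setting, and 2 to the power x the number of IV prime values a semi-free-start characteristic admits:

```latex
\textbf{Generic collision cost per setting (as stated in the talk):}\\
T_{\mathrm{cl}} = 2^{n/2},\qquad
T_{\mathrm{BHT}} = 2^{n/3}\ (\text{qRAM } 2^{n/3}),\qquad
T_{\rho}(S) = 2^{n/2}/S,\qquad
T_{\mathrm{CNS}} = 2^{2n/5}\ (\text{memory } 2^{n/5}).\\[6pt]
\textbf{Differential trail of probability } p:\quad
T_{\mathrm{cl}} = 1/p,\qquad T_{\mathrm{q}} = \sqrt{1/p}\ \ (\text{Grover}).\\
\text{classical:}\quad 1/p < 2^{n/2} \iff p > 2^{-n/2}\\
\text{setting 1 (qRAM):}\quad p^{-1/2} < 2^{n/3} \iff p > 2^{-2n/3}\\
\text{setting 2 (trade-off, attack uses space } S):\quad
p^{-1/2} < 2^{n/2}/S \iff p > S^{2}\,2^{-n}\\[6pt]
\textbf{Two-block conversion with } 2^{x} \textbf{ admissible } IV':\quad
T_{\mathrm{cl}} = 2^{n-x},\qquad T_{\mathrm{q}}(S) = \sqrt{2^{n-x}}/S = 2^{(n-x)/2}/S.\\
\text{classical:}\quad 2^{n-x} < 2^{n/2} \iff n-x < n/2 \iff x > n/2\\
\text{setting 2 (trade-off, parallelized Grover):}\quad
2^{(n-x)/2}/S < 2^{n/2}/S \iff (n-x)/2 < n/2 \iff x > 0\\[6pt]
\text{Check with the 31-step SHA-256 numbers from the talk: } n = 256,\ x = 160
\Rightarrow T_{\mathrm{cl}} = 2^{96} < 2^{128},\ \text{valid classically (} x > 128 \text{)}.
```

The "x > 0" bound is the idealized one the speaker flags; the qubits needed for the Grover oracle and the cost of the sub-procedures tighten it in the actual attacks.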