A Note on Quantum Collision Resistance of Double-Block-Length Compression Functions.

IMACC(2021)

Abstract
In 2005, Nandi presented a class of double-block-length compression functions specified as $h^{\pi}(x) := (h(x), h(\pi(x)))$, where $h$ is assumed to be a random oracle producing an $n$-bit output and $\pi$ is a non-cryptographic permutation. He showed that the collision resistance of $h^{\pi}$ is optimal if $\pi$ has no fixed point. This manuscript discusses the quantum collision resistance of $h^{\pi}(x)$. First, it shows that the quantum collision resistance of $h^{\pi}$ is not always optimal even if $\pi$ has no fixed point: One can find a colliding pair of inputs for $h^{\pi}$ with only $O(2^{n/2})$ queries to $h$ by using the Grover search if $\pi$ is an involution. Second, this manuscript shows that there really exist cases that the quantum collision resistance of $h^{\pi}$ is optimal. More precisely, a sufficient condition on $\pi$ is presented for the optimal quantum collision resistance of $h^{\pi}$, that is, any collision attack needs $\Omega(2^{2n/3})$ queries to find a colliding pair of inputs. The proof uses the recent technique of Zhandry’s compressed oracle. Finally, this manuscript makes some remarks on double-block-length compression functions using a block cipher.
Keywords
quantum collision resistance,double-block-length
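
The abstract's first result can be checked on a toy instance. The sketch below is an added example, not code from the paper: when $\pi$ is an involution, $h^{\pi}(\pi(x)) = (h(\pi(x)), h(x))$, so any $x$ with $h(x) = h(\pi(x))$ collides with $\pi(x)$, and finding such an $x$ is an unstructured search with success probability $2^{-n}$ per candidate, which is the kind of search Grover solves in about $2^{n/2}$ queries. Assumptions: truncated SHA-256 stands in for the random oracle $h$, $n = 16$, $\pi(x) = x \oplus 1$, and a classical exhaustive loop replaces the Grover search.

```python
import hashlib

N_BITS = 16  # toy output length n (assumption; a real h has a far larger n)


def h(x):
    """Stand-in for the random oracle h: SHA-256 truncated to n bits (assumption)."""
    digest = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - N_BITS)


def pi(x):
    """Example involution with no fixed point: flip the lowest bit (assumption)."""
    return x ^ 1


def h_pi(x):
    """The double-block-length construction from the abstract: (h(x), h(pi(x)))."""
    return (h(x), h(pi(x)))


def find_involution_collision(max_tries=1 << 22):
    """Search for x with h(x) == h(pi(x)).

    Each candidate satisfies the predicate with probability 2^-n, so this
    classical loop needs about 2^n evaluations; a Grover search over the same
    predicate needs about 2^(n/2) queries. Returns (x, pi(x)) or None.
    """
    # Stepping by 2 visits each unordered pair {x, pi(x)} exactly once.
    for x in range(0, max_tries, 2):
        if h(x) == h(pi(x)):
            return x, pi(x)
    return None


if __name__ == "__main__":
    pair = find_involution_collision()
    if pair is not None:
        x, y = pair
        print("x =", x, "pi(x) =", y)
        print("h_pi(x)     =", h_pi(x))
        print("h_pi(pi(x)) =", h_pi(y))
```

The same loop with a permutation that is not an involution no longer yields a collision from the single condition $h(x) = h(\pi(x))$, because $h^{\pi}(\pi(x))$ then depends on $h(\pi(\pi(x)))$ rather than $h(x)$.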