Time-Space Lower Bounds for Finding Collisions in Merkle–Damgård Hash Functions

Abstract

We revisit the problem of finding B-block-long collisions in Merkle–Damgård Hash Functions in the auxiliary-input random oracle model, in which an attacker gets a piece of S-bit advice about the random oracle and makes T oracle queries. Akshima, Cash, Drucker and Wee (CRYPTO 2020), based on the work of Coretti, Dodis, Guo and Steinberger (EUROCRYPT 2018), showed a simple attack for \(2\le B\le T\) (with respect to a random salt). The attack achieves advantage \(\widetilde{\Omega }(STB/2^n+T^2/2^n)\) where n is the output length of the random oracle. They conjectured that this attack is optimal. However, this so-called STB conjecture was only proved for \(B\approx T\) and \(B=2\). Very recently, Ghoshal and Komargodski (CRYPTO 2022) confirmed the STB conjecture for all constant values of B and provided an \(\widetilde{O}(S^4TB^2/2^n+T^2/2^n)\) bound for all choices of B. In this work, we prove an \(\widetilde{O}((STB/2^n)\cdot \max \{1,ST^2/2^n\}+ T^2/2^n)\) bound for every \(2< B < T\). Our bound confirms the STB conjecture for \(ST^2\le 2^n\) and is optimal up to a factor of S for \(ST^2>2^n\) (note as \(T^2\) is always at most \(2^n\), otherwise finding a collision is trivial by the birthday attack). Our result subsumes all previous upper bounds for all ranges of parameters except for \(B=\widetilde{O}(1)\) and \(ST^2>2^n\). We obtain our results by adopting and refining the technique of Chung, Guo, Liu and Qian (FOCS 2020). Our approach yields more modular proofs and sheds light on how to bypass the limitations of prior techniques. Along the way, we obtain a considerably simpler and illuminating proof for \(B=2\), recovering the main result of Akshima, Cash, Drucker and Wee.