{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,5]],"date-time":"2026-05-05T07:01:09Z","timestamp":1777964469166,"version":"3.51.4"},"publisher-location":"Cham","reference-count":34,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783031230196","type":"print"},{"value":"9783031230202","type":"electronic"}],"license":[{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022]]},"DOI":"10.1007\/978-3-031-23020-2_39","type":"book-chapter","created":{"date-parts":[[2022,12,6]],"date-time":"2022-12-06T07:03:04Z","timestamp":1670310184000},"page":"687-711","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["Evaluating the Security of Merkle-Damg\u00e5rd Hash Functions and Combiners in Quantum 
Settings"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2839-6687","authenticated-orcid":false,"given":"Zhenzhen","family":"Bao","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8847-6748","authenticated-orcid":false,"given":"Jian","family":"Guo","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7663-8321","authenticated-orcid":false,"given":"Shun","family":"Li","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5806-2154","authenticated-orcid":false,"given":"Phuong","family":"Pham","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2022,12,7]]},"reference":[{"issue":"4","key":"39_CR1","doi-asserted-by":"publisher","first-page":"595","DOI":"10.1145\/1008731.1008735","volume":"51","author":"S Aaronson","year":"2004","unstructured":"Aaronson, S., Shi, Y.: Quantum lower bounds for the collision and the element distinctness problems. J. ACM (JACM) 51(4), 595\u2013605 (2004)","journal-title":"J. ACM (JACM)"},{"issue":"1","key":"39_CR2","doi-asserted-by":"publisher","first-page":"210","DOI":"10.1137\/S0097539705447311","volume":"37","author":"A Ambainis","year":"2007","unstructured":"Ambainis, A.: Quantum walk algorithm for element distinctness. SIAM J. Comput. 37(1), 210\u2013239 (2007)","journal-title":"SIAM J. Comput."},{"issue":"4","key":"39_CR3","doi-asserted-by":"publisher","first-page":"657","DOI":"10.1007\/s00145-015-9206-4","volume":"29","author":"E Andreeva","year":"2016","unstructured":"Andreeva, E., et al.: New second-preimage attacks on hash functions. J. Cryptol. 29(4), 657\u2013696 (2016)","journal-title":"J. 
Cryptol."},{"key":"39_CR4","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"393","DOI":"10.1007\/978-3-642-05445-7_25","volume-title":"Selected Areas in Cryptography","author":"E Andreeva","year":"2009","unstructured":"Andreeva, E., Bouillaguet, C., Dunkelman, O., Kelsey, J.: Herding, second preimage and trojan message attacks beyond Merkle-Damg\u00e5rd. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 393\u2013414. Springer, Heidelberg (2009). https:\/\/doi.org\/10.1007\/978-3-642-05445-7_25"},{"key":"39_CR5","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"270","DOI":"10.1007\/978-3-540-78967-3_16","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2008","author":"E Andreeva","year":"2008","unstructured":"Andreeva, E., Bouillaguet, C., Fouque, P.-A., Hoch, J.J., Kelsey, J., Shamir, A., Zimmer, S.: Second preimage attacks on dithered hash functions. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 270\u2013288. Springer, Heidelberg (2008). https:\/\/doi.org\/10.1007\/978-3-540-78967-3_16"},{"key":"39_CR6","doi-asserted-by":"crossref","unstructured":"Bao, Z., Dinur, I., Guo, J., Leurent, G., Wang, L.: Generic attacks on hash combiners. J. Cryptol. 1\u201382 (2019)","DOI":"10.1007\/s00145-019-09328-w"},{"key":"39_CR7","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"404","DOI":"10.1007\/978-3-319-63715-0_14","volume-title":"Advances in Cryptology \u2013 CRYPTO 2017","author":"Z Bao","year":"2017","unstructured":"Bao, Z., Wang, L., Guo, J., Gu, D.: Functional graph revisited: updates on (second) preimage attacks on hash combiners. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 404\u2013427. Springer, Cham (2017). 
https:\/\/doi.org\/10.1007\/978-3-319-63715-0_14"},{"key":"39_CR8","unstructured":"Blackburn, S.R., Stinson, D.R., Upadhyay, J.: On the Complexity of the Herding Attack and Some Related Attacks on Hash Functions. Cryptology ePrint Archive, Report 2010\/030 (2010). http:\/\/eprint.iacr.org\/2010\/030"},{"key":"39_CR9","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"163","DOI":"10.1007\/BFb0054319","volume-title":"LATIN\u201998: Theoretical Informatics","author":"G Brassard","year":"1998","unstructured":"Brassard, G., H\u00f8yer, P., Tapp, A.: Quantum cryptanalysis of hash and claw-free functions. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 163\u2013169. Springer, Heidelberg (1998). https:\/\/doi.org\/10.1007\/BFb0054319"},{"key":"39_CR10","doi-asserted-by":"crossref","unstructured":"Canteaut, A., et al.: Saturnin: a suite of lightweight symmetric algorithms for post-quantum security. IACR Trans. Symmetric Cryptol. 2020(S1), 160\u2013207 (2020). https:\/\/doi.org\/10.13154\/tosc.v2020.iS1.160-207","DOI":"10.46586\/tosc.v2020.iS1.160-207"},{"key":"39_CR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1007\/978-3-319-70697-9_8","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2017","author":"A Chailloux","year":"2017","unstructured":"Chailloux, A., Naya-Plasencia, M., Schrottenloher, A.: An efficient quantum collision search algorithm and implications on symmetric cryptography. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 211\u2013240. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-70697-9_8"},{"key":"39_CR12","doi-asserted-by":"crossref","unstructured":"Damg\u00e5rd, I.: A design principle for hash functions. In: Brassard, G. (ed.) Advances in Cryptology - CRYPTO\u201989. LNCS, vol. 435, pp. 416\u2013427. 
Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug 20\u201324, 1990)","DOI":"10.1007\/0-387-34805-0_39"},{"key":"39_CR13","doi-asserted-by":"publisher","unstructured":"Dierks, T., Allen, C.: The TLS protocol version 1.0. RFC 2246, 1\u201380 (1999). https:\/\/doi.org\/10.17487\/RFC2246","DOI":"10.17487\/RFC2246"},{"key":"39_CR14","doi-asserted-by":"publisher","unstructured":"Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.1. RFC 4346, 1\u201387 (2006). https:\/\/doi.org\/10.17487\/RFC4346","DOI":"10.17487\/RFC4346"},{"key":"39_CR15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"484","DOI":"10.1007\/978-3-662-49890-3_19","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2016","author":"I Dinur","year":"2016","unstructured":"Dinur, I.: New attacks on the concatenation and XOR hash combiners. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 484\u2013508. Springer, Heidelberg (2016). https:\/\/doi.org\/10.1007\/978-3-662-49890-3_19"},{"key":"39_CR16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"268","DOI":"10.1007\/978-3-642-11925-5_19","volume-title":"Topics in Cryptology - CT-RSA 2010","author":"M Fischlin","year":"2010","unstructured":"Fischlin, M., Lehmann, A., Wagner, D.: Hash function combiners in TLS and SSL. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 268\u2013283. Springer, Heidelberg (2010). https:\/\/doi.org\/10.1007\/978-3-642-11925-5_19"},{"key":"39_CR17","doi-asserted-by":"publisher","unstructured":"Freier, A.O., Karlton, P., Kocher, P.C.: The secure sockets layer (SSL) protocol version 3.0. RFC 6101, 1\u201367 (2011). https:\/\/doi.org\/10.17487\/RFC6101","DOI":"10.17487\/RFC6101"},{"key":"39_CR18","unstructured":"Google: Google Quantum Computing. 
https:\/\/research.google\/teams\/applied-science\/quantum\/"},{"key":"39_CR19","doi-asserted-by":"crossref","unstructured":"Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-eighth Annual ACM Symposium on Theory of Computing, pp. 212\u2013219 (1996)","DOI":"10.1145\/237814.237866"},{"key":"39_CR20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"275","DOI":"10.1007\/978-3-030-03326-2_10","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2018","author":"A Hosoyamada","year":"2018","unstructured":"Hosoyamada, A., Yasuda, K.: Building quantum-one-way functions from block ciphers: Davies-Meyer and Merkle-Damg\u00e5rd constructions. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 275\u2013304. Springer, Cham (2018). https:\/\/doi.org\/10.1007\/978-3-030-03326-2_10"},{"key":"39_CR21","unstructured":"IBM: IBM Quantum Computing. https:\/\/www.ibm.com\/quantum-computing\/"},{"key":"39_CR22","unstructured":"Jaques, S., Schrottenloher, A.: Low-gate quantum golden collision finding. Cryptology ePrint Archive, Report 2020\/424 (2020). https:\/\/eprint.iacr.org\/2020\/424"},{"key":"39_CR23","unstructured":"Jha, A., Nandi, M.: Some Cryptanalytic Results on Zipper Hash and Concatenated Hash. Cryptology ePrint Archive, Report 2015\/973 (2015). http:\/\/eprint.iacr.org\/2015\/973"},{"key":"39_CR24","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"306","DOI":"10.1007\/978-3-540-28628-8_19","volume-title":"Advances in Cryptology \u2013 CRYPTO 2004","author":"A Joux","year":"2004","unstructured":"Joux, A.: Multicollisions in iterated hash functions. application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306\u2013316. Springer, Heidelberg (2004). 
https:\/\/doi.org\/10.1007\/978-3-540-28628-8_19"},{"key":"39_CR25","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"183","DOI":"10.1007\/11761679_12","volume-title":"Advances in Cryptology - EUROCRYPT 2006","author":"J Kelsey","year":"2006","unstructured":"Kelsey, J., Kohno, T.: Herding hash functions and the nostradamus attack. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 183\u2013200. Springer, Heidelberg (2006). https:\/\/doi.org\/10.1007\/11761679_12"},{"key":"39_CR26","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"474","DOI":"10.1007\/11426639_28","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2005","author":"J Kelsey","year":"2005","unstructured":"Kelsey, J., Schneier, B.: Second Preimages on n-Bit Hash Functions for Much Less than 2^n Work. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 474\u2013490. Springer, Heidelberg (2005). https:\/\/doi.org\/10.1007\/11426639_28"},{"key":"39_CR27","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"524","DOI":"10.1007\/978-3-642-42045-0_27","volume-title":"Advances in Cryptology - ASIACRYPT 2013","author":"T Kortelainen","year":"2013","unstructured":"Kortelainen, T., Kortelainen, J.: On diamond structures and trojan message attacks. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 524\u2013539. Springer, Heidelberg (2013). https:\/\/doi.org\/10.1007\/978-3-642-42045-0_27"},{"key":"39_CR28","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"345","DOI":"10.1007\/978-3-662-46800-5_14","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2015","author":"G Leurent","year":"2015","unstructured":"Leurent, G., Wang, L.: The sum can be weaker than each part. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 345\u2013367. Springer, Heidelberg (2015). 
https:\/\/doi.org\/10.1007\/978-3-662-46800-5_14"},{"key":"39_CR29","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"428","DOI":"10.1007\/0-387-34805-0_40","volume-title":"Advances in Cryptology \u2014 CRYPTO\u2019 89 Proceedings","author":"RC Merkle","year":"1990","unstructured":"Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428\u2013446. Springer, New York (1990). https:\/\/doi.org\/10.1007\/0-387-34805-0_40"},{"key":"39_CR30","unstructured":"National Institute for Standards and Technology, USA: Post-Quantum Cryptography Standardization (2017). https:\/\/csrc.nist.gov\/projects\/post-quantum-cryptography"},{"key":"39_CR31","doi-asserted-by":"publisher","unstructured":"Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, Santa Fe, New Mexico, USA, 20\u201322 November 1994, pp. 124\u2013134. IEEE Computer Society (1994). https:\/\/doi.org\/10.1109\/SFCS.1994.365700","DOI":"10.1109\/SFCS.1994.365700"},{"issue":"4","key":"39_CR32","doi-asserted-by":"publisher","first-page":"2746","DOI":"10.1103\/PhysRevA.60.2746","volume":"60","author":"C Zalka","year":"1999","unstructured":"Zalka, C.: Grover\u2019s quantum searching algorithm is optimal. Phys. Rev. 60(4), 2746 (1999)","journal-title":"Phys. Rev."},{"key":"39_CR33","unstructured":"Zhandry, M.: A note on the quantum collision and set equality problems. arXiv preprint arXiv:1312.1027 (2013)"},{"key":"39_CR34","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"239","DOI":"10.1007\/978-3-030-26951-7_9","volume-title":"Advances in Cryptology \u2013 CRYPTO 2019","author":"M Zhandry","year":"2019","unstructured":"Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 
239\u2013268. Springer, Cham (2019). https:\/\/doi.org\/10.1007\/978-3-030-26951-7_9"}],"container-title":["Lecture Notes in Computer Science","Network and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-23020-2_39","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,12,6]],"date-time":"2022-12-06T07:20:11Z","timestamp":1670311211000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-23020-2_39"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022]]},"ISBN":["9783031230196","9783031230202"],"references-count":34,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-23020-2_39","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022]]},"assertion":[{"value":"7 December 2022","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"NSS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Network and System Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Denarau Island","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Fiji","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2022","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"9 December 
2022","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"12 December 2022","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"16","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"nss2022","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/nsclab.org\/nss2022\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Easy chair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"83","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"23","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"18","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"28% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number 
of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}