Breaking and Fixing Cryptophia’s Short Combiner

Mennink, Bart; Preneel, Bart

doi:10.1007/978-3-319-12280-9_4

Cited by 6 publications

(9 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In particular I'd like to thank Bart Mennink and Bart Preneel for spotting the gap in the original work and for providing a nice patch [MP14]. This work was supported by CASED (www.cased.de).…”

Section: Acknowledgmentsmentioning

confidence: 99%

“…As pointed out by Mennink and Preneel there was a gap in the proof as we falsely assumed that the preprocessing of the messages is injective [MP14]. Mennink and Preneel provide a nice fix to our construction which ensures that preprocessed blocksm andm are different whenever m and m are different (except with negligible probability) which then allows to prove collision resistance (and second pre-image resistance/target collision resistance).…”

Section: Collision Resistancementioning

confidence: 99%

“…In the original work we claimed that the above construction is ideally secure for collision resistance, second-preimage resistance and target-collision resistance. However, Mennink and Preneel pointed out that the proof erroneously assumed injectivity of the preprocessing blocksm and presented attacks exploiting this oversight [MP14]. Nevertheless, their observations do not invalidate the security claims on pre-image resistance, pseudorandomness and message-authentication security, and we include the original analysis for these security properties.…”

Section: Ideally Secure Combinermentioning

confidence: 99%

“…Mennink and Preneel also present an elegant fix to the above construction which restores its original security claims. For the purpose of completeness, we present their adapted construction in Section 4.2 and refer to [MP14] for its security analysis.…”

Section: Ideally Secure Combinermentioning

confidence: 99%

“…Mennink and Preneel provide a nice fix to our construction which ensures that preprocessed blocksm andm are different whenever m and m are different (except with negligible probability) which then allows to prove collision resistance (and second pre-image resistance/target collision resistance). We present the adapted construction next and refer to [MP14] for a security proof of the adapted construction and for further information on the attack on Construction 4.1. For this additional keys l 1 and l 2 are introduced which are prepended to the function inputs.…”

Section: Collision Resistancementioning

confidence: 99%

See 4 more Smart Citations

Cryptophia’s Short Combiner for Collision-Resistant Hash Functions

Mittelbach

2013

Applied Cryptography and Network Security

View full text Add to dashboard Cite

Abstract.A combiner for collision-resistant hash functions takes two functions as input and implements a hash function with the guarantee that it is collision-resistant if one of the functions is. It has been shown that such a combiner cannot have short output (Pietrzak, Crypto 2008); that is, its output length is lower bounded by roughly 2n if the ingoing functions output n-bit hash values. In this paper, we present two novel definitions for hash function combiners that allow to bypass the lower bound: the first is an extended semi-black-box definition. The second is a new game-based, fully black-box definition which allows to better analyze combiners in idealized settings such as the random-oracle model or indifferentiability framework (Maurer, Renner, and Holenstein, TCC 2004). We then present a new combiner which is robust for pseudorandom functions (in the traditional sense), which does not increase the output length of its underlying functions and which is collision-resistant in the indifferentiability setting. Our combiner is particularly relevant in practical scenarios, where security proofs are often given in idealized models, and our combiner, in the same idealized model, yields strong security guarantees while remaining short.

show abstract

Section: Acknowledgmentsmentioning

confidence: 99%

Section: Collision Resistancementioning

confidence: 99%

Section: Ideally Secure Combinermentioning

confidence: 99%

Section: Ideally Secure Combinermentioning

confidence: 99%

Section: Collision Resistancementioning

confidence: 99%

See 3 more Smart Citations

Cryptophia’s Short Combiner for Collision-Resistant Hash Functions

Mittelbach

2013

Applied Cryptography and Network Security

View full text Add to dashboard Cite

show abstract

Random Oracle Combiners: Breaking the Concatenation Barrier for Collision-Resistance

Dodis

Ferguson

Goldin

et al. 2023

Advances in Cryptology – CRYPTO 2023

View full text Add to dashboard Cite

The Sum Can Be Weaker Than Each Part

Leurent

Wang

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

In this paper we study the security of summing the outputs of two independent hash functions, in an effort to increase the security of the resulting design, or to hedge against the failure of one of the hash functions. The exclusive-or (XOR) combiner H1(M)⊕H2(M) is one of the two most classical combiners, together with the concatenation combiner H1(M) H2(M). While the security of the concatenation of two hash functions is well understood since Joux's seminal work on multicollisions, the security of the sum of two hash functions has been much less studied. The XOR combiner is well known as a good PRF and MAC combiner, and is used in practice in TLS versions 1.0 and 1.1. In a hash function setting, Hoch and Shamir have shown that if the compression functions are modeled as random oracles, or even weak random oracles (i.e. they can easily be inverted-in particular H1 and H2 offer no security), H1 ⊕ H2 is indifferentiable from a random oracle up to the birthday bound. In this work, we focus on the preimage resistance of the sum of two narrowpipe n-bit hash functions, following the Merkle-Damgård or HAIFA structure (the internal state size and the output size are both n bits). We show a rather surprising result: the sum of two such hash functions, e.g. SHA-512 ⊕ Whirlpool, can never provide n-bit security for preimage resistance. More precisely, we present a generic preimage attack with a complexity ofÕ(2 5n/6). While it is already known that the XOR combiner is not preserving for preimage resistance (i.e. there might be some instantiations where the hash functions are secure but the sum is not), our result is much stronger: for any narrow-pipe functions, the sum is not preimage resistant. Besides, we also provide concrete preimage attacks on the XOR combiner (and the concatenation combiner) when one or both of the compression functions are weak; this complements Hoch and Shamir's proof by showing its tightness for preimage resistance. Of independent interests, one of our main technical contributions is a novel structure to control simultaneously the behavior of independent hash computations which share the same input message. We hope that breaking the pairwise relationship between their internal states will have applications in related settings.

show abstract

Breaking and Fixing Cryptophia’s Short Combiner

Cited by 6 publications

References 30 publications

Cryptophia’s Short Combiner for Collision-Resistant Hash Functions

Cryptophia’s Short Combiner for Collision-Resistant Hash Functions

Random Oracle Combiners: Breaking the Concatenation Barrier for Collision-Resistance

The Sum Can Be Weaker Than Each Part

Contact Info

Product

Resources

About