Abstract: A combiner is a construction formed out of two hash functions that is secure if one of the underlying functions is. Conventional combiners are known not to support short outputs: if the hash functions have n-bit outputs the combiner should have at least almost 2n bits of output in order to be robust for collision resistance (Pietrzak, CRYPTO 2008). Mittelbach (ACNS 2013) introduced a relaxed security model for combiners and presented "Cryptophia's short combiner," a rather delicate construction of an n-bit com…
“…In particular I'd like to thank Bart Mennink and Bart Preneel for spotting the gap in the original work and for providing a nice patch [MP14]. This work was supported by CASED (www.cased.de).…”
Section: Acknowledgments
“…As pointed out by Mennink and Preneel there was a gap in the proof as we falsely assumed that the preprocessing of the messages is injective [MP14]. Mennink and Preneel provide a nice fix to our construction which ensures that the preprocessed blocks of m and m′ are different whenever m and m′ are different (except with negligible probability), which then allows to prove collision resistance (and second pre-image resistance/target collision resistance).…”
Section: Collision Resistance
“…In the original work we claimed that the above construction is ideally secure for collision resistance, second-preimage resistance and target-collision resistance. However, Mennink and Preneel pointed out that the proof erroneously assumed injectivity of the preprocessing of blocks m and presented attacks exploiting this oversight [MP14]. Nevertheless, their observations do not invalidate the security claims on pre-image resistance, pseudorandomness and message-authentication security, and we include the original analysis for these security properties.…”
Section: Ideally Secure Combiner
“…Mennink and Preneel also present an elegant fix to the above construction which restores its original security claims. For the purpose of completeness, we present their adapted construction in Section 4.2 and refer to [MP14] for its security analysis.…”
Section: Ideally Secure Combiner
“…Mennink and Preneel provide a nice fix to our construction which ensures that the preprocessed blocks of m and m′ are different whenever m and m′ are different (except with negligible probability), which then allows to prove collision resistance (and second pre-image resistance/target collision resistance). We present the adapted construction next and refer to [MP14] for a security proof of the adapted construction and for further information on the attack on Construction 4.1. For this, additional keys l₁ and l₂ are introduced which are prepended to the function inputs.…”
Abstract. A combiner for collision-resistant hash functions takes two functions as input and implements a hash function with the guarantee that it is collision-resistant if one of the functions is. It has been shown that such a combiner cannot have short output (Pietrzak, Crypto 2008); that is, its output length is lower bounded by roughly 2n if the ingoing functions output n-bit hash values. In this paper, we present two novel definitions for hash function combiners that allow to bypass the lower bound: the first is an extended semi-black-box definition. The second is a new game-based, fully black-box definition which allows to better analyze combiners in idealized settings such as the random-oracle model or indifferentiability framework (Maurer, Renner, and Holenstein, TCC 2004). We then present a new combiner which is robust for pseudorandom functions (in the traditional sense), which does not increase the output length of its underlying functions and which is collision-resistant in the indifferentiability setting. Our combiner is particularly relevant in practical scenarios, where security proofs are often given in idealized models, and our combiner, in the same idealized model, yields strong security guarantees while remaining short.
In this paper we study the security of summing the outputs of two independent hash functions, in an effort to increase the security of the resulting design, or to hedge against the failure of one of the hash functions. The exclusive-or (XOR) combiner H1(M) ⊕ H2(M) is one of the two most classical combiners, together with the concatenation combiner H1(M) ∥ H2(M). While the security of the concatenation of two hash functions is well understood since Joux's seminal work on multicollisions, the security of the sum of two hash functions has been much less studied. The XOR combiner is well known as a good PRF and MAC combiner, and is used in practice in TLS versions 1.0 and 1.1. In a hash function setting, Hoch and Shamir have shown that if the compression functions are modeled as random oracles, or even weak random oracles (i.e. they can easily be inverted; in particular H1 and H2 offer no security), H1 ⊕ H2 is indifferentiable from a random oracle up to the birthday bound. In this work, we focus on the preimage resistance of the sum of two narrow-pipe n-bit hash functions, following the Merkle-Damgård or HAIFA structure (the internal state size and the output size are both n bits). We show a rather surprising result: the sum of two such hash functions, e.g. SHA-512 ⊕ Whirlpool, can never provide n-bit security for preimage resistance. More precisely, we present a generic preimage attack with a complexity of Õ(2^(5n/6)). While it is already known that the XOR combiner is not preserving for preimage resistance (i.e. there might be some instantiations where the hash functions are secure but the sum is not), our result is much stronger: for any narrow-pipe functions, the sum is not preimage resistant. Besides, we also provide concrete preimage attacks on the XOR combiner (and the concatenation combiner) when one or both of the compression functions are weak; this complements Hoch and Shamir's proof by showing its tightness for preimage resistance.
Of independent interest, one of our main technical contributions is a novel structure to control simultaneously the behavior of independent hash computations which share the same input message. We hope that breaking the pairwise relationship between their internal states will have applications in related settings.