Hash Combiners for Second Pre-image Resistance, Target Collision Resistance and Pre-image Resistance Have Long Output
Author
Abstract
A (k, l) hash-function combiner for property P is a construction that, given access to l hash functions, yields a single cryptographic hash function which has property P as long as at least k out of the l hash functions have that property. Hash function combiners are used to hedge against the failure of one or more of the individual components. One example of the application of hash function combiners is found in previous versions of the TLS and SSL protocols [10, 8]. The concatenation combiner, which simply concatenates the outputs of all hash functions, is an example of a robust combiner for collision resistance. However, its output length is, naturally, significantly longer than each individual hash-function output, while the security bounds are not necessarily stronger than those of the strongest input hash function. In 2006 Boneh and Boyen asked whether a robust black-box combiner for collision resistance can exist that has an output length significantly less than that of the concatenation combiner [4]. Regrettably, this question has since been answered in the negative for fully black-box constructions (where hash function and adversary access are treated as black-box); that is, combiners (in this setting) for collision resistance roughly need at least the length of the concatenation combiner to be robust [4, 5, 16, 17]. In this paper we examine weaker notions of collision resistance, namely second pre-image resistance, target collision resistance [20], and pre-image resistance. As a generic brute-force attack against any of these would take roughly $2^n$ queries to an n-bit hash function, in contrast to only $2^{n/2}$ queries it would take to break collision resistance (due to the birthday bound), this might indicate that combiners for weaker notions of collision resistance can exist which have a significantly shorter output than the concatenation combiner (which is, naturally, also robust for these properties). Regrettably, this is not the case.
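The concatenation combiner described in the abstract, shown as a (1, 2) combiner in an added example that is not code from the paper. The 16-bit `weak_hash` is a constructed stand-in for a failed component, and all function names are assumptions made for illustration.

```python
import hashlib
from itertools import count


def weak_hash(msg: bytes) -> bytes:
    """Constructed 'broken' component: SHA-256 truncated to 16 bits."""
    return hashlib.sha256(b"weak" + msg).digest()[:2]


def strong_hash(msg: bytes) -> bytes:
    """Component assumed to remain collision resistant."""
    return hashlib.sha3_256(msg).digest()


def concat_combiner(msg: bytes, components=(weak_hash, strong_hash)) -> bytes:
    """Concatenate every component digest; output length is the sum of all."""
    return b"".join(h(msg) for h in components)


def find_collision(h):
    """Birthday search: practical only because weak_hash has 16 output bits."""
    seen = {}
    for i in count():
        msg = i.to_bytes(4, "big")
        digest = h(msg)
        if digest in seen:
            return seen[digest], msg
        seen[digest] = msg


def demo() -> dict:
    m1, m2 = find_collision(weak_hash)
    return {
        # The failed component really does collide on two distinct messages.
        "weak_collides": m1 != m2 and weak_hash(m1) == weak_hash(m2),
        # A combiner collision would also have to collide in strong_hash.
        "combiner_collides": concat_combiner(m1) == concat_combiner(m2),
        # Robustness is paid for in length: 16 + 256 bits.
        "output_bits": 8 * len(concat_combiner(b"")),
    }


if __name__ == "__main__":
    print(demo())
```

The combiner's output is as long as both digests together, which is the cost the abstract refers to when it asks whether a shorter robust combiner can exist.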
Similar resources
Multi-property Preserving Combiners for Hash Functions
A robust combiner for hash functions takes two candidate implementations and constructs a hash function which is secure as long as at least one of the candidates is secure. So far, hash function combiners only aim at preserving a single property such as collision-resistance or pseudorandomness. However, when hash functions are used in protocols like TLS they are often required to provide severa...
Robust Multi-property Combiners for Hash Functions Revisited
A robust multi-property combiner for a set of security properties merges two hash functions such that the resulting function satisfies each of the properties which at least one of the two starting functions has. Fischlin and Lehmann (TCC 2008) recently constructed a combiner which simultaneously preserves collision-resistance, target collision-resistance, message authentication, pseudorandomnes...
SPN-Hash: Improving the Provable Resistance against Differential Collision Attacks
Collision resistance is a fundamental property required for cryptographic hash functions. One way to ensure collision resistance is to use hash functions based on public key cryptography (PKC) which reduces collision resistance to a hard mathematical problem, but such primitives are usually slow. A more practical approach is to use symmetric-key design techniques which lead to faster schemes, b...
On Existence of Robust Combiners for Cryptographic Hash Functions
A (k, l)-robust combiner for collision resistant hash functions is a construction which takes l hash functions and combines them so that if at least k of the components are collision resistant, then so is the resulting combination. A black-box (k, l)-robust combiner is a robust combiner which takes its components as black boxes. A trivial black-box combiner is concatenation of any (l−k+1) of th...
On the security of hash function combiners
A hash function is an algorithm that compresses messages of arbitrary length into short digests of fixed length. If the function additionally satisfies certain security properties, it becomes a powerful tool in the design of cryptographic protocols. The most important property is collision-resistance, which requires that it should be hard to find two distinct messages that evaluate to the same ...
Journal title:
- IACR Cryptology ePrint Archive
Volume: 2012, Issue:
Pages: -
Publication date: 2012