Universal one-way hash functions and their cryptographic applications
STOC '89 Proceedings of the twenty-first annual ACM symposium on Theory of computing
Non-trivial Black-Box Combiners for Collision-Resistant Hash-Functions Don't Exist
EUROCRYPT '07 Proceedings of the 26th annual international conference on Advances in Cryptology
Preimages for Reduced SHA-0 and SHA-1
CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
Compression from Collisions, or Why CRHF Combiners Have a Long Output
CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
Finding Preimages in Full MD5 Faster Than Exhaustive Search
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Meet-in-the-Middle Preimage Attacks Against Reduced SHA-0 and SHA-1
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Amplifying collision resistance: a complexity-theoretic treatment
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
Finding SHA-1 characteristics: general results and applications
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Finding collisions in the full SHA-1
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
How to break MD5 and other hash functions
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
On the impossibility of efficiently combining collision resistant hash functions
CRYPTO'06 Proceedings of the 26th annual international conference on Advances in Cryptology
Cryptophia's short combiner for collision-resistant hash functions
ACNS'13 Proceedings of the 11th international conference on Applied Cryptography and Network Security
Hi-index | 0.00 |
A (k,l) hash-function combiner for property P is a construction that, given access to l hash functions, yields a single cryptographic hash function which has property P as long as at least k out of the l hash functions have that property. Hash function combiners are used to hedge against the failure of one or more of the individual components. One example of the application of hash function combiners are the previous versions of the TLS and SSL protocols [7,6]. The concatenation combiner which simply concatenates the outputs of all hash functions is an example of a robust combiner for collision resistance. However, its output length is, naturally, significantly longer than each individual hash-function output, while the security bounds are not necessarily stronger than that of the strongest input hash-function. In 2006 Boneh and Boyen asked whether a robust black-box combiner for collision resistance can exist that has an output length which is significantly less than that of the concatenation combiner [2]. Regrettably, this question has since been answered in the negative for fully black-box constructions (where hash function and adversary access is being treated as black-box), that is, combiners (in this setting) for collision resistance roughly need at least the length of the concatenation combiner to be robust [2,3,11,12]. In this paper we examine weaker notions of collision resistance, namely: second pre-image resistance and target collision resistance [15] and pre-image resistance. As a generic brute-force attack against any of these would take roughly 2n queries to an n-bit hash function, in contrast to only 2n/2 queries it would take to break collision resistance (due to the birthday bound), this might indicate that combiners for weaker notions of collision resistance can exist which have a significantly shorter output than the concatenation combiner (which is, naturally, also robust for these properties). Regrettably, this is not the case.