Compression from Collisions, or Why CRHF Combiners Have a Long Output

A black-box combiner for collision resistant hash functions (CRHF) is a construction which given black-box access to two hash functions is collision resistant if at least one of the components is collision resistant. In this paper we prove a lower bound on the output length of black-box combiners for CRHFs. The bound we prove is basically tight as it is achieved by a recent construction of Canetti et al [CRYPTO'07]. The best previously known lower bounds only ruled out a very restricted class of combiners having a very strong security reduction: the reduction was required to output collisions for both underlying candidate hash-functions given a single collision for the combiner (Canetti et al [CRYPTO'07] building on Boneh and Boyen [CRYPTO'06] and Pietrzak [EUROCRYPT'07]). Our proof uses a lemma similar to the elegant ``reconstruction lemma'' of Gennaro and Trevisan [FOCS'00], which states that any function which is not one-way is compressible (and thus uniformly random function must be one-way). In a similar vein we show that a function which is not collision resistant is compressible. We also borrow ideas from recent work by Haitner et al. [FOCS'07], who show that one can prove the reconstruction lemma even relative to some very powerful oracles (in our case this will be an exponential time collision-finding oracle)

Combining properties of cryptographic hash functions

A ``strong\u27\u27 cryptographic hash function suitable for practical applications should simultaneously satisfy many security properties, like pseudo-randomness, collision resistance and unforgeability. This paper shows how to combine two hash function families each satisfying different security property into one hash function family, which satisfies both properties. In particular, given two hash function families $H_1$ and $H_2$, where $H_1$ is pseudo-random and $H_2$ is collision resistant, we construct a combiner which satisfies pseudo-randomness and collision resistance. We also present a combiner for collision resistance and everywhere preimage resistance. When designing a new hash function family for some particular application, we can use such combiners with existing primitives and thus combine a hash function family satisfying all needed properties

Ideal-Cipher (Ir)reducibility for Blockcipher-Based Hash Functions

Preneel et al.~(Crypto 1993) assessed 64 possible ways to construct a compression function out of a blockcipher. They conjectured that 12 out of these 64 so-called PGV constructions achieve optimal security bounds for collision resistance and preimage resistance. This was proven by Black et al.~(Journal of Cryptology, 2010), if one assumes that the blockcipher is ideal. This result, however, does not apply to ``non-ideal\u27\u27 blockciphers such as AES. To alleviate this problem, we revisit the PGV constructions in light of the recently proposed idea of random-oracle reducibility (Baecher and Fischlin, Crypto 2011). We say that the blockcipher in one of the 12 secure PGV constructions reduces to the one in another construction, if \emph{any} secure instantiation of the cipher, ideal or not, for one construction also makes the other secure. This notion allows us to relate the underlying assumptions on blockciphers in different constructions, and show that the requirements on the blockcipher for one case are not more demanding than those for the other. It turns out that this approach divides the 12 secure constructions into two groups of equal size, where within each group a blockcipher making one construction secure also makes all others secure. Across the groups this is provably not the case, showing that the sets of ``good\u27\u27 blockciphers for each group are qualitatively distinct. We also relate the ideal ciphers in the PGV constructions with those in double-block-length hash functions such as Tandem-DM, Abreast-DM, and Hirose-DM. Here, our results show that, besides achieving better bounds, the double-block-length hash functions rely on weaker assumptions on the blockciphers to achieve collision and everywhere preimage resistance