5 research outputs found
Compression from Collisions, or Why CRHF Combiners Have a Long Output
A black-box combiner for collision resistant hash functions (CRHF)
is a construction which given black-box access to two hash functions is
collision resistant if at least one of the components is
collision resistant.
In this paper we prove a lower bound on the output length of black-box
combiners for CRHFs. The bound we prove is basically tight as it is
achieved by a recent construction of Canetti et al [CRYPTO'07]. The
best previously known lower bounds only ruled out a very restricted
class of combiners having a very strong security reduction: the
reduction was required to output collisions for both underlying
candidate hash-functions given a single collision for the combiner
(Canetti et al [CRYPTO'07] building on Boneh and Boyen [CRYPTO'06] and
Pietrzak [EUROCRYPT'07]).
Our proof uses a lemma similar to the elegant ``reconstruction lemma''
of Gennaro and Trevisan [FOCS'00], which states that any function
which is not one-way is compressible (and thus uniformly random
function must be one-way). In a similar vein we show that a function
which is not collision resistant is compressible. We also borrow
ideas from recent work by Haitner et al. [FOCS'07], who show that one
can prove the reconstruction lemma even relative to some very powerful
oracles (in our case this will be an exponential time
collision-finding oracle)
Combining properties of cryptographic hash functions
A ``strong\u27\u27 cryptographic hash function suitable for practical applications should simultaneously satisfy many security properties, like pseudo-randomness, collision resistance and unforgeability. This paper shows how to combine two hash function families each satisfying different security property into one hash function family, which satisfies both properties. In particular, given two hash function families and , where is pseudo-random and is collision resistant, we construct a combiner which satisfies pseudo-randomness and collision resistance. We also present a combiner for collision resistance and everywhere preimage resistance. When designing a new hash function family for some particular application, we can use such combiners with existing primitives and thus combine a hash function family satisfying all needed properties
Ideal-Cipher (Ir)reducibility for Blockcipher-Based Hash Functions
Preneel et al.~(Crypto 1993) assessed 64 possible ways to construct a compression function out of a blockcipher. They conjectured that 12 out of these 64 so-called PGV constructions achieve optimal security bounds for collision resistance and preimage resistance. This was proven by Black et al.~(Journal of Cryptology, 2010), if one assumes that the blockcipher is ideal. This result, however, does not apply to ``non-ideal\u27\u27 blockciphers such as AES. To alleviate this problem, we revisit the PGV constructions in light of the recently proposed idea of random-oracle reducibility (Baecher and Fischlin, Crypto 2011). We say that the blockcipher in one of the 12 secure PGV constructions reduces to the one in another construction, if \emph{any} secure instantiation of the cipher, ideal or not, for one construction also makes the other secure. This notion allows us to relate the underlying assumptions on blockciphers in different constructions, and show that the requirements on the blockcipher for one case are not more demanding than those for the other. It turns out that this approach divides the 12 secure constructions into two groups of equal size, where within each group a blockcipher making one construction secure also makes all others secure. Across the groups this is provably not the case, showing that the sets of ``good\u27\u27 blockciphers for each group are qualitatively distinct. We also relate the ideal ciphers in the PGV constructions with those in double-block-length hash functions such as Tandem-DM, Abreast-DM, and Hirose-DM. Here, our results show that, besides achieving better bounds, the double-block-length hash functions rely on weaker assumptions on the blockciphers to achieve collision and everywhere preimage resistance