Cryptophia's Short Combiner for Collision-Resistant Hash Functions

A combiner for collision-resistant hash functions takes two functions as input and implements a hash function with the guarantee that it is collision-resistant if one of the two functions is. It has been shown that such a combiner cannot have short output (Pietrzak, Crypto 2008); that is, its output length is lower bounded by roughly 2n if the input functions output n-bit hash values. In this paper, we present two novel definitions for hash function combiners that allow us to bypass the lower bound. The first is an extended semi-black-box definition. The second is a new game-based, fully black-box definition, which allows for better analysis of combiners in idealized settings such as the random-oracle model or the indifferentiability framework (Maurer, Renner, and Holenstein, TCC 2004). We then present a new combiner that is robust for pseudorandom functions (in the traditional sense), does not increase the output length of its underlying functions, and is collision-resistant in the indifferentiability setting. Our combiner is particularly relevant in practical scenarios, where security proofs are often given in idealized models: in the same idealized model, it yields strong security guarantees while remaining short.

[1] Moni Naor, et al. Universal one-way hash functions and their cryptographic applications, 1989, STOC '89.

[2] Willi Meier, et al. SHA-3 proposal BLAKE, 2009.

[3] Luca Trevisan, et al. Amplifying Collision Resistance: A Complexity-Theoretic Treatment, 2007, CRYPTO.

[4] Leonid Reyzin, et al. Some Notions of Entropy for Cryptography, 2011.

[5] Bart Preneel, et al. On the Indifferentiability of the Grøstl Hash Function, 2010, SCN.

[6] Alan O. Freier, et al. Internet Engineering Task Force (IETF): The Secure Sockets Layer (SSL) Protocol Version 3.0, 2022.

[7] Xiaoyun Wang, et al. How to Break MD5 and Other Hash Functions, 2005, EUROCRYPT.

[8] Marc Fischlin, et al. Multi-property Preserving Combiners for Hash Functions, 2008, TCC.

[9] Hovav Shacham, et al. Careful with Composition: Limitations of the Indifferentiability Framework, 2011, EUROCRYPT.

[10] Moses D. Liskov. Constructing an Ideal Hash Function from Weak Ideal Compression Functions, 2006, Selected Areas in Cryptography.

[11] Marc Stevens, et al. Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate, 2009, CRYPTO.

[12] Chi-Jen Lu, et al. Conditional Computational Entropy, or Toward Separating Pseudoentropy from Compressibility, 2007, EUROCRYPT.

[13] Yu Sasaki, et al. Meet-in-the-Middle Preimage Attacks Against Reduced SHA-0 and SHA-1, 2009, CRYPTO.

[14] David Cash, et al. Foundations of Non-malleable Hash and One-Way Functions, 2009, ASIACRYPT.

[15] Thomas Shrimpton, et al. Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance, 2004, FSE.

[16] Marc Fischlin, et al. Hash Function Combiners in TLS and SSL, 2010, CT-RSA.

[17] Christophe De Cannière, et al. Preimages for Reduced SHA-0 and SHA-1, 2008, CRYPTO.

[18] Stefan Dziembowski, et al. Leakage-Resilient Cryptography, 2008, 2008 49th Annual IEEE Symposium on Foundations of Computer Science.

[19] Moti Yung, et al. Indifferentiability of the Hash Algorithm BLAKE, 2011, IACR Cryptol. ePrint Arch.

[20] Avi Wigderson, et al. Computational Analogues of Entropy, 2003, RANDOM-APPROX.

[21] Ronald L. Rivest, et al. The MD5 Message-Digest Algorithm, 1992, RFC.

[22] Hongjun Wu, et al. The Hash Function JH, 2009.

[23] Ivan Damgård, et al. A Design Principle for Hash Functions, 1989, CRYPTO.

[24] Anja Lehmann. On the security of hash function combiners, 2010.

[25] Marc Fischlin, et al. Robust Multi-property Combiners for Hash Functions Revisited, 2008, ICALP.

[26] Arno Mittelbach. Hash Combiners for Second Pre-image Resistance, Target Collision Resistance and Pre-image Resistance Have Long Output, 2012, SCN.

[27] Leonid A. Levin, et al. A Pseudorandom Generator from any One-way Function, 1999, SIAM J. Comput.

[28] Marc Fischlin, et al. Notions of Black-Box Reductions, Revisited, 2013, IACR Cryptol. ePrint Arch.

[29] Tim Dierks, et al. The Transport Layer Security (TLS) Protocol Version 1.2, 2008.

[30] David Pointcheval, et al. Optimal Asymmetric Encryption and Signature Paddings, 2005, ACNS.

[31] Krzysztof Pietrzak, et al. Compression from Collisions, or Why CRHF Combiners Have a Long Output, 2008, CRYPTO.

[32] Yevgeniy Dodis, et al. Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model, 2009, CRYPTO.

[33] Mridul Nandi, et al. Indifferentiability Characterization of Hash Functions and Optimal Bounds of Popular Domain Extensions, 2009, INDOCRYPT.

[34] Jean-Sébastien Coron, et al. Merkle-Damgård Revisited: How to Construct a Hash Function, 2005, CRYPTO.

[35] Rafail Ostrovsky, et al. Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data, 2004, SIAM J. Comput.

[36] Mihir Bellare, et al. Random oracles are practical: a paradigm for designing efficient protocols, 1993, CCS '93.

[37] Arno Mittelbach. Salvaging Indifferentiability in a Multi-stage Setting, 2013, IACR Cryptol. ePrint Arch.

[38] Adam O'Neill, et al. A Unified Approach to Deterministic Encryption: New Constructions and a Connection to Computational Entropy, 2012, Journal of Cryptology.

[39] Ralph C. Merkle, et al. One Way Hash Functions and DES, 1989, CRYPTO.

[40] Xiaoyun Wang, et al. Finding Collisions in the Full SHA-1, 2005, CRYPTO.

[41] Bart Preneel, et al. Breaking and Fixing Cryptophia's Short Combiner, 2014, CANS.

[42] Stefan Lucks, et al. The Skein Hash Function Family, 2009.

[43] Luca Trevisan, et al. Notions of Reducibility between Cryptographic Primitives, 2004, TCC.

[44] 尚弘 島影. Superconductivity Research and Life at the National Institute of Standards and Technology, 2001.

[45] Dan Boneh, et al. On the Impossibility of Efficiently Combining Collision Resistant Hash Functions, 2006, CRYPTO.

[46] Hovav Shacham, et al. Hedged Public-Key Encryption: How to Protect against Bad Randomness, 2009, ASIACRYPT.

[47] Bruce Schneier. One-way hash functions, 1991.

[48] Michal Rjasko. On Existence of Robust Combiners for Cryptographic Hash Functions, 2009, ITAT.

[49] Ueli Maurer, et al. Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology, 2004, TCC.

[50] Christophe De Cannière, et al. Finding SHA-1 Characteristics: General Results and Applications, 2006, ASIACRYPT.

[51] Mihir Bellare, et al. Deterministic and Efficiently Searchable Encryption, 2007, CRYPTO.

[52] Guido Bertoni, et al. On the Indifferentiability of the Sponge Construction, 2008, EUROCRYPT.

[53] Florian Mendel, et al. Symmetric Cryptography, 2009.

[54] Krzysztof Pietrzak, et al. Non-trivial Black-Box Combiners for Collision-Resistant Hash-Functions Don't Exist, 2007, EUROCRYPT.

[55] Yu Sasaki, et al. Finding Preimages in Full MD5 Faster Than Exhaustive Search, 2009, EUROCRYPT.