Compression from Collisions, or Why CRHF Combiners Have a Long Output

A black-box combiner for collision resistant hash functions (CRHF) is a construction which given black-box access to two hash functions is collision resistant if at least one of the components is collision resistant. In this paper we prove a lower bound on the output length of black-box combiners for CRHFs. The bound we prove is basically tight as it is achieved by a recent construction of Canetti et al [Crypto'07]. The best previously known lower bounds only ruled out a very restricted class of combiners having a very strong security reduction: the reduction was required to output collisions for both underlying candidate hash-functions given a single collision for the combiner (Canetti et al [Crypto'07] building on Boneh and Boyen [Crypto'06] and Pietrzak [Eurocrypt'07]). Our proof uses a lemma similar to the elegant "reconstruction lemma" of Gennaro and Trevisan [FOCS'00], which states that any function which is not one-way is compressible (and thus uniformly random function must be one-way). In a similar vein we show that a function which is not collision resistant is compressible. We also borrow ideas from recent work by Haitner et al. [FOCS'07], who show that one can prove the reconstruction lemma even relative to some very powerful oracles (in our case this will be an exponential time collision-finding oracle).

[1]  Omer Reingold,et al.  Finding Collisions in Interactive Protocols - A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments , 2007, 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS'07).

[2]  Alfred Menezes,et al.  Topics in Cryptology – CT-RSA 2005 , 2005 .

[3]  Daniel R. Simon,et al.  Limits on the efficiency of one-way permutation-based hash functions , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[4]  Amir Herzberg,et al.  On Tolerant Cryptographic Constructions , 2005, CT-RSA.

[5]  Krzysztof Pietrzak,et al.  Non-trivial Black-Box Combiners for Collision-Resistant Hash-Functions Don't Exist , 2007, EUROCRYPT.

[6]  Bartosz Przydatek,et al.  On Robust Combiners for Private Information Retrieval and Other Primitives , 2006, CRYPTO.

[7]  Silvio Micali,et al.  Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems , 1991, JACM.

[8]  Kaisa Nyberg,et al.  Advances in Cryptology — EUROCRYPT'98 , 1998 .

[9]  Phong Q. Nguyen Progress in Cryptology - VIETCRYPT 2006 , 2007 .

[10]  Marc Fischlin,et al.  Robust Multi-property Combiners for Hash Functions Revisited , 2008, ICALP.

[11]  Ronald Cramer,et al.  Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings , 2005, EUROCRYPT.

[12]  Russell Impagliazzo,et al.  Limits on the Provable Consequences of One-way Permutations , 1988, CRYPTO.

[13]  Marc Fischlin,et al.  Security-Amplifying Combiners for Collision-Resistant Hash Functions , 2007, CRYPTO.

[14]  Xiaoyun Wang,et al.  How to Break MD5 and Other Hash Functions , 2005, EUROCRYPT.

[15]  Luca Trevisan,et al.  Lower bounds on the efficiency of generic cryptographic constructions , 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science.

[16]  Jürg Wullschleger,et al.  Robuster Combiners for Oblivious Transfer , 2007, TCC.

[17]  Boaz Barak,et al.  How to go beyond the black-box simulation barrier , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[18]  Victor Shoup Advances in Cryptology - CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings , 2005, CRYPTO.

[19]  Luca Trevisan,et al.  Amplifying Collision Resistance: A Complexity-Theoretic Treatment , 2007, CRYPTO.

[20]  Phillip Rogaway,et al.  Formalizing Human Ignorance , 2006, VIETCRYPT.

[21]  Cynthia Dwork,et al.  Advances in Cryptology – CRYPTO 2020: 40th Annual International Cryptology Conference, CRYPTO 2020, Santa Barbara, CA, USA, August 17–21, 2020, Proceedings, Part III , 2020, Annual International Cryptology Conference.

[22]  Xiaoyun Wang,et al.  Finding Collisions in the Full SHA-1 , 2005, CRYPTO.

[23]  A. J. Menezes,et al.  Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2007, Proceedings , 2007, CRYPTO.

[24]  Moni Naor Advances in Cryptology - EUROCRYPT 2007, 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, Spain, May 20-24, 2007, Proceedings , 2007, EUROCRYPT.

[25]  Luca Trevisan,et al.  Notions of Reducibility between Cryptographic Primitives , 2004, TCC.

[26]  Moni Naor,et al.  On Robust Combiners for Oblivious Transfer and Other Primitives , 2005, EUROCRYPT.

[27]  Daniel R. Simon,et al.  Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? , 1998, EUROCRYPT.

[28]  Dan Boneh,et al.  On the Impossibility of Efficiently Combining Collision Resistant Hash Functions , 2006, CRYPTO.