
Generic Attacks on Hash Combiners

Journal of Cryptology

Abstract

Hash combiners are a practical way to make cryptographic hash functions more tolerant to future attacks and compatible with existing infrastructure. A combiner combines two or more hash functions in a way that is hopefully more secure than each of the underlying hash functions, or at least remains secure as long as one of them is secure. Two classical hash combiners are the exclusive-or (XOR) combiner \( \mathcal {H}_1(M) \oplus \mathcal {H}_2(M) \) and the concatenation combiner \( \mathcal {H}_1(M) \Vert \mathcal {H}_2(M) \). Both of them process the same message using the two underlying hash functions in parallel. Apart from parallel combiners, there are also cascade constructions sequentially calling the underlying hash functions to process the message repeatedly, such as Hash-Twice \(\mathcal {H}_2(\mathcal {H}_1(IV, M), M)\) and the Zipper hash \(\mathcal {H}_2(\mathcal {H}_1(IV, M), \overleftarrow{M})\), where \(\overleftarrow{M}\) is the reverse of the message M. In this work, we study the security of these hash combiners by devising the best-known generic attacks. The results show that the security of most of the combiners is not as high as commonly believed. We summarize our attacks and their computational complexities (ignoring the polynomial factors) as follows:

  1.

    Several generic preimage attacks on the XOR combiner:

    • A first attack with a best-case complexity of \( 2^{5n/6} \) obtained for messages of length \( 2^{n/3} \). It relies on a novel technical tool named interchange structure. It is applicable for combiners whose underlying hash functions follow the Merkle–Damgård construction or the HAIFA framework.

    • A second attack with a best-case complexity of \( 2^{2n/3} \) obtained for messages of length \( 2^{n/2} \). It exploits properties of functional graphs of random mappings. It achieves a significant improvement over the first attack but is only applicable when the underlying hash functions use the Merkle–Damgård construction.

    • An improvement upon the second attack with a best-case complexity of \( 2^{5n/8} \) obtained for messages of length \( 2^{5n/8} \). It further exploits properties of functional graphs of random mappings and uses longer messages.

    These attacks show a rather surprising result: regarding preimage resistance, the sum of two n-bit narrow-pipe hash functions following the considered constructions can never provide n-bit security.

  2.

    A generic second-preimage attack on the concatenation combiner of two Merkle–Damgård hash functions. This attack finds second preimages faster than \( 2^n \) for challenges longer than \( 2^{2n/7} \) and has a best-case complexity of \( 2^{3n/4} \) obtained for challenges of length \( 2^{3n/4} \). It also exploits properties of functional graphs of random mappings.

  3.

    The first generic second-preimage attack on the Zipper hash with underlying hash functions following the Merkle–Damgård construction. The best-case complexity is \( 2^{3n/5} \), obtained for challenge messages of length \( 2^{2n/5} \).

  4.

    An improved generic second-preimage attack on Hash-Twice with underlying hash functions following the Merkle–Damgård construction. The best-case complexity is \( 2^{13n/22} \), obtained for challenge messages of length \( 2^{13n/22} \).

    The last three attacks show that regarding second-preimage resistance, the concatenation and cascade of two n-bit narrow-pipe Merkle–Damgård hash functions do not provide much more security than can be provided by a single n-bit hash function.

Our main technical contributions include the following:

  1.

    The interchange structure, which enables simultaneously controlling the behaviours of two hash computations sharing the same input.

  2.

    The simultaneous expandable message, which is a set of messages whose lengths cover a whole appropriate range and which form a multi-collision for both of the underlying hash functions.

  3.

    New ways to exploit the properties of functional graphs of random mappings generated by fixing the message block input to the underlying compression functions.



Notes

  1. We note that this MD5/SHA-1 combiner has been replaced by primitives based on a single hash function (e.g., SHA-256) since TLS version 1.2 [20].

  2. Here, we generalize the syntax of hash functions to also regard the initial value IV as an input parameter.

  3. The original specification of Hash-Twice is \( \mathcal {HT}(M) \triangleq \mathcal {H}(\mathcal {H}(IV, M), M) \), which processes the same message twice using a single hash function as shown in [2].

  4. For simplicity of description, we omit the computation of the initial value \( IV_n = h(IV, n, 0, 0) \), which is used to support variable hash size in the specification of HAIFA in [6]. This does not influence the attacks.

  5. The attacks essentially only require one of the functions to be iterated.

  6. For example, for \(n=160\) and message block of length 512 bits (as in SHA-1), the attack is faster than \(2^{160}\) for messages containing at least \(2^{46}\) blocks, or \(2^{52}\) bytes.

  7. The complexity formulas do not take into account (small) constant factors, which are generally ignored throughout this paper.

  8. A collision between \(x_{d-i}\) and \(x'_{D-i}\) occurs if \(x_{d-i} = x'_{D-i}\) but \(x_{d-i-1} \ne x'_{D-i-1}\).

  9. A more accurate analysis would take into account the event that the chains collide before \(x_{d-i}\), but the probability of this is negligible.

  10. There is a very low probability that the set contains repeated values, particularly when t is significantly smaller than \(L_1\). Here, we omit the discussion.

  11. Note that for simplicity of description, we omit the description of the finalization transformation on the internal state with the padding block and refer to Sect. 3.2 for the formal description.

  12. From now on, we will use “optimal complexity” to mean the minimized complexity under the optimal choice of parameters for each attack.

  13. It takes \(O(t \cdot 2^{t})\) operations by sorting the lists, but only \(2 \cdot 2^{t}\) using a hash table.

  14. Note that \(\ell +2g_1-n = n - \ell < n-2\ell /3\).

  15. The actual attack is slightly different, as it searches for deep iterates from which \((a_p,b_p)\) can be reached with a common message block.

  16. Note that for \(\ell > n/3\), \(g_1 = 2/5 \cdot (2n-\ell )> 2n/3 > \max(n/2, n-\ell )\), as required.

  17. One may ask why we did not compute a larger set \(\mathcal {S}\), as we did in Phase 2 of Attack 2. The reason for this is that it can be shown that in this case, a set of size 1 is optimal.

  18. One may also ask why we did not use cyclic nodes and multi-cycles to further improve this second-preimage attack on concatenation combiners as we did for the preimage attack on XOR combiners. The reason is that the optimization of Phase 2 of Attack 4 has reached its limit because of the limited number of candidate state pairs for \( (\bar{x}, \bar{y}) \). Thus, the complexity of Phase 2 becomes the bottleneck and cannot be improved using cyclic nodes.

  19. A large multi-collision can be built with a cost of roughly \(2^{n/2}\) in a narrow-pipe function, but this costs almost \(2^n\) for an ideal hash function.

  20. However, the message length can be a problem with some hash functions that do not accept long inputs. For example, SHA-256 and SHA-224 are only defined for messages with less than \( 2^{64} \) bits (i.e., \( 2^{55} \) blocks). In this case, one can apply the attack with a smaller value of t: this reduces the length of the messages at the cost of more time spent in the preimage search step. Thus, to mount a preimage attack against \(\text {SHA-224} \oplus \text {BLAKE-224}\), we should use \( t = 24 \) instead of \( t = 32 \). Then, the optimal complexity is \( 2^{200} \) instead of \( 2^{199} \).

  21. Note that \( n/3 + n'/3 > n'/2 \) when \( n'< 2n \).

References

  1. E. Andreeva, C. Bouillaguet, O. Dunkelman, P.-A. Fouque, J.J. Hoch, J. Kelsey, A. Shamir, S. Zimmer, New second-preimage attacks on hash functions. J. Cryptol. 29(4), 657–696 (2016)

  2. E. Andreeva, C. Bouillaguet, O. Dunkelman, J. Kelsey, Herding, second preimage and trojan message attacks beyond Merkle–Damgård, in M.J. Jacobson Jr., V. Rijmen, R. Safavi-Naini, editors, Selected Areas in Cryptography, 16th Annual International Workshop, SAC 2009, Calgary, Alberta, Canada, August 13–14, 2009, Revised Selected Papers. Lecture Notes in Computer Science, vol. 5867 (Springer, 2009), pp. 393–414

  3. E. Andreeva, C. Bouillaguet, P.-A. Fouque, J.J. Hoch, J. Kelsey, A. Shamir, S. Zimmer, Second preimage attacks on dithered hash functions, in N.P. Smart, editor, Advances in Cryptology—EUROCRYPT 2008, 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Istanbul, Turkey, April 13–17, 2008. Proceedings. Lecture Notes in Computer Science, vol. 4965 (Springer, 2008), pp. 270–288

  4. L. Aceto, I. Damgård, L.A. Goldberg, M.M. Halldórsson, A. Ingólfsdóttir, I. Walukiewicz, editors. Automata, Languages and Programming, 35th International Colloquium, ICALP 2008, Reykjavik, Iceland, July 7–11, 2008, Proceedings, Part II—Track B: Logic, Semantics, and Theory of Programming & Track C: Security and Cryptography Foundations. Lecture Notes in Computer Science, vol. 5126 (Springer, 2008)

  5. D. Boneh, X. Boyen. On the impossibility of efficiently combining collision resistant hash functions, in C. Dwork, editor, Advances in Cryptology—CRYPTO 2006, 26th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20–24, 2006, Proceedings. Lecture Notes in Computer Science, vol. 4117 (Springer, 2006), pp. 570–583

  6. E. Biham, O. Dunkelman, A framework for iterative hash functions—HAIFA. IACR Cryptol. ePrint Arch. 2007, 278 (2007)

  7. Z. Bao, J. Guo, L. Wang, Functional graphs and their applications in generic attacks on iterated hash constructions. IACR Trans. Symmetric Cryptol. 2018(1), 201–253 (2018)

  8. G. Brassard, editor. Advances in Cryptology—CRYPTO ’89, 9th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20–24, 1989, Proceedings. Lecture Notes in Computer Science, vol. 435 (Springer, 1990)

  9. S.R. Blackburn, D.R. Stinson, J. Upadhyay, On the complexity of the herding attack and some related attacks on hash functions. Des. Codes Cryptogr. 64(1–2), 171–193 (2012)

  10. Z. Bao, L. Wang, J. Guo, D. Gu, Functional graph revisited: updates on (second) preimage attacks on hash combiners, in J. Katz, H. Shacham, editors, Advances in Cryptology—CRYPTO 2017—37th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 20–24, 2017, Proceedings, Part II. Lecture Notes in Computer Science, vol. 10402 (Springer, 2017), pp. 404–427

  11. S. Chen, C. Jin, A second preimage attack on Zipper hash. Secur. Commun. Netw. 8(16), 2860–2866 (2015)

  12. R. Cramer, editor. Advances in Cryptology—EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22–26, 2005, Proceedings. Lecture Notes in Computer Science, vol. 3494 (Springer, 2005)

  13. R. Canetti, R.L. Rivest, M. Sudan, L. Trevisan, S.P. Vadhan, H. Wee, Amplifying collision resistance: a complexity-theoretic treatment, in Menezes [43], pp. 264–283.

  14. R.D. Dean, A. Appel. Formal Aspects of Mobile Code Security. PhD thesis, Princeton University, Princeton (1999)

  15. T. Dierks, C. Allen, The TLS protocol version 1.0. RFC 2246, 1–80 (1999)

  16. I. Damgård, A design principle for hash functions, in Brassard [8], pp. 416–427

  17. I. Dinur. New attacks on the concatenation and XOR hash combiners, in M. Fischlin, J.-S. Coron, editors, Advances in Cryptology—EUROCRYPT 2016—35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8–12, 2016, Proceedings, Part I. Lecture Notes in Computer Science, vol. 9665 (Springer, 2016), pp. 484–508

  18. I. Dinur, G. Leurent, Improved generic attacks against hash-based MACs and HAIFA, in Garay and Gennaro [27], pp. 149–168

  19. O. Dunkelman, B. Preneel, Generalizing the herding attack to concatenated hashing schemes, in ECRYPT Hash Function Workshop (Citeseer, 2007)

  20. T. Dierks, E. Rescorla, The transport layer security (TLS) protocol version 1.2. RFC 5246, 1–104 (2008)

  21. A.O. Freier, P. Karlton, P.C. Kocher, The secure sockets layer (SSL) protocol version 3.0. RFC 6101, 1–67 (2011)

  22. M. Fischlin, A. Lehmann, Security-amplifying combiners for collision-resistant hash functions, in Menezes [43], pp. 224–243

  23. M. Fischlin, A. Lehmann, Multi-property preserving combiners for hash functions, in R. Canetti, editor, Theory of Cryptography, Fifth Theory of Cryptography Conference, TCC 2008, New York, USA, March 19–21, 2008. Lecture Notes in Computer Science, vol. 4948 (Springer, 2008), pp. 375–392

  24. M. Fischlin, A. Lehmann, K. Pietrzak, Robust multi-property combiners for hash functions revisited, in Aceto et al. [4], pp. 655–666

  25. M. Fischlin, A. Lehmann, K. Pietrzak, Robust multi-property combiners for hash functions. J. Cryptol. 27(3), 397–428 (2014)

  26. P. Flajolet, A.M. Odlyzko, Random mapping statistics, in J.-J. Quisquater, J. Vandewalle, editors, Advances in Cryptology—EUROCRYPT ’89, Workshop on the Theory and Application of Cryptographic Techniques, Houthalen, Belgium, April 10–13, 1989, Proceedings. Lecture Notes in Computer Science, vol. 434 (Springer, 1989), pp. 329–354

  27. J.A. Garay, R. Gennaro, editors. Advances in Cryptology—CRYPTO 2014—34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17–21, 2014, Proceedings, Part I. Lecture Notes in Computer Science, vol. 8616 (Springer, 2014)

  28. J. Guo, T. Peyrin, Y. Sasaki, L. Wang, Updates on generic attacks against HMAC and NMAC, in Garay and Gennaro [27], pp. 131–148

  29. M.E. Hellman, A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980)

  30. A. Herzberg, On tolerant cryptographic constructions, in A. Menezes, editor, Topics in Cryptology—CT-RSA 2005, The Cryptographers’ Track at the RSA Conference 2005, San Francisco, CA, USA, February 14–18, 2005, Proceedings. Lecture Notes in Computer Science, vol. 3376 (Springer, 2005), pp. 172–190

  31. A. Herzberg, Folklore, practice and theory of robust combiners. J. Comput. Secur. 17(2), 159–189 (2009)

  32. J.J. Hoch, A. Shamir, Breaking the ICE—finding multicollisions in iterated concatenated and expanded (ICE) hash functions, in M.J.B. Robshaw, editor, Fast Software Encryption, 13th International Workshop, FSE 2006, Graz, Austria, March 15–17, 2006, Revised Selected Papers. Lecture Notes in Computer Science, vol. 4047 (Springer, 2006), pp. 179–194

  33. J.J. Hoch, A. Shamir. On the strength of the concatenated hash combiner when all the hash functions are weak, in Aceto et al. [4], pp. 616–630

  34. A. Jha, M. Nandi, Some cryptanalytic results on Zipper hash and concatenated hash. IACR Cryptol. ePrint Arch. 2015, 973 (2015)

  35. A. Joux, Multicollisions in iterated hash functions. Application to cascaded constructions, in M.K. Franklin, editor, Advances in Cryptology—CRYPTO 2004, 24th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15–19, 2004, Proceedings. Lecture Notes in Computer Science, vol. 3152 (Springer, 2004), pp. 306–316

  36. A. Joux, Algorithmic Cryptanalysis (Chapman and Hall/CRC, Boca Raton, 2009)

  37. J. Kelsey, T. Kohno, Herding hash functions and the nostradamus attack, in Serge Vaudenay, editor, Advances in Cryptology—EUROCRYPT 2006, 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, May 28–June 1, 2006, Proceedings. Lecture Notes in Computer Science, vol. 4004 (Springer, 2006), pp. 183–200

  38. J. Kelsey, B. Schneier, Second preimages on n-bit hash functions for much less than \(2^n\) work, in Cramer [12], pp. 474–490

  39. A. Lehmann. On the Security of Hash Function Combiners. PhD thesis, Darmstadt University of Technology (2010)

  40. M. Liskov, Constructing an ideal hash function from weak ideal compression functions, in E. Biham, A.M. Youssef, editors, Selected Areas in Cryptography, 13th International Workshop, SAC 2006, Montreal, Canada, August 17–18, 2006, Revised Selected Papers. Lecture Notes in Computer Science, vol. 4356 (Springer, 2006), pp. 358–375

  41. G. Leurent, T. Peyrin, L. Wang, New generic attacks against hash-based MACs, in K. Sako, P. Sarkar, editors, Advances in Cryptology—ASIACRYPT 2013—19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1–5, 2013, Proceedings, Part II. Lecture Notes in Computer Science, vol. 8270 (Springer, 2013), pp. 1–20

  42. G. Leurent, L. Wang, The sum can be weaker than each part, in E. Oswald, M. Fischlin, editors, Advances in Cryptology—EUROCRYPT 2015—34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26–30, 2015, Proceedings, Part I. Lecture Notes in Computer Science, vol. 9056 (Springer, 2015), pp. 345–367

  43. A. Menezes, editor. Advances in Cryptology—CRYPTO 2007, 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2007, Proceedings. Lecture Notes in Computer Science, vol. 4622. (Springer, 2007)

  44. R.C. Merkle. One way hash functions and DES, in Brassard [8], pp. 428–446

  45. A. Mittelbach. Hash combiners for second pre-image resistance, target collision resistance and pre-image resistance have long output, in I. Visconti, R. De Prisco, editors, Security and Cryptography for Networks—8th International Conference, SCN 2012, Amalfi, Italy, September 5–7, 2012. Proceedings. Lecture Notes in Computer Science, vol. 7485 (Springer, 2012), pp. 522–539

  46. A. Mittelbach, Cryptophia’s short combiner for collision-resistant hash functions, in M.J. Jacobson Jr., M.E. Locasto, P. Mohassel, R. Safavi-Naini, editors, Applied Cryptography and Network Security—11th International Conference, ACNS 2013, Banff, AB, Canada, June 25–28, 2013. Proceedings. Lecture Notes in Computer Science, vol. 7954 (Springer, 2013), pp. 136–153

  47. B. Mennink, B. Preneel, Breaking and fixing cryptophia’s short combiner, in D. Gritzalis, A. Kiayias, I.G. Askoxylakis, editors, Cryptology and Network Security—13th International Conference, CANS 2014, Heraklion, Crete, Greece, October 22–24, 2014. Proceedings. Lecture Notes in Computer Science, vol. 8813 (Springer, 2014), pp. 50–63

  48. F. Mendel, C. Rechberger, M. Schläffer, MD5 is weaker than weak: attacks on concatenated combiners, in M. Matsui, editor, Advances in Cryptology—ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, December 6–10, 2009. Proceedings. Lecture Notes in Computer Science, vol. 5912 (Springer, 2009), pp. 144–161

  49. M. Nandi, D.R. Stinson, Multicollision attacks on some generalized sequential hash functions. IEEE Trans. Inf. Theory 53(2), 759–767 (2007)

  50. K. Pietrzak, Non-trivial black-box combiners for collision-resistant hash-functions don’t exist, in M. Naor, editor, Advances in Cryptology—EUROCRYPT 2007, 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, Spain, May 20–24, 2007, Proceedings. Lecture Notes in Computer Science, vol. 4515 (Springer, 2007), pp. 23–33

  51. K. Pietrzak, Compression from collisions, or Why CRHF combiners have a long output, in D.A. Wagner, editor, Advances in Cryptology—CRYPTO 2008, 28th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 17–21, 2008. Proceedings. Lecture Notes in Computer Science, vol. 5157 (Springer, 2008), pp. 413–432

  52. L. Perrin, D. Khovratovich, Collision spectrum, entropy loss, T-sponges, and cryptanalysis of GLUON-64, in C. Cid, C. Rechberger, editors, Fast Software Encryption—21st International Workshop, FSE 2014, London, UK, March 3–5, 2014. Revised Selected Papers. Lecture Notes in Computer Science, vol. 8540 (Springer, 2014), pp. 82–103

  53. B. Preneel, Analysis and Design of Cryptographic Hash Functions. PhD thesis, Katholieke Universiteit te Leuven (1993)

  54. T. Peyrin, L. Wang, Generic universal forgery attack on iterative hash-based MACs, in P.Q. Nguyen, E. Oswald, editors, Advances in Cryptology—EUROCRYPT 2014—33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11–15, 2014. Proceedings. Lecture Notes in Computer Science, vol. 8441 (Springer, 2014), pp. 147–164

  55. M. Rjasko, On existence of robust combiners for cryptographic hash functions. In P. Vojtás, editor, Proceedings of the Conference on Theory and Practice of Information Technologies, ITAT 2009, Horský hotel Kralova studna, Slovakia, September 25–29, 2009, volume 584 of CEUR Workshop Proceedings (CEUR-WS.org, 2009), pp. 71–76

  56. P.C. van Oorschot, M.J. Wiener, Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)

  57. D.A. Wagner, A generalized birthday problem, in M. Yung, editor, Advances in Cryptology—CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara, California, USA, August 18–22, 2002, Proceedings. Lecture Notes in Computer Science, vol. 2442 (Springer, 2002), pp. 288–303

  58. X. Wang, H. Yu, How to break MD5 and other hash functions, in Cramer [12], pp. 19–35

  59. X. Wang, Y.L. Yin, H. Yu, Finding collisions in the full SHA-1, in V. Shoup, editor, Advances in Cryptology—CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14–18, 2005, Proceedings. Lecture Notes in Computer Science, vol. 3621 (Springer, 2005), pp. 17–36


Acknowledgements

This research is supported by the National Research Foundation, Prime Minister’s Office, Singapore, under its Strategic Capability Research Centres Funding Initiative, Nanyang Technological University under research Grant M4082123 and Singapore’s Ministry of Education under Grant M4012049. Itai Dinur is supported in part by the Israeli Science Foundation through Grant No. 573/16. Lei Wang is supported by National Natural Science Foundation of China (61602302, 61472250, 61672347), Natural Science Foundation of Shanghai (16ZR1416400), Shanghai Excellent Academic Leader Funds (16XD1401300), 13th five-year National Development Fund of Cryptography (MMJJ20170114).

Author information

Corresponding author

Correspondence to Jian Guo.

Additional information

Communicated by Vincent Rijmen.


This paper is a combination and extension of three conference papers [10, 17, 42].

Appendices

A Pseudo-codes of Algorithms

[Algorithm pseudo-code figures not reproduced in this extraction.]

B Optimized Interchange Structure

We now describe an optimized attack using only \((2^t-1)(2^t-1)\) switches rather than \(2^{2t}-1\). The attack also requires multi-collision structures, as introduced by Joux [35].

We replace the first \(2^t-1\) switches with a \(2^t\)-Joux’s multi-collision in \(\mathcal {H}_1\), and we use those messages to initialize all the \(b_k\) chains in \(\mathcal {H}_2\). We can also optimize the first series of switches in \(\mathcal {H}_2\) in the same way: we build a \(2^{t}\)-multi-collision in \(\mathcal {H}_2\) starting from \(b_0\), and we use those messages to initialize the \(a_j\) chains in \(\mathcal {H}_1\). This is illustrated in Fig. 14, and the detailed attack is given in Algorithm 6.

Fig. 14 Optimized interchange structure

[Algorithm 6 (pseudo-code figure) not reproduced in this extraction.]
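As an added illustration, not code from the paper, the following Python toy builds the \(2^t\)-Joux multi-collision that the optimization above uses in place of the first \(2^t-1\) switches, and then checks the property the optimization relies on: all \(2^t\) messages reach a single \(\mathcal {H}_1\) state while their \(\mathcal {H}_2\) states are (almost all) distinct, which is what makes them usable for seeding the \(b_k\) chains. The compression functions (truncated SHA-256 with a domain-separation label), the 16-bit state size, the 4-byte block length and the initial values are constructed stand-ins for \(h_1\), \(h_2\) and their parameters, chosen so that each birthday search finishes in milliseconds.

```python
"""Toy Joux multi-collision on a narrow-pipe Merkle–Damgård hash (added example).

The state size is deliberately tiny (N_BITS = 16) so the birthday searches
finish instantly; the structure of the construction is what matters.
"""
import hashlib
import itertools

N_BITS = 16                  # toy chaining-value size n (constructed; real hashes use >= 160)
BLOCK_LEN = 4                # message block length in bytes (constructed)
IV1, IV2 = 0x1234, 0xABCD    # constructed initial values for H1 and H2


def compress(label: bytes, state: int, block: bytes) -> int:
    """Toy compression function h_label(state, block) -> n-bit state.

    Built by truncating SHA-256; the label makes the H1 and H2 compression
    functions unrelated, so the two hashes behave like independent mappings.
    """
    data = label + state.to_bytes(2, "big") + block
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def md_hash(label: bytes, iv: int, blocks: list) -> int:
    """Plain Merkle–Damgård iteration (finalisation/padding omitted, as in Note 11)."""
    state = iv
    for blk in blocks:
        state = compress(label, state, blk)
    return state


def find_block_collision(label: bytes, state: int):
    """Birthday search: two distinct one-block messages with the same successor state.

    Expected cost is about 2^(n/2) compression calls for an n-bit state.
    Returns (block_a, block_b, common_next_state).
    """
    seen = {}
    for counter in itertools.count():
        blk = counter.to_bytes(BLOCK_LEN, "big")
        nxt = compress(label, state, blk)
        if nxt in seen:
            return seen[nxt], blk, nxt
        seen[nxt] = blk


def joux_multicollision(label: bytes, iv: int, t: int):
    """Build a 2^t-multi-collision: t colliding block pairs, each pair found
    from the state reached by the previous pair.  Cost t * 2^(n/2) instead
    of the 2^n an ideal hash would require.
    Returns (list of (block_a, block_b) pairs, common final state).
    """
    state = iv
    pairs = []
    for _ in range(t):
        a, b, state = find_block_collision(label, state)
        pairs.append((a, b))
    return pairs, state


def expand_messages(pairs):
    """All 2^t messages obtained by choosing one block from each pair."""
    return [list(choice) for choice in itertools.product(*pairs)]


def demo(t: int = 4) -> dict:
    """Build the multi-collision in H1 and measure how the messages behave under H1 and H2."""
    pairs, common = joux_multicollision(b"H1", IV1, t)
    msgs = expand_messages(pairs)
    h1_values = {md_hash(b"H1", IV1, m) for m in msgs}
    h2_values = {md_hash(b"H2", IV2, m) for m in msgs}
    return {
        "messages": len(msgs),
        "distinct_h1": len(h1_values),          # 1: every message reaches the same H1 state
        "distinct_h2": len(h2_values),          # close to 2^t: H2 treats them as unrelated inputs
        "h1_matches_construction": h1_values == {common},
    }


if __name__ == "__main__":
    print(demo(4))
```

With \(t = 4\) the search costs four rounds of roughly \(2^{8}\) compression calls, and the 16 resulting messages all reach the same \(\mathcal {H}_1\) state while giving many distinct \(\mathcal {H}_2\) states. That the cost scales as \(t \cdot 2^{n/2}\) rather than \(2^n\) is exactly the narrow-pipe property the abstract refers to, and it is the reason a combiner inherits weakness from the iterated structure of its components rather than from their compression functions.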

C On Problem Raised by Dependency Between Chain Evaluations

Suppose \( \bar{x} \) and \( \bar{y} \) are both of depth \( 2^{n - g_1} \). From Observation 2 in Sect. 2.7.1, we conclude that the probability of encountering \(\bar{x}\) and \(\bar{y}\) at the same distance in chains (of \(f_1\) and \(f_2\)) evaluated from \(x_0\) and \(y_0\) is approximately \(2^{n-3g_1}\). Thus, in Sect. 4.2.2 and Sect. 6.2.2, we conclude that if the trials of chain evaluations are independent, we need to compute about \(2^{3g_1-n}\) chains from different starting points. However, since the trials performed by selecting different starting points for the chains are not independent, this conclusion requires further justification.

More specifically, once the number of nodes evaluated along chains exceeds \( 2^{n - d} \), a new chain of length \( 2^d \) is very likely to collide with a previously evaluated node due to the birthday paradox (\( 2^d\times 2^{n - d} = 2^n\)), and from that point on the outcome of the chain evaluation is determined. As a result, new chains are all related to already evaluated chains, and the dependency between them affects the outcome non-negligibly after \( 2^{n - d} \) nodes have been evaluated.

However, we notice that in our attacks, the actual birthday bound for the non-negligible dependency between trials is \( 2^{2n - 2d} \) instead of \( 2^{n - d} \), because in each trial there are two chain evaluations: one in \( \mathcal {FG}_{f_1} \) and the other in \( \mathcal {FG}_{f_2} \). A chain evaluation in \( \mathcal {FG}_{f_1} \) can be seen as independent of a chain evaluation in \( \mathcal {FG}_{f_2} \). After having evaluated \( 2^{n - d} \) nodes in each of the two functional graphs, there is indeed a high probability of each new chain colliding with previously evaluated chains. However, for a new pair of chain evaluations, the probability that both chains collide with the chains evaluated in a previous trial is significant only after having evaluated \( 2^{2n - 2d} \) nodes, due to the birthday paradox. That is, trials cannot be seen as independent only after having evaluated \( 2^{2n - 2d} \) nodes. Note that in our attacks, the required number of trials is \( 2^{2n - 3d} \); thus, the total number of evaluated nodes is \( 2^{2n - 3d} \cdot 2^{d + 1} \approx 2^{2n - 2d} \), which falls exactly on the birthday bound. Thus, the dependency between the trials is negligible and the complexity analysis of the corresponding attacks is justified.
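To make the birthday-bound argument above concrete, here is an added Python simulation (not from the paper) over two toy random mappings \(f_1\), \(f_2\) on 16-bit nodes. It evaluates chains of length \(2^d\) from random starting points until a chosen number of nodes has been visited in each graph, then measures how often a fresh chain in \(\mathcal {FG}_{f_1}\), and how often a fresh pair of chains (one per graph), runs into already-visited nodes. The mappings are truncated SHA-256 stand-ins for fixed-message-block compression functions, and \(n = 16\), \(d = 6\) and the sample counts are constructed parameters. The pair statistic counts a trial as dependent whenever both of its chains hit any earlier node, which is looser than the appendix's condition (both hitting the same earlier trial), so it over-estimates dependency and is only an upper bound.

```python
"""Chain collisions in the functional graph of a random mapping (added example).

Illustrates the birthday argument of Appendix C with toy parameters: once
about 2^(n-d) nodes of FG_f have been visited, a fresh chain of length 2^d
very often meets a visited node, while a fresh *pair* of chains in two
independent graphs must both do so, which happens markedly less often.
"""
import hashlib
import random

N_BITS = 16          # toy node size n (constructed)
D = 6                # chains have length 2^D (constructed)


def random_mapping(label: bytes):
    """f_label: {0,1}^n -> {0,1}^n, a stand-in for a compression function with
    its message block fixed, modelled by truncated SHA-256 (constructed)."""
    def f(x: int) -> int:
        digest = hashlib.sha256(label + x.to_bytes(2, "big")).digest()
        return int.from_bytes(digest[:2], "big")
    return f


def walk_chain(f, start: int, length: int) -> list:
    """Iterate f `length` times from `start`; return the visited nodes in order."""
    nodes = []
    x = start
    for _ in range(length):
        x = f(x)
        nodes.append(x)
    return nodes


def chain_hits_visited(f, visited: set, start: int, length: int) -> bool:
    """True if the chain of `length` steps from `start` meets a previously visited node.
    Once it does, the rest of the chain is determined by the earlier evaluation."""
    x = start
    for _ in range(length):
        x = f(x)
        if x in visited:
            return True
    return False


def collision_rates(budget_log2: int, samples: int = 400, seed: int = 1) -> dict:
    """Visit 2^budget_log2 nodes in each graph using chains of length 2^D
    (requires budget_log2 >= D), then estimate, over `samples` fresh trials,
    the probability that a single chain collides and that a pair collides."""
    rng = random.Random(seed)           # fixed seed keeps the run reproducible
    f1, f2 = random_mapping(b"f1"), random_mapping(b"f2")
    length = 1 << D
    n_chains = 1 << (budget_log2 - D)
    visited1, visited2 = set(), set()
    for _ in range(n_chains):
        visited1.update(walk_chain(f1, rng.getrandbits(N_BITS), length))
        visited2.update(walk_chain(f2, rng.getrandbits(N_BITS), length))
    hit1 = hit2 = hit_both = 0
    for _ in range(samples):
        h1 = chain_hits_visited(f1, visited1, rng.getrandbits(N_BITS), length)
        h2 = chain_hits_visited(f2, visited2, rng.getrandbits(N_BITS), length)
        hit1 += h1
        hit2 += h2
        hit_both += h1 and h2
    return {
        "visited_per_graph": len(visited1),
        "single_f1": hit1 / samples,
        "single_f2": hit2 / samples,
        "pair": hit_both / samples,
    }


if __name__ == "__main__":
    # 2^(n-d-3) nodes: far below the birthday bound, few collisions.
    print("below bound:", collision_rates(N_BITS - D - 3))
    # 2^(n-d) nodes: at the birthday bound, most single chains collide.
    print("at bound:   ", collision_rates(N_BITS - D))
```

With \(2^{n-d}\) nodes visited, roughly \(1 - e^{-1}\) of fresh single chains meet an earlier node, in line with \(2^d \times 2^{n-d} = 2^n\); with eight times fewer nodes the rate drops to about a tenth. The pair rate is always at most the single-chain rate and is close to the product of the two, which is the observation behind moving the bound from \(2^{n-d}\) to \(2^{2n-2d}\) when each trial evaluates one chain in each graph.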


Cite this article

Bao, Z., Dinur, I., Guo, J. et al. Generic Attacks on Hash Combiners. J Cryptol 33, 742–823 (2020). https://doi.org/10.1007/s00145-019-09328-w
