Security-Amplifying Combiners for Collision-Resistant Hash Functions

  • Marc Fischlin
  • Anja Lehmann
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4622)


The classical combiner \(\mathsf{Comb}_{\text{class}}^{H_0,H_1}(M)=H_0(M)|| H_1(M)\) for hash functions H 0,H 1 provides collision-resistance as long as at least one of the two underlying hash functions is secure. This statement is complemented by the multi-collision attack of Joux (Crypto 2004) for iterated hash functions H 0,H 1 with n-bit outputs. He shows that one can break the classical combiner in \({{n}\over{2}}. T_0 + T_1\) steps if one can find collisions for H 0 and H 1 in time T 0 and T 1, respectively. Here we address the question if there are security-amplifying combiners where the security of the building blocks increases the security of the combined hash function, thus beating the bound of Joux. We discuss that one can indeed have such combiners and, somewhat surprisingly in light of results of Nandi and Stinson (ePrint 2004) and of Hoch and Shamir (FSE 2006), our solution is essentially as efficient as the classical combiner.


Hash Function Compression Function Classical Combiner Message Block Oracle Access 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Boneh, D., Boyen, X.: On the Impossibility of Efficiently Combining Collision Resistant Hash Functions. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 570–583. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  2. 2.
    Bellare, M., Rogaway, P.: Collision-Resistant Hashing: Towards Making UOWHFs Practical. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 470–484. Springer, Heidelberg (1997)Google Scholar
  3. 3.
    Canetti, R., Rivest, R., Sudan, M., Trevisan, L., Vadhan, S., Wee, H.: Amplifying Collision Resistance: A Complexity-Theoretic Treatment. In: Advances in Cryptology — Crypto 2007. LNCS, Springer, Heidelberg (2007)Google Scholar
  4. 4.
    Damgård, I.: A Design Principle for Hash Functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)Google Scholar
  5. 5.
    Goldreich, O., Impagliazzo, R., Levin, L., Venkatesan, R., Zuckerman, D.: Security Preserving Amplification of Hardness. In: FOCS 1990. Proceedings of the Annual Symposium on Foundations of Computer Science, pp. 318–326. IEEE Computer Society Press, Los Alamitos (1990)Google Scholar
  6. 6.
    Herzberg, A.: On Tolerant Cryptographic Constructions. In: Menezes, A.J. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 172–190. Springer, Heidelberg (2005)Google Scholar
  7. 7.
    Hoch, J., Shamir, A.: Breaking the ICE — Finding Multicollisions in Iterated Concatenated and Expanded (ICE) Hash Functions. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, Springer, Heidelberg (2006)CrossRefGoogle Scholar
  8. 8.
    Joux, A.: Multicollisions in Iterated Hash Functions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, Springer, Heidelberg (2004)Google Scholar
  9. 9.
    Lin, H., Trevisan, L., Wee, H.: On Hardness Amplification of One-Way Functions. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 34–49. Springer, Heidelberg (2005)Google Scholar
  10. 10.
    Merkle, R.: One Way Hash Functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)Google Scholar
  11. 11.
    Nandi, M., Stinson, D.: Multicollision Attacks on a Class of Hash Functions. Number 2004/330 in Cryptology eprint archive (2004),
  12. 12.
    Pietrzak, K.: Non-Trivial Black-Box Combiners for Collision-Resistant Hash-Functions don’t Exist. In: Advances in Cryptology — Eurocrypt 2007. LNCS, Springer, Heidelberg (2007)Google Scholar
  13. 13.
    Yao, A.: Theory and Applications of Trapdoor Functions. In: FOCS. Proceedings of the Annual Symposium on Foundations of Computer Science, IEEE Computer Society Press, Los Alamitos (1982)Google Scholar
  14. 14.
    Yu, H., Wang, X.: MultiCollision Attack on the Compression Functions of MD4 and 3-Pass HAVAL. Number 2007/085 in Cryptology eprint archive (2007),

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Marc Fischlin
    • 1
  • Anja Lehmann
    • 1
  1. 1.Darmstadt University of TechnologyGermany

Personalised recommendations