Compression from Collisions, or Why CRHF Combiners Have a Long Output

  • Krzysztof Pietrzak
Conference paper

DOI: 10.1007/978-3-540-85174-5_23

Part of the Lecture Notes in Computer Science book series (LNCS, volume 5157)
Cite this paper as:
Pietrzak K. (2008) Compression from Collisions, or Why CRHF Combiners Have a Long Output. In: Wagner D. (eds) Advances in Cryptology – CRYPTO 2008. CRYPTO 2008. Lecture Notes in Computer Science, vol 5157. Springer, Berlin, Heidelberg


A black-box combiner for collision resistant hash functions (CRHF) is a construction which given black-box access to two hash functions is collision resistant if at least one of the components is collision resistant.

In this paper we prove a lower bound on the output length of black-box combiners for CRHFs. The bound we prove is basically tight as it is achieved by a recent construction of Canetti et al [Crypto’07]. The best previously known lower bounds only ruled out a very restricted class of combiners having a very strong security reduction: the reduction was required to output collisions for both underlying candidate hash-functions given a single collision for the combiner (Canetti et al [Crypto’07] building on Boneh and Boyen [Crypto’06] and Pietrzak [Eurocrypt’07]).

Our proof uses a lemma similar to the elegant “reconstruction lemma” of Gennaro and Trevisan [FOCS’00], which states that any function which is not one-way is compressible (and thus uniformly random function must be one-way). In a similar vein we show that a function which is not collision resistant is compressible. We also borrow ideas from recent work by Haitner et al. [FOCS’07], who show that one can prove the reconstruction lemma even relative to some very powerful oracles (in our case this will be an exponential time collision-finding oracle).

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Krzysztof Pietrzak
    • 1
  1. 1.CWI AmsterdamThe Netherlands

Personalised recommendations