Robust Multi-Property Combiners for Hash Functions

Fischlin, Marc; Lehmann, Anja; Pietrzak, Krzysztof

doi:10.1007/s00145-013-9148-7

Robust Multi-Property Combiners for Hash Functions

Published: 28 March 2013

Volume 27, pages 397–428, (2014)
Cite this article

Download PDF

Journal of Cryptology Aims and scope Submit manuscript

Robust Multi-Property Combiners for Hash Functions

Download PDF

Marc Fischlin¹,
Anja Lehmann² &
Krzysztof Pietrzak³

1249 Accesses
12 Citations
Explore all metrics

Abstract

A robust combiner for hash functions takes two candidate implementations and constructs a hash function which is secure as long as at least one of the candidates is secure. So far, hash function combiners only aim at preserving a single property such as collision-resistance or pseudorandomness. However, when hash functions are used in protocols like TLS they are often required to provide several properties simultaneously. We therefore put forward the notion of robust multi-property combiners and elaborate on different definitions for such combiners. We then propose a combiner that provably preserves (target) collision-resistance, pseudorandomness, and being a secure message authentication code. This combiner satisfies the strongest notion we propose, which requires that the combined function satisfies every security property which is satisfied by at least one of the underlying hash function. If the underlying hash functions have output length n, the combiner has output length 2n. This basically matches a known lower bound for black-box combiners for collision-resistance only, thus the other properties can be achieved without penalizing the length of the hash values. We then propose a combiner which also preserves the property of being indifferentiable from a random oracle, slightly increasing the output length to 2n+ω(logn). Moreover, we show how to augment our constructions in order to make them also robust for the one-wayness property, but in this case require an a priory upper bound on the input length.

Cryptophia’s Short Combiner for Collision-Resistant Hash Functions

Breaking and Fixing Cryptophia’s Short Combiner

Security Definitions for Hash Functions: Combining UCE and Indifferentiability

1 Introduction

Recent attacks on collision-resistant hash functions [13, 30–32] caused a decrease of confidence that today’s candidates really have this property and have raised the question how to devise constructions that are more tolerant to cryptanalytic results. Hence, approaches like robust combiners [18–20] which “merge” several candidate functions into a single failure-tolerant one, are of great interest and have triggered a long line of research [11, 12, 15–17, 21, 28, 29]. Informally, a hash combiner takes two hash functions H ₀,H ₁ and combines them in such a way that the resulting function satisfies some security property, whenever one of the underlying candidates H ₀ or H ₁ is satisfies it. For example, the “concatenation combiner” $\mathsf {Comb} ^{H_{0},H_{1}}_{\|}(M) = H_{0}(M) \|H_{1}(M)$ preserves the property of being collision-resistant because a collision M≠M′ for the combiner is always also a collision for both components H ₀ or H ₁. Thus if either of the hash functions H ₀ or H ₁ is collision-resistant, then so is the combined function.

However, hash functions are currently used for various tasks that require numerous properties beyond collision resistance, e.g., the HMAC construction [3] based on a keyed hash function is used (amongst others) in the IPSec and TLS protocols as a pseudorandom function and as a MAC. In the standardized protocols RSA-OAEP [6] and RSA-PSS [7] even stronger properties are required (cf. [9, 10]), prompting Coron et al. [14] to give constructions which propagate the random-oracle property from the compression function to the hash function. A further example for the need of multiple properties is given by Katz and Shin [22], where collision-resistant pseudorandom functions are required in order to protect authenticated group key exchange protocols against insider attacks.^{Footnote 1}

While one could in principle always employ a suitable hash combiner tailored to the individual security property needed by one particular cryptographic scheme, common practices such as code re-use, call for the design of a single (combiner) function satisfying as many properties as possible. On the level of hash functions this point of view has also been adopted by NIST in its on-going SHA-3 competition [27] and motivated a series of works [2, 4, 23], which, e.g., show how to lift multiple properties provided by a compression functions to a full-grown hash function.

Thus, also for hash combiners one would ideally like to have a single construction that is robust for many properties simultaneously. Combiners which preserve a single property such as collision-resistance or pseudorandomness are quite well understood. Robust multi-property combiners, on the other hand, are not covered by these strategies and require new techniques instead. As an example we discuss this issue for the case of collision-resistance and pseudorandomness.

The Problem with Multiple Properties

The simplest combiner for collision-resistance simply concatenates the outputs of both hash functions Comb _∥(M)=H ₀(M)∥H ₁(M). Obviously, the combiner is collision-resistant as long es either H ₀ or H ₁ has this property. Yet, it does not guarantee for example pseudorandomness (assuming that the hash functions are keyed) if only one of the underlying hash functions is pseudorandom. An adversary can immediately distinguish the concatenated output from a truly random value by simply examining the part of the insecure hash function.

An obvious approach to obtain a hash combiner that is robust for pseudorandomness is to set Comb _⊕(M)=H ₀(M)⊕H ₁(M). However, this combiner is not known to preserve collision-resistance anymore, since a collision for the combiner does not necessarily require collisions on both hash functions. In fact, this combiner also violates the conditions of [11, 28, 29] and [12], who have shown that the output of a (black-box) collision-resistant combiner cannot be significantly shorter than the concatenation of the outputs from all employed hash functions. Thus, already the attempt of combining only two properties in a robust manner indicates that finding a robust multi-property combiner is far from trivial.

Our Result

In this work we show how to build combiners that provably preserve multiple properties in a robust manner. We concentrate on the most common properties as proposed in [5], namely, collision-resistance (CR), target collision-resistance (TCR), pseudorandomness (PRF), message authentication (MAC), one-wayness (OW) and indifferentiability from a random oracle (IRO).

The Combiner Comb _4P

Our first construction is a combiner Comb _4P which robustly preserves the four properties collision-resistance, target collision-resistance, pseudorandomness and message authentication. If the underlying hash functions have output length n bits, the combiner has output length 2n, which basically matches known lower bounds for combiners which preserve collision-resistance only [11, 28, 29].

The idea for our combiner is to use the concatenation combiner Comb _∥, followed by a three-round Feistel permutation. In the first round of the Feistel permutation no round function is applied, whereas the two subsequent rounds are constructed by using the XOR-combiner Comb _⊕ (cf. Fig. 1). The round functions are made somewhat independent by prepending the round number to the input.

The rationale here is that applying the Feistel (or any other) permutation to the output of Comb _∥ still preserves the CR, TCR, and MAC properties, e.g., collisions for Comb _∥ are pulled through the downstream permutation and can be traced back to collisions for Comb _∥. At the same time, one achieves robustness for the PRF property. The latter can be seen as follows: if either H ₀ or H ₁ is pseudorandom, then the round functions in the Feistel network are pseudorandom as Comb _⊕ is a secure combiner for pseudorandom functions. The Luby–Rackoff [24] result now states that a three-round Feistel-network, instantiated with pseudorandom functions, is a pseudorandom permutation. We note that the formal argument also needs to take into account that finding collisions in the keyed version of the initial Comb _∥ computation is infeasible.

Our Comb _4P combiner was recently implemented in an open source project [1].

Preserving $\textsf{\textit{IRO}}$

In Sect. 4 we modify the Comb _4P construction such that it also preserves indifferentiability from a random oracle. The obstruction of the IRO robustness in the Comb _4P combiner stems from the invertibility of the Feistel permutation: an adversary trying to distinguish the output of the combiner from a random function (given access to the underlying hash functions, as opposed to the case of pseudorandom functions for example) can partly “reverse engineer” images under the combiner. Hence, we introduce a “signature” value α _M (depending on the input message M), entering the round functions in the Feistel network and basically allowing combiner computations in the forward direction only.

The description of our enhanced combiner Comb _4P&IRO is given in Fig. 2. The signature α _M is taken as (a prefix of) the XOR of the output halves of the Comb _∥ combiner and is used as additional input parameter in the Feistel round functions, allowing us to also save one round of the Feistel structure. Note that this essentially means that different Feistel permutations may be used for different inputs M,M′, because the signatures α _M,α _M′ may be distinct. In order to apply again the argument that the Feistel permutation does not interfere with the CR,TCR, and MAC robustness of the concatenating combiner, we therefore also need to ensure that finding “bad” pairs α _M and α _M′ is infeasible. To this end we introduce another output branch which basically guarantees collision-resistance of the signatures. This additional is of length 3m for some m=ω(logn), yielding an overall output length of 2n+ω(logn).

Preserving One-Wayness

Even though both our solutions are robust for an important set of properties they are not good combiners for one-wayness. Our results so far merely show that they are one-way functions making for example the potentially stronger assumption that one of the two hash functions is collision-resistant. In Sect. 5 we therefore show how to augment our constructions such that also the one-wayness property is preserved.

By apply a pairwise-independent permutation (PIP) to the input of H ₀ (or H ₁) in the concatenation combiner Comb _∥, we get a construction which still is a combiner for collision-resistance, but now also combines the one-wayness property. Using this extended concatenation combiner in the initial stages of our previous constructions we additionally achieve robustness for one-wayness. As the description length of a PIP is linear in its input length, now the input length of the combiner must be a priory fixed.

Weak vs. Strong Robustness

We call a multi-property combiner strongly robust for a set of properties, if the combined function satisfies every property which is satisfied by at least one hash function, i.e. if H ₀ or H ₁ has property MAC, then so does the combined function, independently of the other properties. All our constructions achieve this strongest notion. We also define weaker notions of multi-property robustness (MPR), which we denote by weak MPR and mild MPR. In the weak case the combiner only inherits a set of multiple properties if they are all provided by at least one hash function (i.e., if there is a strong candidate which has all properties at the same time). Mild MPR combiners are between strong MPR and weak MPR combiners, here we also require that all properties hold, but different hash functions may cover different properties.

We then address several questions related to the different notions of multi-property robustness. In particular, we show that strong MPR is strictly stronger than mild MPR which is strictly stronger than weak MPR. We finally discuss the case of general tree-based combiners for more than two hash functions built out of combiners for two hash functions, as suggested in a more general setting by Harnik et al. [18]. As part of this result we show that such tree-combiners inherit the weakly and strongly MPR property of two-function combiners, whereas mildly MPR two-function combiners surprisingly do not propagate their security to trees.

Organization

We start by defining the three notions of robust multi-property combiners and give definitions of the security properties considered in Sect. 2. In Sect. 3 we present the construction of our most efficient MPR combiner that is robust for CR, TCR, PRF, and MAC according to our strongest notion. A combiner which additionally preserves the IRO property, slightly increasing the output length and computational costs, is then discussed in Sect. 4. In Sect. 5 we show that a twist on our combiners also makes them robust for one-wayness (but at the price of a fixed input length). In Sect. 6 we prove separations for the different notions of multi-property robustness. We address the problem of composing more than just two hash functions in Sect. 7.

2 Preliminaries

We denote by {0,1}ⁿ the set of bit-strings x of length |x|=n, and 1ⁿ stands for n in unary encoding, i.e., the string that consist of n ones. For two strings x,y we write x∥y for the concatenation and x⊕y for the bitwise exclusive-or of x and y. For the latter we assume that x and y have equal length.

An adversary $\mathcal{A} $ is a probabilistic algorithm. We write $\mathcal{A} ^{\mathcal {O}}(y)$ for an adversary that runs on input y and has oracle access to $\mathcal {O}$. The shorthand x←X denotes that x is sampled from the random variable X. Similarly we write $x \leftarrow \mathcal{A} (y)$ for the output of $\mathcal{A} $ for input y. We say an adversary is efficient if it runs in polynomial-time. That is, if there exists a polynomial p(n) such that $\mathcal{A} $ takes at most p(n) steps where n is the length of the input.

2.1 Hash Functions and Their Properties

A hash function $\mathcal {H} =( \mathsf {HKGen} , \mathsf {H} )$ is a pair of efficient algorithms such that HKGen for input 1ⁿ returns (the description of) a hash function H (which contains 1ⁿ), and H for input H and M∈{0,1}^∗ deterministically outputs a digest H(M). We often identify the hash function with its digest values H(⋅) if the key generation algorithm is clear from the context.

In this work we consider the following six important security properties for hash functions (cf. [5]): the unkeyed properties of (target) collision-resistance and one-wayness and the keyed properties of being a pseudorandom function or a message authentication code. The final property—indifferentiability from a random oracle—is special, as one considers idealized components. In particular, there is no efficient key-generation algorithm, but rather the hash function is given directly by an oracle.

Depending on the security property we are interested in, the access of the adversary to the hash function is modeled differently. For unkeyed primitives, the description of H is given to the adversary, whereas for keyed primitives the adversary only gets black-box access to the hash function. We could also consider a somewhat more general notion, where the key-generation algorithm outputs a pair H ^p, H ^s of values, which together define the hash function H, and where in the keyed setting, only H ^s (but not H ^p) is kept secret. For example in the HMAC construction, H ^p would define the underlying compression function, and the secret key H ^s would be the randomly chosen initial value IV. All our results also hold in this setting, but we avoid using such a fine-grained definition as to save on notation which would only distract from the main ideas.

Collision resistance (CR)::

Informally, collision-resistance of a hash function H requires that it should be infeasible to find two distinct messages M≠M′ that map under H to the same value H(M)=H(M′). For the formal treatment we consider families of hash functions and call a hash function collision-resistant if for any efficient adversary $\mathcal{A} $ the advantage

is negligible (as a function of n).

Target collision-resistance (TCR)::

Target collision-resistance is a weaker security notion than collision-resistance which obliges the adversary to first commit to a target message M before getting the description H←HKGen(1ⁿ) of the hash function. For the given H the adversary must then find a second message M′≠M such that H(M)=H(M′).

More formally, a hash function is target collision-resistant if for any efficient adversary $\mathcal{A} =( \mathcal{A} ^{1}, \mathcal {A} ^{2})$ the following advantage is negligible in n:

One-wayness (OW)::

The definition of one-wayness intuitively requires that it is infeasible to determine the preimage of a hash value. A hash function is called one-way, if for any efficient algorithm $\mathcal{A} $ the advantage

is negligible in n.

Pseudorandomness (PRF)::

A hash function can be used as a pseudorandom function if, e.g., the initial value IV is replaced by a randomly chosen key K of the same size. We capture such a keyed setting by granting the adversary only black-box access to the (randomly chosen) hash function H(⋅). The hash function is then called pseudorandom, if no efficient adversary can distinguish H from a uniformly random function f (with the same range and same domain) with noticeable advantage. More formally, we require that for any efficient adversary $\mathcal{A} $ the advantage

$$\mathbf{Adv}^{\text{prf}}_ \mathcal{A} (n) = \bigl \vert \operatorname{Prob}\bigl[{ \mathcal {A} ^{H(\cdot)} \bigl(1^n\bigr) = 1}\bigr] - \operatorname{Prob}\bigl[{ \mathcal{A} ^f\bigl(1^n \bigr)=1}\bigr] \bigr\vert $$

is negligible, where the probability in the first case is over $\mathcal{A} $’s coin tosses and the choice of H←HKGen(1ⁿ), and in the second case over $\mathcal{A} $’s coin tosses and the choice of the random function f:{0,1}^∗→{0,1}ⁿ.

Message authentication (MAC)::

A message authentication code is a symmetric primitive which allows a sender and receiver, both sharing a secret, to exchange information in an authenticated manner. When a hash function is used as a MAC, the description H←HKGen(1ⁿ) constitutes the shared secret, and the sender augments a message M by the tag τ←H(M). The receiver of (M,τ) then verifies whether τ=H(M) holds.

A MAC is considered secure, if it is unforgeable under chosen message attacks, i.e., an adversary after adaptively learning several tags (M ₁,τ ₁),(M ₂,τ ₂),…,(M _q,τ _q) should not be able to compute a forgery for a fresh message M ^∗. Note that the adversary has again only oracle access to H(⋅). More compactly, a hash function is called a secure MAC, if for any efficient adversary $\mathcal{A} $ the following advantage is negligible in n:

Indifferentiability from random oracles (IRO)::

Indifferentiability [25] is a generalization of indistinguishability allowing to consider random oracles that are used as a public component. More formally, a hash function H ^f based on a random oracle f is indifferentiable from a random oracle $\mathcal {F} $ if for any efficient adversary $\mathcal{A} $ there exists an efficient algorithm $\mathcal {S} $ such that the advantage

is negligible in n, where the probability in the first case is over $\mathcal{A} $’s coin tosses and the choice of the random function f, and in the second case over the coin tosses of $\mathcal{A} $ and $\mathcal {S} $, and over the choice of $\mathcal {F} $.

Thus, the goal of the simulator $\mathcal {S} ^{ \mathcal {F} }$ is to mimic the ideal compression function f, such that no adversary $\mathcal{A} $ can decide whether its interacting with H ^f and f or with $\mathcal {F} $ and $\mathcal {S} ^{ \mathcal {F} }$. To this end, $\mathcal {S} ^{ \mathcal {F} }$ has to produce output that is random but consistent with the values the adversary can obtain from the random oracle $\mathcal {F} $. Note that the simulator has oracle access to $\mathcal {F} $ too, but it does not get to see the queries $\mathcal{A} $ issues to $\mathcal {F} $.

2.2 Robust Multi-Property Hash Combiners

A hash function combiner $\mathcal {C} =( \mathsf {CKGen} , \mathsf {Comb} )$ for some security property P is a pair of algorithms which, when instantiated with two hash functions $\mathcal {H} _{0}, \mathcal {H} _{1}$, itself implements a hash function, such that the combined function satisfies P if at least one of the two candidates satisfies P.

For multiple properties prop={P ₁,P ₂,…,P _N} one can either demand that the combiner inherits the properties if one of the candidate hash functions is strong and has all the properties (weakly robust), or that for each property at least one of the two hash functions has the property (strongly robust). We also consider a notion in between but somewhat closer to the weak case, called mildly robust, in which case all properties from prop must hold, albeit different functions may cover different properties (instead of one function as in the case of weakly robust combiners).^{Footnote 2} In the following, we denote by $\textsc {prop} ( \mathcal {H} )\subseteq \textsc {prop} $ for a set prop={P ₁,P ₂,…,P _N} the properties which a hash function $\mathcal {H} $ has.

More formally,

Definition 2.1

(Multi-property robustness)

For a set prop={P ₁,P ₂,…,P _N} of properties a hash function combiner $\mathcal {C} =( \mathsf {CKGen} , \mathsf {Comb} )$ for hash functions $\mathcal {H} _{0}, \mathcal {H} _{1}$ is called:

weakly multi-property robust (wMPR) for prop iff
$$\textsc {prop} = \textsc {prop} ( \mathcal {H} _0)\text{ or } \textsc {prop} = \textsc {prop} ( \mathcal {H} _1) \quad\Longrightarrow\quad \textsc {prop} = \textsc {prop} ( \mathcal {C} ), $$
mildly multi-property robust (mMPR) for prop iff
$$\textsc {prop} = \textsc {prop} ( \mathcal {H} _0)\cup \textsc {prop} ( \mathcal {H} _1) \quad\Longrightarrow \quad \textsc {prop} = \textsc {prop} ( \mathcal {C} ), $$
strongly multi-property robust (sMPR) for prop iff for all P _i∈prop,
$$\mathsf {P} _i\in \textsc {prop} ( \mathcal {H} _0)\cup \textsc {prop} ( \mathcal {H} _1) \quad\Longrightarrow\quad \mathsf {P} _i\in \textsc {prop} ( \mathcal {C} ). $$

We remark that for weak and mild robustness all individual properties P ₁,P ₂,…,P _N from prop are guaranteed to hold, either by a single function as in weak robustness, or possibly by different functions as in mild robustness. The combiner may therefore depend on some strong property P _i∈prop which one of the hash functions has, and which helps to implement some other property P _j in the combined hash function. But then, for a subset prop′⊆prop which, for instance, misses this strong property P _i, the combiner may no longer preserve the properties prop′. This is in contrast to strongly robust combiners which support such subsets of properties by definition.

Note that for a singleton prop={P} all notions coincide and we simply say that $\mathcal {C} $ is P-robust in this case. However, for two or more properties the notions become strictly stronger from weak to mild to strong, as we show in Sect. 6. Finally, we remark that our definition allows the case $\mathcal {H} _{0}= \mathcal {H} _{1}$, which may require some care when designing combiners, especially if the hash functions are based on random oracles.

3 The $\mathcal {C} _{4 \mathsf {P} } $ Combiner for CR, PRF, TCR, and MAC

In this section we introduce the construction of our basic combiner $\mathcal {C} _{4 \mathsf {P} } $ as illustrated in Fig. 1. Recall that the idea of this combiner is to apply a Feistel permutation (with quasi-independent round functions given by the XOR combiner) to the concatenating combiner to ensure CR, PRF, TCR, and MAC robustness.

3.1 Our Construction

The three-round Feistel permutation P ³ over {0,1}²ⁿ is given by the round functions $H^{i}_{\oplus}(\cdot)=H^{i}_{0}(\cdot)\oplus H_{1}^{i}(\cdot)$ for i=2,3, with $H_{b}^{i}(\cdot)$ denoting the function H _b(〈i〉₂∥⋅) where 〈i〉₂ is the binary representation of the integer i with two bits. The first round function is the identity function, which we denote for notational convenience as $H^{1}_{\oplus}(X) = X$. In the ith round the input (L _i,R _i) is mapped to the output $(R_{i},L_{i}\oplus H^{i}_{\oplus}(R_{i}))$. We occasionally denote this Feistel permutation more explicitly by $P^{3}=\psi[H^{1}_{\oplus},H^{2}_{\oplus},H^{3}_{\oplus}](\cdot)$.

Our combiner, instantiated with hash functions $\mathcal {H} _{0}, \mathcal {H} _{1}$, is a pair of efficient algorithms $\mathcal {C} _{4 \mathsf {P} }=( \mathsf {CKGen} _{4 \mathsf {P} }, \mathsf {Comb} _{{4 \mathsf {P} }})$ where the key generation algorithm CKGen _4P(1ⁿ) samples H ₀←HKGen ₀(1ⁿ) and H ₁←HKGen ₁(1ⁿ). The evaluation algorithm $\mathsf {Comb} _{{4 \mathsf {P} }}^{H_{0},H_{1}}$ for parameters H ₀,H ₁ and input message M outputs

$$\mathsf {Comb} ^{H_0,H_1}_{4 \mathsf {P} }(M) = P^3 \bigl(H_0^0(M) \|H_1^0(M) \bigr). $$

3.2 Multi-Property Robustness

We next show that the construction satisfies the strongest notion for robust multi-property combiners:

Theorem 3.1

The combiner $\mathcal {C} _{4 \mathsf {P} }$ is a strongly robust multi-property combiner for $\textsc {prop} =\{\textsf{\textit{CR}},\textsf{\textit{PRF}},\textsf{\textit{TCR}},\textsf{\textit{MAC}}\}$.

Recall that a strongly robust multi-property combiner inherits all properties that are provided by at least one of the underlying hash functions. Thus, we have to prove that each property CR,PRF,TCR and MAC is preserved independently.

Lemma 3.2

The combiner $\mathcal {C} _{4 \mathsf {P} }$ is $\textsf{\textit{CR}}$-robust.

Proof

Observe that any collision M≠M′ for $\mathsf {Comb} ^{H_{0},H_{1}}_{4 \mathsf {P} }(\cdot)$ directly gives a collision 00∥M≠00∥M′ for H ₀(⋅) and H ₁(⋅). Thus any adversary that finds collisions for Comb _4P when instantiated with H ₀,H ₁ with non-negligible probability, can be used to find collision (with the same probability) for H ₀ and H ₁ respectively: to find a collision for H _b←HKGen _b(1ⁿ) with b∈{0,1}, run $H_{\overline{b}} \leftarrow \mathsf {HKGen} _{\overline{b}}(1^{n})$ and then invoke the adversary on input $H_{b},H_{\overline{b}}$. If the adversary outputs a collision for $\mathsf {Comb} ^{H_{0},H_{1}}_{4 \mathsf {P} }(\cdot)$, this is also a collision for H _b(⋅). □

Lemma 3.3

The combiner $\mathcal {C} _{4 \mathsf {P} }$ is $\textsf{\textit{TCR}}$-robust.

Proof

Assume towards contradiction that there exist an efficient adversary $\mathcal{A} _{ \mathsf {Comb} } = ( \mathcal{A} ^{1}_{ \mathsf {Comb} },\allowbreak \mathcal{A} ^{2}_{ \mathsf {Comb} })$ that commits to a message M before getting H ₀ and H ₁ and then finds some M′ such that $\mathsf {Comb} ^{H_{0},H_{1}}_{4 \mathsf {P} }(M) = \mathsf {Comb} ^{H_{0},H_{1}}_{4 \mathsf {P} }(M')$ with noticeable probability. Then we can use this attacker to construct a successful target-collision adversary $\mathcal{A} _{b} = ( \mathcal{A} ^{1}_{b}, \mathcal{A} ^{2}_{b})$ against the underlying hash functions H _b for b∈{0,1}, which contradicts the assumption that at least one of the two hash functions is target collision-resistant.

First, the adversary $\mathcal{A} ^{1}_{b}(1^{n})$ runs $\mathcal{A} ^{1}_{ \mathsf {Comb} }(1^{n})$ to receive the target message M and some state information st. $\mathcal{A} ^{1}_{b}$ then commits to 00∥M. On input H _b the adversary $\mathcal{A} ^{2}_{b}$ samples the second hash function $H_{\overline{b}} \leftarrow \mathsf {HKGen} _{\overline{b}}(1^{n})$ and passes $H_{b}, H_{\overline{b}}$ together with (M,st) to $\mathcal{A} ^{2}_{ \mathsf {Comb} }$. When $\mathcal{A} ^{2}_{ \mathsf {Comb} }$ outputs a message M′≠M with $\mathsf {Comb} ^{H_{0},H_{1}}_{4 \mathsf {P} }(M) = \mathsf {Comb} ^{H_{0},H_{1}}_{4 \mathsf {P} }(M')$ the adversary $\mathcal {A} ^{2}_{b}$ returns 00∥M′.

Since P ³(⋅) is an invertible permutation, a collision of M,M′ for the combiner can be traced back to the input of P ³(⋅) and thus we have

$$H_0(00\|M) \|H_1(00\|M) = \allowbreak H_0 \bigl(00\|M'\bigr) \| H_1 \bigl(00\|M'\bigr). $$

Hence, both adversaries $\mathcal{A} _{b}$ for b=0,1 succeed in finding a message 00∥M′ that together with the target message 00∥M leads to a collision under H _b with the same noticeable probability as $\mathcal{A} _{ \mathsf {Comb} }$. □

Lemma 3.4

The combiner $\mathcal {C} _{4 \mathsf {P} }$ is $\textsf{\textit{PRF}}$-robust.

Proof

As the XOR combiner is a good combiner for pseudorandom functions (PRFs), the round functions $H^{2}_{\oplus},H^{3}_{\oplus}$ in the Feistel network are instantiated with PRFs, as long as at least H ₀ or H ₁ is a PRF. Prepending the unique prefix 〈i〉₂ for i=2,3 to the input of $H^{i}_{\oplus}(\cdot)=H_{\oplus}(\langle i\rangle_{2}\| \cdot)$ in each round ensures that the functions in different rounds are never invoked on the same input, which means they are indistinguishable from two independent random functions. The first round of our Feistel permutation, which does not apply a round function, simply prepares the input for the second round function $H_{\oplus}^{2}(\cdot)$ by xor-ing both input halves $H_{0}^{0}(M) \oplus H_{1}^{0}(M)$. Thus, if at least one hash function is a PRF then the input to the second round function is already a pseudorandom value, which prevents an adversary from directly choosing the inputs to the second Feistel round.

We can now apply the results due to Luby–Rackoff [24] and Naor–Reingold [26] which state that a two-round Feistel-network invoked on an unpredictable input and instantiated with independent pseudorandom functions is a pseudorandom permutation (PRP).

Further, if either H ₀ or H ₁ is a PRF, then the initial concatenation combiner $\mathsf {Comb} ^{H_{0},H_{1}}_{\|}$ is weakly collision-resistant,^{Footnote 3} thus the probability that the adversary will invoke the combiner on distinct inputs M,M′ where a collision $H^{0}_{0}(M)\|H^{0}_{1}(M)=H^{0}_{0}(M')\|H^{0}_{1}(M')$ occurs, is negligible. So with overwhelming probability, all the adversary sees is the output of a PRP on distinct inputs. This distribution is indistinguishable from uniformly random (this follows from the PRP/PRF switching lemma [8]), thus $\mathcal {C} _{4 \mathsf {P} }$ is PRF robust.

More precisely, from any adversary $\mathcal{A} _{ \mathsf {Comb} }$ who has advantage ϵ in distinguishing $\mathsf {Comb} ^{H_{0},H_{1}}_{4 \mathsf {P} }$ making q queries, we can construct an attacker $\mathcal{A} _{b}$, for b∈{0,1}, that distinguishes H _b←HKGen _b(1ⁿ) from random with advantage $\epsilon-\mathcal{O}(q^{2}/2^{n})$. For b=0 (the case b=1 is symmetric) the adversary $\mathcal{A} _{0}$ first samples H ₁←HKGen ₁(1ⁿ) and then simulates the experiment of $\mathcal{A} _{ \mathsf {Comb} }$ using this knowledge of H ₁ and its oracle access to H ₀. Finally, $\mathcal{A} _{0}$ returns the output of $\mathcal{A} _{ \mathsf {Comb} }$. If H ₀ is a uniformly random function f:{0,1}^∗→{0,1}ⁿ, then any (even computationally unbounded) adversary making q queries has advantage at most $\mathcal{O}(q^{2}/2^{n})$ in distinguishing $\mathsf {Comb} ^{f,H_{1}}_{4 \mathsf {P} }$ from a random function (as the advantage from the PRP/PRF switching lemma and the advantage in the Luby–Rackoff result are both $\mathcal {O}(q^{2}/2^{n})$). Thus, if $\mathcal{A} _{ \mathsf {Comb} }$ distinguishes $\mathsf {Comb} ^{H_{0},H_{1}}_{4 \mathsf {P} }$ from a truly random function F:{0,1}^∗→{0,1}²ⁿ with advantage ϵ, it has advantage $\epsilon-\mathcal{O}(q^{2}/2^{n})$ to distinguish $\mathsf {Comb} ^{H_{0},H_{1}} _{4 \mathsf {P} }$ from $\mathsf {Comb} ^{f,H_{1}}_{4 \mathsf {P} }$. The latter is by definition also $\mathcal{A} _{0}$’s advantage for f and H ₀. □

Lemma 3.5

The combiner $\mathcal {C} _{4 \mathsf {P} }$ is $\textsf{\textit{MAC}}$-robust.

Proof

Assume towards contradiction that an adversary $\mathcal{A} _{ \mathsf {Comb} }$ with oracle access to the combiner $\mathsf {Comb} ^{H_{0},H_{1}}_{4 \mathsf {P} }(\cdot)$ finds with non-negligible probability a valid pair (M,τ), such that $\tau= \mathsf {Comb} ^{H_{0},H_{1}}_{4 \mathsf {P} }(M)$ but the message M was never queried to the MAC-oracle. Given $\mathcal{A} _{ \mathsf {Comb} }$ we can construct a successful adversary $\mathcal{A} _{b}$ against the underlying hash function H _b for b∈{0,1}. To forge H _b(⋅), the adversary $\mathcal {A} _{b}$ first samples $H_{\overline{b}} \leftarrow \mathsf {HKGen} _{\overline{b}}(1^{n})$, and then lets $\mathcal{A} _{ \mathsf {Comb} }$ attack $\mathsf {Comb} ^{H_{0},H_{1}}_{4 \mathsf {P} }(\cdot)$, and let $\mathcal{A} _{b}$ use his oracle access to H _b(⋅) and the knowledge of $H_{\overline{b}}$ to compute the answers to $\mathcal{A} _{ \mathsf {Comb} }$’s oracle queries. When finally $\mathcal{A} _{ \mathsf {Comb} }$ outputs (M,τ), the adversary $\mathcal{A} _{b}$ computes its forgery (00∥M,τ _b) by inverting the permutation $P^{3} = \psi[H^{1}_{\oplus},H^{2}_{\oplus},H^{3}_{\oplus}]$ (recall that $H^{i}_{\oplus}(\cdot) = H_{0}(\langle i\rangle_{2}\|\cdot) \oplus H_{1}(\langle i\rangle_{2}\|\cdot)$ for i=2,3 and that the required hash function evaluations can be made with the help of the MAC oracle):

$$\tau_0 \|\tau_1={P^3}^{-1}( \tau). $$

The adversary $\mathcal{A} _{b}$ then outputs the message 00∥M and τ _b. If M was not previously queried by $\mathcal{A} _{ \mathcal {C} }$, then 00∥M is distinct from all of $\mathcal{A} _{b}$’s previous queries, because all additional queries are prepended by 〈i〉₂ where i∈{2,3}. By construction, if (M,τ) is a valid forgery for $\mathsf {Comb} ^{H_{0},H_{1}}_{4 \mathsf {P} }(\cdot)$, then $H^{0}_{0}(M) \|H^{0}_{1}(M) = \tau_{0} \| \tau_{1}$ and thus (00∥M,τ _b) is a valid forgery for H _b(⋅). □

4 Preserving Indifferentiability: The $\mathcal {C} _{4 \mathsf {P} \&\textsf {IRO}} $ Combiner

First, we give a brief idea why our $\mathcal {C} _{4 \mathsf {P} }$ combiner does not guarantee the IRO property. To be IRO-robust the combiner has to be indifferentiable from a random oracle for any efficient adversary $\mathcal{A} $, if H _b is a random oracle for some b∈{0,1}. Thereby the adversary $\mathcal{A} $ has oracle access either to the combiner $\mathsf {Comb} ^{H_{0},H_{1}}_{4 \mathsf {P} }$ and the random oracle H _b, or to $\mathcal {F} $ and a simulator $\mathcal {S} ^{ \mathcal {F} }$. The simulator’s goal is to mimic H _b such that $\mathcal{A} $ cannot have a significant advantage on deciding whether its interacting with $\mathsf {Comb} ^{H_{0},H_{1}}_{4 \mathsf {P} }$ and H _b, or with $\mathcal {F} $ and $S^{ \mathcal {F} }$.

Usually, the strategy for designing such a simulator is to check if a query is a potential attempt of $\mathcal{A} $ to imitate the construction of the combiner and then to precompute further answers that are consistent with the information $\mathcal{A} $ can get from $\mathcal {F} $. However, for $\mathsf {Comb} ^{H_{0},H_{1}}_{4 \mathsf {P} }$ the simulator may be unable to precompute those consistent values, because an adversary $\mathcal{A} $ can compute the permutation part of the combiner backwards such that $\mathcal {S} ^{ \mathcal {F} }$ has to commit to its round values used in the permutation P ³ before knowing the initial input M. To this end, $\mathcal{A} $ first queries the random oracle $\mathcal {F} $ on input M and uses the response $Y \leftarrow \mathcal {F} (M)$ to compute X=P ³ ⁻¹(Y) with the help of $\mathcal {S} ^{ \mathcal {F} }$ simulating H _b and the function $H_{\overline{b}}$, which is accessible in a black-box manner. Then the answers of $\mathcal {S} ^{ \mathcal {F} }$, in order to be indistinguishable from those of H _b, must lead to a value X=S(00∥M)∥H ₁(00∥M) if b=0, and X=H ₀(00∥M)∥S(00∥M) else.

While the part of X corresponding to S(00∥M) can simply be set as response to a further query 00∥M by the simulator, the part of $H_{\overline{b}}(00 \|M)$ is determined by the oracle $H_{\overline{b}}(\cdot)$ and the message M. However, since the simulator does not know the message M when answering $\mathcal{A} $’s queries for computing P ³ ⁻¹, it is not able to call the $H_{\overline{b}}$ oracle about 00∥M and to choose those answers accordingly. Thus, the probability that the responses provided by $\mathcal {S} ^{ \mathcal {F} }$ will lead in P ³ ⁻¹(Y) to a value that is consistent with the structure of the combiner, is negligible and the adversary $\mathcal{A} $ can distinguish between $( \mathsf {Comb} ^{H_{0},H_{1}}_{4 \mathsf {P} }, H_{b})$ and $( \mathcal {F} , \mathcal {S} ^{ \mathcal {F} })$ with noticeable probability.

In order to guarantee the IRO property, we modify the $\mathsf {Comb} ^{H_{0},H_{1}}_{4 \mathsf {P} }$ combiner such that the adversary is forced to query the message M before he can create meaningful queries aiming to imitate the construction. By this the simulator becomes able to switch to the common strategy of preparing consistent answers in advance. As explained in the introduction, adding a signature value α _M into the computation does the job.

4.1 The Combiner $\mathcal {C} _{4 \mathsf {P} \&\textsf {IRO}} $

In this section we consider the modified combiner $\mathcal {C} _{4 \mathsf {P} \&\textsf {IRO}} $ as illustrated in Fig. 2. The combiner $\mathcal {C} _{4 \mathsf {P} \&\textsf {IRO}} =( \mathsf {CKGen} _{4 \mathsf {P} \&\textsf {IRO}} , \mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} )$ is defined as follows: CKGen _4P&IRO first samples H ₀←HKGen ₀(1ⁿ),H ₁←HKGen ₁(1ⁿ) and a pairwise independent function g:{0,1}^m→{0,1}^3m for some m≤n/3 (the larger m, the better the security level, but the longer the output, too):

Definition 4.1

(Pairwise-independent function/permutation)

A family of functions G:A→B from domain A to range B is called pairwise independent iff for all x≠x′∈A and z≠z′∈B we have Prob_g∈G[g(x)=z∧g(x′)=z′]=|B|⁻².

A family of function Π:A→A is a pairwise independent permutation, if for x≠x′ and z≠z′∈A we have $\mathrm{Prob}_{g\in G}[g(x)=z\wedge g(x')=z']=\frac {1}{|B|(|B|-1)}$.

One gets a simple construction of a pairwise independent function (PIF) mapping {0,1}ⁿ to {0,1}ⁿ, by sampling a,b∈{0,1}ⁿ at random, which then defines the function g _(a,b)(x)=(ax+b), where addition and multiplication are in the field GF(2ⁿ). For a smaller range {0,1}^m with m<n, one can simply drop n−m bits of the output. This construction is also a pairwise-independent permutation (PIP), if a is chosen at random from {0,1}ⁿ∖0ⁿ (instead of {0,1}ⁿ).

The evaluation algorithm $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}(M)$ first computes $\mathsf {Comb} ^{H_{0},H_{1}}_{\|}(M)= \allowbreak H_{0}^{0}(M) \|\allowbreak H_{1}^{0}(M)$ and a value α _M—which we call the “signature of M”—as $\alpha_{M}=\mathit {lsb}_{m}(H^{0}_{\oplus}(M))$ where $H^{0}_{\oplus}(M) = H_{0}^{0}(M) \oplus H_{1}^{0}(M)$ and lsb _a(x) denotes the a least significant bits of x. The value α _M is used as an extra prefix in the round functions of the two-round Feistel permutation $P^{2}_{\alpha}(\cdot) = \psi[H^{1}_{\oplus}(\alpha_{M}\|\cdot),H_{\oplus}^{2}(\alpha_{M}\|\cdot )]$. Applying $P^{2}_{\alpha}$ on $H_{0}^{0}(M) \|H_{1}^{0}(M)$ then gives the first part of the combiners output.

The construction as described so far, is already a robust combiner for IRO and PRF, but not for CR and TCR. The reason is that now distinct input messages M,M′ where α _M≠α _M′ lead to distinct Feistel permutations $P^{2}_{\alpha _{M}}\neq P^{2}_{\alpha_{M'}}$, and thus we cannot compute a collision for $\mathsf {Comb} ^{H_{0},H_{1}}$ (and thus for H ₀ and H ₁) from a collision $\mathsf {Comb} ^{H_{0},H_{1}}_{\|}(P^{2}_{\alpha_{M}}(M))= \mathsf {Comb} ^{H_{0},H_{1} }_{\|}(P^{2}_{\alpha_{M}'}(M'))$.

To solve this problem, we could append the signature to the output of the combiner, which would enforce that two inputs can only collide if they have the same signature. Unfortunately, outputting the signature α directly would make the permutation $P^{2}_{\alpha}$ invertible, and ruin the IRO robustness of our construction again. This is why we only output a “blinded” version of the signature computed as $\mathit{lsb}_{3m}(H^{3}_{\oplus}(\alpha_{M}))\oplus g(\alpha_{M})$. This way the signature α _M gets not leaked when H ₀ or H ₁ is a random oracle, which is necessary for the combiner to be IRO robust. Moreover with high probability (over the choice of the pairwise-independent function g) the blinding, which maps {0,1}^m to {0,1}^3m, will be injective (i.e., contain no collisions), which as explained before is necessary to get robustness for CR and TCR.

Overall, the combiner—as illustrated in Fig. 2—computes for input message M and its corresponding signature $\alpha_{M}=\mathit {lsb}_{m}(H^{0}_{\oplus}(M))$ the following output:

$$\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_0,H_1,g}(M) = P^2_{\alpha} \bigl(H_0^0(M) \| H_1^0(M)\bigr) \parallel \mathit{lsb}_{3m} \bigl(H^3_\oplus(\alpha_M)\bigr)\oplus g(\alpha_M). $$

4.2 $\mathcal {C} _{4 \mathsf {P} \&\textsf {IRO}} $ is IRO-Robust

We show that our combiner is indifferentiable from a random oracle when instantiated with two functions H ₀,H ₁, where one of them is a random oracle (we refer to it as H _b,b∈{0,1}), and the other function $H_{\overline{b}}$ is arbitrary.^{Footnote 4} Like the random oracle H _b, also $H_{\overline{b}}$ is given as an oracle and accessible by all parties. The pairwise independent function g that comes up in this construction is only needed to prove that $\mathcal {C} _{4 \mathsf {P} \&\textsf {IRO}} $ still preserves the CR and TCR properties; for the IRO property this function can be arbitrary.

Lemma 4.2

The combiner $\mathcal {C} _{4 \mathsf {P} \&\textsf {IRO}} $ is $\textsf{\textit{IRO}}$-robust.

Remark

Note that the security of Comb _4P&IRO as a random oracle combiner depends on m, and thus on the output length, which is 2n+3m. This can be slightly improved to 2n+2m+m′ for some m′<m (by simply replacing 3m with 2m+m′ in Fig. 2), though m′ should not be too small, as $\mathcal {C} _{4 \mathsf {P} \&\textsf {IRO}} $ is a good combiner for the CR and TCR with probability 2^−m′ (this probability is over the choice of the PIF, as we explain later in Sect. 4.3).

Proof

For the proof we assume that b=0, i.e., the hash function H ₀:{0,1}^∗→{0,1}ⁿ is a random oracle. The case b=1 is proved analogously. The adversary $\mathcal{A} $ has then access either to the combiner Comb _4P&IRO and H ₀ or to a random oracle $\mathcal {F} : \{0,1\} ^{*} \rightarrow \{0,1\} ^{2n+3m}$ and a simulator $\mathcal {S} ^{ \mathcal {F} }$. Our combiner is indifferentiable from a random oracle $\mathcal {F} $ if there exists a simulator $\mathcal {S} ^{ \mathcal {F} }$, such that the adversary $\mathcal{A} $ can distinguish between Comb _4P&IRO, H ₀ and $\mathcal {F} , \mathcal {S} ^{ \mathcal {F} }$ only with negligible probability. The proof consists of two parts: we first provide the description of our simulator $\mathcal {S} ^{ \mathcal {F} }$ and then we show that $\mathcal{A} $ has only negligible advantage in distinguishing the ideal setting (with $\mathcal {S} ^{ \mathcal {F} }$) and the real setting.

The simulator keeps as state the function table of a (partially defined) function $\hat{H}_{0}: \{0,1\} ^{*}\rightarrow \{0,1\} ^{n}$, which initially is empty, i.e., $\hat{H}_{0}(X)=\bot$ for all X. We define $\hat{H}_{0}^{i}(M)=\hat{H}_{0}(\langle i \rangle_{2} \|M)$ to mimic the notion used in Fig. 2. The goal of $\mathcal {S} ^{ \mathcal {F} }$ is to define $\hat{H}_{0}$ in such a way that, from $\mathcal{A} $’s point of view, $( \mathcal {F} ,\hat{H}_{0})$ look like $( \mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g},H_{0})$, i.e., the output of $\hat{H}_{0}$ has to be random and consistent with what the distinguisher can obtain from $\mathcal {F} $. Therefore, our simulator $\mathcal {S} ^{ \mathcal {F} }$ parses each query X it is invoked on as X=〈i〉₂∥M and proceeds as follows:

Whenever $\mathcal {S} ^{ \mathcal {F} }$ is invoked on a query X where $\hat{H}_{0}(X)\neq\bot$, $\mathcal {S} ^{ \mathcal {F} }$ simply outputs $\hat{H}_{0}(M)$. Thus from now on we only consider queries X where $\hat{H}_{0}(X)=\bot$. In this case, $\mathcal {S} ^{ \mathcal {F} }$ will define the output of $\hat{H}_{0}(X)$, and in some cases also on some additional inputs. On a query X=〈i〉₂∥M where $\hat {H}_{0}^{i}(M)=\bot$ and i≠0, the simulator samples a random Y∈{0,1}ⁿ, sets $\hat{H}_{0}^{i}(M)=Y$ and outputs Y.

The interesting queries are the queries of the form X=〈0〉₂∥M, which could be an attempt of $\mathcal{A} $ to simulate the construction of the combiner, such that the simulator has to compute in addition consistent answers to potential subsequent queries of $\mathcal{A} $. The simulator starts by sampling a random y ₀∈{0,1}ⁿ and sets $\hat{H}_{0}^{0}(M)=y_{0}$. To define the “signature” α _M of M, $\mathcal {S} ^{ \mathcal {F} }$ queries its oracle H ₁ on 〈0〉₂∥M and uses the answer $y_{1} = H^{0}_{1}(M)$ to compute α _M=lsb _m(y ₀⊕y ₁). The simulator then defines the outputs of the intermediate functions $\hat{H}_{0}^{1},\hat{H}_{0}^{2}$ and $\hat {H}_{0}^{3}$ such that $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{\hat{H}_{0},H_{1},g}(M)= \mathcal {F} (M)$. Therefore $\mathcal {S} ^{ \mathcal {F} }$ invokes its random oracle $\mathcal {F} $ on input M and computes the corresponding outputs of $\hat{H}_{0}$ by retracing the combiners construction as defined in the simulators description. Note that this is possible in a unique way, except for the n−3m last bits of $\hat{H}_{0} ^{3}(\alpha_{M})$, which must be chosen uniformly at random.

We now prove that from $\mathcal{A} $’s point of view $( \mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}, H_{0})$ and $( \mathcal {F} , \mathcal {S} ^{ \mathcal {F} })$ are indistinguishable, when making at most q queries to each oracle. To this end we consider a sequence of hybrid games, starting with a game where $\mathcal{A} $ interacts with $( \mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}, H_{0})$ and ending in the ideal setting where the distinguisher has access to $( \mathcal {F} , \mathcal {S} ^{ \mathcal {F} })$. The game structure of this proof is depicted in Fig. 4.

Game 0: The adversary interacts with $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}$ and H ₀.

Game 1: We change the way $\mathcal{A} $’s queries to H ₀ are answered, by giving $\mathcal{A} $ access to an algorithm $\mathcal {S} ^{*}$ instead of direct access to the random oracle. The algorithm $\mathcal {S} ^{*}$ works as our simulator $\mathcal {S} $, except that it queries H ₀ instead of simulating it via lazy sampling, and it calls $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}(M)$ instead of $\mathcal {F} (M)$. Thus, $\mathcal {S} ^{*}$ basically relays all queries of $\mathcal {A} $ to H ₀ but also keeps a table of answered values. For all queries of the form X=〈0〉₂∥M the algorithm additionally precomputes further values as described in Fig. 3 (the lines where $\mathcal {S} ^{*}$ deviates from $\mathcal {S} $ are marked with ⁎). Note that $\mathcal {S} ^{*}$’s answers and stored values are (with one exception) exactly the same as the values one would obtain directly from H ₀. In particular, the values $\mathcal {S} ^{*}$ defines for $\hat{H}_{0} ^{1},\hat{H}_{0}^{2}$ by querying $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}$ are identical to the real values of $H^{1}_{0},H^{2}_{0}$. The only difference occurs when in the precomputations of $\mathcal {S} ^{*}$ a value for $\hat{H}_{0}^{3}(\alpha_{M})$ is set, since only the first 3m bits will equal the value of $H^{3}_{0}(\alpha_{M})$. However, the final n−3m bits are set to random such that also $\hat{H}_{0} ^{3}(\alpha_{M})$ is a truly random string. Thus, the only way for $\mathcal {A} $ to recognize the discrepancy to the real $H^{3}_{0}(\alpha_{M})$ value, is by querying 〈3〉₂∥α _M before sending a query 〈0〉₂∥M that will lead to α _M. We denote this event by Bad ₁. As all signature values α _M that originate from a query to $H^{0}_{0}$ are uniform random values of length m and $\mathcal{A} $ makes at most q queries to its $\mathcal {S} ^{*}$ oracle, this event happens with overall probability at most q ²⋅2^−m. Unless $\mathcal{A} $ provokes Bad ₁, Game 0 and Game 1 are identical (we denote by Game i⇒1 the event that $\mathcal{A} $ outputs 1 in Game i):

Game 2: In our second game we replace the combiner $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}$ with the random oracle $\mathcal {F} $. Due to that change, the algorithm $\mathcal {S} ^{*}$ now obtains $\mathcal {F} (M)$ instead of $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}(M)$ when doing its precomputations. Thus, the additional values that $\mathcal {S} ^{*}$ stores in $\hat{H}_{0}^{i}$ for i∈{1,2,3} when responding to a 〈0〉₂∥M query, are now consistent with $\mathcal {F} (M)$ and thereby with high probability different from the real values of $H^{i}_{0}$ for i∈{1,2,3}. Again, this only matters if $\mathcal{A} $ manages to first issue a query 〈i〉₂∥α _M∥∗ and subsequently invokes $\mathcal {S} ^{*}$ on 〈0〉₂∥M that will lead to α _M. Otherwise, all $\mathcal{A} $ gets to see from $\mathcal {S} ^{*}$ are random and consistent answers. To capture that case where $\mathcal {S} ^{*}$ “fails”, we consider by Bad ₂ the event that the function $\hat{H}_{0}^{i}$ for i∈{1,2} is already defined on any input of the form α _M∥∗ when $\mathcal {S} ^{*}$ wants to set a value in the course of a precomputation. (Note that the case for i=3 is already handled by Bad ₁ in Game 1.) As α _M∈{0,1}^m is uniformly random, the probability that Bad ₂ occurs in the qth query is at most q⋅2^−m (as each $\hat{H}_{0}^{i}$ for i∈{1,2} is defined on at most q−1 inputs). Then the overall probability that Bad ₂ in any of $\mathcal{A} $’s queries happens is at most 2q ²⋅2^−m.

Furthermore, the outputs provided by $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}$ are indistinguishable from $\mathcal {F} $, as long as no collision on the signature values occurs, i.e., M≠M′ but $\alpha_{M} = \alpha_{M}'$ (we omit a formal proof, as it follows the argumentation of Lemma 4.4 closely). Since $\mathcal{A} $ sends at most q queries to $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}$, such a collision occurs with probability at most q ²⋅2^−m. By adding the probabilities of both events we obtain

Game 3: In the final game the adversary interacts with $\mathcal {F} $ and $\mathcal {S} ^{ \mathcal {F} }$. That is, Game 2 and Game 3 only differ in the fact that $\mathcal {S} ^{ \mathcal {F} }$ simulates the random responses from H ₀ by using lazy sampling instead of querying H ₀. Thus, from $\mathcal{A} $’s viewpoint both games are identical:

Overall, we have

Hence, the advantage of $\mathcal{A} $ in distinguishing $( \mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g},H_{0})$ from $( \mathcal {F} , \mathcal {S} ^{ \mathcal {F} })$ is negligible. This proves our claim. □

4.3 $\mathcal {C} _{4 \mathsf {P} \&\textsf {IRO}} $ is Robust for CR,TCR,MAC,PRF

We now prove that, like the $\mathcal {C} _{4 \mathsf {P} } $ combiner, $\mathcal {C} _{4 \mathsf {P} \&\textsf {IRO}} $ also preserves the CR, TCR, MAC, and PRF property in a robust manner.

Lemma 4.3

The combiner $\mathcal {C} _{4 \mathsf {P} \&\textsf {IRO}} $ is $\textsf{\textit{CR}}$- and $\textsf{\textit{TCR}}$-robust.

Proof

We will prove that for any H ₀,H ₁, with probability 1−2^−m over the choice of the pairwise independent function g, any collision for $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}$ is simultaneously a collision for $H^{0}_{0}$ and $H^{0}_{1}$. To this end, let M≠M′ be a collision for $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}$ and let α _M and α _M′ denote their signatures. Let $Y\|Y'= \mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}(M)$ where Y∈{0,1}²ⁿ and Y′∈{0,1}^3m.

If α _M=α _M′, then M,M′ must be a collision for $H^{0}_{0}$ and $H^{0}_{1}$, as we have

$$ H^0_0(M)\|H^0_1(M)= {P^2_{\alpha}}^{-1}(Y) = {P^2_{\alpha'}}^{-1}(Y)= H^0_0\bigl(M'\bigr)\|H^0_1 \bigl(M'\bigr) $$

(1)

and the Feistel permutations $P^{2}_{\alpha},P^{2}_{\alpha'}$ are identical if α _M=α _M′.

For M,M′ where α _M≠α _M′, a collision on the combiner $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}(M)= \mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}(M')$ does not imply (1), and thus will in general not be a collision for H ₀ and H ₁. Yet, as with probability 1−2^−m over the choice of the pairwise independent function g:{0,1}^m→{0,1}^3m, there does not exist a collision M,M′ for $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}$ where α _M≠α _M′. Note that for this it is sufficient to prove that for any two potential signatures α≠α′∈{0,1}^m, we have

$$ \mathit{lsb}_{3m}\bigl(H^3_\oplus(\alpha) \bigr)\oplus g(\alpha)\neq\mathit{lsb}_{3m}\bigl(H^3_\oplus \bigl(\alpha'\bigr)\bigr)\oplus g\bigl(\alpha'\bigr) $$

(2)

as this implies that the final outputs are distinct for any two messages with different signatures. As g is pairwise independent, for any particular α≠α′, Eq. (2) holds with probability 1−2^−3m. Taking the union bound over all 2^m(2^m−1)/2<2^2m distinct values α≠α′, we see that the probability that there exists some α≠α′ not satisfying (2) is at most 2^2m/2^3m=2^−m.

The proof of TCR-robustness follows a similar argumentation. A collision M≠M′ on the combiner implies with overwhelming probability a collision $H^{0}_{0}(M)\| H^{0}_{1}(M) = H^{0}_{0}(M')\|H^{0}_{1}(M')$ on the first evaluation of both hash functions. Thus, given an adversary $\mathcal{A} _{ \mathsf {Comb} }$ against the combiner that commits to a target message M and later outputs a colliding message M′, one can build an adversary $\mathcal{A} _{b}$ against hash function H _b that commits to 00∥M and outputs in the second stage 00∥M′. □

Lemma 4.4

The combiner $\mathcal {C} _{4 \mathsf {P} \&\textsf {IRO}} $ is $\textsf{\textit{PRF}}$-robust.

Remark

To compute the first part of the output, our combiner $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}$ applies a two-round Feistel network, which in general does not preserve the (pseudo)-randomness from an underlying round function $H^{i}_{\oplus}$, because it maps an input (L ₀,R ₀) to (L ₂,R ₂) where $R_{2} = H^{1}_{\oplus}(R_{0}) \oplus L_{0}$ depends only on the given input values. When evaluating the Feistel network with two distinct inputs (L ₀,R ₀) and $(L'_{0},R_{0})$, the difference $L_{0} \oplus L'_{0}$ then propagates to the outputs, i.e., $L_{0} \oplus L'_{0}= R_{2} \oplus R'_{2}$, which can be exploited by an adversary. In our construction we destroy this dependence by prepending the value α _M to the input of each round function, where $\alpha_{M} = \mathit{lsb}_{m}(H^{0}_{\oplus}(M))$ is a uniformly random value if H _b,b∈{0,1} is a uniformly random function. Thus we have $R_{2} = H^{1}_{\oplus}(\alpha_{M} || R_{0}) \oplus L_{0}$ with $L_{0} = H^{0}_{0}(M)$ and $R_{0} = H^{0}_{1}(M)$ such that for two distinct inputs M≠M′, the probability for $R_{2} \oplus R_{2}' = H^{0}_{0}(M) \oplus H^{0}_{0}(M')$ is $\operatorname{Prob}[{\alpha_{M} = \alpha _{M'}}] = 2^{-m}$.

Proof

Assume that the hash function H ₀ is a pseudorandom function, but the combiner $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}$ is not (the proof for H ₁ can be done analogously). Hence, there exists a successful adversary $\mathcal {A} _{ \mathsf {Comb} }$ which can distinguish the construction $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}$ from a truly random function F:{0,1}^∗→{0,1}^2n+3m with non-negligible probability. We show that this allows to construct an adversary $\mathcal{A} _{0}$ that can distinguish H ₀ from a random function f:{0,1}^∗→{0,1}ⁿ.

Algorithm $\mathcal{A} _{0}$ simulates the oracle of $\mathcal{A} _{ \mathsf {Comb} }$, which is either $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}$ or F, with his own oracle and the knowledge of H ₁←HKGen ₁ and g that he samples accordingly. For each query of $\mathcal{A} _{ \mathsf {Comb} }$, the adversary $\mathcal{A} _{0}$ computes an answer by emulating the combiner Comb _4P&IRO using H ₁(⋅),g and his oracle which serves as H ₀.

For the analysis recall that the underlying oracle of $\mathcal{A} _{0}$ is either a random function f or the hash function H ₀(⋅). In the latter case $\mathcal{A} _{0}$ provides outputs that are identically distributed to the values $\mathcal{A} _{ \mathsf {Comb} }$ would obtain from $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}$. Hence, we have

$$\operatorname{Prob}\bigl[{ \mathcal {A} _0^{H_0}\bigl(1^n\bigr)=1}\bigr] = \operatorname{Prob} \bigl[{ \mathcal{A} _ \mathsf {Comb} ^{ \mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_0,H_1,g}}\bigl(1^n\bigr)=1}\bigr] . $$

If the underlying oracle is the random function f, then the computed answers of $\mathcal{A} _{0}$ have to look like a truly random function as well. We show that this is true if, for q queries M ₁…M _q and for all i≠j, we have $\alpha_{M_{i}}\neq \alpha_{M_{j}}$. The probability of this not being the case is at most q ²⋅2^−m, since $\alpha_{M} = \mathit{lsb}_{m}(H^{0}_{\oplus}(M))$ is a random value when H ₀ gets replaced by the random function f.

Hence, with high probability $\mathcal{A} _{0}$ will create for each query M _i of $\mathcal{A} _{ \mathsf {Comb} }$ a fresh signature $\alpha _{M_{i}}$. To analyze the corresponding output of $\mathcal{A} _{0}$ we parse his answer in three parts, namely $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{f,H_{1},g}(M_{i}) = U_{1} \|U_{2} \|U_{3}$ with |U ₁|=|U ₂|=n and |U ₃|=3m. The last part U ₃ results from the computation $\mathit{lsb}_{3m}(f(\langle 3\rangle_{2} \| \alpha_{M_{i}}) \oplus H^{3}_{1}(\alpha_{M_{i}})) \oplus g(\alpha_{M_{i}})$. Since $\alpha_{M_{i}}$ is uniformly distributed and gets extended by the unique prefix 〈3〉₂, the input value of $f(\langle3\rangle_{2} \|\alpha_{M_{i}})$ is distinct from all other queries to f during the $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{f,H_{1},g}(M_{i})$ computation, and hence the corresponding output is an independently and uniformly distributed value. As xor-ing is a good combiner for random functions, the randomness of f gets preserved in the computation of U ₃. For the second part U ₂ we just consider the final calculation, i.e., $U_{2} = f(\langle0\rangle_{2} \|M_{i}) \oplus f(\langle1\rangle_{2} \|\alpha_{M_{i}} \|Y) \oplus H^{1}_{1}(\alpha_{M_{i}} \| Y)$ for some Y∈{0,1}ⁿ. Here we prepend the bits 〈1〉₂ to the random value $\alpha_{M_{i}}$, such that we have again distinct evaluations of f, which gives us uniformly random images. A similar argumentation holds for $U_{1} = Y' \oplus f(\langle2\rangle_{2} \|\alpha_{M_{i}} \|Y'') \oplus H^{2}_{1}(\alpha_{M_{i}} \|Y'')$ for Y′,Y″∈{0,1}ⁿ, where we use the unique prefix 〈2〉₂ when querying f in order to obtain values that are independently and uniformly distributed. Thus, if for all queried messages M _i≠M _j of $\mathcal {A} _{ \mathsf {Comb} }$ there occurs no collision on the signatures, i.e., $\alpha_{M_{i}} \neq\alpha_{M_{j}}$, the values U ₁∥U ₂∥U ₃ are independent random strings.

Overall, the output distribution of $\mathcal {A} _{ \mathsf {Comb} }$ satisfies

$$\operatorname{Prob}\bigl[{ \mathcal {A} ^f_0 \bigl(1^n\bigr)=1}\bigr] \le \operatorname{Prob} \bigl[{ \mathcal{A} ^F_ \mathsf {Comb} \bigl(1^n\bigr) = 1}\bigr] + q^2 \cdot2^{-m}. $$

Thus, the probability that $\mathcal{A} _{0}$ can distinguish H ₀ from f is not negligible, which contradicts the assumption that H ₀ is a pseudorandom function. □

Lemma 4.5

The combiner $\mathcal {C} _{4 \mathsf {P} \&\textsf {IRO}} $ is $\textsf{\textit{MAC}}$-robust.

Proof

The proof is by contradiction. Assume that an adversary $\mathcal{A} _{ \mathsf {Comb} }$ with oracle access to the combiner $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}$ outputs with noticeable probability a valid pair (M,τ) where $\tau= \mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}(M)$ and M is distinct from all previous queries to the MAC-oracle. This allows to construct an adversary $\mathcal{A} _{b}$ against the hash function H _b for b∈{0,1}.

Adversary $\mathcal{A} _{b}$ first samples $H_{\overline {b}} \leftarrow \mathsf {HKGen} _{1}$ that it uses together with its own oracle H _b(⋅) to answer all queries by $\mathcal{A} _{ \mathsf {Comb} }$ in a black-box simulation. When $\mathcal{A} _{ \mathsf {Comb} }$ returns a valid forgery (M,τ), where M≠M ₁,M ₂,…,M _q, the adversary $\mathcal{A} _{b}$ flips a coin c←{0,1} and proceeds as follows:

If c=0, then $\mathcal{A} _{b}$ randomly chooses an index k between 1 and q and looks up the corresponding signature value $\alpha_{M_{k}}$. It then computes $\tau_{0} \|\tau_{1} = {P^{2}_{\alpha}}^{-1}(\mathit{lsb}_{2n}(\tau))$ using $\alpha_{M_{k}}$ and stops with the output (〈0〉₂∥M,τ _b).
If c=1, then $\mathcal{A} _{b}$ queries its oracle about 〈0〉₂∥M to receive an answer y ₀ and computes α _M=y ₀⊕y ₁ with $y_{1} = H^{0}_{1}(M)$. It then calculates the first round of the Feistel permutation, i.e., until the evaluation of $H^{2}_{\oplus}$ where $x = y_{0} \oplus H^{1}_{0}(\alpha_{M} \|y_{1})$ would be used as input to this function. It outputs as forgery the message (〈2〉₂∥α _M∥x) with tag $\tau' = \tau_{b} \oplus H_{\overline{b}}(\langle 2\rangle_{2} \|\alpha_{M} \|x) \oplus y_{1}$ where τ ₀∥τ ₁=lsb _n(τ).

For the analysis we have to consider two cases of a successful adversary $\mathcal{A} _{ \mathsf {Comb} }$. In the first case, $\mathcal{A} _{ \mathsf {Comb} }$ returns a pair (M,τ), such that $\alpha_{M} = \alpha_{M_{j}}$ for some j=1,2,…,q, i.e., the signature value of M has already been computed for another message M _j≠M during A _b’s process of simulating the combiner. Then, if c=0, the adversary $\mathcal{A} _{b}$ obtains a valid forgery (〈0〉₂∥M,τ _b) if it guesses the index j correctly and then inverts the Feistel step for input lsb _2n(τ) and $\alpha_{M_{j}}$. The message 〈0〉₂∥M is distinct from all of $\mathcal{A} _{b}$’s queries, because 〈0〉₂∥M is distinct from all 〈0〉₂∥M _i and the additional queries of $\mathcal{A} _{b}$ start with a prefix 〈i〉₂ where i∈1,2,3. Hence, if $\mathcal{A} _{ \mathsf {Comb} }$ forges such a MAC with non-negligible probability ϵ, then $\mathcal{A} _{b}$ succeeds with probability ϵ/2q.

In the second case, $\mathcal{A} _{ \mathsf {Comb} }$ outputs (M,τ) where α _M has not occurred in $\mathcal{A} _{b}$’s computations, i.e., $\alpha_{M} \neq\alpha_{M_{j}}$ for all j=1,2,…,q. In this case, we have c=1 with probability 1/2 where $\mathcal{A} _{b}$ starts its forgery by computing the first round of the Feistel permutation for input $H^{0}_{0}(M) \|H^{0}_{1}(M)$ and $\alpha_{M} = \mathit{lsb}_{m}(H^{0}_{\oplus }(M))$, which requires a further oracle query about 00∥M. The left part of the computed Feistel output is then $x = H^{0}_{0}(M) \oplus H^{1}_{0}(\alpha_{M} \| H^{0}_{1}(M))$ and would serve as input for $H^{2}_{\oplus}$. The adversary uses this value together with the fresh signature α _M as its output message (〈2〉₂∥α _M∥x) and reconstructs the corresponding tag with the knowledge about the other parameters. Since α _M is distinct from all $\alpha_{M_{j}}$, the message (〈2〉₂∥α _M∥x) was never queried by $\mathcal{A} _{b}$ before.

In both cases a successful attack against the combiner $\mathsf {Comb} _{4 \mathsf {P} \&\textsf {IRO}} ^{H_{0},H_{1},g}$ allows successful attacks on H ₀ and H ₁, contradicting the assumption that at least one hash function is a secure MAC. □

5 Preserving One-Wayness and the $\mathcal {C} _{4 \mathsf {P} \&\textsf {OW}} $ Combiner

In this section we first propose a combiner which is simultaneously a combiner for CR, and OW. At the end of this section we discuss how to plug this combiner into our combiners Comb _4P and Comb _4P&IRO to derive our constructions Comb _4P&OW (cf. Fig. 1) and Comb _6P (cf. Fig. 2), respectively.

Recall that the concatenation combiner

$$\mathsf {Comb} _\|^{H_0,H_1}(M)=H_0(M)\|H_1(M) $$

is a robust combiner for the CR property, but its not hard to see that this combiner is not robust for the one-wayness property OW.^{Footnote 5} On the other hand, the combiner

$$\mathsf {Comb} _\mathsf {OW}^{H_0,H_1}(M_L\|M_R)=H_0(M_L)\| H_1(M_R) $$

is robust for the OW property, i.e. $\mathsf {Comb} _{\mathsf{OW}}^{H_{0},H_{1}}(M_{L}\|M_{R})$ is hard to invert on a random input from {0,1}^2m, if either H ₀ or H ₁ is hard to invert on {0,1}^m. Unfortunately, this combiner is not robust for CR.^{Footnote 6}

The basic idea to construct a combiner which is robust for CR and OW is to use the $\mathsf {Comb} _{\|}^{H_{0},H_{1}}$ combiner, and to apply a pairwise independent permutation (PIP) to the input of one of the two components. As the length of a description of a PIP is twice its input length, we have to assume an upper bound on the input length of the components. We fix the domain of H ₀ and H ₁ to {0,1}⁵ⁿ, but remark that any longer input length kn,k>5 would work, but then also the 2kn-bits key for the PIP grows accordingly. Allowing (much) shorter input length kn for some k<5 is not possible, as we use the fact that the input is (at least) 5n bits in the proof.

5.1 A Combiner for CR and OW

We define the combiner $\mathcal {C} _{\textsf {CR}\&\textsf {OW}} $ for preserving collision-resistance and one-wayness in a robust manner as follows. The key generation algorithm of the combiner CKGen _CR&OW(1ⁿ) generates H ₀←HKGen ₀(1ⁿ) and H ₁←HKGen ₁(1ⁿ) and picks a permutation π from a family Π of pairwise independent permutations over {0,1}⁵ⁿ. It outputs (H ₀,H ₁,π). The evaluation algorithm $\mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_{0},H_{1},\pi}$ on input M∈{0,1}⁵ⁿ returns H ₀(π(M))∥H ₁(M). By the following theorem $\mathcal {C} _{\textsf {CR}\&\textsf {OW}} $ preserves the properties of Comb _∥ and Comb _OW simultaneously.

Theorem 5.1

The combiner $\mathcal {C} _{\textsf {CR}\&\textsf {OW}} $ is a strongly robust multi-property combiner for $\textsc {prop} =\{\textsf{\textit{CR}},\textsf{\textit{TCR}},\textsf{\textit{MAC}},\textsf{\textit{OW}}\}$.

The proof is again split into lemmas for the individual properties.

Lemma 5.2

The combiner $\mathcal {C} _{\textsf {CR}\&\textsf {OW}} $ is $\textsf{\textit{CR}}$-, $\textsf{\textit{TCR}}$- and $\textsf {\textit{MAC}}$-robust.

Proof

As for the CR and TCR properties, note that given any collision M≠M′ for $\mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_{0},H_{1},\pi}$, we get a collision M,M′ for H ₁ and a collision π(M),π(M′) for H ₀. Note that π(M)≠π(M′) as π is a permutation.

To see that the MAC property is preserved, observe that given any forgery (M,τ) for $\mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_{0},H_{1},\pi}$, we get a forgery (π(M),τ ₀) for H ₀ and a forgery (M,τ ₁) for H ₁ where τ ₀∥τ ₁=τ. □

Lemma 5.3

The combiner $\mathcal {C} _{\textsf {CR}\&\textsf {OW}} $ is OW-robust.

Technically, we show the following. Let H ₀,H ₁:{0,1}⁵ⁿ→{0,1}ⁿ be any hash functions, T=T(n) be arbitrary and Π be a family of pairwise independent permutations over {0,1}⁵ⁿ. Then with probability 1−2/T over the choice of π←Π the following holds: any adversary $\mathcal{A} $ that inverts $\mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_{0},H_{1},\pi}(\cdot)$ on a random output with probability at least 2/T, can be used to invert $\mathsf {Comb} _{\textsf {OW}} ^{H_{0},H_{1}}(\cdot)$ with probability 2/T ³. Thus, if we assume that the advantage of every efficient adversary in inverting $\mathsf {Comb} _{\textsf {OW}} ^{H_{0},H_{1}}(\cdot)$ is some negligible value ϵ=2/T ³, then for an overwhelming 1−2/T fraction of the π’s, the advantage of every adversary inverting $\mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_{0},H_{1},\pi}(\cdot)$ is bounded by a negligible term 2/T.

To get some intuition for our proof, assume there is a “perfect” adversary $\mathcal{A} $ who inverts $\mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_{0},H_{1},\pi}(\cdot)$ on every value in its range. We can simply invoke this algorithm $\mathcal{A} $ on an output y ₀∥y ₁ generated by the “plain” combiner $\mathsf {Comb} _{\textsf {OW}} ^{H_{0},H_{1}} (\cdot)=H_{0}(\cdot)\|H_{1}(\cdot)$, and if now $\mathcal{A} $ gives us a preimage M with $y_{0}\| y_{1}= \mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_{0},H_{1},\pi}(M)$ for our advanced combiner, then this gives us a preimage π(M)∥M with $y_{0}\|y_{1}= \mathsf {Comb} _{\textsf {OW}} ^{H_{0},H_{1}}(\pi(M)\|M)$ for the plain combiner. There is one caveat here, namely, even such an ideal $\mathcal{A} $ will not invert an output $y_{0}\|y_{1}= \mathsf {Comb} _{\textsf {OW}} ^{H_{0},H_{1}}(M)$ if y ₀∥y ₁ is not in the range of $\mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_{0},H_{1},\pi}(\cdot)$. Using the fact that the H ₀,H ₁ are shrinking and π is a PIP, this can be shown to happen with only small probability (over the choice of π,M).

The general case where $\mathcal{A} $ only inverts $\mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_{0},H_{1},\pi}(\cdot)$ with some small probability ϵ is more tricky as here $\mathcal {A} $ might invert exactly on these outputs y ₀∥y ₁, which are much more likely to be outputs of $\mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_{0},H_{1},\pi}(\cdot)$ than of $\mathsf {Comb} _{\textsf {OW}} ^{H_{0},H_{1}}(\cdot)$, and thus would be of limited use for inverting $\mathsf {Comb} _{\textsf {OW}} ^{H_{0},H_{1}}(\cdot)$. In the proof below we show that for most choices of π, $\mathcal{A} $ has still success probability Ω(ϵ ³) in inverting $\mathsf {Comb} _{\textsf {OW}} ^{H_{0},H_{1}}(\cdot)$ even if $\mathcal{A} $ shows such worst-case behavior.

Proof of Lemma 5.3

Let H ₀,H ₁ be fixed, we prove that for a 1−2/T fraction of the π∈Π the following holds: If an adversary $\mathcal{A} $ inverts $\mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_{0},H_{1},\pi}(\cdot)$ with probability 2/T, this adversary also inverts the one-way combiner $\mathsf {Comb} _{\textsf {OW}} ^{H_{0},H_{1}}(\cdot)$ (and thus also H ₀ and H ₁) with probability at least 1/2T ³.

We first relate the output distribution of the combiner $\mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_{0},H_{1},\pi}$ with the output distribution of the one-wayness combiner $\mathsf {Comb} _{\textsf {OW}} ^{H_{0},H_{1}}$. Call a tuple (π,y ₀∥y ₁) bad if it is more than 2T ² times more likely to be an output of $\mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_{0},H_{1},\pi}$ than of $\mathsf {Comb} _{\textsf {OW}} ^{H_{0},H_{1}}(\cdot)=H_{0}(\cdot)\| H_{1}(\cdot)$. That is, (π,y ₀∥y ₁) is called bad iff

(3)

which, by definition, means

(4)

The following Claim bounds the probability of a tuple (sampled in a particular way) to be bad:

Claim 1

$$\mathrm {Prob}_{\pi,M} \bigl[ \bigl(\pi, \mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_0,H_1,\pi}(M)\bigr)\text{ \textit{is} \textit{bad}}\bigr]\le2/T^2. $$

Proof

To save on notation, we let τ denote the probability space defined by the following process:

$$ \pi\gets\varPi,\qquad M\gets \{0,1\} ^{5n},\qquad y_0:=H_0 \bigl(\pi(M)\bigr),\qquad y_1:=H_1(M). $$

(5)

With this, we can write the statement of the claim as

$$ \mathrm {Prob}_\tau\bigl[(\pi,y_0\|y_1) \text{ is bad}\bigr]\le2/T^2. $$

(6)

Plugging the definition (4) of “being bad” into (6) we get

(7)

For fixed y ₀,y ₁∈{0,1}ⁿ,π∈Π, we let $\mathcal{M}_{b}$ denote the preimages of y _b under H _b, that is,

See Fig. 5 for an illustration. We can now express the terms in (7) as

(8)

(9)

Equation (8) is simply the probability that the random M ₀←{0,1}⁵ⁿ falls into $\mathcal{M}_{0}$ and that M ₁←{0,1}⁵ⁿ falls into $\mathcal{M}_{1}$. To see Eq. (9) note that H ₀(m(M′))∥H ₁(M′)=y ₀∥y ₁ if and only if $M'\in\pi^{-1}(\mathcal{M}_{0})\cap\mathcal{M}_{1}$.

Plugging (8), (9) into (7) (and multiplying with 2⁵ⁿ) we can rewrite the statement of the claim as

$$ \mathrm {Prob}_\tau\biggl[{\bigl|\pi^{-1}(\mathcal{M}_0)\cap \mathcal{M}_1 \bigr|} \ge T^2\cdot2\frac{|\mathcal{M}_0||\mathcal{M}_1|}{2^{5n}} \biggr] \le\frac{2}{T^2}. $$

(10)

We claim that $\mathbb{E}_{\tau}[|\pi^{-1}(\mathcal{M}_{0})\cap\mathcal{M}_{1}| ]$, the expected number of preimages of y ₀∥y ₁ (sampled according to τ) under $\mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_{0},H_{1},\pi}$, can be expressed as

$$ \mathbb{E}_\tau\bigl[ \bigl|\pi^{-1}(\mathcal{M}_0)\cap\mathcal {M}_1\bigr|\bigr] = \mathbb{E}_\tau\biggl[ 1+\frac{(|\mathcal{M}_0|-1)(|\mathcal {M}_1|-1)}{2^{5n}-1} \biggr]. $$

(11)

This can be seen as follows. A way to sample a variable with the same expectation as $|\pi^{-1}(\mathcal{M}_{0})\cap \mathcal{M}_{1}|$ is to sample M,π(M) (i.e., only the output of π on input M, but not the entire π) which defines y ₀∥y ₁:=H ₀(π(M))∥H ₁(M). Now, one preimage of y ₀∥y ₁ is M (this is accounted for by the term “1+” above), and for every of the $|\mathcal{M}_{1}|-1$ other $M'\in\mathcal{M}_{1}$ we have another preimage if $\pi(M')\in\mathcal{M}_{0}$. As π is pairwise independent, π(M′) is uniform in $\mathcal{M}_{0}\setminus\pi(M)$, thus this happens with probability $(|\mathcal{M}_{0}|-1)/ (2^{5n}-1)$.

To get some intuition, assume for the moment that $\mathcal{M}_{0}$ and $\mathcal{M}_{1}$ are “large”, say of size at least 2³ⁿ. Then we can essentially ignore the “1+” and “−1” terms in (11) and the statement becomes roughly

$$\mathbb{E}_\tau\bigl[ \bigl|\pi^{-1}(\mathcal{M}_0)\cap\mathcal {M}_1\bigr| \bigr ]\approx \mathbb{E}_\tau\bigl[|\mathcal{M}_0||\mathcal{M}_1|/2^{5n} \bigr]. $$

This would allow us to relate the probabilities (8) and (9), and applying Markov’s inequality would prove the claim. Thus to prove the claim we first show that $\mathcal{M}_{0}$, $\mathcal{M}_{1}$ are indeed very large with high probability, and then we will work out the details of the outlined intuition.

For any function f:{0,1}⁵ⁿ→{0,1}ⁿ, the probability that a random image has less than 2³ⁿ preimages is at most 2⁻ⁿ, i.e.

$$ \mathrm {Prob}_{x\gets \{0,1\} ^{5n}} \bigl[ \bigl| \bigl\{x' : f \bigl(x'\bigr)=f(x) \bigr\} \bigr| < 2^{3n} \bigr] \le 2^{-n}. $$

(12)

This holds as at most 2ⁿ−1 (i.e. all except one) values in the range {0,1}ⁿ of f can have <2³ⁿ preimages. So at most (2ⁿ−1)(2³ⁿ−1)<2⁴ⁿ values in {0,1}⁵ⁿ are mapped by f to an image with <2³ⁿ preimages under f. The probability that a random x←{0,1}⁵ⁿ falls into this set is ≤2⁵ⁿ/2⁴ⁿ=2⁻ⁿ. Using (12) and the definitions of $\mathcal{M}_{0}$, $\mathcal {M}_{1}$, we conclude

$$\mathrm {Prob}_\tau\bigl[|\mathcal{M}_0|<2^{3n}\bigr]\le2^{-n} \quad\text{and}\quad \mathrm {Prob}_\tau\bigl[ |\mathcal{M}_1|<2^{3n}\bigr]\le 2^{-n}. $$

Applying the union bound we get an upper bound on the probability that either set is small as

$$ \mathrm {Prob}_\tau\bigl[|\mathcal{M}_0|<2^{3n}\vee| \mathcal{M}_1|<2^{3n}\bigr]\le2\cdot2^{-n}. $$

(13)

Hence, except with probability 2⋅2⁻ⁿ (which becomes smaller than 1/T ² for sufficiently large n’s), we have $|\mathcal{M}_{0}|\ge2^{3n}$ and $|\mathcal{M}_{1}|\ge2^{3n}$, let us call this event $\mathcal{E}$. A short calculation shows that in this case

$$ \mathcal{E}\quad\mathrm{implies}\quad1+\frac{(|\mathcal {M}_0|-1)(|\mathcal{M}_1 |-1)}{2^{5n}-1}\le2 \frac{|\mathcal{M}_0||\mathcal{M}_1|}{2^{5n}}. $$

(14)

We can now prove (10). For this, let $Z={|\pi^{-1}(\mathcal{M}_{0} )\cap\mathcal{M}_{1}|}$. In the second step below we use the fact, established by Eqs. (11) to (14), that conditioned on $\mathcal{E}$ we have $\mathbb{E} _{\tau}[Z]\le \mathbb{E}_{\tau}[2{|\mathcal{M}_{0}||\mathcal{M}_{1}|}/{2^{5n}}]$. We use Markov’s inequality and Eq. (13) in the third step below:

This concludes the proof of the claim. □

Using Markov’s inequality once more the claim implies

$$ \mathrm {Prob}_{\pi}\bigl[\mathrm {Prob}_{M}\bigl[\bigl(\pi, \mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_0,H_1,\pi} (M)\bigr)\text{ is bad}\bigr]\le1/T\bigr]\ge1-2/T. $$

(15)

We will now show that with probability 1−2/T over the choice of π←Π the following holds: any adversary $\mathcal{A} $ that inverts $\mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_{0},H_{1},\pi}(\cdot)$ on a random output with probability at least 2/T, can be used to invert $\mathsf {Comb} _{\textsf {OW}} ^{H_{0},H_{1}}(\cdot)$ with probability 2/T ³. This will imply the lemma as explained in the paragraph after the statement of the lemma.

The 1−2/T fraction of π’s we will consider are all π∈Π where

(16)

by Eq. (15) a random π←Π will indeed satisfy this with probability 1−2/T.

Now consider any π satisfying (16) and any adversary $\mathcal{A} $ who inverts a random output $y_{0}\| y_{1}= \mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_{0},H_{1},\pi}(M)$ with probability 2/T (wlog. we assume $\mathcal{A} $ is deterministic). As by Eq. (16) such a random output (π,y ₀∥y ₁) is bad with probability at most 1/T, it follows that such a random output simultaneously is good and $\mathcal{A} $ finds a preimage with probability at least 2/T−1/T=1/T. Let $\mathcal {Y}\subset \{0,1\} ^{2n}$ denote this set, i.e.

$$\mathcal{Y}=\bigl\{y_0\|y_0 : (\pi,y_0\|y_1)\mbox{ is good and } \mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_0,H_1,\pi} \bigl( \mathcal{A} ^{H_0,H_1}(\pi ,y_0\|y_1)\bigr)=y_0\|y_1\bigr\}. $$

As explained above

$$\mathrm {Prob}_M \bigl[ \mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_0,H_1,\pi}(M)\in\mathcal{Y}\bigr]\ge1/T. $$

As $\mathcal{Y}$ only contains good outputs, by definition (cf. Eq. (3)) the probability that the output of the one-way combiner $\mathsf {Comb} _{\textsf {OW}} ^{H_{0},H_{1}}(\cdot)$ on a random input falls into $\mathcal{Y}$ is at most 2T ² times smaller than the probability that the output of $\mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_{0},H_{1},\pi}(\cdot)$ on a random input falls into $\mathcal{Y}$, which as just shown is at least 1/T, thus

$$\mathrm {Prob}_{M_0,M_1}\bigl[ \mathsf {Comb} _{\textsf {OW}} ^{H_0,H_1}(M_0\|M_1)\in\mathcal{Y}\bigr] \ge\frac{1}{T}\cdot\frac{1}{2T^2}=\frac{1}{2T^3}. $$

As by definition of $\mathcal{Y}$ the adversary $\mathcal{A} $ inverts all values in $\mathcal{Y}$, $\mathcal{A} $ on input a random output y ₀∥y ₁ of $\mathsf {Comb} _{\textsf {OW}} ^{H_{0},H_{1}}$ will find a preimage M′ for this output with probability at least 1/2T ³. Although $\mathcal{A} $ outputs a preimage M′ for the wrong combiner $\mathsf {Comb} _{\textsf {CR}\&\textsf {OW}} ^{H_{0},H_{1},\pi}(M')=y_{0}\|y_{1}$, from this we can easily compute a preimage $M'_{0}\|M'_{1}:=\pi(M')\|M'_{1}$ for the one-way combiner $\mathsf {Comb} _{\textsf {OW}} (M'_{0}\|M'_{1})=y_{0}\|y_{1}$. □

5.2 Combining Things

We can now plug the combiner $\mathcal {C} _{\textsf {CR}\&\textsf {OW}} $ into the initial computation of our combiner $\mathcal {C} _{4 \mathsf {P} }$. That is, we replace the initial computation $H^{0}_{0}(M)\|H^{0}_{1}(M)$ in our original combiner by $H^{0}_{0}(\pi(M))\|H^{0}_{1}(M)$ for messages of 5n bits. Note that if H _b(⋅) is one way on inputs of length 5n+2, then also $H^{0}_{b}(\cdot)$ is one-way on inputs of length 5n, and we only lose a factor of 4 in the security.

More formally, in our combiner $\mathcal {C} _{4 \mathsf {P} \&\textsf{OW}}=( \mathsf {CKGen} _{4 \mathsf {P} \&\textsf{OW}}, \mathsf {Comb} _{{4 \mathsf {P} \&\textsf{OW}}})$ for functions $\mathcal {H} _{0}, \mathcal {H} _{1}$ the key generation algorithm generates a tuple (π,H ₀,H ₁) consisting of a pairwise independent permutation π (over {0,1}⁵ⁿ) and two hash functions H ₀←HKGen ₀(1ⁿ) and H ₁←HKGen ₁(1ⁿ). The evaluation algorithm $\mathsf {Comb} _{{4 \mathsf {P} \&\textsf{OW}}}^{H_{0},H_{1},\pi}$ for input M∈{0,1}⁵ⁿ computes $P^{3}(H^{0}_{0}(\pi(M))\|H^{0}_{1}(M))$ where P ³ is the Feistel permutation $P^{3}=\psi[H^{1}_{\oplus},H_{\oplus}^{2},H^{3}_{\oplus}]$. Note that applying a permutation to the output of a one-way function does not violate the one-way property. We have already proved that the other three properties CR,TCR,MAC, which are preserved by $\mathcal {C} _{\textsf {CR}\&\textsf {OW}} $, are not affected by applying a permutation in Sect. 3.

Theorem 5.4

The combiner $\mathcal {C} _{4 \mathsf {P} \&\textsf{\textit{OW}}}$ is a strongly robust multi-property combiner for $\textsc {prop} =\{\textsf{\textit{CR}},\textsf{\textit{PRF}},\textsf{\textit{TCR}},\textsf {\textit{MAC}},\textsf{\textit{OW}}\}$.

Applying the modifications from Sect. 5 and the combiner Comb _4P&IRO from Sect. 4 together, we derive our construction $\mathcal {C} _{6 \mathsf {P} }$ (cf. Fig. 2). This construction is defined like $\mathcal {C} _{4 \mathsf {P} \&\textsf {IRO}}$, where one additionally applies a pairwise-independent permutation over {0,1}^kn (with k≥5) to the input of $H^{0}_{0}$.

Theorem 5.5

The combiner $\mathcal {C} _{6 \mathsf {P} }$ is a strongly robust multi-property combiner for $\textsc {prop} =\{\textsf{\textit{CR}},\textsf{\textit{TCR}},\textsf{\textit{PRF}},\textsf{\textit{MAC}},\textsf{\textit{OW}}, \textsf{\textit{IRO}}\}$.

6 Weak vs. Mild vs. Strong Robustness

In this section we revert to our different notions of multi-property robustness as introduced in Sect. 2.2, and analyze the relations among the three variants. The first proposition shows that strong robustness implies mild robustness which, in turn, implies weak robustness. The proof is straightforward and given only for sake of completeness:

Proposition 6.1

Let prop be a set of properties. Then any strongly robust multi-property combiner for prop is also mildly robust for prop, and any mildly robust combiner for prop is also weakly robust for prop.

Proof

Assume that the combiner is sMPR for prop. Suppose further that $\textsc {prop} ( \mathcal {C} )\not\subseteq \textsc {prop} $ such that there is some property $\mathsf {P} _{i}\in \textsc {prop} - \textsc {prop} ( \mathcal {C} )$. Then, since the combiner is sMPR, we must also have $\mathsf {P} _{i}\notin \textsc {prop} ( \mathcal {H} _{0})\cup \textsc {prop} ( \mathcal {H} _{1})$, else we derive a contradiction to the strong robustness. We therefore have $\textsc {prop} \not\subseteq \textsc {prop} ( \mathcal {H} _{0})\cup \textsc {prop} ( \mathcal {H} _{1})$, implying mild robustness via the contrapositive statement.

Now consider an mMPR combiner and assume $\textsc {prop} = \textsc {prop} ( \mathcal {H} _{0})$ or $\textsc {prop} = \textsc {prop} ( \mathcal {H} _{1})$. Then, in particular, $\textsc {prop} = \textsc {prop} ( \mathcal {H} _{0})\cup \textsc {prop} ( \mathcal {H} _{1})$ and the mMPR property says that also $\textsc {prop} = \textsc {prop} ( \mathcal {C} )$. This proves sMPR. □

To separate the notions we consider the collision-resistance property CR and the property NZ (non-zero output) that the hash function should return 0⋯0 with small probability only. This may be for example required if the hash value should be inverted in a field:

Non-zero output (NZ)::: A hash function $\mathcal {H} $ has property NZ if for any efficient adversary $\mathcal{A} $ the probability that for H←HKGen(1ⁿ) and $M \leftarrow \mathcal{A} (H)$ we have H(M)=0⋯0, is negligible.

Lemma 6.2

Let $\textsc {prop} =\{\textsf{\textit{CR}},\textsf{\textit{NZ}}\}$ and assume that collision-resistant hash functions exist. Then there is a hash function combiner which is weakly multi-property robust for prop, but not mildly multi-property robust for prop.

Proof

Consider the following combiner (with the standard key generation, (H ₀,H ₁)←CKGen(1ⁿ) for H ₀←HKGen ₀(1ⁿ) and H ₁←HKGen ₁(1ⁿ)):

The combiner for input M first checks that the length of M is even, and if so, divides M=L∥R into halves L and R, and checks

that H ₀(L)≠H ₀(R) if L≠R, and that H ₀(M)≠0⋯0,

that H ₁(L)≠H ₁(R) if L≠R, and that H ₁(M)≠0⋯0.

If the length of M is odd or any of the two properties above holds, then the combiner outputs H ₀(M)∥H ₁(M). In any other case, it returns 0²ⁿ.

We first show that the combiner is weakly robust. For this assume that the hash function H _b for b∈{0,1} has both properties. Then the combiner returns the exceptional output 0²ⁿ only with negligible probability, namely, if one finds an input with a non-trivial collision under H _b, which also refutes property NZ. In any other case, the combiner’s output H ₀(M)∥H ₁(M) inherits the properties CR and NZ from hash function H _b.

Next we show that the combiner is not mMPR. Let $H_{1}'$ be a collision-resistant hash function with n−1 bits output (and let H ₁ include a description of $H_{1}'$). Define the following hash functions:

$$H_0(M)=1^n, \qquad H_1(M)= \begin{cases} 0^n & \text{if $M=0^{n}1^{n}$}, \\ 1\|H_1'(M) & \text{else}. \end{cases} $$

Clearly, H ₀ has property NZ but is not collision-resistant. On the other hand, H ₁ obeys CR but not NZ, as 0ⁿ1ⁿ is mapped to zeros. But then we have prop={CR,NZ}=prop(H ₀)∪prop(H ₁) and mild robustness now demands that the combiner, too, has these two properties. Yet, for input M=0ⁿ1ⁿ the combiner returns 0²ⁿ since the length of M is even, but L=0ⁿ and R=1ⁿ collide under H ₀, and M is thrown to 0ⁿ under H ₁. This means that the combiner does not obey property NZ. □

Lemma 6.3

Let $\textsc {prop} =\{\textsf{\textit{CR}},\textsf{\textit{NZ}}\}$. Then there exists a hash function combiner which is mildly multi-property robust for prop, but not strongly multi-property robust for prop.

Proof

Consider the following combiner (again with standard key generation):

The combiner for input M first checks that the length of M is even, and if so, divides M=L∥R into halves L and R and then verifies that H ₀(L)≠H ₀(R) or H ₁(L)≠H ₁(R) or L=R. If any of the latter conditions holds, or the length of M is odd, then the combiner outputs H ₀(M)∥H ₁(M). In any other case it returns 0²ⁿ.

We first prove that the combiner is mMPR. Given that prop⊆prop(H ₀)∪prop(H ₁) at least one of the two hash functions is collision-resistant. Hence, even for M=L∥R with even length and L≠R, the hash values only collide with negligible probability. In other words, the combiner outputs H ₀(M)∥H ₁(M) with overwhelming probability, implying that the combiner too has properties CR and NZ.

Now consider the constant hash functions H ₀(M)=H ₁(M)=1ⁿ for all M. Clearly, both hash functions obey property NZ∈prop(H ₀)∪prop(H ₁). Yet, for input 0ⁿ1ⁿ the combiner returns 0²ⁿ such that $\textsf{NZ}\notin \textsc {prop} ( \mathcal {C} )$, implying that the combiner is not strongly robust. □

The proof indicates how mildly (or weakly) robust combiners may take advantage of further properties to implement other properties. It remains open if one can find similar separations for the popular properties like CR and PRF, or for CR and IRO.

7 Multiple Hash Functions and Tree-Based Composition of Combiners

So far we have considered combiners for two hash functions. The multi-property robustness definition extends to the case of more hash functions as follows:

Definition 7.1

For a set prop={P ₁,P ₂,…,P _N} of properties an m-function combiner $\mathcal {C} =( \mathsf {CKGen} , \mathsf {Comb} )$ for hash functions $\mathcal {H} _{0}, \mathcal {H} _{1},\dots, \mathcal {H} _{m-1}$ is called

weakly multi-property robust (wMPR) for prop iff
$$\text{$\exists j\in\{0,1,\dots,m-1\}$ s.t.~$ \textsc {prop} = \textsc {prop} ( \mathcal {H} _{j})$} \quad\Longrightarrow\quad \textsc {prop} = \textsc {prop} ( \mathcal {C} ), $$
mildly multi-property robust (mMPR) for prop iff
$$\textsc {prop} = \bigcup_{j=0}^{m-1} \textsc {prop} ( \mathcal {H} _j) \quad\Longrightarrow\quad \textsc {prop} = \textsc {prop} ( \mathcal {C} ), $$
and strongly multi-property robust (sMPR) for prop iff for all P _i∈prop,
$$\mathsf {P} _i\in\bigcup _{j=0}^{m-1} \textsc {prop} ( \mathcal {H} _j) \quad \Longrightarrow\quad \mathsf {P} _i\in \textsc {prop} ( \mathcal {C} ). $$

For the above definitions we still find that sMPR implies mMPR and mMPR implies wMPR. The proof is a straightforward adaption of the case of two hash functions.

Given a combiner for two hash functions one can build a combiner for three or more hash functions by considering the two-function combiner itself as a hash function and applying it recursively. For instance, to combine three hash functions $\mathcal {H} _{0}, \mathcal {H} _{1}, \mathcal {H} _{2}$ one may define the “cascaded” combiner by $\mathcal {C} _{2}( \mathcal {C} _{2}( \mathcal {H} _{0}, \mathcal {H} _{1}), \mathcal {H} _{2})$, where we assume that the output of $\mathcal {C} _{2}$ allows to be used again as input to the combiner on the next level.

More generally, given m hash functions and a two-function combiner $\mathcal {C} _{2}$ we define an m-function combiner $\mathcal {C} _{\text{multi}}$ as a binary tree, as suggested for general combiners by [18]. Each leaf is labeled by one of the m hash functions (different leaves may be labeled by the same hash function). Each inner node, including the root, with two descendants labeled by $\mathcal {F}_{0}$ and $\mathcal{F}_{1}$, is labeled by $\mathcal {C} _{2}(\mathcal{F}_{0},\mathcal{F}_{1})$.

The key generation algorithm for this tree-based combiner now runs the key generation algorithm for the label at each node (each run independent of the others, even if two nodes contain the same label). To evaluate the multi-hash function combiner one inputs M into each leaf and computes the functions outputs recursively up to the root. The output of the root node is then the output of $\mathcal {C} _{\text{multi}}$. We call this a combiner tree for $\mathcal {C} _{2}$ and $\mathcal {H} _{0}, \mathcal {H} _{1},\dots , \mathcal {H} _{m-1}$.

For efficiency reasons we assume that there are at most polynomially many combiner evaluations in a combiner tree. Also, to make the output dependent on all hash functions we assume that each hash function appears in (at least) one of the leaves. If a combiner tree obeys these properties, we call it an admissible combiner tree for $\mathcal {C} _{2}$ and $\mathcal {H} _{0}, \mathcal {H} _{1},\dots, \mathcal {H} _{m-1}$.

We first show that weak MPR and strong MPR preserve their properties for admissible combiner trees:

Proposition 7.2

Let $\mathcal {C} _{2}$ be a weakly (resp. strongly) multi-property robust two-function combiner for prop. Then any admissible combiner tree for $\mathcal {C} _{2}$ and functions $\mathcal {H} _{0},\allowbreak \mathcal {H} _{1},\dots,\allowbreak \mathcal {H} _{m-1}$ for m≥2 is also weakly (resp. strongly) multi-property robust for prop.

Proof

We give the proof by induction for the depth of the tree. For depth d=1 we have m=2 and $\mathcal {C} _{\text{multi}}( \mathcal {H} _{0}, \mathcal {H} _{1})= \mathcal {C} _{2}( \mathcal {H} _{0}, \mathcal {H} _{1})$ or $\mathcal {C} _{\text{multi}}( \mathcal {H} _{0}, \mathcal {H} _{1})= \mathcal {C} _{2}( \mathcal {H} _{1}, \mathcal {H} _{0})$ and the claim follows straightforwardly for both cases.

Now assume d>1 and that combiner $\mathcal {C} _{2}$ is wMPR. Then the root node applies $\mathcal {C} _{2}$ to two nodes N ₀ and N ₁, labeled by $\mathcal{F}_{0}$ and $\mathcal{F}_{1}$. Note that by the wMPR prerequisite we assume that there exists one hash function $\mathcal {H} _{j}$ which has all properties in prop. Since this hash functions appears in at least one of the subtrees under N ₀ or N ₁, it follows by induction that at least one of the functions $\mathcal{F}_{0}$ and $\mathcal{F}_{1}$, too, has properties prop. But then the combiner application in the root node also inherits these properties from its descendants.

Now consider d>1 and the case of strong MPR. It follows analogously to the previous case that for each property P _i∈prop, one of the hash functions in the subtrees rooted at N ₀ and N ₁ must have property P _i as well. This carries over to the combiners at nodes N ₀ or N ₁ by induction, and therefore to the root combiner. □

Somewhat surprisingly, mild MPR in general does not propagate security for tree combiners, as we show by a counter-example below. Note that we still find, via the previous proposition, that the mMPR combiner is also wMPR and that the resulting tree combiner is thus also wMPR. Yet, it loses its mMPR property.

Proposition 7.3

Let prop={CR,NZ} and assume that there are collision-resistant hash functions. Then there exists a two-function mildly robust multi-property combiner $\mathcal {C} _{2}$ for prop, and hash functions $\mathcal {H} _{0}$, $\mathcal {H} _{1}$, $\mathcal {H} _{2}$ such that the admissible tree combiner for $\mathcal {C} _{2}$ is not mildly multi-property robust for prop.

Proof

Consider the following two-function combiner $\mathcal {C} _{2}$ for hash functions $\mathcal {H} _{0}, \mathcal {H} _{1}$ (again with standard key generation):

For input M check that the length of M is even and, if so, divide M=L∥R into halves L and R. If H ₀(L)=H ₀(R) and H ₁(L)=H ₁(R) and L≠R, or we have H ₀(M)=0⋯0 and H ₁(M)=0⋯0, then output $0^{|H_{0}(M)|+|H_{1}(M)|}$. Else, or if the length of M is odd, return H ₀(M)∥H ₁(M).

It is easy to verify that this is an mMPR two-function combiner for prop. Now consider the following hash functions, where $H_{2}'$ is a collision-resistant hash function with n−1 bits output:

$$H_0(M)=1^n, \qquad H_1(M)=1^n, \qquad H_2(M)= \begin{cases} 0^n & \text{if $M=0^{n}1^{n}$,} \\ 1\|H_2'(M) & \text{else}. \end{cases} $$

Then $\textsc {prop} ( \mathcal {H} _{0})= \textsc {prop} ( \mathcal {H} _{1})=\{\textsf{NZ}\}$ and $\textsc {prop} ( \mathcal {H} _{2})=\{\textsf{CR}\}$ such that $\textsc {prop} =\bigcup \textsc {prop} ( \mathcal {H} _{j})$.

Consider the following tree combiner defined through $\mathcal {C} ( \mathcal {H} _{0}, \mathcal {H} _{1}, \mathcal {H} _{2})= \mathcal {C} _{2}( \mathcal {C} _{2}( \mathcal {H} _{0}, \mathcal {H} _{1}), \mathcal {H} _{2})$, i.e., which cascades the three hash functions. Then the inner application of $\mathcal {C} _{2}$ yields a hash function which returns 0²ⁿ for message M=0ⁿ1ⁿ. Since this message also causes H ₂ to return 0ⁿ the tree combiner runs into the exception case and returns 0³ⁿ for this input. Hence, the tree combiner does not have property NZ. □

Note that the cascading combiner can also be applied to all our proposed MPR combiners to compose three or more hash functions. The derived combiner, however, is less efficient than the direct construction sketched there.

Notes

Technically, they require statistical collision-resistance for the keys of the pseudorandom function.
One may also refine these notions further. We focus on these three “natural” cases.
Weak collision-resistance is defined similarly to collision resistance, except that here the function is keyed and the key is secret, i.e., the adversary only gets black-box access to the function.
There is a small caveat here. Our definition of combiners allows to use the same hash function H ₀=H ₁, albeit our combiner samples independent instances of the hash functions then. In this sense, it is understood that, if the hash function H _b is given by a random oracle, then in case $H_{b}=H_{\overline{b}}$ the other hash function instance uses an independent random oracle.
Consider e.g. the case where H ₀(⋅) is a one-way function on the first n bits of its input (and ignoring the rest), and H ₁(⋅) outputs the first n bits of its input.
Consider e.g. the case where H ₀(⋅) is collision resistant, and H ₁(⋅) outputs a constant, then any pair $M_{L}\|M_{R},M_{L}\|M'_{R}$ gives a collision.

References

Open source implementation of the Com4P combiner (2010). http://files.randombit.net/botan/doxygen/html/classBotan_1_1Comb4P.html
E. Andreeva, G. Neven, B. Preneel, T. Shrimpton, Seven-property-preserving iterated hashing: ROX, in Advances in Cryptology—Asiacrypt 2007. LNCS, vol. 4833 (Springer, Berlin, 2007), pp. 130–146
Chapter Google Scholar
M. Bellare, R. Canetti, H. Krawczyk, Keying hash functions for message authentication, in Advances in Cryptology—Crypto 1996. LNCS, vol. 96 (Springer, Berlin, 1996), pp. 1–15
Google Scholar
M. Bellare, T. Ristenpart, Multi-property preserving hash domain extensions and the EMD transform, in Advances in Cryptology—Asiacrypt 2006. LNCS, vol. 4284 (Springer, Berlin, 2006), pp. 299–314
Chapter Google Scholar
M. Bellare, T. Ristenpart, Hash functions in the dedicated-key setting: design choices and MPP transforms, in International Colloquium on Automata, Languages, and Programming (ICALP) 2007. LNCS, vol. 4596 (Springer, Berlin, 2007), pp. 399–410
Google Scholar
M. Bellare, P. Rogaway, Optimal asymmetric encryption—how to encrypt with RSA, in Advances in Cryptology—Eurocrypt 1994. LNCS, vol. 950 (Springer, Berlin, 1994), pp. 92–111
Google Scholar
M. Bellare, P. Rogaway, The exact security of digital signatures—how to sign with RSA and Rabin, in Advances in Cryptology—Eurocrypt 1996. LNCS, vol. 1070 (Springer, Berlin, 1996), pp. 399–416
Google Scholar
M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in Advances in Cryptology—Eurocrypt 2006. LNCS, vol. 4004 (Springer, Berlin, 2006), pp. 409–426
Chapter Google Scholar
A. Boldyreva, M. Fischlin, Analysis of random oracle instantiation scenarios for OAEP and other practical schemes, in Advances in Cryptology—Crypto 2005. LNCS, vol. 3621 (Springer, Berlin, 2005), pp. 412–429
Chapter Google Scholar
A. Boldyreva, M. Fischlin, On the security of OAEP, in Advances in Cryptology—Asiacrypt 2006. LNCS, vol. 4284 (Springer, Berlin, 2006), pp. 210–225
Chapter Google Scholar
D. Boneh, X. Boyen, On the impossibility of efficiently combining collision resistant hash functions, in Advances in Cryptology—Crypto 2006. LNCS, vol. 4117 (Springer, Berlin, 2006), pp. 570–583
Chapter Google Scholar
R. Canetti, R.L. Rivest, M. Sudan, L. Trevisan, S.P. Vadhan, H. Wee, Amplifying collision resistance: a complexity-theoretic treatment, in Advances in Cryptology—Crypto 2007. LNCS, vol. 4622 (Springer, Berlin, 2007), pp. 264–283
Chapter Google Scholar
C. De Cannière, C. Rechberger, Preimages for reduced SHA-0 and SHA-1, in Advances in Cryptology—Crypto 2008. LNCS, vol. 5157 (Springer, Berlin, 2008), pp. 179–202
Chapter Google Scholar
J.-S. Coron, Y. Dodis, C. Malinaud, P. Puniya, Merkle–Damgård revisited: how to construct a hash function, in Advances in Cryptology—Crypto 2005. LNCS, vol. 3621 (Springer, Berlin, 2005), pp. 430–448
Chapter Google Scholar
M. Fischlin, A. Lehmann, Security-amplifying combiners for hash functions, in Advances in Cryptology—Crypto 2007. LNCS, vol. 4622 (Springer, Berlin, 2007), pp. 224–243
Chapter Google Scholar
M. Fischlin, A. Lehmann, Multi-property preserving combiners for hash functions, in Theory of Cryptography Conference (TCC) 2008. LNCS, vol. 4948 (Springer, Berlin, 2008), pp. 375–392
Google Scholar
M. Fischlin, A. Lehmann, K. Pietrzak, Robust multi-property combiners for hash functions revisited, in International Colloquium on Automata, Languages, and Programming (ICALP) 2008. LNCS, vol. 5126 (Springer, Berlin, 2008), pp. 655–666
Google Scholar
D. Harnik, J. Kilian, M. Naor, O. Reingold, A. Rosen, On robust combiners for oblivious transfer and other primitives, in Advances in Cryptology—Eurocrypt 2005. LNCS, vol. 3494 (Springer, Berlin, 2005), pp. 96–113
Chapter Google Scholar
A. Herzberg, On tolerant cryptographic constructions, in Topics in Cryptology—Cryptographer’s Track, RSA Conference (CT-RSA) 2005. LNCS, vol. 3376 (Springer, Berlin, 2005), pp. 172–190
Chapter Google Scholar
A. Herzberg, Folklore, practice and theory of robust combiners. J. Comput. Secur. 17(2), 159–189 (2009)
Google Scholar
J. Hoch, A. Shamir, On the strength of the concatenated hash combiner when all the hash functions are weak, in International Colloquium on Automata, Languages, and Programming (ICALP) 2008. LNCS, vol. 5126 (Springer, Berlin, 2008), pp. 616–630
Google Scholar
J. Katz, J.S. Shin, Modeling insider attacks on group key-exchange protocols, in Proceedings of the Annual Conference on Computer and Communications Security (CCS) (ACM, New York, 2005)
Google Scholar
A. Lehmann, S. Tessaro, A modular design for hash functions: towards making the mix-compress-mix approach practical, in Advances in Cryptology—Asiacrypt 2009. LNCS, vol. 5912 (Springer, Berlin, 2009), pp. 364–381
Chapter Google Scholar
M. Luby, C. Rackoff, How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)
Article MATH MathSciNet Google Scholar
U. Maurer, R. Renner, C. Holenstein, Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology, in Theory of Cryptography Conference (TCC) 2004. LNCS, vol. 2951 (Springer, Berlin, 2004), pp. 21–39
Google Scholar
M. Naor, O. Reingold, On the construction of pseudorandom permutations: Luby–Rackoff revisited. J. Cryptol. 12(1), 29–66 (1999)
Article MATH MathSciNet Google Scholar
NIST. National institute of standards and technology: SHA-3 competition. http://csrc.nist.gov/groups/ST/hash/sha-3/
K. Pietrzak, Non-trivial black-box combiners for collision-resistant hash-functions don’t exist, in Advances in Cryptology—Eurocrypt 2007. LNCS, vol. 4515 (Springer, Berlin, 2007), pp. 23–33
Chapter Google Scholar
K. Pietrzak, Compression from collisions, or why CRHF combiners have a long output, in Advances in Cryptology—Crypto 2008. LNCS, vol. 5157 (Springer, Berlin, 2008), pp. 413–432
Chapter Google Scholar
M. Stevens, A. Sotirov, J. Appelbaum, A. Lenstra, D. Molnar, D.A. Osvik, B. de Weger, Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate, in Advances in Cryptology—Crypto 2009. LNCS, vol. 5677 (Springer, Berlin, 2009), pp. 55–73
Chapter Google Scholar
X. Wang, Y.L. Yin, H. Yu, Finding collisions in the full SHA-1, in Advances in Cryptology—Crypto 2005. LNCS, vol. 3621 (Springer, Berlin, 2005), pp. 17–36
Chapter Google Scholar
X. Wang, H. Yu, How to break MD5 and other hash functions, in Advances in Cryptology—Eurocrypt 2005. LNCS, vol. 3494 (Springer, Berlin, 2005), pp. 19–35
Chapter Google Scholar

Download references

Acknowledgements

We thank the anonymous reviewers for valuable comments. Most of this work was done while the second author was at Darmstadt University of Technology. The first and second author were supported by the Emmy Noether Program Fi 940/2-1 of the German Research Foundation (DFG). The first author is also supported by a Heisenberg grant Fi 940/3-1 of the German Research Foundation (DFG).

Author information

Authors and Affiliations

Darmstadt University of Technology, Darmstadt, Germany
Marc Fischlin
IBM Research, Zurich, Switzerland
Anja Lehmann
Institute of Science and Technology, Klosterneuburg, Austria
Krzysztof Pietrzak

Authors

Marc Fischlin
View author publications
You can also search for this author in PubMed Google Scholar
Anja Lehmann
View author publications
You can also search for this author in PubMed Google Scholar
Krzysztof Pietrzak
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Anja Lehmann.

Additional information

Communicated by Yevgeniy Dodis.

This is the full version of the papers Multi-Property Preserving Combiners for Hash Functions (appeared in Theory of Cryptography—TCC 2008, LNCS 4948, pp. 372–389, Springer, 2008) and Robust Multi-Property Combiners for Hash Functions Revisited (appeared in ICALP 2008, LNCS 5125, pp. 655–667, Springer, 2008).

Rights and permissions

Reprints and permissions

About this article

Cite this article

Fischlin, M., Lehmann, A. & Pietrzak, K. Robust Multi-Property Combiners for Hash Functions. J Cryptol 27, 397–428 (2014). https://doi.org/10.1007/s00145-013-9148-7

Download citation

Received: 27 October 2010
Published: 28 March 2013
Issue Date: July 2014
DOI: https://doi.org/10.1007/s00145-013-9148-7

Key words

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

Robust Multi-Property Combiners for Hash Functions

Abstract

Similar content being viewed by others

Cryptophia’s Short Combiner for Collision-Resistant Hash Functions

Breaking and Fixing Cryptophia’s Short Combiner

Security Definitions for Hash Functions: Combining UCE and Indifferentiability

1 Introduction

The Problem with Multiple Properties

Our Result

The Combiner Comb 4P

Preserving \(\textsf{\textit{IRO}}\)

Preserving One-Wayness

Weak vs. Strong Robustness

Organization

2 Preliminaries

2.1 Hash Functions and Their Properties

2.2 Robust Multi-Property Hash Combiners

Definition 2.1

3 The \(\mathcal {C} _{4 \mathsf {P} } \) Combiner for CR, PRF, TCR, and MAC

3.1 Our Construction

3.2 Multi-Property Robustness

Theorem 3.1

Lemma 3.2

Proof

Lemma 3.3

Proof

Lemma 3.4

Proof

Lemma 3.5

Proof

4 Preserving Indifferentiability: The \(\mathcal {C} _{4 \mathsf {P} \&\textsf {IRO}} \) Combiner

4.1 The Combiner \(\mathcal {C} _{4 \mathsf {P} \&\textsf {IRO}} \)

Definition 4.1

4.2 \(\mathcal {C} _{4 \mathsf {P} \&\textsf {IRO}} \) is IRO-Robust

Lemma 4.2

Remark

Proof

4.3 \(\mathcal {C} _{4 \mathsf {P} \&\textsf {IRO}} \) is Robust for CR,TCR,MAC,PRF

Lemma 4.3

Proof

Lemma 4.4

Remark

Proof

Lemma 4.5

Proof

5 Preserving One-Wayness and the \(\mathcal {C} _{4 \mathsf {P} \&\textsf {OW}} \) Combiner

5.1 A Combiner for CR and OW

Theorem 5.1

Lemma 5.2

Proof

Lemma 5.3

Proof of Lemma 5.3

Claim 1

Proof

5.2 Combining Things

Theorem 5.4

Theorem 5.5

6 Weak vs. Mild vs. Strong Robustness

Proposition 6.1

Proof

Lemma 6.2

Proof

Lemma 6.3

Proof

7 Multiple Hash Functions and Tree-Based Composition of Combiners

Definition 7.1

Proposition 7.2

Proof

Proposition 7.3

Proof

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author

Additional information

Rights and permissions

About this article

Cite this article

The Combiner Comb _4P