7

In this answer and its discussion, the following distributable hash is considered:

$$\tilde H(m)\ =\ H\Bigl(\bigl(H(m_1\mathbin\| 1)\oplus H(m_2\mathbin\|2)\oplus\dots\oplus H(m_n\mathbin\|n)\bigr)\mathbin\|n\Bigr)$$

where the $m_i$ are the $n$ segments (say of fixed size) of message $m$, and $H$ is a cryptographic hash (say with $b$-bit output, assumed secure in the ROM).

What can we say about the collision-resistance of $\tilde H$ as a function of $b$ ?

fgrieu
  • Thanks for questioning my handrolled crypto! Whoops! Although IIUC it is still a valid answer, just weaker than I realised. – cypherfox Mar 15 '18 at 17:56

2 Answers

11

What can we say about the collision-resistance of $\tilde H$ as a function of $b$ ?

That it is effectively nonexistent; it is easy to generate collisions (and second preimages).

You can generate a second preimage by selecting two blocks $m'_i, m''_i$ to correspond to each original block $m_i$; you compute $H(m'_i \mathbin\| i), H(m''_i \mathbin\| i)$, and then use linear algebra (e.g. Gaussian Elimination) to see which combination of $m'_i, m''_i$ all xor the same as the original sequence of $m_i$; that combination hashes to the same value. As long as the original message is at least $b$ blocks long (that is, $n \ge b$), such a combination exists with good probability.

Once you can create second preimages, you can generate collisions by picking a message and generating a second preimage for it.

Geoffroy Couteau
poncho
  • Would this not imply an attack against PMAC? Or does the keyed-PRP defend against this? What about if we fix the key? – cypherfox Mar 15 '18 at 17:43
  • @cypherfox: it doesn't apply to PMAC, because in PMAC, the $H$ function (using the above terminology) uses a secret key (and hence the attacker can't compute it directly). If you fix the key, well yes, PMAC rather falls apart (as do a bunch of other MACs); MACs (in general) have no guaranteed security properties if the attacker knows the key – poncho Mar 15 '18 at 17:46
  • Well that is unfortunate. :/ – cypherfox Mar 15 '18 at 17:48
  • Updated my answer. – cypherfox Mar 15 '18 at 17:49
  • OR maybe my answer is still valid as they don't ask for collision resistance and intend to use it for weak-integrity (where CRC is valid) and we already don't trust the distributed participants. Thoughts? – cypherfox Mar 15 '18 at 17:51
  • Reference: M. Bellare and D. Micciancio, ‘A New Paradigm for collision-free hashing: Incrementality at reduced cost’, In W. Fumy, ed., Advances in Cryptology—EUROCRYPT'97, Springer LNCS 1233, 1997. Full paper, where it is called XHASH with details on poncho's answer in Appendix A, and related work. – Squeamish Ossifrage Mar 16 '18 at 01:17
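The second-preimage attack described in poncho's answer, as an added worked example that is not part of the original Q&A. It instantiates $H$ with full-width SHA-256 ($b = 256$) to make the point that nothing about the attack depends on a weakened hash: once $n \ge b$, finding the subset of replacement blocks whose XORs hit the original inner value is Gaussian elimination over $\mathrm{GF}(2)$, not a brute-force search. The byte encodings (4-byte big-endian block index $i$ and segment count $n$, 32-byte inner XOR) and the 16-byte random candidate blocks are my assumptions; the page fixes none of them.

```python
import hashlib
import random

# Added example, not from the original Q&A. It implements poncho's second-preimage
# attack on the question's construction H~(m) = H((XOR_i H(m_i || i)) || n) with
# H = SHA-256 (b = 256). Encodings are assumptions: the block index i and the
# segment count n are 4-byte big-endian, the inner XOR is a 32-byte big-endian value.
B = 256


def H(data: bytes) -> int:
    """The underlying hash H, modelled here by SHA-256, returned as a b-bit integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def _idx(i: int) -> bytes:
    # Assumed encoding of the index appended to each segment (and of n at the end).
    return i.to_bytes(4, "big")


def tilde_H(blocks: list) -> int:
    """H~(m) for a message m given as its list of segments m_1 .. m_n."""
    acc = 0
    for i, m_i in enumerate(blocks, start=1):
        acc ^= H(m_i + _idx(i))
    return H(acc.to_bytes(B // 8, "big") + _idx(len(blocks)))


def xor_subset(vectors: list, target: int):
    """Gaussian elimination over GF(2): return indices S with XOR of vectors[S] == target,
    or None if target lies outside their span. Ints are used as bit vectors."""
    basis = {}  # pivot bit -> (reduced vector, bitmask of the original indices it is made of)
    for idx, v in enumerate(vectors):
        mask = 1 << idx
        while v:
            p = v.bit_length() - 1
            if p not in basis:
                basis[p] = (v, mask)
                break
            bv, bm = basis[p]
            v ^= bv
            mask ^= bm
        # v == 0 here means vectors[idx] was dependent on earlier ones; it is dropped.
    mask = 0
    while target:
        p = target.bit_length() - 1
        if p not in basis:
            return None
        bv, bm = basis[p]
        target ^= bv
        mask ^= bm
    return [i for i in range(len(vectors)) if (mask >> i) & 1]


def second_preimage(blocks: list, seed: int = 0):
    """Return a different segment list with the same H~, or None if the GF(2) system
    has no solution (expected only when n < b)."""
    n = len(blocks)
    rng = random.Random(seed)  # seeded so the example is reproducible
    fresh = lambda: rng.getrandbits(128).to_bytes(16, "big")
    # Two constructed candidate replacements m'_i, m''_i for every position.
    m1 = [fresh() for _ in range(n)]
    m2 = [fresh() for _ in range(n)]
    h1 = [H(m1[i] + _idx(i + 1)) for i in range(n)]
    h2 = [H(m2[i] + _idx(i + 1)) for i in range(n)]

    want = 0  # inner XOR of the original message
    for i, m_i in enumerate(blocks, start=1):
        want ^= H(m_i + _idx(i))
    base = 0  # inner XOR if m'_i is used at every position
    for x in h1:
        base ^= x
    # Switching position i from m'_i to m''_i flips the inner XOR by d_i = h1[i] ^ h2[i],
    # so we need a subset S with XOR_{i in S} d_i == want ^ base: b linear equations in
    # n unknowns over GF(2), solvable with good probability once n >= b.
    deltas = [h1[i] ^ h2[i] for i in range(n)]
    subset = xor_subset(deltas, want ^ base)
    if subset is None:
        return None
    use_second = set(subset)
    return [m2[i] if i in use_second else m1[i] for i in range(n)]


if __name__ == "__main__":
    original = [bytes([i % 256]) * 8 for i in range(B + 24)]  # n = 280 > b = 256
    forged = second_preimage(original, seed=1)
    assert forged is not None and forged != original
    assert tilde_H(forged) == tilde_H(original)
    print("second preimage found for a %d-bit H with n = %d blocks" % (B, len(original)))
```

Every block of the forged message is fresh random data, so this also yields a collision for any message of your choosing, as the answer notes. With $n$ well below $b$ the same call returns `None`: the $n$ difference vectors span only an $n$-dimensional subspace of $\mathrm{GF}(2)^b$, which is the regime Mikero's answer below talks about.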
5

While the other answer is correct, I want to point out that the construction is theoretically collision-resistant when $n$ is a fixed constant (independent of the security parameter) and $H$ is modeled as a random oracle.

Specifically, to find a collision, the adversary would (with overwhelming probability) have to find a structure like $H(m_1 \| 1) \oplus \cdots \oplus H(m_n \| n) = H(m'_1 \| 1) \oplus \cdots \oplus H(m'_n \| n) $. For a random oracle with $b$ output bits, and an adversary who makes $q$ queries, the probability of any subset of the queries satisfying such a relation is at most $q^{2n}/2^b$.

$q^{2n}/2^b$ is technically a negligible function, which makes this construction technically collision resistant in the asymptotic sense. But it's really bad/impractical, since in practice your parameters should satisfy $b\ge 256n$.

Mikero
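The union bound behind the $q^{2n}/2^b$ figure in the answer above, carried through as an added derivation that is not part of the original answer. The extra $q^2/2^b$ term for a collision in the outer $H(\cdot\mathbin\|n)$ is my addition; it is what "overwhelming probability" above absorbs.

An adversary making $q$ random-oracle queries can only produce a $\tilde H$ collision by finding two distinct $n$-tuples of queried segments with equal inner XOR, or by colliding the outer call on distinct inputs:

$$\Pr[\text{collision in }\tilde H]\ \le\ \Pr\Bigl[\exists\,(u_1,\dots,u_n)\ne(v_1,\dots,v_n)\ \text{among the queries}:\ \bigoplus_{i=1}^{n} H(u_i\mathbin\|i)=\bigoplus_{i=1}^{n} H(v_i\mathbin\|i)\Bigr]\ +\ \frac{q^2}{2^b}.$$

For one fixed pair of distinct tuples, positions with $u_i=v_i$ cancel, and the surviving terms are pairwise distinct random-oracle inputs (the suffix $i$ keeps positions apart, and $u_i\ne v_i$ keeps the two sides apart), so their XOR is uniform on $b$ bits:

$$\Pr\Bigl[\bigoplus_{i:\,u_i\ne v_i}\bigl(H(u_i\mathbin\|i)\oplus H(v_i\mathbin\|i)\bigr)=0\Bigr]\ =\ 2^{-b}.$$

There are at most $q^n$ tuples per side, so a union bound over all pairs gives

$$\Pr[\text{collision in }\tilde H]\ \le\ \frac{q^{2n}}{2^b}+\frac{q^2}{2^b}.$$

With $q=2^{128}$ the first term is $2^{256n-b}$, which is below $1$ only once $b>256n$; that is the origin of the rule of thumb $b\ge 256n$ above. The bound also makes clear why $n$ must be a fixed constant: an adversary free to choose $n\ge b$ is in the regime of poncho's linear-algebra attack, where the count of tuples is no longer the limiting factor.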