
I'm reading the fourth edition of "Cryptography: Theory and Practice" by D.R. Stinson and M.B. Paterson. In the book, they have mentioned the concept of "collision-resistant hash" and I've stumbled upon the following question from another source:

Is there a collision resistant hash function $h(x)=h_1(x)\oplus h_2(x)$ so that $h_1$ and $h_2$ are not collision resistant?

It seems interesting to think about it, but I couldn't find any relevant answers for this topic…

fgrieu
Dniel BV
  • HINT: Consider a 256-bit hash function where the last 128-bits of output are all set to zero. – Daniel S Dec 01 '22 at 17:31
  • Nice solution :) Thank you! – Dniel BV Dec 01 '22 at 18:47
  • @DnielBV Consider answering the question yourself using the hint. – tur11ng Dec 01 '22 at 20:55
  • @JAAAY This is considered a homework question, so we only provide hints in comments, see our current homework policy – Maarten Bodewes Dec 02 '22 at 12:24
  • @MaartenBodewes This is the reason I tagged OP in order to answer the question if he managed to figure out the solution and I didn't tag Daniel that provided the hint. – tur11ng Dec 02 '22 at 13:08
  • @JAAAY Oh, OK, but that would kind of defeat the purpose of only providing hints. That's not so much for the OP's purpose, but more for not answering exercises. A lot of these questions are only useful as part of an exercise. – Maarten Bodewes Dec 02 '22 at 13:18
  • It is worth noting that the current hint gives a quite inefficient example, in terms of the work factor to produce new collisions for the component hashes. One can construct examples where generating collisions for the components is essentially free (hint: think about preimages of zero). – Polytropos Dec 04 '22 at 07:30

1 Answer

Let $g$ be a collision-resistant hash. We build $h_1$ to be $g$ with the first half replaced with all zeros, and $h_2$ to be $g$ with the second half replaced with all zeros. Neither is collision-resistant, as both have effectively half the bit strength they should. Yet their XOR is exactly the $g$ we assumed to be collision-resistant.

fgrieu
Meir Maor
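The construction from the answer above, as an added example that is not part of the original post. It assumes SHA-256 as the stand-in for $g$ and generalizes the output length to `n_bytes`, so that a 4-byte toy version makes the birthday searches finish instantly; all function names are illustrative.

```python
import hashlib
from itertools import count

def make_hashes(n_bytes=32):
    """Return (g, h1, h2). g is SHA-256 truncated to n_bytes (assumed stand-in for g)."""
    half = n_bytes // 2

    def g(x):
        return hashlib.sha256(x).digest()[:n_bytes]

    def h1(x):  # g with the first half replaced by zeros
        return bytes(half) + g(x)[half:]

    def h2(x):  # g with the second half replaced by zeros
        return g(x)[:half] + bytes(n_bytes - half)

    return g, h1, h2

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def birthday(h, differs_under=None):
    """Birthday search over 8-byte counter inputs.

    Returns (x, y, trials) with x != y and h(x) == h(y). If differs_under is
    given, only pairs that do NOT collide under that function are accepted.
    """
    seen = {}
    for i in count():
        x = i.to_bytes(8, "big")
        y = seen.setdefault(h(x), x)  # first input seen with this digest
        if y != x and (differs_under is None or differs_under(x) != differs_under(y)):
            return y, x, i + 1

if __name__ == "__main__":
    # Toy size: 32-bit g, so each of h1 and h2 carries only 16 useful bits.
    g, h1, h2 = make_hashes(4)
    for name, h, guard in (("h1", h1, g), ("h2", h2, g), ("g", g, None)):
        a, b, trials = birthday(h, guard)
        print(f"{name}: collision after {trials} inputs, "
              f"g(a)={g(a).hex()} g(b)={g(b).hex()}")
```

Run as a script, it prints how many inputs each search needed: the component hashes collide after far fewer inputs than the toy $g$, and the pairs that collide under $h_1$ or $h_2$ still have different values under $h_1 \oplus h_2 = g$.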