4

For any hash functions $H_0$ and $H_1$, it is easily proved that their concatenation $H_0\|H_1$, defined by $(H_0\|H_1)(X)=H_0(X)\|H_1(X)$, is at least as resistant as the strongest of $H_0$ and $H_1$ with respect to collision-resistance, first preimage resistance, and second-preimage-resistance. Here we study another commonly assumed notion of preimage resistance, possessed by common hash functions, that (I believe) could be totally lost by concatenation for uncommon hash functions.

For a hash function $H$, define $m$-bit preimage resistance as: given $m$ and $h=H(M)$ for a random unknown $m$-bit message $M$, it is computationally hard to find a message $X$ with $H(X)=h$. For an ideal $n$-bit hash (random oracle), breaking $m$-bit preimage resistance requires about $2^{\min(m-1,n)}$ hashes (queries to the oracle). Common hashes are expected to reach that security level. $m$-bit preimage resistance is desirable e.g. when hashing an $m$-bit password (+salt).

From an $n$-bit hash $H$ secure in the Random Oracle Model, can we construct two $n$-bit hashes $H_0$ and $H_1$ such that:

  • $H_0$ and $H_1$ each are secure in the ROM, to near the theoretical optimum;
  • for any $m\le n$, $H_0\|H_1$ has no $m$-bit preimage resistance (there's a fast algorithm to solve the problem defining $m$-bit preimage resistance)?

My guess is yes. A simpler construction than what I had in mind shows just that.

What's the best level of $m$-bit preimage resistance that we can demonstrate for $H_0\|H_1$?

Community
  • 1
fgrieu
  • 140,762
  • 12
  • 307
  • 587
  • In bullet 2, did you mean to write "almost no $m$-bit preimage resistance?" Or do you mean the specific case where $m=n$? – cpast Mar 17 '15 at 22:41
  • 1
    Your first statement is wrong: Concatenating two hash functions may be good for second-preimage and collision resistance, but is less secure for first-preimage resistance. You only need to break the weaker of both hashes to get the original message, or you could use some common properties between the two hash functions to attack the result even better. – Nova Mar 18 '15 at 04:24
  • @Nova: My first statement was indeed wrong. However I'm not sure that I agree with your proof. I've been making the same proposition, and have since prudently backed out. Exactly what definition of first-preimage resistance are you taking? Find preimage for a random element of the destination set, or find preimage for the hash of a random unknown element of the source set? Or is it a random unknown element of some subset of the source set? – fgrieu Mar 18 '15 at 06:36
  • As far as I understand (first-)preimage resistance is if you can find the / a original message for a given hash value. Is that wrong? I would be glad if you could correct me then. – Nova Mar 18 '15 at 06:39
  • The definition of the HAC is: "preimage resistance — for essentially all pre-specified outputs, it is computationally infeasible to find any input which hashes to that output". There is no notion of finding the original message, or that it is short. The given is a random element among possible hashes (or is it the hash of a random thus presumably huge message). If we concatenate good independent hashes (like SHA-256 and SHA-512 truncated to 256 bits), we obtain one that is much more resistant to that than the originals. – fgrieu Mar 18 '15 at 09:02
  • 1
    Preimage resistance is indeed much more difficult to define than most basic texts pretend. Many natural definitions are defective in that obviously insecure constructions are secure according to the definition (e.g. choose an element at random from the co-domain: the preimage-finder must find a preimage of that element). I think a plausible definition is: the adversary chooses a suitable plaintext distribution, you sample from the distribution and compute the hash value, finally the adversary recovers any preimage. Under this definition, concatenation is not preimage-resistance-preserving. – K.G. Mar 18 '15 at 11:03
  • 1
    If $H_0$ and $H_1$ are independent hashes, the intuitive result holds in ROM, I guess. – K.G. Mar 18 '15 at 11:06
  • I do not understand the final question. Are you looking for a preimage secure concatenation? Why $H_0= H_1=H$ does not work? – Dmitry Khovratovich Mar 19 '15 at 10:00

1 Answers1

6

If we use $H_1(X) = H_0(X) \oplus firstnbits(X)$, this would seem to be trivial.

EDIT: As Cédric Van Rompay pointed out, this is only a counterexample if $H_1$ winds up being preimage-resistant. This may not be a necessary consequence of $H_0$ being preimage-resistant, but I really only need one case where it is.

Gordon Davisson
  • 608
  • 1
  • 4
  • 11
  • Yes, that's simplest (thus better) than what I had in mind! $;$ Can the last part of the question be so conclusively answered? – fgrieu Mar 18 '15 at 10:30
  • 1
    Could you explain why $H_1$ is secure ? I can't manage to prove it assuming $H_0$ is secure. One could say "$firstnbits(X)$ acts as a one-time pad in preimage (if you're given $H_1(X)$ and not $X$)", but I'm struggling at proving that if someone win preimage for $H_1$ then it can win preimage for $H_0$. – Cédric Van Rompay Mar 18 '15 at 12:27
  • 4
    @Cédric Van Rompay. I too fail to prove that (and have some doubt about if) preimage-resistance of $H_0$ implies preimage-resistance of $H_1$. However if we assume $H_0=H$ is secure in the Random Oracle Model (as in the question's statement), then it can be proven that $H_1$ is secure in the ROM, which implies whatever preimage resistance. As often is, security in the ROM is the most powerful and useful model for a good hash. – fgrieu Mar 18 '15 at 12:49
  • @CédricVanRompay I can't see a way to prove it either, so I'll just add it in as an assumption. – Gordon Davisson Mar 19 '15 at 01:14
  • The part of the question "What's the best level of $m$-bit preimage resistance that we can demonstrate for $H_0|H_1$?" remains unanswered. – fgrieu Mar 23 '15 at 18:34