
There have been several attacks against hash functions such as $h_{sha1}$ and $h_{md5}$.

Professor A suggests a new function $h_{666}$ with an output length of 666 bits.

Professor B suggests combining the two functions $h_B=h_{sha1}(h_{md5}(m))$.

Professor C suggests combining all four functions $h_C=h_{md5}(m) \oplus h_{sha1}(m) \oplus h_B(m) \oplus h_{666}(m)$, where short messages are padded with zeros where necessary.

Explain / prove why each and every one of these functions may be less safe than $h_{sha1}$.

I couldn't think of anything to say about $h_{666}$, since we know nothing about it, except that it has a constant output length, which I know many other hash functions have. I thought it might have to do with the length not being a multiplication of 2, but couldn't reach a specific conclusion.

I think $h_B$ is bad because we know that $h_{md5}$ has collisions, and such collisions will affect $h_B$ as well.

Couldn't exactly understand what's wrong with $h_C$, unless again it has to do with collisions of $h_{md5}$ and/or the safety of $h_{666}$.

Any help would be appreciated, thanks!

Cauthon
  • Which security properties do you want? – CodesInChaos Jun 21 '15 at 21:35
  • I'm looking for any security problems that show that these "improvements" aren't really better than the standard SHA-1 hash (i.e. collisions, cannot be inverted, etc.) – Cauthon Jun 21 '15 at 21:38
  • @CodesInChaos I think I see what you mean - knowing nothing about this $h_{666}$, it can collide and produce zeros for $h_C$. – Cauthon Jun 21 '15 at 21:41
  • I didn't quite get @fgrieu's comment though. – Cauthon Jun 21 '15 at 21:41
  • @fgrieu I think the zero-padding referred to the individual hashes, expanding them all to 666 bits so you can xor them, not the messages. – CodesInChaos Jun 21 '15 at 21:43
  • Since there are no restrictions on what $h_{666}$ is, and the question says "may be less safe", you're allowed to assume the worst about $h_{666}$. For A) you could assume that it returns a constant value. For C) what if $h_{666}=h_{md5}(m) \oplus h_{sha1}(m) \oplus h_B(m)$ plus some constant padding? – CodesInChaos Jun 21 '15 at 21:44
  • I think the meaning for $h_{666}$ is that it is a hash function, i.e. it doesn't return a constant value, but there's something wrong with having a constant output size of 666 bits. Maybe I'm wrong though, and that would be a great refutation of $h_{666}$ :) – Cauthon Jun 21 '15 at 21:45
  • @CodesInChaos: ah, your reading makes sense and I rescind my former $h_{666}$. Yours is fine, and I immediately see no trivial attack against it in isolation. It's thus better than my idea of leaking $m$, going like: the right $218$ bits of $h_{666}$ are the left $218$ bits of ($m$ right padded with zeroes), the left of $h_{666}$ is some proper hash; which is not safe against first-preimage for messages up to $218$ bits, and $h_C$ inherits that weakness. – fgrieu Jun 21 '15 at 21:55
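The following Python script is an added worked example, not part of the question or of any comment. It makes the three points concrete under the reading in the comments (each digest is left-aligned and zero-padded to 666 bits before the xor): a collision of the inner function is automatically a collision of $h_B$; the adversarial $h_{666}$ proposed by CodesInChaos turns $h_C$ into a constant; and the leaking $h_{666}$ sketched by fgrieu lets anyone read a short message straight out of $h_C$, because the three real digests only cover the top 160 of the 666 bits. Assumptions made for the demo: the inner hash with a known collision is stand-in `inner_weak` (MD5 truncated to 24 bits, so a birthday search finds a collision offline instead of embedding a published MD5 collision pair), the "proper hash" part of the leaky $h_{666}$ is SHA-512 truncated to 448 bits, and `CONST` is an arbitrary constant.

```python
"""Added example: concrete checks of h_B = sha1(md5(m)) and
h_C = md5(m) xor sha1(m) xor h_B(m) xor h_666(m), digests zero-padded
to 666 bits. h_666 is modelled as a function returning a 666-bit int."""
import hashlib

OUT_BITS = 666                 # width of h_666 and of h_C
MASK_218 = (1 << 218) - 1      # low 218 bits, where the leaky h_666 puts the message


def md5(m: bytes) -> bytes:
    return hashlib.md5(m).digest()


def sha1(m: bytes) -> bytes:
    return hashlib.sha1(m).digest()


def h_B(m: bytes) -> bytes:
    """Professor B: sha1 applied to the md5 digest."""
    return sha1(md5(m))


def pad666(digest: bytes) -> int:
    """Left-align a digest in a 666-bit field, zero bits on the right."""
    return int.from_bytes(digest, "big") << (OUT_BITS - 8 * len(digest))


def h_C(m: bytes, h666) -> int:
    """Professor C: xor of the four (padded) digests."""
    return pad666(md5(m)) ^ pad666(sha1(m)) ^ pad666(h_B(m)) ^ h666(m)


# --- 1. h_B: any collision of the inner function is a collision of h_B -------
# Assumed stand-in for an inner hash with findable collisions (md5 truncated to
# 24 bits, so a birthday search needs a few thousand trials). A published md5
# collision pair plugs into hB_collides the same way.
def inner_weak(m: bytes) -> bytes:
    return md5(m)[:3]


def find_inner_collision():
    """Birthday search over constructed messages b'message-0', b'message-1', ..."""
    seen = {}
    i = 0
    while True:
        m = b"message-%d" % i
        d = inner_weak(m)
        if d in seen:            # messages are distinct, so this is a true collision
            return seen[d], m
        seen[d] = m
        i += 1


def hB_collides(m1: bytes, m2: bytes) -> bool:
    """sha1(inner(m1)) == sha1(inner(m2)) follows from inner(m1) == inner(m2)."""
    return m1 != m2 and sha1(inner_weak(m1)) == sha1(inner_weak(m2))


# --- 2. h_C with the adversarial h_666 from the comments (CodesInChaos) -------
CONST = 0x5A5A  # assumed arbitrary constant padding


def h666_malicious(m: bytes) -> int:
    """h_666 = md5 xor sha1 xor h_B xor CONST: cancels the other three terms."""
    return pad666(md5(m)) ^ pad666(sha1(m)) ^ pad666(h_B(m)) ^ CONST
# Under this h_666, h_C(m) == CONST for every m: no collision or preimage
# resistance at all, although h_666 itself has no obvious weakness.


# --- 3. h_C with the leaking h_666 from the comments (fgrieu) ----------------
def h666_leaky(m: bytes) -> int:
    """Top 448 bits: a sound hash (assumed: truncated sha512).
    Low 218 bits: the first 218 bits of m, right-padded with zeros."""
    proper = int.from_bytes(hashlib.sha512(m).digest()[:56], "big")
    leak = int.from_bytes(m[:28].ljust(28, b"\x00"), "big") >> 6   # 224 -> 218 bits
    return (proper << 218) | leak


def first_preimage_short(hc: int):
    """First preimage of h_C(m, h666_leaky) for any m of at most 27 bytes.
    md5, sha1 and h_B sit in the top 160 bits (666 - 160 = 506 > 218), so the
    low 218 bits of h_C are exactly the leaked message prefix; only the length
    has to be guessed, and each guess is verified by recomputing h_C."""
    prefix = ((hc & MASK_218) << 6).to_bytes(28, "big")
    for length in range(28):
        cand = prefix[:length]
        if h_C(cand, h666_leaky) == hc:
            return cand
    return None


if __name__ == "__main__":
    m1, m2 = find_inner_collision()
    print("h_B collision:", m1, m2, hB_collides(m1, m2))
    print("h_C constant:", h_C(b"alpha", h666_malicious) == h_C(b"beta", h666_malicious))
    print("h_C preimage:", first_preimage_short(h_C(b"attack at dawn", h666_leaky)))
```

The only thing the exercise says about $h_{666}$ is its output length, so "may be less safe" is answered by exhibiting one admissible $h_{666}$ that breaks $h_C$; the script exhibits two. The $h_B$ check is independent of $h_{666}$: composing a second function after a function with known collisions cannot remove those collisions.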
