5

It is possible to convert a pre-image resistant function $f:\{0,1\}^{n}\rightarrow \{0,1\}^{n}$ to a second-preimage resistant function? I am thinking to use a pseudo-random generator and construct that second pre-image resistant function in this way:

$$F(x)=f(x)+\text{PRNG}(x).$$

What kind of tests I need to make to verify this function is second-preimage resistant?

yyyyyyy
  • 12,081
  • 4
  • 47
  • 68
juaninf
  • 2,701
  • 2
  • 18
  • 28
  • Just let me quickly recap this: $f$ is pre-image resistant and $F$ should be pre-image resistant and second pre-image resistant? – SEJPM Jul 26 '15 at 13:01
  • @SEJPM Yes it is – juaninf Jul 26 '15 at 13:06
  • 1
    Related: http://crypto.stackexchange.com/questions/27071/converting-a-pre-image-resistance-to-second-pre-image-resistance – otus Jul 26 '15 at 13:30
  • The constructions of that paper are not for preimage-resistance. – juaninf Jul 26 '15 at 13:36
  • You would need to make the same tests as for any arbitrary construction: http://crypto.stackexchange.com/q/183/991 –  Jul 26 '15 at 13:57
  • @juaninf Is the restriction of the input of $f$ to ${0,1}^n$ (instead of ${0,1}^*$) for a particular reason? – mikeazo Jul 29 '15 at 15:06
  • 2
    @mikeazo The length preservation indeed makes things a bit trivial. to "convert" just ignore the function and use the identity function instead (or any other permutation for that matter). Since there is only one preimage for each image, there can be no second preimage attack. – Maeher Jul 29 '15 at 16:04
  • 1
    @Maeher but with the identity function, you don't have preimage resistance. – mikeazo Jul 29 '15 at 16:23
  • @Maeher: to add to mikeazo's comment, if $f$ is pre-image resistant and injective then it is trivially second pre-image resistant. But it could be the case that the image of $f$ is only a subset of ${0,1}^n$. – ckamath Feb 14 '17 at 19:48

0 Answers0