
Suppose there is a cryptographic hash function $H : \{0,1\}^* \to \mathbb G$. Now, we want to define a hash function $H' : \{0,1\}^* \to \mathbb G \times \mathbb G $.

My first idea is to define $H'$ in the following way:

$H'(x) = (H(x||'0'), H(x||'1'))$

Is $H'$ cryptographically secure? If not, can you propose a secure construction that uses $H$?

The motivation behind this question is that some crypto libraries (e.g., Charm) provide functions for hashing to groups (e.g., $H$), but in some cases you need custom hash functions (e.g., $H'$).

cygnusv
  • Two comments: 1) your construction looks very much like KDF2, which is probably secure. 2) you won't double your security using this construction (but I don't think you intended to do that). If $x$ is relatively small you could use any KDF, using $x$ as secret. – Maarten Bodewes Apr 11 '16 at 12:22
  • You might want to clarify what it needs to be secure against. – Maarten Bodewes Apr 11 '16 at 12:25
  • @MaartenBodewes "your construction looks very much like KDF2, which is probably secure". Do you mean "probably" or "provably"? Regarding the intended security notion, I wasn't targeting anything in particular... I guess the usual stuff (pre-image resistance, collision resistance, etc). I basically wanted to know if my original idea has some inherent problem, or if maybe there is a standard way to do this. – cygnusv Apr 11 '16 at 13:17
  • No, probably secure. Note that I asked the question about the security of the KDF1/2 constructs. Look for something based on HMAC such as HKDF for better proofs. – Maarten Bodewes Apr 11 '16 at 13:21
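
An added example, not part of the original post or of Charm: the question's construction $H'$ over a stand-in $H$, generalized to $n$ components, showing that the index suffix has to be fixed-width once a decimal index can take more than one digit. The toy group, the SHAKE-based `H` and all function names are assumptions made for illustration.

```python
import hashlib

# Toy group, constructed for this example: P = 2*Q + 1 is a safe prime and the
# squares mod P form the subgroup G of prime order Q. Far too small for real use.
P, Q = 2039, 1019

def H(data: bytes) -> int:
    """Stand-in for a library's hash-to-group H: {0,1}* -> G (an assumption)."""
    # 64 bytes of SHAKE-256 output make the bias of the modular reduction negligible.
    h = int.from_bytes(hashlib.shake_256(data).digest(64), "big")
    return pow(h % (P - 1) + 1, 2, P)  # square of a value in [1, P-1] lies in G

def h_prime(x: bytes) -> tuple:
    """The construction from the question: H'(x) = (H(x||'0'), H(x||'1'))."""
    return H(x + b"0"), H(x + b"1")

def encode_decimal(x: bytes, i: int) -> bytes:
    """Naive extension of the '0'/'1' suffix: decimal index, variable width."""
    return x + str(i).encode()

def encode_fixed(x: bytes, i: int) -> bytes:
    """One-byte index: the last byte is always the index, so (x, i) is recoverable."""
    return x + bytes([i])  # raises ValueError for i > 255

def hash_tuple(x: bytes, n: int, encode) -> tuple:
    """H'_n(x) = (H(encode(x, 0)), ..., H(encode(x, n-1)))."""
    return tuple(H(encode(x, i)) for i in range(n))

def distinct_inputs(encode, xs, n: int) -> int:
    """Number of distinct byte strings fed to H over all (x, i) pairs."""
    return len({encode(x, i) for x in xs for i in range(n)})

if __name__ == "__main__":
    xs = [b"a", b"a1", b"a\x01"]  # constructed sample messages
    print(h_prime(b"a"))
    print(distinct_inputs(encode_fixed, xs, 11))    # 33: every (x, i) is separate
    print(distinct_inputs(encode_decimal, xs, 11))  # 32: "a"||"10" == "a1"||"0"
    # With the decimal suffix, outputs for different messages are forced equal:
    print(hash_tuple(b"a", 11, encode_decimal)[10] ==
          hash_tuple(b"a1", 11, encode_decimal)[0])
```

With only the two suffixes `'0'` and `'1'` the inputs to $H$ never coincide, because the last byte always differs between the two components; the ambiguity appears only when the suffix length varies.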

0 Answers