6

Is there a concrete case where chaining cryptographic hash functions reduces security?

I'm thinking of things like md5(md5(x)) or sha256(sha1(x)), as common in password hashing (even though neither function above is suitable for it).

Filip Haglund
  • Certainly. You can break sha256( fnv1a(m)) with ease. – Thomas M. DuBuisson Mar 05 '17 at 22:03
  • @Thomas fnv doesn't seem to be a cryptographic hash function https://tools.ietf.org/html/draft-eastlake-fnv-12#section-7.1 – Filip Haglund Mar 05 '17 at 22:08
  • An obvious limitation is that breaking the collision resistance of the inner hash breaks the collision resistance of the combined hash. (The outer hash is less critical, it'd require a statistical weakness not just a cryptographic attack for it to break the combined hash) – CodesInChaos Mar 05 '17 at 22:09
  • @CodesInChaos Couldn't collision resistance be weaker than that? If you get a collision in the outer hash, I mean. – Filip Haglund Mar 05 '17 at 22:11
  • @FilipHaglund It is easier to create a collision if you control the input data than when you just have a statically sized, pseudo random input. – Maarten Bodewes Mar 05 '17 at 22:34
  • @FilipHaglund Yes, exactly my point. And CodesInChaos was rather explicit about the implication there. Perhaps you should improve your question. Consider "Is there a real life instance in which the composition of two cryptographic hash functions results in a new function that is weaker than either one individually?". – Thomas M. DuBuisson Mar 05 '17 at 22:47
  • You have to define "security": is "availability" something you are concerned with? – Ella Rose Mar 05 '17 at 23:53

1 Answer

5

Yes, there are concrete cases where chaining cryptographic hash functions reduces security; and you gave one. SHA-256(SHA-1(x)) is in particular less collision-resistant than SHA-256(x). We now know collisions for SHA-1(x), and these give collisions for SHA-256(SHA-1(x)), but not SHA-256(x).

More generally, a chain of hashes is neither more collision-resistant, nor second-preimage-resistant, than the first hash performed is. Thus inserting a weak hash as the first/inner is a recipe for weakening an otherwise fine hash.

On the other hand, SHA-256(SHA-1(x)) resists length-extension attacks when neither SHA-256(x) nor SHA-1(x) does; and SHA-256(SHA-1(x)) can be more resistant than SHA-256(SHA-256(x)) is to some attacks in some Proof-of-Work protocol; thus chaining hashes, including different hashes, can have some benefit.

fgrieu
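The answer's point that a chain is no more collision-resistant than its first hash, shown as an added example that is not part of the original answer. SHA-1 truncated to 24 bits stands in for a collision-broken inner hash (an assumption made so a collision can be found in well under a second), and all function names are illustrative.

```python
import hashlib
from itertools import count

WEAK_BYTES = 3  # assumption: 24-bit toy digest standing in for a broken inner hash


def weak_inner(data: bytes) -> bytes:
    """Hypothetical weak inner hash: SHA-1 truncated to 24 bits."""
    return hashlib.sha1(data).digest()[:WEAK_BYTES]


def chained(data: bytes) -> bytes:
    """The chain under discussion: SHA-256(inner(x))."""
    return hashlib.sha256(weak_inner(data)).digest()


def direct(data: bytes) -> bytes:
    """The strong hash applied directly to the message."""
    return hashlib.sha256(data).digest()


def find_inner_collision():
    """Birthday search over constructed inputs; a few thousand tries are
    expected for a 24-bit digest. Returns two distinct colliding messages."""
    seen = {}
    for i in count():
        msg = b"constructed-input-%d" % i
        digest = weak_inner(msg)
        if digest in seen:
            return seen[digest], msg
        seen[digest] = msg


def demo():
    a, b = find_inner_collision()
    return {
        "messages_differ": a != b,
        # The outer hash only ever sees the inner digest, so equal inner
        # digests force equal chained digests, whatever the outer hash is.
        "inner_collides": weak_inner(a) == weak_inner(b),
        "chain_collides": chained(a) == chained(b),
        # The same pair is not a collision for SHA-256 applied directly.
        "direct_collides": direct(a) == direct(b),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The search is deterministic, so repeated runs find the same pair; replacing `weak_inner` with a full-strength hash makes the search infeasible, which is the asymmetry the answer describes.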