We have a collision resistant hash function (based MD construction) H with 2n bits hash value size. Call chop(H) is a chopping n-bits from H's hash output. How can I prove a chop(H) is collision resistant with n-bit?
Asked
Active
Viewed 163 times
0
-
Welcome to Cryptography. The chop actually is called truncation. Hint: Consider that it is not collision-resistant. What can you say about H? Also, the truncated version may not be collision-resistant due to the truncated bit size. – kelalaka May 15 '20 at 17:03
-
What hypothesis do you have on the compression function iterated in the MD construction? And in your definition of collision-resistance, does the cost scale with the width of the hash? – fgrieu May 15 '20 at 17:27
2 Answers
1
It's not true. Let G be a collision resistant hash function from arbitrary input to n bit output. Let $H(x) = 0^n || G(x)$ i.e prepend a bunch of zeros to G.
It therefore follows chop(H) = 0. Which is by no means collision resistant nor does it have any desireable cryptographic properties.
If you want to use MD you can use the flawed H construction above as the compression function and you get same result.
Meir Maor
- 11,835
- 1
- 23
- 54
0
How to prove a chop(H) is collision resistant with n-bit?
Is this statement true? Is it true that all collision resistant hash functions remain collision resistant after chopping?
As a hint, you might want to consider this question.
poncho
- 147,019
- 11
- 229
- 360
-
-
Well, what's the answer? Could you define a collision resistant hash function that becomes non-collision resistant after chopping? – poncho May 15 '20 at 17:42
-
OP is likely confusing it with length extension attacks. Hash functions that are vulnerable to length extension attacks are not in their truncated versions, OP probably mixed them up because these two are probably the most talked about attacks for hash functions. – Manish Adhikari Jun 11 '21 at 05:41