3

I need a cryptographic hash function that will hopefully be strong even in 50 years. Performance is not an issue. Calculating and verifying can take a huge amount of time if needed. The size of the hash can be huge too (let's say up to 10MB). Collisions are not a big threat. I mainly want it to be second-preimage-resistant.

Of course I have no problem using one or more existing hashes.

My first thought was:

$h'(x) := h(a_1 \parallel x) \parallel h(a_2 \parallel x) \parallel h(a_3 \parallel x) \parallel \dots$

where $a_n$ are known prefixes. But I don't know how good it is. If $h$ is md4, how hard is it to find a second preimage to $h'$?

Other ideas?

Patriot
ashidc
  • If collisions are not a threat, then use a 512-bit hash function. That will protect you against classical and quantum attacks. SHA-512, SHA3-512 should be enough for you. – kelalaka Jul 11 '21 at 12:38
    If any attack is found it is not the output size that matters; it's the hash function that gets broken. Creating a hash from e.g. SHA-512 and SHA-3-512 would make more sense as they use rather different methods; it's unlikely that they get broken simultaneously. Early TLS protocols concatenated an MD5 and SHA-1 hash within the signature format, if I remember correctly. – Maarten Bodewes Jul 11 '21 at 12:45
  • Please check how much is already answered in this answer. I would have closed it as a dupe already if you hadn't excluded collisions. – Maarten Bodewes Jul 11 '21 at 12:56
  • @MaartenBodewes Thanks. Though it has completely different focus than mine. The author cares mostly about "the original preimage". – ashidc Jul 11 '21 at 13:06
  • @MaartenBodewes Regarding "it's not the output size that matters": I didn't think it does. I just thought it is harder to find this preimage, because you need to find one $x$ such that h(a1 || x) == output1 AND h(a2 || x) == output2. – ashidc Jul 11 '21 at 13:08
  • Just a quickie: Why do you need a cryptographic hash function that will hopefully be strong even in 50 years? – Paul Uszak Jul 11 '21 at 14:13
  • Are you limiting yourself to building off of a single existing hash function? One obvious approach would just be to combine the output of several different ones. – bmm6o Aug 10 '21 at 17:21

2 Answers

3

As mentioned in the comments, an existing 512 bit hash is quite likely to be sufficient.

However, if you are truly paranoid (and want to protect yourself against potential cryptographical breakthroughs), the obvious thing to do is rely on several cryptographically distinct hash functions concatenated together. For example:

$$H(x) = \text{SHA2-512}(x) \parallel \text{SHA3-512}(x) \parallel \text{Whirlpool}(x)$$

By concatenating them together, we ensure that any second-preimage attack would have to be a second-preimage attack on all three; all three are (to the best of our knowledge) individually secure (actually, overkill). And, the internals of the three are sufficiently different that it appears quite unlikely that a cryptographical attack on one would apply to the other two.

poncho
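The construction in this answer, together with the prefixed construction $h'(x)$ from the question, as an added example that is not code from either the answer or the question. It assumes Python's `hashlib`; because Whirlpool is not guaranteed to be present in `hashlib` (it depends on the OpenSSL build), BLAKE2b-512 stands in for it as the third, structurally different primitive. That substitution, the function names and the sample input are all assumptions of this example. The `verify` function checks the whole concatenation in constant time, and `matching_components` shows the point of the construction: a candidate second preimage that satisfies only one primitive never passes verification.

```python
import hashlib
import hmac
from typing import Callable, Sequence

# Added example, not code from the original answer. BLAKE2b-512 stands in for
# Whirlpool (assumption: Whirlpool is not reliably available in hashlib).

DIGEST_LEN = 64  # every component used here produces a 512-bit digest


def sha2_512(m: bytes) -> bytes:
    return hashlib.sha512(m).digest()


def sha3_512(m: bytes) -> bytes:
    return hashlib.sha3_512(m).digest()


def blake2b_512(m: bytes) -> bytes:
    return hashlib.blake2b(m, digest_size=DIGEST_LEN).digest()


# Structurally unrelated designs: Merkle-Damgard (SHA-2), sponge (SHA-3),
# HAIFA/ChaCha-based (BLAKE2).
COMPONENTS = (
    ("sha2-512", sha2_512),
    ("sha3-512", sha3_512),
    ("blake2b-512", blake2b_512),
)


def concat_hash(msg: bytes) -> bytes:
    """H(x) = SHA2-512(x) || SHA3-512(x) || BLAKE2b-512(x), 192 bytes in total."""
    return b"".join(h(msg) for _, h in COMPONENTS)


def verify(msg: bytes, expected: bytes) -> bool:
    """Accept msg only if the entire concatenation matches.

    A second preimage for H therefore has to be a second preimage for every
    component at once. The comparison is constant-time so that a partial
    match (one component satisfied, the others not) leaks nothing via timing.
    """
    if len(expected) != DIGEST_LEN * len(COMPONENTS):
        return False
    return hmac.compare_digest(concat_hash(msg), expected)


def matching_components(msg: bytes, expected: bytes) -> list:
    """Names of the components whose slice of `expected` is satisfied by msg.

    Useful when reasoning about a candidate second preimage: an attack that
    breaks only one primitive produces a list of length one, not a full match.
    """
    matched = []
    for i, (name, h) in enumerate(COMPONENTS):
        lo, hi = i * DIGEST_LEN, (i + 1) * DIGEST_LEN
        if hmac.compare_digest(h(msg), expected[lo:hi]):
            matched.append(name)
    return matched


def prefixed_hash(h: Callable[[bytes], bytes], msg: bytes,
                  prefixes: Sequence[bytes]) -> bytes:
    """The question's h'(x) = h(a_1 || x) || h(a_2 || x) || ...

    Every block comes from the same primitive h; the concat_hash construction
    above instead mixes unrelated designs, which is what the answer recommends.
    """
    return b"".join(h(p + msg) for p in prefixes)


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    original = b"archive-2021-07-11.tar"
    tag = concat_hash(original)
    print(tag.hex())
    print(verify(original, tag), verify(b"archive-2021-07-12.tar", tag))
    print(prefixed_hash(sha2_512, original, [b"a1", b"a2", b"a3"]).hex())
```

Storing the digest of each component separately (or, as here, at a fixed offset) also lets a verifier later drop a component that has been broken without rehashing the data under the remaining ones.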
-1

Err, 50 years?

You can't. You're predicting the future. These are also predictions of the future. I truly believe that the flame throwing snow ploughs are right around the corner.

Total future-proof security does exist as a concept. One-time pads and secret sharing are informationally secure, which means for all time. That's why we still use one-time pads for diplomatic messages. Consider this polynomial hash then. But given the earlier link, how do we convince anyone that a security metric of $2^{-32}$ or even $2^{512}$ can't be overcome? I didn't say brute forced, I said overcome. Re-linearisation, the Algomorov technique, parallel quantum computing, mathematical advances and flame throwers demonstrate that we can't see more than a few years into the future. Cough, cough, I feel really hot...

Remember:

"I think there is a world market for about five computers."

-- Thomas J Watson, President IBM.

Paul Uszak
  • I understand, of course. Nonetheless, I'd love to have some best-effort solution. If it breaks, it breaks. My life doesn't depend on this. But like I asked, I'd like to understand how I can make a stronger hash, given my constraints, existing hashes, and flexibility (calculation and validation time, and storage can be huge). – ashidc Jul 13 '21 at 18:39