## Non-trivial black-box combiners for collision-resistant hash-functions don’t exist (2007)

Venue: | In Proc. Eurocrypt ’07 |

Citations: | 9 - 1 self |

### BibTeX

@INPROCEEDINGS{Pietrzak07non-trivialblack-box,

author = {Krzysztof Pietrzak},

title = {Non-trivial black-box combiners for collision-resistant hash-functions don’t exist},

booktitle = {In Proc. Eurocrypt ’07},

year = {2007},

publisher = {Springer-Verlag}

}

### OpenURL

### Abstract

1 Introduction A function H: f0; 1g

### Citations

214 | H.: How to break MD5 and other hash functions
- Wang, Yu
(Show Context)
Citation Context ... can find two inputs M �= M ′ where H(M) = H(M ′ ), such a pair (M, M ′ ) is called a collision for H. 1 In the last few years we saw several attacks on popular CRHFs previously believed to be secure =-=[17, 18]-=-. Although provably secure 2 hash-functions exist (see e.g. [3] and references therein), they are rather inefficient and rarely used in practice. As we do not know which of the CRHFs used today will s... |

197 | One-way functions are necessary and sufficient for secure signatures
- Rompel
- 1990
(Show Context)
Citation Context ...that for some applications (in particular for signature schemes) collision resistance is not necessary, as universal one-way hash-functions are enough. Those can be constructed from one-way functions =-=[10, 15]-=-. Merkle and Damg˚ard show that by iterating a CRHF with fixed input length, one gets a CRHF for inputs of arbitrary length. Most CRHFs used today follow this approach. Coron et al. [4] show that the ... |

168 | Finding collisions in the full SHA-1
- Wang, Yin, et al.
- 2005
(Show Context)
Citation Context ... can find two inputs M �= M ′ where H(M) = H(M ′ ), such a pair (M, M ′ ) is called a collision for H. 1 In the last few years we saw several attacks on popular CRHFs previously believed to be secure =-=[17, 18]-=-. Although provably secure 2 hash-functions exist (see e.g. [3] and references therein), they are rather inefficient and rarely used in practice. As we do not know which of the CRHFs used today will s... |

93 |
Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions
- Joux
- 2004
(Show Context)
Citation Context ... the time a burglar needs to break the k locks by a factor of k, but there’s hope that some particular lock might turn out to be much harder to come by than the others.ssome small modifications. Joux =-=[9]-=- shows that for iterated hash-functions (like the Merkle-Damg˚ard construction) finding many values which hash to the same value is not much harder than finding an ordinary collision. As a consequence... |

72 | Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions
- Simon
- 1998
(Show Context)
Citation Context ...ven more in the recent years as widely used (presumably) collision-resistant hash-functions as MD5 or SHA-1 have been broken [17, 18]. Here we only mention some of the generic results on CRHFs. Simon =-=[16]-=- shows that collision-resistant hash-functions cannot be constructed form one-way functions via a black-box reduction. On the positive side, Naor and Yung [13] show that for some applications (in part... |

39 |
Yevgeniy Dodis, Cécile Malinaud, and Prashant Puniya. Merkle-Damg˚ard revisited: How to construct a hash function
- Coron
- 2005
(Show Context)
Citation Context ...functions [10, 15]. Merkle and Damg˚ard show that by iterating a CRHF with fixed input length, one gets a CRHF for inputs of arbitrary length. Most CRHFs used today follow this approach. Coron et al. =-=[4]-=- show that the Merkle-Damg˚ard construction does not give a random function if instantiated with a random function (which was not the design goal of this construction), but that this can be achieved w... |

35 | Chosen-ciphertext security of multiple encryption
- Dodis, Katz
- 2005
(Show Context)
Citation Context ... (k, ℓ)-robust combiners.sprimitives is secure is quite old. 6 The early results are on symmetric encryption schemes [1, 6, 11]. Combiners for asymmetric primitives were constructed by Dodis and Katz =-=[5]-=- (for CCA secure encryption schemes) and Harnik et al. [7] (for key-agreement). The general notion of a combiner was put forward by Herzberg [8] who calls them “tolerant combiners”. In recent works on... |

29 | On robust combiners for oblivious transfer and other primitives - Harnik, Kilian, et al. - 2005 |

29 |
On the power of cascade ciphers
- Even, Goldreich
- 1985
(Show Context)
Citation Context ...detail in the next section. 5 Or for ℓ − k + 1 of the hash-functions if we consider (k, ℓ)-robust combiners.sprimitives is secure is quite old. 6 The early results are on symmetric encryption schemes =-=[1, 6, 11]-=-. Combiners for asymmetric primitives were constructed by Dodis and Katz [5] (for CCA secure encryption schemes) and Harnik et al. [7] (for key-agreement). The general notion of a combiner was put for... |

25 | Cascade ciphers: The importance of being first - Maurer, Massey - 1993 |

22 | Formalizing Human Ignorance: Collision-Resistant Hashing without the Keys
- Rogaway
- 2006
(Show Context)
Citation Context ...RYPT. 1 This definition is very informal as there are some issues which make it hard to have a definition for collision-resistant hash-functions which is theoretically and practically satisfying, see =-=[14]-=- for recent discussion on that topic. 2 Provably secure means that finding a collision can be shown to be at least as hard as solving some concrete (usually number theoretic) problem.sAs any collision... |

15 | On the Impossibility of Efficiently Combining Collision Resistant Hash Functions
- Boneh, Boyen
- 2006
(Show Context)
Citation Context ...tely the length of the output of H is the sum of the output lengths of H1 and H2, this makes the combiner quite unattractive for practical purposes. 1.1 The Boneh-Boyen and Our Result Boneh and Boyen =-=[2]-=- ask whether one can combine CRHFs such that the output length is (significantly) less than what can be achieved by concatenation. They prove a first negative result in this direction, namely that the... |

13 | On robust combiners for private information retrieval and other primitives
- Meier, Przydatek
- 2006
(Show Context)
Citation Context ...tive combiner the combined primitive is different from the components used, one can think of this as simultaneously being a reduction and a combiner. This notion was introduced by Meier and Przydatek =-=[12]-=- who construct a 1-2 private information retrieval to oblivious transfer cross-primitive combiner, which is interesting as normal 1-2 combiners for oblivious transfer might not exist [7]. Efficiency a... |

11 | An efficient algorithm for constructing a cryptosystem which is harder to break than two other cryptosystems - Asmuth, Blakely - 1981 |

11 |
On tolerant cryptographic constructions
- Herzberg
- 2005
(Show Context)
Citation Context ...symmetric primitives were constructed by Dodis and Katz [5] (for CCA secure encryption schemes) and Harnik et al. [7] (for key-agreement). The general notion of a combiner was put forward by Herzberg =-=[8]-=- who calls them “tolerant combiners”. In recent works one often calls them “robust combiners”, a term introduced in [7]. Combiners have been generalized in several ways: (k, ℓ)-Robust Combiners: [7] p... |

10 |
an Efficient and Provable CollisionResistant Hash Function
- VSH
- 2006
(Show Context)
Citation Context ...(U ′ i ) for some of the i ∈ J. The probability of this is at most |J|/2v ≤ k/2v . Taking everything together: Adv k P [( ˆ H1, . . . , ˆ Hℓ), (M, M ′ )] ≤ α ≤ Pr[CqP ] + k/2v ≤ (qP + qC) 2 + k 2 v . =-=(3)-=- We’re almost done, except that in the above inequality, the ˆ Hi’s are not deterministic as required by the lemma, but randomized (as the Ri’s were chosen at random). We can get fixed ˆ Hi’s for whic... |

9 |
On Constructing Universal One-Way Hash Functions from Arbitrary One-Way Functions. Journal of Cryptology, 2008. To appear. Preliminary version available on http://www.cs.umd.edu/~jkatz/. [NY89] M. Naor and
- Katz, Koo
- 1989
(Show Context)
Citation Context ...that for some applications (in particular for signature schemes) collision resistance is not necessary, as universal one-way hash-functions are enough. Those can be constructed from one-way functions =-=[10, 15]-=-. Merkle and Damg˚ard show that by iterating a CRHF with fixed input length, one gets a CRHF for inputs of arbitrary length. Most CRHFs used today follow this approach. Coron et al. [4] show that the ... |