by dfox
897 days ago
The paper refers to the case where you build an even more secure hash function by concatenating the output of multiple presumably secure hash functions. The resulting construction will still be as secure as the strongest component hash function used, which is what you want for the case of long-term archival hashes/signatures (the obvious question is exactly what asymmetric construction you are going to use to sign the resulting hash which preserves this property). Of note is that when you look at the multiple parallel executions of an iterated hash function at the level of whatever round structure that it is inside its compression function it becomes quite obvious that the result will not have the security level of 2^(m+n+...) as one would expect from the output length, but somewhere around 2^m+2^n (=2^m if m>n) as there is absolutely no mixing of state between the parallel executions.
If you have a moment can you please elaborate a little more on your second paragraph? Are you describing applying a similar method inside the compression function of the hash function? Any hash function? Where does the parallelism come in? Thank you!
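As an added illustration of the point made in dfox's comment above (this is example code written for this page; it is not from either commenter, nor from the paper under discussion), the following builds two toy 16-bit Merkle-Damgård hashes H1 and H2 by truncating SHA-256 (a constructed stand-in for two independent real hash functions) and collides the concatenation H1(m)||H2(m) using Joux-style multicollisions. The concatenated output is 32 bits, so a generic birthday attack "should" cost about 2^16 compression calls; because the two chains never share state, the attack instead chains k single-block collisions of H1 (about k·2^(n/2) work, here n = 16), which yields 2^k messages with the same H1 value, and then birthday-searches H2 over that set (about 2^(m/2) work, m = 16). All names, sizes and the `b"H1"`/`b"H2"` domain tags are assumptions of this example.

```python
import hashlib
import random
from itertools import product

STATE_BITS = 16            # toy per-hash state/output size (real hashes: 160-512 bits)
STATE_BYTES = STATE_BITS // 8
BLOCK_LEN = 4              # toy message block size in bytes


def compress(tag: bytes, state: int, block: bytes) -> int:
    """Toy compression function: SHA-256 truncated to STATE_BITS (constructed for this
    example, not a real hash). `tag` makes H1 and H2 behave as unrelated functions."""
    h = hashlib.sha256(tag + state.to_bytes(STATE_BYTES, "big") + block).digest()
    return int.from_bytes(h[:STATE_BYTES], "big")


def md_hash(tag: bytes, blocks: list) -> int:
    """Plain Merkle-Damgard iteration: the state chains through the blocks."""
    state = 0
    for block in blocks:
        state = compress(tag, state, block)
    return state


def h1(blocks: list) -> int:
    return md_hash(b"H1", blocks)


def h2(blocks: list) -> int:
    return md_hash(b"H2", blocks)


def concat_hash(blocks: list) -> bytes:
    """H1(m) || H2(m): 32 bits of output, so a generic collision 'should' cost ~2^16."""
    return h1(blocks).to_bytes(STATE_BYTES, "big") + h2(blocks).to_bytes(STATE_BYTES, "big")


def find_block_collision(tag: bytes, state: int, rng: random.Random):
    """Birthday-search two distinct blocks that map `state` to the same next state.
    Costs about 2^(STATE_BITS/2) compression calls. Returns (blk_a, blk_b, next, calls)."""
    seen = {}
    calls = 0
    while True:
        blk = rng.getrandbits(8 * BLOCK_LEN).to_bytes(BLOCK_LEN, "big")
        nxt = compress(tag, state, blk)
        calls += 1
        if nxt in seen:
            if seen[nxt] != blk:
                return seen[nxt], blk, nxt, calls
        else:
            seen[nxt] = blk


def joux_collision(seed: int = 1, min_blocks: int = 10):
    """Collide H1||H2 for far less than its 32-bit output suggests.

    Step 1: chain k single-block collisions of H1. Picking one block per position
            gives 2^k distinct messages that all share the same H1 value.
    Step 2: hash those 2^k messages with H2 and birthday-search a collision there.
    Returns (msg_a, msg_b, compression_calls_spent)."""
    rng = random.Random(seed)
    state = 0
    pairs = []          # pairs[i] = (blk_a, blk_b): either block works at position i
    calls = 0
    while True:
        blk_a, blk_b, state, c = find_block_collision(b"H1", state, rng)
        pairs.append((blk_a, blk_b))
        calls += c
        if len(pairs) < min_blocks:
            continue    # too few messages yet for a likely H2 birthday hit
        seen = {}
        for choice in product((0, 1), repeat=len(pairs)):
            msg = [pairs[i][bit] for i, bit in enumerate(choice)]
            digest = h2(msg)
            calls += len(msg)
            if digest in seen:          # distinct choices give distinct messages
                return seen[digest], msg, calls
            seen[digest] = msg
        # no H2 collision among 2^k messages: add a block, doubling the set


if __name__ == "__main__":
    a, b, calls = joux_collision()
    assert a != b and concat_hash(a) == concat_hash(b)
    print(f"collision after {calls} compression calls (generic bound ~{2 ** 16})")
    print(concat_hash(a).hex(), concat_hash(b).hex())
```

With the toy parameters the attack typically finishes in around 15,000 compression calls against a generic expectation of roughly 65,000, and the gap widens with the real sizes: for H1 of n bits and H2 of m bits the cost is about n/2·2^(n/2) + 2^(m/2) rather than 2^((n+m)/2), which is the "no mixing of state between the parallel executions" point in the comment. The `min_blocks` threshold only avoids wasted enumeration while the set is still too small; the loop keeps adding blocks until an H2 collision appears, so the function handles the unlucky case where 2^10 messages yield none.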