|
This is actually a pretty interesting question. The answer, at least for Merkle-Damgard hash functions (MD5, SHA-1, SHA-2, etc) is that concatenating (or "cascading") hash functions doesn't really improve the strength of the resulting construction. Merkle-Damgard hash functions look like this: function MD(M, H, C):
for M[i] in pad(M):
H := C(M[i], H)
return H
For message M, initial state H, and compression function C. In other words, pad the message, break it into blocks, and use the compression function to "mix" each block into the hash function's state. The final state is the result.Antoine Joux showed that for any MD hash function, generating many collisions is not much more difficult than generating one. Here's how: 1. Take the initial state H[0].
2. Find two single-block messages that collide under C with H[0] as the input state. Call the result H[1].
3. Now find another pair of single-block messages that collide under C with H[1] as the input state. Call the result H[2].
4. Iterate as needed.
Here's the trick: each single-block collision you find is actually doubling your set of colliding messages. This is because for each block of the message, you can select either of two candidate blocks. So if the effort required to find a collision in a b-bit hash function is 2^(b/2), the effort to find 2^n such collisions is only n * 2^(b/2).What does this mean for cascaded hash functions? Well, consider a hypothetical construction that simply concatenates a 128-bit hash function with a 160-bit function. A plan of attack might look like this: 1. Find 2^80 colliding messages under the 128-bit function. This should take roughly 80 * 2^64 ~= 2^70.3 units of "effort".
2. Evaluate each message under the 160-bit function. There's probably a collision in there somewhere. This will take around 2^80 work, dwarfing what we did in the first step.
The effort to find a collision under both functions is thus only about what it takes to find a collision under the stronger of the two.Shameless plug: we will have a few problems exploring the consequences of Joux collisions in set seven of the Matasano crypto challenges. |
What about non-concatenative methods? For example, could you do something like "shift and xor". For example, say you have a 4-byte hash function, so that:
then you shift one by a byte and xor like so And then you could iterate that to extend to as many bytes as you want? And then maybe you'd want to xor the first and last byte together so that nothing from the first hash remains - although now I'm thinking intuitively which generally seems to be a bad idea with crytpography.