Homework 6
Homework 6
Homework 6
Problem 1.
Read Chapter 11 in [PP] and Chapter 6 in [BR] + Appendix A in [BR] (Birthday problem).
Problem 2.
Suppose we have three different hash functions producing output of lengths 64, 128 and
160 bits. How many random computations do you approximately need to find a collision
with probability p = 0.5? How many different random hash values do you approximately
need to find a collision with probability p = 0.1?
Problem 3.
Suppose H1 , H2 ; M → Y are two hash functions for which we know that at least one
is collision-resistant. Unfortunately, we don’t know which. Consider now the following
derived hash functions.
a) H : M → Y × Y, defined by H(X) = H1 (X)kH2 (X). Is H collision-resistant? Justify
your answer.
b) H : M → Y defined by H(X) = H2 (H1 (X)) (here we assume that Y ⊂ M). Is H
collision-resistant? What about H(X) = H1 (H2 (X))? Justify your answer.
Problem 4. [2nd-preimage-resistance]
The two main security properties for hash functions are collision-resistance and one-wayness.
However, there is also a third security property commonly defined for hash functions
called 2nd preimage-resistance. In a 2nd-preimage attack the adversary is given X ∈ M
and Y ← H(X), and then asked to find a different X 0 ∈ M that hash to the same value as
X. That is: given X and Y , find X 0 6= X such that H(X 0 ) = H(X) = Y . In other words,
the adversary is asked to find a second pre-image for Y , hence the name. See Fig.1 for
the formal definitions. Note that 2nd preimage-resistance is a weaker security requirement
than collision-resistance, i.e., we’re asking for more from the adversary. Indeed, for finite
M and Y, and assuming |M| >> |Y|, we have
1
ExpcrH (A): Exp2pre
H (A): Expow
H (A):
1: (X1 , X2 ) ← AH $ $
1: X←M 1: X←M
2: if X1 6= X2 ∧ H(X1 ) = H(X2 ):
2: Y ← H(X) 2: Y ← H(X)
3: return 1
3: X 0 ← AH (X, Y ) 3: X 0 ← AH (Y )
4: else
4: if X 0 6= X ∧ H(X 0 ) = Y : 4: if H(X 0 ) = Y :
5: return 0
5: return 1 5: return 1
6: else 6: else
7: return 0 7: return 0
Advcr cr
H (A) = Pr[ExpH (A) ⇒ 1]
Adv2pre 2pre
H (A) = Pr[ExpH (A) ⇒ 1]
Advow ow
H (A) = Pr[ExpH (A) ⇒ 1]
a) Explain why the first implication above holds, i.e., why collision-resistance implies
2nd preimage-resistance.
b) Suppose {0, 1}200 ⊂ M and that H : M → Y is a collision-resistant hash function.
Now define H 0 : M → Y as follows:
(
0200 if X = 0200 or X = 1200
H 0 (X) =
H(X) otherwise
Problem 5.
Suppose that F : {0, 1}m → {0, 1}m is a one-way secure permutation. Define H : {0, 1}2m →
{0, 1}m as follows. Given X ∈ {0, 1}2m , write
X = X 0 ||X 00 ,
H(X) = F (X 0 ⊕ X 00 ).
2
Problem 6.
Suppose H1 : {0, 1}2m → {0, 1}m is a collision resistant hash function.
h(V kM ) = E(M, V ) ⊕ V.
Here we look at some alternative constructions to Davies-Meyer that all turn out to be
insecure. For b) and c) we assume that b = n.
a) h1 (V kM ) = E(M, V )
b) h2 (V kM ) = E(M, V ) ⊕ M
c) h3 (V kM ) = E(V, V ⊕ M ) ⊕ V
3
References
[BR] Mihir Bellare and Phillip Rogaway. Introduction to Modern Cryptography. https:
//web.cs.ucdavis.edu/~rogaway/classes/227/spring05/book/main.pdf.
[PP] Christof Paar and Jan Pelzl. Understanding Cryptography - A Textbook for Students and
Practitioners. Springer, 2010.
[Ros] Mike Rosulek. The Joy of Cryptography, (draft Feb 6, 2020). https://web.engr.
oregonstate.edu/~rosulekm/crypto/crypto.pdf.