2014 | OriginalPaper | Chapter
Breaking and Fixing Cryptophia’s Short Combiner
Authors : Bart Mennink, Bart Preneel
Published in: Cryptology and Network Security
Publisher: Springer International Publishing
A combiner is a construction formed out of two hash functions that is secure if one of the underlying functions is. Conventional combiners are known not to support short outputs: if the hash functions have n-bit outputs the combiner should have at least almost 2n bits of output in order to be robust for collision resistance (Pietrzak, CRYPTO 2008). Mittelbach (ACNS 2013) introduced a relaxed security model for combiners and presented “Cryptophia’s short combiner,” a rather delicate construction of an n-bit combiner that achieves optimal collision, preimage, and second preimage security. We re-analyze Cryptophia’s combiner and show that a collision can be found in two queries and a second preimage in one query, invalidating the claimed results. We additionally propose a way to fix the design in order to re-establish the original security results.