Questions tagged [collision-resistance]
Difficulty of finding two different inputs that hash to the same value
743 questions
1 vote, 1 answer, 39 views
Low-Collision Abbreviation For Public Key Hex Representation
I am writing an application where each client generates its own public/private key pair that uniquely identifies it to other clients. Clients are using the Web Crypto API to generate ECDSA P-384 keys. ...
4 votes, 4 answers, 3k views
Is the XOR of hashes a good hash function?
Definitions:
Let $h$ be a hash function with output size $n$ bytes. Suppose the file $F$ can be divided into chunks of size $n$ bytes $F=f_0+f_1+\dots +f_i$ where the operator "$+$" stands ...
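Added example, not part of the question above or of any answer on this page: the chunked-XOR construction the question describes, with the two collisions that follow directly from XOR being commutative and self-cancelling. Assumptions of mine, not stated in the excerpt: the candidate hash is H(F) = h(f_0) XOR h(f_1) XOR ... XOR h(f_i), h is SHA-256 (so n = 32-byte chunks), and a short final chunk is zero-padded.

```python
"""
Chunked-XOR hash from the question, with collisions.

Constructed example. Assumptions (mine, not from the question):
  H(F) = h(f_0) XOR h(f_1) XOR ... XOR h(f_i), h = SHA-256, n = 32,
  last chunk zero-padded to n bytes.
"""
import hashlib

N = 32  # chunk size in bytes = SHA-256 output size, as in the question


def chunks(data: bytes, n: int = N) -> list:
    """Split data into n-byte chunks; zero-pad the last one (assumption)."""
    data = data + b"\x00" * ((-len(data)) % n)
    return [data[i:i + n] for i in range(0, len(data), n)]


def xor_hash(data: bytes) -> bytes:
    """H(F) = XOR over all chunks of h(f_j). Not collision resistant."""
    acc = bytes(N)
    for f in chunks(data):
        acc = bytes(a ^ b for a, b in zip(acc, hashlib.sha256(f).digest()))
    return acc


def safe_hash(data: bytes) -> bytes:
    """Baseline: hash the whole stream with one SHA-256 call."""
    return hashlib.sha256(data).digest()


def reorder_collision(data: bytes) -> bytes:
    """Collision 1: XOR is commutative, so any permutation of the chunks
    hashes identically. Returns data with its first two chunks swapped."""
    c = chunks(data)
    c[0], c[1] = c[1], c[0]
    return b"".join(c)


def duplicate_collision(data: bytes) -> bytes:
    """Collision 2: h(f) XOR h(f) = 0, so appending any chunk twice leaves
    H unchanged. Pads data first so the new chunks are aligned."""
    junk = bytes(range(N))  # constructed filler chunk, any 32 bytes work
    return b"".join(chunks(data)) + junk + junk


def demo() -> dict:
    """Run both collisions against xor_hash and against plain SHA-256."""
    file_a = bytes(range(256)) * 3  # constructed 768-byte sample "file"
    file_b = reorder_collision(file_a)
    file_c = duplicate_collision(file_a)
    return {
        "reorder_collides_xor": file_a != file_b and xor_hash(file_a) == xor_hash(file_b),
        "duplicate_collides_xor": file_a != file_c and xor_hash(file_a) == xor_hash(file_c),
        "reorder_collides_sha256": safe_hash(file_a) == safe_hash(file_b),
        "duplicate_collides_sha256": safe_hash(file_a) == safe_hash(file_c),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

Both attacks need no knowledge of h and cost one chunk swap or one append; the per-chunk construction loses the ordering and multiplicity information that a hash over the whole stream (or a tree hash that binds position) keeps.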
1 vote, 2 answers, 97 views
Why does HMAC-SHA1-96 need to pad message to a multiple of 160 bits?
HMAC-SHA1-96 is performed in AH of IPSec, to have data authentication and integrity.
I don't understand why I need to pad message M to a multiple of 160 bits, which is the output length of SHA1. Why is ...
3 votes, 2 answers, 125 views
How can an attacker find a collision of a keyed digest without knowing the key? Are collisions not an issue anymore if we apply a keyed digest?
Same as the title.
How can an attacker find a collision in a keyed digest without knowing the key? Does using a keyed digest eliminate the problem of collisions?
1 vote, 2 answers, 128 views
Looking for a lightweight hashing algorithm
I'm looking for a hashing algorithm with some unique properties:
Most important: It has to be small. Ideally ~400 bytes of x86 assembly
Resistant to preimage & collision attacks with no known ...
0 votes, 2 answers, 107 views
Adding 2 hash values
hash(a) + hash(b) = hash(c)
When adding 2 hash values, can the result be equal to another hash value? Is it unlikely for this to happen? If so, why?
1 vote, 1 answer, 63 views
Necessity of all three MD-Compliant padding conditions
For Merkle-Damgård hashing, MD-compliant padding is defined as any padding scheme satisfying:
$M$ is a prefix of $\text{Pad}(M)$
$|M_1|=|M_2|\Rightarrow |\text{Pad}(M_1)|=|\text{Pad}(M_2)|$
$|M_1|\...
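Added example, not part of the question above or of any answer on this page: a toy Merkle-Damgård hash run once with zero-only padding and once with the MD-strengthening padding SHA-256 uses (0x80, zeros, 64-bit message length). Zero-only padding satisfies the two conditions visible in the excerpt (M is a prefix of Pad(M), and equal-length messages pad to equal lengths) yet M and M||0x00 pad to the same string, which is the kind of collision the third condition exists to rule out. The compression function, block size and IV are mine, chosen only to make the example runnable.

```python
"""
Toy Merkle-Damgard hash with two padding rules. Constructed example;
the compression function (SHA-256 over state||block), BLOCK = 64 and the
all-zero IV are assumptions for illustration, not a real design.
"""
import hashlib
import struct

BLOCK = 64          # compression-function block size in bytes (assumption)
IV = bytes(32)      # initial chaining value (assumption)


def compress(h: bytes, block: bytes) -> bytes:
    """Toy compression function f(h, block) -> 32-byte chaining value."""
    assert len(block) == BLOCK
    return hashlib.sha256(h + block).digest()


def pad_zero_only(m: bytes) -> bytes:
    """Zero-fill to a block boundary. M is a prefix of Pad(M) and equal
    lengths pad to equal lengths, but M and M||0x00 pad identically."""
    return m + b"\x00" * ((-len(m)) % BLOCK)


def pad_md_strengthening(m: bytes) -> bytes:
    """SHA-256 style: 0x80, zeros, then the message bit length as a
    big-endian 64-bit integer, so messages of different length always
    end in a different final block."""
    p = m + b"\x80"
    p += b"\x00" * ((-(len(p) + 8)) % BLOCK)
    return p + struct.pack(">Q", 8 * len(m))


def md_hash(m: bytes, pad) -> bytes:
    """Plain Merkle-Damgard iteration over the padded message."""
    p = pad(m)
    h = IV
    for i in range(0, len(p), BLOCK):
        h = compress(h, p[i:i + BLOCK])
    return h


def padding_collision(m: bytes) -> tuple:
    """Compare H(m) with H(m || 0x00) under both padding rules.
    Returns (collides_with_zero_padding, collides_with_md_strengthening).
    m must not already end exactly on a block boundary, otherwise the
    zero-only padding of m||0x00 gains a whole extra block."""
    if len(m) % BLOCK == 0:
        raise ValueError("pick a message whose length is not a multiple of BLOCK")
    m2 = m + b"\x00"
    return (
        md_hash(m, pad_zero_only) == md_hash(m2, pad_zero_only),
        md_hash(m, pad_md_strengthening) == md_hash(m2, pad_md_strengthening),
    )


if __name__ == "__main__":
    zero_only, strengthened = padding_collision(b"attack at dawn")
    print("zero-only padding collides:", zero_only)
    print("MD-strengthening collides:", strengthened)
```

The attack here needs no work on the compression function at all: the two messages are literally the same input after padding. MD-strengthening closes it by making the final block depend on the original length.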
0 votes, 0 answers, 13 views
How many extra bits of security can I get from an intermediate finalisation of SipHash-2-4?
I'm currently using SipHash-2-4 to hash 4096-byte blocks into 64-bit hashes. The key is secret, as that is required by SipHash.
I have 128 bits of space available for hashes, but I don't want to use ...
1 vote, 0 answers, 47 views
Are saltless PoWs ok?
So, I'm building a system loosely based on the S/Kademlia principles and I have a question.
I generate IDs from hashing a public key such that $ID = H(PK)$. Further, I say that for an ID to be valid ...
4 votes, 1 answer, 90 views
Security impact of weakened collision resistance for 128-bit Fiat-Shamir challenges
As I understand, to achieve a security level of $\lambda$, a hash function's output should be at least $2\lambda$ in length, since the search space is halved for collision resistance.
However, I am ...
2 votes, 0 answers, 67 views
Inequalities in collision search on the separation between the classical and quantum random oracle (ROM vs QROM)
I'm trying to read the separation between the classical and quantum random oracle through a paper "Random Oracles in a Quantum World" by Dan Boneh, Ozgur Dagdelen, Marc Fischlin, Anja ...
1 vote, 0 answers, 47 views
Suffix-free padding scheme for hash function
I would like an easy-to-read proof that shows that it is sufficient for a padding scheme to be suffix-free for it to be collision resistant.
Whenever I have come across such a proof it always seems to ...
2 votes, 1 answer, 74 views
How to design a reversible shifted XOR with an S-box?
According to this post, S-boxes are invertible.
Inverting S-boxes can be very easy: you simply create a lookup table that reverse all the possible substitutions of the S-box. E.g. if the S-box maps ...
1 vote, 0 answers, 68 views
I do not understand the result of 'proposition 2' of "MDx-MAC and building fast MACs from hash functions"
I saw the difference between the proof and the statement of "proposition 2" in the paper "MDx-MAC and building fast MACs from hash functions" by Bart Preneel & Paul C. van ...
0 votes, 0 answers, 40 views
Proving Insecure Hash Function Through Not Collision Resistant
There is a function H : {0, 1}* → {0, 1}^n. On input a message m and two shares of it x, w such that m = x ⊕ w, the function outputs y = H(m) = H(x) ⊕ H(w). How would I find that this is NOT a collision ...
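Added example, not part of the question above or of any answer on this page: a black-box collision finder for any H with the property in the question, H(x ⊕ w) = H(x) ⊕ H(w). That property makes H a GF(2)-linear map, so on inputs of a fixed length L > n it has a non-trivial kernel; querying H on the L unit vectors and running Gaussian elimination over GF(2) yields a nonzero d with H(d) = 0, and then (x, x ⊕ d) collides for every x. Assumptions of mine: inputs are treated as L-bit integers, and the H under attack is a constructed random linear map standing in for the unknown function (the attack only uses the XOR property, never the matrix).

```python
"""
Kernel attack on an XOR-homomorphic hash. Constructed example.

Assumptions: messages are L-bit integers; make_linear_hash builds a toy
H from a random GF(2) matrix only so the code can run. find_collision
treats H as a black box and relies solely on H(a ^ b) == H(a) ^ H(b).
"""
import random


def make_linear_hash(n_bits: int, in_bits: int, seed: int = 1):
    """Toy H: {0,1}^in_bits -> {0,1}^n_bits, H(m) = XOR of column j for each
    set bit j of m. Random columns from a seeded RNG (constructed)."""
    rng = random.Random(seed)
    cols = [rng.getrandbits(n_bits) for _ in range(in_bits)]

    def H(m: int) -> int:
        out = 0
        for j in range(in_bits):
            if (m >> j) & 1:
                out ^= cols[j]
        return out

    return H


def find_kernel_element(H, in_bits: int) -> int:
    """Return d != 0 with H(d) = 0 using at most n+1 queries on unit
    vectors e_j = 1 << j. Invariant: for every tracked pair, H(comb) == img,
    because XORing two pairs preserves it by linearity of H."""
    basis = {}  # pivot bit -> (reduced image, combination of unit vectors)
    for j in range(in_bits):
        img, comb = H(1 << j), 1 << j
        while img:
            p = img.bit_length() - 1
            if p not in basis:
                basis[p] = (img, comb)   # new independent image, keep it
                break
            b_img, b_comb = basis[p]
            img ^= b_img
            comb ^= b_comb
        if img == 0:
            # comb includes bit j, which no earlier combination contains,
            # so comb != 0, and H(comb) == img == 0.
            return comb
    raise ValueError("no dependency found: need in_bits > n_bits")


def find_collision(H, in_bits: int, x: int) -> tuple:
    """Collision for any chosen x: (x, x ^ d) with H(d) = 0."""
    d = find_kernel_element(H, in_bits)
    return x, x ^ d


def demo(n_bits: int = 32, in_bits: int = 40) -> bool:
    """True if the attack produced two distinct inputs with equal output."""
    H = make_linear_hash(n_bits, in_bits)
    x = 0x12_3456_789A  # arbitrary 40-bit message (constructed)
    a, b = find_collision(H, in_bits, x)
    return a != b and H(a) == H(b)


if __name__ == "__main__":
    print("collision found:", demo())
```

The linear-algebra route is the general attack; for the question's variable-length H there is an even shorter one: H(x ⊕ x) = H(x) ⊕ H(x) forces H(0^k) = 0 for every k, so the all-zero strings of two different lengths already collide.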