Introduction to Cryptography

TEK 4500 (Fall 2020)

Problem Set 6

Problem 1.
Read Chapter 11 in [PP] and Chapter 6 in [BR] + Appendix A in [BR] (Birthday problem).

Problem 2.
Suppose we have three different hash functions producing output of lengths 64, 128 and
160 bits. How many random computations do you approximately need to find a collision
with probability p = 0.5? How many different random hash values do you approximately
need to find a collision with probability p = 0.1?

Hint: Use whatever formulation of the birthday paradox you want.

Problem 3.
Suppose H1 , H2 ; M → Y are two hash functions for which we know that at least one
is collision-resistant. Unfortunately, we don’t know which. Consider now the following
derived hash functions.
a) H : M → Y × Y, defined by H(X) = H1 (X)kH2 (X). Is H collision-resistant? Justify
your answer.
b) H : M → Y defined by H(X) = H2 (H1 (X)) (here we assume that Y ⊂ M). Is H
collision-resistant? What about H(X) = H1 (H2 (X))? Justify your answer.

Problem 4. [2nd-preimage-resistance]
The two main security properties for hash functions are collision-resistance and one-wayness.
However, there is also a third security property commonly defined for hash functions
called 2nd preimage-resistance. In a 2nd-preimage attack the adversary is given X ∈ M
and Y ← H(X), and then asked to find a different X 0 ∈ M that hash to the same value as
X. That is: given X and Y , find X 0 6= X such that H(X 0 ) = H(X) = Y . In other words,
the adversary is asked to find a second pre-image for Y , hence the name. See Fig.1 for
the formal definitions. Note that 2nd preimage-resistance is a weaker security requirement
than collision-resistance, i.e., we’re asking for more from the adversary. Indeed, for finite
M and Y, and assuming |M| >> |Y|, we have

1
ExpcrH (A): Exp2pre
H (A): Expow
H (A):
1: (X1 , X2 ) ← AH $ $
1: X←M 1: X←M
2: if X1 6= X2 ∧ H(X1 ) = H(X2 ):
2: Y ← H(X) 2: Y ← H(X)
3: return 1
3: X 0 ← AH (X, Y ) 3: X 0 ← AH (Y )
4: else
4: if X 0 6= X ∧ H(X 0 ) = Y : 4: if H(X 0 ) = Y :
5: return 0
5: return 1 5: return 1
6: else 6: else
7: return 0 7: return 0

Advcr cr
H (A) = Pr[ExpH (A) ⇒ 1]
Adv2pre 2pre
H (A) = Pr[ExpH (A) ⇒ 1]
Advow ow
H (A) = Pr[ExpH (A) ⇒ 1]

Figure 1: Security definitions for collision-resistance, 2nd preimage-resistance, and one-wayness

for a hash function H : M → Y.

collision-resistance =⇒ 2nd preimage-resistance =⇒ one-wayness.

a) Explain why the first implication above holds, i.e., why collision-resistance implies
2nd preimage-resistance.
b) Suppose {0, 1}200 ⊂ M and that H : M → Y is a collision-resistant hash function.
Now define H 0 : M → Y as follows:
(
0200 if X = 0200 or X = 1200
H 0 (X) =
H(X) otherwise

Show that H 0 is 2nd preimage-resistant, but not collision-resistant.

Problem 5.
Suppose that F : {0, 1}m → {0, 1}m is a one-way secure permutation. Define H : {0, 1}2m →
{0, 1}m as follows. Given X ∈ {0, 1}2m , write

X = X 0 ||X 00 ,

where X 0 , X 00 ∈ {0, 1}m . Then define

H(X) = F (X 0 ⊕ X 00 ).

Is H one-way? Is it 2nd preimage-resistant? Justify your answers.

2
Problem 6.
Suppose H1 : {0, 1}2m → {0, 1}m is a collision resistant hash function.

a) Define H2 : {0, 1}4m → {0, 1}m as follows:

• Write X ∈ {0, 1}4m as X = X1 ||X2 , where X1 , X2 ∈ {0, 1}2m

• Define H2 (X) = H1 (H1 (X1 )||H1 (X2 )).

Prove that H2 is collision resistant.

i
b) For an integer i ≥ 2, define a hash function Hi : {0, 1}2 m → {0, 1}m as follows:
i i−1 m
• Write X ∈ {0, 1}2 m as X = X1 ||X2 , where X1 , X2 ∈ {0, 1}2
• Define Hi (x) = H1 (Hi−1 (X1 )||Hi−1 (X2 )).

Prove that Hi is collision resistant.

Problem 7. [Problem 11.3 in [Ros]]

I’ve designed a hash function H : {0, 1}∗ → {0, 1}n . One of my ideas is to make H(X) = X
if X is an n-bit string (assume the behavior of H is much more complicated on inputs of
other lengths). That way, we know with certainty that there are no collisions among n-bit
strings. Have I made a good design decision?

Problem 8. [Davies-Meyer alternatives]

Recall that the Davies-Meyer construction is a way of turning a block cipher E : {0, 1}b ×
{0, 1}n → {0, 1}n into a collision-resistant compression function h : {0, 1}n+b → {0, 1}n as:

h(V kM ) = E(M, V ) ⊕ V.

Here we look at some alternative constructions to Davies-Meyer that all turn out to be
insecure. For b) and c) we assume that b = n.

a) h1 (V kM ) = E(M, V )

b) h2 (V kM ) = E(M, V ) ⊕ M

c) h3 (V kM ) = E(V, V ⊕ M ) ⊕ V

Show that none of the compression functions above are collision-resistant.

3
References
[BR] Mihir Bellare and Phillip Rogaway. Introduction to Modern Cryptography. https:
//web.cs.ucdavis.edu/~rogaway/classes/227/spring05/book/main.pdf.

[PP] Christof Paar and Jan Pelzl. Understanding Cryptography - A Textbook for Students and
Practitioners. Springer, 2010.

[Ros] Mike Rosulek. The Joy of Cryptography, (draft Feb 6, 2020). https://web.engr.
oregonstate.edu/~rosulekm/crypto/crypto.pdf.