Generic Attacks on Hash Combiners
Journal of Cryptology (IF 3), Pub Date: 2019-07-12, DOI: 10.1007/s00145-019-09328-w
Zhenzhen Bao, Itai Dinur, Jian Guo, Gaëtan Leurent, Lei Wang

Hash combiners are a practical way to make cryptographic hash functions more tolerant to future attacks and compatible with existing infrastructure. A combiner combines two or more hash functions in a way that is hopefully more secure than each of the underlying hash functions, or at least remains secure as long as one of them is secure. Two classical hash combiners are the exclusive-or (XOR) combiner $\mathcal{H}_1(M) \oplus \mathcal{H}_2(M)$ and the concatenation combiner $\mathcal{H}_1(M) \Vert \mathcal{H}_2(M)$. Both of them process the same message using the two underlying hash functions in parallel. Apart from parallel combiners, there are also cascade constructions that sequentially call the underlying hash functions to process the message repeatedly, such as Hash-Twice $\mathcal{H}_2(\mathcal{H}_1(IV, M), M)$ and the Zipper hash $\mathcal{H}_2(\mathcal{H}_1(IV, M), \overleftarrow{M})$, where $\overleftarrow{M}$ is the reverse of the message $M$. In this work, we study the security of these hash combiners by devising the best-known generic attacks. The results show that the security of most of the combiners is not as high as commonly believed. We summarize our attacks and their computational complexities (ignoring polynomial factors) as follows:

1. Several generic preimage attacks on the XOR combiner:
   - A first attack with a best-case complexity of $2^{5n/6}$, obtained for messages of length $2^{n/3}$. It relies on a novel technical tool named the interchange structure. It is applicable to combiners whose underlying hash functions follow the Merkle–Damgård construction or the HAIFA framework.
   - A second attack with a best-case complexity of $2^{2n/3}$, obtained for messages of length $2^{n/2}$. It exploits properties of functional graphs of random mappings. It achieves a significant improvement over the first attack but is only applicable when the underlying hash functions use the Merkle–Damgård construction.
   - An improvement upon the second attack with a best-case complexity of $2^{5n/8}$, obtained for messages of length $2^{5n/8}$. It further exploits properties of functional graphs of random mappings and uses longer messages.
   These attacks show a rather surprising result: regarding preimage resistance, the sum of two $n$-bit narrow-pipe hash functions following the considered constructions can never provide $n$-bit security.
2. A generic second-preimage attack on the concatenation combiner of two Merkle–Damgård hash functions. This attack finds second preimages faster than $2^n$ for challenges longer than $2^{2n/7}$ and has a best-case complexity of $2^{3n/4}$, obtained for challenges of length $2^{3n/4}$. It also exploits properties of functional graphs of random mappings.
3. The first generic second-preimage attack on the Zipper hash with underlying hash functions following the Merkle–Damgård construction. The best-case complexity is $2^{3n/5}$, obtained for challenge messages of length $2^{2n/5}$.
4. An improved generic second-preimage attack on Hash-Twice with underlying hash functions following the Merkle–Damgård construction. The best-case complexity is $2^{13n/22}$, obtained for challenge messages of length $2^{13n/22}$.

The last three attacks show that regarding second-preimage resistance, the concatenation and cascade of two $n$-bit narrow-pipe Merkle–Damgård hash functions do not provide much more security than can be provided by a single $n$-bit hash function. Our main technical contributions include the following:

1. The interchange structure, which enables simultaneously controlling the behaviours of two hash computations sharing the same input.
2. The simultaneous expandable message, which is a set of messages whose lengths cover a whole appropriate range and which are multi-collisions for both of the underlying hash functions.
3. New ways to exploit the properties of functional graphs of random mappings generated by fixing the message-block input to the underlying compression functions.
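As an added illustration (not code from the paper), the four combiners defined in the abstract implemented over a toy narrow-pipe Merkle–Damgård hash, together with a routine that measures the tail and cycle lengths of a node in the functional graph $f(x) = h(x, m)$ obtained by fixing the message block $m$, the object the functional-graph results above build on; the graph is only measured here, not exploited. The 32-bit SHA-256-based compression function, the 8-byte block size, the IVs and the block-granular reversal used for the Zipper hash are all assumptions made for the example.

```python
import hashlib

# Toy parameters (constructed for illustration): n-bit narrow-pipe state, 8-byte blocks.
N_BITS = 32
BLOCK = 8
MASK = (1 << N_BITS) - 1
IV1, IV2 = 0x01234567, 0x89ABCDEF

def compress(tag: bytes, state: int, block: bytes) -> int:
    """Toy n-bit compression function h(state, block); two tags give two independent functions."""
    d = hashlib.sha256(tag + state.to_bytes(N_BITS // 8, "big") + block).digest()
    return int.from_bytes(d[:N_BITS // 8], "big") & MASK

def pad(msg: bytes) -> list:
    """Merkle–Damgård strengthening: 0x80, zero fill, 8-byte big-endian bit length."""
    m = msg + b"\x80"
    m += b"\x00" * ((-len(m) - 8) % BLOCK) + (8 * len(msg)).to_bytes(8, "big")
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]

def md(tag: bytes, iv: int, blocks: list) -> int:
    """Narrow-pipe Merkle–Damgård iteration: the n-bit chaining value is the whole state."""
    st = iv
    for b in blocks:
        st = compress(tag, st, b)
    return st

def H1(iv: int, blocks: list) -> int: return md(b"H1", iv, blocks)
def H2(iv: int, blocks: list) -> int: return md(b"H2", iv, blocks)
def xor_combiner(msg: bytes) -> int:          # H1(M) xor H2(M): n-bit output
    b = pad(msg); return H1(IV1, b) ^ H2(IV2, b)
def concat_combiner(msg: bytes) -> int:       # H1(M) || H2(M): 2n-bit output
    b = pad(msg); return (H1(IV1, b) << N_BITS) | H2(IV2, b)
def hash_twice(msg: bytes) -> int:            # H2(H1(IV, M), M): H1's digest seeds H2's IV
    b = pad(msg); return H2(H1(IV1, b), b)
def zipper(msg: bytes) -> int:                # H2(H1(IV, M), reverse(M)): blocks in reverse order
    b = pad(msg); return H2(H1(IV1, b), b[::-1])

def rho_lengths(tag: bytes, block: bytes, start: int) -> tuple:
    """Tail and cycle length of `start` in the graph of f(x) = h(x, block), block fixed (Floyd)."""
    f = lambda x: compress(tag, x, block)
    slow, fast = f(start), f(f(start))
    while slow != fast:                       # phase 1: meet somewhere on the cycle
        slow, fast = f(slow), f(f(fast))
    tail, slow = 0, start
    while slow != fast:                       # phase 2: walk to the cycle entry, counting the tail
        slow, fast, tail = f(slow), f(fast), tail + 1
    cycle, fast = 1, f(slow)
    while fast != slow:                       # phase 3: go once around the cycle
        fast, cycle = f(fast), cycle + 1
    return tail, cycle
```

With a 32-bit state a random node's tail plus cycle is on the order of $2^{n/2}$ steps, so the measurement finishes in well under a second; the same code with a realistic $n$ would not.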

Updated: 2019-07-12