Security-Amplifying Combiners for Collision-Resistant Hash Functions

The classical combiner Comb01 class (M) = H0(M)||H1(M) for hash functions H0, H1 provides collision-resistance as long as at least one of the two underlying hash functions is secure. This statement is complemented by the multi-collision attack of Joux (Crypto 2004) for iterated hash functions H0, H1 with n-bit outputs. He shows that one can break the classical combiner in n 2 · T0 + T1 steps if one can find collisions for H0 and H1 in time T0 and T1, respectively. Here we address the question if there are security-amplifying combiners where the security of the building blocks increases the security of the combined hash function, thus beating the bound of Joux. We discuss that one can indeed have such combiners and, somewhat surprisingly in light of results of Nandi and Stinson (ePrint 2004) and of Hoch and Shamir (FSE 2006), our solution is essentially as efficient as the classical combiner.