On the security of hash function combiners
Abstract
A hash function is an algorithm that compresses messages of arbitrary length into short digests of fixed length. If the function additionally satisfies certain security properties, it becomes a powerful tool in the design of cryptographic protocols. The most important property is collision-resistance, which requires that it be hard to find two distinct messages that evaluate to the same hash value. When a hash function uses secret keys, it can also serve as a pseudorandom function or message authentication code. However, recent attacks on collision-resistant hash functions [WLF+05, WYY05, WY05, SSA+09] have decreased confidence that today's candidates really have this property and have raised the question of how to devise constructions that are more tolerant of cryptanalytic results. Hence, approaches like robust combiners [Her05, Her09, HKN+05], which "merge" several candidate functions into a single failure-tolerant one, are of great interest and have triggered a series of research results [BB06, Pie07, CRS+07, FL07, Pie08, FLP08]. In general, a hash combiner takes two hash functions H0, H1 and combines them in such a way that the resulting function remains secure as long as at least one of the underlying candidates H0 or H1 is secure. For example, the classical combiner for collision-resistance simply concatenates the outputs of both hash functions, Comb(M) = H0(M) || H1(M), in order to ensure collision-resistance as long as either of H0, H1 obeys the property. However, this classical approach is complemented by two negative results. On the one hand, the combiner requires twice the output length of an ordinary hash function, and this was even shown to be optimal for collision-resistance [BB06, Pie07, CRS+07, Pie08]. On the other hand, the security of the combiner does not increase with the enlarged output length, i.e., the combiner is not significantly stronger than the sum of its components [Jou04].
In this thesis we address the question of whether there are security-amplifying combiners, where the combined hash function provides a higher security level than the building blocks, thus going beyond the additive limit. We show that one can indeed have such combiners and propose a solution that is essentially as efficient as the concatenated combiner. Another issue is that, so far, hash function combiners only aim at preserving a single property such as collision-resistance or pseudorandomness. However, when hash functions are used in protocols like TLS to secure http
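The second negative result above, that concatenation is not significantly stronger than its components [Jou04], can be reproduced on a toy scale. The following is an added example, not code from the thesis: two 16-bit iterated hashes built from truncated SHA-256 (the tags, sizes and function names are assumptions of this sketch), a multi-collision for H0 assembled block by block, and a search inside that set for a collision in H1, which is then a collision for Comb(M) = H0(M) || H1(M). It chains n/2 + 4 block collisions rather than n/2 so that the final search succeeds with near-certainty.

```python
import hashlib
from itertools import product

N_BITS = 16   # toy digest size so collisions are cheap (assumption of this demo)
BLOCK = 4     # bytes per message block
IV = 0

def compress(tag: bytes, state: int, block: bytes) -> int:
    """Toy compression function: SHA-256 truncated to N_BITS, separated by tag."""
    data = tag + state.to_bytes(N_BITS // 8, "big") + block
    return int.from_bytes(hashlib.sha256(data).digest()[:N_BITS // 8], "big")

def md_hash(tag: bytes, msg: bytes) -> int:
    """Iterated hash; length padding omitted since all messages have equal length."""
    state = IV
    for i in range(0, len(msg), BLOCK):
        state = compress(tag, state, msg[i:i + BLOCK])
    return state

def H0(m: bytes) -> int: return md_hash(b"H0", m)
def H1(m: bytes) -> int: return md_hash(b"H1", m)
def comb(m: bytes) -> tuple: return (H0(m), H1(m))   # Comb(M) = H0(M) || H1(M)

def block_collision(tag: bytes, state: int):
    """Birthday search: two distinct blocks mapping `state` to the same output."""
    seen, c = {}, 0
    while True:
        block = c.to_bytes(BLOCK, "big")
        out = compress(tag, state, block)
        if out in seen:
            return seen[out], block, out
        seen[out] = block
        c += 1

def joux_collision(t: int):
    """Chain t collisions in H0 (2**t messages sharing one H0 digest), then
    look for two of those messages that also collide under H1."""
    state, pairs = IV, []
    for _ in range(t):
        a, b, state = block_collision(b"H0", state)
        pairs.append((a, b))
    seen = {}
    for choice in product(*pairs):
        msg = b"".join(choice)
        digest = H1(msg)
        if digest in seen:
            return seen[digest], msg
        seen[digest] = msg
    return None
```

Calling `joux_collision(N_BITS // 2 + 4)` returns two distinct messages with equal `comb` values after a few thousand compression calls per step, far below the roughly 2^16 evaluations a generic birthday search on a 32-bit output would need.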
Similar resources
An Improved Hash Function Based on the Tillich-Zémor Hash Function
Using the idea behind the Tillich-Zémor hash function, we propose a new hash function. Our hash function is parallelizable and its collision resistance is implied by a hardness assumption on a mathematical problem. Also, it is secure against the known attacks. It is the most secure variant of the Tillich-Zémor hash function until now.
Multi-property Preserving Combiners for Hash Functions
A robust combiner for hash functions takes two candidate implementations and constructs a hash function which is secure as long as at least one of the candidates is secure. So far, hash function combiners only aim at preserving a single property such as collision-resistance or pseudorandomness. However, when hash functions are used in protocols like TLS they are often required to provide severa...
Hash Combiners for Second Pre-image Resistance, Target Collision Resistance and Pre-image Resistance Have Long Output
A (k, l) hash-function combiner for property P is a construction that, given access to l hash functions, yields a single cryptographic hash function which has property P as long as at least k out of the l hash functions have that property. Hash function combiners are used to hedge against the failure of one or more of the individual components. One example of the application of hash function co...
Security-Amplifying Combiners for Collision-Resistant Hash Functions
The classical combiner Comb_class^{0,1}(M) = H0(M) || H1(M) for hash functions H0, H1 provides collision-resistance as long as at least one of the two underlying hash functions is secure. This statement is complemented by the multi-collision attack of Joux (Crypto 2004) for iterated hash functions H0, H1 with n-bit outputs. He shows that one can break the classical combiner in (n/2) · T0 + T1 steps if...
Investigation of Some Attacks on GAGE (v1), InGAGE (v1), (v1.03), and CiliPadi (v1) Variants
In this paper, we present some attacks on GAGE, InGAGE, and CiliPadi which are candidates of the first round of the NIST-LWC competition. GAGE and InGAGE are lightweight sponge based hash function and Authenticated Encryption with Associated Data (AEAD), respectively and support different sets of parameters. The length of hash, key, and tag are always 256, 128, and 128 bits, respec...
Publication date: 2010