[Cryptography] BLAKE2: "Harder, Better, Faster, Stronger" Than MD5

Zooko Wilcox-O'Hearn zooko at leastauthority.com
Tue Mar 25 00:43:21 EDT 2014

On Tue, Mar 25, 2014 at 1:38 AM, Bill Frantz <frantz at pwpconsult.com> wrote:
> BTW, this paper talks of concatenating the outputs of the hashes because it is trying for additional strength. If we just want, "As strong as the best of the bunch", can we XOR instead of concatenating? The result is more likely to fit in with existing protocols and will be cheaper to transmit on the wire.

The problem with the XOR combiner (i.e. H⊕(x) = H₀(x) ⊕ H₁(x)) is that
we can't prove an attacker wouldn't be able to generate collisions in
H⊕ — i.e. find x1 and x2 (different from each other) such that H⊕(x1)
= H⊕(x2) — even though he cannot generate collisions in either H₀ or
in H₁.

On the other hand, it is obviously proven that any possible technique
that would result in collisions in the concatenation combiner (i.e.
H|(x) = H₀(x) | H₁(x)) would imply a collision in both H₀ *and* H₁.

We explored these issues in the Tahoe-LAFS "One Hundred Year
Cryptography" project. Here are a few more of our notes:


Also keep in mind that historically hash functions failed a lot more
often at collision-resistance than at anything else they have been
called upon to do. So therefore if you have to just pick one combiner,
then pick one that is strong against collisions. H| and Comb4P are
collision-resistant if either of their substrate hash functions is.


Zooko Wilcox-O'Hearn

Founder, CEO, and Customer Support Rep
Freedom matters.
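
The difference between the two combiners discussed in the message above, as an added example that is not part of the original post. It goes one step beyond the post by constructing a concrete case where XOR fails; the substrates h1_weak and h1_related and all function names are constructed here for illustration, with BLAKE2b standing in for a sound H₀.

```python
import hashlib
from itertools import count

def h0(x: bytes) -> bytes:
    """Substrate assumed sound: BLAKE2b with a 32-byte digest."""
    return hashlib.blake2b(x, digest_size=32).digest()

def h1_weak(x: bytes) -> bytes:
    """Constructed broken substrate: SHA-256 cut to 2 bytes, zero-padded."""
    return hashlib.sha256(x).digest()[:2].ljust(32, b"\0")

def h1_related(x: bytes) -> bytes:
    """Constructed substrate: bitwise complement of h0. A collision here is
    a collision in h0, so it is exactly as collision-resistant as h0."""
    return bytes(b ^ 0xFF for b in h0(x))

def concat(ha, hb, x: bytes) -> bytes:
    return ha(x) + hb(x)          # H|(x) = H0(x) | H1(x)

def xor(ha, hb, x: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(ha(x), hb(x)))  # H⊕(x)

def find_collision(h):
    """Birthday search over counter strings; only feasible for a weak hash."""
    seen = {}
    for i in count():
        x = b"msg-%d" % i
        d = h(x)
        if d in seen:
            return seen[d], x
        seen[d] = x

def demo():
    # Case 1: one substrate is broken. The pair that collides h1_weak does
    # not collide the concatenation, because h0 still tells the inputs apart.
    a, b = find_collision(h1_weak)
    concat_survives = concat(h0, h1_weak, a) != concat(h0, h1_weak, b)
    # Case 2: both substrates are individually sound but related. The XOR
    # output is the same constant for every input, so any two inputs collide,
    # while the concatenation of the same two substrates still separates them.
    xor_collides = xor(h0, h1_related, a) == xor(h0, h1_related, b)
    concat_related_ok = concat(h0, h1_related, a) != concat(h0, h1_related, b)
    return a, b, concat_survives, xor_collides, concat_related_ok

if __name__ == "__main__":
    print(demo())
```
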
