[Cryptography] blake2b 160

Jonathan Thornburg jthorn4242 at gmail.com
Sun Dec 30 11:03:50 EST 2018 

On Sun, Dec 30, 2018 at 01:33:29PM +0800, jamesd at echeque.com wrote:
> I have an application that requires that no one can ever produce a hash
> collision on two data blocks of moderate size.
> 
> Seems to me that Blake2b 160 suffices, and Blake2b 256 is overkill.

What's your threat model?

If your thread model is truly "no one" and "ever", this is going to be
very, very hard.

Ok, so let's relax the thread model to say that (as an approximation to
"no one" and "ever") you want resistance to (say) the sort of effort the
NSA might mount against a major Rusian or Chinese cryptosystem, i.e.,
several hundred PhD-level researchers, a budget measured in billions of
dollars, and a decade of effort.  And you don't care about the CPU/memory
cost of computing the hash function.

So now you probably want to think very carefully before using the word
"overkill" in your system design.

Are there any constraints on the colliding data blocks?  I.e., does the
attacker have complete freedom to choose *any* data blocks in trying to
construct a collision?

Can you combine multiple "good" hash functions in a way that makes the
combination much harder to break than any individual one?  What sort of
breaks are now known against (say) MD5 (a "good" hash function from a
while back, which is now rather broken), and how can you combine multiple
(todays-state-of-the-art) hash functions in a way which would defeat
those breaks?

Can you inject nonces in key places?

As a non-crypto-guru, I would think along the lines of
  # random constants have lengths which makes the different hash fn's
  # blocks straddle each other
  H1 = hash_fn1(data)
  H2 = hash_fn2(H1, 0xarandomconstant, data)
  H3 = hash_fn3(H1, 0xsomerandomconstant, H2, 0xanotherrandomconstant, data)
  final_hash = H1 || H2 || H3
or even
  # nonces also have varying lengths chosen to make hash fn block straddle
  H1 = hash_fn1(nonce1, data, nonce2)
  H2 = hash_fn2(nonce3, H1, nonce4, data, nonce5)
  H3 = hash_fn3(nonce6, H1, nonce7, H2, nonce8, data, nonce9)
  final_hash = H1 || H2 || H3
  final_nonce = nonce1 || nonce2 || nonce3 || nonce4
                || nonce5 || nonce6 || nonce7 || nonce8 || nonce9

-- 
-- "Jonathan Thornburg [remove -animal to reply]" <jthorn at astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
    at any given moment.  How often, or on what system, the Thought Police
    plugged in on any individual wire was guesswork.  It was even conceivable
    that they watched everybody all the time."  -- George Orwell, "1984"

More information about the cryptography mailing list