1. IntroductionHash
combiners are a practical way to make cryptographic hash functions more
tolerant of future attacks and compatible with existing infrastructure. A
combiner combines two or more hash functions in a way that is hopefully more
secure than each of the underlying hash functions, or at least remains secure
as long as one of them is secure.
This webpage will present the security stature of some hash combiners,
specifically on the security upper bound obtained by devising the bestknown generic attacks.
The results show that the security of most of the combiners is not as
high as commonly believed. Some crucial and interesting techniques, such as the
Interchange Structure and the Random Functional Graph are exploited.
2. Hash Combiners
Two classical hash combiners are the exclusiveor (XOR) combiner H_{1}(M)⊕H_{2}(M) and the concatenation combiner H_{1}(M)∥H_{2}(M). Both of them process the same message using two (independent) hash functions H_{1 }and H_{2 }in parallel. Then, the former XORs their outputs, H_{1}(M)⊕H_{2}(M) and the latter concatenates them H_{1}(M)∥H_{2}(M).
More generally, cryptographers have also studied cascade constructions of two (or more) hash functions, that is, to compute H_{1 }and H_{2 }in sequential order. Examples are HashTwice H_{2}(H_{1}(IV, M), M), which processes the same message twice using a single hash function (the original specification processes using a single hash function as shown in [ABDK09]), and the Zipper hash H_{2}(H_{1}(IV, M), M*), where M* is the message with the same blocks but in reversed order [Lis06] (such kinds of cascade constructions are not strictly blackbox hash combiners compared with the XOR combiner and the concatenated combiner).
2.1 XOR Combiner
H_{1}(M)⊕H_{2}(M)
2.2 Concatenation Combiner
H_{1}(M)∥H_{2}(M)
2.3 Zipper Hash
2.4 HashTwice
H_{2}(H_{1}(IV, M), M)  3. Security Status of Various Combiners of Two NarrowPipe Hashes
3.1 Tradeoffs curves on the complexity of attacks on parallel combiners
3.2 Tradeoffs curves on the complexity of attacks on cascade combiners
3.3 Security status of various combiners of two narrowpipe hashes
