A hash collision is any pair of values (preimages) that when hashed produce the same digest (image). Finding even one example of a collision should be infeasible in a cryptographically secure hash function.
2
votes
2answers
97 views
Hash function based on block cipher (and proof of security in the PRP model)
I wonder if there exists proofs of security of primitives like hash function (based on block cipher) in the PRP model.
I often see proofs in the random oracle model (for hash function based on ...
4
votes
1answer
191 views
Will rehashing an SHA256 hash continually, eventually produce every possible value?
So let's say you had infinite time and energy. You have a hashed string of some sort. Because you have infinite time and energy, you can produce a collision(or the original value) easily enough. But, ...
2
votes
5answers
191 views
Is it theoretically possible to construct a string that contain its own hash value?
After saw the xkcd comic self-description, I wonder is it theoretically possible to construct a self-descriptive string that contains its own hash value?
Let's say the string's md5 value is ...
10
votes
1answer
383 views
Is truncating a SHA512 hash to the first 40 characters as secure as using SHA1?
I am from a web development background (I don't know an awful lot about cryptography or how the algorithms themselves work), so I am asking this question in simple terms.
Consider a hash of the word ...
3
votes
1answer
52 views
Applications of 3-collisions
I recently read Improved Generic Algorithms for 3-Collisions by Joux and Lucks (Asiacrypt 2009), available as http://eprint.iacr.org/2009/305.pdf. I was wondering about applications of this technique ...
4
votes
4answers
228 views
Compare two hashes with different salt
I'm storing the salted hash of a credit card number in a database. What I'd like to be able to do is determine if two different entries in the same database correspond to the same credit card.
...
2
votes
1answer
88 views
Probability for collisions of a one-way compression function
Given a one-way compression function $h:\{0,1\}^n \rightarrow \{0,1\}^m$ and an attacker that picks $x_1 \ldots x_t \in \{0,1\}^n$ (uniformly distributed), I have to show that the probability to find ...
4
votes
1answer
217 views
Is it possible to actually verify a “sponge function” security claim?
When using a “sponge function” to create a cryptographic hash, we can look at the flat sponge claim, which flattens the claimed success probabilities of all attacks using a single parameter: the ...
1
vote
2answers
55 views
Digital Signature Scheme Count
My question is How I will be able to count digital signature Scheme that can sign many documents with one private key. There are signature scheme as long as exists private keys in the keys spaces? or ...
3
votes
1answer
125 views
Is there a hash function which has no collisions?
To clarify, it would be some function which would produce variable-length output, and never produce the same output for differing input. It would also be computationally hard to derive the input from ...
1
vote
2answers
92 views
Does collision resistance stay when extending a hash function to a set domain?
Given a Cryptographic hash function $h$ for element $x$, let's extend it to sets via $H(S)=\prod_{x\in{S}}{h(x)}$. I am asking if the new hash $H$ (in domain of set) is still collision resistant?
To ...
2
votes
1answer
47 views
How does the birthday attack work in AUTH and UF-CMA games?
In the AUTH and UF-CMA games, an adversary is required to forge a ciphertext or message/tag pair to win the game. Given an encryption scheme $E$ and a PRF $F$, let $\hat{E} = C || F_k(C)$ and $C = ...
9
votes
1answer
432 views
Is Wikipedia's table about SHA-2 collisions correct?
I was looking a Wikipedia article on SHA-2, and the "Comparison of SHA functions" table seems to indicate that SHA-2 is less secure than SHA-1.
Is this true, or is the table wrong / misleading?
...
5
votes
1answer
225 views
Using an MD5 hash as a password
Suppose Alice is using a password prompt that only accepts up to 32 characters for any particular password.
Memorization of long strings of random characters is not one of Alice's strengths, so she ...
7
votes
2answers
210 views
Finding hash almost-collisions
A few months ago, XKCD posted a challenge to find a plaintext which hashed (using Skein 1024 1024) to a specified value. Inputs were scored based on the hamming distance between the hash of the ...
3
votes
4answers
293 views
Increased CRC collision probability when adding bits to input message
The Scenario
I have a message string I need to transport over a wireless network that may be unreliable. This message string is about 100 bits long, and is packaged with an 8-bit CRC. When the ...
5
votes
2answers
235 views
Are cryptographic hash functions perfect hash functions?
For a cryptographic hash function and input values of shorter length than the hash function output, it's pretty obvious that there should be as few collisions as possible. But are there guaranteed to ...
1
vote
2answers
356 views
Even passwords are vulnerable to hash collision attacks?
As stated in this page large documents hashed using md5 maybe vulnerable to collision attacks. My question is even passwords of 6-30 character are vulnerable to such hash collision attacks? If yes, is ...
0
votes
0answers
56 views
Strength of Combining Hash functions [duplicate]
If I combine two hash functions, what will the impact on the strength of the resulting function.
If I combine in following way:
H1*H2 (multiply)
H1 + H2 (concat)
H1 Xor H2
H1 (H2)
EDIT:
Lets say H1 ...
2
votes
0answers
77 views
Is SHA-1 collision free on data up to 20 bytes long? [duplicate]
Is SHA-1 collision free on data up to 20 bytes long (lenght of hash / internal state)? That means that every input produce unique output, but you surely know that, i just write it in order my question ...
5
votes
2answers
184 views
Is SHA-1 still practical secure under specific scenarios?
It is conjectured that SHA-1 has been broken from the "research" perspective but no in real world. That is that there is an algebraic attack that explores weaknesses on its algrebraic construction. ...
7
votes
1answer
285 views
Can I find two specific words with the same md5 hash?
I want to find two strings containing special words like "yes" or "no", mixed with random characters, for which the MD5 hash is equal.
An example of what I'm looking for:
...
2
votes
2answers
377 views
what kind of hash function can provide a short hash and be collision resistant?
When you try to connect via SSH, you see a signature which is short but I heard it is even stronger than sha256. It is perhaps stronger because it uses more rounds. Is there a hash function or a ...
2
votes
1answer
134 views
Finding a collision for a hash function
I'm trying to find a collision for the following (modified) Merkle-Damgard hash function.
Suppose we already have a hash function $h : \mathbb{Z}_2^{2·n} \to \mathbb{Z}_2^n$ for fixed length bit ...
5
votes
3answers
208 views
How many bits of hash are realistically needed for key verification?
Say I'm connecting to a web server secured with TLS but with a self-signed certificate. Accordingly, I call the owner of the server and ask him what SHA1 fingerprint he has.
He starts reading out the ...
1
vote
1answer
82 views
Does a break in a collision resistance property of a hash function by definition implies an attack at the first pre-image attack?
Is there a formal security proof in the shape of reduction that states that if an attacker manages to break the collision resistance property of a cryptographic hash function (a random oracle) he will ...
-4
votes
1answer
336 views
finding collision for truncated SHA1 hash output
Suppose we truncate only 40 bits of sha1 hash output.hence it is insecure.how can we find two message as input which gives first 40 bits of hash as same value i.e we have to find collision for first ...
5
votes
4answers
171 views
Can there be two hash functions without common collisions?
Is there a way to prove/create (or are there known hash functions) two hash functions that never have the same collision? I mean, like provable in way that someone who took one cryptography class in ...
13
votes
1answer
1k views
No SHA-1 Collision? Yet SHA1 is broken?
Is there a known pair of distinct bit strings (A,B) such that SHA1(A) == SHA1(B)?
If the answer is no than how can SHA1 be considered broken?
3
votes
3answers
428 views
Is it possible to pick your Ed25519 public key?
Is it possible to generate an Ed25519 keypair that has a very similar public key as another keypair (fooling a casual visual comparison) or is this as hard as solving one of SHA-512 or the discrete ...
1
vote
1answer
94 views
MD5 pre-fixing with an unkown postfix
Is the MD5 prefixing attack still valuable to an attacker if he doesn't know the postfix of the string?
For instance, what if the following sanity check was being used:
...
5
votes
2answers
207 views
Do MD5's weaknesses affect Oplop?
Oplop is an algorithm that generates account-specific passwords from a master password and user-chosen nickname (typically username@domain). From the website:
Concatenate the master password with ...
5
votes
0answers
114 views
Pseudo preimage for a hash made from a cipher
Consider the Miyaguchi–Preneel construction:
$H_0 = E(0,m_0) \oplus m_0$ (0 here means a vector filled with zeros)
$H_1 = E(H_0,m_1) \oplus H_0 \oplus m_1$
where $E(K,M)$ is a block cipher (for ...
7
votes
1answer
1k views
How does a birthday attack on a hashing algorithm work?
A "normal", brute-force attack on a cryptographic hashing algorithm $H$ should have a complexity of about $2^{n}$ for a hash algorithm with an output length of $n$ bits.
That means it takes about ...
2
votes
2answers
685 views
Are there any known collisions for the SHA-2 family of hash functions?
Are there any known collisions for the hash functions SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512?
By that, I mean are there known values of a and ...
3
votes
1answer
292 views
Partial collisions for md5
Let $h$ be a bitstring and let $P(h, n)$ be the n-bit prefix of $h$. A partial collision of length $n$, for a hash function $H$ is a pair $(x,y)$, such that $P(H(x),n)=P(H(y),n)$.
What is known about ...
4
votes
2answers
222 views
Tunnels used in md5
I'm reading a paper about finding collisions for the MD5 hash algorithm involving the concept of tunnels.
But I couldn't understand about the difference between point of verification and point of ...
1
vote
1answer
224 views
How to represent a 32-byte SHA2 hash in the shortest possible string?
I'm calculating a SHA2 hash of a certain sensitive key value. I need to store files on disk using this hash a directory path prefix. So lets say I hash the key value 150023, I get a 32-byte value ...
1
vote
0answers
30 views
SHA-512 hash collisions [duplicate]
Possible Duplicate:
Is SHA-512 bijective when hashing a single 512-bit block?
Is there any guarantee that there are no collisions for all 512-bit input values for SHA-512(Every 512-bit ...
3
votes
3answers
968 views
Is it fair to assume that SHA1 collisions won't occur on a set of <100k strings
I'm building a system that has to take file paths, and generate a unique name for each one. I'm planning on using SHA1 as the hash function. My question is: do I have to deal with possible collisions ...
3
votes
1answer
140 views
Question about hash collisions
If we have a hash function $h(x)$ and then a hash function $H(X) = h(h(X_0) || h(X_1))$ where $X_0$ is the first half of $X$, $X_1$ is the second half of $X$ and $||$ is concatenation. Then assuming ...
5
votes
2answers
671 views
128 bit hash with least chance of collision
I'm building a storage system for JSON documents where they are looked up on a 128 bit key. These JSON documents have a timestamp within them, but apart from that are user-entered data. These JSON ...
7
votes
3answers
445 views
Counter mode secure hash algorithm
Ever since the SHA-3 competition, I've been wondering if it is possible to create a hash algorithm that is easier to parallelize. The current algorithms all seem to require building a tree of hashes. ...
1
vote
1answer
353 views
Creating a hash of XOR'd blocks
Suppose a message $m$ is divided into blocks of length $160$ bits: $m
> = M_1 || M_2 || ... || M_l$ And define $h(m) = M_1 \oplus M_2 \oplus ... \oplus M_l$
Which of the three desirable ...
9
votes
5answers
4k views
Are there two known strings which have the same MD5 hash value?
Is there an example of two known strings which have the same hash (MD5) value, i.e. an MD5 collision?
-2
votes
1answer
388 views
How many possible combinations of input files are possible using a 63-bit length?
I'm trying to calculate how many possible combinations of files there can be using a signed 64-bit file length, but can't seem to find a formula (or I'm using the wrong keywords). For example, the ...
8
votes
3answers
2k views
What is pre-image resistance, and how can the lack thereof be exploited?
What is preimage resistance, and how can the lack thereof be exploited?
How is this different from collision resistance?
Are there any known preimage attacks that would be considered feasible?
14
votes
4answers
7k views
Best way to reduce chance of hash collisions: Multiple hashes, or larger hash?
I would like to maintain a list of unique data blocks (up to 1MiB in size), using the SHA-256 hash of the block as the key in the index. Obviously there is a chance of hash collisions, so what is the ...
9
votes
2answers
203 views
Why would you expect to find a collision in a hash function after approximately $\sqrt{n}$ hashes?
I can't get an intuitive understanding of why it's $2^{(\frac{n}{2})}$ and not $2^n$, where $n$ is the number of bits of which the key consists.
3
votes
1answer
520 views
Why doesn't preimage resistance imply the second preimage resistance?
Let the preimage resistance be defined as »given a hash value $h$, it is hard to find any message $m$ such that $\operatorname{hash}(m)=h$«, and let the second preimage resistance be defined as »given ...
