2
$\begingroup$

Let's say I have three messages: A B C

And I run each of these through two different Hashing algorithms: MD5 and SHA1 for this example

MD5(A) = X MD5(B) = Y MD5(C) = Y SHA1(A) = N SHA1(B) = N SHA1(C) = M

Notice the MD5 hash of B and C collide. And the SHA hash of A and B collide.

If I simply concatenate the digests, however, the results would be unique:

Combined Digest of A: XN Combined Digest of B: YN Combined Digest of C: YM

The underlying principle would be that whatever pair of messages could be found or constructed to form a collision with one hashing algorithm, wouldn't also form a collision with another hashing algorithm.

The combined digest length (for MD5/SHA1) would be 288 bits (128+160) -- but unless I'm missing something, this would be significantly more secure than a single hashing algorithm with a 288-bit digest.

Granted, in the example above I'm using MD5 and SHA1 which are both known to be effectively broken, but I'm hoping an answer exists that applies more conceptually to the premise than simply the choice of algorithms.

i.e., In a situation where collision resistance is critical, wouldn't the combination of SHA2-256 + SHA3-256 concatenated be more secure than a single iteration of SHA2-512, or SHA3-512?

Improve this question
$\endgroup$
10
  • $\begingroup$ FYI, the closest question I found that is similar is this one: crypto.stackexchange.com/questions/81634/… But it didn't quite ask the exact premise of my question. $\endgroup$ Commented Mar 1, 2023 at 18:52
  • 2
    $\begingroup$ The short answer is no: a collision for MD5 || SHA-1 is almost as easy as a collision for SHA-1 alone — much worse than SHA-256 despite SHA-256 being slightly shorter, but unbroken. $\endgroup$ Commented Mar 1, 2023 at 19:25
  • 3
    $\begingroup$ No, it's not specific to MD5 and SHA1: the fact that the attack on the concatenation is basically only as hard as the attack on the longest hash is mostly generic. $\endgroup$ Commented Mar 1, 2023 at 20:41
  • 2
    $\begingroup$ What leads you to believe "whatever pair of messages could be found or constructed to form a collision with one hashing algorithm, wouldn't also form a collision with another hashing algorithm"? $\endgroup$ Commented Mar 2, 2023 at 4:33
  • 2
    $\begingroup$ The pigeon-hole principle alone tells us that collisions are still possible. $\endgroup$ Commented Mar 2, 2023 at 16:16

2 Answers 2

Reset to default
4
$\begingroup$

No, concatenating the result of two different hashing algorithms does not defeat all collisions. You've overlooked the case where $\text{MD5}(A)=\text{MD5}(B)=X$ and $\text{SHA1}(A)=\text{SHA1}(B)=N$. In English, that's when a pair of inputs collides for both hash functions.

Furthermore, assuming a hash function's output is truly uniformly distributed for any given set of inputs (this isn't actually true, but for our purposes, it's close enough to true for modern cryptographic has functions), the collision resistance of $\text{HASH}^P_\text{256-bit}(A) +\text{HASH}^Q_\text{256-bit}(A)$ is exactly equal to the collision resistance of $\text{HASH}_\text{512-bit}(A)$.

Again, assuming a uniform distribution, the chance two inputs collide for an N-bit hash is $\left(\frac{1}{2}\right)^N$, or one in two for each bit of output. Assuming the chance that a pair of inputs collides for hash $P$ is independent of the chance of collision of the pair for hash $Q$, the chance a pair collides for both is the product of the chance it collides for each hash individually. Given this, it's clear the chance of collision is identical either way, since $\left(\frac{1}{2}\right)^{256}\cdot\left(\frac{1}{2}\right)^{256}=\left(\frac{1}{2}\right)^{512}$.

Improve this answer
$\endgroup$
3
  • 2
    $\begingroup$ Perhaps some people are sufficiently paranoid that they would prefer not to assume a uniform distribution -- e.g. if in the future it turns out that one of the hashing algorithms contains an exploitable flaw but the other algorithm does not, then using the concatenation of the two algorithms' output could be more resistant to exploitation than just using a single algorithm to generate twice the number of hash-bits? $\endgroup$ Commented Mar 2, 2023 at 6:14
  • $\begingroup$ This was the confirmation I was seeking. Thank you. Follow on question, is there a reason why doing a single 512-bit hash is "better" than concatenating two different 256-bit hashes (faster, more secure, simpler, lower cpu, anything)? $\endgroup$ Commented Mar 2, 2023 at 15:44
  • $\begingroup$ @Eddie This will depend entirely on the specific hash functions. For example, some processors implement hardware acceleration for specific hash functions, so one method may be significantly faster than the other on some hardware. In general though, assuming none of the hash functions have a known weakness, I don't think there's a strong technical reason to choose one or the other. That said, I think many people would find the decision to concatenate two cryptographic hashes perplexing in the absence of a strong technical reason, since it presumably increases implementation complexity. $\endgroup$ Commented Mar 2, 2023 at 23:41
4
$\begingroup$

No, concatenating two hashes gives you at least the collision resistance of either but in many practical cases it will give you little more.

This is especially truely for MD hash functions where we know how to convert collisions into many way multi collisions. We can make 2^64 multi way sha1 collision and expect one will collide also in MD5.

Improve this answer
$\endgroup$
2
  • $\begingroup$ but in many practical cases it will give you little more -- could you expand on this a bit? And specifically speak to why it wouldn't give you an additional "the full collision resistance" of the other hashing algorithm? $\endgroup$ Commented Mar 1, 2023 at 20:23
  • $\begingroup$ try this question: crypto.stackexchange.com/questions/103630/… $\endgroup$ Commented Mar 2, 2023 at 11:00

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.