2

Possible Duplicate:
Are different hash algorithms ever used together?

For example, Is possible to combine (Concatenate or Chain or XOR) Skein SHA-3 candidate with Grostl SHA-3 candidate to increase security?

Note: I just want more secure output and CPU cycles does not matter. I would like to come up with my two combine hash functions to protect a certain document's data integrity that I have. And of course, I want this protection to last for the next few years, So I decided to choose to combine two of SHA-3 candidates, Any suggestions?

Koko1100
  • 29
  • 1
  • 2
    Possible duplicate: [Doubling up or cycling encryption algorithms](http://security.stackexchange.com/q/2900/5501), [Are different hash algorithms ever used together?](http://security.stackexchange.com/q/8940/5501) – Andrei Botalov Sep 14 '12 at 18:24
  • 4
    Cross-post from [crypto.SE](http://crypto.stackexchange.com/questions/3753/can-i-combine-two-of-sha-3-candidates-cryptography-hash-functions-and-obtain-mor) – CodesInChaos Sep 14 '12 at 18:34
  • I'd be careful using SHA-3 candidates as their implementation NOW might differ from the implementation when the winner is announced. There could be some final modifications. If that happens you will have huge problems if you somehow lose the source of the implementation that you use. Keeping the source might be simple now, but in 5 years, it will probably be hard to find the implementation and version you use. Just look at AES competition. You'd be hard pressed to find a final version of Serpent cipher implementation for use in all popular programming languages today, let alone old version. – Matrix Sep 15 '12 at 14:39

1 Answers1

4

For increased protection against collision vulnerabilities, compute both hashes and store them both. Combining them is an unnecessary step. The resulting protection is equal to the stronger of the two.

Keep in mind that there are some other scenarios to keep in mind:

  • If you hash a message with H1(H2(m)) you only get collision resistance from H2.
  • If you hash a message as H1(m) ⊕ H2(m) you get exactly the same security as not xoring the two together, since a collision on H1 will be negated by the fact that H2 changes the resulting hash.
  • It may turn out that if an attacker knows both H1(m) and H2(m), where H1 and H2 are different hash algorithms, they can deduce some information about m. This is unlikely, and I'm unaware of any attacks that do this, but it's an interesting concept. This is not applicable to your scenario, since you're only dealing with integrity, but it's an interesting concept.
Polynomial
  • 133,763
  • 43
  • 302
  • 380
  • A minor nitpick: Your second point is only true if H1 and H2 have uncorrelated output. (Consider the trivial case where H1 = H2, or where any subset of their output has high probability of being the same/different.) This should be true for any of the SHA-3 contestants, but from the theory perspective that qualification is necessary. – B-Con Sep 14 '12 at 20:18
  • @B-Con Yeah, I probably should've mentioned that H1 and H2 must be different. A hash of `0000000000000000...` for every message isn't very useful! – Polynomial Sep 15 '12 at 09:49