We need to show $H'(x) =H_1(H_2(x))$ need not be a secure CRHF even if one of $H_1$ or $H_2$ is secure. The case when $H_2$ is insecure is clear as the pair of messages $m,m'$ given as output for $H_2$ will work for showing $H'$ insecure. How can I get the pair of messages for $H'$ when for $H_1$ being insecure.
3
-
$\begingroup$ Hint: If $H_1$ is insecure, it's insecure against potentially any/all input. $\endgroup$DannyNiu– DannyNiu2025-10-16 11:38:54 +00:00Commented Oct 16 at 11:38
-
1$\begingroup$ Actually, if $H_2$ is insecure than any deterministic function is insecure. Take two colliding pairs and see. $\endgroup$kelalaka– kelalaka2025-10-16 12:41:08 +00:00Commented Oct 16 at 12:41
-
$\begingroup$ Hint: the part of the question "How can I get the pair of messages for $H′$ when for $H_1$ being insecure." is asking something that can't be answered (even after replacing "when for" with "assuming that"). You want to understand the assignment "show $H'(x) =H_1(H_2(x))$ need not be a secure CRHF even if one of $H_1$ or $H_2$ is secure" differently. $\endgroup$fgrieu– fgrieu ♦2025-10-17 18:15:02 +00:00Commented Oct 17 at 18:15
Add a comment
|