3

I'm reading the fourth edition of "Cryptography: Theory and Practice" by D.R. Stinson and M.B. Paterson. In the book, they have mentioned the concept of "collision-resistant hash" and I've stumbled upon the following question from another source:

Is there a collision resistant hash function $h(x)=h_1(x)\oplus h_2(x)$ so that $h_1$ and $h_2$ are not collision resistant?

It seems interesting to think about it, but I couldn't find any relevant answers for this topic…

fgrieu
  • 149,326
  • 13
  • 324
  • 622
Dniel BV
  • 31
  • 3

1 Answers1

2

Let $g$ be a collision-resistant hash. We build $h_1$ to be $g$ with the first half replaced with all zeros, and $h_2$ to be $g$ with the second half replaced with all zeros. Neither are collision-resistant as both have effectively half the bit strength they should. Yet their XOR is exactly $g$ we assumed to be collision resistant.

fgrieu
  • 149,326
  • 13
  • 324
  • 622
Meir Maor
  • 12,053
  • 1
  • 24
  • 55