4

For any hash functions $H_0$ and $H_1$, it is easily proved that their concatenation $H_0\|H_1$, defined by $(H_0\|H_1)(X)=H_0(X)\|H_1(X)$, is at least as resistant as the strongest of $H_0$ and $H_1$ with respect to collision-resistance, first preimage resistance, and second-preimage-resistance. Here we study another commonly assumed notion of preimage resistance, possessed by common hash functions, that (I believe) could be totally lost by concatenation for uncommon hash functions.

For a hash function $H$, define $m$-bit preimage resistance as: given $m$ and $h=H(M)$ for a random unknown $m$-bit message $M$, it is computationally hard to find a message $X$ with $H(X)=h$. For an ideal $n$-bit hash (random oracle), breaking $m$-bit preimage resistance requires about $2^{\min(m-1,n)}$ hashes (queries to the oracle). Common hashes are expected to reach that security level. $m$-bit preimage resistance is desirable e.g. when hashing an $m$-bit password (+salt).

From an $n$-bit hash $H$ secure in the Random Oracle Model, can we construct two $n$-bit hashes $H_0$ and $H_1$ such that:

  • $H_0$ and $H_1$ each are secure in the ROM, to near the theoretical optimum;
  • for any $m\le n$, $H_0\|H_1$ has no $m$-bit preimage resistance (there's a fast algorithm to solve the problem defining $m$-bit preimage resistance)?

My guess is yes. A simpler construction than what I had in mind shows just that.

What's the best level of $m$-bit preimage resistance that we can demonstrate for $H_0\|H_1$?

fgrieu
  • 149,326
  • 13
  • 324
  • 622

1 Answer

6

If we use $H_1(X) = H_0(X) \oplus \mathrm{firstnbits}(X)$, this would seem to be trivial.

EDIT: As Cédric Van Rompay pointed out, this is only a counterexample if $H_1$ winds up being preimage-resistant. This may not be a necessary consequence of $H_0$ being preimage-resistant, but I really only need one case where it is.

Gordon Davisson
  • 648
  • 1
  • 4
  • 11
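The following Python script is an added illustration (not code from either the question or the answer) of why the construction $H_1(X) = H_0(X) \oplus \mathrm{firstnbits}(X)$ defeats the $m$-bit preimage resistance of $H_0\|H_1$ as defined in the question: the two halves of the concatenated digest XOR to $\mathrm{firstnbits}(M)$, so an $m$-bit message with $m \le n$ is read straight off the digest with no hashing at all. It assumes SHA-256 as the stand-in for $H_0$ (so $n = 256$), zero-padding on the right as the convention for $\mathrm{firstnbits}$ when $X$ is shorter than $n$ bits, and byte-granular message lengths; none of these choices are specified on the page.

```python
import hashlib
import os

# Assumption: H_0 is SHA-256, standing in for an n-bit hash secure in the ROM.
N_BITS = 256
N_BYTES = N_BITS // 8


def h0(x: bytes) -> bytes:
    """H_0(X): the underlying n-bit hash (SHA-256 here, an assumption)."""
    return hashlib.sha256(x).digest()


def first_n_bits(x: bytes) -> bytes:
    """firstnbits(X): the first n bits of X.

    Padding convention (assumption): if X is shorter than n bits it is
    zero-padded on the right so the result is always exactly n bits.
    """
    return x[:N_BYTES].ljust(N_BYTES, b"\x00")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def h1(x: bytes) -> bytes:
    """H_1(X) = H_0(X) XOR firstnbits(X), the construction from the answer."""
    return xor_bytes(h0(x), first_n_bits(x))


def concat_hash(x: bytes) -> bytes:
    """(H_0 || H_1)(X) = H_0(X) || H_1(X), the concatenation from the question."""
    return h0(x) + h1(x)


def recover_preimage(digest: bytes, m_bytes: int) -> bytes:
    """Solve the m-bit preimage problem for H_0 || H_1 with m <= n.

    Given h = (H_0 || H_1)(M) and the length m of the unknown message M,
    XOR the two n-bit halves: H_0(M) XOR (H_0(M) XOR firstnbits(M)) =
    firstnbits(M). Since m <= n, firstnbits(M) is M itself plus padding,
    and knowing m lets us strip the padding. No hash evaluation is needed.
    """
    if not (0 <= m_bytes <= N_BYTES):
        raise ValueError("this attack needs m <= n")
    d0, d1 = digest[:N_BYTES], digest[N_BYTES:]
    return xor_bytes(d0, d1)[:m_bytes]


def demo(message: bytes) -> bool:
    """Return True if the message is recovered from its concatenated digest."""
    digest = concat_hash(message)
    recovered = recover_preimage(digest, len(message))
    return recovered == message and concat_hash(recovered) == digest


if __name__ == "__main__":
    # Constructed sample inputs: a short "password" and a full 256-bit message.
    for sample in (b"hunter2", os.urandom(N_BYTES)):
        print(len(sample) * 8, "bits recovered:", demo(sample))
```

`recover_preimage` runs in constant time relative to the $2^{\min(m-1,n)}$ oracle queries the question gives as the ideal cost, which is the loss of $m$-bit preimage resistance being discussed. The script says nothing about whether $H_1$ on its own is preimage-resistant, the point raised in the answer's edit; it only shows what happens to the concatenation once such an $H_1$ exists.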