3

Assuming that performances do not matter, is there any real benefit in terms of security (in general) in combine hashes in this way:

hash functions:

Blake512 (b)
Groestl512 (g)
Kekkack512 (k)
Skein512 (s)

Output:

## imagine the outputs of each function as 512 single bit:
b1b2b3b4......b512
g1g2g3g4......g512
k1k2k3k4......k512
s1s2s3s4......s512

Mix:

## combine the top 128bits of each output into a 512-bit hash
b1g1k1s1 + b2g2k2s2 + ....... + b128g128k128s128

Does this make sense? If yes, do I loose security (in general) by truncating each hash to 128 bit?

ps. it's not meant to store passwords

user197675
  • 133
  • 3

1 Answers1

1

The main question about this topic is: Guarding against cryptanalytic breakthroughs: combining multiple hash functions. There you will find some better combiners for multiple hash functions. I would generally recommend against the extra complexity - a single good hash ought to be enough.

Now, regarding your way of combining them:

Does this make sense? If yes, do I loose security (in general) by truncating each hash to 128 bit?

By truncating a hash to 128 bits you make brute force attacks against the hash easier and may also make other attacks easier. A 128-bit hash alone would not be secure, since a $2^{64}$ collision attack is within plausible estimates of strong attackers' (e.g. national security agencies') capabilities.

Some hash functions, e.g. SHA-2, explicitly state that you can truncate them and assume the lower resistance implied by the shorter output size. Others do not.

By concatenating four 128-bit hashes you are back to "secure against collision attacks" if at least two of them are 64-bit secure. (Preimage attacks are another matter. It depends on which notion of preimage resistance you consider, but if one of the hashes somehow leaked some bits of the input you could lose preimage resistance.)

otus
  • 32,462
  • 5
  • 75
  • 167