6

Is there a concrete case where chaining cryptographic hash functions reduces security?

I'm thinking of things like md5(md5(x)) or sha256(sha1(x)), as common in password hashing (even though neither function above is suitable for it).

Drathier

1 Answer

5

Yes, there are concrete cases where chaining cryptographic hash functions reduces security; and you gave one. SHA-256(SHA-1(x)) is in particular less collision-resistant than SHA-256(x). We now know collisions for SHA-1(x), and these give collisions for SHA-256(SHA-1(x)), but not SHA-256(x).

More generally, a chain of hashes is neither more collision-resistant, nor second-preimage-resistant, than the first hash performed is. Thus inserting a weak hash as the first/inner is a recipe for weakening an otherwise fine hash.

On the other hand, SHA-256(SHA-1(x)) resists length-extension attacks when neither SHA-256(x) nor SHA-1(x) does; and SHA-256(SHA-1(x)) can be more resistant than SHA-256(SHA-256(x)) is to some attacks in some Proof-of-Work protocols; thus chaining hashes, including different hashes, can have some benefit.

fgrieu
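The answer's first point made concrete, as an added example that is not part of the original answer: a collision in the inner hash is automatically a collision (and a second preimage) for the whole chain, while the outer hash alone stays unbroken. Real SHA-1 collision inputs are too large to embed here, so `weak_inner` is a constructed stand-in (SHA-1 truncated to 3 bytes) whose collisions are found by a small birthday search; everything else is plain `hashlib`.

```python
import hashlib

INNER_BYTES = 3  # truncation that makes the constructed inner hash weak enough to collide quickly


def weak_inner(data: bytes) -> bytes:
    """Stand-in for a broken inner hash: SHA-1 truncated to INNER_BYTES (constructed for this demo)."""
    return hashlib.sha1(data).digest()[:INNER_BYTES]


def chained(data: bytes) -> bytes:
    """The chain from the answer, outer(inner(x)), with SHA-256 as the (still fine) outer hash."""
    return hashlib.sha256(weak_inner(data)).digest()


def find_inner_collision() -> tuple[bytes, bytes]:
    """Birthday search over a deterministic counter for two distinct inputs with equal weak_inner output.
    Expected cost is about 2**(8*INNER_BYTES/2) hashes, i.e. a few thousand for 3 bytes."""
    seen: dict[bytes, bytes] = {}
    counter = 0
    while True:
        msg = counter.to_bytes(8, "big")  # all messages distinct by construction
        digest = weak_inner(msg)
        if digest in seen:
            return seen[digest], msg
        seen[digest] = msg
        counter += 1


def collision_propagates(a: bytes, b: bytes) -> bool:
    """True when an inner collision (a, b) is also a collision of the full chain
    but NOT a collision of the outer hash applied directly to the inputs."""
    return (
        a != b
        and weak_inner(a) == weak_inner(b)          # the inner hash is broken
        and chained(a) == chained(b)                # ...so the chain is broken too
        and hashlib.sha256(a).digest() != hashlib.sha256(b).digest()  # SHA-256(x) alone is not
    )


if __name__ == "__main__":
    a, b = find_inner_collision()
    print("inner collision:", a.hex(), b.hex())
    print("chain collides, outer alone does not:", collision_propagates(a, b))
```

Because `b` was found without reference to `a`'s chained digest, the same pair also shows that `b` is a second preimage of `chained(a)`, which is the second-preimage half of the answer's claim.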