Score:2

Crypto

Why this function isn't second preimage resistant?

Emma

5/2/23, 2:34 AM

Why is $h(k,m)$ not second-preimage resistant? Let $E_k$ be a block cipher where the message space is the same as the key space. $$h(k,m)=E_k(m\oplus k)\oplus k$$

I've been reading about second preimage resistance and attempting to try this example.

What I currently know is that given an input $m$, and therefore the hash $h(k,m)$, I need to find another input $\hat{m} \ne m$ such that $h(k,m) = h(k,\hat{m})$.

I have a feeling that a collision might be something like this (but I'm not sure): \begin{align*} E_k(m\oplus k)\oplus k & = E_k(\hat{m}\oplus k)\oplus k= E_k(h(k,m)\oplus k)\oplus k \end{align*}

108

0 + 0

hash

preimage-resistance

2nd-preimage-resistance

collision-resistance

poncho

5/2/23, 3:40 AM

Why do you believe that it is not second-preimage resistant?

kelalaka

5/2/23, 9:00 AM

How do you control the $k$ ?

Emma

5/2/23, 10:39 AM

I've corrected the formula, it should XOR with the $k$ instead of $m$. Thank you @kelalaka for pointing that out.

Emma

5/2/23, 10:42 AM

@poncho I made a mistake before, now that I have edited the question, do you believe that it is second-preimage resistant?

fgrieu

5/2/23, 12:28 PM

"I need to find another input $\hat{m} \ne m$ such that $h(k,m) = h(k,\hat{m})$" is wrong. To exhibit a second preimage for a function given an input, you need to find another input with the same output. What's an "input" for the function at hand? What's the given input? So what exactly do you need to exhibit? Now, just do that.

Emma

5/2/23, 12:40 PM

@fgrieu I'm not sure I understand your point correctly, so please correct me if I am wrong. The given (fixed) input is $m$, so I need to find another input $\hat{m}$, s.t. $\hat{m} \ne m \wedge h(k,m) = h(k,\hat{m})$. Have I misunderstood something?

Emma

5/2/23, 1:11 PM

@kelalaka I think the key $k$ is known to the adversary if that is what you atually asking.

kelalaka

5/2/23, 1:15 PM

Do we have a fixed key $k$ or not? For a fixed $k$, the $h(k,m)$ is a permutation.

Emma

5/2/23, 1:19 PM

the key is fixed. yes $h(k,m)$ is assumed to be a bijective function.

kelalaka

5/2/23, 1:50 PM

In this case, there is only one pre-image. If the key is known to the adversary it is easy to find the pre-image.

fgrieu

5/2/23, 1:52 PM

My reading of the question: "why is $h(k,m)=E_k(m\oplus k)\oplus k$ not second preimage resistant?" is that it asks how, given input $(k,m)$, we can find an input $(\hat k,\hat m)$ with $h(\hat k,\hat m)=h(k,m)$ and $(\hat k,\hat m)\ne(k,m)$ (that is $\hat k\ne k$ or/and $\hat m\ne m$). Just do that!