Is the composition of a hash function with a block cipher collision resistant?

Question

Assume $H$ is a collision resistant and preimage resistant (unkeyed) hash function and $E(k,y)$ is a block cipher where $k$ is the key.

I am interested into the collision resistance of the composed function $F(k,x)=E(k,H(x))$. A collision for $F$ is defined as $(,)≠(′,′)$ such that $(,)=(′,′)$.

This post seems to say that $F$ should be collision resistant but I can't seem to find a way to formally prove it.

ps: Could you please indicate which definition of preimage resistance you would use to prove it? As there seems to be multiple ones.

edit: I have changed the formulation from permutation to block cipher. As explained by @poncho, the implication holds for permutation.

Answer 1

You can probably prove this to be collision-resistant if $E$ is an ideal cipher (and $H$ a random oracle). But it cannot be proven from the simple PRP (SPRP) security of $E$. A simple counterexample is to consider $E$ that ignores the last bit of $k$. Then $(k\|0, x)$ and $(k\|1,x)$ are a collision in your construction.

Answer 2

I imagine the following security experiment: 1) first the challenger (not the adversary) picks a key $K$ for $E$ uniformly at random from the key space of the block cipher; 2) the challenger then hands $K$ to the adversary; 3) the experiments ends with the adversary outputting $X$ and $Y$, and it wins if $F_K(X) = F_K(Y)$ and $X \neq Y$. Is this a fair interpretation of what you had in mind?

If so, here's a proof showing that $F$ is as collision-resistant as $H$. Suppose $X \neq Y$ are such that $F_K(X) = F_K(Y)$. Let $Z = H(X)$ and $Z' = H(Y)$, so in particular we have $E_K(Z) = E_K(Z')$. But since $E$ is a block cipher (i.e., $E_K(\cdot)$ is a permutation), we must have $Z = Z'$. But this means that $H(X) = H(Y) = Z$. In other words: a collision in $F$ implies a collision in $H$.

Answer 3

Under your non-standard definition of collision resistance given below, the composition of a hash and block cipher is not collision resistant at all:

Assume $H$ is a collision resistant and preimage resistant (unkeyed) hash function and $E(k,y)$ is a block cipher where $k$ is the key.

I am interested into the collision resistance of the composed function $F(k,x)=E(k,H(x))$. A collision for $F$ is defined as $(,)≠(′,′)$ such that $(,)=(′,′)$.

There are at least $2^{d+n}$ inputs $(k,x)$ to your function $F(k,x)$ assuming $k$ is $d$ bits long and the cipher blocklength is $n.$ If anything there are many more since a hash function takes inputs that are in general longer than its output bitlength of $n$ bits.

So even under this conservative assumption there are on average $2^d$ inputs that yield the same output. Just by randomly trying different $(k,x)$ pairs you can find a collision in roughly $2^{n/2}$ trials by the birthday paradox regardless of whether $H$ is collision resistant or not.