3

I'm wondering if there is any collision-resistant hash function $h^s(\cdot)$ satisfying that there is a fixed value $c$ such that, for each $s$, a value $x_s$ satisfying $h^s(x_s) = c$ is known. This would not contradict the collision-resistance property, nor preimage-resistance, but I have not been able to come up with any construction of this kind.

Does anyone know if this is possible, and if so, can point me to a particular construction?

Thanks

Some context...

I'm working on an exercise which asks to analyze the security of Merkle–Damgård transform when no $IV$ is used (or, equivalently, when it is set as the first block of the message). If a hash function like that I mention can be constructed, then I can build collisions on this construction.

Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323
Cristina
  • 124
  • 9

1 Answers1

3

Take any standard hash function family $\{h_s(\cdot)\}_s$, a point $c$ and a list of inputs $(x_s)_s$ and define $h'_s : x \mapsto h_s(x)$ if $x\neq x_s$, and $c$ otherwise. As you said, it does not contradict collision resistance or preimage resistance - in other words, you can prove that if $(h_s)_s$ is a family of (say) collision-resistant hash functions, then so is $(h'_s)_s$. If you have a collision on Merkle-Damgård applied to $(h'_s)_s$ without $IV$, then you are done. The existence of any collision-resistant hash function implies the existence of a hash with the properties you want, via this trivial method.

Mike Edward Moras
  • 18,161
  • 12
  • 87
  • 240
Geoffroy Couteau
  • 21,719
  • 2
  • 55
  • 78