sci.crypt archive

Re: Added hashes.

From: Kristian Gjøsteen <kristiag+news@item.ntnu.no>
Date: Thu Dec 15 2005 - 13:10:15 CET

David Wagner <daw-usenet@taverner.cs.berkeley.edu> wrote:
>Here's another way to put it. Suppose n = 160, and the world chooses
>a random 320-bit input to send to each hash. Define G,H by
> G(x) = first160bits(x), H(x) = last160bits(x).
>Then G,H form a pair of hashes that would be considered "secure" under
>your definition, but that are clearly cryptographically useless.

I do not think this was intended as a definition of security, only as
a definition of independence. I'd say that H and G are independent,
in the sense that the hash value G(x) does not give you any knowledge
about the hash value H(x).

One concrete problem with the proposed definition is that H and G
may be independent in this sense for "most" messages, but still be
dependent for specially chosen messages. Suppose, for example, that r1
and r2 are random bit strings of some length and that for almost all x
we define H(x) = SHA1(r1||x) and G(x) = SHA1(r2||x), but if x starts
with 200 ones, we define H(x) = G(x) = SHA1(x).

H(x) xor G(x) is certainly not collision resistant.

-- 
Kristian Gjøsteen
Received on Fri Dec 23 20:10:23 2005
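The following Python sketch is an added illustration of the two constructions discussed in this thread; it is not code from the post or from either poster. It builds the pair H, G described above with SHA-1, using constructed (not random) prefixes r1 and r2 and a 25-byte run of 0xff as the "200 ones" prefix, and shows that while H(m) and G(m) differ for ordinary messages, every message starting with 200 one-bits makes H(x) xor G(x) equal to the all-zero string, so any two such messages collide under the xor combination. It also reproduces Wagner's split example, where G and H are each half of a 320-bit input: G(x) gives no information about H(x), yet collisions in either are trivial. The sample messages are constructed for the example.

```python
import hashlib

# Constructed secret prefixes r1 and r2 (assumed values; the post only says
# they are random bit strings of some length).
R1 = bytes.fromhex("00112233445566778899aabbccddeeff")
R2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")

# "x starts with 200 ones" == the first 25 bytes of x are all 0xff.
SPECIAL_PREFIX = b"\xff" * 25


def starts_with_200_ones(x: bytes) -> bool:
    """True if the first 200 bits of x are all set (x must be >= 25 bytes)."""
    return x[:25] == SPECIAL_PREFIX


def H(x: bytes) -> bytes:
    """H(x) = SHA1(r1 || x), except H(x) = SHA1(x) when x starts with 200 ones."""
    if starts_with_200_ones(x):
        return hashlib.sha1(x).digest()
    return hashlib.sha1(R1 + x).digest()


def G(x: bytes) -> bytes:
    """G(x) = SHA1(r2 || x), except G(x) = SHA1(x) when x starts with 200 ones."""
    if starts_with_200_ones(x):
        return hashlib.sha1(x).digest()
    return hashlib.sha1(R2 + x).digest()


def xor_hash(x: bytes) -> bytes:
    """The combined hash H(x) xor G(x) that the post says is not collision resistant."""
    return bytes(a ^ b for a, b in zip(H(x), G(x)))


def xor_hash_collision():
    """Two distinct constructed messages with the special prefix; both map to 0^160."""
    m1 = SPECIAL_PREFIX + b"message one"
    m2 = SPECIAL_PREFIX + b"message two"
    return m1, m2, xor_hash(m1) == xor_hash(m2) == b"\x00" * 20


# Wagner's example: the world hashes a 320-bit (40-byte) x, and
# G(x) = first160bits(x), H(x) = last160bits(x).
def split_G(x: bytes) -> bytes:
    return x[:20]


def split_H(x: bytes) -> bytes:
    return x[20:40]


def split_collision():
    """G and H are independent, but a collision in G costs nothing: keep the
    first 20 bytes, change the last 20."""
    x1 = bytes(range(40))
    x2 = x1[:20] + bytes(20)  # same first half, different second half
    return x1, x2, split_G(x1) == split_G(x2) and split_H(x1) != split_H(x2)


if __name__ == "__main__":
    m = b"an ordinary message"
    print("ordinary message: H != G      ->", H(m) != G(m))
    print("ordinary message: H xor G != 0 ->", xor_hash(m) != b"\x00" * 20)
    m1, m2, collides = xor_hash_collision()
    print("special-prefix messages collide under H xor G ->", collides)
    x1, x2, split_collides = split_collision()
    print("Wagner's split G collides trivially ->", split_collides)
```

The check on ordinary messages is what the proposed independence definition sees: H(m) and G(m) are SHA-1 outputs over distinct prefixed inputs and look unrelated. The special-prefix case is what it misses: the dependence only shows up on inputs an attacker chooses, which is exactly where collision resistance has to hold.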