1

Suppose I have some password x, and two different hash functions h1 and h2. I can then compute the hash y1 = h1(x) and y2 = h2(x).

  1. Is there any sort of vulnerability in this case? More specifically, is it possible to get y1 from y2 and vise versa? Is there anything else I need to look out for?

This is more of a theoretical question, which is partly why I am not specifying any specific hash functions. Another way to phrase this question is as follows.

  1. Does security in this specific case come down to the "correct" selection of the hash function pairs? Or does it not matter?

  2. Now, replace "hash" in this question with "key derivation function". Does it make any difference?

nehcsivart
  • 133
  • 5

1 Answers1

3

Is there any sort of vulnerability in this case? More specifically, is it possible to get y1 from y2 and vise versa? Is there anything else I need to look out for?

You can construct a pair of secure hash functions where y1 can be computed from y2 and vise versa:

  • function#1: SHA-256
  • function#2: SHA-256 with the first two bits swapped

Both functions are obviously different and both are secure in that you cannot get the input from the output nor do collision attacks. But obviously you can compute the result from function#1 if you know the result from function#2 and vise versa.

Does security in this specific case come down to the "correct" selection of the hash function pairs? Or does it not matter?

I think with hash functions based on completely different ideas the chances are high that you will not find a dependency between the outputs. But on the other hand lots of seemingly unrelated problems in math are found to be related at the end. Thus I think you would need to prove the independence for each pair of hash algorithms.

Now, replace "hash" in this question with "key derivation function". Does it make any difference?

You can create a KDF with dependent outputs the same way I've created the two dependent hash functions. Also KDF are often based on hash functions so I would suggest that one can use the same argumentation I've used for hashes.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424