Suppose these requirements are given for a cryptographic hash function:
1) x != y -> hash(x) != hash(y) (with high probability) 2) hash(x) != hash(y) -> x != y (with high probability) 3) It is intractable to discover x given only hash(x)
None of them prohibit the existince of a fixed point:
Not a rule: hash(x) != x
hash(x) == x for some
x, then you discover
x when you’re given
hash(x), so it doesn’t violate property #3.
If you were to simply pick an
x and redefine
hash(x) == x, as long as
hash(x) doesn’t have known preimages,
the fixed hash continues to satisfy all of the properties.
(In fact, you can set the output of any input value to any output value that doesn’t have a known preimage).
fixhash takes a hash function and a point, and replaces the hash function’s value at that point.
fixhash(hash,fixin,fixout) = H where H(fixin) = fixout | H(x) = hash(x)
Again, the key to using
fixhash is to ensure
fixout has no known preimage.
Since you have one choice before a preimage is known for your fixed hash,
to keep it simple you could choose
fixout == fixin.
H0 function or nullable hash
H0(x) function is defined with respect to a given hash function as:
H0 = fixhash(hash, 0, 0)
In other words,
H0(0) = 0 H0(x) = hash(x)
Everyone already knows
hash(0), it’s a canonical test case for
No usage of the primitive can depend on the preimage of
hash(0) being impossible to discover, because it is known:
Likewise knowing that the preimage of constant
0 could not
somehow break a protocol that depended on the cryptographic properties of
That protocol would be insecure to begin with.
And yet, nobody knows
unhash(0). The probability of ever encountering a collision remains negligible!
- Writing hash-linked data structures with
L2, … : Nullifying a region of the hash domain
- Hash-domain kernel: DHT lookup as trap mechanism