[OT] Reasons not to use multiple hash functions for "more security"

John Arbash Meinel john at arbash-meinel.com
Sun Jan 21 20:30:42 GMT 2007

```I found this slashdot post quite interesting.

It basically says that trying to use both MD5 and SHA1 as an improved
overall hash is:

1) Better than just one. If MD5 has a security of 2^64 and SHA1 has
2^80, then MD5 + SHA1 is better than 2^80

2) Much worse than a single well designed hash of the total length. So
even with (1) you end up with an additive function rather than
multiplicative. In the case of SHA1 + MD5 the complexity should be:

m*2^(n/2) + 2^(m/2)

(128)*2^(160/2) + 2^(128/2)
= 128 * 2^80 + 2^64
= 2^7 * 2^80 + 2^64
= 2^87 + 2^64

Since 2^87 >> 2^64 this is approximately 2^87.

Another way to put it is the final security is approx:

2^((n/2)*log2(m))

Compare that to a well designed hash of size n+m where the security
should be:

2^((n+m)/2)

3) Summary, SHA256 is *much* more secure (with a theoretical security of
2^128 versus MD5+SHA1 @ 2^87, and it has fewer bytes (256 versus 288).

I guess it has to do with how collisions work. That once you've found a
collision, it is easy to generate many collisions. So instead of having
to solve the whole MD5 + SHA1 problem, you just solve multi-collision
MD5, and check if any of  those collide in SHA1. (Or maybe you need to
do it the other way).

I mostly posted this because I thought people would find it interesting,
and because the argument had come up in the group in the past. (It even
has a journal reference to give it some credibility.)

John
=:->

```