Questions tagged [merkle-damgaard]

The Merkle–Damgård construction — used in the design of many popular hash algorithms such as MD5, SHA1 and SHA2 — is a method of building collision-resistant cryptographic hash functions from collision-resistant one-way compression functions. The Merkle–Damgård construction is also referred to as the Merkle–Damgård hash function.

98 questions
26 votes · 4 answers

Attacks of the MAC construction $\mathcal{H}(m\mathbin\|k)$ for common hashes $\mathcal{H}$?

Consider a common practically-collision-resistant hash function $\mathcal{H}$ (e.g. SHA-1, SHA-256, SHA-512, RIPEMD-160), perhaps based on the Merkle–Damgård construction as are the first three. We define a Message Authentication Code…
fgrieu · 149,326 · 13 · 324 · 622
24 votes · 3 answers

Why does the padding in Merkle–Damgård hash functions like MD5 contain the message length?

I understand the need for padding in MD5 and other hash algorithms such as SHA-1, SHA-256, SHA-384 and SHA-512. But why do we append the message length to the padding? I heard it strengthens the hash but how? Please provide an example if possible…
Ibrahim Najjar · 341 · 2 · 6
14 votes · 2 answers

Why was Davies–Meyer chosen over Miyaguchi–Preneel most of the time?

The only Miyaguchi–Preneel MD hash I know is Whirlpool. I suppose there are likely others. Why do most MD hashes choose Davies–Meyer? If anything, Davies–Meyer relies on related-key resistance while Miyaguchi–Preneel relies on chosen-plaintext…
14 votes · 1 answer

Is a second preimage attack on MD5 feasible?

What's the practical status of MD5 w.r.t. second-preimage? Integrity of a piece of data is protected by an MD5 hash, itself assumed genuine. The data (and thus the hash) is known to the adversary. The adversary can change the data, and wants to do…
fgrieu · 149,326 · 13 · 324 · 622
12 votes · 1 answer

Why is H(message||secret_key) not vulnerable to length-extension attack?

Given a Merkle-Damgård hash function $H$, I know that an attacker can forge a message protected by a MAC computed as $H(\textrm{secret_key}||\textrm{message})$. Why can't he perform the same extension attack on a MAC construction…
Peter · 123 · 1 · 4
9 votes · 1 answer

Why is EdDSA collision-resilient with SHA-512?

In the Bernstein et al. paper about EdDSA, the authors claim EdDSA is resilient against collisions (i.e. it can still be secure even if the hash function used isn't collision-resistant), drawing on a result from Neven et al. that says that Schnorr…
8 votes · 2 answers

What happens if a SHA-256 input is too long (longer than 512 bits)?

What I understand is: when we parse a message into 512-bit message blocks, we then extend the first message block to a 64-entry array and start with the compression function. What happens if the message is longer than 512 bits? As a result, we would…
Lizz4rd merge me · 83 · 1 · 1 · 3
8 votes · 1 answer

Would finding a Merkle-Damgård preimage that doesn't change the initial state allow an attacker to prepend it to any hashed message?

Suppose a message M was found so that MD5(M) = S, where S is the initial state of the MD5 function (0x01234567, ...). Given a hash MD5(m), would this allow computing MD5(M∥m∥padding), where padding is an empty block to get the length right?
Mark · 835 · 7 · 24
8 votes · 1 answer

How does the sponge construction avoid the weaknesses present in Merkle–Damgård hash function?

How are the weaknesses of the Merkle–Damgård construction (i.e. the Herding attack, multicollisions, length extension, expandable messages) avoided in the sponge construction?
user47987 · 97 · 3
8 votes · 1 answer

Why does SHA-2 call for doing 10* padding in addition to appending the message length?

Appending the length of the message when padding of a SHA-2 message is sufficient to satisfy the Merkle-Damgård construction. However the padding in SHA-2 also pads with 10* between the end of the message and the message length data. I know that…
8 votes · 2 answers

What is the "compression function" in Merkle-Damgård?

Is the "compression function" in Merkle-Damgård just a collision-resistant, one-way hash function but one that operates only on fixed size inputs? If so, is MD just a way to extend it to work on arbitrary length strings?
wlad · 1,259 · 1 · 13 · 24
7 votes · 2 answers

If hash functions append the length, why does length extension attack work?

I have understood that it's trivial to reconstruct the internal state of a hasher for many hash functions, if one only knows the output hash. Then, one can append data after the original data and obtain a valid hash for the original data plus the…
juhist · 1,643 · 1 · 13 · 18
6 votes · 0 answers

Security implications of using the low-order bits for Merkle–Damgård message length

According to RFC 1321 § 3.2 (MD5), the length of the message ($b$) is encoded as $b \bmod 2^{64}$: A 64-bit representation of b (the length of the message before the padding bits were added) is appended to the result of the previous step. In the…
forest · 15,626 · 2 · 49 · 103
6 votes · 2 answers

Compression function is not collision resistant but Merkle-Damgard is collision resistant

Is it possible that you can still have a collision resistance in Merkle-Damgard even if the compression function has a collision?
Zoey · 261 · 1 · 9
6 votes · 2 answers

Purpose of hashing last block in Merkle-Damgård?

Is hashing the last block in the Merkle-Damgård necessary in preventing collisions? i.e. What if I just outputted $z_B || L$, where $z_i$ is the hash of the last block of the message, L is the length of the message and B is the number of blocks,…