[78689] in cryptography@c2.net mail archive
RE: length-extension and Merkle-Damgard hashes
daemon@ATHENA.MIT.EDU (Jeremy Hansen)
Sat Feb 3 10:45:20 2007
Date: Tue, 30 Jan 2007 14:03:58 -0500
From: "Jeremy Hansen" <jhansen@rairtech.com>
To: "Travis H." <travis+ml-cryptography@subspacefield.org>,
"Cryptography" <cryptography@metzdowd.com>
See Section 3.3 of Coron, Dodis, Malinaud and Puniya's "A New Design
Criteria for Hash-Functions". They address this and several other
problems with the M-D construction in this paper submitted to the 2005
NIST Hash Workshop. (http://cs.nyu.edu/~puniya/papers/nist.pdf)
Jeremy
> -----Original Message-----
> From: owner-cryptography@metzdowd.com=20
> [mailto:owner-cryptography@metzdowd.com] On Behalf Of Travis H.
> Sent: Sunday, January 28, 2007 1:34 PM
> To: Cryptography
> Subject: length-extension and Merkle-Damgard hashes
>=20
> So I was reading this:
> http://en.wikipedia.org/wiki/Merkle-Damgard
>=20
> It seems to me the length-extension attack (given one=20
> collision, it's easy to create others) is not the only one,=20
> though it's obviously a big concern to those who rely on it.
>=20
> This attack thanks to Schneier:
>=20
> If the ideal hash function is a random mapping,=20
> Merkle-Damgard hashes which don't use a finalization function=20
> have the following property:
>=20
> If h(m0||m1||...mk) =3D H, then h(m0||m1||...mk||x) =3D h(H||x)=20
> where the elements of m are the same size as the block size=20
> of the hash, and x is an arbitrary string. Note that=20
> encoding the length at the end permits an attack for some x,=20
> but I think this is difficult or impossible if the length is=20
> prepended.
>=20
> --
> The driving force behind innovation is sublimation.
> -><- <URL:http://www.subspacefield.org/~travis/>
> For a good time on my UBE blacklist, email john@subspacefield.org.
>=20
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
