Have there been efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction?Why is Merkle-Damgård construction insecure?Generalize the Merkle–Damgård construction for any compression functionDoes length-prepending stop length-extension attacks?How to find collisions in a secret-prefix Merkle–Damgård given an adversary that can choose the IV?Is it accurate to say that SHA-3 (keccak) is based on Merkle-Damgård?How does the sponge construction avoid the weaknesses present in Merkle–Damgård hash function?Merkle trees instead of the Sponge or the Merkle-Damgård constructions for the design of cryptorgraphic hash functionsI didn't get the hash length extension attacksEase of breaking MD constructionsIs tweakable block-cipher based on the Merkle-Damgård construction secure if $F$ is a PRP

How is it possible for user to changed after storage was encrypted? (on OS X, Android)

Shell script can be run only with sh command

Question about Goedel's incompleteness Proof

Do airline pilots ever risk not hearing communication directed to them specifically, from traffic controllers?

Copenhagen passport control - US citizen

Why is the design of haulage companies so “special”?

Validation accuracy vs Testing accuracy

What do you call a Matrix-like slowdown and camera movement effect?

A newer friend of my brother's gave him a load of baseball cards that are supposedly extremely valuable. Is this a scam?

Why has Russell's definition of numbers using equivalence classes been finally abandoned? ( If it has actually been abandoned).

TGV timetables / schedules?

How is it possible to have an ability score that is less than 3?

What is the offset in a seaplane's hull?

When blogging recipes, how can I support both readers who want the narrative/journey and ones who want the printer-friendly recipe?

How long does it take to type this?

Infinite past with a beginning?

I probably found a bug with the sudo apt install function

If Manufacturer spice model and Datasheet give different values which should I use?

Why don't electron-positron collisions release infinite energy?

How do we improve the relationship with a client software team that performs poorly and is becoming less collaborative?

Why is this code 6.5x slower with optimizations enabled?

How do I create uniquely male characters?

How can the DM most effectively choose 1 out of an odd number of players to be targeted by an attack or effect?

Draw simple lines in Inkscape



Have there been efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction?


Why is Merkle-Damgård construction insecure?Generalize the Merkle–Damgård construction for any compression functionDoes length-prepending stop length-extension attacks?How to find collisions in a secret-prefix Merkle–Damgård given an adversary that can choose the IV?Is it accurate to say that SHA-3 (keccak) is based on Merkle-Damgård?How does the sponge construction avoid the weaknesses present in Merkle–Damgård hash function?Merkle trees instead of the Sponge or the Merkle-Damgård constructions for the design of cryptorgraphic hash functionsI didn't get the hash length extension attacksEase of breaking MD constructionsIs tweakable block-cipher based on the Merkle-Damgård construction secure if $F$ is a PRP













2












$begingroup$


Have there ever been some publicized efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction (MD5, SHA1, SHA2, ...)?










share|improve this question









$endgroup$







  • 1




    $begingroup$
    Double-Hashing and truncation?
    $endgroup$
    – SEJPM
    Apr 3 at 13:05










  • $begingroup$
    HMAC is the typical construction
    $endgroup$
    – Natanael
    Apr 4 at 0:01















2












$begingroup$


Have there ever been some publicized efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction (MD5, SHA1, SHA2, ...)?










share|improve this question









$endgroup$







  • 1




    $begingroup$
    Double-Hashing and truncation?
    $endgroup$
    – SEJPM
    Apr 3 at 13:05










  • $begingroup$
    HMAC is the typical construction
    $endgroup$
    – Natanael
    Apr 4 at 0:01













2












2








2





$begingroup$


Have there ever been some publicized efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction (MD5, SHA1, SHA2, ...)?










share|improve this question









$endgroup$




Have there ever been some publicized efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction (MD5, SHA1, SHA2, ...)?







hash merkle-damgaard length-extension






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Apr 3 at 11:33









AleksanderRasAleksanderRas

2,9721935




2,9721935







  • 1




    $begingroup$
    Double-Hashing and truncation?
    $endgroup$
    – SEJPM
    Apr 3 at 13:05










  • $begingroup$
    HMAC is the typical construction
    $endgroup$
    – Natanael
    Apr 4 at 0:01












  • 1




    $begingroup$
    Double-Hashing and truncation?
    $endgroup$
    – SEJPM
    Apr 3 at 13:05










  • $begingroup$
    HMAC is the typical construction
    $endgroup$
    – Natanael
    Apr 4 at 0:01







1




1




$begingroup$
Double-Hashing and truncation?
$endgroup$
– SEJPM
Apr 3 at 13:05




$begingroup$
Double-Hashing and truncation?
$endgroup$
– SEJPM
Apr 3 at 13:05












$begingroup$
HMAC is the typical construction
$endgroup$
– Natanael
Apr 4 at 0:01




$begingroup$
HMAC is the typical construction
$endgroup$
– Natanael
Apr 4 at 0:01










2 Answers
2






active

oldest

votes


















6












$begingroup$

Yes. In this paper, Coron and al. showed that a plain MD construction is secure when it's inputs are prefix-free. They actually proved the indifferentiability of the construction. In other words messages need to be encoded in a prefix-free manner.



Quoting the paper:




A prefix-free code over the alphabet $0, 1^κ$is an efficiently computable injective function $g: 0, 1^∗ to (0, 1^κ)^∗$such that for all $x neq y$, $g(x)$ is not a
prefix of $g(y)$.




One such encoding is given in the paper




Function g1(m): let $N$ be the message length of $m$ in bits.
write $m$ as $(m_1, ldots , m_l)$ where for all $i$, $|m_i| = k$.
and with the last block $m_l$ padded with $10^r$.
let $g1(m) = (langle N rangle, m_1, ldots , m_l)$ where $langle N rangle$ is a $κ$-bit binary encoding of $N$.







share|improve this answer











$endgroup$




















    2












    $begingroup$

    • Fixed output filters like SHA-256d

    • Keyed output filters like HMAC, envelope-MAC, etc.

    • Truncation like SHA-512/256

    • Prefix-free message encoding like length-prefixed

    • Non-MD designs like BLAKE2 with HAIFA, SHA-3 with a sponge





    share|improve this answer









    $endgroup$













      Your Answer





      StackExchange.ifUsing("editor", function ()
      return StackExchange.using("mathjaxEditing", function ()
      StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
      StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
      );
      );
      , "mathjax-editing");

      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "281"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader:
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      ,
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );













      draft saved

      draft discarded


















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68502%2fhave-there-been-efforts-to-prevent-length-extension-attacks-of-hashing-algorithm%23new-answer', 'question_page');

      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      6












      $begingroup$

      Yes. In this paper, Coron and al. showed that a plain MD construction is secure when it's inputs are prefix-free. They actually proved the indifferentiability of the construction. In other words messages need to be encoded in a prefix-free manner.



      Quoting the paper:




      A prefix-free code over the alphabet $0, 1^κ$is an efficiently computable injective function $g: 0, 1^∗ to (0, 1^κ)^∗$such that for all $x neq y$, $g(x)$ is not a
      prefix of $g(y)$.




      One such encoding is given in the paper




      Function g1(m): let $N$ be the message length of $m$ in bits.
      write $m$ as $(m_1, ldots , m_l)$ where for all $i$, $|m_i| = k$.
      and with the last block $m_l$ padded with $10^r$.
      let $g1(m) = (langle N rangle, m_1, ldots , m_l)$ where $langle N rangle$ is a $κ$-bit binary encoding of $N$.







      share|improve this answer











      $endgroup$

















        6












        $begingroup$

        Yes. In this paper, Coron and al. showed that a plain MD construction is secure when it's inputs are prefix-free. They actually proved the indifferentiability of the construction. In other words messages need to be encoded in a prefix-free manner.



        Quoting the paper:




        A prefix-free code over the alphabet $0, 1^κ$is an efficiently computable injective function $g: 0, 1^∗ to (0, 1^κ)^∗$such that for all $x neq y$, $g(x)$ is not a
        prefix of $g(y)$.




        One such encoding is given in the paper




        Function g1(m): let $N$ be the message length of $m$ in bits.
        write $m$ as $(m_1, ldots , m_l)$ where for all $i$, $|m_i| = k$.
        and with the last block $m_l$ padded with $10^r$.
        let $g1(m) = (langle N rangle, m_1, ldots , m_l)$ where $langle N rangle$ is a $κ$-bit binary encoding of $N$.







        share|improve this answer











        $endgroup$















          6












          6








          6





          $begingroup$

          Yes. In this paper, Coron and al. showed that a plain MD construction is secure when it's inputs are prefix-free. They actually proved the indifferentiability of the construction. In other words messages need to be encoded in a prefix-free manner.



          Quoting the paper:




          A prefix-free code over the alphabet $0, 1^κ$is an efficiently computable injective function $g: 0, 1^∗ to (0, 1^κ)^∗$such that for all $x neq y$, $g(x)$ is not a
          prefix of $g(y)$.




          One such encoding is given in the paper




          Function g1(m): let $N$ be the message length of $m$ in bits.
          write $m$ as $(m_1, ldots , m_l)$ where for all $i$, $|m_i| = k$.
          and with the last block $m_l$ padded with $10^r$.
          let $g1(m) = (langle N rangle, m_1, ldots , m_l)$ where $langle N rangle$ is a $κ$-bit binary encoding of $N$.







          share|improve this answer











          $endgroup$



          Yes. In this paper, Coron and al. showed that a plain MD construction is secure when it's inputs are prefix-free. They actually proved the indifferentiability of the construction. In other words messages need to be encoded in a prefix-free manner.



          Quoting the paper:




          A prefix-free code over the alphabet $0, 1^κ$is an efficiently computable injective function $g: 0, 1^∗ to (0, 1^κ)^∗$such that for all $x neq y$, $g(x)$ is not a
          prefix of $g(y)$.




          One such encoding is given in the paper




          Function g1(m): let $N$ be the message length of $m$ in bits.
          write $m$ as $(m_1, ldots , m_l)$ where for all $i$, $|m_i| = k$.
          and with the last block $m_l$ padded with $10^r$.
          let $g1(m) = (langle N rangle, m_1, ldots , m_l)$ where $langle N rangle$ is a $κ$-bit binary encoding of $N$.








          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 2 days ago









          kelalaka

          8,75532351




          8,75532351










          answered Apr 3 at 13:38









          Marc IlungaMarc Ilunga

          33617




          33617





















              2












              $begingroup$

              • Fixed output filters like SHA-256d

              • Keyed output filters like HMAC, envelope-MAC, etc.

              • Truncation like SHA-512/256

              • Prefix-free message encoding like length-prefixed

              • Non-MD designs like BLAKE2 with HAIFA, SHA-3 with a sponge





              share|improve this answer









              $endgroup$

















                2












                $begingroup$

                • Fixed output filters like SHA-256d

                • Keyed output filters like HMAC, envelope-MAC, etc.

                • Truncation like SHA-512/256

                • Prefix-free message encoding like length-prefixed

                • Non-MD designs like BLAKE2 with HAIFA, SHA-3 with a sponge





                share|improve this answer









                $endgroup$















                  2












                  2








                  2





                  $begingroup$

                  • Fixed output filters like SHA-256d

                  • Keyed output filters like HMAC, envelope-MAC, etc.

                  • Truncation like SHA-512/256

                  • Prefix-free message encoding like length-prefixed

                  • Non-MD designs like BLAKE2 with HAIFA, SHA-3 with a sponge





                  share|improve this answer









                  $endgroup$



                  • Fixed output filters like SHA-256d

                  • Keyed output filters like HMAC, envelope-MAC, etc.

                  • Truncation like SHA-512/256

                  • Prefix-free message encoding like length-prefixed

                  • Non-MD designs like BLAKE2 with HAIFA, SHA-3 with a sponge






                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Apr 4 at 0:51









                  Squeamish OssifrageSqueamish Ossifrage

                  22.2k132100




                  22.2k132100



























                      draft saved

                      draft discarded
















































                      Thanks for contributing an answer to Cryptography Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid


                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.

                      Use MathJax to format equations. MathJax reference.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function ()
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68502%2fhave-there-been-efforts-to-prevent-length-extension-attacks-of-hashing-algorithm%23new-answer', 'question_page');

                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      រឿង រ៉ូមេអូ និង ហ្ស៊ុយលីយេ សង្ខេបរឿង តួអង្គ បញ្ជីណែនាំ

                      Crop image to path created in TikZ? Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Crop an inserted image?TikZ pictures does not appear in posterImage behind and beyond crop marks?Tikz picture as large as possible on A4 PageTransparency vs image compression dilemmaHow to crop background from image automatically?Image does not cropTikzexternal capturing crop marks when externalizing pgfplots?How to include image path that contains a dollar signCrop image with left size given

                      Romeo and Juliet ContentsCharactersSynopsisSourcesDate and textThemes and motifsCriticism and interpretationLegacyScene by sceneSee alsoNotes and referencesSourcesExternal linksNavigation menu"Consumer Price Index (estimate) 1800–"10.2307/28710160037-3222287101610.1093/res/II.5.31910.2307/45967845967810.2307/2869925286992510.1525/jams.1982.35.3.03a00050"Dada Masilo: South African dancer who breaks the rules"10.1093/res/os-XV.57.1610.2307/28680942868094"Sweet Sorrow: Mann-Korman's Romeo and Juliet Closes Sept. 5 at MN's Ordway"the original10.2307/45957745957710.1017/CCOL0521570476.009"Ram Leela box office collections hit massive Rs 100 crore, pulverises prediction"Archived"Broadway Revival of Romeo and Juliet, Starring Orlando Bloom and Condola Rashad, Will Close Dec. 8"Archived10.1075/jhp.7.1.04hon"Wherefore art thou, Romeo? To make us laugh at Navy Pier"the original10.1093/gmo/9781561592630.article.O006772"Ram-leela Review Roundup: Critics Hail Film as Best Adaptation of Romeo and Juliet"Archived10.2307/31946310047-77293194631"Romeo and Juliet get Twitter treatment""Juliet's Nurse by Lois Leveen""Romeo and Juliet: Orlando Bloom's Broadway Debut Released in Theaters for Valentine's Day"Archived"Romeo and Juliet Has No Balcony"10.1093/gmo/9781561592630.article.O00778110.2307/2867423286742310.1076/enst.82.2.115.959510.1080/00138380601042675"A plague o' both your houses: error in GCSE exam paper forces apology""Juliet of the Five O'Clock Shadow, and Other Wonders"10.2307/33912430027-4321339124310.2307/28487440038-7134284874410.2307/29123140149-661129123144728341M"Weekender Guide: Shakespeare on The Drive""balcony"UK public library membership"romeo"UK public library membership10.1017/CCOL9780521844291"Post-Zionist Critique on Israel and the Palestinians Part III: Popular Culture"10.2307/25379071533-86140377-919X2537907"Capulets and Montagues: UK exam board admit mixing names up in Romeo and Juliet paper"Istoria Novellamente Ritrovata di Due Nobili Amanti2027/mdp.390150822329610820-750X"GCSE exam error: Board accidentally rewrites Shakespeare"10.2307/29176390149-66112917639"Exam board apologises after error in English GCSE paper which confused characters in Shakespeare's Romeo and Juliet""From Mariotto and Ganozza to Romeo and Guilietta: Metamorphoses of a Renaissance Tale"10.2307/37323537323510.2307/2867455286745510.2307/28678912867891"10 Questions for Taylor Swift"10.2307/28680922868092"Haymarket Theatre""The Zeffirelli Way: Revealing Talk by Florentine Director""Michael Smuin: 1938-2007 / Prolific dance director had showy career"The Life and Art of Edwin BoothRomeo and JulietRomeo and JulietRomeo and JulietRomeo and JulietEasy Read Romeo and JulietRomeo and Julieteeecb12003684p(data)4099369-3n8211610759dbe00d-a9e2-41a3-b2c1-977dd692899302814385X313670221313670221