Have there been efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction?


2












Have there ever been some publicized efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction (MD5, SHA1, SHA2, ...)?










hash merkle-damgaard length-extension

asked Apr 3 at 11:33 by AleksanderRas
  • Double-Hashing and truncation? – SEJPM, Apr 3 at 13:05
  • HMAC is the typical construction – Natanael, Apr 4 at 0:01












2 Answers
6












Yes. In this paper, Coron et al. showed that a plain MD construction is secure when its inputs are prefix-free. They actually proved the indifferentiability of the construction. In other words, messages need to be encoded in a prefix-free manner.

Quoting the paper:

A prefix-free code over the alphabet $\{0, 1\}^\kappa$ is an efficiently computable injective function $g: \{0, 1\}^* \to (\{0, 1\}^\kappa)^*$ such that for all $x \neq y$, $g(x)$ is not a prefix of $g(y)$.

One such encoding is given in the paper:

Function $g_1(m)$: let $N$ be the message length of $m$ in bits.
Write $m$ as $(m_1, \ldots, m_l)$ where for all $i$, $|m_i| = \kappa$,
and with the last block $m_l$ padded with $10^r$.
Let $g_1(m) = (\langle N \rangle, m_1, \ldots, m_l)$ where $\langle N \rangle$ is a $\kappa$-bit binary encoding of $N$.







edited 2 days ago by kelalaka
answered Apr 3 at 13:38 by Marc Ilunga
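As an added illustration of the encoding $g_1$ quoted in this answer (example code written for this page, not code from the answer or from Coron et al.): a toy Merkle–Damgård chain over a SHA-256-based compression function, run once over plain $10^r$-padded input and once over $g_1(m)$. The check `resumes` asks whether a digest can be continued into the digest of a longer message; it holds for the plain chain and fails once the length block leads the encoding. The block size, IV, compression function and sample strings are all constructed for the demo.

```python
import hashlib

# Toy Merkle-Damgard hash for the demo (constructed, not a real standard).
# Block size kappa is 32 bytes (256 bits); the paper counts kappa in bits.
KAPPA = 32
IV = b"\x00" * 32

def f(state: bytes, block: bytes) -> bytes:
    """Compression function: 32-byte state x kappa-byte block -> 32-byte state."""
    assert len(state) == 32 and len(block) == KAPPA
    return hashlib.sha256(state + block).digest()

def pad_10r(m: bytes) -> bytes:
    """Append 1 0^r (a 0x80 byte, then zero bytes) up to a block boundary."""
    padded = m + b"\x80"
    return padded + b"\x00" * (-len(padded) % KAPPA)

def md_iterate(state: bytes, data: bytes) -> bytes:
    """Run the MD chain over block-aligned data from a given chaining value."""
    for i in range(0, len(data), KAPPA):
        state = f(state, data[i:i + KAPPA])
    return state

def md_plain(m: bytes) -> bytes:
    """Plain MD: the final chaining value is the digest, so it can be resumed."""
    return md_iterate(IV, pad_10r(m))

def g1(m: bytes) -> bytes:
    """Prefix-free encoding g1 from the paper: <N> || m_1 || ... || m_l, with
    <N> the bit length of m as a kappa-bit big-endian integer and the last
    block padded with 10^r."""
    return (8 * len(m)).to_bytes(KAPPA, "big") + pad_10r(m)

def md_prefix_free(m: bytes) -> bytes:
    """MD over g1(m): the variant Coron et al. prove indifferentiable."""
    return md_iterate(IV, g1(m))

def resumes(hash_fn, m: bytes, ext: bytes) -> bool:
    """True if hash_fn(m) is the chaining value for the longer message
    pad_10r(m) || ext, i.e. the digest leaks a state the chain can continue
    from. Plain MD has this property; the g1-encoded chain does not, because
    the leading length block of g1(pad_10r(m) || ext) differs from g1(m)'s."""
    longer = pad_10r(m) + ext
    resumed = md_iterate(hash_fn(m), pad_10r(ext))
    return resumed == hash_fn(longer)

def is_prefix(a: bytes, b: bytes) -> bool:
    """Prefix test used to check the prefix-free property of g1."""
    return len(a) <= len(b) and b[:len(a)] == a

if __name__ == "__main__":
    m, ext = b"hello", b" world"  # constructed sample input
    print("plain MD resumable:          ", resumes(md_plain, m, ext))        # True
    print("g1-encoded MD resumable:     ", resumes(md_prefix_free, m, ext))  # False
    print("pad(m) prefix of pad(longer):", is_prefix(pad_10r(m), pad_10r(pad_10r(m) + ext)))  # True
    print("g1(m) prefix of g1(longer):  ", is_prefix(g1(m), g1(pad_10r(m) + ext)))  # False
```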

                  2












                  • Fixed output filters like SHA-256d

                  • Keyed output filters like HMAC, envelope-MAC, etc.

                  • Truncation like SHA-512/256

                  • Prefix-free message encoding like length-prefixed

                  • Non-MD designs like BLAKE2 with HAIFA, SHA-3 with a sponge





answered Apr 4 at 0:51 by Squeamish Ossifrage


























