Mrthdrb

Does Unearthed Arcana render Favored Souls redundant?

Do VLANs within a subnet need to have their own subnet for router on a stick?

How to find program name(s) of an installed package?

Voyeurism but not really

Arthur Somervell: 1000 Exercises - Meaning of this notation

Why "Having chlorophyll without photosynthesis is actually very dangerous" and "like living with a bomb"?

What's the output of a record cartridge playing an out-of-speed record

Why do falling prices hurt debtors?

Why was the small council so happy for Tyrion to become the Master of Coin?

Dragon forelimb placement

I'm planning on buying a laser printer but concerned about the life cycle of toner in the machine

Is it possible to do 50 km distance without any previous training?

Can divisibility rules for digits be generalized to sum of digits

How is the claim "I am in New York only if I am in America" the same as "If I am in New York, then I am in America?

Is it legal for company to use my work email to pretend I still work there?

Minkowski space

Accidentally leaked the solution to an assignment, what to do now? (I'm the prof)

What would happen to a modern skyscraper if it rains micro blackholes?

US citizen flying to France today and my passport expires in less than 2 months

Modeling an IP Address

Email Account under attack (really) - anything I can do?

How can bays and straits be determined in a procedurally generated map?

Why Is Death Allowed In the Matrix?

What's the point of deactivating Num Lock on login screens?

Have there been efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction?

Why is Merkle-Damgård construction insecure?Generalize the Merkle–Damgård construction for any compression functionDoes length-prepending stop length-extension attacks?How to find collisions in a secret-prefix Merkle–Damgård given an adversary that can choose the IV?Is it accurate to say that SHA-3 (keccak) is based on Merkle-Damgård?How does the sponge construction avoid the weaknesses present in Merkle–Damgård hash function?Merkle trees instead of the Sponge or the Merkle-Damgård constructions for the design of cryptorgraphic hash functionsI didn't get the hash length extension attacksEase of breaking MD constructionsIs tweakable block-cipher based on the Merkle-Damgård construction secure if $F$ is a PRP

2

$begingroup$

Have there ever been some publicized efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction (MD5, SHA1, SHA2, ...)?

hash merkle-damgaard length-extension

share|improve this question

asked Apr 3 at 11:33

AleksanderRasAleksanderRas

2,9721935

$endgroup$

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  $begingroup$
  Double-Hashing and truncation?
  $endgroup$
  – SEJPM♦
  Apr 3 at 13:05
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  HMAC is the typical construction
  $endgroup$
  – Natanael
  2 days ago
  

  
  
  
  

add a comment | 

2

$begingroup$

Have there ever been some publicized efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction (MD5, SHA1, SHA2, ...)?

hash merkle-damgaard length-extension

share|improve this question

asked Apr 3 at 11:33

AleksanderRasAleksanderRas

2,9721935

$endgroup$

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  $begingroup$
  Double-Hashing and truncation?
  $endgroup$
  – SEJPM♦
  Apr 3 at 13:05
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  HMAC is the typical construction
  $endgroup$
  – Natanael
  2 days ago
  

  
  
  
  

add a comment | 

$begingroup$

Have there ever been some publicized efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction (MD5, SHA1, SHA2, ...)?

hash merkle-damgaard length-extension

share|improve this question

asked Apr 3 at 11:33

AleksanderRasAleksanderRas

2,9721935

$endgroup$

share|improve this question

asked Apr 3 at 11:33

AleksanderRasAleksanderRas

2,9721935

share|improve this question

asked Apr 3 at 11:33

AleksanderRasAleksanderRas

2,9721935

asked Apr 3 at 11:33

AleksanderRasAleksanderRas

2,9721935

asked Apr 3 at 11:33

AleksanderRasAleksanderRas

2,9721935

2 Answers
2

active

oldest

votes

6

$begingroup$

Yes. In this paper, Coron and al. showed that a plain MD construction is secure when it's inputs are prefix-free. They actually proved the indifferentiability of the construction. In other words messages need to be encoded in a prefix-free manner.

Quoting the paper:

A prefix-free code over the alphabet $0, 1^κ$is an efficiently computable injective function $g: 0, 1^∗ to (0, 1^κ)^∗$such that for all $x neq y$, $g(x)$ is not a
prefix of $g(y)$.

One such encoding is given in the paper

Function g1(m): let $N$ be the message length of $m$ in bits.
write $m$ as $(m_1, ldots , m_l)$ where for all $i$, $|m_i| = k$.
and with the last block $m_l$ padded with $10^r$.
let $g1(m) = (langle N rangle, m_1, ldots , m_l)$ where $langle N rangle$ is a $κ$-bit binary encoding of $N$.

share|improve this answer

edited yesterday

kelalaka

8,69522351

answered Apr 3 at 13:38

Marc IlungaMarc Ilunga

33617

$endgroup$

add a comment | 

2

$begingroup$

• Fixed output filters like SHA-256d


• Keyed output filters like HMAC, envelope-MAC, etc.
  


• Truncation like SHA-512/256


• Prefix-free message encoding like length-prefixed


• Non-MD designs like BLAKE2 with HAIFA, SHA-3 with a sponge

share|improve this answer

answered 2 days ago

Squeamish OssifrageSqueamish Ossifrage

22.1k132100

$endgroup$

add a comment | 

Your Answer

StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68502%2fhave-there-been-efforts-to-prevent-length-extension-attacks-of-hashing-algorithm%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

6

$begingroup$

Yes. In this paper, Coron and al. showed that a plain MD construction is secure when it's inputs are prefix-free. They actually proved the indifferentiability of the construction. In other words messages need to be encoded in a prefix-free manner.

Quoting the paper:

A prefix-free code over the alphabet $0, 1^κ$is an efficiently computable injective function $g: 0, 1^∗ to (0, 1^κ)^∗$such that for all $x neq y$, $g(x)$ is not a
prefix of $g(y)$.

One such encoding is given in the paper

Function g1(m): let $N$ be the message length of $m$ in bits.
write $m$ as $(m_1, ldots , m_l)$ where for all $i$, $|m_i| = k$.
and with the last block $m_l$ padded with $10^r$.
let $g1(m) = (langle N rangle, m_1, ldots , m_l)$ where $langle N rangle$ is a $κ$-bit binary encoding of $N$.

share|improve this answer

edited yesterday

kelalaka

8,69522351

answered Apr 3 at 13:38

Marc IlungaMarc Ilunga

33617

$endgroup$

add a comment | 

6

$begingroup$

Yes. In this paper, Coron and al. showed that a plain MD construction is secure when it's inputs are prefix-free. They actually proved the indifferentiability of the construction. In other words messages need to be encoded in a prefix-free manner.

Quoting the paper:

A prefix-free code over the alphabet $0, 1^κ$is an efficiently computable injective function $g: 0, 1^∗ to (0, 1^κ)^∗$such that for all $x neq y$, $g(x)$ is not a
prefix of $g(y)$.

One such encoding is given in the paper

Function g1(m): let $N$ be the message length of $m$ in bits.
write $m$ as $(m_1, ldots , m_l)$ where for all $i$, $|m_i| = k$.
and with the last block $m_l$ padded with $10^r$.
let $g1(m) = (langle N rangle, m_1, ldots , m_l)$ where $langle N rangle$ is a $κ$-bit binary encoding of $N$.

share|improve this answer

edited yesterday

kelalaka

8,69522351

answered Apr 3 at 13:38

Marc IlungaMarc Ilunga

33617

$endgroup$

add a comment | 

$begingroup$

Yes. In this paper, Coron and al. showed that a plain MD construction is secure when it's inputs are prefix-free. They actually proved the indifferentiability of the construction. In other words messages need to be encoded in a prefix-free manner.

Quoting the paper:

A prefix-free code over the alphabet $0, 1^κ$is an efficiently computable injective function $g: 0, 1^∗ to (0, 1^κ)^∗$such that for all $x neq y$, $g(x)$ is not a
prefix of $g(y)$.

One such encoding is given in the paper

Function g1(m): let $N$ be the message length of $m$ in bits.
write $m$ as $(m_1, ldots , m_l)$ where for all $i$, $|m_i| = k$.
and with the last block $m_l$ padded with $10^r$.
let $g1(m) = (langle N rangle, m_1, ldots , m_l)$ where $langle N rangle$ is a $κ$-bit binary encoding of $N$.

share|improve this answer

edited yesterday

kelalaka

8,69522351

answered Apr 3 at 13:38

Marc IlungaMarc Ilunga

33617

$endgroup$

share|improve this answer

edited yesterday

kelalaka

8,69522351

answered Apr 3 at 13:38

Marc IlungaMarc Ilunga

33617

edited yesterday

kelalaka

8,69522351

edited yesterday

kelalaka

8,69522351

answered Apr 3 at 13:38

Marc IlungaMarc Ilunga

33617

answered Apr 3 at 13:38

Marc IlungaMarc Ilunga

33617

2

$begingroup$

• Fixed output filters like SHA-256d


• Keyed output filters like HMAC, envelope-MAC, etc.
  


• Truncation like SHA-512/256


• Prefix-free message encoding like length-prefixed


• Non-MD designs like BLAKE2 with HAIFA, SHA-3 with a sponge

share|improve this answer

answered 2 days ago

Squeamish OssifrageSqueamish Ossifrage

22.1k132100

$endgroup$

add a comment | 

2

$begingroup$

• Fixed output filters like SHA-256d


• Keyed output filters like HMAC, envelope-MAC, etc.
  


• Truncation like SHA-512/256


• Prefix-free message encoding like length-prefixed


• Non-MD designs like BLAKE2 with HAIFA, SHA-3 with a sponge

share|improve this answer

answered 2 days ago

Squeamish OssifrageSqueamish Ossifrage

22.1k132100

$endgroup$

add a comment | 

$begingroup$

• Fixed output filters like SHA-256d


• Keyed output filters like HMAC, envelope-MAC, etc.
  


• Truncation like SHA-512/256


• Prefix-free message encoding like length-prefixed


• Non-MD designs like BLAKE2 with HAIFA, SHA-3 with a sponge

share|improve this answer

answered 2 days ago

Squeamish OssifrageSqueamish Ossifrage

22.1k132100

$endgroup$

share|improve this answer

answered 2 days ago

Squeamish OssifrageSqueamish Ossifrage

22.1k132100

answered 2 days ago

Squeamish OssifrageSqueamish Ossifrage

22.1k132100

answered 2 days ago

Squeamish OssifrageSqueamish Ossifrage

22.1k132100