Have there been efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction?
Have there ever been some publicized efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction (MD5, SHA1, SHA2, ...)?
hash merkle-damgaard length-extension
asked Apr 3 at 11:33 by AleksanderRas
Double-Hashing and truncation? – SEJPM♦ Apr 3 at 13:05
HMAC is the typical construction – Natanael 2 days ago
2 Answers
Yes. In this paper, Coron et al. showed that a plain MD construction is secure when its inputs are prefix-free. They actually proved the indifferentiability of the construction. In other words, messages need to be encoded in a prefix-free manner.
Quoting the paper:
A prefix-free code over the alphabet $\{0,1\}^\kappa$ is an efficiently computable injective function $g: \{0,1\}^* \to (\{0,1\}^\kappa)^*$ such that for all $x \neq y$, $g(x)$ is not a prefix of $g(y)$.
One such encoding is given in the paper:
Function $g_1(m)$: let $N$ be the message length of $m$ in bits.
Write $m$ as $(m_1, \ldots, m_l)$ where for all $i$, $|m_i| = \kappa$, and with the last block $m_l$ padded with $10^r$.
Let $g_1(m) = (\langle N \rangle, m_1, \ldots, m_l)$ where $\langle N \rangle$ is a $\kappa$-bit binary encoding of $N$.
edited yesterday by kelalaka
answered Apr 3 at 13:38 by Marc Ilunga
- Fixed output filters like SHA-256d
- Keyed output filters like HMAC, envelope-MAC, etc.
- Truncation like SHA-512/256
- Prefix-free message encoding like length-prefixed
- Non-MD designs like BLAKE2 with HAIFA, SHA-3 with a sponge
answered 2 days ago by Squeamish Ossifrage