Wikipedia

One-way compression function: Difference between revisions

Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
One-way: The images of functions hash do not equal- formatted as math
The Merkle–Damgård construction: Minus sign, italicize mathematical variables, URLs for cited papers, explain cost of Kelsey & Schneier attack better
Line 39:
The last block processed should also be [[Padding (cryptography)|length padded]], this is crucial to the security of this construction. This construction is called the [[Merkle–Damgård construction]]. Most widely used hash functions, including [[SHA-1]] and [[MD5]], take this form.
 
When length padding (also called MD-strengthening) is applied, attacks cannot find collisions faster than the birthday paradox (2<sup>''n''/2</sup>, ''n'' isbeing the block size in bits) if the used ''f''-function is collision-resistant.<ref name="damgard89">Ivan Damgård. [https://link.springer.com/content/pdf/10.1007%2F0-387-34805-0_39.pdf A design principle for hash functions]. In Gilles Brassard, editor, CRYPTO, volume 435 of LNCS, pages 416–427. Springer, 1989.</ref><ref name="merkle89">Ralph Merkle. [https://link.springer.com/content/pdf/10.1007%2F0-387-34805-0_40.pdf One way hash functions and DES]. In Gilles Brassard, editor, CRYPTO, volume 435 of LNCS, pages 428–446. Springer, 1989.</ref> Hence, the Merkle–Damgård hash construction reduces the problem of finding a proper hash function to finding a proper compression function.
 
A second preimage attack (given a message m1''m''<sub>1</sub> an attacker finds another message m2''m''<sub>2</sub> to satisfy hash(m1''m''<sub>1</sub>) = hash(m2''m''<sub>2</sub>)) can be done according to Kelsey and Schneier<ref name="ks05">John Kelsey and Bruce Schneier. [https://www.schneier.com/academic/paperfiles/paper-preimages.pdf Second preimages on ''n''-bit hash functions for much less than 2<sup>''n''</sup> work]. In Ronald Cramer, editor, EUROCRYPT, volume 3494 of LNCS, pages 474–490. Springer, 2005.</ref> for a 2<sup>''k''</sup>-message-block message in time ''k'' &times;× 2<sup>''n''/2+1</sup> + 2<sup>''n-''−''k''+1</sup>. Note that the complexity isof abovethis attack reaches a minimum of 2<sup>3''n''/4+2</sup> butfor belowlong messages when ''k'' = 2<sup>''n''/4</sup> when messages are long and that when messages get shorter the complexity of the attack approaches 2<sup>''n''</sup> when messages are short.
{{clear}}
 
Retrieved from "https://en.wikipedia.org/wiki/One-way_compression_function"