One-way compression function

A hash function must be able to process an arbitrary-length message into a fixed-length output. This can be achieved by breaking the input up into a series of equal-sized blocks, and operating on them in sequence using a compression function. The compression function can either be specially designed for hashing or be built from a block cipher.

The last block processed should also be length padded, this is crucial to the security of this construction. This construction is called the Merkle-Damgård structure. Most widely used hash functions, including SHA-1 and MD5, take this form.

In the diagram, the compression function is denoted by f, and transforms a fixed length input to an output of the same size. The algorithm starts with an initial value, the initialization vector (IV). The IV is a fixed value (algorithm or implementation specific). For each message block, the compression (or compacting) function f takes the result so far, combines it with the message block, and produces an intermediate result. The last block is padded with zeros as needed and bits representing the length of the entire message are appended. (This is called length padding, see below for detailed example.)

To harden the hash further the last result is then often fed through a finalisation function. The finalisation function can have several purposes such as compressing a bigger internal state (the last result) into a smaller output hash size or to guarantee a better mixing and avalanche effect on the bits in the hash sum. The finalisation function is often built by using the compression function.

The popularity of this construction is due to the fact, proven by Merkle and Damgård, that if the compression function f is collision-resistant, then so is the hash function constructed using it. Unfortunately, this construction also has several undesirable properties:

• Length extension - once an attacker has one collision, he can find more very cheaply.
• Second-preimage attacks against long messages are always much more efficient than brute force.
• Multicollisions (many messages with the same hash) can be found with only a little more work than collisions.
• "Herding attacks" (first committing to an output h, then mapping messages with arbitrary starting values to h) are possible for more work than finding a collision, but much less than would be expected to do this for a random oracle.

Let's say the message to be hashed is "Wikipedia" and the block size of the compression function is 8 bytes (64 bits).

So, to be able to feed the message to the compression function the last block needs to be zero padded to a full block. So we get two blocks looking like this:

Wikipedi  a0000000

But this is not enough since it would mean that for instance the message "Wikipedia00" would get the same hash sum. Therefore also the length of the message is added in an extra block, so we get three blocks like this:

Wikipedi  a0000000  00000009

Now that is a bit wasteful since it means hashing one extra block. So there is a slight speed optimisation that most hash implementations use. If there is space enough among the zeros padded to the last block the length value can instead be padded there. Like this:

Wikipedi  a0000009

Note that to avoid confusion the implementation must use a fixed bit-size for the length value, say 40-bit. So the length value padded in the end really is "00009" not just "9".

The Davies-Meyer hash compression function feeds each block of the message (m_i) as the key to the block cipher. It feeds the previous hash value (H_i-1) as the cleartext to be encrypted. The output ciphertext is then also XORed (${\displaystyle \oplus }$ ) with the previous hash value (H_i-1) to produce the next hash value (H_i). In the first round when there is no previous hash value it uses a constant pre-specified initial value (H₀).

${\displaystyle H_{i}=E_{m_{i}}(H_{i-1})\oplus H_{i-1}}$ 

If the block cipher uses for instance 256-bit keys then each message block (m_i) is a 256-bit chunk of the message. If the same block cipher uses a block size of 128 bits then the input and output hash values in each round is 128 bits.

Variations of this method replace XOR with any other group operation, such as addition on 32-bit unsigned integers.

Note: There is some more information in the old Davies-Meyer article that has not been merged to this article yet.

The Matyas-Meyer-Oseas hash compression function can be considered the dual (the opposite) of Davies-Meyer.

It feeds each block of the message (m_i) as the cleartext to be encrypted. The output ciphertext is then also XORed (${\displaystyle \oplus }$ ) with the same message block (m_i) to produce the next hash value (H_i). The previous hash value (H_i-1) is fed as the key to the block cipher. In the first round when there is no previous hash value it uses a constant pre-specified initial value (H₀).

If the block cipher have different block and key size the hash value (H_i-1) will have the wrong size for use as the key. The cipher might also have other special requirements on the key. Then the hash value is first fed through the function g( ) to be converted/padded to fit as key for the cipher.

${\displaystyle H_{i}=E_{g(H_{i-1})}(m_{i})\oplus m_{i}}$ 

The Miyaguchi-Preneel hash compression function is an extended variant of Matyas-Meyer-Oseas. It was independently proposed by Shoji Miyaguchi and Bart Preneel.

It feeds each block of the message (m_i) as the cleartext to be encrypted. The output ciphertext is then XORed (${\displaystyle \oplus }$ ) with the same message block (m_i) and then also XORed with the previous hash value (H_i-1) to produce the next hash value (H_i). The previous hash value (H_i-1) is fed as the key to the block cipher. In the first round when there is no previous hash value it uses a constant pre-specified initial value (H₀).

If the block cipher have different block and key size the hash value (H_i-1) will have the wrong size for use as the key. The cipher might also have other special requirements on the key. Then the hash value is first fed through the function g( ) to be converted/padded to fit as key for the cipher.

${\displaystyle H_{i}=E_{g(H_{i-1})}(m_{i})\oplus H_{i-1}\oplus m_{i}}$ 

The roles of m_i and H_i-1 may be switched, so that H_i-1 is encrypted under the key m_i. Thus making this method an extension of Davies-Meyer instead.

• WHIRLPOOL - A cryptographic hash function built using the Miyaguchi-Preneel hash construction and a block cipher similar to Square and AES.
• CBC-MAC, OMAC and PMAC - Methods to turn block ciphers into message authentication codes (MACs). Note, there is a slight difference in function and purpose between MACs and hashes.

• Handbook of Applied Cryptography by Menezes, van Oorschot and Vanstone (2001), chapter 9.