Security

Salvaging Merkle-Damg?ard for Practical Applications

Free registration required

Executive Summary

Many cryptographic applications of hash functions are analyzed in the random oracle model. Unfortunately, most concrete hash functions, including the SHA family, use the iterative (Strengthened) Merkle-Damg?ard transform applied to a corresponding compression function. Moreover, it is well known that the resulting "Structured" hash function cannot be generically used as a random oracle, even if the compression function is assumed to be ideal. This leaves a large disconnect between theory and practice: although no attack is known for many concrete applications utilizing existing (Merkle-Damg?ard based) hash functions, there is no security guarantee either, even by idealizing the compression function.

  • Format: PDF
  • Size: 390.64 KB