Have there been efforts to prevent length extension attacks of hashing algorithms that are based on the...
Have there ever been some publicized efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction (MD5, SHA1, SHA2, ...)?
Tags: hash, merkle-damgaard, length-extension
asked 14 hours ago by AleksanderRas
Comments on the question:
SEJPM♦ (12 hours ago, 1 upvote): Double-Hashing and truncation?
Natanael (1 hour ago): HMAC is the typical construction
2 Answers
Answer by Marc Ilunga (answered 11 hours ago):
Yes. In this paper, Coron et al. showed that a plain MD construction is secure when its inputs are prefix-free. They actually proved the indifferentiability of the construction. In other words, messages need to be encoded in a prefix-free manner.
Quoting the paper:
A prefix-free code over the alphabet $\{0, 1\}^\kappa$ is an efficiently computable injective function $g: \{0, 1\}^* \to (\{0, 1\}^\kappa)^*$ such that for all $x \neq y$, $g(x)$ is not a prefix of $g(y)$.
One such encoding is given in the paper:
Function $g_1(m)$: let $N$ be the message length of $m$ in bits.
Write $m$ as $(m_1, \ldots, m_l)$ where for all $i$, $|m_i| = \kappa$,
and with the last block $m_l$ padded with $10^r$.
Let $g_1(m) = (\langle N \rangle, m_1, \ldots, m_l)$ where $\langle N \rangle$ is a $\kappa$-bit binary encoding of $N$.
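The encoding $g_1$ quoted above, as an added example that is not part of the answer or of Coron et al.'s paper (it also covers the "prefix-free message encoding like length-prefixed" item in the other answer): a toy MD chain with SHA-256 standing in for the compression function and a 32-byte block, both my assumptions, run once over classic MD padding and once over $g_1$, with the paper's prefix-freeness definition checked on constructed sample messages.

```python
import hashlib

KAPPA = 32        # toy block size in bytes (kappa = 256 bits); my choice, not the paper's
IV = b"\x00" * 32

def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256 standing in for a real MD compression function."""
    return hashlib.sha256(state + block).digest()

def md_pad(msg: bytes) -> bytes:
    """Classic MD strengthening: 0x80, zero bytes, then the 8-byte big-endian bit length."""
    zeros = (KAPPA - (len(msg) + 1 + 8) % KAPPA) % KAPPA
    return msg + b"\x80" + b"\x00" * zeros + (8 * len(msg)).to_bytes(8, "big")

def g1(msg: bytes) -> bytes:
    """The answer's g1: a kappa-bit block holding <N> (the bit length) comes first,
    then the message blocks, the last one padded with 1 0^r."""
    n_block = (8 * len(msg)).to_bytes(KAPPA, "big")
    zeros = (KAPPA - (len(msg) + 1) % KAPPA) % KAPPA
    return n_block + msg + b"\x80" + b"\x00" * zeros

def md_iterate(state: bytes, data: bytes) -> bytes:
    """Run the MD chain over already-encoded data (a whole number of blocks)."""
    assert len(data) % KAPPA == 0
    for i in range(0, len(data), KAPPA):
        state = compress(state, data[i:i + KAPPA])
    return state

def is_prefix_free(encode, msgs) -> bool:
    """The paper's definition on a finite sample: no encode(x) is a prefix of encode(y), x != y."""
    enc = [encode(m) for m in msgs]
    return all(not b.startswith(a) for i, a in enumerate(enc)
               for j, b in enumerate(enc) if i != j)

def digest_from_chain_state(encode, x: bytes, y: bytes):
    """Return the digest of y finished from the chain state after x when encode(x)
    prefixes encode(y) (the extension property), else None (the prefix-free case)."""
    ex, ey = encode(x), encode(y)
    if not ey.startswith(ex):
        return None
    return md_iterate(md_iterate(IV, ex), ey[len(ex):])

# Constructed sample: Y is X's padded image plus a suffix, the shape plain MD padding
# cannot distinguish from a fresh message; g1's leading length block changes instead.
X = b"amount=10&to=alice"
Y = md_pad(X) + b"&to=mallory"
SAMPLES = [X, Y, b"", b"a" * KAPPA]
if __name__ == "__main__":
    print("md_pad prefix-free:", is_prefix_free(md_pad, SAMPLES))  # False
    print("g1 prefix-free:    ", is_prefix_free(g1, SAMPLES))      # True
```

With plain padding the digest of Y is reachable from the chain state after X alone; under g1 no message's encoding begins with g1(X), so there is no state to continue from.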
Answer by Squeamish Ossifrage (answered 47 mins ago):
- Fixed output filters like SHA-256d
- Keyed output filters like HMAC, envelope-MAC, etc.
- Truncation like SHA-512/256
- Prefix-free message encoding like length-prefixed
- Non-MD designs like BLAKE2 with HAIFA, SHA-3 with a sponge