Have there been efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction?


Have there ever been some publicized efforts to prevent length extension attacks of hashing algorithms that are based on the Merkle–Damgård construction (MD5, SHA1, SHA2, ...)?










  • Double-Hashing and truncation? – SEJPM, yesterday

  • HMAC is the typical construction – Natanael, yesterday















hash merkle-damgaard length-extension






asked yesterday by AleksanderRas







2 Answers
Yes. In this paper, Coron et al. showed that a plain MD construction is secure when its inputs are prefix-free. They actually proved the indifferentiability of the construction. In other words, messages need to be encoded in a prefix-free manner.

Quoting the paper:

A prefix-free code over the alphabet $\{0,1\}^\kappa$ is an efficiently computable injective function $g: \{0,1\}^* \to (\{0,1\}^\kappa)^*$ such that for all $x \neq y$, $g(x)$ is not a prefix of $g(y)$.

One such encoding is given in the paper:

Function $g_1(m)$: let $N$ be the message length of $m$ in bits. Write $m$ as $(m_1, \ldots, m_l)$ where for all $i$, $|m_i| = \kappa$, with the last block $m_l$ padded with $10^r$. Let $g_1(m) = (\langle N \rangle, m_1, \ldots, m_l)$, where $\langle N \rangle$ is a $\kappa$-bit binary encoding of $N$.








answered yesterday by Marc Ilunga
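The encoding $g_1$ quoted in this answer, as an added example that is not part of the answer or of the Coron et al. paper: a byte-level $g_1$ placed beside ordinary MD strengthening (the length appended after the message, as MD5, SHA-1 and SHA-2 do), with a checker for the prefix-free and injectivity properties over a constructed set of messages. The block size `KAPPA`, the function names and the sample messages are this example's own choices.

```python
# Added example: byte-level version of the prefix-free encoding g1 quoted in the
# answer, next to classic MD strengthening, plus checks of the prefix-free and
# injectivity properties over constructed sample messages. Not code from the
# answer or the paper; KAPPA, names and samples are this example's choices.

KAPPA = 8  # block size in bytes (64-bit blocks), chosen for readability


def pad_10star(m: bytes) -> bytes:
    """Append the 10^r padding (one 1 bit, then zeros) up to a block boundary.

    At byte granularity the leading 1 bit is the byte 0x80. If m already fills
    its last block, a whole extra padding block is added, since the padding is
    always present (that is what keeps the encoding injective).
    """
    r = (-(len(m) + 1)) % KAPPA
    return m + b"\x80" + b"\x00" * r


def g1(m: bytes) -> bytes:
    """Prefix-free encoding from the answer: <N> || m_1 || ... || m_l.

    <N> is the bit length of m as a KAPPA-byte big-endian integer placed BEFORE
    the message, so encodings of messages with different lengths already differ
    in their first block, and equal-length messages have equal-length encodings.
    """
    n_bits = 8 * len(m)
    return n_bits.to_bytes(KAPPA, "big") + pad_10star(m)


def md_strengthening(m: bytes) -> bytes:
    """Classic MD strengthening (MD5/SHA-1/SHA-2 style): m || 10^r || <N>.

    Here the length field comes AFTER the message, so the padded form of x
    can itself be the start of a longer message y; this is not prefix-free.
    """
    n_bits = 8 * len(m)
    r = (-(len(m) + 1 + KAPPA)) % KAPPA  # leave KAPPA bytes for <N>
    return m + b"\x80" + b"\x00" * r + n_bits.to_bytes(KAPPA, "big")


def is_prefix_free(encode, messages) -> bool:
    """True iff no encoding of one message is a prefix of another's encoding."""
    codes = [encode(x) for x in set(messages)]
    return not any(
        i != j and cy.startswith(cx)
        for i, cx in enumerate(codes) for j, cy in enumerate(codes)
    )


def is_injective(encode, messages) -> bool:
    """True iff distinct messages get distinct encodings."""
    return len({encode(x) for x in messages}) == len(set(messages))


# Constructed sample set: empty, sub-block, block-aligned and equal-length
# messages, plus a pair (x, y) where y begins with the MD-padded form of x.
X = b"abc"
SAMPLE = [b"", b"a", X, b"abd", b"abcdefgh", b"abcdefghi",
          md_strengthening(X) + b"tail"]


def check_encodings() -> dict:
    """Report (injective, prefix_free) for both encodings over the sample set."""
    return {
        "g1": (is_injective(g1, SAMPLE), is_prefix_free(g1, SAMPLE)),
        "md_strengthening": (is_injective(md_strengthening, SAMPLE),
                             is_prefix_free(md_strengthening, SAMPLE)),
    }


if __name__ == "__main__":
    for name, (inj, pf) in check_encodings().items():
        print(f"{name:17s} injective={inj} prefix_free={pf}")
```

Both encodings are injective; only $g_1$ is prefix-free. The failing pair for MD strengthening is `X` and `md_strengthening(X) + b"tail"`: because the length field sits at the end, the padded form of `X` is a prefix of the padded form of the longer message, which is precisely the shape a length-extension relies on and what the length-first block of $g_1$ rules out.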





















• Fixed output filters like SHA-256d

• Keyed output filters like HMAC, envelope-MAC, etc.

• Truncation like SHA-512/256

• Prefix-free message encoding like length-prefixed

• Non-MD designs like BLAKE2 with HAIFA, SHA-3 with a sponge






answered yesterday by Squeamish Ossifrage
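To see why the output-side items in this list (and the double hashing, truncation and HMAC mentioned in the comments on the question) work, here is an added example that is not code from the answer: a toy Merkle–Damgård hash around a stand-in compression function, with double hashing (the SHA-256d pattern), a keyed HMAC-style filter and truncation (the SHA-512/256 pattern) applied to it, and a check of whether the digest alone lets anyone resume the chaining state. `BLOCK`, `STATE`, the function names, the sample message and the key are this example's own choices; the prefix-free encoding item is not covered here.

```python
# Added example: a toy Merkle-Damgard hash around a stand-in compression
# function, with the output-side mitigations from the list above (double
# hashing like SHA-256d, a keyed HMAC-style filter, truncation like
# SHA-512/256), and a check of whether a digest alone lets anyone resume the
# chaining state. Not code from the answer; sizes and names are this example's.
import hashlib

BLOCK = 16   # toy block size in bytes
STATE = 32   # toy chaining-state size in bytes
IV = bytes(STATE)


def f(state: bytes, block: bytes) -> bytes:
    """Stand-in compression function: SHA-256 over (state || block).
    Only the MD chaining around it matters for this example."""
    return hashlib.sha256(state + block).digest()


def md_padding(n: int) -> bytes:
    """MD strengthening for an n-byte message: 0x80, zeros, 8-byte bit length.
    It depends on the message LENGTH only, never on its content."""
    r = (-(n + 1 + 8)) % BLOCK
    return b"\x80" + b"\x00" * r + (8 * n).to_bytes(8, "big")


def chain(state: bytes, data: bytes) -> bytes:
    """Feed whole blocks of data through f, starting from the given state."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        state = f(state, data[i:i + BLOCK])
    return state


def md_plain(m: bytes) -> bytes:
    """Plain MD: the final chaining state IS the digest."""
    return chain(IV, m + md_padding(len(m)))


def md_double(m: bytes) -> bytes:
    """Fixed output filter like SHA-256d: hash the digest once more."""
    return md_plain(md_plain(m))


def md_truncated(m: bytes) -> bytes:
    """Truncation like SHA-512/256: publish only half of the final state."""
    return md_plain(m)[:STATE // 2]


def md_hmac(key: bytes, m: bytes) -> bytes:
    """Keyed output filter: HMAC built on md_plain (inner and outer keyed hashes)."""
    if len(key) > BLOCK:
        key = md_plain(key)
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return md_plain(opad + md_plain(ipad + m))


def resumes_from_digest(hash_fn, m: bytes, suffix: bytes) -> bool:
    """Does the digest of m, plus len(m), let one continue the chain to the
    correct digest of m || padding || suffix without knowing m? True is the
    property a length-extension attack depends on; a sound construction
    must give False."""
    digest = hash_fn(m)
    if len(digest) != STATE:
        return False  # truncated output: the chaining state is not fully visible
    glue = md_padding(len(m))                      # derived from len(m) only
    tail = suffix + md_padding(len(m) + len(glue) + len(suffix))
    resumed = chain(digest, tail)                  # continue from the digest
    return resumed == hash_fn(m + glue + suffix)   # compare with the real digest


def survey(m: bytes = b"constructed message", suffix: bytes = b"tail") -> dict:
    """Which constructions expose a resumable state through their digest?"""
    key = b"example-key"  # constructed key for the keyed filter
    return {
        "plain MD": resumes_from_digest(md_plain, m, suffix),
        "double hash": resumes_from_digest(md_double, m, suffix),
        "truncated": resumes_from_digest(md_truncated, m, suffix),
        "HMAC": resumes_from_digest(lambda x: md_hmac(key, x), m, suffix),
    }


if __name__ == "__main__":
    for name, leaks in survey().items():
        print(f"{name:12s} state resumable from digest: {leaks}")
```

Only the plain construction returns `True`: its digest is the chaining state, and the padding it needs depends on the message length alone. Double hashing and the keyed filter both pass the state through one more compression before publishing it, so the visible value is no longer the state that processed the message; truncation simply withholds half of it, which is why SHA-512/256 is not extendable even though it is Merkle–Damgård inside.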


























