Compression function is not collision resistant but Merkle-Damgard is collision resistant


Is it possible that you can still have collision resistance in Merkle-Damgard even if the compression function has a collision?










Tags: hash, collision-resistance, merkle-damgaard

asked Mar 12 at 7:57 by Zoey; edited Mar 12 at 9:50 by kelalaka




















2 Answers






Yes, a hash built per the Merkle-Damgård construction can be collision-resistant even if its compression function has a known collision.

Consider SHA-256. Note its round function $F:\{0,1\}^{256}\times\{0,1\}^{512}\to\{0,1\}^{256}$ where the first argument is the state and the second is a message block. Now define $F'$ identical to $F$, except that $F'(0^{256},0^{512})$ is defined to be $F(0^{256},1^{512})$.

$F'$ has a known collision, yet the variant of SHA-256 using $F'$ is collision resistant, because we can't find a way to bring the state of SHA-256 to all-zero, which would essentially be a preimage attack.

answered Mar 12 at 8:13 by fgrieu; edited Mar 12 at 8:21
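The $F'$ construction from this answer, as an added example that is not part of the original post: a from-scratch SHA-256 compression function `F`, the patched `F_prime` with its planted collision at the all-zero state, and a Merkle-Damgård hash over either one, so the hash built on `F_prime` can be compared with `hashlib`'s SHA-256. The names `F_prime`, `md_hash` and the sample messages are choices made for this sketch.

```python
import hashlib
import struct
from math import isqrt

MASK = 0xFFFFFFFF

def _icbrt(n):
    """Exact integer floor cube root by binary search."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

# SHA-256 constants: fractional bits of the square roots (IV) and cube roots (K)
# of the first primes, derived here instead of being typed in.
_PRIMES = [p for p in range(2, 312) if all(p % q for q in range(2, isqrt(p) + 1))]
IV = tuple(isqrt(p << 64) & MASK for p in _PRIMES[:8])
K = [_icbrt(p << 96) & MASK for p in _PRIMES]

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def F(state, block):
    """SHA-256 compression function: (256-bit state, 512-bit block) -> state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h)))

ZERO_STATE = (0,) * 8        # 0^256
ZERO_BLOCK = b"\x00" * 64    # 0^512
ONES_BLOCK = b"\xff" * 64    # 1^512

def F_prime(state, block):
    """F with one planted collision: F'(0^256, 0^512) := F(0^256, 1^512)."""
    if state == ZERO_STATE and block == ZERO_BLOCK:
        block = ONES_BLOCK
    return F(state, block)

def md_hash(compress, msg):
    """Merkle-Damgård iteration with SHA-256 padding over a given compression function."""
    padded = (msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
              + struct.pack(">Q", 8 * len(msg)))
    state = IV
    for i in range(0, len(padded), 64):
        state = compress(state, padded[i:i + 64])
    return struct.pack(">8I", *state)

# Constructed sample messages; bytes(200) feeds all-zero blocks, but with a
# non-zero chaining state, so the patched point is never evaluated.
SAMPLES = [b"", b"abc", b"a" * 55, b"a" * 56, b"a" * 64, bytes(200)]

if __name__ == "__main__":
    print("F' collides:", F_prime(ZERO_STATE, ZERO_BLOCK) == F_prime(ZERO_STATE, ONES_BLOCK))
    print("F collides: ", F(ZERO_STATE, ZERO_BLOCK) == F(ZERO_STATE, ONES_BLOCK))
    for m in SAMPLES:
        print(len(m), md_hash(F_prime, m) == hashlib.sha256(m).digest())
```

The planted collision only matters for a message whose chaining value reaches all-zero, which is the preimage-style problem the answer refers to.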





















For a very realistic example, see the analysis contained in Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV by Black, Rogaway, and Shrimpton.

They explore all the ways of building a Merkle-Damgaard hash function with an ideal cipher as the underlying compression function, finally classifying which are secure and which are not.

Interestingly, they find a category of constructions with the property you mention:

> ... group-2 schemes ... are collision resistant even though their compression functions are not.

As an example, their $H_{13}$ uses $f(h_i, m_i) = E_{h_i \oplus m_i}(m_i)$ as the compression function. Although this round function leads to a secure MD hash function, by itself it is not even one-way. To find a preimage of $y$, first choose arbitrary $k$, then compute $m := E^{-1}_k(y)$ and $h := m \oplus k$. Then $(h,m)$ is a preimage of $y$.

answered Mar 13 at 0:00 by Mikero
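The preimage procedure described in this answer, as an added example that is not part of the original post or of the paper: a toy 4-round Feistel permutation keyed through SHA-256 stands in for the ideal cipher $E$ (an assumption, as are the 128-bit sizes and all sample values). It inverts $f$ for a chosen $y$ and shows that two different $k$ give a collision in $f$.

```python
import hashlib

BLOCK = 16          # bytes; key size equals block size so h XOR m can serve as the key
HALF = BLOCK // 2

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Feistel round function; any keyed function works, SHA-256 is used here.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:HALF]

def E(key, block, rounds=4):
    """Toy invertible block cipher (stand-in for the ideal cipher E_k)."""
    left, right = block[:HALF], block[HALF:]
    for i in range(rounds):
        left, right = right, xor(left, _round(key, i, right))
    return left + right

def D(key, block, rounds=4):
    """Inverse of E: undo the Feistel rounds in reverse order."""
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(rounds)):
        left, right = xor(right, _round(key, i, left)), left
    return left + right

def f(h, m):
    """Compression function of H_13: f(h, m) = E_{h XOR m}(m)."""
    return E(xor(h, m), m)

def preimage(y, k):
    """Invert f for target y with an arbitrary key k, as in the answer."""
    m = D(k, y)      # m := E_k^{-1}(y)
    h = xor(m, k)    # h := m XOR k, so h XOR m == k and f(h, m) == E_k(m) == y
    return h, m

def compression_collision(y, k1, k2):
    """Two inputs of f mapping to y; they differ whenever k1 != k2,
    because h XOR m equals the key that was chosen."""
    return preimage(y, k1), preimage(y, k2)

# Constructed sample values (not from the page).
Y = bytes.fromhex("00112233445566778899aabbccddeeff")
K1 = bytes(range(16))
K2 = bytes(range(16, 32))

if __name__ == "__main__":
    (h1, m1), (h2, m2) = compression_collision(Y, K1, K2)
    print("f(h1, m1) == y:", f(h1, m1) == Y)
    print("f(h2, m2) == y:", f(h2, m2) == Y)
    print("inputs differ: ", (h1, m1) != (h2, m2))
    # h is whatever D_k(y) XOR k happens to be; the procedure gives no
    # control over it, so it does not fix h to a given chaining value.
    print("h1 =", h1.hex())
```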


























