Merkle–Damgård construction

The popularity of this construction is due to the fact, proven by Merkle and Damgård, that if the one-way compression function f is collision resistant, then so is the hash function constructed using it. Unfortunately, this construction also has several undesirable properties:

• Second preimage attacks against long messages are always much more efficient than brute force.[5]
• Multicollisions (many messages with the same hash) can be found with only a little more work than collisions.[6]
• "Herding attacks", which combines the cascaded construction for multicollision finding (similar to the above) with collisions found for a given prefix (chosen-prefix collisions). This allows for constructing highly specific colliding documents, and it can be done for more work than finding a collision, but much less than would be expected to do this for a random oracle.[7][8]
• Length extension: Given the hash ${\displaystyle H(X)}$ of an unknown input X, it is easy to find the value of ${\displaystyle H({\mathsf {Pad}}(X)\|Y)}$, where pad is the padding function of the hash. That is, it is possible to find hashes of inputs related to X even though X remains unknown.[9] Length extension attacks were actually used to attack a number of commercial web message authentication schemes such as one used by Flickr.[10]

The Wide pipe hash construction. The intermediate chaining values have been doubled.

Due to several structural weaknesses of Merkle–Damgård construction, especially the length extension problem and multicollision attacks, Stefan Lucks proposed the use of the wide-pipe hash[11] instead of Merkle–Damgård construction. The wide-pipe hash is very similar to the Merkle–Damgård construction but has a larger internal state size, meaning that the bit-length that is internally used is larger than the output bit-length. If a hash of n bits is desired, the compression function f takes 2n bits of chaining value and m bits of the message and compresses this to an output of 2n bits.

Therefore, in a final step a second compression function compresses the last internal hash value (2n bit) to the final hash value (n bit). This can be done as simply as discarding half of the last 2n-bit-output. SHA-512/224 and SHA-512/256 take this form since they are derived from a variant of SHA-512. SHA-384 and SHA-224 are similarly derived from SHA-512 and SHA-256, respectively, but the width of their pipe is much less than 2n.

The Fast wide pipe hash construction. Half of chaining value is used in the compression function.

It has been demonstrated by Mridul Nandi and Souradyuti Paul that the Widepipe hash function can be made approximately twice as fast if the widepipe state can be divided in half in the following manner: one half is input to the succeeding compression function while the other half is combined with the output of that compression function.[12]

The main idea of the hash construction is to forward half of the previous chaining value forward to XOR it to the output of the compression function. In so doing the construction takes in longer message blocks every iteration than the original widepipe. Using the same function f as before, it takes n bit chaining values and n+m bits of the message. However, the price to pay is the extra memory used in the construction for feed-forward.

As mentioned in the introduction, the padding scheme used in the Merkle–Damgård construction must be chosen carefully to ensure the security of the scheme. Mihir Bellare gives sufficient conditions for a padding scheme to possess to ensure that the MD construction is secure: the scheme must be "MD-compliant" (the original length-padding scheme used by Merkle is an example of MD-compliant padding).[1]^:145 Conditions:

• ${\displaystyle M}$ is a prefix of ${\displaystyle {\mathsf {Pad}}(M).}$
• If ${\displaystyle |M_{1}|=|M_{2}|}$ then ${\displaystyle |{\mathsf {Pad}}(M_{1})|=|{\mathsf {Pad}}(M_{2})|.}$
• If ${\displaystyle |M_{1}|\neq |M_{2}|}$ then the last block of ${\displaystyle {\mathsf {Pad}}(M_{1})}$ is different from the last block of ${\displaystyle {\mathsf {Pad}}(M_{2}).}$

With these conditions in place, we find a collision in the MD hash function exactly when we find a collision in the underlying compression function. Therefore, the Merkle–Damgård construction is provably secure when the underlying compression function is secure.[1]^:147

To be able to feed the message to the compression function, the last block needs to be padded with constant data (generally with zeroes) to a full block.

For example, let's say the message to be hashed is "HashInput" and the block size of the compression function is 8 bytes (64 bits). So we get two blocks looking like this:

HashInpu t0000000

But this is not enough since it would mean that distinct messages starting by the same data and terminated by zero or more bytes from the padding constant data would get fed into the reduction function using exactly the same blocks, producing the same final hash sum.

In our example, for instance, the modified message "HashInput00" would generate the same blocks as the original message "HashInput".

To prevent this, the first bit of the padded constant data must be changed. As the constant padding is generally made of zeroes, the first padding bit will be mandatorily changed into "1".

In our example, we get something like this:

HashInpu t1000000

To harden the hash even further also, the length of the message can be added in an extra block.

So in our example, we would get three blocks like this:

HashInpu t1000000 00000009

To avoid ambiguity, the message length value must be itself resistant to length extension attacks. Most common implementations use a fixed bit-size (generally 64 or 128 bits in modern algorithms) and a fixed position at end of the last block for encoding the message length value (see for explanation, SHA-1 pseudocode), although this would according to logic presented on this page, be less effective than placing the length at the start of the message, where it itself is not liable to length extension attack, but requires knowledge prior to initiating checksumming of the length of data being checksummed, or insertion of multiple of such values, blockwise, within the checksum stream.

Now that is a bit wasteful since it means hashing one full extra block for a length value. So there is a slight speed optimisation that most hash algorithms use. If there is space enough among the zeros padded to the last block the length value can instead be padded there.

Let's say here that, in our example the length value is encoded on 5 bytes (40 bits), thus it gets padded in the final block as "00009", not just "9" or with too many unnecessary zeroes. Like this:

HashInpu t1000009

Note that storing the message length out-of-band in metadata, or otherwise embedded at the start of the message is an effective mitigation of the length extension attack, as long as invalidation of either the message length and checksum are both considered failure of integrity checking.

• Handbook of Applied Cryptography by Menezes, van Oorschot and Vanstone (2001), chapter 9.
• Introduction to Modern Cryptography, by Jonathan Katz and Yehuda Lindell. Chapman and Hall/CRC Press, August 2007, page 134 (construction 4.13).