Linear-XOR and Additive Checksums Don't Protect Damgard-Merkle Hashes

Praveen Gauravaram, John Kelsey

    Research output: Chapter in Book/Report/Conference proceeding; Article in proceedings; Research; peer-review

    Abstract

    We consider the security of Damgård-Merkle variants which compute linear-XOR or additive checksums over message blocks, intermediate hash values, or both, and process these checksums in computing the final hash value. We show that these Damgård-Merkle variants gain almost no security against generic attacks such as the long-message second preimage attacks and the herding attack.

    Original language: English
    Title of host publication: RSA Conference 2008, Cryptographers' Track
    Editors: Tal Malkin
    Publisher: Springer
    Publication date: 2008
    Pages: 36-51
    ISBN (Print): 978-3-540-79262-8
    Publication status: Published - 2008
    Event: RSA Conference Cryptographer's Track - Moscone Center, San Francisco, CA, USA
    Duration: 1 Jan 2008 → …

    Conference

    Conference: RSA Conference Cryptographer's Track
    City: Moscone Center, San Francisco, CA, USA
    Period: 01/01/2008 → …
    Series: Lecture Notes in Computer Science
    Number: 4964

    Keywords

    • Damgård-Merkle construction
    • multicollisions
    • Linear-XOR and additive checksums
    • second preimage and herding attacks
