Linear-XOR and Additive Checksums Don't Protect Damgard-Merkle Hashes

Praveen Gauravaram, John Kelsey

    Research output: Chapter in Book/Report/Conference proceeding; Article in proceedings; Research; peer-review


    We consider the security of Damgård-Merkle variants which compute linear-XOR or additive checksums over message blocks, intermediate hash values, or both, and process these checksums in computing the final hash value. We show that these Damgård-Merkle variants gain almost no security against generic attacks such as the long-message second preimage attacks and the herding attack.
    Original language: English
    Title of host publication: RSA Conference 2008, Cryptographers' Track
    Editors: Tal Malkin
    Publication date: 2008
    ISBN (Print): 978-3-540-79262-8
    Publication status: Published - 2008
    Event: RSA Conference Cryptographer's Track - Moscone Center, San Francisco, CA, USA
    Duration: 1 Jan 2008 → …


    Conference: RSA Conference Cryptographer's Track
    City: Moscone Center, San Francisco, CA, USA
    Period: 01/01/2008 → …
    Series: Lecture Notes in Computer Science


    • Damgård-Merkle construction
    • multicollisions
    • Linear-XOR and additive checksums
    • second preimage and herding attacks

