
I'm looking at scheme on Wikipedia:

https://en.wikipedia.org/wiki/Merkle–Damgård_construction

And it looks like function f takes two inputs. So do we have to use an OWF in this scheme that can take two inputs, or maybe we can somehow combine the IV with the message block, for example by xoring them? Then f can technically take only one (combined) input?

Tom

1 Answer


Indeed, in the Merkle-Damgård construction, the One Way compression function has two inputs:

  • The state, that is a fixed constant†, in the first round; or the output of the previous invocation of the OWF, in subsequent rounds.
  • The message block of (padded) data to be hashed.

Maybe we can somehow combine [state] with message block, for example by xoring them?

Yes, we can combine state and message block into a single input of a One Way compression function, but no, that can't be by xoring: that would make creating a collision trivial. A better way of combining the two into a single input is concatenation.

If we only have a One Way function with the same input and output size (that is not compressing), we can't directly use the Merkle-Damgård construction.


† That constant is sometimes called the Initialization Vector (IV). It is part of the definition of the hash, just like the One Way compression function. A standard security argument of the Merkle-Damgård construction for hashes assumes that the IV is chosen arbitrarily and non-maliciously, so that the hash is a random member of the family of hashes obtained with the IV as a parameter. If not, some attacks could be easier. In practice, the IV is often a nothing-up-my-sleeve number.

fgrieu
  • In MD, it is one-way compression function, not full set OWFs. – kelalaka Oct 07 '22 at 10:35
  • @fgrieu but if the OWF is, let's say, 256 bits (and can take only one 256-bit input), we have to use a 128-bit IV and a 128-bit message to get a 256-bit result of concatenation, am I right? So we have to use a smaller IV than if we had an OWF able to take two 256-bit inputs. Will a smaller initialization vector not result in lower security of such a solution? – Tom Oct 07 '22 at 11:31
  • That is not a compression function! MD is based on a compression function! – kelalaka Oct 07 '22 at 11:38
  • Does the initialization vector have to be random? It is known to all in this case, but generated ad hoc before hashing, yes? – Tom Oct 07 '22 at 22:37
  • @fgrieu thanks, now it is more clear to me. – Tom Oct 08 '22 at 06:55
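To make the answer's two points concrete (combining state and block by XOR lets anyone build a collision, while concatenation turns the one-way function into a real compression function that sees 2N bytes and outputs N, which is also what the comment thread about a 256-bit single-input OWF is circling around), here is an added Python example. It is not code from the question or the answer. It assumes a toy block and state size N = 16 bytes, uses SHA-256 truncated to N bytes as a stand-in black-box one-way function, and uses a constructed constant IV; all of those choices are mine, not the page's.

```python
import hashlib

# Toy parameters, constructed for this example (not from the post).
N = 16                  # state / message-block size in bytes
IV = bytes(range(N))    # fixed, public constant in the spirit of a nothing-up-my-sleeve number


def owf(x: bytes) -> bytes:
    """Stand-in one-way function: SHA-256 truncated to N bytes.
    Treated as a black box. It accepts any input length, so the
    'combine' step below decides whether it really compresses."""
    return hashlib.sha256(x).digest()[:N]


def pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: append 0x80, zero bytes, then the
    message bit length as a big-endian 64-bit integer, so the padded
    data is a whole number of N-byte blocks."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % N)
    return padded + (len(msg) * 8).to_bytes(8, "big")


def combine_xor(state: bytes, block: bytes) -> bytes:
    """Combine state and block by XOR: owf sees only N bytes (not compressing)."""
    return bytes(s ^ b for s, b in zip(state, block))


def combine_concat(state: bytes, block: bytes) -> bytes:
    """Combine by concatenation: owf sees 2N bytes and outputs N bytes,
    i.e. it is used as a genuine one-way compression function."""
    return state + block


def md_hash(msg: bytes, combine, iv: bytes = IV) -> bytes:
    """Generic Merkle-Damgard iteration over N-byte blocks."""
    state = iv
    data = pad(msg)
    for i in range(0, len(data), N):
        state = owf(combine(state, data[i:i + N]))
    return state


def xor_variant_collision(m1: bytes, m2: bytes, m1_alt: bytes, iv: bytes = IV):
    """Why XOR-combining is broken: the chaining value and the next block
    enter owf only through their XOR, so after changing the first block we
    can choose a second block that restores the same owf input. Returns two
    distinct 2N-byte messages with identical md_hash(..., combine_xor)."""
    assert len(m1) == len(m2) == len(m1_alt) == N and m1 != m1_alt
    h1 = owf(combine_xor(iv, m1))          # chaining value after block 1
    h1_alt = owf(combine_xor(iv, m1_alt))  # chaining value after altered block 1
    # Solve h1_alt XOR m2_alt == h1 XOR m2 for m2_alt.
    m2_alt = combine_xor(combine_xor(h1_alt, h1), m2)
    # Same length => identical padding block => identical final state.
    return m1 + m2, m1_alt + m2_alt


if __name__ == "__main__":
    a, b = xor_variant_collision(b"A" * N, b"B" * N, b"C" * N)
    print("xor variant   :", md_hash(a, combine_xor).hex(), md_hash(b, combine_xor).hex())
    print("concat variant:", md_hash(a, combine_concat).hex(), md_hash(b, combine_concat).hex())
```

The XOR variant collides on the two constructed messages for any choice of IV, which is exactly why a fixed, public IV does not rescue it; the concatenation variant is only as strong as the underlying compression function, but it gives the attacker no such algebraic shortcut.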