Characterizing Padding Rules of MD Hash Functions Preserving Collision Security

  • Authors:

  • Mridul Nandi

  • Affiliations:

  • National Institute of Standards and Technology,

  • Venue:
  • ACISP '09 Proceedings of the 14th Australasian Conference on Information Security and Privacy
  • Year:
  • 2009

Quantified Score

Hi-index 0.00

Visualization

Abstract

This paper characterizes collision preserving padding rules and provides variants of Merkle-Damgård (MD) which are having less or no overhead costs due to length. We first show that suffix-free property of padding rule is necessary as well as sufficient to preserve the collision security of MD hash function for an arbitrary domain {0,1}*. Knowing this, we propose a simple suffix-free padding rule padding only log|M | bits for a message M , which is less than that of Damgard's and Sarkar's padding rules. We also prove that the length-padding is not absolutely necessary. We show that a simple variant of MD with 10 d -padding (or any injective padding) is collision resistant provided that the underlying compression function is collision resistant after chopping the last-bit. Finally, we design another variant of MD hash function preserving all three basic security notions of hash functions, namely collision and (2nd) preimage, which is an improvement over a recently designed (SAC-08) three-property preserving hash function.