Score:2

Davies-Meyer block cipher and IV

I have three questions regarding the Davies-Meyer construction:

  1. What is the name of the underlying block cipher?
  2. How is the first input hash value (IV) passed to the block cipher generated?
  3. What is padded to last original message block?
Score:3
In order:

  1. unspecified, it may be any block cipher (with the desired output block and key size);
  2. unspecified, it may be any constant of the right block size;
  3. unspecified, it may be any padding type that suits the key size.

Davies-Meyer is a construction for a compression function, not an actual algorithm that can be used out of the box. Usually these parameters would be described for a specific algorithm that employs the Davies-Meyer construction.

In principle they could be left as configuration parameters as well (similar to HMAC where the hash is a configuration parameter, e.g. HMAC-SHA-256). However, for hash functions this is not common.

One of the uses of this kind of abstraction is that it is possible to create a proof for it, independent of the block cipher used - you'd have to assume that the block cipher isn't broken for the particular use case, of course.


Here is the relevant part of the Wikipedia article on one-way functions:

The hash function can only be considered secure if at least the following conditions are met:

  • The block cipher has no special properties that distinguish it from ideal ciphers, such as weak keys or keys that lead to identical or related encryptions (fixed points or key-collisions).
  • The resulting hash size is big enough. According to the birthday attack a security level of 2^80 (generally assumed to be infeasible to compute today) is desirable, thus the hash size should be at least 160 bits.
  • The last block is properly length padded prior to the hashing. (See Merkle–Damgård construction.) Length padding is normally implemented and handled internally in specialised hash functions like SHA-1 etc.

The constructions presented below: Davies–Meyer, Matyas–Meyer–Oseas, Miyaguchi–Preneel and Hirose have been shown to be secure under [the] black-box analysis.


For a specific hash-function implementation that uses Davies-Meyer you can have a look at the SHA-2 hash family. Note that SHA-2 doesn't use a named block cipher; it uses a specialized cipher specific to SHA-2. The padding mode is bit padding, but it has a length indication. The IVs are specified for each hash function separately; you cannot miss them.
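As an added example (not part of the answer above), here is the construction the answer describes with the three open parameters filled in: AES-128 from Go's standard library as the block cipher, a constructed constant as the IV, and Merkle-Damgård length padding as the padding scheme. The names compress, pad and Hash and the IV bytes are my own choices, not from any standard.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
)

// AES-128: each 16-byte message block is the key; the chaining value is the 16-byte block input.
const blockSize = aes.BlockSize

// IV is a constructed constant for this example; Davies-Meyer leaves it open.
var IV = [blockSize]byte{
	0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,
	0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0,
}

// compress is the Davies-Meyer step H_i = E_{m_i}(H_{i-1}) XOR H_{i-1}.
func compress(h [blockSize]byte, m []byte) [blockSize]byte {
	c, err := aes.NewCipher(m) // the message block is the cipher key
	if err != nil {
		panic(err) // cannot happen: m is always exactly blockSize bytes
	}
	var out [blockSize]byte
	c.Encrypt(out[:], h[:])
	for i := range out {
		out[i] ^= h[i] // feed-forward of the chaining value
	}
	return out
}

// pad applies Merkle-Damgård strengthening: 0x80, zero bytes, then the
// message length in bits as a 64-bit big-endian integer.
func pad(msg []byte) []byte {
	out := append(append([]byte{}, msg...), 0x80)
	for len(out)%blockSize != blockSize-8 {
		out = append(out, 0x00)
	}
	var bitLen [8]byte
	binary.BigEndian.PutUint64(bitLen[:], uint64(len(msg))*8)
	return append(out, bitLen[:]...)
}

// Hash chains compress over the padded message, starting from IV.
func Hash(msg []byte) []byte {
	h, p := IV, pad(msg)
	for i := 0; i < len(p); i += blockSize {
		h = compress(h, p[i:i+blockSize])
	}
	return h[:]
}
```

Because AES has a 128-bit block, the digest is only 128 bits, below the 160-bit floor quoted above, so this illustrates the structure rather than a hash to deploy.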
