Score:1

Does the Merkle–Damgård construction require an OWF with two inputs?

Tom

I'm looking at the scheme on Wikipedia:

https://en.wikipedia.org/wiki/Merkle–Damgård_construction

And it looks like function f takes two inputs. So do we have to use in this scheme an OWF which can take two inputs, or maybe we can somehow combine the IV with the message block, for example by XORing them? Then f can technically take only one (combined) input?

kelalaka
[Generalize the Merkle–Damgård construction for any compression function](https://crypto.stackexchange.com/q/15772/18298)
Score:2

Indeed, in the Merkle-Damgård construction, the One Way compression function has two inputs:

  • The state, that is a fixed constant†, in the first round; or the output of the previous invocation of the OWF, in subsequent rounds.
  • The message block of (padded) data to be hashed.

> Maybe we can somehow combine [state] with message block, for example by xoring them?

Yes, we can combine the state and the message block into a single input of a One Way compression function, but no, that can't be by XORing: that would make creating a collision trivial. A better way of combining the two into a single input is concatenation.

If we only have a One Way function with the same input and output size (that is not compressing), we can't directly use the Merkle-Damgård construction.


† That constant is sometimes called the Initialization Vector (IV). It is part of the definition of the hash, just like the One Way compression function. A standard security argument of the Merkle-Damgård construction for hashes assumes that the IV is chosen arbitrarily and non-maliciously, so that the hash is a random member of the family of hashes obtained with the IV as a parameter. If not, some attacks could be easier. In practice, the IV is often a nothing-up-my-sleeves number.

kelalaka
In MD, it is a one-way compression function, not the full set of OWFs.
Tom
@fgrieu but if the OWF is, let's say, 256 bits (and can take only one 256-bit input), we have to use a 128-bit IV and a 128-bit message to get a 256-bit result of concatenation, am I right? So we have to use a smaller IV than if we had an OWF able to take two 256-bit inputs. Will a smaller initialization vector not result in lower security of such a solution?
kelalaka
That is not a compression function! MD is based on a compression function!
Tom
Does the initialization vector have to be random? It is known to all in this case, but generated ad hoc before hashing, yes?
Tom
@fgrieu thanks, now it is more clear to me.
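
The answer's point about XOR versus concatenation, as an added example that is not part of the original thread: a toy Merkle-Damgård hash built from a one-input function, where XOR-combining state and block lets a second message with the same digest be computed directly, while concatenation does not. SHA-256 as the stand-in one-input function, the 32-byte block size, the IV string and all function names are assumptions made for the illustration.

```python
import hashlib
import struct

BLOCK = 32  # bytes per state and per message block (assumed for the demo)
IV = hashlib.sha256(b"example IV, constructed for this demo").digest()

def F(x: bytes) -> bytes:
    """Stand-in one-input one-way function (SHA-256; an assumption)."""
    return hashlib.sha256(x).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def combine_xor(state: bytes, block: bytes) -> bytes:
    return xor(state, block)      # 32 bytes in, 32 out: F does not compress

def combine_concat(state: bytes, block: bytes) -> bytes:
    return state + block          # 64 bytes in, 32 out: F compresses

def pad(msg: bytes) -> list:
    """Merkle-Damgard strengthening: 0x80, zeros, 64-bit bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-(len(padded) + 8) % BLOCK)
    padded += struct.pack(">Q", 8 * len(msg))
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]

def md_hash(msg: bytes, combine) -> bytes:
    state = IV
    for block in pad(msg):
        state = F(combine(state, block))
    return state

def xor_collision(msg: bytes, new_first_block: bytes) -> bytes:
    """Second message (same length, >= 2 blocks) with equal XOR-combined hash."""
    m1, m2 = msg[:BLOCK], msg[BLOCK:2 * BLOCK]
    h1 = F(xor(IV, m1))               # state after the original first block
    h1_new = F(xor(IV, new_first_block))
    # Pick m2' so that h1_new ^ m2' == h1 ^ m2: F then sees the same input.
    m2_new = xor(m2, xor(h1, h1_new))
    return new_first_block + m2_new + msg[2 * BLOCK:]

original = b"A" * BLOCK + b"B" * BLOCK + b"tail"   # constructed sample input
forged = xor_collision(original, b"C" * BLOCK)

if __name__ == "__main__":
    print("XOR digests equal:   ",
          md_hash(original, combine_xor) == md_hash(forged, combine_xor))
    print("concat digests equal:",
          md_hash(original, combine_concat) == md_hash(forged, combine_concat))
```

The length padding does not help the XOR variant, because both messages have the same length and share every block after the second.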