## Merkle–Damgård revisited: How to construct a hash function (2005)

Citations: | 74 - 8 self |

### BibTeX

@INPROCEEDINGS{Coron05merkle–damgårdrevisited:,

author = {Jean-Sébastien Coron and Yevgeniy Dodis and Cécile Malinaud and Prashant Puniya},

title = {Merkle–Damgård revisited: How to construct a hash function},

booktitle = {},

year = {2005},

pages = {430--448},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

The most common way of constructing a hash function (e.g., SHA-1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a block-cipher. In this paper, we introduce a new security notion for hash-functions, stronger than collision-resistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixed-length building block is viewed as a random oracle or an ideal block-cipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixed-length primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA-1 and MD5 — the (strengthened) Merkle–Damgård transformation — does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain Merkle–Damgård construction and are easily implementable in practice.