Merkle-Damgård Construction
sha3
12.3: Merkle-Damgård Construction
Constructing a hash function seems like a challenging task, especially given that it must accept strings of arbitrary length as input. In this section, we’ll see one approach for constructing hash functions, called the Merkle-Damgård construction.
Instead of a full-fledged hash function, imagine that we had a collision-resistant function (family) whose inputs were of a single fixed length, but longer than its outputs. In other words, suppose we had a family ℋ of functions h : {0,1}n+t → {0,1}n, where t > 0. We call such an h a compression function. This is not compression in the usual sense of data compression — we are not concerned about recovering the input from the output. We call it a compression function because it “compresses” its input by t bits (analogous to how a pseudorandom generator “stretches” its input by some amount).
We can apply the standard definition of collision-resistance to a family of compression functions, by restricting our interest to inputs of length exactly n + t. The functions in the family are not defined for any other input length.
The following construction is one way to extend a compression function into a full-edged hash function accepting arbitrary-length inputs:
Construction 12.4: Merkle-Damgård
Let h : {0,1}n + t → {0,1}n be a compression function. Then the Merkle-Damgård transformation of h is MDh : {0,1}∗ → {0,1}n, where:
The idea of the Merkle-Damgård construction is to split the input x into blocks of size t. The end of the string is filled out with 0s if necessary. A final block called the “padding block” is added, which encodes the (original) length of x in binary.
We are presenting a simplified version, in which MDh accepts inputs whose maximum length is 2t − 1 bits (the length of the input must fit into t bits). By using multiple padding blocks (when necessary) and a suitable encoding of the original string length, the construction can be made to accomodate inputs of arbitrary length (see the exercises).
The value y0 is called the initialization vector (IV), and it is a hard-coded part of the algorithm. In practice, a more “random-looking” value is used as the initialization vector. Or one can think of the Merkle-Damgård construction as defining a family of hash functions, corresponding to the different choices of IV.
Claim 12.5
Let ℋ be a family of compression functions, and define MDℋ = {MDh | h∈ ℋ} (a family of hash functions). If ℋ is collision-resistant, then so is MDℋ.
Proof
While the proof can be carried out in the style of our library-based security definitions, it’s actually much easier to simply show the following: given any collision under MDh, we can efficiently find a collision under h. This means that any successful adversary violating the collision-resistance of MDℋ can be transformed into a successful adversary violating the collision resistance of ℋ. So if ℋ is collision-resistant, then so is MDℋ.
Suppose that x,x’ are a collision under MDh. Define the values x1,. . . ,xk + 1 and y1,. . . ,yk + 1 as in the computation of MDh (x). Similarly, define x’1,. . . ,x’k’+1 and y’1,. . . ,y’k’ + 1 as in the computation of MDh (x’). Note that, in general, k may not equal k’.
Recall that:
MDh (x) = yk + 1 = h(yk‖xk + 1)
MDh (x’) = y’k’ + 1 = h(y’k’‖x’k’ + 1)
Since we are assuming MDh(x) = MDh(x’), we have yk + 1 = y’k’ + 1. We consider two cases:
Case 1: If |x| ≠ |x’|, then the padding blocks xk + 1 and x’k’ + 1 which encode |x| and |x’| are not equal. Hence we have yk‖xk + 1 ≠ y’k’‖x’k’ + 1, so yk‖xk + 1 and y’k’‖x’k’ + 1 are a collision under h and we are done.
Case 2: : If |x| = |x’|, then x
and x’ are broken into the same number of blocks, so k = k’. Let us work backwards from the final step in the computations of MDh (x) and MDh(x’). We know that:
If yk‖xk + 1 and y’k‖x’k + 1 are not equal, then they are a collision under h and we are done. Otherwise, we can apply the same logic again to yk and y’k, which are equal by our assumption.
More generally, if yi = y’i, then either yi − 1‖xi and y’i − 1‖x’i are a collision under h (and we say we are “lucky”), or else yi − 1 = y’i − 1 (and we say we are “unlucky”). We start with the premise that yk = y’k. Can we ever get “unlucky” every time, and not encounter a collision when propagating this logic back through the computations of MDh(x) and MDh(x’)? The answer is no, because encountering the unlucky case every time would imply that xi = x’i for all i. That is, x = x’. But this contradicts our original assumption that x ≠ x’. Hence we must encounter some “lucky” case and therefore a collision in h.
原文地址:https://www.cnblogs.com/Janly/p/15129007.html
- JavaScript 教程
- JavaScript 编辑工具
- JavaScript 与HTML
- JavaScript 与Java
- JavaScript 数据结构
- JavaScript 基本数据类型
- JavaScript 特殊数据类型
- JavaScript 运算符
- JavaScript typeof 运算符
- JavaScript 表达式
- JavaScript 类型转换
- JavaScript 基本语法
- JavaScript 注释
- Javascript 基本处理流程
- Javascript 选择结构
- Javascript if 语句
- Javascript if 语句的嵌套
- Javascript switch 语句
- Javascript 循环结构
- Javascript 循环结构实例
- Javascript 跳转语句
- Javascript 控制语句总结
- Javascript 函数介绍
- Javascript 函数的定义
- Javascript 函数调用
- Javascript 几种特殊的函数
- JavaScript 内置函数简介
- Javascript eval() 函数
- Javascript isFinite() 函数
- Javascript isNaN() 函数
- parseInt() 与 parseFloat()
- escape() 与 unescape()
- Javascript 字符串介绍
- Javascript length属性
- javascript 字符串函数
- Javascript 日期对象简介
- Javascript 日期对象用途
- Date 对象属性和方法
- Javascript 数组是什么
- Javascript 创建数组
- Javascript 数组赋值与取值
- Javascript 数组属性和方法
- Python-时间及日期-07-获取本周或上周几具体日期
- Spark Job-Stage-Task实例理解
- 想查看微信好友撤回的消息?Python帮你搞定
- MySQL 案例:同步中断与SQL线程类型转换
- Android端Charles抓包
- Spring boot 启动提示数据源错误
- leetcode树之从上到下打印二叉树
- 整理C/C++的可变参数
- ThingJS结合Web地图API开发,让数据展示更加出色!
- 如何分析交易记录?
- [技术创作101训练营]小程序云开发实战:从零搭建科技爱好者周刊小程序
- 【技术创作101训练营】innerHTML插入运行js字符串问题探究
- 组合体惯量法A: matlab程序—机械臂动力学建模
- vue+echarts 实现两个小例子
- 2020CV秋招求职的若干思考