3

Does the Merkle–Damgård hash function still offer Collision Resistance (CR) when the following changes are made? Each case is independent from the other.

Here is what I want to modify:

  1. Say I want to get rid of the IV at the beginning and replace it with the first block of the message ($M_1$). That is, $T_0 = M_1$ and the 2nd tag $T_1$ will be generated using the compression function $h$, so that $T_1 = h(M_1,M_1)$. Instead of what it should have been: $T_1 = h(IV,M_1)$.

  2. Instead of using IV as the first tag $T_0$ and adding the message length in the last block, set $T_0$ to be the the message length $q$ (such that it is padded to the block length).

  3. Instead of outputting the result of Merkle–Damgård $H(m) = h(T[i-1]; M[i])$ we just output $T[i-1] || M[i]$, where $||$ denotes concatenation. Assuming in this version of Merkle–Damgård, the last block will just be the length of the message.

Can someone tell me if any of this cases offers Collision Resistance? Please explain why this is the case.

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
user43738
  • 91
  • 1
  • 1
    In 3. where is the compression ? – Biv Feb 15 '17 at 09:28
  • 1
    For 1, there's a practical complexity: in common hashes, the two inputs of the compression function $h$ have different size; e.g. 256-bit and 512-bit for SHA-256. Modification 2 would require knowing the length when starting the hash, which often is inconvenient. A remark (which might be, or not, a valid hint if this is an exercise): for 1 and 2, it is possible to construct a pathological $h$ so that the construction is not collision-resistant, when for the same $h$ the construction would be collision-resistant for public IV chosen randomly independently of $h$. – fgrieu Feb 15 '17 at 11:38
  • I vote to close this question because the author asked the same question (at least for part 1) here , part 2 has been also answered in the same place and part 3 is irrelevant because there is no compression. – Biv Feb 16 '17 at 12:19

0 Answers0