How to Fill Up Merkle-Damgård Hash Functions

Many of the popular Merkle-Damg̊ard hash functions have turned out to be not collision-resistant (CR). The problem is that we no longer know if these hash functions are even second-preimage-resistant (SPR) or one-way (OW), without the underlying compression functions being CR. We remedy this situation by introducing the “split padding” into a current Merkle-Damg̊ard hash function H. The patched hash function H̄ resolves the problem in the following ways: (i) H̄ is SPR if the underlying compression function h satisfies an “SPR-like” property, and (ii) H̄ is OW if h satisfies an “OW-like” property. The assumptions we make about h are provided with simple definitions and clear relations to other security notions. In particular, they belong to the class whose existence is ensured by that of OW functions, revealing an evident separation from the strong CR requirement. Furthermore, we get the full benefit from the patch at almost no expense: The new scheme requires no change in the internals of a hash function, runs as efficiently as the original, and as usual inherits CR from h. Thus the patch has significant effects on systems and applications whose security relies heavily on the SPR or OW property of Merkle-Damg̊ard hash functions.