Characterizing Padding Rules of MD Hash Functions Preserving Collision Security

This paper characterizes collision preserving padding rules and provides variants of Merkle-Damg̊ard (MD) which are having less or no overhead costs due to length. We first show that suffix-free property of padding rule is necessary as well as sufficient to preserve the collision security of MD hash function for an arbitrary domain {0, 1}∗. Knowing this, we propose a simple suffix-free padding rule padding only log |M | bits for a message M , which is less than that of Damg̊ard’s and Sarkar’s padding rules. We also prove that the length-padding is not absolutely necessary. We show that a simple variant of MD with 10-padding (or any injective padding) is collision resistant provided that the underlying compression function is collision resistant after chopping the last-bit. Finally, we design another variant of MD hash function preserving all three basic security notions of hash functions, namely collision and (2nd) preimage. This is an improvement over a recently designed (SAC-08) three-property preserving hash function in terms of both salt size and efficiency.