This article presents a sequential domain extension scheme with minimum padding for hashing using a compression function. The proposed domain extension scheme is free from the length extension property. The collision resistance of a hash function using the proposed domain extension is shown to be reduced to the collision resistance and the everywhere preimage resistance of the underlying compression function in the standard model, where the compression function is assumed to be chosen at random from a function family in some efficient way. Its indifferentiability from a random oracle up to the birthday bound is also shown on the assumption that the underlying compression function is a fixed-input-length random oracle or the Davies-Meyer mode of a block cipher chosen uniformly at random. The proposed domain extension is also applied to the sponge construction and the resultant hash function is shown to be indifferentiable from a random oracle up to the birthday bound in the ideal permutation model. The proposed domain extension scheme is expected to be useful for processing short messages.
展开▼
