FROM MERKLE–DAMGÅRD TO SPONGE: ARCHITECTURAL IMPACT ON HASH FUNCTION SECURITY

Authors

  • Sahun Andrii, National University of Life and Environmental Sciences of Ukraine

DOI:

https://doi.org/10.31548/itees.2026.01.045

Keywords:

Cryptographic Hash Functions, SHA-3, SHA-2, Merkle–Damgård Architecture, Sponge Architecture, Crypto Resistance, Safety Margin, Post-quantum Security

Abstract

The paper investigates how the architecture of a cryptographic hash function influences its cryptographic strength. The main focus is a comparative analysis of the classical Merkle–Damgård architecture used in the SHA-2 family and the Sponge architecture implemented in the SHA-3 standard. It is shown how the design features of the Sponge architecture, in particular the division of the internal state into rate and capacity parts, provide an increased margin of cryptographic strength and ensure low vulnerability to the attacks inherent in Merkle–Damgård constructions, including the message extension attack. The possibility of estimating the dispersion index in order to classify a hash function as cryptographic has been confirmed. The only known indicator of hash function quality is based on the variance indicator, and it unambiguously shows only whether a particular hash function is cryptographic or non-cryptographic. At the same time, it has been confirmed that the χ² test, as a “bias detector”, can prove with high probability that a hash function is hack-resistant. The question remains, however, about the unambiguity of the correspondence between the theoretical statistical indicators of hash function quality.
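The χ² "bias detector" mentioned in the abstract can be sketched as follows. This is an added example, not the paper's own method or code: the bucketing by first output byte, the sequential `msg-N` inputs, the significance level and the `weak_sum_hash` comparison function are all assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

BUCKETS = 256      # assumption: bucket = value of the first output byte
SAMPLES = 65536    # constructed inputs b"msg-0", b"msg-1", ...

def weak_sum_hash(data: bytes) -> bytes:
    """Hypothetical non-cryptographic hash: byte sum modulo 256."""
    return bytes([sum(data) % 256])

def sha2_256(data: bytes) -> bytes:
    """Merkle-Damgard representative (SHA-2 family)."""
    return hashlib.sha256(data).digest()

def sha3_256(data: bytes) -> bytes:
    """Sponge representative (SHA-3 standard)."""
    return hashlib.sha3_256(data).digest()

def chi_squared(hash_fn, samples: int = SAMPLES, buckets: int = BUCKETS) -> float:
    """Pearson chi-squared statistic of bucket counts against a uniform spread."""
    counts = Counter(hash_fn(b"msg-%d" % i)[0] % buckets for i in range(samples))
    expected = samples / buckets
    return sum((counts.get(b, 0) - expected) ** 2 / expected
               for b in range(buckets))

def critical_value(df: int, z: float = 3.09) -> float:
    """Wilson-Hilferty approximation of the chi-squared upper quantile.
    z = 3.09 corresponds to an upper-tail probability of about 0.001."""
    t = 2.0 / (9.0 * df)
    return df * (1.0 - t + z * math.sqrt(t)) ** 3

def shows_bias(hash_fn) -> bool:
    """True when the statistic exceeds the critical value for buckets-1 d.o.f."""
    return chi_squared(hash_fn) > critical_value(BUCKETS - 1)

if __name__ == "__main__":
    limit = critical_value(BUCKETS - 1)
    for name, fn in [("SHA-256", sha2_256), ("SHA3-256", sha3_256),
                     ("weak_sum_hash", weak_sum_hash)]:
        stat = chi_squared(fn)
        verdict = "biased" if stat > limit else "no bias detected"
        print(f"{name:14s} chi2={stat:10.1f} limit={limit:.1f} -> {verdict}")
```

The statistic covers only the first output byte over these sequential inputs; other byte positions or input families need their own run.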

Received 2026-03-19

Accepted 2026-04-13

Published

2026-04-22

Issue

Section

Computer Science