Why narrow-pipe cryptographic hash functions are not a match to wide-pipe cryptographic hash functions?
Danilo Gligoroski

In the last 7-8 months Klima and I have discovered several deficiencies of narrow-pipe cryptographic hash designs. It all started with a note to the hash-forum list that narrow-pipe hash functions give outputs that are pretty different from the output that we would expect from a random oracle that maps messages of arbitrary length to hash values of n bits. Then, together with Klima, we investigated the consequences of that aberration for some practical key-derivation protocols that use iterative and repetitive calls to a hash function. Finally, during the third SHA-3 conference I showed that narrow-pipe hash functions cannot offer n bits of security against the length-extension attack (a requirement that NIST has put as one of the conditions for the SHA-3 competition). In my talk I will explain in detail all these problems with narrow-pipe hash designs, and I will explain why wide-pipe hash functions such as Blue Midnight Wish do not suffer from the mentioned deficiencies.