{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,28]],"date-time":"2026-02-28T13:01:16Z","timestamp":1772283676365,"version":"3.50.1"},"publisher-location":"Berlin, Heidelberg","reference-count":36,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"value":"9783642010002","type":"print"},{"value":"9783642010019","type":"electronic"}],"license":[{"start":{"date-parts":[[2009,1,1]],"date-time":"2009-01-01T00:00:00Z","timestamp":1230768000000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2009]]},"DOI":"10.1007\/978-3-642-01001-9_22","type":"book-chapter","created":{"date-parts":[[2009,4,15]],"date-time":"2009-04-15T08:38:25Z","timestamp":1239784705000},"page":"371-388","source":"Crossref","is-referenced-by-count":65,"title":["Salvaging Merkle-Damg\u00e5rd for Practical Applications"],"prefix":"10.1007","author":[{"given":"Yevgeniy","family":"Dodis","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Thomas","family":"Ristenpart","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Thomas","family":"Shrimpton","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","reference":[{"key":"22_CR1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"48","DOI":"10.1007\/978-3-540-30539-2_4","volume-title":"Advances in Cryptology - ASIACRYPT 2004","author":"M. Bellare","year":"2004","unstructured":"Bellare, M., Palacio, A.: Towards Plaintext-Aware Public-Key Encryption Without Random Oracles. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol.\u00a03329, pp. 48\u201362. Springer, Heidelberg (2004)"},{"key":"22_CR2","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"299","DOI":"10.1007\/11935230_20","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2006","author":"M. Bellare","year":"2006","unstructured":"Bellare, M., Ristenpart, T.: Multi-Property-Preserving Hash Domain Extension and the EMD Transform. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol.\u00a04284, pp. 299\u2013314. Springer, Heidelberg (2006)"},{"key":"22_CR3","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"399","DOI":"10.1007\/978-3-540-73420-8_36","volume-title":"Automata, Languages and Programming","author":"M. Bellare","year":"2007","unstructured":"Bellare, M., Ristenpart, T.: Hash Functions in the Dedicated-Key Setting: Design Choices and MPP Transforms. In: Arge, L., Cachin, C., Jurdzi\u0144ski, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol.\u00a04596, pp. 399\u2013410. Springer, Heidelberg (2007)"},{"key":"22_CR4","first-page":"62","volume-title":"CCS 1993","author":"M. Bellare","year":"1993","unstructured":"Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS 1993, pp. 62\u201373. ACM Press, New York (1993)"},{"key":"22_CR5","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"92","DOI":"10.1007\/BFb0053428","volume-title":"Advances in Cryptology - EUROCRYPT \u201994","author":"M. Bellare","year":"1995","unstructured":"Bellare, M., Rogaway, P.: Optimal asymmetric encryption \u2013 How to encrypt with RSA. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol.\u00a0950, pp. 92\u2013111. Springer, Heidelberg (1995)"},{"key":"22_CR6","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"399","DOI":"10.1007\/3-540-68339-9_34","volume-title":"Advances in Cryptology - EUROCRYPT \u201996","author":"M. Bellare","year":"1996","unstructured":"Bellare, M., Rogaway, P.: The Exact Security of Digital Signatures - How to Sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol.\u00a01070, pp. 399\u2013416. Springer, Heidelberg (1996)"},{"key":"22_CR7","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"320","DOI":"10.1007\/3-540-45708-9_21","volume-title":"Advances in Cryptology - CRYPTO 2002","author":"J.A. Black","year":"2002","unstructured":"Black, J.A., Rogaway, P., Shrimpton, T.: Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol.\u00a02442, pp. 320\u2013325. Springer, Heidelberg (2002)"},{"key":"22_CR8","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"223","DOI":"10.1007\/978-3-540-24676-3_14","volume-title":"Advances in Cryptology - EUROCRYPT 2004","author":"D. Boneh","year":"2004","unstructured":"Boneh, D., Boyen, X.: Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol.\u00a03027, pp. 223\u2013238. Springer, Heidelberg (2004)"},{"key":"22_CR9","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"213","DOI":"10.1007\/3-540-44647-8_13","volume-title":"Advances in Cryptology - CRYPTO 2001","author":"D. Boneh","year":"2001","unstructured":"Boneh, D., Franklin, M.: Identity-Based Encryption from the Weil Pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol.\u00a02139, pp. 213\u2013229. Springer, Heidelberg (2001)"},{"key":"22_CR10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"514","DOI":"10.1007\/3-540-45682-1_30","volume-title":"Advances in Cryptology - ASIACRYPT 2001","author":"D. Boneh","year":"2001","unstructured":"Boneh, D., Lynn, B., Shacham, H.: Short Signatures from the Weil Pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol.\u00a02248, pp. 514\u2013532. Springer, Heidelberg (2001)"},{"key":"22_CR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"449","DOI":"10.1007\/978-3-540-70583-3_37","volume-title":"Automata, Languages and Programming","author":"R. Canetti","year":"2008","unstructured":"Canetti, R., Dakdouk, R.R.: Extractable Perfectly One-Way Functions. In: Aceto, L., Damg\u00e5rd, I., Goldberg, L.A., Halld\u00f3rsson, M.M., Ing\u00f3lfsd\u00f3ttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol.\u00a05126, pp. 449\u2013460. Springer, Heidelberg (2008)"},{"key":"22_CR12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"595","DOI":"10.1007\/978-3-642-00457-5_35","volume-title":"TCC 2009","author":"R. Canetti","year":"2009","unstructured":"Canetti, R., Dakdouk, R.: Towards a Theory of Extractable Functions. In: Reingold, O. (ed.) TCC 2009. LNCS, vol.\u00a05444, pp. 595\u2013614. Springer, Heidelberg (2009)"},{"issue":"4","key":"22_CR13","doi-asserted-by":"publisher","first-page":"557","DOI":"10.1145\/1008731.1008734","volume":"51","author":"R. Canetti","year":"2004","unstructured":"Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM\u00a051(4), 557\u2013594 (2004)","journal-title":"J. ACM"},{"issue":"3","key":"22_CR14","doi-asserted-by":"publisher","first-page":"265","DOI":"10.1007\/s00145-006-0442-5","volume":"20","author":"R. Canetti","year":"2007","unstructured":"Canetti, R., Halevi, S., Katz, J.: A Forward-Secure Public-Key Encryption Scheme. J. Cryptology (JOC)\u00a020(3), 265\u2013294 (2007)","journal-title":"J. Cryptology (JOC)"},{"key":"22_CR15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"272","DOI":"10.1007\/3-540-46035-7_18","volume-title":"Advances in Cryptology - EUROCRYPT 2002","author":"J.-S. Coron","year":"2002","unstructured":"Coron, J.-S.: Optimal Security Proofs for PSS and Other Signature Schemes. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol.\u00a02332, pp. 272\u2013287. Springer, Heidelberg (2002)"},{"key":"22_CR16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"430","DOI":"10.1007\/11535218_26","volume-title":"Advances in Cryptology \u2013 CRYPTO 2005","author":"J.-S. Coron","year":"2005","unstructured":"Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damg\u00e5rd Revisited: How to Construct a Hash Function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol.\u00a03621, pp. 430\u2013448. Springer, Heidelberg (2005)"},{"key":"22_CR17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"416","DOI":"10.1007\/0-387-34805-0_39","volume-title":"Advances in Cryptology - CRYPTO \u201989","author":"I.B. Damg\u00e5rd","year":"1990","unstructured":"Damg\u00e5rd, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol.\u00a0435, pp. 416\u2013427. Springer, Heidelberg (1990)"},{"key":"22_CR18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"250","DOI":"10.1007\/3-540-48329-2_22","volume-title":"Advances in Cryptology - CRYPTO \u201993","author":"I.B. Damg\u00e5rd","year":"1994","unstructured":"Damg\u00e5rd, I.B., Pedersen, T.P., Pfitzmann, B.: On the Existence of Statistically Hiding Bit Commitment Schemes and Fail-Stop Sigantures. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol.\u00a0773, pp. 250\u2013265. Springer, Heidelberg (1994)"},{"key":"22_CR19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"198","DOI":"10.1007\/978-3-540-78967-3_12","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2008","author":"Y. Dodis","year":"2008","unstructured":"Dodis, Y., Pietrzak, K., Puniya, P.: A New Mode of Operation for Block Ciphers and Length-Preserving MACs. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol.\u00a04965, pp. 198\u2013219. Springer, Heidelberg (2008)"},{"key":"22_CR20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"156","DOI":"10.1007\/978-3-540-68914-0_10","volume-title":"Applied Cryptography and Network Security","author":"Y. Dodis","year":"2008","unstructured":"Dodis, Y., Puniya, P.: Getting the Best Out of Existing Hash Functions; or What if We Are Stuck with SHA? In: Bellovin, S.M., Gennaro, R., Keromytis, A.D., Yung, M. (eds.) ACNS 2008. LNCS, vol.\u00a05037, pp. 156\u2013173. Springer, Heidelberg (2008)"},{"key":"22_CR21","doi-asserted-by":"crossref","unstructured":"Dodis, Y., Ristenpart, T., Shrimpton, T.: Salvaging Merkle-Damg\u00e5rd for Practical Applications (full version of this paper). IACR ePrint Archive (2009)","DOI":"10.1007\/978-3-642-01001-9_22"},{"key":"22_CR22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"186","DOI":"10.1007\/3-540-47721-7_12","volume-title":"Advances in Cryptology - CRYPTO \u201986","author":"A. Fiat","year":"1987","unstructured":"Fiat, A., Shamir, A.: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol.\u00a0263, pp. 186\u2013194. Springer, Heidelberg (1987)"},{"key":"22_CR23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"330","DOI":"10.1007\/11496618_24","volume-title":"Information Security and Cryptology \u2013 ICISC 2004","author":"S. Hirose","year":"2005","unstructured":"Hirose, S.: Provably Secure Double-Block-Length Hash Functions in a Black-Box Model. In: Park, C.-s., Chee, S. (eds.) ICISC 2004. LNCS, vol.\u00a03506, pp. 330\u2013342. Springer, Heidelberg (2005)"},{"key":"22_CR24","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"210","DOI":"10.1007\/11799313_14","volume-title":"Fast Software Encryption","author":"S. Hirose","year":"2006","unstructured":"Hirose, S.: Some Plausible Constructions of Double-Block-Length Hash Functions. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol.\u00a04047, pp. 210\u2013225. Springer, Heidelberg (2006)"},{"key":"22_CR25","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"113","DOI":"10.1007\/978-3-540-76900-2_7","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2007","author":"S. Hirose","year":"2007","unstructured":"Hirose, S., Park, J.H., Yun, A.: A Simple Variant of the Merkle-Damg\u00e5rd Scheme with a Permutation. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol.\u00a04833, pp. 113\u2013129. Springer, Heidelberg (2007)"},{"key":"22_CR26","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"21","DOI":"10.1007\/978-3-540-24638-1_2","volume-title":"Theory of Cryptography","author":"U.M. Maurer","year":"2004","unstructured":"Maurer, U.M., Renner, R.S., Holenstein, C.: Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol.\u00a02951, pp. 21\u201339. Springer, Heidelberg (2004)"},{"key":"22_CR27","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"428","DOI":"10.1007\/0-387-34805-0_40","volume-title":"Advances in Cryptology - CRYPTO \u201989","author":"R.C. Merkle","year":"1990","unstructured":"Merkle, R.C.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol.\u00a0435, pp. 428\u2013446. Springer, Heidelberg (1990)"},{"key":"22_CR28","unstructured":"National Institute of Standards and Technology. FIPS PUB 180-1: Secure Hash Standard, Supersedes FIPS PUB 180 (May 11, 1995)"},{"key":"22_CR29","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"368","DOI":"10.1007\/3-540-48329-2_31","volume-title":"Advances in Cryptology - CRYPTO \u201993","author":"B. Preneel","year":"1994","unstructured":"Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: A synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol.\u00a0773, pp. 368\u2013378. Springer, Heidelberg (1994)"},{"key":"22_CR30","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"147","DOI":"10.1007\/978-3-540-76900-2_9","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2007","author":"T. Ristenpart","year":"2007","unstructured":"Ristenpart, T., Shrimpton, T.: How to Build a Hash Function from Any Collision-Resistant Function. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol.\u00a04833, pp. 147\u2013163. Springer, Heidelberg (2007)"},{"key":"22_CR31","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"220","DOI":"10.1007\/978-3-540-78967-3_13","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2008","author":"P. Rogaway","year":"2008","unstructured":"Rogaway, P., Steinberger, J.P.: Security\/Efficiency Tradeoffs for Permutation-Based Hashing. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol.\u00a04965, pp. 220\u2013236. Springer, Heidelberg (2008)"},{"key":"22_CR32","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"433","DOI":"10.1007\/978-3-540-85174-5_24","volume-title":"Advances in Cryptology \u2013 CRYPTO 2008","author":"P. Rogaway","year":"2008","unstructured":"Rogaway, P., Steinberger, J.P.: Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol.\u00a05157, pp. 433\u2013450. Springer, Heidelberg (2008)"},{"key":"22_CR33","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"643","DOI":"10.1007\/978-3-540-70583-3_52","volume-title":"Automata, Languages and Programming","author":"T. Shrimpton","year":"2008","unstructured":"Shrimpton, T., Stam, M.: Building a Collision-Resistant Compression Function from Non-compressing Primitives. In: Aceto, L., Damg\u00e5rd, I., Goldberg, L.A., Halld\u00f3rsson, M.M., Ing\u00f3lfsd\u00f3ttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol.\u00a05126, pp. 643\u2013654. Springer, Heidelberg (2008)"},{"key":"22_CR34","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"334","DOI":"10.1007\/BFb0054137","volume-title":"Advances in Cryptology - EUROCRYPT \u201998","author":"D.R. Simon","year":"1998","unstructured":"Simon, D.R.: Findings Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol.\u00a01403, pp. 334\u2013345. Springer, Heidelberg (1998)"},{"key":"22_CR35","unstructured":"Wang, L.: Personal correspondence (2009)"},{"key":"22_CR36","doi-asserted-by":"crossref","unstructured":"Yoneyama, K., Miyagawa, S., Ohta, K.: Leaky Random Oracle (Extended Abstract). In: Provable Security\u00a0\u2013 ProvSec 2008. LNCS, vol.\u00a05324, pp. 226\u2013240 (2008)","DOI":"10.1007\/978-3-540-88733-1_16"}],"container-title":["Lecture Notes in Computer Science","Advances in Cryptology - EUROCRYPT 2009"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-642-01001-9_22","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,5,19]],"date-time":"2019-05-19T09:11:36Z","timestamp":1558257096000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-642-01001-9_22"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2009]]},"ISBN":["9783642010002","9783642010019"],"references-count":36,"URL":"https:\/\/doi.org\/10.1007\/978-3-642-01001-9_22","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2009]]}}}