Glossary
Merkle–Damgård Construction
The Merkle–Damgård construction builds a hash from a compression function by chaining fixed-size message blocks — the basis of MD5, SHA-1, and SHA-2.
The Merkle–Damgård construction is the classic recipe for turning a fixed-size compression function into a hash that accepts inputs of any length. It underlies MD5, SHA-1, and the SHA-2 family.
How it works:
- Pad the message and append its length (Merkle–Damgård strengthening), then split it into fixed-size blocks.
- Start from a fixed initialization vector (IV).
- For each block, feed the current chaining value and the block into the compression function; its output becomes the new chaining value.
- The final chaining value is the digest.
Its main weakness is the length-extension attack: knowing H(m) lets an attacker compute H(m ‖ padding ‖ extra) without knowing m. That is why you should never build a MAC as H(key ‖ message) — use HMAC instead — and why the sponge construction behind SHA-3 was designed to avoid the problem.
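The steps and the weakness above, as an added example that is not part of the original page. It builds a toy Merkle–Damgård hash and checks that an `H(key ‖ message)` tag can be extended without the key, while the HMAC structure over the same hash rejects the extended tag. Assumptions: the compression function (SHA-256 over state plus block), the all-zero IV, and the key and message values are constructed for illustration, and the key is assumed to be no longer than one block.

```python
import hashlib, hmac, struct

BLOCK = 64          # block size in bytes
IV = bytes(32)      # fixed initialization vector (constructed toy value)

def compress(chaining: bytes, block: bytes) -> bytes:
    # Toy compression function: 32-byte chaining value + 64-byte block -> 32 bytes.
    return hashlib.sha256(chaining + block).digest()

def md_pad(total_len: int) -> bytes:
    # 0x80, zero fill, then the 8-byte bit length (Merkle-Damgard strengthening).
    zeros = (-(total_len + 9)) % BLOCK
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", total_len * 8)

def md_hash(msg: bytes, state: bytes = IV, prior_len: int = 0) -> bytes:
    # prior_len = bytes already absorbed into `state` (0 for a normal hash).
    data = msg + md_pad(prior_len + len(msg))
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state    # the final chaining value is the digest

def naive_mac(key: bytes, msg: bytes) -> bytes:
    # The construction the page warns against: H(key || message).
    return md_hash(key + msg)

def toy_hmac(key: bytes, msg: bytes) -> bytes:
    # HMAC structure over the toy hash; key assumed <= BLOCK bytes.
    k = key.ljust(BLOCK, b"\x00")
    inner = md_hash(bytes(b ^ 0x36 for b in k) + msg)
    return md_hash(bytes(b ^ 0x5C for b in k) + inner)

def extend(tag: bytes, hashed_len: int, extra: bytes):
    # Uses only the tag and the length of the hashed input, never the key:
    # the digest is the chaining value, so hashing can resume from it.
    glue = md_pad(hashed_len)
    return glue, md_hash(extra, state=tag, prior_len=hashed_len + len(glue))

def demo():
    key, msg, extra = b"constructed-key!", b"user=alice", b"&extra=1"
    glue, t1 = extend(naive_mac(key, msg), len(key) + len(msg), extra)
    naive_accepts = hmac.compare_digest(t1, naive_mac(key, msg + glue + extra))
    glue, t2 = extend(toy_hmac(key, msg), BLOCK + len(msg), extra)
    hmac_accepts = hmac.compare_digest(t2, toy_hmac(key, msg + glue + extra))
    return naive_accepts, hmac_accepts

if __name__ == "__main__":
    print(demo())
```

The first result shows that a verifier using `H(key ‖ message)` accepts a tag it never issued; the second shows the same extended tag failing under HMAC, because the outer hash hides the inner chaining value.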
See how cryptographic hashing works for the broader context.