Herding, Second Preimage and Trojan Message Attacks beyond Merkle-Damgård
نویسندگان
چکیده
In this paper we present new attack techniques to analyze the structure of hash functions that are not based on the classical Merkle Damg̊ard construction. We extend the herding attack to concatenated hashes, and to certain hash functions that process each message block several times. Using this technique, we show a second preimage attack on the folklore “hash-twice” construction which process two concatenated copies of the message. We follow with showing how to apply the herding attack to tree hashes. Finally, we present a new type of attack — the trojan message attack, which allows for producing second preimages of unknown messages (from a small known space) when they are appended with a fixed suffix.
منابع مشابه
On Diamond Structures and Trojan Message Attacks
The first part of this paper considers the diamond structures which were first introduced and applied in the herding attack by Kelsey and Kohno [7]. We present a new method for the construction of a diamond structure with 2 chaining values the message complexity of which is O(2 n+d 2 ) . Here n is the length of the compression function used. The aforementioned complexity was (with intuitive rea...
متن کاملProvable Chosen-Target-Forced-Midfix Preimage Resistance
This paper deals with definitional aspects of the herding attack of Kelsey and Kohno, and investigates the provable security of several hash functions against herding attacks. Firstly, we define the notion of chosen-target-forced-midfix (CTFM) as a generalization of the classical herding (chosen-target-forced-prefix) attack to the cases where the challenge message is not only a prefix but may a...
متن کاملOn iteration-based security flaws in modern hash functions
The design principles proposed independently by both Ralph Merkle and Ivan Damgård in 1989 are applied widely in hash functions that are used in practice. The construction reads the message in one message block at a time and applies iteratively a compression function that, given a single message block and a hash value, outputs a new hash value. This iterative structure has some security weaknes...
متن کاملSecond Preimage Attacks on Dithered Hash Functions
The goal of this paper is to analyze the security of dithered variants of the Merkle-Damgård mode of operation that use a third input to indicate the position of a block in the message to be hashed. These modes of operation for hash functions have been proposed to avoid some structural weaknesses of the Merkle-Damgard paradigm, e.g. that second preimages can be constructed in much less than 2 w...
متن کاملIncreasing the flexibility of the herding attack
Chosen-target-forced-prefix (CTFP) preimage resistance is a hash function security property guaranteeing the inability of an attacker to commit to a hash function outcome h without knowing the prefix of the message to be hashed in advance. At EUROCRYPT 2006, Kelsey and Kohno described the herding attack against the Merkle-Damg̊ard design that results in a CTFP-preimage of length about n/3 blocks...
متن کامل