Provable Chosen-Target-Forced-Midfix Preimage Resistance
نویسندگان
چکیده
This paper deals with definitional aspects of the herding attack of Kelsey and Kohno, and investigates the provable security of several hash functions against herding attacks. Firstly, we define the notion of chosen-target-forced-midfix (CTFM) as a generalization of the classical herding (chosen-target-forced-prefix) attack to the cases where the challenge message is not only a prefix but may appear at any place in the preimage. Additionally, we identify four variants of the CTFM notion in the setting where salts are explicit input parameters to the hash function. Our results show that including salts without weakening the compression function does not add up to the CTFM security of the hash function. Our second and main technical result is a proof of CTFM security of the classical Merkle-Damg̊ard construction. The proof demonstrates in the ideal model that the herding attack of Kelsey and Kohno is optimal (asymptotically) and no attack with lower complexity exists. Our security analysis applies to a wide class of narrow-pipe Merkle-Damg̊ard based iterative hash functions, including enveloped Merkle-Damg̊ard, MerkleDamg̊ard with permutation, HAIFA, zipper hash and hash-twice hash functions. To our knowledge, this is the first positive result in this field. Finally, having excluded salts from the possible tool set for improving narrow-pipe designs’ CTFM resistance, we resort to various message modification techniques. Our findings, however, result in the negative and we demonstrate CTFM attacks with complexity of the same order as the Merkle-Damg̊ard herding attack on a broad class of narrow-pipe schemes with specific message modifications.
منابع مشابه
The Symbiosis between Collision and Preimage Resistance
We revisit the definitions of preimage resistance, focussing on the question of finding a definition that is simple enough to prove security against, yet flexible enough to be of use for most applications. We show that—counter to what was previously thought—Rogaway and Shrimpton’s notion of everywhere preimage resistance on its own does not fit this bill. We thus set out to fix the situation. O...
متن کاملOn the collision and preimage security of MDC-4 in the ideal cipher model
We present a collision and preimage security analysis of MDC-4, a 24 years old construction for transforming an n-bit block cipher into a 2n-bit hash function. We start with MDC-4 based on one single block cipher, and prove that any adversary with query access to the underlying block cipher requires at least 2 queries (asymptotically) to find a collision. For the preimage resistance, we present...
متن کاملCryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance
We consider basic notions of security for cryptographic hash functions: collision resistance,preimage resistance, and second-preimage resistance. We give seven different definitions thatcorrespond to these three underlying ideas, and then we work out all of the implications andseparations among these seven definitions within the concrete-security, provable-security frame-wor...
متن کاملDigital Signatures Out of Second-Preimage Resistant Hash Functions
We propose a new construction for Merkle authentication trees which does not require collision resistant hash functions; in contrast with previous constructions that attempted to avoid the dependency on collision resistance, our technique enjoys provable security assuming the well-understood notion of second-preimage resistance. The resulting signature scheme is existentially unforgeable when t...
متن کاملProvable Second Preimage Resistance Revisited
Most cryptographic hash functions are iterated constructions, in which a mode of operation specifies how a compression function or a fixed permutation is applied. The Merkle-Damg̊ard mode of operation is the simplest and more widely deployed mode of operation, yet it suffers from generic second preimage attacks, even when the compression
متن کامل