Herding Hash Functions and the Nostradamus Attack–DRAFT
نویسندگان
چکیده
In this paper, we develop a new attack on Damg̊ard-Merkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd” any given starting part of a message to that hash value by the choice of an appropriate suffix. We introduce a new property which hash functions should have–Chosen Target Forced Prefix (CTFP) preimage resistance–and show the distinction between Damg̊ard-Merkle construction hashes and random oracles with respect to this property. We describe a number of ways that violation of this property can be used in arguably practical attacks on real-world applications of hash functions. An important lesson from these results is that hash functions susceptible to collision-finding attacks, especially brute-force collision-finding attacks, cannot be used to prove knowledge of a secret value.
منابع مشابه
Herding Hash Functions and the Nostradamus Attack
In this paper, we develop a new attack on Damg̊ard-Merkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd” any given starting part of a message to that hash value by the choice of an appropriate suffix. We introduce a new property which hash functions should h...
متن کاملGeneralizing the Herding Attack to Concatenated Hashing Schemes⋆
In this paper we extend the herding attacks for concatenated hash functions, i.e., hash functions of the form h(x) = h1(x)||h2(x). Our results actually apply a much larger set of hash functions. We show that even when the compression function of h(·) can be written as two (or more) data paths, where one data path is not affected by the second (while the second may depend on the first), then the...
متن کاملProvable Chosen-Target-Forced-Midfix Preimage Resistance
This paper deals with definitional aspects of the herding attack of Kelsey and Kohno, and investigates the provable security of several hash functions against herding attacks. Firstly, we define the notion of chosen-target-forced-midfix (CTFM) as a generalization of the classical herding (chosen-target-forced-prefix) attack to the cases where the challenge message is not only a prefix but may a...
متن کاملHerding, Second Preimage and Trojan Message Attacks beyond Merkle-Damgård
In this paper we present new attack techniques to analyze the structure of hash functions that are not based on the classical Merkle Damg̊ard construction. We extend the herding attack to concatenated hashes, and to certain hash functions that process each message block several times. Using this technique, we show a second preimage attack on the folklore “hash-twice” construction which process ...
متن کاملSome Cryptanalytic Results on Zipper Hash and Concatenated Hash
At SAC 2006, Liskov proposed the zipper hash, a technique for constructing secure (indifferentiable from random oracles) hash functions based on weak (invertible) compression functions. Zipper hash is a two pass scheme, which makes it unfit for practical consideration. But, from the theoretical point of view it seemed to be secure, as it had resisted standard attacks for long. Recently, Andreev...
متن کامل