Matching and covering the vertices of a random graph by copies of a given graph
Discrete Mathematics
Perfect matchings in random s-uniform hypergraphs
Random Structures & Algorithms
A Design Principle for Hash Functions
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
One Way Hash Functions and DES
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
Formal aspects of mobile code security
Formal aspects of mobile code security
Triangle Factors in Random Graphs
Combinatorics, Probability and Computing
Random Structures & Algorithms
Herding, Second Preimage and Trojan Message Attacks beyond Merkle-Damgård
Selected Areas in Cryptography
On hash functions using checksums
International Journal of Information Security
Seven-property-preserving iterated hashing: ROX
ASIACRYPT'07 Proceedings of the Advances in Cryptology 13th international conference on Theory and application of cryptology and information security
Linear-XOR and additive checksums don't protect Damgård-Merkle hashes from generic attacks
CT-RSA'08 Proceedings of the 2008 The Cryptographers' Track at the RSA conference on Topics in cryptology
Merkle-Damgård revisited: how to construct a hash function
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Second preimages on n-bit hash functions for much less than $2^n$ work
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Herding hash functions and the nostradamus attack
EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
Provable chosen-target-forced-midfix preimage resistance
SAC'11 Proceedings of the 18th international conference on Selected Areas in Cryptography
On the complexity of the herding attack and some related attacks on hash functions
Designs, Codes and Cryptography
Chosen-target-forced-prefix (CTFP) preimage resistance is a hash function security property guaranteeing the inability of an attacker to commit to a hash function outcome h without knowing the prefix of the message to be hashed in advance. At EUROCRYPT 2006, Kelsey and Kohno described the herding attack against the Merkle-Damgård design that results in a CTFP-preimage of length about $n/3$ blocks in approximately $n \cdot 2^{2n/3}$ compression function calls. Using an additional parameter @?, the attack can be sped up at the cost of exponentially large preimages (the elongated herding attack). In this work, we re-investigate speed vs. message length tradeoffs for the herding attack. Using a third parameter d, we introduce the generalized elongated multidimensional herding attack. The parameters @? and d allow for full control over the efficiency of the attack versus the length of the preimages: increasing @? results in faster attacks with longer messages, while increasing d results in shorter messages with higher attack complexity. Using advanced methods in graph theory, we analyze the complexity of the generalized attack, and we describe several variants for different values of @? and d. At the extreme, a CTFP-preimage of $2^{n/2}$ blocks can be found in $n \cdot 2^{n/2}$ queries. One can find a CTFP-preimage of length about $n/8$ blocks in $n3 \cdot 2^{3n/4}$ work.