Herding hash functions and the Nostradamus attack
- of Lecture Notes in Computer Science
, 2006
Cited by 16 (7 self)
Abstract. In this paper, we develop a new attack on Damgård-Merkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd” any given starting part of a message to that hash value by the choice of an appropriate suffix. We focus on a property which hash functions should have–Chosen Target Forced Prefix (CTFP) preimage resistance–and show the distinction between Damgård-Merkle construction hashes and random oracles with respect to this property. We describe a number of ways that violation of this property can be used in arguably practical attacks on real-world applications of hash functions. An important lesson from these results is that hash functions susceptible to collision-finding attacks, especially brute-force collision-finding attacks, cannot in general be used to prove knowledge of a secret value.
Second preimages on n-bit hash functions for much less than 2^n work
Cited by 11 (2 self)
We expand a previous result of Dean [Dea99] to provide a second preimage attack on all n-bit iterated hash functions with Damgård-Merkle strengthening and n-bit intermediate states, allowing a second preimage to be found for a 2^k-message-block message with about k × 2^(n/2+1) + 2^(n−k+1) work. Using RIPEMD-160 as an example, our attack can find a second preimage for a 2^60 byte message in about 2^106 work, rather than the previously expected 2^160 work. We also provide slightly cheaper ways to find multicollisions than the method of Joux [Jou04]. Both of these results are based on expandable messages–patterns for producing messages of varying length, which all collide on the intermediate hash result immediately after processing the message. We provide an algorithm for finding expandable messages for any n-bit hash function built using the Damgård-Merkle construction, which requires only a small multiple of the work done to find a single collision in the hash function.
Differential Attack on Message Authentication Codes
, 1994
Cited by 4 (0 self)
We discuss the security of Message Authentication Code (MAC) schemes from the viewpoint of differential attack, and propose an attack that is effective against DES-MAC and FEAL-MAC. The attack derives the secret authentication key in the chosen plaintext scenario. For example, DES(8-round)-MAC can be broken with 2^34 pairs of plain text, while FEAL8-MAC can be broken with 2^22 pairs. The proposed attack is applicable to any MAC scheme, even if the 32-bits are randomly selected from among the 64-bits of ciphertext generated by a cryptosystem vulnerable to differential attack in the chosen plaintext scenario.
Attacks on Double Block Length Hash Functions
- in Fast Software Encryption
, 1993
Cited by 2 (1 self)
Attacks on double block length hash functions using a block cipher are considered in this paper. We present a general free-start attack, in which the attacker is free to choose the initial value, and a real attack on a large class of hash functions. Recent results on the complexities of attacks on double block hash functions are summarized.
1 Introduction
A hash function is an easily implementable mapping from the set of all binary sequences of some specified minimum length or greater to the set of binary sequences of some fixed length. In cryptographic applications, hash functions are used within digital signature schemes and within schemes to provide data integrity (e.g., to detect modification of a message). An iterated hash function is a hash function Hash(·) determined by an easily computable function h(·, ·) from two binary sequences of respective lengths m and l to a binary sequence of length m in the manner that the message M = (M_1, M_2, ..., M_n), where M_i...

