Results 1 
5 of
5
Herding hash functions and the Nostradamus attack
 of Lecture Notes in Computer Science
, 2006
"... Abstract. In this paper, we develop a new attack on Damg˚ardMerkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd ” any given starting part of a message to that ..."
Abstract

Cited by 25 (6 self)
 Add to MetaCart
Abstract. In this paper, we develop a new attack on Damg˚ardMerkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd ” any given starting part of a message to that hash value by the choice of an appropriate suffix. We focus on a property which hash functions should have–Chosen Target Forced Prefix (CTFP) preimage resistance–and show the distinction between Damg˚ardMerkle construction hashes and random oracles with respect to this property. We describe a number of ways that violation of this property can be used in arguably practical attacks on realworld applications of hash functions. An important lesson from these results is that hash functions susceptible to collisionfinding attacks, especially bruteforce collisionfinding attacks, cannot in general be used to prove knowledge of a secret value. 1
Second preimages on nbit hash functions for much less than 2^n work
"... We expand a previous result of Dean [Dea99] to provide a second preimage attack on all nbit iterated hash functions with DamgårdMerkle strengthening and nbit intermediate states, allowing a second preimage to be found for a 2 kmessageblock message with about k × 2 n/2+1 +2 n−k+1 work. Using RI ..."
Abstract

Cited by 15 (3 self)
 Add to MetaCart
We expand a previous result of Dean [Dea99] to provide a second preimage attack on all nbit iterated hash functions with DamgårdMerkle strengthening and nbit intermediate states, allowing a second preimage to be found for a 2 kmessageblock message with about k × 2 n/2+1 +2 n−k+1 work. Using RIPEMD160 as an example, our attack can find a second preimage for a 2^60 byte message in about 2^106 work, rather than the previously expected 2^160 work. We also provide slightly cheaper ways to find multicollisions than the method of Joux [Jou04]. Both of these results are based on expandable messages–patterns for producing messages of varying length, which all collide on the intermediate hash result immediately after processing the message. We provide an algorithm for finding expandable messages for any nbit hash function built using the DamgårdMerkle construction, which requires only a small multiple of the work done to find a single collision in the hash function.
Differential Attack on Message Authentication Codes
, 1994
"... We discuss the security of Message Authentication Code (MAC) schemes from the viewpoint of differential attack, and propose an attack that is effective against DESMAC and FEALMAC. The attack derives the secret authentication key in the chosen plaintext scenario. For example, DES(8round)MAC can b ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
We discuss the security of Message Authentication Code (MAC) schemes from the viewpoint of differential attack, and propose an attack that is effective against DESMAC and FEALMAC. The attack derives the secret authentication key in the chosen plaintext scenario. For example, DES(8round)MAC can be broken with 2 34 pairs of plain text, while FEAL8MAC can be broken with 2 22 pairs. The proposed attack is applicable to any MAC scheme, even if the 32bits are randomly selected from among the 64bits of ciphertext generated by a cryptosystem vulnerable to differential attack in the chosen plaintext scenario.
Attacks on Double Block Length Hash Functions
 in Fast Software Encryption
, 1993
"... Attacks on double block length hash functions using a block cipher are considered in this paper. We present a general freestart attack, in which the attacker is free to choose the initial value, and a real attack on a large class of hash functions. Recent results on the complexities of attacks on d ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
Attacks on double block length hash functions using a block cipher are considered in this paper. We present a general freestart attack, in which the attacker is free to choose the initial value, and a real attack on a large class of hash functions. Recent results on the complexities of attacks on double block hash functions are summarized. 1 Introduction A hash function is an easily implementable mapping from the set of all binary sequences of some specified minimum length or greater to the set of binary sequences of some fixed length. In cryptographic applications, hash functions are used within digital signature schemes and within schemes to provide data integrity (e.g., to detect modification of a message). An iterated hash function is a hash function Hash(\Delta) determined by an easily computable function h(\Delta; \Delta) from two binary sequences of respective lengths m and l to a binary sequence of length m in the manner that the message M = (M 1 ; M 2 ; :::; M n ), where M i...
Cryptographic Hash Functions: A Review
"... Cryptographic Hash functions are used to achieve a number of security objectives. In this paper, we bring out the importance of hash functions, its various structures, design techniques, attacks and the progressive recent development in this field. ..."
Abstract
 Add to MetaCart
Cryptographic Hash functions are used to achieve a number of security objectives. In this paper, we bring out the importance of hash functions, its various structures, design techniques, attacks and the progressive recent development in this field.