## Herding hash functions and the Nostradamus attack (2006)

### Download Links

- www.cs.washington.edu
- homes.cs.washington.edu
- www.iacr.org
- www.sysnet.ucsd.edu
- eprint.iacr.org
- DBLP

Venue: of Lecture Notes in Computer Science

Citations: 25 (6 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Kelsey06herdinghash,
  author    = {John Kelsey and Tadayoshi Kohno},
  title     = {Herding hash functions and the Nostradamus attack},
  booktitle = {of Lecture Notes in Computer Science},
  year      = {2006},
  pages     = {183--200},
  publisher = {Springer}
}
```

### Abstract

In this paper, we develop a new attack on Damgård-Merkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd” any given starting part of a message to that hash value by the choice of an appropriate suffix. We focus on a property which hash functions should have, Chosen Target Forced Prefix (CTFP) preimage resistance, and show the distinction between Damgård-Merkle construction hashes and random oracles with respect to this property. We describe a number of ways that violation of this property can be used in arguably practical attacks on real-world applications of hash functions. An important lesson from these results is that hash functions susceptible to collision-finding attacks, especially brute-force collision-finding attacks, cannot in general be used to prove knowledge of a secret value.
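To make the two-phase structure of the abstract concrete, here is an added toy illustration (not code from the paper): a 16-bit Merkle-Damgård hash over 4-byte blocks, a 2^k-leaf "diamond" of brute-force pairwise collisions whose root is published before any prefix is known, and a herding step that links an arbitrary prefix into one leaf and follows the stored path to the root. The compression function, IV, block format and the omission of length padding are all constructed simplifications; the point is that once collisions are cheap, the committed hash proves nothing about what was known at commitment time.

```python
import functools, hashlib
IV = 0x5A5A  # toy Merkle-Damgard hash (constructed): 16-bit chaining value, 4-byte blocks, no length padding

def compress(h: int, block: bytes) -> int:
    """Compression function f(h, m): SHA-256 of (chaining value || block), truncated to 16 bits."""
    return int.from_bytes(hashlib.sha256(h.to_bytes(2, "big") + block).digest()[:2], "big")

def toy_hash(blocks) -> int:
    return functools.reduce(compress, blocks, IV)

def collide_pair(h1: int, h2: int):
    """Birthday search for blocks (m1, m2) with f(h1, m1) == f(h2, m2); returns (m1, m2, value)."""
    t1, t2 = {}, {}
    for i in range(1 << 20):
        b = i.to_bytes(4, "big")
        v1, v2 = compress(h1, b), compress(h2, b)
        if v1 in t2:
            return b, t2[v1], v1
        if v2 in t1:
            return t1[v2], b, v2
        t1[v1], t2[v2] = b, b
    raise RuntimeError("no collision found")

def build_diamond(k: int):
    """Phase 1 (prefix unknown): merge 2^k arbitrary leaf states pairwise into one root H, the published 'prediction'."""
    leaves = [i * 4096 for i in range(1 << k)]           # distinct 16-bit chaining values
    suffix = {leaf: [] for leaf in leaves}                # blocks leading from each leaf to the root
    nodes = [(leaf, [leaf]) for leaf in leaves]           # (state, leaves beneath it)
    while len(nodes) > 1:
        merged = []
        for (ha, la), (hb, lb) in zip(nodes[0::2], nodes[1::2]):
            ma, mb, v = collide_pair(ha, hb)
            for leaf in la: suffix[leaf].append(ma)
            for leaf in lb: suffix[leaf].append(mb)
            merged.append((v, la + lb))
        nodes = merged
    return nodes[0][0], set(leaves), suffix

def herd(prefix_blocks, diamond):
    """Phase 2: link hash(P) into some leaf (about 2^(n-k) trials), then follow that leaf's stored path to the root."""
    _, leaves, suffix = diamond
    h = toy_hash(prefix_blocks)
    for i in range(1 << 24):
        link = i.to_bytes(4, "big")
        v = compress(h, link)
        if v in leaves:
            return [link] + suffix[v]
    raise RuntimeError("no linking block found")
```

Any two prefixes herd to the same committed root with a suffix of k+1 blocks, which is the CTFP preimage-resistance failure the abstract describes; with an n-bit state the cost is roughly 2^(n/2+k/2) for the diamond plus 2^(n-k) per herded prefix, so only collision-weak or short hashes are affected.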

### Citations

1334 | Random oracles are practical: A paradigm for designing efficient protocols - Bellare, Rogaway - 1993 |
Citation context: ...s attack, Nostradamus computes and outputs some string S. Nostradamus compromises the CTFP preimage resistance of the hash function if hash(P || S) = H. If we model the hash function as a random oracle [1], then unless Nostradamus is lucky and guesses P in the first phase of his attack, we would expect him to have to try $O(2^n)$ values for S in the second phase before finding one such that hash(P || S) = ...

288 | A Design Principle for Hash Functions - Damgård - 1989 |
Citation context: ...brute-force collision attacks [20]. We show that the natural intuition above is incorrect. Namely, we uncover (what we believe to be) subtle ways of exploiting the iterative property of Damgård-Merkle [6, 16] hash functions to extend certain classes of collision-finding attacks against the compression function to attack commitment schemes and other uses of hash functions that do not initially appear to be ...

215 | How to Break MD5 and Other Hash Functions - Wang, Yu - 2005 |
Citation context: ...lied in practice. By contrast, our herding attacks require quite short suffixes, and appear to be practical in many situations. Similarly, many recent cryptanalytic results on hash functions, such as [22, 23], require very careful control over the format of the messages to be attacked. This is not generally true of our herding attacks, though more efficient variants that make use of cryptanalytic results ...

175 | One way hash functions and DES - Merkle - 1990 |

168 | Finding collisions in the full SHA-1 - Wang, Yin, et al. - 2005 |
Citation context: ...lied in practice. By contrast, our herding attacks require quite short suffixes, and appear to be practical in many situations. Similarly, many recent cryptanalytic results on hash functions, such as [22, 23], require very careful control over the format of the messages to be attacked. This is not generally true of our herding attacks, though more efficient variants that make use of cryptanalytic results ...

146 | Parallel Collision Search with Cryptanalytic Applications - Oorschot, Wiener - 1999 |
Citation context: ... light of the many recent attacks on collision resistance of existing hash functions [2, 3, 13, 19, 21–24] and the widespread use of hash functions short enough to fall to brute-force collision attacks [20]. We show that the natural intuition above is incorrect. Namely, we uncover (what we believe to be) subtle ways of exploiting the iterative property of Damgård-Merkle [6, 16] hash functions to extend ...

93 | Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions - Joux - 2004 |
Citation context: ...ction attacks. 1.5 Related Work. The herding attack is closely related to the long message second preimage attacks in [8] and [12], and is ultimately built upon the multicollision-finding technique of [10]. Our technique for herding is related to the result of Lai and Massey [14] showing a meet-in-the-middle second preimage attack when pseudopreimages can be found cheaper than exhaustive search; in our...

74 | Merkle-Damgård revisited: How to construct a hash function - Coron, Dodis, et al. - 2005 |
Citation context: ...sion searches, and then do a meet-in-the-middle type attack to find a large set of possible second preimages on our own chosen message. Our results complement Coron, Dodis, Malinaud, and Puniya’s work [5], which does not present attacks like the ones we present, but which shows that iterative hash functions like MD5 and SHA1 are not random oracles, even when their compression functions are. Variants o...

62 | Near collisions of SHA-0 - Biham, Chen |
Citation context: ...ate hashes in the structure requires adding an additional $\lg(k) + 1$ message blocks for a $(\lg(k), k + \lg(k))$-expandable message, and decreases the work required to $2^{n-k-1} + 2^{n/2+k/2+2} + k \times 2^{n/2+1}$ (2), the $k \times 2^{n/2+1}$ term arising from the search for an expandable message [12]. The cheapest herding attack with a reasonably short suffix can be determined by setting the work done for constructing th...

53 | Hash functions based on block ciphers - Lai, Massey |
Citation context: ...e long message second preimage attacks in [8] and [12], and is ultimately built upon the multicollision-finding technique of [10]. Our technique for herding is related to the result of Lai and Massey [14] showing a meet-in-the-middle second preimage attack when pseudopreimages can be found cheaper than exhaustive search; in our attack, instead of finding pseudopreimages, we construct a message by repe...

51 | Efficient Collision Search Attacks on SHA-0 - Wang, Yu, et al. - 2005 |

48 | One Way Hash Functions and - Merkle - 1989 |
Citation context: ...brute-force collision attacks [20]. We show that the natural intuition above is incorrect. Namely, we uncover (what we believe to be) subtle ways of exploiting the iterative property of Damgård-Merkle [6, 16] hash functions to extend certain classes of collision-finding attacks against the compression function to attack commitment schemes and other uses of hash functions that do not initially appear to be ...

46 | Formal Aspects of Mobile Code Security - Dean - 1999 |
Citation context: ...lieve to be of independent interest, and which may be useful in many other hash function attacks. 1.5 Related Work. The herding attack is closely related to the long message second preimage attacks in [8] and [12], and is ultimately built upon the multicollision-finding technique of [10]. Our technique for herding is related to the result of Lai and Massey [14] showing a meet-in-the-middle second prei...

38 | Second Preimages on n-Bit Hash Functions for Much Less than $2^n$ Work - 2005 |
Citation context: ...Our techniques for carrying out herding attacks have much in common with the long message second preimage attacks of [12]. However, those attacks required implausibly long messages, and so probably could never be applied in practice. By contrast, our herding attacks require quite short suffixes, and appear to be practic...

29 | Finding MD5 Collisions on a Notebook PC Using Multi-message Modifications, Cryptology ePrint Archive, Report 2005/102 - Klima - 2005 |

28 | How to Swindle Rabin - Yuval - 1979 |
Citation context: ... other messages. Instead, she needs to produce a suffix which is at least somewhat meaningful or plausible. There are a number of tricks for doing this. Using Yuval’s Trick. Using Yuval’s clever trick [25], the attacker can prepare a basic long document appropriate to her intended deception, and produce many independent variation points in the document. This allows the use of meaningful-looking messages...

27 | Cryptanalysis of the Hash Functions MD4 and RIPEMD - Wang, Lai, et al. |

23 | Update on SHA-1 - Rijmen, Oswald - 2005 |

18 | Colliding X.509 Certificates, Cryptology ePrint Archive - Lenstra, Wang, et al. |

17 | Attacking Hash Functions by Poisoned Messages, “The Story of Alice and her Boss”, available at www.cits.rub.de/MD5Collisions - Daum, Lucks |
Citation context: ...e some clever attacks have gotten around this by using some bits of the two colliding messages to change the meaning of later parts of a message [7, 9], these attacks are easy to detect by looking at the underlying data. The herding attack may be used to “backdate” a collision. That is, the attacker sets up a collision today, and commits to its hash...

15 | Collisions of SHA-0 and Reduced SHA-1 - Biham, Chen, et al. |

9 | A Note on the Practical Value of Single Hash Collisions for Special File Formats, Sicherheit 2006 - Gebhardt, Illies, et al. |
Citation context: ...e some clever attacks have gotten around this by using some bits of the two colliding messages to change the meaning of later parts of a message [7, 9], these attacks are easy to detect by looking at the underlying data. The herding attack may be used to “backdate” a collision. That is, the attacker sets up a collision today, and commits to its hash...

7 | Confirmation that some Hash Functions are not Collision Free - Miyaguchi, Ohta, et al. - 1990 |
Citation context: ...the message next, without reference to previous choices. Further, any message can be “herded” to this set of fixed points with about $2^{n-k}$ work and k appended blocks. For completeness, we recall that [17] show how to find single-block fixed points in Davies-Meyer constructions and [12] show how to find single-block fixed points in Snefru. 7 Conclusions. In this paper, we have defined a property of a ha...

5 | MD5 To Be Considered Harmful Someday, Cryptology ePrint Archive - Kaminsky - 2004 |

1 | Hash functions based on block ciphers - Brown, Johnson - 2001 |
Citation context: ...t a previous use of the same idea: In one of three independent proofs of the security of Pintsov-Vanstone signatures, the same property with a different name, “target value resistance,” was used. See [4], in which it was conjectured that SHA1 had this property; our result shows that it does not if one can find collisions starting from two arbitrary IVs. ... then selects some prefix P and supplies it to N...