Herding hash functions and the Nostradamus attack

Herding hash functions and the Nostradamus attack (2006)

Cached

Download Links

[www.cs.washington.edu]
[eprint.iacr.org]

Other Repositories/Bibliography

DBLP

by John Kelsey , Tadayoshi Kohno

Venue:	of Lecture Notes in Computer Science
Citations:	16 - 7 self

BibTeX

@INPROCEEDINGS{Kelsey06herdinghash,
    author = {John Kelsey and Tadayoshi Kohno},
    title = {Herding hash functions and the Nostradamus attack},
    booktitle = {of Lecture Notes in Computer Science},
    year = {2006},
    pages = {183--200},
    publisher = {Springer}
}

Years of Citing Articles

Bookmark

OpenURL

Abstract

Abstract. In this paper, we develop a new attack on Damg˚ard-Merkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd ” any given starting part of a message to that hash value by the choice of an appropriate suffix. We focus on a property which hash functions should have–Chosen Target Forced Prefix (CTFP) preimage resistance–and show the distinction between Damg˚ard-Merkle construction hashes and random oracles with respect to this property. We describe a number of ways that violation of this property can be used in arguably practical attacks on real-world applications of hash functions. An important lesson from these results is that hash functions susceptible to collision-finding attacks, especially brute-force collision-finding attacks, cannot in general be used to prove knowledge of a secret value. 1

Citations

1130	Random oracles are practical: A paradigm for designing efficient protocols - Bellare, Rogaway - 1993
231	A design principle for hash functions - Damgård - 1989
150	How to break MD5 and other hash functions - Wang, Yu - 2005
138	One way hash functions and DES - Merkle
124	Parallel collision search with cryptanalytic applications - Oorschot, Wiener - 1999
123	H.: Finding collisions in the full SHA-1 - Wang, Yin, et al. - 2005
73	Multicollisions in Iterated Hash Functions: Application to Cascaded Constructions - Joux
51	Merkle-Damgård Revisited: How to Construct a Hash Function - Coron, Dodis, et al. - 2005
49	Near-Collisions of SHA-0 - Biham, Chen - 2004
45	Efficient Collision Search Attacks on SHA-0 - Wang, Yin, et al. - 2005
41	One way hash functions and - Merkle - 1990
37	Formal Aspects of Mobile Code Security - Dean - 1999
33	Hash function based on block ciphers - Lai, Massey - 1993
29	Finding MD5 Collisions on a Notebook PC Using Multi-message Modifications - Klima - 2005
27	Preimages on n-Bit Hash Functions for Much Less than 2 n Work - Second
26	How to swindle Rabin - Yuval - 1979
22	Cryptanalysis of the hash functions MD4 and RIPEMD - Wang, Lai, et al. - 2005
21	Update on SHA-1 - Rijmen, Oswald
17	Colliding X.509 certificates, Cryptology ePrint Archive - Lenstra, Wang, et al.
12	Attacking hash functions by poisoned messages: The Story of Alice and her boss - Daum, Lucks - 2005
12	Collisions of SHA-0 and reduced SHA-1 - Biham, Chen, et al.
10	A Note on the Practical Value of Single Hash Collisions for Special File Formats - Gebhardt, Illies, et al. - 2005
6	Confirmation that Some Hash Functions Are Not Collision Free - Miyaguchi, Ohta, et al. - 1990
5	MD5 To Be Considered Harmful Someday, Cryptology ePrint Archive - Kaminsky - 2004
1	Hash functions based on block ciphers - Brown, Johnson - 2001