EUROCRYPT 2006: Advances in Cryptology - EUROCRYPT 2006 pp 183-200

Herding Hash Functions and the Nostradamus Attack

  • John Kelsey
  • Tadayoshi Kohno
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4004)


In this paper, we develop a new attack on Damgård-Merkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later “herd” any given starting part of a message to that hash value by the choice of an appropriate suffix. We focus on a property that hash functions should have, Chosen Target Forced Prefix (CTFP) preimage resistance, and show the distinction between Damgård-Merkle construction hashes and random oracles with respect to this property. We describe a number of ways that violation of this property can be used in arguably practical attacks on real-world applications of hash functions. An important lesson from these results is that hash functions susceptible to collision-finding attacks, especially brute-force collision-finding attacks, cannot in general be used to prove knowledge of a secret value.
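The two-phase attack sketched in the abstract, as an added worked example that is not from the paper or its authors: a toy Merkle-Damgård hash with a 16-bit chaining value (a constructed stand-in built from truncated SHA-256, not a real hash function), the paper's diamond structure of 2^k precomputed collisions that lets the attacker commit to a digest first, and the later search for a linking block that herds an arbitrary prefix into that structure. Because the toy hash uses MD strengthening (a final length block), the attacker also fixes the total message length when committing and pads the forced prefix with filler, as the paper does. All names, parameters (N_BITS, BLOCK_LEN, IV, k, the committed length) and the sample "prediction" prefixes are assumptions chosen for this demonstration.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

# Toy Merkle-Damgard hash (constructed stand-in, NOT a real hash function).
N_BITS = 16          # chaining-value width; small so the whole attack runs in seconds
BLOCK_LEN = 4        # message block size in bytes
IV = 0x1234          # arbitrary fixed initial chaining value
MASK = (1 << N_BITS) - 1

def compress(h: int, block: bytes) -> int:
    """Compression function: SHA-256 of (chaining value || block), truncated to N_BITS."""
    assert len(block) == BLOCK_LEN
    d = hashlib.sha256(h.to_bytes(4, "big") + block).digest()
    return int.from_bytes(d[:4], "big") & MASK

def to_blocks(data: bytes) -> list[bytes]:
    """Zero-pad to a whole number of blocks and split."""
    data += b"\x00" * (-len(data) % BLOCK_LEN)
    return [data[i:i + BLOCK_LEN] for i in range(0, len(data), BLOCK_LEN)]

def block_from_int(i: int) -> bytes:
    return i.to_bytes(BLOCK_LEN, "big")

def toy_md_hash(blocks: list[bytes]) -> int:
    """Iterate compress over the blocks, then over a final length block (MD strengthening)."""
    h = IV
    for b in blocks:
        h = compress(h, b)
    return compress(h, block_from_int(len(blocks)))

def find_pair_collision(h_a: int, h_b: int) -> tuple[bytes, bytes, int]:
    """Birthday search for blocks m_a, m_b with compress(h_a, m_a) == compress(h_b, m_b)."""
    budget = 1 << (N_BITS // 2 + 3)   # ~8 * 2^(n/2) candidates per side; failure odds ~e^-64
    table = {compress(h_a, block_from_int(i)): block_from_int(i) for i in range(budget)}
    for j in range(budget, 2 * budget):
        m_b = block_from_int(j)
        h = compress(h_b, m_b)
        if h in table:
            return table[h], m_b, h
    raise RuntimeError("no collision within budget")

@dataclass
class Diamond:
    k: int
    leaves: list[int]
    edges: dict[tuple[int, int], tuple[bytes, int]]  # (level, chaining value) -> (block, next value)
    root: int

def build_diamond(k: int) -> Diamond:
    """Precompute a 2^k-leaf diamond structure: a tree of collisions that merges into one root."""
    level: list[int] = []
    i = 0
    while len(level) < (1 << k):            # 2^k distinct starting chaining values
        v = compress(IV, block_from_int(0xD1A00000 + i))
        i += 1
        if v not in level:
            level.append(v)
    leaves = list(level)
    edges: dict[tuple[int, int], tuple[bytes, int]] = {}
    for lvl in range(k):                    # each level halves the number of live chaining values
        nxt = []
        for a, b in zip(level[0::2], level[1::2]):
            m_a, m_b, h = find_pair_collision(a, b)
            edges[(lvl, a)] = (m_a, h)
            edges[(lvl, b)] = (m_b, h)
            nxt.append(h)
        level = nxt
    return Diamond(k, leaves, edges, level[0])

def commit(k: int, total_len: int) -> tuple[int, Diamond]:
    """Phase 1: publish a digest before knowing the prefix; the total block count is fixed now."""
    d = build_diamond(k)
    return compress(d.root, block_from_int(total_len)), d

def herd(prefix: list[bytes], d: Diamond, total_len: int) -> list[bytes]:
    """Phase 2: given any prefix, choose a suffix so the whole message hashes to the commitment."""
    filler = total_len - d.k - 1 - len(prefix)
    if filler < 0:
        raise ValueError("prefix too long for the committed length")
    msg = list(prefix) + [block_from_int(0)] * filler   # any filler works; it only fixes the length
    h = IV
    for b in msg:
        h = compress(h, b)
    leaf_set = set(d.leaves)
    for i in range(1 << 24):                 # linking block: ~2^(n-k) trials expected
        m = block_from_int(0x4C4E0000 + i)
        if compress(h, m) in leaf_set:
            break
    else:
        raise RuntimeError("no linking block within budget")
    msg.append(m)
    h = compress(h, m)
    for lvl in range(d.k):                   # walk the diamond from the hit leaf up to the root
        m, h = d.edges[(lvl, h)]
        msg.append(m)
    assert h == d.root
    return msg

def herding_demo() -> tuple[int, list[list[bytes]]]:
    """Commit once, then herd two contradictory 'predictions' (constructed samples) to that digest."""
    digest, d = commit(k=4, total_len=16)
    texts = (b"Final score: Reds 3, Blues 1", b"Final score: Blues 2, Reds 0")
    return digest, [herd(to_blocks(t), d, 16) for t in texts]

if __name__ == "__main__":
    digest, msgs = herding_demo()
    print("committed:", hex(digest))
    for m in msgs:
        print(hex(toy_md_hash(m)), b"".join(m)[:28])
```

With n = 16 and k = 4 the run costs a few tens of thousands of compression calls: roughly 2^(n/2 + k/2 + 2) for the diamond and 2^(n - k) for the linking block, which is the scaling the paper gives. The point to take away is that neither phase ever needs a preimage; everything is collision search, so the attack is exactly as hard as brute-force collision finding on the underlying hash, not as hard as preimage finding. Against a real n-bit Damgård-Merkle hash the same code, with larger budgets, would do the same thing.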

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • John Kelsey, National Institute of Standards and Technology
  • Tadayoshi Kohno, CSE Department, UC San Diego
