Herding, Second Preimage and Trojan Message Attacks beyond Merkle-Damgård

  • Elena Andreeva
  • Charles Bouillaguet
  • Orr Dunkelman
  • John Kelsey
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5867)


In this paper we present new attack techniques to analyze the structure of hash functions that are not based on the classical Merkle-Damgård construction. We extend the herding attack to concatenated hashes, and to certain hash functions that process each message block several times. Using this technique, we show a second preimage attack on the folklore “hash-twice” construction which process two concatenated copies of the message. We follow with showing how to apply the herding attack to tree hashes. Finally, we present a new type of attack — the trojan message attack, which allows for producing second preimages of unknown messages (from a small known space) when they are appended with a fixed suffix.


Herding attack Second preimage attack Trojan message attack Zipper hash Concatenated hash Tree hash 


  1. 1.
    Andreeva, E., Bouillaguet, C., Fouque, P.A., Hoch, J.J., Kelsey, J., Shamir, A., Zimmer, S.: Second Preimage Attacks on Dithered Hash Functions. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 270–288. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  2. 2.
    Bellare, M., Rogaway, P.: Collision-Resistant Hashing: Towards Making UOWHFs Practical. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 470–484. Springer, Heidelberg (1997)Google Scholar
  3. 3.
    Biryukov, A., Mukhopadhyay, S., Sarkar, P.: Improved time-memory trade-offs with multiple data. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 110–127. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  5. 5.
    Coppersmith, D.: Another birthday attack. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 14–17. Springer, Heidelberg (1986)Google Scholar
  6. 6.
    Dean, R.D.: Formal Aspects of Mobile Code Security. PhD thesis, Princeton University (January 1999)Google Scholar
  7. 7.
    Hoch, J.J., Shamir, A.: Breaking the ice - finding multicollisions in iterated concatenated and expanded (ice) hash functions. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 179–194. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  8. 8.
    Joux, A.: Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004)Google Scholar
  9. 9.
    Kelsey, J., Kohno, T.: Herding Hash Functions and the Nostradamus Attack. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 183–200. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  10. 10.
    Kelsey, J., Schneier, B.: Second Preimages on n-Bit Hash Functions for Much Less than 2n Work. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 474–490. Springer, Heidelberg (2005)Google Scholar
  11. 11.
    Liskov, M.: Constructing an Ideal Hash Function from Weak Ideal Compression Functions. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 358–375. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  12. 12.
    Merkle, R.C.: One Way Hash Functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)Google Scholar
  13. 13.
    Nandi, M., Stinson, D.R.: Multicollision attacks on some generalized sequential hash functions. IEEE Transactions on Information Theory 53(2), 759–767 (2007)CrossRefMathSciNetGoogle Scholar
  14. 14.
    Rivest, R.L.: The MD5 message-digest algorithm. RFC1321 (April 1992)Google Scholar
  15. 15.
    Rivest, R.L., Agre, B., Bailey, D.V., Crutchfield, C., Dodis, Y., Fleming, K.E., Khan, A., Krishnamurthy, J., Lin, Y., Reyzin, L., Shen, E., Sukha, J., Sutherland, D., Tromer, E., Yin, Y.L.: The md6 hash function, a proposal to nist for sha-3 (2008)Google Scholar
  16. 16.
    Sarkar, P.: Construction of universal one-way hash functions: Tree hashing revisited. Discrete Applied Mathematics 155(16), 2174–2180 (2007)zbMATHCrossRefMathSciNetGoogle Scholar
  17. 17.
    Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., de Weger, B.: Short chosen-prefix collisions for md5 and the creation of a rogue ca certificate. Cryptology ePrint Archive, Report 2009/111 (2009),

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Elena Andreeva
    • 1
  • Charles Bouillaguet
    • 2
  • Orr Dunkelman
    • 2
  • John Kelsey
    • 3
  1. 1.ESAT/SCD — COSIC, Dept. of Electrical EngineeringKatholieke Universiteit Leuven and IBBT 
  2. 2.Ecole Normale Supérieure 
  3. 3.National Institute of Standards and Technology 

Personalised recommendations