In this paper, we develop a new attack on Damgård-Merkle hash functions, called the herding attack, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later "herd" any given starting part of a message to that hash value by the choice of an appropriate suffix. We focus on a property which hash functions should have-Chosen Target Forced Prefix (CTFP) preimage resistance-and show the distinction between Damgard-Merkle construction hashes and random oracles with respect to this property. We describe a number of ways that violation of this property can be used in arguably practical attacks on real-world applications of hash functions. An important lesson from these results is that hash functions susceptible to collision-finding attacks, especially brute-force collision-finding attacks, cannot in general be used to prove knowledge of a secret value. © International Association for Cryptologic Research 2006.
CITATION STYLE
Kelsey, J., & Kohno, T. (2006). Herding hash functions and the nostradamus attack. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 4004 LNCS, pp. 183–200). Springer Verlag. https://doi.org/10.1007/11761679_12
Mendeley helps you to discover research relevant for your work.