increasing the flexibility of the herding attack

8
Information Processing Letters 112 (2012) 98–105 Contents lists available at SciVerse ScienceDirect Information Processing Letters www.elsevier.com/locate/ipl Increasing the flexibility of the herding attack Bart Mennink Katholieke Universiteit Leuven, ESAT/COSIC and IBBT, Kasteelpark Arenberg 10, 3001 Leuven, Belgium article info abstract Article history: Received 20 July 2011 Received in revised form 17 October 2011 Accepted 18 October 2011 Available online 20 October 2011 Communicated by D. Pointcheval Keywords: Cryptography Hash functions Chosen-target-forced-prefix Generalized herding attack Hypergraphs Chosen-target-forced-prefix (CTFP) preimage resistance is a hash function security property guaranteeing the inability of an attacker to commit to a hash function outcome h without knowing the prefix of the message to be hashed in advance. At EUROCRYPT 2006, Kelsey and Kohno described the herding attack against the Merkle–Damgård design that results in a CTFP-preimage of length about n/3 blocks in approximately n · 2 2n/3 compression function calls. Using an additional parameter , the attack can be sped-up at the cost of exponentially large preimages (the elongated herding attack). In this work, we re- investigate speed vs. message length tradeoffs for the herding attack. Using a third parameter d, we introduce the generalized elongated multidimensional herding attack. The parameters and d allow for full control over the efficiency of the attack versus the length of the preimages: increasing results in faster attacks with longer messages, while increasing d results in shorter messages with higher attack complexity. Using advanced methods in graph theory we analyze the complexity of the generalized attack, and we describe several variants for different values of , d. On the extreme, a CTFP-preimage of 2 n/2 blocks can be found in n · 2 n/2 queries. One can find a CTFP-preimage of length about n/8 blocks in 3 n · 2 3n/4 work. © 2011 Elsevier B.V. All rights reserved. 1. Introduction Practical hash functions are traditionally built accord- ing to the Merkle–Damgård (MD) iterated design princi- ple [9,23]. Given a fixed-input-length compression function f :{0, 1} n ×{0, 1} m →{0, 1} n , and an initial state value iv of n bits, a variable-input-length hash function hash is con- structed as follows: an input message M is first injectively padded into message blocks of length m bits, and then these message blocks are compressed iteratively with the state using f . Although this design is adequate for collision and preimage resistance, second preimage resistance can- not be guaranteed [5,10,20]. Additionally, multicollisions can be found much faster than expected [18], and the de- sign does not resist the length extension attack [8]. In 2006, Kelsey and Kohno [19] considered the chosen- target-forced-prefix (CTFP) preimage resistance of hash * Tel.: +32 16 321800; fax: +32 16 321969. E-mail address: [email protected]. functions: an attacker commits to a digest h, and upon being challenged on a message prefix P (throughout, P is of length one message block, but the same results hold for larger prefixes P ), he returns a preimage M = P S for h, for some string S . Many hash function applications, most prominently commitment and signature schemes, rely on CTFP-preimage resistance of hash functions [24]. Ideally, if the hash function outputs strings of n bits, an attacker needs about 2 n hash function calls to ob- tain a CTFP-preimage. However, Kelsey and Kohno [19] introduced the herding attack that allows finding CTFP- preimages for the MD iterative design in approximately k · 2 (n+k)/2 offline (we follow the complexity analysis by Blackburn et al. [6]) and 2 nk online compression func- tion calls, and the attack results in preimages of length approximately k blocks. Here, the parameter k ensures a tradeoff between the offline and online complexity of the attack, with an optimal amount of work of n · 2 2n/3 calls achieved for k = n/3. It has been shown by Andreeva et al. [2] and Gauravaram et al. [14,15] that many modes of operation derived from the classical MD construction 0020-0190/$ – see front matter © 2011 Elsevier B.V. All rights reserved. doi:10.1016/j.ipl.2011.10.014

Upload: bart-mennink

Post on 05-Sep-2016

219 views

Category:

Documents


4 download

TRANSCRIPT

Page 1: Increasing the flexibility of the herding attack

Information Processing Letters 112 (2012) 98–105

Contents lists available at SciVerse ScienceDirect

Information Processing Letters

www.elsevier.com/locate/ipl

Increasing the flexibility of the herding attack

Bart Mennink ∗

Katholieke Universiteit Leuven, ESAT/COSIC and IBBT, Kasteelpark Arenberg 10, 3001 Leuven, Belgium

a r t i c l e i n f o a b s t r a c t

Article history:Received 20 July 2011Received in revised form 17 October 2011Accepted 18 October 2011Available online 20 October 2011Communicated by D. Pointcheval

Keywords:CryptographyHash functionsChosen-target-forced-prefixGeneralized herding attackHypergraphs

Chosen-target-forced-prefix (CTFP) preimage resistance is a hash function security propertyguaranteeing the inability of an attacker to commit to a hash function outcome h withoutknowing the prefix of the message to be hashed in advance. At EUROCRYPT 2006, Kelseyand Kohno described the herding attack against the Merkle–Damgård design that resultsin a CTFP-preimage of length about n/3 blocks in approximately

√n · 22n/3 compression

function calls. Using an additional parameter �, the attack can be sped-up at the costof exponentially large preimages (the elongated herding attack). In this work, we re-investigate speed vs. message length tradeoffs for the herding attack. Using a thirdparameter d, we introduce the generalized elongated multidimensional herding attack. Theparameters � and d allow for full control over the efficiency of the attack versus thelength of the preimages: increasing � results in faster attacks with longer messages, whileincreasing d results in shorter messages with higher attack complexity. Using advancedmethods in graph theory we analyze the complexity of the generalized attack, and wedescribe several variants for different values of �, d. On the extreme, a CTFP-preimage of2n/2 blocks can be found in n · 2n/2 queries. One can find a CTFP-preimage of length aboutn/8 blocks in 3

√n · 23n/4 work.

© 2011 Elsevier B.V. All rights reserved.

1. Introduction

Practical hash functions are traditionally built accord-ing to the Merkle–Damgård (MD) iterated design princi-ple [9,23]. Given a fixed-input-length compression functionf : {0,1}n × {0,1}m → {0,1}n , and an initial state value ivof n bits, a variable-input-length hash function hash is con-structed as follows: an input message M is first injectivelypadded into message blocks of length m bits, and thenthese message blocks are compressed iteratively with thestate using f . Although this design is adequate for collisionand preimage resistance, second preimage resistance can-not be guaranteed [5,10,20]. Additionally, multicollisionscan be found much faster than expected [18], and the de-sign does not resist the length extension attack [8].

In 2006, Kelsey and Kohno [19] considered the chosen-target-forced-prefix (CTFP) preimage resistance of hash

* Tel.: +32 16 321800; fax: +32 16 321969.E-mail address: [email protected].

0020-0190/$ – see front matter © 2011 Elsevier B.V. All rights reserved.doi:10.1016/j.ipl.2011.10.014

functions: an attacker commits to a digest h, and uponbeing challenged on a message prefix P (throughout, P isof length one message block, but the same results hold forlarger prefixes P ), he returns a preimage M = P‖S for h,for some string S . Many hash function applications, mostprominently commitment and signature schemes, rely onCTFP-preimage resistance of hash functions [24].

Ideally, if the hash function outputs strings of n bits,an attacker needs about 2n hash function calls to ob-tain a CTFP-preimage. However, Kelsey and Kohno [19]introduced the herding attack that allows finding CTFP-preimages for the MD iterative design in approximately√

k · 2(n+k)/2 offline (we follow the complexity analysis byBlackburn et al. [6]) and 2n−k online compression func-tion calls, and the attack results in preimages of lengthapproximately k blocks. Here, the parameter k ensuresa tradeoff between the offline and online complexity ofthe attack, with an optimal amount of work of

√n · 22n/3

calls achieved for k = n/3. It has been shown by Andreevaet al. [2] and Gauravaram et al. [14,15] that many modesof operation derived from the classical MD construction

Page 2: Increasing the flexibility of the herding attack

B. Mennink / Information Processing Letters 112 (2012) 98–105 99

suffer this herding attack or a variant of it. In [4], Andreevaand Mennink confirmed optimality of the herding attackby [19] and of most of the attacks by [2,14,15].

The herding attack of Kelsey and Kohno can be de-scribed as follows. Let k � 0 be any integer.

1. The attacker A constructs a diamond of k levels: he ar-bitrarily takes 2k state values h(1)

0 , . . . ,h(2k)0 , and tries

to find 2k−1 disjoint compression function collisionsfor these, by varying the message inputs. For the re-

sulting 2k−1 state values h(1)1 , . . . ,h(2k−1)

1 he finds 2k−2

disjoint compression function collisions, etc., until heis left with one state value hdiam at level 0. By con-struction, starting from any state value h(i)

0 he knowsa path of k message blocks to hdiam;

2. A computes a commitment h = f (hdiam, Mpad), whereMpad includes the length strengthening of the mes-sage;

3. A receives a challenge P , and computes hP = f (iv, P );4. A finds a message Mlink such that f (hP , Mlink) = h(i)

0for some i ∈ {1, . . . ,2k}. He outputs a CTFP-preimageP‖Mlink‖Mdiam‖Mpad, where Mdiam consists of the k

message blocks that connect h(i)0 with hdiam.

Here, k provides a tradeoff between the offline complexity(step 1) and the online complexity (step 4). The resultingCTFP-preimage is of length k + 3 message blocks (and theforged suffix is of length k + 2). Kelsey and Kohno intro-duce also a generalization, the elongated herding attack, thatallows to speed up the attack at the cost of larger preim-ages [19]. Let � � 0 be an integer. In step 1, the attackerappends a sequence of 2� compression function executionsto each starting state value h(i)

0 (i = 1, . . . ,2k), and the at-tack succeeds in step 4 if the attacker hits any of the 2k+�

state values.1 This attack results in a preimage of lengthslightly larger than 2� blocks.

1.1. Our contributions

We re-investigate the possibilities in the herding attackof Kelsey and Kohno to sacrifice message length for effi-ciency and vice versa. As explained above, the elongatedherding attack [19] allows for faster attacks at the cost oflarger preimages. In this work we investigate the possibil-ity to reduce the length of the preimages at a reasonableprice. A naive solution is to use the original herding at-tack, with values k for which the offline/online equilibriumis not achieved, but as we will show, better results can beobtained.

To this end we introduce the elongated multidimensionalherding attack as a generalization to the classical herd-ing attack. At a high level, the generalized attack differsfrom the original one in the sense that the internal dia-mond consists of d-way collisions only, for some integerd � 2. The generalized attack employs an elongated mul-

1 With the minor difference that the attacker needs to employ an algo-rithm for expandable messages ([20], see Section 2.3) in order to set thelength of the CTFP-preimage in advance.

tidimensional diamond with parameters k, �, d. Here, k isthe number of levels in the diamond, � is the length ofthe tails attached to each end node of the diamond, and dprescribes the type of collisions within the diamond. Us-ing advanced methods in graph theory, we compute thecomplexity of the attack: a preimage of about 2� + k + �

blocks is found in approximately 2�+k log(d) + dln(d)

· d√

k ·2n d−1

d +k log(d)d + � · 2n/2+1 + 2� offline and 2n−�−k log(d) online

compression function executions.The elongated multidimensional herding attack is a uni-

form attack description that covers a wide variety of herd-ing attack variants. The original attack is naturally coveredfor parameters (�,d) = (0,2). Increasing the tail length �

results in faster attacks with larger messages, which cor-responds to the elongated herding attack. Increasing dresults in shorter messages for slightly larger costs, andwe refer to it as the multidimensional herding attack. Inan entirely different setting, namely for finding secondpreimages on dithered hash functions, the approach of in-creasing d has appeared before in Andreeva et al. [3, Sec-tion 6.1]. We note that our findings improve the bound ofAndreeva et al. considerably.

For various values of �,d, we summarize the com-plexity of the attack, where k is used to obtain an of-fline/online equilibrium. With respect to the elongatedherding attack, one needs n · 2n/2 compression functioncalls to find a preimage of length 2n/2 blocks. Approxi-mately

√n · 231n/48 calls are needed to find a preimage of

size about 2n/16. Not surprisingly, the attack complexitiesof the elongated herding attack variants meet the securitybound derived in [4]. Using the multidimensional herdingattack, one can obtain messages of length about n/8 blocksin 3

√n · 23n/4 work, much faster than when using the tradi-

tional herding attack. Several other variants of the attacksare summarized in Tables 1 and 2.

1.2. Outline

We present background information on cryptographyand graph theory in Section 2. The elongated multidimen-sional diamond is described and analyzed in Section 3. Thegeneralized herding attack is given in Section 4, and sev-eral variants are given in Section 5. We conclude this workin Section 6.

2. Preliminaries

By ln(x) we denote the natural logarithm of x with re-spect to base e, and by log(x) we denote the logarithm of xwith respect to base 2.

2.1. Random graphs and hypergraphs

We briefly highlight basic definitions and results fromthe area of random graph theory. Although the analysisin this work centers around hypergraphs, we first discusssome results on basic graph theory. We refer readers inter-ested in this area to [16].

Page 3: Increasing the flexibility of the herding attack

100 B. Mennink / Information Processing Letters 112 (2012) 98–105

2.1.1. GraphsLet v be an integer. A (simple undirected) graph on v

vertices is defined as G(v) = (V , E). Here, V denotes a setof v vertices, and E consists of different subsets of V ofsize 2, the edges. A matching M is a subset of E with nocommon vertices. We call M a perfect matching if it coversevery vertex v ∈ V . A perfect matching exists only if v iseven.

Let p ∈ [0,1]. We denote by G(v, p) an Erdös–Rényirandom graph [11] on v nodes with edge probability p.That is, each of the

(v2

)subsets of V is included in E

with probability p. A central question in the area of graphtheory is to evaluate the event that G(v, p) has a perfectmatching. It has been shown by Erdös and Rényi [12] thatG(v, p) contains a perfect matching (with high probability)if p � ln(v)/v . Related to this question is the problem of,given a graph F on v f vertices, determining a thresholdfor p for which the random graph G(v, p) contains v/v f

disjoint copies of F (more formally, disjoint subgraphs ofG(v, p) isomorphic to F ) [1,22,25,27].

2.1.2. HypergraphsHypergraphs differ from basic graphs essentially in how

the edges are defined. A hypergraph on v vertices is de-fined as H(v) = (V , E). Here, V denotes a set of v vertices,but E can contain different subsets of V of arbitrary size,called hyperedges. A hypergraph is called d-uniform, andwe write Hd(v), if each hyperedge is of size d. Notice thata 2-uniform hypergraph H2(v) covers the notion of a stan-dard graph as defined before. For a hypergraph, a perfectmatching is a set of pairwise disjoint edges whose unionequals V . A perfect matching for Hd(v) consists of v/dedges of size d vertices, and exists only if d divides v .

Similar to before, for p ∈ [0,1] we denote by Hd(v, p)

an Erdös–Rényi random hypergraph on v nodes with edgeprobability p: each of the

(vd

)subsets of V of size d is

included in E with probability p. Extending the theoremof Erdös and Rényi [12], Schmidt and Shamir [26] con-jectured2 that Hd(v, p) contains a perfect matching withhigh probability if p � ln(v)/

(v−1d−1

). Several attempts to

prove this conjecture have been taken by Schmidt andShamir [26], Frieze and Janson [13] and Kim [21]. The bestresult to date is by Johansson et al. [17], namely the fol-lowing sharp threshold.

Proposition 1. The threshold for a perfect matching in a d-uniform random hypergraph on v vertices is Θ(

ln(v)

vd−1 ) [17,Cor. 2.6].

In other words, Hd(v, p) with high probability containsa perfect matching if p � ln(v)/vd−1. Notice that the ba-sic result of Erdös and Rényi [12] for a graph G(v, p) =H2(v, p) directly follows from Proposition 1.

2 The claim by Schmidt and Shamir is somewhat different, the alterna-tive interpretation is taken from [7].

2.2. Merkle–Damgård hash function design

We briefly discuss the classical Merkle–Damgård (MD)hash function construction. Let f : {0,1}n × {0,1}m →{0,1}n be a compression function, and let iv ∈ {0,1}n bean initial value. Let pad : {0,1}∗ → ({0,1}m)∗ be a paddingfunction. The hash function hash : {0,1}∗ → {0,1}n is de-fined as follows:

hash(M) = hz, where: (M1, . . . , Mz) = pad(M),

h0 = iv,

hi = f (hi−1, Mi) for i = 1, . . . , z.

As padding function, we consider the standard paddingfunction with length strengthening. On input of the mes-sage M , it is first split into blocks of length m, the lastblock filled with 1 and sufficiently many 0s. Appended tothis is a block 〈(|M| + 1)/m〉m that encodes the length ofthe message in blocks. We note that our results also holdif a more compact encoding of the message is appended.

The complexity analysis in this work is done in termsof the amount of compression function executions. Bya “(compression function) call”, we denote the event of onecompression function execution.

2.3. Expandable messages

The generalized herding attack described in this workemploys an algorithm introduced by Kelsey and Schneier[20], and we will briefly discuss it. On input of a statevalue h and a nonnegative integer k, this algorithm gen-erates a set of 2k messages of length varying from k tok + 2k − 1 blocks, that on input of h render a 2k-waycollision. We call this set of messages a (k,k + 2k − 1)-expandable message. The algorithm is derived from themulticollision-finding technique of Joux [18], and operatesas follows. On input of state value h, one generates a multi-collision of length k in the following way: the first colli-sion in the chain involves messages of length 20 + 1 and1 blocks, the second collision messages of length 21 + 1and 1, etc., until the last chain in which messages oflength 2k−1 + 1 and 1 blocks collide. The construction of a(k,k + 2k − 1)-expandable message requires approximatelyk · 2n/2+1 + 2k calls.

3. Elongated multidimensional diamond

As a building block of our generalized herding attack,we revisit the elongated diamond structure of [19], andgeneralize it in the sense that each node in the diamondmay have more than two ramifications. Formally, for threeintegers k, � � 0 and d � 2, we consider a diamond of sizek levels and only consisting of d-way collisions, with a tailof length 2� − 1 state values attached to each end node.A visualization is given in Fig. 1. We now elaborate on theconstruction of this elongated multidimensional diamond,and its corresponding complexity.

Page 4: Increasing the flexibility of the herding attack

B. Mennink / Information Processing Letters 112 (2012) 98–105 101

Fig. 1. A (k, �,d) elongated multidimensional diamond (cf. Section 3).

3.1. Construction of dk tails

For i = 1, . . . ,dk , the attacker takes an arbitrary statevalue h(i)

0 , and generates an arbitrary path of length 2� − 1.For each i, this phase results in the following compressionfunction evaluations, for some M(i)

1 , . . . , M(i)2�−1

:

f(h(i)

0 , M(i)1

) = h(i)1 ,

...

f(h(i)

2�−2, M(i)

2�−1

) = h(i)2�−1

.

The construction of these dk tails requires dk(2� − 1) com-pression function executions.

3.2. Construction of multidimensional diamond

Starting from the nodes h(1)

2�−1, . . . ,h(dk)

2�−1, the attacker

generates a d-dimensional diamond structure of k levels.The approach to build this diamond is fairly similar tothe procedure described by [19]: firstly, the attacker findsdk−1 different d-way collisions starting from the dk startingvalues, secondly he finds dk−2 different d-way collisionsstarting from the dk−1 intermediate state values, etc., untila single state value h(1)

2�+k−1is left (see Fig. 1). The attacker

finds these collisions by making L compression functionexecutions, where the value L is determined later, fromeach state value for different message blocks M .

The analysis of the costs for producing a multidimen-sional diamond follows and generalizes the work of Black-burn et al. [6]. First, we determine the value L in order forthe attacker to succeed with high probability, and then wecompute the total complexity. Let j � 1 and consider theattacker mapping d j values to d j−1 by ways of d-way colli-sions. For each of the d j state values, the attacker makes Lcompression function calls. Notice that any d state valuesresult in a d-way collision with probability ≈ Ld/(2n)d−1.Consequently, we can model this problem as an Erdös–Rényi random hypergraph H := Hd(d j, Ld/(2n)d−1), andthe goal is to obtain a perfect matching in H . By Propo-sition 1, H contains a perfect matching with high proba-bility if

Ld

(2n)d−1≈ ln(d j)

(d j)d−1,

or equivalently if

L ≈ d√

j ln(d) · 2(n− j log(d)) d−1d .

In total, the attacker needs to make d j L ≈ d√

j ln(d) ·2n d−1

d + j log(d)d compression function calls to reduce the set of

state values from d j to d j−1. The total work to reduce fromdk to 1 values can then be computed as (cf. Appendix A)

k∑j=1

d√

j ln(d) · 2n d−1d + j log(d)

d

= Θ

(d

ln(d)· d√

k · 2n d−1d +k log(d)

d

). (1)

3.3. Total complexity

The total amount of queries needed for constructing theelongated multidimensional diamond is about

dk(2� − 1) + d

ln(d)· d√

k · 2n d−1d +k log(d)

d . (2)

4. Generalized herding attack

We are ready to describe the generalized herding at-tack. A visualization of the attack is given in Fig. 2. Let(k, �,d) � (0,0,2) be three integral parameters.

1. The attacker constructs an elongated multidimensionaldiamond for parameters (k, �,d) (see Section 3). De-note its intermediate chaining values as in Fig. 1. This

step requires dk(2� − 1) + dln(d)

· d√

k · 2n d−1d +k log(d)

d com-pression function executions;

2. Starting from h(1)

2�+k−1, the attacker A generates

a (log(k + 2�), log(k + 2�) + k + 2� − 1)-expandablemessage (see Section 2.3). Denote the final state valueby hexp. This step requires approximately log(k + 2�) ·2n/2+1 + k + 2� compression function executions;

3. A computes a commitment h = f (hexp, Mpad), whereMpad = 〈log(k + 2�) + k + 2� + 1〉m . He commits to thishash value h. This step requires 1 compression func-tion execution;

4. A receives a challenge P , and computes hP = f (iv, P ).This step requires 1 compression function execution;

5. A finds a message Mlink such that f (hP , Mlink) = h(i)j

for some j ∈ {0, . . . ,2� + k − 1}, i ∈ {1, . . . ,dk}. Heoutputs a CTFP-preimage P‖Mlink‖Mdiam‖Mexp‖Mpad,

Page 5: Increasing the flexibility of the herding attack

102 B. Mennink / Information Processing Letters 112 (2012) 98–105

Fig. 2. A sketch of the generalized herding attack of Section 4. The EMD block denotes a (k, �,d) elongated multidimensional diamond (Fig. 1). The ExpMblock denotes a (log(k + 2�), log(k + 2�) + k + 2� − 1)-expandable message (Section 2.3).

where Mdiam is the message of length 2� + k − 1 − jblocks that connects h(i)

j with h(1)

2�+k−1, and Mexp is the

message of length log(k + 2�) + j blocks coming fromthe expandable message phase. As there are

2�dk + dk−1 + dk−2 + · · · + 1 = 2�dk + dk − 1

d − 1

state values h(i)j for which a hit yields success of

the attack (and with high probability these are al-most all different), this phase requires approximately

2n/(2�dk + dk−1d−1 ) calls.

4.1. Total complexity

The described generalized herding attack consists of anoffline phase (parts 1 and 2) and an online phase (parts 3,4 and 5). In its offline phase, the attack requires about

dk(2� − 1) + d

ln(d)· d√

k · 2n d−1d +k log(d)

d

+ log(k + 2�

) · 2n/2+1 + k + 2� + 1

calls. The online phase requires approximately

1 + 2n

2�dk + dk−1d−1

calls. The resulting preimage is of length k + 2� + log(k +2�) + 2 blocks, 1 block of which corresponds to the prefix.

5. Concrete attack variants

The general herding attack of Section 4 can be tweakedvia three parameters (k, �,d) � (0,0,2). The original herd-ing attack of Kelsey and Kohno is covered for minimalvalues of �,d, and for arbitrary k.3 The attack requiresabout

√k · 2(n+k)/2 offline and 2n−k online computations.

An equilibrium is achieved at k = n/3, for which the at-tack requires about

√n · 22n/3 calls and the preimage is of

length about n/3 + log(n) + 2 blocks.The parameters �, d can be used to influence the rela-

tion between the efficiency of the protocol and the lengthof the CTFP-preimage: increasing � results in faster attackswith longer messages, while increasing d results in shortermessages but with less efficient attacks. We elaborate onthese two scenarios.

3 With the negligible difference that expandable messages are not used,and the attacker succeeds in phase 5 of the attack only if he hits h0(i) forsome i ∈ {1, . . . ,2k}.

5.1. Higher efficiency with longer messages

We consider the affect of parameter � on the efficiencyof the attack. Therefore, we set d = 2. This attack cor-responds to the elongated herding attack of [19]. It re-quires approximately 2k+� − 2k + √

k · 2(n+k)/2 + log(k +2�) · 2n/2+1 + k + 2� offline and 2n−k−� online compres-sion function calls. The resulting preimage is of lengthk + 2� + log(k + 2�) + 2 blocks. To exemplify the strengthof this attack, we only consider equilibria: we use � to ad-just the aimed length of the preimage, and k is set so as tomake the dominating factors in both complexities approx-imately equal: k = n−2�

3 .For n = 512, the graph in Fig. 3 shows the total com-

plexity and the length of the message as functions of �. Atthe one extreme we have the classical herding attack for� = 0, k = n/3. At the other extreme, for � = n/2 and k = 0the algorithm requires approximately n · 2n/2 work and themessage is of length slightly more than 2n/2 blocks. Othervariants are summarized in Table 1. These attacks meet thesecurity bound derived by Andreeva and Mennink for theMD mode of operation [4].

5.2. Shorter messages with lower efficiency

In order to carry out the herding attack for messagesconsiderably shorter than the one from [19], we considerthe value d and set � = 0. We call this attack the mul-tidimensional herding attack. This attack requires approxi-

mately dln(d)

· d√

k ·2n d−1d +k log(d)

d + log(k) ·2n/2+1 +k offline and

2n−k log(d) online compression function calls, and results ina preimage of length k + log(k + 1) + 3 blocks. Again, weconsider equilibria to analyze this attack: d is used to ad-just the aimed length of the preimage, and k is set so as tomake the dominating factors in both complexities equal:k = n

(d+1) log(d).

For n = 512, the graph in Fig. 4 shows the total com-plexity and the length of the message as functions of d. Atthe extreme we have the classical herding attack for d = 2,k = n/3. For increasing d, the complexity increases but themessage length decreases. For instance, d = 4 results in anattack in about 24n/5 work and with messages of lengthn/14 + log(n) blocks. For larger values of m, the attackapproaches the generic attack. Other variants are summa-rized in Table 2.

6. Conclusions

At EUROCRYPT 2006, Kelsey and Kohno describeda herding attack for the MD iterated hash function design

Page 6: Increasing the flexibility of the herding attack

B. Mennink / Information Processing Letters 112 (2012) 98–105 103

Fig. 3. The efficiency and the size of the message for the elongated herding attack, as functions of �. The functions are plotted in log2 scale. The blue(decreasing) line denotes the amount of work, and the red (increasing) line the length of the message in blocks. For various values of �, the details aregiven in Table 1.

Table 1The elongated herding attack (Section 5.1) and various variants. Here, � is chosen in order to adjust the message length, and k is set so as to obtain anequal amount of work in both phases of the protocol. Negligible terms are removed for clarity.

(�,d) k Offline work (≈) Online work (≈) Message length (blocks)

Elongated herding [19] (�,2) k 2k+� − 2k + √k · 2(n+k)/2

+ log(k + 2�) · 2n/2+1 + k + 2�

2n−k−� log(k + 2�) + k + 2� + 2

|msg| ≈ 2n/2 (n/2,2) 0 n · 2n/2 2n/2 2n/2 + n/2 + 2|msg| ≈ 2n/4 (n/4,2) n/6

√n · 27n/12 27n/12 2n/4 + 5n/12 + 3

|msg| ≈ 2n/16 (n/16,2) 7n/24√

n · 231n/48 231n/48 2n/16 + 17n/48 + 3|msg| ≈ 2n/32 (n/32,2) 15n/48

√n · 263n/96 263n/96 2n/32 + 33n/96 + 3

Herding [19] (0,2) n/3√

n · 22n/3 22n/3 n/3 + log(n) + 2

that requires approximately√

n · 22n/3 compression func-tion calls, as well as an elongated herding attack that usinga parameter � allows for increasing efficiency at the cost ofexponentially large messages. In this paper, we re-analyzedand generalized these findings to allow for a bidirectionaltradeoff between the efficiency of the attack and the lengthof its preimages. Together with an additional parameters d,the attack allows for a full tradeoff between the efficiencyand the length of the messages.

In the attack with shorter messages, the multidimen-sional herding attack, the diamond consists of d-way colli-sions only. Consequently, the construction of such diamondof k levels results in dk state values that eventually ren-der a collision. An approach to improve the flexibility maybe to allow for more variation within the diamond: forinstance, the first part of the diamond layers consists ofd1-way collisions, while the second part consists of d2-way collisions. We leave it as a further research questionto analyze whether this generalized diamond renders in-teresting complexity results.

Acknowledgements

This work has been funded in part by the IAP ProgramP6/26 BCRYPT of the Belgian State (Belgian Science Pol-icy), in part by the European Commission through the ICTprogram under contract ICT-2007-216676 ECRYPT II, andin part by the Research Council K.U.Leuven: GOA TENSE.The author is supported by a Ph.D. Fellowship from the

Institute for the Promotion of Innovation through Scienceand Technology in Flanders (IWT-Vlaanderen).

Appendix A. Proof of Eq. (1)

We will provide an upper and lower bound for

W :=k∑

j=1

d√

j ln(d) · 2n d−1d + j log(d)

d .

In order to bound this quantity, we first derive the follow-ing two results for integral d � 2:√

ln(2) � d√

ln(d) � 2, (A.1)

d

ln(d)� d1/d

d1/d − 1� 2d

ln(d). (A.2)

Note that (A.1) indeed holds: the upper bound is clear, andfor the lower bound we particularly have d

√ln(d) � 1 �√

ln(2) for d � 3. Eq. (A.2) directly follows if we show that

ln(x) � x − 1 � ln(x)/2 (A.3)

holds for any e−1/e � x � 1. This is true if we put x =d−1/d (which is indeed � e−1/e for all d � 2). As ln(x) isa concave function, it lies below any of its tangents. Inother words, we obtain ln(a) � ln(b) + (a − b)[ d

dy ln(y)]b

for any a, b. The lower bound of (A.3) is now obtainedby putting (a,b) = (x,1). For the upper bound of (A.3),

Page 7: Increasing the flexibility of the herding attack

104 B. Mennink / Information Processing Letters 112 (2012) 98–105

Fig. 4. The efficiency and the size of the message for the multidimensional herding attack, as functions of d. The efficiency is plotted in log2 scale whilethe message size is plotted in linear scale. The blue (increasing) line denotes the amount of work, and the red (decreasing) line the length of the messagein blocks. The case d > 5 is noninteresting due to the minor differences. For various values of d, the details are given in Table 2.

Table 2The multidimensional herding attack (Section 5.2) and various variants. Here, d is chosen in order to adjust the message length, and k is set so as to obtainan equal amount of work in both phases of the protocol. Negligible terms are removed for clarity.

(�,d) k Offline work (≈) Online work (≈) Message length (blocks)

Multidimensional herding (0,d) k dln(d)

· d√

k · 2n d−1d +k log(d)

d

+ log(k) · 2n/2+1 + k

2n−k log(d) k + log(k + 1) + 3

Herding (d = 2) [19] (0,2) n/3√

n · 22n/3 22n/3 n/3 + log(n) + 2d = 3 (0,3) 0.158n 3

√n · 23n/4 23n/4 0.126n + log(n)

d = 4 (0,4) n/10 4√

n · 24n/5 24n/5 n/14 + log(n)

d = 5 (0,5) 0.072n 5√

n · 25n/6 25n/6 0.048n + log(n)

putting (a,b) = (1, x) gives ln(x) � (x − 1)/x, which is� 2(x − 1) for 1/2 � e−1/e � x � 1. We next derive upperand lower bounds for W .

A.1. Upper bound for W

W � 2 · d√

k · 2n d−1d ·

k∑j=1

d j/d, by Eq. ( A.1)

= 2 · d√

k · 2n d−1d · d1/d(dk/d − 1)

d1/d − 1

= 2 · d1/d

d1/d − 1· d√

k · 2n d−1d +k log(d)

d

= O

(d

ln(d)· d√

k · 2n d−1d +k log(d)

d

), by Eq. (A.2).

A.2. Lower bound for W

W �√

ln(2) · d√

k/2 · 2n d−1d ·

k∑j=k/2

d j/d, by Eq. (A.1)

= √ln(2) · d

√k/2 · 2n d−1

d · dk/(2d)(d(k+2)/(2d) − 1)

d1/d − 1

�√

ln(2)

2 d√

2· d1/d

d1/d − 1· d√

k · 2n d−1d +k log(d)

d

= Ω

(d · d

√k · 2n d−1

d +k log(d)d

), by Eq. (A.2).

ln(d)

References

[1] Noga Alon, Raphael Yuster, Threshold functions for H-factors, Probab.Comput. 2 (1993) 137–144.

[2] Elena Andreeva, Charles Bouillaguet, Orr Dunkelman, John Kelsey,Herding, second preimage and trojan message attacks beyondMerkle–Damgård, in: Selected Areas in Cryptography 2009, in: Lec-ture Notes in Computer Science, vol. 5867, Springer-Verlag, Berlin,2009, pp. 393–414.

[3] Elena Andreeva, Charles Bouillaguet, Pierre-Alain Fouque, JonathanHoch, John Kelsey, Adi Shamir, Sébastien Zimmer, New second preim-age attacks on hash functions, J. Cryptol., submitted for publication,http://www.di.ens.fr/~bouillaguet/pub/JOC2010.pdf.

[4] Elena Andreeva, Bart Mennink, Provable chosen-target-forced-midfixpreimage resistance, in: Selected Areas in Cryptography 2011, in: Lec-ture Notes in Computer Science, vol. 7118, Springer-Verlag, Berlin,2011, in press.

[5] Elena Andreeva, Gregory Neven, Bart Preneel, Thomas Shrimpton,Seven-property-preserving iterated hashing: ROX, in: Advances inCryptology – ASIACRYPT 2007, in: Lecture Notes in Computer Sci-ence, vol. 4833, Springer-Verlag, Berlin, 2007, pp. 130–146.

[6] Simon Blackburn, Douglas Stinson, Jalaj Upadhyay, On the complexityof the herding attack and some related attacks on hash functions,Des. Codes Cryptography, in press, doi:10.1007/s10623-010-9481-x.

[7] Colin Cooper, Alan Frieze, Michael Molloy, Bruce Reed, Perfect match-ings in random r-regular, s-uniform hypergraphs, Combin. Probab.Comput. 5 (1996) 1–14.

[8] Jean-Sébastien Coron, Yevgeniy Dodis, Cécile Malinaud, PrashantPuniya, Merkle–Damgård revisited: How to construct a hash func-tion, in: Advances in Cryptology – CRYPTO 2005, in: Lecture Notes inComputer Science, vol. 3621, Springer-Verlag, Berlin, 2005, pp. 430–448.

[9] Ivan Damgård, A design principle for hash functions, in: Advancesin Cryptology – CRYPTO’89, in: Lecture Notes in Computer Science,vol. 435, Springer-Verlag, Berlin, 1990, pp. 416–427.

Page 8: Increasing the flexibility of the herding attack

B. Mennink / Information Processing Letters 112 (2012) 98–105 105

[10] Richard Dean, Formal aspects of mobile code security, PhD thesis,Princeton University, Princeton, 1999.

[11] Paul Erdös, Alfréd Rényi, On the evolution of random graphs, Publ.Math. Inst. Hungar. Acad. Sci. 5 (1960) 17–61.

[12] Paul Erdös, Alfréd Rényi, On the existence of a factor of degree oneof a connected random graph, Acta Math. Hungar. 17 (3) (1966) 359–368.

[13] Alan Frieze, Svante Janson, Perfect matchings in random s-uniformhypergraph, Random Struct. Algorithms 7 (1997) 41–57.

[14] Praveen Gauravaram, John Kelsey, Linear-XOR and additive check-sums don’t protect Damgård–Merkle hashes from generic attacks,in: CT-RSA 2008, in: Lecture Notes in Computer Science, vol. 4964,Springer-Verlag, Berlin, 2008, pp. 36–51.

[15] Praveen Gauravaram, John Kelsey, Lars Knudsen, Thomsen Søren, Onhash functions using checksums, Int. J. Inform. Secur. 9 (2) (2010)137–151.

[16] Svante Janson, Tomasz Łuczak, Andrzej Rucinski, Random Graphs,Wiley, 2000.

[17] Anders Johansson, Jeff Kahn, Van Vu, Factors in random graphs,Random Struct. Algorithms 33 (1) (2008) 1–28, http://onlinelibrary.wiley.com/doi/10.1002/rsa.20224/pdf.

[18] Antoine Joux, Multicollisions in iterated hash functions. Applicationto cascaded constructions, in: Advances in Cryptology – CRYPTO2004, in: Lecture Notes in Computer Science, vol. 3152, Springer-Verlag, Berlin, 2004, pp. 306–316.

[19] John Kelsey, Tadayoshi Kohno, Herding hash functions and the Nos-

tradamus attack, in: Advances in Cryptology – EUROCRYPT 2006, in:Lecture Notes in Computer Science, vol. 4004, Springer-Verlag, Berlin,2006, pp. 183–200.

[20] John Kelsey, Bruce Schneier, Second preimages on n-bit hash func-tions for much less than 2n work, in: Advances in Cryptology –EUROCRYPT 2005, in: Lecture Notes in Computer Science, vol. 3494,Springer-Verlag, Berlin, 2005, pp. 474–490.

[21] Jeong Han Kim, Perfect matchings in random uniform hypergraphs,Random Struct. Algorithms 23 (2003) 111–132.

[22] Michael Krivelevich, Triangle factors in random graphs, Combin.Probab. Comput. 6 (1997) 337–347.

[23] Ralph Merkle, One way hash functions and DES, in: Advances inCryptology – CRYPTO’89, in: Lecture Notes in Computer Science,vol. 435, Springer-Verlag, Berlin, 1990, pp. 428–446.

[24] Gregory Neven, Nigel Smart, Bogdan Warinschi, Hash function re-quirements for Schnorr signatures, J. Math. Cryptol. 3 (1) (2009) 69–87.

[25] Andrzej Rucinski, Matching and covering the vertices of a randomgraph by copies of a given graph, Discrete Math. 105 (1–3) (1992)185–197.

[26] Jeanette Schmidt, Eli Shamir, A threshold for perfect matchings inrandom d-pure hypergraphs, Discrete Math. 45 (2–3) (1983) 287–295.

[27] Yun-Zhi Yan, Han-Xing Wang, Jun Wang, Xiang-Feng Yin, H(n)-factors in random graphs, Statist. Probab. Lett. 78 (11) (2008) 1255–1258.