On the complexity of the herding attack and some related attacks on hash functions

Abstract

In this article, we analyze the complexity of the construction of the $2^k$-diamond structure proposed by Kelsey and Kohno (LNCS, Vol 4004, pp 183–200, 2006). We point out a flaw in their analysis and show that their construction may not produce the desired diamond structure. We then give a more rigorous and detailed complexity analysis of the construction of a diamond structure. For this, we appeal to random graph theory (in particular, to the theory of random intersection graphs), which allows us to determine sharp necessary and sufficient conditions for the message complexity (i.e., the number of hash computations required to build the required structure). We also analyze the computational complexity for constructing a diamond structure, which has not been previously studied in the literature. Finally, we study the impact of our analysis on herding and other attacks that use the diamond structure as a subroutine. Precisely, our results show the following:

1. The message complexity for the construction of a diamond structure is $\sqrt{k}$ times more than the amount previously stated in the literature.
2. The time complexity is $n$ times the message complexity, where $n$ is the size of the hash value.

Due to the above two results, the herding attack (Kelsey and Kohno, LNCS, Vol 4004, pp 183–200, 2006) and the second preimage attack (Andreeva et al., LNCS, Vol 4965, pp 270–288, 2008) on iterated hash functions have increased complexity. We also show that the message complexity of herding and second preimage attacks on “hash twice” is $n$ times the complexity claimed by Andreeva et al. (LNCS, Vol 5867, pp 393–414, 2009), by giving a more detailed analysis of the attack.

[1] James Allen Fill, et al. Random intersection graphs when m = ω(n): An equivalence theorem relating the evolution of the G(n, m, p) and G(n, p) models, 2000, Random Struct. Algorithms.

[2] Douglas R. Stinson, et al. Cryptography: Theory and Practice, Second Edition, 2002.

[3] Rajeev Motwani, et al. Average-case analysis of algorithms for matchings and related problems, 1994, JACM.

[4] Erhard Godehardt, et al. Two Models of Random Intersection Graphs for Classification, 2003.

[5] Virgil D. Gligor, et al. A key-management scheme for distributed sensor networks, 2002, CCS '02.

[6] Jeffrey Shallit, et al. Automatic Sequences: Theory, Applications, Generalizations, 2003.

[7] Roberto Di Pietro, et al. Redoubtable Sensor Networks, 2008, TSEC.

[8] Jeffrey Shallit, et al. Automatic Sequences by Jean-Paul Allouche, 2003.

[9] Antoine Joux, et al. Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions, 2004, CRYPTO.

[10] William Stallings, et al. Cryptography and network security, 1998.

[11] Victor Shoup, et al. A Composition Theorem for Universal One-Way Hash Functions, 2000, EUROCRYPT.

[12] John Kelsey, et al. Second Preimage Attacks on Dithered Hash Functions, 2008, EUROCRYPT.

[13] John Kelsey, et al. Herding, Second Preimage and Trojan Message Attacks beyond Merkle-Damgård, 2009, Selected Areas in Cryptography.

[14] Veikko Keränen, et al. New Abelian Square-Free DT0L-Languages over 4 Letters, 2003.

[15] B. Bollobás. The evolution of random graphs, 1984.

[16] Katarzyna Rybarczyk, et al. Sharp threshold functions for the random intersection graph via coupling method, 2009, 0910.0749.

[17] Ronald L. Rivest, et al. Abelian square-free dithering for iterated hash functions, 2005.

[18] Silvio Micali, et al. An O(√|V|·|E|) algorithm for finding maximum matching in general graphs, 1980, 21st Annual Symposium on Foundations of Computer Science (sfcs 1980).

[19] Yehuda Lindell, et al. Introduction to Modern Cryptography (Chapman & Hall/CRC Cryptography and Network Security Series), 2007.

[20] John Kelsey, et al. Herding Hash Functions and the Nostradamus Attack, 2006, EUROCRYPT.

[21] James Allen Fill, et al. Random intersection graphs when m = ω(n): an equivalence theorem relating the evolution of the G(n, m, p) and G(n, p) models, 2000.

[22] Béla Bollobás, et al. Random Graphs: Preface to the Second Edition, 2001.

[23] Willemien Kets, et al. Random Intersection Graphs with Tunable Degree Distribution and Clustering, 2009, Probability in the Engineering and Informational Sciences.

[24] Béla Bollobás, et al. Random Graphs: Notation, 2001.

[25] Yehuda Lindell, et al. Introduction to Modern Cryptography, 2004.

[26] Gregory Neven, et al. Hash function requirements for Schnorr signatures, 2009, J. Math. Cryptol.

[27] J. Shallit, et al. Automatic Sequences: Contents, 2003.

[28] Douglas R. Stinson, et al. Cryptography: Theory and Practice, 1995.

[29] P. Erdos, et al. On the evolution of random graphs, 1984.

[30] Bruce Schneier, et al. Second Preimages on n-bit Hash Functions for Much Less than 2^n Work, 2005, IACR Cryptol. ePrint Arch.

[31] J. A. Bondy, et al. Graph Theory, 2008, Graduate Texts in Mathematics.

[32] P. Erdos, et al. On the existence of a factor of degree one of a connected random graph, 1966.

[33] Veikko Keränen, et al. Abelian Squares are Avoidable on 4 Letters, 1992, ICALP.

[34] Mindaugas Bloznelis, et al. Component evolution in a secure wireless sensor network, 2009.

[35] Stefanie Gerke, et al. Connectivity of the uniform random intersection graph, 2008, Discret. Math.