TransWikia.com

How do herding attacks on hash functions work?

Cryptography Asked on October 24, 2021

I read this paper Herding Hash Functions and the Nostradamus Attack, 2005 of Kelsey and Kohno on herding attacks but I do not understand how it works.

Would anyone be able to give me a summary of how herding attack as well as the diamond tree structure works?

It is mentioned "In the diagram, the attacker starts with eight different first message
blocks, each leading to a different hash value; he then searches for collisions between pairs of these
hash values, yielding four resulting intermediate hash values". What does it mean by searching for collisions between pairs of these hash values? Hashing 8 different message blocks will produce 8 different hash values so how would there be a collision? Diamond Structure

One Answer

Herding attack is introduced by Kelsey and Kohno in 2005. The attack is applicable to hash commitments. Nostradamus's example from the article is key of the idea. First Nostradamus produces the MD5 (MD is enough) hash of the future prediction of S&P500 before the business year finishes. After Nostradamus publish his message with precise closing prices of the S&P500's companies with some garbage text after it. The message has the same hash the committed hash.

At first, to achieve this, Nostradamus need pre-image attack on MD5, which has still $2^{123.4}$ complexity achieved after this work in 2009 (Finding Preimages in Full MD5 Faster Than Exhaustive Search). Instead of pre-image attack, this work introduces a new required property; Chosen Target Forced Prefix Pre-image resistance.

  • In the first step, Nostradamus has a Chosen Target by committing n-bit Hash value, $H$.
  • In the challenge step, the challenger provides $P$ to Nostradamus as Forced-Prefix so that the hash $H = Hash(Pmathbin|S) $ where $S$ is the suffix (garbage).

The Herding

The herding attack uses a diamond structure to find the hash. The below figure uses 8 different starting messages, one can consider this all possible outcome of the prediction of the Nostradamus prediction.

Remember that, this attack utilizes the Merkle-Damgard structure of the hash function. MOD constructions divide the hash into the block ( for example 512-bit blocks for MD5) after the appropriate padding. Each block then used in the compression function in order.

enter image description here

In the above figure, the first 512-bit part of each message is hashed. Then the crucial part begins. This is actually internal collision on MD construction. Randomly generating 512-bit block to see that $C(h[0,0], m_i) = C(h[0,0], m_j)$ where the $C$ is the internal compression function. With the generic collision, this has $8 cdot2^{n/2}$ complexity. And as mentioned in the article A diamond structure is essentially a Merkle tree built by brute force.

The committer actually can do better than this instead of a fixed structure for collision finding, one can go dynamically. In the generalized form mapping $2^k$ hash nodes in the diamond structure to $2^{k-1}$ they generate $2^{n/2+1/2-k/2}$ candidate block parts and looks for the collisions altogether. This has $2^{n/2+k/2+2}$

This attack can also be applied to longer messages - elongated Diamond structure.

The complexity of the attack on MD5 with 41 diamond width and 48 suffix length requires $2^{87}$ complexity. On impractically long suffixes the attack on MD5 with 5 diamond width and $2^{55}$ suffix length requires $2^{69}$ complexity.

Answered by kelalaka on October 24, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP