Designs, Codes and Cryptography

, Volume 64, Issue 1–2, pp 171–193 | Cite as

On the complexity of the herding attack and some related attacks on hash functions

  • Simon R. Blackburn
  • Douglas R. Stinson
  • Jalaj Upadhyay


In this article, we analyze the complexity of the construction of the 2 k -diamond structure proposed by Kelsey and Kohno (LNCS, Vol 4004, pp 183–200, 2006). We point out a flaw in their analysis and show that their construction may not produce the desired diamond structure. We then give a more rigorous and detailed complexity analysis of the construction of a diamond structure. For this, we appeal to random graph theory (in particular, to the theory of random intersection graphs), which allows us to determine sharp necessary and sufficient conditions for the message complexity (i.e., the number of hash computations required to build the required structure). We also analyze the computational complexity for constructing a diamond structure, which has not been previously studied in the literature. Finally, we study the impact of our analysis on herding and other attacks that use the diamond structure as a subroutine. Precisely, our results shows the following:
  1. 1.

    The message complexity for the construction of a diamond structure is \({\sqrt{k}}\) times more than the amount previously stated in literature.

  1. 2.

    The time complexity is n times the message complexity, where n is the size of hash value.

Due to the above two results, the herding attack (Kelsey and Kohno, LNCS, Vol 4004, pp 183–200, 2006) and the second preimage attack (Andreeva et al., LNCS, Vol 4965, pp 270–288, 2008) on iterated hash functions have increased complexity. We also show that the message complexity of herding and second preimage attacks on “hash twice” is n times the complexity claimed by Andreeva et al. (LNCS, Vol 5867, pp 393–414, 2009), by giving a more detailed analysis of the attack.


Hash function Herding attack Diamond structure 

Mathematics Subject Classification (2000)

05C80 94A60 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Allouche J.P., Shallit J.: Automatic Sequences: Theory, Applications, Generalizations. Cambridge University Press, Cambridge (2003)MATHCrossRefGoogle Scholar
  2. 2.
    Andreeva E., Bouillaguet C., Fouque P.A., Hoch J.J., Kelsey J., Shamir A., Zimmer S.: Second preimage attacks on dithered hash functions. In: EUROCRYPT, Lecture Notes in Computer Science, vol. 4965, pp. 270–288 (2008).Google Scholar
  3. 3.
    Andreeva E., Bouillaguet C., Dunkelman O., Kelsey J.: Herding, second preimage and Trojan message attacks beyond Merkle-Damgård. In: Selected Areas in Cryptography, Lecture Notes in Computer Science, vol. 5867, pp. 393–414 (2009).Google Scholar
  4. 4.
    Blackburn S.R., Gerke S.: Connectivity of the uniform random intersection graph. Discret. Math. 309(16), 5130–5140 (2009)MathSciNetMATHCrossRefGoogle Scholar
  5. 5.
    Bloznelis M., Jaworski J., Rybarczyk K: Component evolution in a secure wireless sensor network. Networks 53(1), 19–26 (2009)MathSciNetMATHCrossRefGoogle Scholar
  6. 6.
    Bollobás B.: Random Graphs, 2nd edn. Cambridge University Press, Cambridge (2001)MATHCrossRefGoogle Scholar
  7. 7.
    Bondy J.A., Murty U.S.R.: Graph Theory. Springer, New York (2008)MATHCrossRefGoogle Scholar
  8. 8.
    Erdös P., Renyi A.: On the evolution of random graphs. In: Proceedings of the Hungarian Academy of Sciences, vol. 5, pp. 17–61 (1960).Google Scholar
  9. 9.
    Erdös P., Rényi A.: On the existence of a factor of degree one of a connected random graph. Acta Mathematica Academiae Scientiarum Hungaricae Tomus 17(3–4), 359–368 (1966)MATHCrossRefGoogle Scholar
  10. 10.
    Eschenauer L., Gligor V.: A key-management scheme for distributed sensor networks. In: Proc. 9th ACM conference on Computer and Communications Security, pp. 41–47 (2002).Google Scholar
  11. 11.
    Fill J.A., Scheinerman E.R., Singer-Cohen K.B.: Random intersection graphs when m = Ω(n): An equivalence theorem relating the evolution of the g(n, m, p) and g(n, p) models. Random Struct. Algorithms 16(2), 156–176 (2000)MathSciNetMATHCrossRefGoogle Scholar
  12. 12.
    Godehardt E., Jaworski J.: Two models of random intersection graphs for classification. In: Optiz, O., Schwaiger, M. (eds) Studies in Classification, Data Analysis and Knowledge Organization, vol. 22, pp. 67–82. Springer, Berlin (2003)Google Scholar
  13. 13.
    Joux A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: CRYPTO, Lecture Notes in Computer Science, vol. 3152, pp. 306–316 (2004).Google Scholar
  14. 14.
    Katz J., Lindell Y.: Introduction to Modern Cryptography. Chapman and Hall, CRC Press, Boca Raton (2007)Google Scholar
  15. 15.
    Kelsey J., Kohno T.: Herding hash functions and the Nostradamus attack. In: EUROCRYPT, Lecture Notes in Computer Science, vol. 4004, pp. 183–200 (2006).Google Scholar
  16. 16.
    Kelsey J., Schneier B.: Second preimages on n-bit hash functions for much less than 2n work. In: EUROCRYPT, Lecture Notes in Computer Science, vol. 3494, pp. 474–490 (2005).Google Scholar
  17. 17.
    Keränen V.: Abelian squares are avoidable on 4 letters. In: ICALP, pp. 41–52 (1992).Google Scholar
  18. 18.
    Keränen V.: On abeliean square-free DT0L-languages over 4 letters. In: Proceedings of Conference on Combinatorics on Words, pp. 41–52 (2003).Google Scholar
  19. 19.
    Micali S., Vazirani V.V.: An \({{\rm O}(m\sqrt{n})}\) algorithm for finding maximum matching in general graphs. In: FOCS, pp. 17–27 (1980).Google Scholar
  20. 20.
    Motwani R.: Average-case analysis of algorithms for matchings and related problems. J. ACM 6, 1329–1356 (1994)MathSciNetCrossRefGoogle Scholar
  21. 21.
    Neven G., Smart N., Warinschi B.: Hash function requirements for Schnorr signatures. J. Math. Cryptol. 3, 69–87 (2009)MathSciNetMATHCrossRefGoogle Scholar
  22. 22.
    Pietro R.D., Mancini L., Mei A., Panconesi A., Radhakrishnan J.: Redoubtable sensor networks. ACM Trans. Inform. Systems Security 11, 1–22 (2008)CrossRefGoogle Scholar
  23. 23.
    Rivest R.: Abelian square-free dithering for iterated hash functions (2005).Google Scholar
  24. 24.
    Rybarczyk K.: Sharp threshold functions for the random intersection graph via coupling method., Nov (2009).
  25. 25.
    Shoup V.: A composition theorem for universal one-way hash functions. In: EUROCRYPT, Lecture Notes in Computer Science, vol. 1807, pp. 445–452, (2000).Google Scholar
  26. 26.
    Stallings W.: Cryptography and Network Security. PhD thesis, Johns Hopkins University, Baltimore, Maryland (1995).Google Scholar
  27. 27.
    Singer-Cohen K.B.: Random intersection graphs. Prentice Hall, New York (2006)Google Scholar
  28. 28.
    Stinson D.: Cryptography: Theory and Practice. Chapman & Hall/CRC Press Inc., Boca Raton (2006)MATHGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC 2011

Authors and Affiliations

  • Simon R. Blackburn
    • 1
  • Douglas R. Stinson
    • 2
  • Jalaj Upadhyay
    • 2
  1. 1.Department of MathematicsRoyal Holloway, University of LondonEghamUK
  2. 2.David R. Cheriton School of Computer ScienceUniversity of WaterlooWaterlooCanada

Personalised recommendations