In this paper we extend the herding attacks for concatenated hash functions, i.e., hash functions of the form h(x) = h1(x)||h2(x). Our results actually apply to a much larger set of hash functions. We show that the generalized herding attack can be applied even when the compression function of h(·) can be written as two (or more) data paths, where one data path is not affected by the second (while the second may depend on the first). This result, along with Joux's original observations, shows that schemes that aim to improve the resistance of hash functions against these attacks must use diffusion between the various data paths.
Number of pages: 14
State: Published - 1 Jan 2007