Herding, second preimage and trojan message attacks beyond merkle-damgård

Elena Andreeva, Charles Bouillaguet, Orr Dunkelman, John Kelsey

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review


In this paper we present new attack techniques to analyze the structure of hash functions that are not based on the classical Merkle-Damgård construction. We extend the herding attack to concatenated hashes, and to certain hash functions that process each message block several times. Using this technique, we show a second preimage attack on the folklore "hash-twice" construction which process two concatenated copies of the message. We follow with showing how to apply the herding attack to tree hashes. Finally, we present a new type of attack - the trojan message attack, which allows for producing second preimages of unknown messages (from a small known space) when they are appended with a fixed suffix.

Original languageEnglish
Title of host publicationSelected Areas in Cryptography - 16th Annual International Workshop, SAC 2009, Revised Selected Papers
Number of pages22
StatePublished - 2009
Externally publishedYes
Event16th Annual International Workshop on Selected Areas in Cryptography, SAC 2009 - Calgary, AB, Canada
Duration: 13 Aug 200914 Aug 2009

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume5867 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference16th Annual International Workshop on Selected Areas in Cryptography, SAC 2009
CityCalgary, AB


  • Concatenated hash
  • Herding attack
  • Second preimage attack
  • Tree hash
  • Trojan message attack
  • Zipper hash

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science


Dive into the research topics of 'Herding, second preimage and trojan message attacks beyond merkle-damgård'. Together they form a unique fingerprint.

Cite this