New Second-Preimage Attacks on Hash Functions

Elena Andreeva, Charles Bouillaguet, Orr Dunkelman, Pierre Alain Fouque, Jonathan Hoch, John Kelsey, Adi Shamir, Sébastien Zimmer

Research output: Contribution to journal; Article; peer-review


In this work, we present several new generic second-preimage attacks on hash functions. Our first attack is based on the herding attack and applies to various Merkle–Damgård-based iterative hash functions. Compared to the previously known long-message second-preimage attacks, our attack offers more flexibility in choosing the second-preimage message at the cost of a small computational overhead. More concretely, our attack allows the adversary to replace only a few blocks in the original target message to obtain the second preimage. As a result, our new attack is applicable to constructions previously believed to be immune to such second-preimage attacks. Among others, these include the dithered hash proposal of Rivest, Shoup’s UOWHF, and the ROX constructions. In addition, we also suggest several time-memory-data tradeoff attack variants, allowing for a faster online phase, and even finding second preimages for shorter messages. We further extend our attack to sequences stronger than the ones suggested in Rivest’s proposal. To this end we introduce the kite generator as a new tool to attack any dithering sequence over a small alphabet. Additionally, we analyse the second-preimage security of the basic tree hash construction. Here we also propose several second-preimage attacks and their time-memory-data tradeoff variants. Finally, we show how both our new and the previous second-preimage attacks can be applied even more efficiently when multiple short messages, rather than a single long target message, are available.

Original language: English
Pages (from-to): 657-696
Number of pages: 40
Journal: Journal of Cryptology
Issue number: 4
State: Published - 1 Oct 2016

Bibliographical note

Funding Information:
We thank Lily Chen and Barbara Guttman for their useful comments. We also thank Jean-Paul Allouche, Jeffrey Shallit, and James D. Currie for pointing out the existence of abelian square-free sequences of high complexity. In addition, we are grateful to the anonymous reviewers for their constructive comments and suggestions. This work has been funded in part by the Research Council KU Leuven: GOA TENSE (GOA/11/007) and OT/13/071, the IAP Program P6/26 BCRYPT of the Belgian State (Belgian Science Policy), and in part by the European Commission through the ICT program under contract ICT-2007-216676 ECRYPT II. The first author is supported by a Postdoctoral Fellowship from the Flemish Research Foundation (FWO-Vlaanderen). The third author was supported in part by the France Telecom Chair and in part by ISF Grant 827/12.

Publisher Copyright:
© 2015, International Association for Cryptologic Research.


  • Cryptanalysis
  • Dithering sequence
  • Hash function
  • Herding attack
  • Kite Generator
  • Second-preimage attack

ASJC Scopus subject areas

  • Software
  • Computer Science Applications
  • Applied Mathematics

