New Second-Preimage Attacks on Hash Functions

Elena Andreeva, Charles Bouillaguet, Orr Dunkelman, Pierre Alain Fouque, Jonathan Hoch, John Kelsey, Adi Shamir, Sébastien Zimmer

Research output: Contribution to journalArticlepeer-review


In this work, we present several new generic second-preimage attacks on hash functions. Our first attack is based on the herding attack and applies to various Merkle–Damgård-based iterative hash functions. Compared to the previously known long-message second-preimage attacks, our attack offers more flexibility in choosing the second-preimage message at the cost of a small computational overhead. More concretely, our attack allows the adversary to replace only a few blocks in the original target message to obtain the second preimage. As a result, our new attack is applicable to constructions previously believed to be immune to such second-preimage attacks. Among others, these include the dithered hash proposal of Rivest, Shoup’s UOWHF, and the ROX constructions. In addition, we also suggest several time-memory-data tradeoff attack variants, allowing for a faster online phase, and even finding second preimages for shorter messages. We further extend our attack to sequences stronger than the ones suggested in Rivest’s proposal. To this end we introduce the kite generator as a new tool to attack any dithering sequence over a small alphabet. Additionally, we analyse the second-preimage security of the basic tree hash construction. Here we also propose several second-preimage attacks and their time-memory-data tradeoff variants. Finally, we show how both our new and the previous second-preimage attacks can be applied even more efficiently when multiple short messages, rather than a single long target message, are available.

Original languageEnglish
Pages (from-to)657-696
Number of pages40
JournalJournal of Cryptology
Issue number4
StatePublished - 1 Oct 2016

Bibliographical note

Publisher Copyright:
© 2015, International Association for Cryptologic Research.


  • Cryptanalysis
  • Dithering sequence
  • Hash function
  • Herding attack
  • Kite Generator
  • Second-preimage attack

ASJC Scopus subject areas

  • Software
  • Computer Science Applications
  • Applied Mathematics


Dive into the research topics of 'New Second-Preimage Attacks on Hash Functions'. Together they form a unique fingerprint.

Cite this