Provable Chosen-Target-Forced-Midfix Preimage Resistance

This paper deals with definitional aspects of the herding attack of Kelsey and Kohno, and investigates the provable security of several hash functions against herding attacks. Firstly, we define the notion of chosen-target-forced-midfix (CTFM) as a generalization of the classical herding (chosen-target-forced-prefix) attack to the cases where the challenge message is not only a prefix but may appear at any place in the preimage. Additionally, we identify four variants of the CTFM notion in the setting where salts are explicit input parameters to the hash function. Our results show that including salts without weakening the compression function does not add up to the CTFM security of the hash function. Our second and main technical result is a proof of CTFM security of the classical Merkle-Damg̊ard construction. The proof demonstrates in the ideal model that the herding attack of Kelsey and Kohno is optimal (asymptotically) and no attack with lower complexity exists. Our security analysis applies to a wide class of narrow-pipe Merkle-Damg̊ard based iterative hash functions, including enveloped Merkle-Damg̊ard, MerkleDamg̊ard with permutation, HAIFA, zipper hash and hash-twice hash functions. To our knowledge, this is the first positive result in this field. Finally, having excluded salts from the possible tool set for improving narrow-pipe designs’ CTFM resistance, we resort to various message modification techniques. Our findings, however, result in the negative and we demonstrate CTFM attacks with complexity of the same order as the Merkle-Damg̊ard herding attack on a broad class of narrow-pipe schemes with specific message modifications.