Ë Blockinóò Èööñ Øøø Blockin× Óò Øööö Àà×× Ùò Blockinøøóò× Ðò Òöööú

Abstra t. We develop a new generi long-message se ond preimage atta k, based on ombining the te hniques in the se ond preimage atta ks of Dean [8℄ and Kelsey and S hneier [16℄ with the herding atta k of Kelsey and Kohno [15℄. We show that these generi atta ks apply to hash fun tions using the Merkle-Damgård onstru tion with only slightly more work than the previously known atta k, but allow enormously more ontrol of the ontents of the se ond preimage found. Additionally, we show that our new atta k applies to several hash fun tion onstru tions whi h are not vulnerable to the previously known atta k, in luding the dithered hash proposal of Rivest [25℄, Shoup's UOWHF[26℄ and the ROX hash onstru tion [2℄. We analyze the properties of the dithering sequen e used in [25℄, and develop a time-memory tradeo whi h allows us to apply our se ond preimage atta k to a wide range of dithering sequen es, in luding sequen es whi h are mu h stronger than those in Rivest's proposals. Finally, we show that both the existing se ond preimage atta ks [8, 16℄ and our new atta k an be applied even more e iently to multiple target messages; in general, given a set of many target messages with a total of 2 message blo ks, these se ond preimage atta ks an nd a se ond preimage for one of those target messages with no more work than would be ne essary to nd a se ond preimage for a single target message of 2 message blo ks.