Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Herding, Second Preimage, and Trojan Message Attacks Beyond Merkle-Damgaard



Elena Andreeva, Charles Bouillaguet , Orr Dunkelman, John M. Kelsey


In this paper we present new attack techniques to analyze the structure of hash functions that are not based on the classical Merkle-Damgaard construction. We extend the herding attack to concatenated hashes, and to certain hash functions that process each message block several times. Using this technique, we show a second preimage attack on the folklore "hash-twice" construction which process two concatenated copies of the message. We follow with showing how to apply the herding attack to tree hashes. Finally, we present a new type of attack - the trojan message attack, which allows for producing second preimages of unknown messages (from a small known space) when they are appended with a fixed suffix.
Proceedings Title
Selected Areas in Cryptography (Lecture Notes in Computer Science)
Conference Dates
August 13-14, 2009
Conference Location
Calgary, CA
Conference Title
16th Annual International Workshop, Selected Areas in Cryptography (SAC 2009)


concatenated hash, herding attack, second preimage attack, tree hash, Trojan message attack, zipper hash


Andreeva, E. , Bouillaguet, C. , Dunkelman, O. and Kelsey, J. (2009), Herding, Second Preimage, and Trojan Message Attacks Beyond Merkle-Damgaard, Selected Areas in Cryptography (Lecture Notes in Computer Science), Calgary, CA, [online],, (Accessed July 12, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created November 2, 2009, Updated October 12, 2021