Cryptanalysis of MDC-2

We provide a collision attack and preimage attacks on the MDC-2 construction, which is a method (dating back to 1988) of turning an $n$-bit block cipher into a $2n$-bit hash function. The collision attack is the first below the birthday bound to be described for MDC-2 and, with $n = 128$, it has complexity $2^{124.5}$, which is to be compared to the birthday attack having complexity $2^{128}$. The preimage attacks constitute new time/memory trade-offs; the most efficient attack requires time and space about $2^{n}$, which is to be compared to the previous best known preimage attack of Lai and Massey (Eurocrypt '92), having time complexity $2^{3n/2}$ and space complexity $2^{n/2}$, and to a brute force preimage attack having complexity $2^{2n}$.
