Advances in Cryptology - EUROCRYPT 2007

Volume 4515 of the series Lecture Notes in Computer Science pp 34-51

The Collision Intractability of MDC-2 in the Ideal-Cipher Model

  • John P. SteinbergerAffiliated withDept. of Mathematics, University of California


We provide the first proof of security for MDC-2, the most well-known construction for turning an n-bit blockcipher into a 2n-bit cryptographic hash function. Our result, which is in the ideal-cipher model, shows that MDC-2, when built from a blockcipher having blocklength and keylength n, has security much better than that delivered by any hash function that has an n-bit output. When the blocklength and keylength are n = 128 bits, as with MDC-2 based on AES-128, an adversary that asks fewer than 274.9 queries usually cannot find a collision.


Collision-resistant hashing cryptographic hash functions ideal-cipher model MDC-2