Cryptanalysis of MDC-2

  • Lars R. Knudsen
  • Florian Mendel
  • Christian Rechberger
  • Søren S. Thomsen
Conference paper

DOI: 10.1007/978-3-642-01001-9_6

Part of the Lecture Notes in Computer Science book series (LNCS, volume 5479)
Cite this paper as:
Knudsen L.R., Mendel F., Rechberger C., Thomsen S.S. (2009) Cryptanalysis of MDC-2. In: Joux A. (eds) Advances in Cryptology - EUROCRYPT 2009. EUROCRYPT 2009. Lecture Notes in Computer Science, vol 5479. Springer, Berlin, Heidelberg

Abstract

We provide a collision attack and preimage attacks on the MDC-2 construction, which is a method (dating back to 1988) of turning an n-bit block cipher into a 2n-bit hash function. The collision attack is the first below the birthday bound to be described for MDC-2 and, with n = 128, it has complexity 2124.5, which is to be compared to the birthday attack having complexity 2128. The preimage attacks constitute new time/memory trade-offs; the most efficient attack requires time and space about 2n, which is to be compared to the previous best known preimage attack of Lai and Massey (Eurocrypt ’92), having time complexity 23n/2 and space complexity 2n/2, and to a brute force preimage attack having complexity 22n.

Keywords

MDC-2 hash function collision preimage 
Download to read the full conference paper text

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Lars R. Knudsen
    • 1
  • Florian Mendel
    • 2
  • Christian Rechberger
    • 2
  • Søren S. Thomsen
    • 1
  1. 1.Department of MathematicsTechnical University of DenmarkLyngbyDenmark
  2. 2.Institute for Applied Information Processing and Communications (IAIK)Graz University of TechnologyGrazAustria

Personalised recommendations