Advances in Cryptology – ASIACRYPT 2011

Volume 7073 of the series Lecture Notes in Computer Science, pp. 233-251

The Preimage Security of Double-Block-Length Compression Functions

  • Frederik Armknecht (Arbeitsgruppe Theoretische Informatik und Datensicherheit, University of Mannheim)
  • Ewan Fleischmann (Chair of Media Security, Bauhaus-University Weimar)
  • Matthias Krause (Arbeitsgruppe Theoretische Informatik und Datensicherheit, University of Mannheim)
  • Jooyoung Lee (Faculty of Mathematics and Statistics, Sejong University)
  • Martijn Stam (Dept. of Computer Science, University of Bristol)
  • John Steinberger (Institute of Theoretical Computer Science, Tsinghua University)


We present new techniques for deriving preimage resistance bounds for block cipher based double-block-length, double-call hash functions. We give improved bounds on the preimage security of the three “classical” double-block-length, double-call, block cipher-based compression functions, these being Abreast-DM, Tandem-DM and Hirose’s scheme. For Hirose’s scheme, we show that an adversary must make at least $2^{2n-5}$ block cipher queries to achieve chance 0.5 of inverting a randomly chosen point in the range. For Abreast-DM and Tandem-DM we show that at least $2^{2n-10}$ queries are necessary. These bounds improve upon the previous best bounds of $\Omega(2^n)$ queries, and are optimal up to a constant factor since the compression functions in question have range of size $2^{2n}$.


Keywords: Hash Function, Preimage Resistance, Block Cipher, Beyond Birthday Bound, Foundations