The Preimage Security of Double-Block-Length Compression Functions

* Final gross prices may vary according to local VAT.

Get Access


We present new techniques for deriving preimage resistance bounds for block cipher based double-block-length, double-call hash functions. We give improved bounds on the preimage security of the three “classical” double-block-length, double-call, block cipher-based compression functions, these being Abreast-DM, Tandem-DM and Hirose’s scheme. For Hirose’s scheme, we show that an adversary must make at least 22n − 5 block cipher queries to achieve chance 0.5 of inverting a randomly chosen point in the range. For Abreast-DM and Tandem-DM we show that at least 22n − 10 queries are necessary. These bounds improve upon the previous best bounds of Ω(2 n ) queries, and are optimal up to a constant factor since the compression functions in question have range of size 22n .