
Designs, Codes and Cryptography, Volume 73, Issue 1, pp 121–150

On the collision and preimage security of MDC-4 in the ideal cipher model

  • Bart Mennink
Article

Abstract

We present a collision and preimage security analysis of MDC-4, a 24-year-old construction for transforming an n-bit block cipher into a 2n-bit hash function. We start with MDC-4 based on a single block cipher, and prove that any adversary with query access to the underlying block cipher requires at least \(2^{5n/8}\) queries (asymptotically) to find a collision. For preimage resistance, we present a surprising negative result: for a target image with the same left and right half, a preimage for the full MDC-4 hash function can be found in \(2^n\) queries. Yet, restricted to target images with different left and right halves, we prove that at least \(2^{5n/4}\) queries (asymptotically) are required to find a preimage. Next, we consider MDC-4 based on two independent block ciphers, a model that is less general but closer to the original design, and prove that the collision bound of \(2^{5n/8}\) queries and the preimage bound of \(2^{5n/4}\) queries apply to both the MDC-4 compression function and the hash function design. With these results, we are the first to formally confirm that MDC-4 offers a higher level of provable security than MDC-2.
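To make the construction discussed in the abstract concrete, the following is an added example (not code from the paper or its author) of the MDC-4 compression function and iterated hash in Python. It uses a constructed 64-bit Feistel cipher as a stand-in for the ideal cipher E, the standard Matyas-Meyer-Oseas step E_K(M) XOR M, and a constructed padding rule; the IV halves, the parameter n = 64 and the function names are assumptions of this example. The final helper checks a structural property the abstract's special case is tied to: when both chaining halves are equal, the two lanes of MDC-4 compute identical values and the output halves are equal again, so the 2n-bit state carries only n bits of entropy. That check is an observation about the structure, not the paper's proof or attack.

```python
import hashlib

# Toy parameters (assumption): an n-bit block cipher with an n-bit key, n = 64.
N = 64
HALF = N // 2
HMASK = (1 << HALF) - 1
ROUNDS = 8

# Distinct IV halves; the values are constructed for this example.
IV_A = 0x5252525252525252
IV_B = 0x2525252525252525


def _round_function(key: int, rnd: int, half: int) -> int:
    """Keyed round function of the toy Feistel cipher (hash-based; constructed)."""
    data = key.to_bytes(N // 8, "big") + bytes([rnd]) + half.to_bytes(HALF // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: HALF // 8], "big")


def toy_encrypt(key: int, block: int) -> int:
    """Balanced Feistel network: a permutation of n-bit blocks for every key,
    standing in for the ideal cipher E. MDC-4 only ever calls E in the forward direction."""
    l, r = block >> HALF, block & HMASK
    for i in range(ROUNDS):
        l, r = r, l ^ _round_function(key, i, r)
    return (l << HALF) | r


def toy_decrypt(key: int, block: int) -> int:
    """Inverse of toy_encrypt; included only to show the cipher is a permutation."""
    l, r = block >> HALF, block & HMASK
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _round_function(key, i, l), l
    return (l << HALF) | r


def mmo(key: int, block: int) -> int:
    """Matyas-Meyer-Oseas step: E_key(block) XOR block."""
    return toy_encrypt(key, block) ^ block


def swap_right_halves(v: int, w: int) -> tuple[int, int]:
    """Return (v_L || w_R, w_L || v_R), the half-swap used between MDC-2/MDC-4 layers."""
    return ((v >> HALF) << HALF) | (w & HMASK), ((w >> HALF) << HALF) | (v & HMASK)


def mdc4_compress(a: int, b: int, m: int) -> tuple[int, int]:
    """One MDC-4 compression of (a, b, m) -> (a', b'): two MDC-2-style layers.
    Layer 1 hashes the message block under both chaining halves; layer 2 hashes
    the opposite chaining half under the swapped layer-1 outputs."""
    v, w = swap_right_halves(mmo(a, m), mmo(b, m))
    x, y = mmo(v, b), mmo(w, a)
    return swap_right_halves(x, y)


def _pad(msg: bytes) -> bytes:
    """Constructed padding: 0x80, zeros to a block boundary, then one block
    holding the message bit length (not the ISO/IEC 10118-2 padding)."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % (N // 8))
    return padded + (8 * len(msg)).to_bytes(N // 8, "big")


def mdc4_hash(msg: bytes, iv: tuple[int, int] = (IV_A, IV_B)) -> bytes:
    """Iterate mdc4_compress over the padded message; returns the 2n-bit digest."""
    a, b = iv
    data = _pad(msg)
    for i in range(0, len(data), N // 8):
        m = int.from_bytes(data[i:i + N // 8], "big")
        a, b = mdc4_compress(a, b, m)
    return a.to_bytes(N // 8, "big") + b.to_bytes(N // 8, "big")


def halves_stay_equal(a: int, m: int) -> bool:
    """Structural check: with equal chaining halves (a, a) both lanes see the
    same key and the same input, so the output halves are equal as well."""
    out_a, out_b = mdc4_compress(a, a, m)
    return out_a == out_b


if __name__ == "__main__":
    print(mdc4_hash(b"abc").hex())
    print("equal halves stay equal:", halves_stay_equal(0x1234, 0xABCD))
```

The design choice worth noting for a defender is the last function: an implementation that ever lets the two chaining halves coincide (for example by choosing an IV with identical halves) has silently reduced a 2n-bit state to n bits, which is exactly the regime in which the abstract's preimage bound no longer holds.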

Keywords

MDC-4 · Double block length · Hash function · Collision resistance · Preimage resistance

Mathematics Subject Classification (2000)

94A60 

Notes

Acknowledgments

This work has been funded in part by the IAP Program P6/26 BCRYPT of the Belgian State (Belgian Science Policy), in part by the European Commission through the ICT program under contract ICT-2007-216676 ECRYPT II, and in part by the Research Council K.U.Leuven: GOA TENSE. The author is supported by a Ph.D. Fellowship from the Institute for the Promotion of Innovation through Science and Technology in Flanders (IWT-Vlaanderen).

References

  1. Meyer C., Schilling M.: Secure program load with manipulation detection code. In: Proc. Securicom, pp. 111–130 (1988).
  2. Brachtl B., Coppersmith D., Hyden M., Matyas S., Meyer C., Oseas J., Pilpel S., Schilling M.: Data authentication using modification detection codes based on a public one way encryption function. U.S. Patent Number 4,908,861 (1990).
  3. Brachtl B., Coppersmith D., Hyden M., Matyas S., Meyer C., Oseas J., Pilpel S., Schilling M.: ISO/IEC 10118–2:2010. Information technology—Security techniques—Hash-functions—Part 2: Hash-functions using an \(n\)-bit block cipher (1994, revised in 2010).
  4. Knudsen L., Mendel F., Rechberger C., Thomsen S.: Cryptanalysis of MDC-2. In: Advances in Cryptology—EUROCRYPT 2009. Lecture Notes in Computer Science, vol. 5479, pp. 106–120. Springer, Heidelberg (2009).
  5. Steinberger J.: The collision intractability of MDC-2 in the ideal-cipher model. In: Advances in Cryptology—EUROCRYPT 2007. Lecture Notes in Computer Science, vol. 4515, pp. 34–51. Springer, Heidelberg (2007).
  6. FIPS 140–2: Security Policy for IBM ‘CryptoLite in C’ (CLiC) (2003).
  7. Fleischmann E., Forler C., Lucks S.: The collision security of MDC-4. In: Progress in Cryptology—AFRICACRYPT 2012. Lecture Notes in Computer Science, vol. 7374, pp. 252–269. Springer, Heidelberg (2012).
  8. Damgård I.: A design principle for hash functions. In: Advances in Cryptology—CRYPTO ’89. Lecture Notes in Computer Science, vol. 435, pp. 416–427. Springer, Heidelberg (1990).
  9. Merkle R.: One way hash functions and DES. In: Advances in Cryptology—CRYPTO ’89. Lecture Notes in Computer Science, vol. 435, pp. 428–446. Springer, Heidelberg (1990).
  10. Matyas S., Meyer C., Oseas J.: Generating strong one-way functions with cryptographic algorithm. IBM Tech. Discl. Bull. 27(10A), 5658–5659 (1985).
  11. Knudsen L., Preneel B.: Fast and secure hashing based on codes. In: Advances in Cryptology—CRYPTO ’97. Lecture Notes in Computer Science, vol. 1294, pp. 485–498. Springer, Heidelberg (1997).
  12. Hong D., Kwon D.: New preimage attack on MDC-4. Cryptology ePrint Archive, Report 2012/633 (2012).
  13. Fleischmann E., Forler C., Lucks S., Wenzel J.: The collision security of MDC-4. Cryptology ePrint Archive, Report 2012/096. Full version of [7] (2012).
  14. Black J., Rogaway P., Shrimpton T.: Black-box analysis of the block-cipher-based hash-function constructions from PGV. In: Advances in Cryptology—CRYPTO 2002. Lecture Notes in Computer Science, vol. 2442, pp. 320–335. Springer, Heidelberg (2002).
  15. Armknecht F., Fleischmann E., Krause M., Lee J., Stam M., Steinberger J.: The preimage security of double-block-length compression functions. In: Advances in Cryptology—ASIACRYPT 2011. Lecture Notes in Computer Science, vol. 7073, pp. 233–251. Springer, Heidelberg (2011).
  16. Lee J., Stam M., Steinberger J.: The preimage security of double-block-length compression functions. Cryptology ePrint Archive, Report 2011/210 (2011).
  17. Andreeva E., Neven G., Preneel B., Shrimpton T.: Seven-property-preserving iterated hashing: ROX. In: Advances in Cryptology—ASIACRYPT 2007. Lecture Notes in Computer Science, vol. 4833, pp. 130–146. Springer, Heidelberg (2007).
  18. Lai X., Massey J.: Hash function based on block ciphers. In: Advances in Cryptology—EUROCRYPT ’92. Lecture Notes in Computer Science, vol. 658, pp. 55–70. Springer, Heidelberg (1992).
  19. Hirose S.: Some plausible constructions of double-block-length hash functions. In: Fast Software Encryption 2006. Lecture Notes in Computer Science, vol. 4047, pp. 210–225. Springer, Heidelberg (2006).
  20. Hirose S.: Provably secure double-block-length hash functions in a black-box model. In: Information Security and Cryptology 2004. Lecture Notes in Computer Science, vol. 3506, pp. 330–342. Springer, Heidelberg (2005).
  21. Özen O., Stam M.: Another glance at double-length hashing. In: IMA International Conference 2009. Lecture Notes in Computer Science, vol. 5921, pp. 176–201. Springer, Heidelberg (2009).
  22. Fleischmann E., Gorski M., Lucks S.: Security of cyclic double block length hash functions. In: IMA International Conference 2009. Lecture Notes in Computer Science, vol. 5921, pp. 153–175. Springer, Heidelberg (2009).
  23. Lee J., Kwon D.: The security of Abreast-DM in the ideal cipher model. Cryptology ePrint Archive, Report 2009/225 (2009).
  24. Lee J., Stam M., Steinberger J.: The collision security of Tandem-DM in the ideal cipher model. In: Advances in Cryptology—CRYPTO 2011. Lecture Notes in Computer Science, vol. 6841, pp. 561–577. Springer, Heidelberg (2011).
  25. Jetchev D., Özen O., Stam M.: Collisions are not incidental: A compression function exploiting discrete geometry. In: Theory of Cryptography Conference 2012. Lecture Notes in Computer Science, vol. 7194, pp. 303–320. Springer, Berlin (2012).
  26. Mennink B.: Optimal collision security in double block length hashing with single length key. In: Advances in Cryptology—ASIACRYPT 2012. Lecture Notes in Computer Science, vol. 7658, pp. 526–543. Springer, Heidelberg (2012).
  27. Rogaway P., Shrimpton T.: Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. In: Fast Software Encryption 2004. Lecture Notes in Computer Science, vol. 3017, pp. 371–388. Springer, Heidelberg (2004).
  28. Lee J., Stam M., Steinberger J.: The collision security of Tandem-DM in the ideal cipher model. Cryptology ePrint Archive, Report 2010/409. Full version of [24] (2010).

Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  1. Department of Electrical Engineering, ESAT/COSIC, Katholieke Universiteit Leuven and iMinds, Leuven, Belgium
