The Preimage Security of Double-Block-Length Compression Functions

  • Frederik Armknecht
  • Ewan Fleischmann
  • Matthias Krause
  • Jooyoung Lee
  • Martijn Stam
  • John Steinberger
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7073)


We present new techniques for deriving preimage resistance bounds for block cipher based double-block-length, double-call hash functions. We give improved bounds on the preimage security of the three “classical” double-block-length, double-call, block cipher-based compression functions, these being Abreast-DM, Tandem-DM and Hirose’s scheme. For Hirose’s scheme, we show that an adversary must make at least 22n − 5 block cipher queries to achieve chance 0.5 of inverting a randomly chosen point in the range. For Abreast-DM and Tandem-DM we show that at least 22n − 10 queries are necessary. These bounds improve upon the previous best bounds of Ω(2 n ) queries, and are optimal up to a constant factor since the compression functions in question have range of size 22n .


Hash Function Preimage Resistance Block Cipher Beyond Birthday Bound Foundations 


  1. 1.
    Fleischmann, E., Gorski, M., Lucks, S.: On the Security of Tandem-DM. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 84–103. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  2. 2.
    Fleischmann, E., Gorski, M., Lucks, S.: Security of Cyclic Double Block Length Hash Functions. In: Parker, M.G. (ed.) Cryptography and Coding 2009. LNCS, vol. 5921, pp. 153–175. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  3. 3.
    Hirose, S.: Provably Secure Double-Block-Length Hash Functions in a Black-Box Model. In: Park, C.-s., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 330–342. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  4. 4.
    Hirose, S.: Some Plausible Constructions of Double-Block-Length Hash Functions. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 210–225. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  5. 5.
    Lai, X., Massey, J.L.: Hash Functions Based on Block Ciphers. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 55–70. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  6. 6.
    Lee, J., Kwon, D.: The security of Abreast-DM in the ideal cipher model,
  7. 7.
    Lee, J., Stam, M., Steinberger, J.: The Collision Security of Tandem-DM in the Ideal Cipher Model. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 561–577. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  8. 8.
    Özen, O., Stam, M.: Another Glance at Double-Length Hashing. In: Parker, M.G. (ed.) Cryptography and Coding 2009. LNCS, vol. 5921, pp. 176–201. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  9. 9.
    Rabin, M.: Digitalized signatures. In: Foundations of Secure Computations, pp. 155–166. Academic Press (1978)Google Scholar
  10. 10.
    Rogaway, P., Shrimpton, T.: Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision-Resistance. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 371–388. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  11. 11.
    Stam, M.: Blockcipher-Based Hashing Revisited. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 67–83. Springer, Heidelberg (2009)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Frederik Armknecht
    • 1
  • Ewan Fleischmann
    • 2
  • Matthias Krause
    • 1
  • Jooyoung Lee
    • 3
  • Martijn Stam
    • 4
  • John Steinberger
    • 5
  1. 1.Arbeitsgruppe Theoretische Informatik und DatensicherheitUniversity of MannheimGermany
  2. 2.Chair of Media SecurityBauhaus-University WeimarGermany
  3. 3.Faculty of Mathematics and StatisticsSejong UniversitySeoulKorea
  4. 4.Dept. of Computer ScienceUniversity of BristolUnited Kingdom
  5. 5.Institute of Theoretical Computer ScienceTsinghua UniversityBeijingChina

Personalised recommendations