The Collision Intractability of MDC-2 in the Ideal-Cipher Model

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4515)


We provide the first proof of security for MDC-2, the most well-known construction for turning an n-bit blockcipher into a 2n-bit cryptographic hash function. Our result, which is in the ideal-cipher model, shows that MDC-2, when built from a blockcipher having blocklength and keylength n, has security much better than that delivered by any hash function that has an n-bit output. When the blocklength and keylength are n = 128 bits, as with MDC-2 based on AES-128, an adversary that asks fewer than 274.9 queries usually cannot find a collision.


Collision-resistant hashing cryptographic hash functions ideal-cipher model MDC-2 


  1. 1.
    ANSI X9.31. Public key cryptography using reversible algorithms for the financial services industry. American National Standards Institute (1998)Google Scholar
  2. 2.
    den Boer, B., Bosselaers, A.: Collisions for the compression function of MD5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1994)Google Scholar
  3. 3.
    Black, J., Cochran, M., Shrimpton, T.: On the impossibility of highly efficient blockcipher-based hash functions. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, Springer, Heidelberg (2005)CrossRefGoogle Scholar
  4. 4.
    Black, J., Rogaway, P., Shrimpton, T.: Black-box analysis of the block-cipher-based hash-function constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–355. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  5. 5.
    Brachtl, B., Coppersmith, D., Hyden, M., Matyas, S., Meyer, C., Oseas, J., Pilpel, S., Schilling, M.: Data authentication using modification detection codes based on a public one-way encryption function. US Patent #4,908,861. Awarded March 13, 1990 (filed August 28, 1987)Google Scholar
  6. 6.
    Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)Google Scholar
  7. 7.
    Dobbertin, H.: The status of MD5 after a recent attack. CryptoBytes 2(2) (1996)Google Scholar
  8. 8.
    Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. In: Matsumoto, T., Imai, H., Rivest, R.L. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 210–224. Springer, Heidelberg (1993)Google Scholar
  9. 9.
    Hattori, M., Hirose, S., Yoshida, S.: Analysis of double block length hash functions. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 290–302. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  10. 10.
    Hirose, S.: Provably secure double-block-length hash functions in a black box model. In: Park, C.-s., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 330–342. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  11. 11.
    Hirose, S.: Some plausible constructions of double-block-length hash functions. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 210–225. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  12. 12.
    Hohl, W., Lai, X., Meier, T., Waldvogel, C.: Security of iterated hash functions based on block ciphers. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 379–390. Springer, Heidelberg (1994)Google Scholar
  13. 13.
    ISO/IEC 10118-2:2000. Information technology – Security techniques – Hash functions – Hash functions using an n-bit block cipher. International Organization for Standardization, Geneva, Switzerland (2000), First released in (1992)Google Scholar
  14. 14.
    Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004)Google Scholar
  15. 15.
    Kilian, J., Rogaway, P.: How to Protect DES Against Exhaustive Key Search. Journal of Cryptology 14(1), 17–35 (2001)zbMATHCrossRefMathSciNetGoogle Scholar
  16. 16.
    Knudsen, L., Lai, X., Preneel, B.: Attacks on fast double block length hash functions. Journal of Cryptology 11(1), 59–72 (1998)zbMATHCrossRefMathSciNetGoogle Scholar
  17. 17.
    Lai, X., Massey, J.: Hash functions based on block ciphers. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 55–70. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  18. 18.
    Lee, W., Nandi, M., Sarkar, P., Chang, D., Lee, S., Sakurai, K.: PGV-style block-cipher-based hash families and black-box analysis. IEICE Transactions 88-A(1), 39–48 (2005)Google Scholar
  19. 19.
    Lucks, S.: Design principles for iterated hash functions. Cryptology ePrint Archive, Report 2004/253 (2004)Google Scholar
  20. 20.
    Matyas, S., Meyer, C., Oseas, J.: Generating strong one-way functions with cryptographic algorithm. IBM Technical Disclosure Bulletin 27, 5658–5659 (1985)Google Scholar
  21. 21.
    Merkle, R.: One way hash functions and DES. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 428–446. Springer, Heidelberg (1990)Google Scholar
  22. 22.
    Meyer, C., Matyas, S.: Secure program load with manipulation detection code. In: Proceedings of the 6th Worldwide Congress on Computer and Communications Security and Protection (SECURICOM ’88), pp. 111–130 (1988)Google Scholar
  23. 23.
    Nandi, M., Lee, W., Sakurai, K., Lee, S.: Security analysis of a 2/3-rate double length compression function in the black-box model. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 243–254. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  24. 24.
    Nandi, M.: Towards optimal double-length hash functions. In: Maitra, S., Veni Madhavan, C.E., Venkatesan, R. (eds.) INDOCRYPT 2005. LNCS, vol. 3797, pp. 77–89. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  25. 25.
    Rabin, M.: Digitalized signatures. In: DeMillo, R., Dobkin, D., Jones, A., Lipton, R. (eds.) Foundations of Secure Computation, pp. 155–168. Academic Press, London (1978)Google Scholar
  26. 26.
    Rivest, R.: The MD4 message digest algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991)Google Scholar
  27. 27.
    Rogaway, P., Shrimpton, T.: Cryptographic hash-function basics: definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision Resistance. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 371–388. Springer, Heidelberg (2004)Google Scholar
  28. 28.
    Satoh, T., Haga, M., Kurosawa, K.: Towards secure and fast hash functions. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E82–A(1), 55–62 (1999)Google Scholar
  29. 29.
    Steinberger, J.: The collision intractability of MDC-2 in the ideal-cipher model. Full version of this paper, Cryptology ePrint Archive, Report 2006/294 (2006)Google Scholar
  30. 30.
    Viega, J.: The AHASH mode of operation. Manuscript (2004), Available from
  31. 31.
    Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the hash functions MD4 and RIPEMD. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  32. 32.
    Wang, X., Yin, Y., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  1. 1.Dept. of MathematicsUniversity of CaliforniaDavisUSA

Personalised recommendations