Cryptanalysis of MDC-2

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5479)


We provide a collision attack and preimage attacks on the MDC-2 construction, which is a method (dating back to 1988) of turning an n-bit block cipher into a 2n-bit hash function. The collision attack is the first below the birthday bound to be described for MDC-2 and, with n = 128, it has complexity 2^124.5, which is to be compared to the birthday attack having complexity 2^128. The preimage attacks constitute new time/memory trade-offs; the most efficient attack requires time and space about 2^n, which is to be compared to the previous best known preimage attack of Lai and Massey (Eurocrypt '92), having time complexity 2^(3n/2) and space complexity 2^(n/2), and to a brute force preimage attack having complexity 2^(2n).
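As an added illustration of the construction the abstract refers to (this is example code, not code from the paper or from any standard), the following Python builds a 2n-bit hash from an n-bit block cipher the MDC-2 way: two Matyas-Meyer-Oseas lanes keyed by the two chaining values, followed by a swap of the right halves. The block cipher is a constructed toy Feistel cipher with n = 32 so the example runs offline; the key-fixing bit positions, the padding rule and the IV constants are assumptions of the example (the DES-based MDC-2 of ISO/IEC 10118-2 uses n = 64 and its own key-bit and padding rules). The lane structure and the half-swap are the MDC-2 design itself. On this toy the birthday bound for the 2n = 64-bit digest is 2^32, which is the quantity the paper's 2^124.5 (for n = 128) is measured against.

```python
"""Toy MDC-2: a 2n-bit hash built from an n-bit block cipher (constructed example)."""
from __future__ import annotations

# Toy parameters (constructed). The standard instantiates MDC-2 with DES,
# where n = 64 and the digest is 128 bits; n = 32 here keeps the arithmetic small.
N = 32                       # block and key size of the toy cipher, in bits
HALF = N // 2
MASK = (1 << N) - 1
HMASK = (1 << HALF) - 1
ROUNDS = 8


def _rotl(x: int, r: int, width: int) -> int:
    """Rotate x left by r bits within a `width`-bit word."""
    return ((x << r) | (x >> (width - r))) & ((1 << width) - 1)


def _round_fn(x: int, k: int) -> int:
    """Constructed Feistel round function: key addition, rotation-xor, affine multiply."""
    x = (x + k) & HMASK
    x ^= _rotl(x, 5, HALF)
    return (x * 0x9E37 + 0x79B9) & HMASK


def toy_encrypt(key: int, block: int) -> int:
    """n-bit Feistel block cipher standing in for DES/AES (toy, not secure)."""
    l, r = block >> HALF, block & HMASK
    for i in range(ROUNDS):
        subkey = _rotl(key, (7 * i) % N, N) & HMASK   # toy key schedule (assumption)
        l, r = r, l ^ _round_fn(r, subkey)
    return (l << HALF) | r


def _fix_key(k: int, tag: int) -> int:
    """Force the two top key bits to `tag` (0b10 for the left lane, 0b01 for the
    right lane). The DES instantiation fixes two key bits in the same spirit so the
    two lanes never encrypt under the same key; the bit positions used here are an
    assumption of the toy, not the DES ones."""
    return (k & (MASK >> 2)) | (tag << (N - 2))


def mdc2_compress(a: int, b: int, m: int) -> tuple[int, int]:
    """One MDC-2 step: two Matyas-Meyer-Oseas lanes, then swap the right halves.
    Returns the new chaining pair (A', B') = (V_L || W_R, W_L || V_R)."""
    v = toy_encrypt(_fix_key(a, 0b10), m) ^ m
    w = toy_encrypt(_fix_key(b, 0b01), m) ^ m
    v_l, v_r = v >> HALF, v & HMASK
    w_l, w_r = w >> HALF, w & HMASK
    return (v_l << HALF) | w_r, (w_l << HALF) | v_r


def _pad(msg: bytes) -> list[int]:
    """Padding chosen for this example (assumption, not the standard's rule):
    append 0x80, zero-fill to a block boundary, then one block holding the
    message bit length (requires bit length < 2^N)."""
    blk = N // 8
    data = msg + b"\x80"
    data += b"\x00" * ((-len(data)) % blk)
    data += (len(msg) * 8).to_bytes(blk, "big")
    return [int.from_bytes(data[i:i + blk], "big") for i in range(0, len(data), blk)]


def mdc2_hash(msg: bytes, iv_a: int = 0x52525252, iv_b: int = 0x25252525) -> bytes:
    """2n-bit MDC-2 digest of `msg`. The IVs repeat the bytes 0x52 / 0x25 of the
    DES-based standard, truncated to the toy block size (assumption)."""
    a, b = iv_a & MASK, iv_b & MASK
    for m in _pad(msg):
        a, b = mdc2_compress(a, b, m)
    return a.to_bytes(N // 8, "big") + b.to_bytes(N // 8, "big")


if __name__ == "__main__":
    for sample in (b"", b"abc", b"abd"):
        print(sample, mdc2_hash(sample).hex())
```

Each call to `mdc2_compress` costs two block-cipher calls and yields 2n bits of chaining state, which is the rate/size trade-off the abstract's complexities are stated against: a generic birthday collision on the 2n-bit output costs about 2^n, and a brute-force preimage about 2^(2n).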


Keywords: MDC-2, hash function, collision, preimage


  1. Brachtl, B.O., Coppersmith, D., Hyden, M.M., Matyas Jr., S.M., Meyer, C.H.W., Oseas, J., Pilpel, S., Schilling, M.: Data authentication using modification detection codes based on a public one way encryption function, March 13, 1990, US Patent no. 4,908,861. Assigned to IBM. Filed (August 28, 1987), (2008/09/02)
  2. Brent, R.P.: An improved Monte Carlo factorization algorithm. BIT Numerical Mathematics 20(2), 176–184 (1980)
  3. Cormen, T.H., Leiserson, C.E., Rivest, R.L.: Introduction to Algorithms. MIT Press, Cambridge (1990)
  4. De Cannière, C., Rechberger, C.: Preimages for Reduced SHA-0 and SHA-1. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 179–202. Springer, Heidelberg (2008)
  5. Feller, W.: An Introduction to Probability Theory and Its Applications, 3rd edn., vol. 1. Wiley, Chichester (1968)
  6. Floyd, R.W.: Nondeterministic Algorithms. Journal of the Association for Computing Machinery 14(4), 636–644 (1967)
  7. Hellman, M.E.: A Cryptanalytic Time–Memory Trade-Off. IEEE Transactions on Information Theory IT-26(4), 401–406 (1980)
  8. Hirose, S.: Some Plausible Constructions of Double-Block-Length Hash Functions. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 210–225. Springer, Heidelberg (2006)
  9. International Organization for Standardization. ISO/IEC 10118-2:1994. Information technology – Security techniques – Hash-functions – Part 2: Hash-functions using an n-bit block cipher algorithm (1994) (Revised in 2000)
  10. International Organization for Standardization. ISO 9735-6:2002. Electronic data interchange for administration, commerce and transport (EDIFACT) – Application level syntax rules (Syntax version number: 4, Syntax release number: 1) – Part 6: Secure authentication and acknowledgement message (message type – AUTACK) (2002), (2008/09/02)
  11. Joux, A.: Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004)
  12. Kelsey, J., Schneier, B.: Second Preimages on n-Bit Hash Functions for Much Less than 2^n Work. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 474–490. Springer, Heidelberg (2005)
  13. Knudsen, L.R., Lai, X., Preneel, B.: Attacks on Fast Double Block Length Hash Functions. Journal of Cryptology 11(1), 59–72 (1998)
  14. Knudsen, L.R., Preneel, B.: Fast and Secure Hashing Based on Codes. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 485–498. Springer, Heidelberg (1997)
  15. Kraus, D.: Integrity mechanism in German and international payment systems (2002), (2008/09/02)
  16. Lai, X., Massey, J.L.: Hash Functions Based on Block Ciphers. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 55–70. Springer, Heidelberg (1993)
  17. Leurent, G.: MD4 is Not One-Way. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 412–428. Springer, Heidelberg (2008)
  18. Lucks, S.: A Failure-Friendly Design Principle for Hash Functions. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 474–494. Springer, Heidelberg (2005)
  19. Mendel, F., Rijmen, V.: Weaknesses in the HAS-V Compression Function. In: Nam, K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 335–345. Springer, Heidelberg (2007)
  20. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997)
  21. Meyer, C.H., Schilling, M.: Secure Program Load with Manipulation Detection Code. In: Proceedings of SECURICOM 1988, pp. 111–130 (1988)
  22. Nandi, M.: Towards Optimal Double-Length Hash Functions. In: Maitra, S., Veni Madhavan, C.E., Venkatesan, R. (eds.) INDOCRYPT 2005. LNCS, vol. 3797, pp. 77–89. Springer, Heidelberg (2005)
  23. Nandi, M., Lee, W., Sakurai, K., Lee, S.: Security Analysis of a 2/3-Rate Double Length Compression Function in the Black-Box Model. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 243–254. Springer, Heidelberg (2005)
  24. National Bureau of Standards. Data Encryption Standard (DES), Federal Information Processing Standards Publication (FIPS PUB) 46 (January 15, 1977)
  25. Steinberger, J.P.: The Collision Intractability of MDC-2 in the Ideal-Cipher Model. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 34–51. Springer, Heidelberg (2007)
  26. Struif, B.: German Health Professional Card and Security Module Card, Specification, Pharmacist & Physician, v. 2.0 (2003), (2008/09/02)
  27. van Tilborg, H.C.A. (ed.): Encyclopedia of Cryptography and Security. Springer, Heidelberg (2005)
  28. Viega, J.: The AHASH Mode of Operation, Manuscript (September 2004), (2008/09/02)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  1. Department of Mathematics, Technical University of Denmark, Lyngby, Denmark
  2. Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Graz, Austria
