Weimar-DM: A Highly Secure Double-Length Compression Function

  • Ewan Fleischmann
  • Christian Forler
  • Stefan Lucks
  • Jakob Wenzel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7372)


We present Weimar-DM, a double length compression function using two calls to a block cipher with 2n-bit key and n-bit block size to compress a 3n-bit string to a 2n-bit one. For Weimar-DM, we show that for n = 128, no adversary asking less than 2 n − 1.77 = 2126.23 queries can find a collision with probability greater than 1/2. This is the highest collision security bound ever shown for such a compression function. Even more important, our security analysis is much simpler than that for comparable functions as, e.g., Tandem-DM, Abreast-DM or Hirose-DM. We also give a preimage security analysis of Weimar-DM showing a near-optimal bound of 22n − 5 = 2251 queries. Our security bounds are asymptotically optimal.


double length compression function block cipher based ideal cipher model collision security preimage security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Armknecht, F., Fleischmann, E., Krause, M., Lee, J., Stam, M., Steinberger, J.: The Preimage Security of Double-Block-Length Compression Functions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 233–251. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  2. 2.
    Black, J.A., Rogaway, P., Shrimpton, T.: Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–335. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  3. 3.
    Bos, J.W., Özen, O., Stam, M.: Efficient Hashing Using the AES Instruction Set. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 507–522. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  4. 4.
    Bosselaers, A., Preneel, B. (eds.): RIPE 1992. LNCS, vol. 1007. Springer, Heidelberg (1995)Google Scholar
  5. 5.
    Brachtl, B., Coppersmith, D., Hyden, M.M., Meyer, C.H., Matyas, S.M., Oseas, J., Pilpel, S., Schilling, M.: Data authentication using modification detection codes based on a public one way encryption function. U.S. Patent No. 4,908,861, March 13 (1990)Google Scholar
  6. 6.
    Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435. Springer, Heidelberg (1990)zbMATHGoogle Scholar
  7. 7.
    Damgård, I.: A design principle for hash functions. In: Brassard [6], pp. 416–427Google Scholar
  8. 8.
    den Boer, B., Bosselaers, A.: Collisions for the Compression Function of MD-5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1994)Google Scholar
  9. 9.
    Even, S., Mansour, Y.: A Construction of a Cipher From a Single Pseudorandom Permutation. In: Matsumoto, T., Imai, H., Rivest, R.L. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 210–224. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  10. 10.
    Fleischmann, E., Gorski, M., Lucks, S.: On the Security of Tandem-DM. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 84–103. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  11. 11.
    Fleischmann, E., Gorski, M., Lucks, S.: Security of Cyclic Double Block Length Hash Functions. In: Parker, M.G. (ed.) Cryptography and Coding 2009. LNCS, vol. 5921, pp. 153–175. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  12. 12.
    Dobbertin, H.: The status of MD5 after a recent attack (1996)Google Scholar
  13. 13.
    Hattori, M., Hirose, S., Yoshida, S.: Analysis of Double Block Length Hash Functions. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 290–302. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  14. 14.
    Hirose, S.: Provably Secure Double-Block-Length Hash Functions in a Black-Box Model. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 330–342. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  15. 15.
    Hirose, S.: Some Plausible Constructions of Double-Block-Length Hash Functions. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 210–225. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  16. 16.
    Hohl, W., Lai, X., Meier, T., Waldvogel, C.: Security of Iterated Hash Functions Based on Block Ciphers. In: Stinson [40], pp. 379–390Google Scholar
  17. 17.
    ISO/IEC. ISO DIS 10118-2: Information technology - Security techniques - Hash-functions, Part 2: Hash-functions using an n-bit block cipher algorithm. First released in 1992 (2000)Google Scholar
  18. 18.
    Kilian, J., Rogaway, P.: How to Protect DES against Exhaustive Key Search. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 252–267. Springer, Heidelberg (1996)Google Scholar
  19. 19.
    Knudsen, L.R., Lai, X., Preneel, B.: Attacks on Fast Double Block Length Hash Functions. J. Cryptology 11(1), 59–72 (1998)MathSciNetzbMATHCrossRefGoogle Scholar
  20. 20.
    Knudsen, L.R., Muller, F.: Some Attacks Against a Double Length Hash Proposal. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 462–473. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  21. 21.
    Lee, J., Kwon, D.: The security of abreast-dm in the ideal cipher model. Cryptology ePrint Archive, Report 2009/225 (2009),
  22. 22.
    Lee, J., Kwon, D.: The Security of Abreast-DM in the Ideal Cipher Model. IACR Cryptology ePrint Archive, 2009, 225 (2009)Google Scholar
  23. 23.
    Lee, J., Stam, M.: MJH: A Faster Alternative to MDC-2. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 213–236. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  24. 24.
    Lee, J., Stam, M., Steinberger, J.: The Collision Security of Tandem-DM in the Ideal Cipher Model. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 561–577. Springer, Heidelberg (2011)Google Scholar
  25. 25.
    Rabin, M.: Digitalized Signatures (1978)Google Scholar
  26. 26.
    Menezes, A., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press (1996)Google Scholar
  27. 27.
    Merkle, R.C.: One Way Hash Functions and DES. In: Brassard [6], pp. 428–446Google Scholar
  28. 28.
    Nandi, M., Lee, W.I., Sakurai, K., Lee, S.: Security Analysis of a 2/3-Rate Double Length Compression Function in the Black-Box Model. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 243–254. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  29. 29.
    NIST National Institute of Standards and Technology. FIPS 180-1: Secure Hash Standard (April 1995),
  30. 30.
    NIST National Institute of Standards and Technology. FIPS 180-2: Secure Hash Standard (April 1995),
  31. 31.
    Preneel, B., Govaerts, R., Vandewalle, J.: Hash Functions Based on Block Ciphers: A Synthetic Approach. In: Stinson [40], pp. 368–378Google Scholar
  32. 32.
    Rivest, R.L.: RFC 1321: The MD5 Message-Digest Algorithm. Internet Activities Board (April 1992)Google Scholar
  33. 33.
    Rivest, R.L.: The MD4 Message Digest Algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991)Google Scholar
  34. 34.
    Rogaway, P., Shrimpton, T.: Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 371–388. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  35. 35.
    Rogaway, P., Steinberger, J.P.: Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 433–450. Springer, Heidelberg (2008)Google Scholar
  36. 36.
    Rogaway, P., Steinberger, J.P.: Security/Efficiency Tradeoffs for Permutation-Based Hashing. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 220–236. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  37. 37.
    Satoh, Haga, Kurosawa: Towards secure and fast hash functions. TIEICE: IEICE Transactions on Communications/Electronics/Information and Systems (1999)Google Scholar
  38. 38.
    Stam, M.: Blockcipher-Based Hashing Revisited. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 67–83. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  39. 39.
    Steinberger, J.P.: The Collision Intractability of MDC-2 in the Ideal-Cipher Model. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 34–51. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  40. 40.
    Stinson, D.R. (ed.): CRYPTO 1993. LNCS, vol. 773. Springer, Heidelberg (1994)zbMATHGoogle Scholar
  41. 41.
    Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the Hash Functions MD4 and RIPEMD. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  42. 42.
    Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)Google Scholar
  43. 43.
    Winternitz, R.S.: A Secure One-Way Hash Function Built from DES. In: IEEE Symposium on Security and Privacy, pp. 88–90 (1984)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Ewan Fleischmann
    • 1
  • Christian Forler
    • 1
  • Stefan Lucks
    • 1
  • Jakob Wenzel
    • 1
  1. 1.Bauhaus-Universität WeimarGermany

Personalised recommendations