The Collision Intractability of MDC-2 in the Ideal-Cipher Model

  • Authors:
  • John P. Steinberger

  • Affiliations:
  • Dept. of Mathematics, University of California, Davis, California 95616, USA

  • Venue:
  • EUROCRYPT '07 Proceedings of the 26th annual international conference on Advances in Cryptology
  • Year:
  • 2007

Quantified Score

Hi-index 0.00

Visualization

Abstract

We provide the first proof of security for MDC-2, the most well-known construction for turning an n-bit blockcipher into a 2n-bit cryptographic hash function. Our result, which is in the ideal-cipher model, shows that MDC-2, when built from a blockcipher having blocklength and keylength n, has security much better than that delivered by any hash function that has an n-bit output. When the blocklength and keylength are n= 128 bits, as with MDC-2 based on AES-128, an adversary that asks fewer than 274.9queries usually cannot find a collision.