Conference paper
Cryptanalysis of MDC-2
We provide a collision attack and preimage attacks on the MDC-2 construction, which is a method (dating back to 1988) of turning an $n$-bit block cipher into a $2n$-bit hash function. The collision attack is the first below the birthday bound to be described for MDC-2 and, with $n=128$, it has complexity $2^{124.5}$, which is to be compared to the birthday attack having complexity $2^{128}$.
The preimage attacks constitute new time/memory trade-offs; the most efficient attack requires time and space about $2^n$, which is to be compared to the previous best known preimage attack of Lai and Massey (Eurocrypt '92), having time complexity $2^{3n/2}$ and space complexity $2^{n/2}$, and to a brute force preimage attack having complexity $2^{2n}$.
| Language: | English |
|---|---|
| Publisher: | Springer |
| Year: | 2009 |
| Pages: | 106-120 |
| Proceedings: | EUROCRYPT 2009 |
| Series: | Lecture Notes in Computer Science |
| Journal subtitle: | 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cologne, Germany, April 26-30, 2009. Proceedings |
| Types: | Conference paper |
| DOI: | 10.1007/978-3-642-01001-9_6 |
| ORCIDs: | Knudsen, Lars Ramkilde |
