Cryptanalysis of Some Double-Block-Length Hash Modes of Block Ciphers with n-bit Block and n-bit Key

Transcription

1 Cryptanalyss of Some Double-Block-Length Hash Modes of Block Cphers wth n-bt Block and n-bt Key Deukjo Hong and Daesung Kwon Abstract In ths paper, we make attacks on DBL (Double-Block-Length) hash modes of block cphers wth n-bt key and n-bt block. Our premage attack on the hash functon of MDC-4 scheme requres the tme complexty 2 3n/2, whch s sgnfcantly mproved compared to the prevous results. Our collson attack on the hash functon of MJH scheme has tme complexty less than for n = 128. Our premage attack on the compresson functon of MJH scheme fnd a premage wth tme complexty of 2 n. It s converted to a premage attack on the hash functon wth tme complexty of 2 3n/2+2. Our premage attack on the compresson functon of Mennnk s scheme fnd a premage wth tme complexty of 2 3n/2. It s converted to a premage attack on the hash functon wth tme complexty of 2 7n/4+1. These attacks are helpful for understandng the securty of the hash modes together wth ther securty proofs. Key words: Hash Functon, Hash Mode, Collson, Premage 1 Introducton Block cphers and hash functons are the most wdely used prmtves for cryptographc applcatons. For secure buldng, hash functons are often desgned based on block-cpher-lke components. Preneel, Govaerts, and Vandewalle [19] analyzed the securtes of 64 ways to make a compresson functon wth 2nbt nput and n-bt output from a sngle call of the underlyng block cpher wth n-bt block and n-bt key, under the assumpton of the use of Merkle-Damgård doman extender, and suggested 12 of them as secure ones. Later, ther objects are called PGV schemes. Black et al. [2] proved that the 12 schemes suggested n [19] make compresson functons collson-resstant and premage-resstant upto O(2 n/2 ) queres to the underlyng block cpher n the deal cpher model, and showed that for 8 of the remanng 52 schemes, the resultng compresson functons are weak but the resultng hash functons by usng Merkle-Damgård doman extender are collson-resstant and premage-resstant upto O(2 n/2 ) queres to the underlyng block cpher n the deal cpher model. In [20], Stam extended Black et al. s work to more generalzed verson of PGV schemes. Snce [2], most researches for provable securty of hash modes have used the assumptons of Merkle-Damgård doman extender and deal cpher model. Snce the length of the hash value from PGV hash modes s the same as the block length of the underlyng block cpher and block cphers usually have too short block length to provde conventonal securtes for hash functons, double-block-length (DBL) hash modes have often been researched. Abreast- DM [11], Tandem-DM [11], and Hrose s [6] schemes make the compresson functons wth 3n-bt nput and 2n-bt output from two calls of the underlyng block cpher wth n-bt block and 2n-bt key. These DBL hash modes are proved to have the securty bounds of O(2 n ) for collson resstance [6, 12, 13] and the securty bounds close to 2 2n for premage resstance [1], so they are very secure as long as the underlyng block cpher s secure. On the other hand, t seems to be more dffcult to buld secure hash modes from the block cpher wth n-bt block and n-bt key. We can model MDC-2 and MDC-4 schemes [7, 17] as such cases, although the orgnal ones used DS [4], whch s the block cpher wth 64-bt block and 56-bt key. MDC-2 scheme makes the compresson functon wth 3n-bt nput and 2n-bt output from two calls of the underlyng block cpher wth n-bt block and n-bt key, and MDC-4 scheme does the smlar work from four calls of 1

2 the underlyng block cpher. MDC-2 and MDC-4 schemes are proved to have the securty bound O(2 3n/5 ) for collson resstance [21, 5]. MJH [14] and Mennnk s [16] schemes are recently proposed DBL hash modes. The desgners of MJH proved that t has securty bound O(2 2n/3 log n ) for collson resstance. Mennnk proved hs scheme has securty bound O(2 n ) for collson resstance and securty bound O(2 3n/2 ) for premage resstance. Note that the except Mennnk s scheme, the above mentoned DBL hash modes of the underlyng block cpher wth n-bt block and n-bt key have securty bound not close to the conventonal level n bts of collson resstance requred for hash functons. ven Mennnk s scheme does not reach the conventonal level 2n bts of premage resstance requred for hash functons. Some one may use those hash modes by consderng the block length sutable for certan securty goals. However, what we want to address s that the proofs provdng partal securty do not gve us any knowledge about the securty for the adversary wth much more query access than the bounds. There exst some attacks on MDC-2 and MDC-4. [10] and [18] presented several attacks on MDC-2 and MDC-4 schemes wth DS, whch are translated for the underlyng block cpher wth n-bt block and n-bt key nto, as follows: collson attacks on compresson functons of MDC-2 and MDC-4 schemes wth tme complextes 2 n/2 and 2 3n/4, resp.; premage attacks on compresson functons of MDC-2 and MDC-4 schemes wth 2 n and 2 3n/2, resp.; premage attacks on hash functons of MDC-2 and MDC-4 schemes wth 2 3n/2+1 and 2 7n/4+1, respectvely. Knudsen et al. [9] presented the collson attack on the hash functon of MDC-2 scheme wth the tme complexty for n = 128, and the premage attack on the hash functon of MDC-2 scheme wth the tme complexty 2 n. These results are helpful for understandng the securty of the hash modes together wth the proofs. For example, for n = 128 Stenberger s proof of the collson resstance of MDC-2 mples any adversary makng less than has only a neglgble chance of fndng a collson n the deal cpher model, but Knudsen s attack shows an adversary computng compresson functons can fnd a collson wth hgh probablty. In ths paper, we present some attacks on MDC-4, MJH, and Mennnk s schemes as follows. 1. Premage attack on MDC-4 scheme: It requres the tme complexty 2 3n/2, whch s sgnfcantly mproved compared to the prevous result [10, 18]. 2. Collson and premage attacks on MJH scheme: Our collson attack on the hash functon of MJH scheme has tme complexty less than for n = 128. We show that a premage s found for the compresson functon of MJH scheme wth tme complexty of 2 n. Ths premage attack on the compresson functon s converted to a premage attack on the hash functon wth tme complexty of 2 3n/ Premage attack on Mennnk s scheme: We make a premage attack on the compresson functon n a dfferent way from the prevous one n [16], and convert t to a premage attack on the hash functon wth tme complexty of 2 7n/ Descrpton of DBL Hash Modes In ths secton, we gve a bref descrpton of MDC-4, MJH and Mennnk s schemes. We assume Merkle- Damgård doman extender s used for constructng the hash functon from the compresson functons of DBL schemes. Let K (P ) denote the encrypton of a plantext P usng a key K wth the block cpher, whch s assumed to be secure. If X s an n-bt strng, then we let X L denote the leftmost n/2 bts of X, and X R denote the rghtmost n/2 bts of X. For -th call of the compresson functon CF : {0, 1} n {0, 1} n {0, 1} n {0, 1} n {0, 1} n n Merkle-Damgård doman extender, we consder the nput channg varable (H, S ) {0, 1} n {0, 1} n, the message block M {0, 1} n, and the output channg varable (H +1, S +1 ) {0, 1} n {0, 1} n. Then, for the message blocks M 0, M 1,..., M l 1 {0, 1} n after paddng the message and the ntal value (H 0, S 0 ), Merkle-Damgård doman extender terates the compresson functon CF to produce the 2

3 H A A L X X L H +1 A R X R M S B B L Y Y L S +1 B R Y R Fgure 1: CF MDC-4 (H, S, M ) = (H +1, S +1 ) hash value (H l, S l ) as follows: (H +1, S +1 ) CF(H, S, M ) 0 l 1. We consder the paddng rule followng MD strengthen [15]. 2.1 MDC-4 Scheme MDC-4 scheme [7, 17] was orgnally defned usng DS [4] as the underlyng block cpher, but we assume that the underlyng block cpher has n-bt block and n-bt key. Gven a block cpher, the MDC- 4 compresson functon CF MDC-4 has 2n-bt channg varable and n-bt message block. For the nput channg varable (H, S ) and the message block M, (H +1, S +1 ) = CF MDC-4 (H, S, M ) s computed as follows: A H (M ) M ; B S (M ) M ; C B L A R ; D A L B R ; X C (H ) H ; Y D (S ) S ; H +1 Y L X R ; S +1 X L Y R. 2.2 MJH Scheme MJH scheme [14] has two auxlary components σ and θ. σ s an nvoluton on {0, 1} n wth no fxed pont, and θ s a multplcaton by a constant θ 0, 1 n GF (2 n ). The MJH compresson functon CF MJH has 2n-bt channg varable and n-bt message block, based on the block cpher wth n-bt block and n-bt key. For the nput channg varable (H, S ) and the message block M, (H +1, S +1 ) = CF MJH (H, S, M ) s computed as follows: X H M ; H +1 S (X) X; Y S (σ(x)) σ(x); S +1 (Y θ) H. 3

4 M H X H +1 S s Y q S +1 Fgure 2: CF MJH (H, S, M ) = (H +1, S +1 ) U a 1 (U,V,X) Y V A a 2 (U,V,X,W) a 3 (U,V,X) Z W a 3 (U,V,X,W) Fgure 3: CF Mennnk (U, V, W ) = (Y, Z) 2.3 Mennnk s Scheme Mennnk s scheme [16] comprses three calls of the underlyng block cpher and a 4 4 matrx A over GF (2 n ), defned as follows: a 11 a 12 a 13 0 A = a 21 a 22 a 23 a 24 a 31 a 32 a 33 a 34. a 41 a 42 a 43 a 44 Note that A s nvertble and a 24, a For clarty, we use the notatons a 1 = (a 11, a 12, a 13 ), a 3 = (a 31, a 32, a 33 ) GF (2 n ) 3, a 2 = (a 21, a 22, a 23, a 24 ), a 4 = (a 41, a 42, a 43, a 44 ) GF (2 n ) 4 n the descrpton. The compresson functon CF Mennnk of Mennnk s scheme has 3n-bt nput and 2n-bt output. For the nput (U, V, W ), (Y, Z) = CF Mennnk (U, V, W ) s computed as follows: X U (V ); K 1 a 1 (U, V, X); P 1 a 2 (U, V, X, W ); Y K1 (P 1 ) P 1 ; K 2 a 3 (U, V, X); P 2 a 4 (U, V, X, W ); Z K2 (P 2 ) P 2. In [16], t was not specfed how to correspond the varables (H, S, M ) and (H +1, V +1 ) to (U, V, W ) and (Y, Z), respectvely. We wll consder some cases for t n our attack. 4

5 3 Premage Attack on MDC-4 Hash Functon Consder CF MDC-4 (H, S, M ) = (H +1, S +1 ). If the followng equaton ( H (M ) M ) L = ( S (M ) M ) L (1) holds, then we can wrte H (M ) M (H ) H = X; S (M ) M (S ) S = Y, where A and B are n-bt values such that X = (S +1 ) L (H +1 ) R ; Y = (H +1 ) L (S +1 ) R. Note that the match n (1) s for n 2 bts. That s, the event occurs wth the probablty of 2 n/2. Usng the above observaton, we construct a premage attack on MDC-4 hash functon wth tme complexty of 2 3n 2 as follows, whch s also based on the tme-memory trade-off premage attack whch Knudsen et al. proposed for MDC-2 [9]. 1. Choose 2 n 2 +1 n-bt message blocks M. For each M, compute x(m) M(x) x for all x {0, 1} n and store the results n the table T M. After ths precomputaton, we get 2 n 2 +1 tables {T M }, where each has 2 n entres. 2. Compute X and Y for the target hash value (H l, S l ), and look up the tables to get the soluton (a, b) to the followng equatons: a(m) M(a) a = X; b (M) M(b) b = Y. On average, t s expected that at least 2 n 2 +1 solutons are found. Fnally, t s expected that there are two solutons satsfyng ( a (M) M) L = ( b (M) M) L. Wth ths soluton, two chld nodes of (H l, S l ) are made by lettng H l 1 = a and S l 1 = b and labelng the each edge wth the correspondng message block M. 3. For the new nodes, make ther chld nodes wth the same tables. Repeat ths procedure untl 2 n leaves are produced. 4. If the tree wth 2 n leaves has the depth t, take l = t + 1, and perform a brute force search startng from the ntal value (H 0, S 0 ) to fnd a match of (H 1, S 1 ) and the 2 n targets. If a match s found, then a premage s comprsed of the correspondng message blocks. The tme complexty of the above attack s 2 3n/2 and the memory requrement s about 2 3n/2 cells for 2n-bt values. 5

6 4 Collson Attack on MJH 4.1 Collson Attack on MJH Compresson Functon We fnd that we do not need to consder the rght half of the hash value n the collson attack for the MJH compresson functon, because after fndng a collson for the left half of the hash value, we can easly compute the left halves of the nput channg varable and the message blocks such that they gve a same hash value. The followng collson attack on the MJH compresson functon reflects on our observaton. 1. Randomly choose S and S +1, and fx them. 2. Randomly choose r dstnct X = H M : X (1), X (2),..., X (r), compute H (s) +1 = S (X (s) ) X (s) for s = 1,..., r, and then check whether there are at least one par of (s, j) such that X s X j and H (s) +1 = H(j) +1. (2) 3. If a par (s 1, s 2 ) satsfyng (2) s found, then compute H (s 1), H (s 2), M (s 1), and M (s 2) as follows: H (s j) = ( S (σ(x (sj) )) σ(x (sj) )) θ S +1 for j = 0, 1; M (s j) = H (s j) M (s j) for j = 0, Output (H (s 1), S, M (s 1) ) and (H (s 2), S, M (s 2) ) as a collson of the MJH compresson functon. The tme complexty of the above attack s domnated by r encryptons of the block cpher. Wth r = 2 n/2, we expect at least one collson for MJH compresson functon, because the rght half of the hash value s fxed. 4.2 Collson Attack on MJH Hash Functon We provde a 2-block collson attack on MJH hash functon. The frst step to fnd a collson for MJH hash functon s smlar to Knudsen et al. s attack for MDC-2 [9]. We make a mult-collson for the rght half S 1 of the 2n-bt output channg value n the frst block. The mult-collson from the frst block fx the key nputs to the block cphers n the second step. In the second step, we take a dfferent approach of choosng X = M 1 H 1 at random, nstead of M 1. Due to the fxed key nput, the computatons n the second block are almost ndependent of the frst block. Wth ths observaton, we make a collson attack on MJH hash functon as follows. 1. Choose suffcently many message blocks n the frst block, and obtan an r-collson for S 1. Denote the correspondng left halves of the output channg varable and the message blocks by H (1) 1, H(2) (1) 1,..., H(r) 1, and M 0, M (2) (r) 0,..., M 0, respectvely. 2. Choose randomly q dstnct X = H 1 M 1 : X (1), X (2),..., X (q), compute H () 2 = S1 (X () ) X () for = 1, 2,..., q, and collect the pars of (, j) such that j and H () 2 = H (j) 2 for 1, j q. 3. For the pars of (, j) colldng on H 2, compute Y (k) for k = and j as follows: Y (k) = ( S1 (σ(x (k) )) σ(x (k) )) θ, and check whether there s at least one par of (u, v) for 1 u, v r such that u v and H (u) 1 Y () = H (v) 1 Y (j). For such a tuple (, j, u, v), the same S 2 s produced from H (u) 1 Y () and H (v) 1 Y (j) or from H (v) 1 Y () and H (u) 1 Y (j). If such a tuple s found, output M (u) 0 (H (u) 1 X () ) and M (v) 0 (H(v) 1 X (j) ), or M (v) 0 (H(v) 1 X () ) and M (u) 0 (H (u) 1 X (j) ) as a collson. 6

7 Table 1: Tme complexty of the collson attack on MJH wth an n-bt block cpher, compared to brthday complexty, where T = TK. n r Collson Attack Brthday Attack Table 2: Tme complexty of the collson attack on MJH wth an n-bt block cpher, compared to brthday complexty, where T T K. n r Collson Attack Brthday Attack For more precse estmaton of tme complexty, we separate the costs of encrypton and key schedule n a call of block cpher. We consder that the compresson functon of MJH requres two encryptons and one key schedule operatons. Let T, T K, T K, and T CF be the tme costs wasted n one encrypton, one key schedule operaton, one block cpher call and one compresson functon operaton, respectvely. We estmate the complexty for the case that T s almost equal to T K (so, T K = 2T and T CF = 3 T ), and the case that T s much larger than T K (so, T K = T and T CF = 2 T ). In the frst step, we need ((r!) 2 (r 1)n ) 1/r block cpher encryptons wth key schedule operatons to get an r-collson for H R. The second step requres q block cpher encryptons. The tme complexty of the last step s neglgble compared to other steps. Snce there are ( r q 2)( 2) possbltes for parng (X (), X (j) ) s and (H (u) 1, H (v) 1 ) s, we expect a collson for V wth ( r q ) 2)( 2 = 2 2n, where ( r q ) = (rq) 2)( and q = 2 n+1 /r. Overall, the tme complexty of the above attack s estmated as (3) s approxmated to for the case of T = TK, and ((r!) 2 (r 1)n ) 1/r T K + 2 n+1 /rt. (3) ((r!) 2 (r 1)n ) 1/r n+1 /r 1 3 (((r!) 2 (r 1)n ) 1/r + 2 n+1 /r) 1 2 for the case of T T K., respectvely. For n = 128, we get the most effcent complextes of wth r = 14 for (4) and wth r = 15 for (5). 5 Premage Attack on MJH Scheme 5.1 Premage Attack on MJH Compresson Functon It s easy to fnd a premage of MJH compresson functon wth tme complexty of about 2 n T. The premage attack on MJH compresson functon s as follows. 1. Gven a 2n-bt target hash value (H +1, S +1 ), choose randomly S {0, 1} n and fx t. (4) (5) 7

8 2. Fnd X {0, 1} n such that S (X) X = H +1 wth brute force attack. 3. If such X s found, compute Y = ( S (σ(x)) σ(x)) θ, H = Y S +1, and M = H X. Then, (H, S, M ) s a premage. 5.2 Premage Attack on MJH Hash Functon We have to consder the paddng rule for constructng a premage attack on a hash functon from a premage attack on a compresson functon. We assume that the last message block contans a length nformaton of the message. In the attack descrbed n Secton, the attacker does not have a control on the message block unlke the premage attack on MDC-4 compresson functon descrbed n Secton. So, the attacker can not ntend to embed a predetermned length nformaton to the premage, and we can not use Knudsen et al. s tme-memory trade off technque to make a premage attack for MJH hash functon from the premage attack for MJH compresson functon. Alternatvely, we make t usng the meet-n-the-mddle technque [15, Fact 9.99] and expandable messages wth fxed-ponts [3, 8]. A fxed-pont for a compresson functon CF s defned as (H, S, M) such that CF(H, S, M) = (H, S). We can fnd fxed-ponts for MJH compresson functon as follows. 1. Choose randomly M {0, 1} n and S {0, 1} n, fx them. 2. Compute X = 1 S (M), H = M X, Y = ( S(σ(X)) σ(x)) θ, and H Y = S. 3. If S = S, then output (H, S, M) as a fxed-pont; else, repeat the computatons n step 2 wth new random choces of M and S. On average, we expect to fnd a fxed-pont wth tme complexty of 2 n. An expandable message s constructed as follows. 1. Collect 2 n/2 fxed-ponts (H (1), S (1), M (1) 2 ),..., (H(2n/2), S (2n/2), M (2n/2 ) 2 ) by repeatng the above search. 2. Repeat to compute CF MJH (CF MJH (H 0, S 0, M 0 ), M 1 ) for a randomly chosen two-block message (M 0, M 1 ) untl the result s matched wth any (H (), S () ) for = 1,..., 2 n/2. 3. If a match s found, then output the correspondng (M 0, M 1, M () 2 ) as a (2, )-expandable message. On average, the number of repetton n the step 2 should be 2 3n/2 to expect a match. So, the tme complexty for the above constructon of an expandable message s about 2 3n/2+1. Assume that we are gven a (2, )-expandable message (M 0, M 1, M 2 ) made from a fxed-pont (H, M 2 ). Let len(m) be the length nformaton of the hashed message M contaned n the last message block. Wth ths expandable message, we can construct a premage attack on MJH hash functon as follows. 1. Gven a target hash value (H, S), collect 2 n/2 premages (U (1), V (1), M (1) L ), (U (2), V (2), M (2) L ),..., (U (2n/2), V (2n/2), M (2n/2 ) L ) for the last compresson functon. 2. Repeat to compute CF MJH (H, S, M L 1 ) for a randomly chosen one-block message M L 1 untl the result s matched wth any U () for = 1,..., 2 n/2. 3. If a match s found, then output the correspondng (M 0, M 1, M 2,..., M 2, M L 1, M L ) as a premage for V, where the repetton number of M 2 depends on len(m) contaned n M L. On average, the number of repetton n the step 2 should be 2 3n/2 to expect a match. So, the tme complexty for the above constructon of an expandable message s about 2 3n/2+1. Fnally, a premage attack on MJH hash functon s made from the premage attack on MJH compresson functon and the expandable message by the meet-n-the-mddle technque n [15, Fact 9.99]. Overall tme complexty s about 2 3n/2+2. 8

9 6 Premage Attack on Mennnk s Scheme In [16], t was not specfed how to correspond the varables (H, S, M ) and (H +1, V +1 ) to (U, V, W ) and (Y, Z), respectvely. In the cases of M = U or M = V, we can make a premage attack on the hash functon of Mennnk s scheme. Wthout loss of generalty, we assume M = U. 6.1 Premage Attack on Mennnk s Compresson functon For a gven target mage (Y, Z) GF (2 n ) 2, our premage attack works as follows. 1. Choose 2 n/2 P 1 randomly. They are denoted by P (0) 1,..., P (2n/2 1) q. 2. For 0 2 n/2 1, fnd (U (), V (), X () ) s such that U ()(V () ) = X () and P () 1 = a 1 (U (), V (), X () ) n the followng way: (a) Choose U (). (b) Fnd V () such that P () 1 = a 1 (U (), V (), U ()(V () )) wth a brute-force method. (c) Compute X () = U ()(V () ). 3. For 0 j 2 n/2 1, fnd K (j) 1 such that (j) K (P (j) 1 ) P (j) 1 = Y Make 2 n tuples (U (), V (), X (), W (ρ(,j)) ) such that K (j) 1 = a 2 (U (), V (), X (), W (ρ(,j)) ) for 0, j 2 n/2 1, where ρ(, j) s an ndex dependent on and j. Renumber the tuples as (U (), V (), X (), W () ) for 0 2 n For 0 2 n 1, compute P () 2 = a 3 (U (), V (), X () ) and K () 2 = a 4 (U (), V (), X (), W () ), ) soluton s expected for the and check whether the relaton () K (P () 2 ) P () 2 = Z. One (P () 2, K() 2 2 relaton. Then, the correspondng tuple (U (), V (), W () ) s a premage of the compresson functon. The tme complexty of the above attack s 2 3n/2 because steps 2 and 3 requre more domnant cost than the others. 6.2 Premage Attack on Mennnk s Hash Functon Our premage attack on the compresson functon explaned n Secton 6.1 s converted to a premage attack n the case of M = U or M = V because the attacker has the control on the message length n the last block, whle the prevous attack n [16] cannot lead to a premage attack on the hash functon. Agan, a premage attack on the hash functon of Mennnnk s scheme s made from the premage attack on the compresson functon by the meet-n-the-mddle technque n [15, Fact 9.99]. Overall tme complexty s about 2 7n/ Concluson We presented several attacks on MDC-4, MJH, and Mennnk s schemes whch are DBL hash modes. The premage attacks on MDC-4 and Mennnk s sgnfcantly mproves the prevous results, and the attacks on MJH scheme are the frst cryptanalytc results. Our attacks provde deeper understandng about the securtes of our target hash modes. Some of them show that there are gaps between the complextes of ours and the bounds stated n the securty proofs. Studyng how to reduce the gaps s nterestng; whether the attacks are more developed or the proofs are more mproved. 9

10 References [1] F. Armknecht,. Fleschmann, M. Krause, J. Lee, M. Stam, and J. Stenberger, The Premage Securty of Double-Block-Length Compresson Functons, ASIACRYPT 2011, LNCS 7073, pp , Sprnger, [2] J. Black, P. Rogaway, and T. Shrmpton, Black-Box Analyss of the Block-Cpher-Based Hash- Functon Constructons from PGV, CRYPTO 2002, LNCS 2442, pp , Sprnger, [3] R. D. Dean, Formal Aspects of Moble Code Securty, Ph. D Dsserton, Prnceton Unversty, January [4] U. S. Department of Commerce/ Natonal Insttute of Standards and Technology, Data ncrypton Standard (DS), FIPS PUB 46-3, Reaffrmed October 25th [5]. Fleschmann, C. Forler, and S. Lucks, The Collson Securty of MDC-4, AFRICACRYPT 2012, LNCS 7374, pp , [6] S. Hrose, Some Plausble Constructons of Double-Block-Length Hash Functons, In M. J. B. Robshaw (d.), FS 2006, LNCS 4047, pp , Sprnger, [7] ISO/IC :2010, Informaton technology Securty technques Hash-functons Part 2: Hash-functons usng an n-bt block cpher, 1994, revsed n [8] J. Kelsey and B. Schneer, Second Premages on n-bt Hash Functons for Much Less than 2 n Work, UROCRYPT 2005, LNCS 3494, pp , Sprnger, [9] L. R. Knudsen, F. Mendel, C. Rechberger, and S. Thomsen, Cryptanalyss of MDC-2, URO- CRYPT 2009, LNCS 5479, pp , Sprnger, [10] L. R. Knudsen and B. Preneel, Fast and Secure Hashng Based on Codes, CRYPTO 97, LNCS 1294, pp , Sprnger, [11] X. La and J. L. Massey, Hash functon based on block cphers, In R. A. Rueppel (d.), URO- CRYPT 92, LNCS 658, pp , Sprnger, [12] J. Lee and D. Kwon, The Securty of Abreast-DM n the Ideal Cpher Model, IIC Transactons on Fundamentals, Vol. 95-A, No. 1, pp , [13] J. Lee, M. Stam, and J. Stenberger, The Collson Securty of Tandem-DM n the Ideal Cpher Model, CRYPTO 2011, LNCS 6841, pp , Sprnger, [14] J. Lee and M. Stam, MJH: A Faster Alternatve to MDC-2, In A. Kayas (d.), CT-RSA 2011, LNCS 6558, pp , Sprnger, [15] A. J. Menezes, P. C. Oorschot and S. A. Vanstone, Handbook of Appled Cryptography, CRC Press, [16] B. Mennnk, Optmal Collson Securty n Double Block Length Hashng wth Sngle Length Key, ASIACRYPT 2012, LNCS 7658, pp , Sprnger, [17] C. Meyer and M. Schllng, Secure Program Load wth Manpulaton Detecton Code, Proc. Securcom, pp , [18] B. Preneel, Analyss and Desgn of Cryptographc Hash Functons, Doctoral Dssertaton, Katholeke Unverstet Leuven,

11 [19] B. Preneel, R. Govaerts and J. Vandewalle, Hash Functons Based on Block Cphers: A Synthetc Approach, In D. R. Stnson (d.), CRYPTO 1993, LNCS 773, pp , Sprnger, [20] M. Stam, Blockcpher-Based Hashnf Revsted, FS 2009, LNCS 5665, pp , Sprnger, [21] J. P. Stenberger, The Collson Intractablty of MDC-2 n the Ideal-Cpher Model, UROCRYPT 2007, LNCS 4515, pp , Sprnger,