As old as TANDEM-DM, the compression function ABREAST-DM is one of the most well-known constructions for double block length compression functions. In this paper, we give a security proof for ABREAST-DM in terms of collision resistance and preimage resistance. The bounds on the number of queries for collision resistance and preimage resistance are given by Ω(2n). Based on a novel technique using query-response cycles, our security proof is simpler than those for MDC-2 and TANDEM-DM. We also present a wide class of ABREAST-DM variants that enjoy a birthday-type security guarantee with a simple proof*.

We present attacks on the generalized Feistel schemes, where each round function consists of a subkey XOR, S-boxes, and then a linear transformation (i.e. a Substitution-Permutation (SP) round function). Our techniques are based on rebound attacks. We assume that the S-boxes have a good differential property and the linear transformation has an optimal branch number. Under this assumption, we firstly describe known-key distinguishers on the type-1, -2, and -3 generalized Feistel schemes up to 21, 13 and 8 rounds, respectively. Then, we use the distinguishers to make several attacks on hash functions where Merkle-Damgård domain extender is used and the compression function is constructed with Matyas-Meyer-Oseas or Miyaguchi-Preneel hash modes from generalized Feistel schemes. Collision attacks are made for 11 rounds of type-1 Feistel scheme. Near collision attacks are made for 13 rounds of type-1 Feistel scheme and 9 rounds of type-2 Feistel scheme. Half collision attacks are made for 15 rounds of type-1 Feistel scheme, 9 rounds of type-2 Feistel scheme, and 5 rounds of type-3 Feistel scheme.

MDC-4 is the enhanced version of MDC-2, which is a well-known hash mode of block ciphers. However, it does not guarantee sufficient securities required for a cryptographic hash function. In the ideal cipher model, the MDC-4 compression function has the collision security bound close to 25n/8 and the preimage security bound close to 25n/4, where the underlying block cipher has the block size of n bits. We have studied how to improve MDC-4 with simple modification to strengthen its security. It is meaningful work because users often want to improve their familiar systems with low cost. In this paper, we achieve it by proposing MDC-4+, which is a light variation of MDC-4. We prove that MDC-4+ is much more secure than MDC-4 by showing that it has the collision security bound close to optimal 2n and the preimage security bound close to 24n/3. We also discuss its efficiency by comparing existing hash modes.

We give some attacks on the DBL hash modes MDC-4 and MJH. Our preimage attack on the MDC-4 hash function requires the time complexity O(23n/2) for the block length n of the underlying block cipher, which significantly improves the previous results. Our collision attack on the MJH hash function has a time complexity less than 2124 for n=128. Our preimage attack on the the MJH compression function finds a preimage with the time complexity of 2n. It is converted to a preimage attack on the hash function with the time complexity of O(23n/2). As far as we know, any cryptanalytic result for MJH has not been published before. Our results are helpful for understanding the security of the hash modes together with their security proofs.

We assume that the domain extender is the Merkle-Damgård (MD) scheme and he message is padded by a ‘1', and minimum number of ‘0' s, followed by a fixed size length information so that the length of padded message is multiple of block length. Under this assumption, we analyze securities of the hash mode when the compression function follows the Davies-Meyer (DM) scheme and the underlying block cipher is one of the plain Feistel or Misty scheme or the generalized Feistel or Misty schemes with Substitution-Permutation (SP) round function. We do this work based on Meet-in-the-Middle (MitM) preimage attack techniques, and develop several useful initial structures.