The security of hash functions based on a block cipher with a block length of m bits and a key length of k bits, where k ≤ m, is considered. New attacks are presented on a large class of iterated hash functions with a 2m-bit hash result which processes in each iteration two message blocks using two encryptions. In particular, the attacks break three proposed schemes: Parallel-DM, the PBGV hash function, and the LOKI DBH mode.

Key words: Cryptanalysis, Cryptographic hash functions, Block ciphers, Double block length hash functions, Birthday attacks.
Lars R. Knudsen, Xuejia Lai, Bart Preneel