Login
Login

MDC-2

{{Short description|Cryptographic hash function}}

{{More citations needed|date=February 2019}}

In cryptography, MDC-2 (Modification Detection Code 2, sometimes called Meyer–Schilling,{{Citation needed|date=February 2019}} standardized in ISO 10118-2) is a cryptographic hash function. MDC-2 is a hash function based on a block cipher with a proof of security in the ideal-cipher model.{{cite conference

| first = John

| last = Steinberger

| title = The Collision Intractability of MDC-2 in the Ideal-Cipher Model

| book-title = Advances in Cryptology – EUROCRYPT 2007

| pages = 34–51

| publisher = Springer-Verlag

| date = June 23, 2007

| url = http://eprint.iacr.org/2006/294

| doi = 10.1007/978-3-540-72540-4_3

| access-date = January 31, 2008| doi-access = free

| url-access = subscription

}} The length of the output hash depends on the underlying block cipher used.

Algorithm

Let E(p,k) be a block cipher encryption function with inputs p (plaintext) and k (key), each of length n, calculating a ciphertext of length also n.

For a given message M to hash, the MDC-2 algorithm proceeds as follows. Let A_1, B_1 be two different constants of size n. Let M\, || \, \text{pad} = M_1\,||..||\,M_m where each M_i has size n, then the hash V_m \, || \, W_m of the message is given by:

  • for i = 1 to m:
  • V_i = M_i \oplus E(M_i,A_i)
  • W_i = M_i \oplus E(M_i,B_i)
  • V_i^L\, || \,V_i^R = V_i
  • W_i^L\, || \,W_i^R = W_i
  • A_{i+1} = V_i^L\,||\,W_i^R
  • B_{i+1} = W_i^L\,||\,V_i^R
  • return A_{m+1}\,||\,B_{m+1}.

Here the V_i, W_i are split in halves V_i^L etc., which have the length n/2.

MDC-2DES hashes

When MDC-2 uses the DES block cipher, the 128-bit (16-byte) MDC-2 hashes are typically represented as 32-digit hexadecimal numbers. A_1 is chosen as the 8-byte string 5252525252525252 and B_1 is chosen as the 8-byte string 2525252525252525 (written as hexdigits). Additionally, before each iteration the first byte A[0] of A recalculated as (A[0] & 0x9f) ^ 0x40 and the first byte B[0] of B is recalculated as (B[0] & 0x9f) ^ 0x20.

The following demonstrates a 43-byte ASCII input (which is padded with five zero-bytes so its length is a multiple of the DES block size of 8 bytes) and the corresponding MDC-2 hash:

MDC2("The quick brown fox jumps over the lazy {{Background color|#87CEEB|d}}og")

= 000ed54e093d61679aefbeae05bfe33a

Even a small change in the message will (with probability) result in a completely different hash, e.g. changing d to c:

MDC2("The quick brown fox jumps over the lazy {{Background color|#87CEEB|c}}og")

= 775f59f8e51aec29c57ac6ab850d58e8

The hash of the zero-length string is:

MDC2("")

= 52525252525252522525252525252525

Patent issues

MDC-2 was covered by {{US patent|4908861}}, issued on March 13, 1990 but filed by IBM on August 28, 1987. Because of patent concerns support for MDC-2 has been disabled in OpenSSL on most Linux distributions and is not implemented by many other cryptographic libraries. It is implemented in GPG's libgcrypt.

The patent was due to expire on August 28, 2007, twenty years after the filing date. It actually expired in 2002{{Cite journal

| title = USPTO - Patent Maintenance Fees

| publisher = United States Patent Office

| date = March 13, 2002

| url = https://ramps.uspto.gov/eram/getMaintFeesInfo.do?patentNum=4908861&applicationNum=07090633

| access-date = 2008-01-31

}}{{Dead link|date=March 2020 |bot=InternetArchiveBot |fix-attempted=yes }} (Click on "Bibliographic data".) because IBM did not pay the renewal fee. The Canadian patent was not renewed and no European patent was granted so MDC-2 can now be freely used.

See also

Notes

{{Cryptography navbox | hash}}

Category:Cryptographic hash functions