On the collision and preimage security of MDC-4 in the ideal cipher model

We present a collision and preimage security analysis of MDC-4, a 24 years old construction for transforming an n-bit block cipher into a 2n-bit hash function. We start with MDC-4 based on one single block cipher, and prove that any adversary with query access to the underlying block cipher requires at least 2 queries (asymptotically) to find a collision. For the preimage resistance, we present a surprising negative result: for a target image with the same left and right half, a preimage for the full MDC-4 hash function can be found in 2 queries. Yet, restricted to target images with different left and right halves, we prove that at least 2 queries (asymptotically) are required to find a preimage. Next, we consider MDC-4 based on two independent block ciphers, a model that is less general but closer to the original design, and prove that the collision bound of 2 queries and the preimage bound of 2 queries apply to the MDC-4 compression function and hash function design. With these results, we are the first to formally confirm that MDC-4 offers a higher level of provable security compared to MDC-2.