The Collision Security of Tandem-DM in the Ideal Cipher Model

  • Jooyoung Lee
  • Martijn Stam
  • John Steinberger
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6841)

Abstract

We prove that Tandem-DM, which is one of the two “classical” schemes for turning a blockcipher with a 2n-bit key into a double-block-length hash function, has birthday-type collision resistance in the ideal cipher model. A collision resistance analysis for Tandem-DM achieving a similar birthday-type bound was already proposed by Fleischmann, Gorski and Lucks at FSE 2009 [3]. As we detail, however, the latter analysis is wrong, thus leaving the collision resistance of Tandem-DM as an open problem until now. Our analysis exhibits a novel feature in that we introduce a trick not used before in ideal cipher proofs.
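The Tandem-DM compression function the abstract refers to, shown here as an added example that is not part of the original paper. It follows the classical definition of the scheme (W = E_{H||M}(G), G' = G ⊕ W, H' = H ⊕ E_{M||W}(H)), where E is a blockcipher with a 2n-bit key and an n-bit block. The ideal cipher model is mimicked by lazily sampling a fresh random permutation for each key, which is exactly the object the proof reasons about; the `IdealCipher` class, the toy block size `N_BITS` and the `tandem_dm_hash` helper are constructed for this example and are not the authors' code.

```python
"""Tandem-DM over a lazily sampled ideal cipher (added example, not from the paper).

E: {0,1}^{2n} x {0,1}^n -> {0,1}^n is simulated by drawing, per key, a random
permutation on demand, as an ideal-cipher-model simulator would.
N_BITS is a constructed toy parameter; a real instance would use n = 128.
"""
import random

N_BITS = 16                       # toy block size n (constructed)
MASK = (1 << N_BITS) - 1


class IdealCipher:
    """Ideal cipher with 2n-bit keys and n-bit blocks, sampled lazily."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)   # seeded so runs are reproducible
        self.fwd = {}        # key -> {plaintext: ciphertext}
        self.inv = {}        # key -> {ciphertext: plaintext}
        self.queries = 0     # number of fresh cipher queries answered

    def encrypt(self, key, x):
        assert 0 <= key < (1 << (2 * N_BITS)) and 0 <= x <= MASK
        table = self.fwd.setdefault(key, {})
        if x not in table:
            inv = self.inv.setdefault(key, {})
            # sample uniformly among ciphertexts not yet used under this key,
            # so E(key, .) stays a permutation
            y = self.rng.getrandbits(N_BITS)
            while y in inv:
                y = self.rng.getrandbits(N_BITS)
            table[x] = y
            inv[y] = x
            self.queries += 1
        return table[x]

    def decrypt(self, key, y):
        assert 0 <= key < (1 << (2 * N_BITS)) and 0 <= y <= MASK
        inv = self.inv.setdefault(key, {})
        if y not in inv:
            table = self.fwd.setdefault(key, {})
            x = self.rng.getrandbits(N_BITS)
            while x in table:
                x = self.rng.getrandbits(N_BITS)
            table[x] = y
            inv[y] = x
            self.queries += 1
        return inv[y]


def tandem_dm(E, g, h, m):
    """One Tandem-DM step (G, H, M) -> (G', H'): two cipher calls per n-bit block.

    W  = E_{H || M}(G)
    G' = G xor W
    H' = H xor E_{M || W}(H)
    Keys are 2n-bit values formed by concatenation (high half first).
    """
    w = E.encrypt((h << N_BITS) | m, g)
    g_next = g ^ w
    h_next = h ^ E.encrypt((m << N_BITS) | w, h)
    return g_next, h_next


def tandem_dm_hash(E, blocks, iv=(0, 0)):
    """Iterate the compression function over already-padded n-bit blocks (constructed helper)."""
    g, h = iv
    for m in blocks:
        g, h = tandem_dm(E, g, h, m)
    return g, h


if __name__ == "__main__":
    E = IdealCipher(seed=1)
    digest = tandem_dm_hash(E, [0x0F0F, 0x1111, 0x2222])
    print("2n-bit digest (G, H):", [hex(v) for v in digest], "cipher queries:", E.queries)
```

Each compression call costs exactly two fresh cipher queries, which is the "rate 1/2" cost that the collision bound in the paper is stated against; the `queries` counter makes that visible when experimenting with the simulator.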

References

  1. Dodis, Y., Steinberger, J.: Message Authentication Codes from Unpredictable Block Ciphers. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 267–285. Springer, Heidelberg (2009). Full version available at http://people.csail.mit.edu/dodis/ps/tight-mac.ps
  2. Fleischmann, E., Forler, C., Gorski, M., Lucks, S.: Collision resistant double-length hashing. In: Heng, S.-H., Kurosawa, K. (eds.) ProvSec 2010. LNCS, vol. 6402, pp. 102–118. Springer, Heidelberg (2010)
  3. Fleischmann, E., Gorski, M., Lucks, S.: On the security of Tandem-DM. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 84–103. Springer, Heidelberg (2009)
  4. Fleischmann, E., Gorski, M., Lucks, S.: Security of Cyclic Double Block Length Hash Functions. In: Parker, M.G. (ed.) Cryptography and Coding 2009. LNCS, vol. 5921, pp. 153–175. Springer, Heidelberg (2009)
  5. Hirose, S.: Provably secure double-block-length hash functions in a black-box model. In: Park, C.-s., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 330–342. Springer, Heidelberg (2005)
  6. Hirose, S.: Some plausible constructions of double-block-length hash functions. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 210–225. Springer, Heidelberg (2006)
  7. Krause, M., Armknecht, F., Fleischmann, E.: Preimage resistance beyond the birthday bound: double-length hashing revisited. Preprint, http://eprint.iacr.org/2010/519
  8. Lai, X., Massey, J.: Hash functions based on block ciphers. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 55–70. Springer, Heidelberg (1993)
  9. Lee, J., Kwon, D.: The security of Abreast-DM in the ideal cipher model. IEICE Transactions 94-A(1), 104–109 (2011), http://eprint.iacr.org/2009/225.pdf
  10. Lee, J., Steinberger, J.: Multi-property-preserving Domain Extension Using Polynomial-Based Modes of Operation. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 573–596. Springer, Heidelberg (2010)
  11. Lee, J., Stam, M., Steinberger, J.: The collision security of Tandem-DM in the ideal-cipher model. Full version of this paper, http://eprint.iacr.org/2010/409
  12. Lee, J., Stam, M., Steinberger, J.: The preimage security of double-block-length compression functions. Preprint, http://eprint.iacr.org/2011/210
  13. Lucks, S.: A collision-resistant rate-1 double-block-length hash function. In: Symmetric Cryptography. Dagstuhl Seminar Proceedings, 07021 (2007)
  14. Özen, O., Stam, M.: Another Glance at Double-Length Hashing. In: Parker, M.G. (ed.) Cryptography and Coding 2009. LNCS, vol. 5921, pp. 176–201. Springer, Heidelberg (2009)
  15. Rogaway, P., Shrimpton, T.: Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 371–388. Springer, Heidelberg (2004)
  16. Rogaway, P., Steinberger, J.: Constructing cryptographic hash functions from fixed-key blockciphers. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 433–450. Springer, Heidelberg (2008)
  17. Shrimpton, T., Stam, M.: Building a collision-resistant compression function from non-compressing primitives. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 643–654. Springer, Heidelberg (2008)
  18. Steinberger, J.P.: The Collision Intractability of MDC-2 in the Ideal-Cipher Model. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 34–51. Springer, Heidelberg (2007)
  19. Stam, M.: Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 397–412. Springer, Heidelberg (2008)
  20. Stam, M.: Blockcipher-based hashing revisited. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 67–83. Springer, Heidelberg (2009)
  21. Wagner, D.: Cryptanalysis of the Yi-Lam Hash. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 483–488. Springer, Heidelberg (2000)
  22. Yi, X., Lam, K.-Y.: A new hash function based on block cipher. In: Mu, Y., Pieprzyk, J.P., Varadharajan, V. (eds.) ACISP 1997. LNCS, vol. 1270, pp. 139–146. Springer, Heidelberg (1997)

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Jooyoung Lee (1)
  • Martijn Stam (2)
  • John Steinberger (3)
  1. Faculty of Mathematics and Statistics, Sejong University, Seoul, Korea
  2. Department of Computer Science, University of Bristol, Bristol, United Kingdom
  3. Institute of Theoretical Computer Science, Tsinghua University, Beijing, China