The Collision Security of Tandem-DM in the Ideal Cipher Model
نویسندگان
چکیده
We prove that Tandem-DM, which is one of the two “classical” schemes for turning a blockcipher of 2n-bit key into a double block length hash function, has birthday-type collision resistance in the ideal cipher model. A collision resistance analysis for Tandem-DM achieving a similar birthday-type bound was already proposed by Fleischmann, Gorski and Lucks at FSE 2009 [3]. As we detail, however, the latter analysis is wrong, thus leaving the collision resistance of Tandem-DM as an open problem until now. Our analysis exhibits a novel feature in that we introduce a trick not used before in ideal cipher proofs.
منابع مشابه
The Security of Abreast-DM in the Ideal Cipher Model
In this paper, we give a security proof for Abreast-DM in terms of collision resistance and preimage resistance. As old as Tandem-DM, the compression function Abreast-DM is one of the most well-known constructions for double block length compression functions. The bounds on the number of queries for collision resistance and preimage resistance are given by O (2). Based on a novel technique usin...
متن کاملThe Collision Security of MDC-4
There are four somewhat classical double length block cipher based compression functions known: MDC-2, MDC-4, Abreast-DM, and Tandem-DM. They all have been developed over 20 years ago. In recent years, cryptographic research has put a focus on block cipher based hashing and found collision security results for three of them (MDC-2, Abreast-DM, Tandem-DM). In this paper, we addMDC-4, which is pa...
متن کاملOn the Security of Tandem-DM
We provide the first proof of security for Tandem-DM, one of the oldest and most well-known constructions for turning a block cipher with n-bit block length and 2n-bit key length into a 2n-bit cryptographic hash function. We prove, that when Tandem-DM is instantiated with AES-256, block length 128 bits and key length 256 bits, any adversary that asks less than 2 queries cannot find a collision ...
متن کاملMJH: A Faster Alternative to MDC-2
In this paper, we introduce a new class of double-block-length hash functions. Using the ideal cipher model, we prove that these hash functions, dubbed MJH, are asymptotically collision resistant up to O(2n(1− ) query complexity for any > 0 in the iteration, where n is the block size of the underlying blockcipher. When based on n-bit key blockciphers, our construction, being of rate 1/2, provid...
متن کاملWeimar-DM: The Most Secure Double Length Compression Function
We presentWeimar-DM, a double length compression function using two calls to a block cipher with 2n-bit key and n-bit block size to compress a 3n-bit string to a 2n-bit one. For Weimar-DM, we show that for n = 128, no adversary asking less than 2 = 2 queries can find a collision with probability greater than 1/2. This is the highest collision security bound ever shown for such a compression fun...
متن کامل