Paper 2009/054
On the Security of Tandem-DM
Ewan Fleischmann, Michael Gorski, and Stefan Lucks
Abstract
We provide the first proof of security for Tandem-DM one of the oldest and most well-known constructions for turning a blockcipher with n-bit blocklength and 2n-bit keylength into a 2n-bit cryptographic hash function. We prove, that when Tandem-DM is instantiated with AES-256, i.e. blocklength 128 bits and keylength 256 bits, any adversary that asks less than 2^{120.4} queries cannot find a collision with success probability greater than 1/2. We also prove a bound for preimage resistance of Tandem-DM. Interestingly, as there is only one practical construction known (FSE'06, Hirose) turning such an (n,2n)-bit blockcipher into a 2n-bit compression function that has provably birthday-type collision resistance, Tandem-DM is one out of two structures that possess this desirable feature.
Metadata
- Available format(s)
- Category
- Secret-key cryptography
- Publication info
- Published elsewhere. an extended abstract of this paper will appear at FSE 2009 proceedings, this is the full version
- Keywords
- hash functionblockcipher basedproof of securitydouble block lengthideal cipher
- Contact author(s)
- ewan fleischmann @ uni-weimar de
- History
- 2009-02-04: revised
- 2009-02-04: received
- See all versions
- Short URL
- https://ia.cr/2009/054
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2009/054, author = {Ewan Fleischmann and Michael Gorski and Stefan Lucks}, title = {On the Security of Tandem-{DM}}, howpublished = {Cryptology {ePrint} Archive, Paper 2009/054}, year = {2009}, url = {https://eprint.iacr.org/2009/054} }