On the Security of Tandem-DM

Ewan Fleischmann, Michael Gorski, and Stefan Lucks

Abstract

We provide the first proof of security for Tandem-DM one of the oldest and most well-known constructions for turning a blockcipher with n-bit blocklength and 2n-bit keylength into a 2n-bit cryptographic hash function. We prove, that when Tandem-DM is instantiated with AES-256, i.e. blocklength 128 bits and keylength 256 bits, any adversary that asks less than 2^{120.4} queries cannot find a collision with success probability greater than 1/2. We also prove a bound for preimage resistance of Tandem-DM. Interestingly, as there is only one practical construction known (FSE'06, Hirose) turning such an (n,2n)-bit blockcipher into a 2n-bit compression function that has provably birthday-type collision resistance, Tandem-DM is one out of two structures that possess this desirable feature.

Available format(s)
Category
Secret-key cryptography
Publication info
Published elsewhere. an extended abstract of this paper will appear at FSE 2009 proceedings, this is the full version
Keywords
hash functionblockcipher basedproof of securitydouble block lengthideal cipher
Contact author(s)
ewan fleischmann @ uni-weimar de
History
2009-02-04: revised
See all versions
Short URL
https://ia.cr/2009/054

CC BY

BibTeX

@misc{cryptoeprint:2009/054,
author = {Ewan Fleischmann and Michael Gorski and Stefan Lucks},
title = {On the Security of Tandem-DM},
howpublished = {Cryptology ePrint Archive, Paper 2009/054},
year = {2009},
note = {\url{https://eprint.iacr.org/2009/054}},
url = {https://eprint.iacr.org/2009/054}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.