Paper 2009/054

On the Security of Tandem-DM

Ewan Fleischmann, Michael Gorski, and Stefan Lucks


We provide the first proof of security for Tandem-DM one of the oldest and most well-known constructions for turning a blockcipher with n-bit blocklength and 2n-bit keylength into a 2n-bit cryptographic hash function. We prove, that when Tandem-DM is instantiated with AES-256, i.e. blocklength 128 bits and keylength 256 bits, any adversary that asks less than 2^{120.4} queries cannot find a collision with success probability greater than 1/2. We also prove a bound for preimage resistance of Tandem-DM. Interestingly, as there is only one practical construction known (FSE'06, Hirose) turning such an (n,2n)-bit blockcipher into a 2n-bit compression function that has provably birthday-type collision resistance, Tandem-DM is one out of two structures that possess this desirable feature.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. an extended abstract of this paper will appear at FSE 2009 proceedings, this is the full version
hash functionblockcipher basedproof of securitydouble block lengthideal cipher
Contact author(s)
ewan fleischmann @ uni-weimar de
2009-02-04: revised
2009-02-04: received
See all versions
Short URL
Creative Commons Attribution


      author = {Ewan Fleischmann and Michael Gorski and Stefan Lucks},
      title = {On the Security of Tandem-DM},
      howpublished = {Cryptology ePrint Archive, Paper 2009/054},
      year = {2009},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.