The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty

The Collision Security of Tandem-DMin the Ideal Cipher Model

Jooyoung Lee1 Martijn Stam2 John Steinberger3

1Faculty of Mathematics and Statistics, Sejong University, Seoul, Korea

2Department of Computer Science, University of Bristol, Bristol, United Kingdom

3Institute of Theoretical Computer Science, Tsinghua University, Beijing, China

August 18, 2011

Tandem-DM

E

M

E

A 3n-bit to 2n-bit compression function making two calls toa blockcipher using 2n-bit keysProposed by Lai and Massey in Eurocrypt 1992The first security proof given in FSE 2009, its extensiongiven in ProvSec 2010

Tandem-DM

E

M

E

ContributionShows the prior proofs are flawedPresents a novel proof for the collision resistance ofTandem-DM in the ideal cipher modelMostly historical interest, rather than practical interest

Ideal Cipher Model & Query History

E E-1Adversary

An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function


K1,X1E E-1Adversary



K1,X1E E-1Adversary

Y1←{0,1} \RK1$

RK1←RK1∪{Y1}

n

RK1 RK1∪{Y }



K1,X1E E-1Adversary

Y1←{0,1} \RK1$

RK1←RK1∪{Y1}

n

Y1RK1 RK1∪{Y }



K1,X1E E-1Adversary(X1,K1,Y1)

Y1



E E-1K2,Y2Adversary(X1,K1,Y1)



E E-1K2,Y2Adversary(X1,K1,Y1) X2←{0,1} \DK2

$

DK2←DK2∪{X2}

n

DK2 DK2∪{X }



E E-1K2,Y2Adversary(X1,K1,Y1) X2←{0,1} \DK2

$

DK2←DK2∪{X2}

n

X2DK2 DK2∪{X }



E E-1K2,Y2Adversary(X1,K1,Y1)(X2,K2,Y2)

X2



K3,X3E E-1Adversary(X1,K1,Y1)(X2,K2,Y2)




Y3←{0,1} \RK3$

RK3←RK3∪{Y3}

n

RK3 RK3∪{Y }




Y3←{0,1} \RK3$

RK3←RK3∪{Y3}

n

Y3RK3 RK3∪{Y }



K3,X3E E-1Adversary(X1,K1,Y1)(X2,K2,Y2)(X3 K3 Y3)Y3 (X3,K3,Y3)



E E-1Adversary(X1,K1,Y1)(X2,K2,Y2)(X3 K3 Y3)(X3,K3,Y3)

(Xq Kq Yq)(Xq,Kq,Yq)




(Xq Kq Yq) Q e Hi to Q(Xq,Kq,Yq) Query History Q




(Xq Kq Yq) Q e Hi to Q(Xq,Kq,Yq) Query History Q


Evaluation of Tandem-DM

(A,B||L,R), (B,L||R,S) ∈ Q determine

TDME : {0,1}3n −→ {0,1}2n

A||B||L 7−→ A⊕ R||B ⊕ S

AA RTL

A

B L RSS

B SBL

Collisions in Tandem-DM

The goal of a collision-finding adversary ATo find (A,B||L,R), (B,L||R,S), (A′,B′||L′,R′), (B′,L′||R′,S′)such that A||B||L 6= A′||B′||L′, A⊕ R = A′ ⊕ R′, B ⊕ S = B′ ⊕ S′

Predicate Coll(Q) is true if and only if such queries exist in Q

AA RTL

A

B L RSS

B SBL

A’A’ R’TR

A

B’ L’ R’S’S

B’ S’BR



We want to upper bound Pr[Coll(Q)] = AdvCollTDME (A)

AA RTL

A

B L RSS

B SBL

A’A’ R’TR

A

B’ L’ R’S’S

B’ S’BR



We want Pr[Coll(Q)] to be small

AA RTL

A

B L RSS

B SBL

A’A’ R’TR

A

B’ L’ R’S’S

B’ S’BR

Case Analysis

Coll(Q)⇒ Coll1(Q) ∨ Coll2(Q) ∨ Coll3(Q), where

Coll1(Q)⇔ Q has a collision with TL, BL, TR, BR distinctColl2(Q)⇔ Q has a collision with TL = BL or TR = BRColl3(Q)⇔ Q has a collision with TL = BR or BL = TR

Ex) Coll2(Q) occurs if (A,A||A,A), (B,B||B,B) s.t. A 6= B exist

A0nTL

A

A A AAA

0nBL

B0nTR

B

B B BBB

0nBR

Case Analysis

Coll(Q)⇒ Coll1(Q) ∨ Coll2(Q) ∨ Coll3(Q), where

Coll1(Q)⇔ Q has a collision with TL, BL, TR, BR distinctColl2(Q)⇔ Q has a collision with TL = BL or TR = BRColl3(Q)⇔ Q has a collision with TL = BR or BL = TR

We are going to focus on upper bounding Pr[Coll1(Q)]

Ex) Coll2(Q) occurs if (A,A||A,A), (B,B||B,B) s.t. A 6= B exist

A0nTL

A

A A AAA

0nBL

B0nTR

B

B B BBB

0nBR

Upper bounding Pr[Coll1(Q)]

General Framework1 Upper bound the probability of Colli1(Q) that the i-th query

completes a collision2 Union bound by summing the upper bounds over all

possible queries i = 1, . . . ,q (If the upper bounds areindependent of each query, then we can just multiply q)

AA RTL

A

B L RSS

B SBL

A’A’ R’TR

A

B’ L’ R’S’S

B’ S’BR

Upper bounding Pr[Coll1(Q)]

General Framework1 Upper bound the probability of Colli1(Q) that the i-th query

completes a collision2 Union bound by summing the upper bounds over all

possible queries i = 1, . . . ,q (If the upper bounds areindependent of each query, then we can just multiply q)

How can we upper bound Pr[Colli1(Q)]?

AA RTL

A

B L RSS

B SBL

A’A’ R’TR

A

B’ L’ R’S’S

B’ S’BR

Upper bounding Pr[Colli1(Q)]

By symmetry, we can assume the last query is either TL or BL.

The last query: TL BLBackward Case 1 Case 3Forward Case 2 Case 4

AA RTL

A

B L RSS

B SBL

A’A’ R’TR

A

B’ L’ R’S’S

B’ S’BR




Union bound

Pr[Colli1(Q)] ≤ Pr[Case1]+Pr[Case2]+Pr[Case3]+Pr[Case4]

AA RTL

A

B L RSS

B SBL

A’A’ R’TR

A

B’ L’ R’S’S

B’ S’BR




Union bound

Pr[Colli1(Q)] ≤ Pr[Case1]+Pr[Case2]+Pr[Case3]+Pr[Case4]

AA RTL

A

B L RSS

B SBL

A’A’ R’TR

A

B’ L’ R’S’S

B’ S’BR

Case 1: The Last Query is TL and Backward

1 At the point when TL is queried, B, L, R are fixed2 B, L, R uniquely determine BL, and B ⊕ S3 The number of BR-queries (B′,L′||R′,S′) such that

B′ ⊕ S′ = B ⊕ S is at most α except with small probability4 Each of BR-queries uniquely determines TR, and A′ ⊕ R′

5 The response should be A′ ⊕ R′ ⊕ R, so Pr[Case1] ≤ α2n−q

(except with the “bad event")

??

B L R






?

B L RS

?

SB S






?

B L RS

?

SB S

B’ L’ R’S’S

B’ S’






?

B L RS

?

SB S

A’ R’A’

B’ L’ R’S’

A

SB’ S’






A’ R’ RA’ R’

B L RS

A R R

SB S

A’ R’A’

B’ L’ R’S’

A

SB’ S’

Case 2: The Last Query is TL and Forward

Subcase 2a: BL-query is Backward1 At the point when TL is queried, A, B, L are fixed2 The number of backward queries whose answer is B is at

most α except with small probability3 Since each of such backward queries uniquely determines

R, Pr[Subcase2a] ≤ α2n−q (except with the “bad event")

AA

B L ?





A

B L RS

A

S





A

B L RS

A

S


Subcase 2b: BL-query is Forward1 At the point when TL is queried, A, B, L are fixed2 The number of forward queries whose input block is B?

AA

B L ?



A

B L RS

A

S



It is hard to probabilistically restrict this number!

A

B L RS

A

S



We want to eliminate this case

A

B L RS

A

S

Main Idea: Modified Adversary A′

A′ runs A as a subroutine and records its query history Q′

If A makes a forward query EL||R(B), then A′ makes aquery EL||R(B), and an additional query E−1

B||L(R)

If A makes a backward query E−1B||L(R), then A′ makes a

query E−1B||L(R), and an additional query EL||R(B)

B L R




B||L(R)



B L R




B||L(R)



B L R

The Property of the Modified Adversary

If A makes q queries, then A′ makes at most 2q queries

Since Q ⊂ Q′, AdvCollTDME (A) ≤ AdvColl

TDME (A′)

B L R




TDME (A′)

B L R




TDME (A′)

If A′ obtains the BL position of a certain evaluation by a forwardquery, then A′ will immediately make an additional backwardquery and place it at the TL position

B L R




TDME (A′)

If the TL position of a certain evaluation is obtained by aforward query after the BL position is determined, then the BLquery should have been obtained by a backward query

B L R




TDME (A′)

It means that A′ does not create Subcase 2b

B L R

Main Result

Theorem

For N = 2n, q < N/2 and 1 ≤ α ≤ 2q,

AdvcollTDM(q) ≤ 2N

(2eq

α(N − 2q)

)α+

4qαN − 2q

+4q

N − 2q

Asymptotically, using α = n/ log n

limn→∞

AdvcollTDM (N/n) = 0

Numerically, for n = 128, using α = 16

AdvcollTDM(2120.87) <

12

Thank You

Documents

The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty