Sciweavers

FSE
2009
Springer

On the Security of Tandem-DM

15 years 25 days ago
On the Security of Tandem-DM
Abstract. We provide the first proof of security for Tandem-DM, one of the oldest and most wellknown constructions for turning a blockcipher with n-bit blocklength and 2n-bit keylength into a 2n-bit cryptographic hash function. We prove, that when Tandem-DM is instantiated with AES-256, i.e. blocklength 128 bits and keylength 256 bits, any adversary that asks less than 2120.4 queries cannot find a collision with success probability greater than 1/2. We also prove a bound for preimage resistance of Tandem-DM. Interestingly, as there is only one practical construction known (FSE'06, Hirose) turning such an (n, 2n)-bit blockcipher into a 2n-bit compression function that has provably birthday-type collision resistance, Tandem-DM is one out of two structures that possess this desirable feature.
Ewan Fleischmann, Michael Gorski, Stefan Lucks
Added 25 Nov 2009
Updated 25 Nov 2009
Type Conference
Year 2009
Where FSE
Authors Ewan Fleischmann, Michael Gorski, Stefan Lucks
Comments (0)