On the Security of Tandem-DM

14 years 12 months ago

Download eprint.iacr.org

Abstract. We provide the first proof of security for Tandem-DM, one of the oldest and most wellknown constructions for turning a blockcipher with n-bit blocklength and 2n-bit keylength into a 2n-bit cryptographic hash function. We prove, that when Tandem-DM is instantiated with AES-256, i.e. blocklength 128 bits and keylength 256 bits, any adversary that asks less than 2120.4 queries cannot find a collision with success probability greater than 1/2. We also prove a bound for preimage resistance of Tandem-DM. Interestingly, as there is only one practical construction known (FSE'06, Hirose) turning such an (n, 2n)-bit blockcipher into a 2n-bit compression function that has provably birthday-type collision resistance, Tandem-DM is one out of two structures that possess this desirable feature.

Ewan Fleischmann, Michael Gorski, Stefan Lucks

Real-time Traffic

Birthday-type Collision Resistance | Cryptographic Hash Function | Cryptography | FSE 2009 | Keylength 256 Bits |

claim paper

Post Info
More Details (n/a)

Added	25 Nov 2009
Updated	25 Nov 2009
Type	Conference
Year	2009
Where	FSE
Authors	Ewan Fleischmann, Michael Gorski, Stefan Lucks

Comments (0)

Sciweavers

On the Security of Tandem-DM

Birthday-type Collision Resistance | Cryptographic Hash Function | Cryptography | FSE 2009 | Keylength 256 Bits |

Explore & Download

Productivity Tools

Document Tools

Image Tools

Sciweavers