the collision security of tandem-dm in the ideal cipher model · the collision security of...
TRANSCRIPT
![Page 1: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/1.jpg)
The Collision Security of Tandem-DMin the Ideal Cipher Model
Jooyoung Lee1 Martijn Stam2 John Steinberger3
1Faculty of Mathematics and Statistics, Sejong University, Seoul, Korea
2Department of Computer Science, University of Bristol, Bristol, United Kingdom
3Institute of Theoretical Computer Science, Tsinghua University, Beijing, China
August 18, 2011
![Page 2: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/2.jpg)
Tandem-DM
E
M
E
A 3n-bit to 2n-bit compression function making two calls toa blockcipher using 2n-bit keysProposed by Lai and Massey in Eurocrypt 1992The first security proof given in FSE 2009, its extensiongiven in ProvSec 2010
![Page 3: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/3.jpg)
Tandem-DM
E
M
E
ContributionShows the prior proofs are flawedPresents a novel proof for the collision resistance ofTandem-DM in the ideal cipher modelMostly historical interest, rather than practical interest
![Page 4: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/4.jpg)
Ideal Cipher Model & Query History
E E-1Adversary
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
![Page 5: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/5.jpg)
Ideal Cipher Model & Query History
K1,X1E E-1Adversary
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
![Page 6: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/6.jpg)
Ideal Cipher Model & Query History
K1,X1E E-1Adversary
Y1←{0,1} \RK1$
RK1←RK1∪{Y1}
n
RK1 RK1∪{Y }
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
![Page 7: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/7.jpg)
Ideal Cipher Model & Query History
K1,X1E E-1Adversary
Y1←{0,1} \RK1$
RK1←RK1∪{Y1}
n
Y1RK1 RK1∪{Y }
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
![Page 8: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/8.jpg)
Ideal Cipher Model & Query History
K1,X1E E-1Adversary(X1,K1,Y1)
Y1
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
![Page 9: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/9.jpg)
Ideal Cipher Model & Query History
E E-1K2,Y2Adversary(X1,K1,Y1)
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
![Page 10: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/10.jpg)
Ideal Cipher Model & Query History
E E-1K2,Y2Adversary(X1,K1,Y1) X2←{0,1} \DK2
$
DK2←DK2∪{X2}
n
DK2 DK2∪{X }
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
![Page 11: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/11.jpg)
Ideal Cipher Model & Query History
E E-1K2,Y2Adversary(X1,K1,Y1) X2←{0,1} \DK2
$
DK2←DK2∪{X2}
n
X2DK2 DK2∪{X }
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
![Page 12: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/12.jpg)
Ideal Cipher Model & Query History
E E-1K2,Y2Adversary(X1,K1,Y1)(X2,K2,Y2)
X2
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
![Page 13: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/13.jpg)
Ideal Cipher Model & Query History
K3,X3E E-1Adversary(X1,K1,Y1)(X2,K2,Y2)
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
![Page 14: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/14.jpg)
Ideal Cipher Model & Query History
K3,X3E E-1Adversary(X1,K1,Y1)(X2,K2,Y2)
Y3←{0,1} \RK3$
RK3←RK3∪{Y3}
n
RK3 RK3∪{Y }
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
![Page 15: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/15.jpg)
Ideal Cipher Model & Query History
K3,X3E E-1Adversary(X1,K1,Y1)(X2,K2,Y2)
Y3←{0,1} \RK3$
RK3←RK3∪{Y3}
n
Y3RK3 RK3∪{Y }
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
![Page 16: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/16.jpg)
Ideal Cipher Model & Query History
K3,X3E E-1Adversary(X1,K1,Y1)(X2,K2,Y2)(X3 K3 Y3)Y3 (X3,K3,Y3)
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
![Page 17: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/17.jpg)
Ideal Cipher Model & Query History
E E-1Adversary(X1,K1,Y1)(X2,K2,Y2)(X3 K3 Y3)(X3,K3,Y3)
(Xq Kq Yq)(Xq,Kq,Yq)
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
![Page 18: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/18.jpg)
Ideal Cipher Model & Query History
E E-1Adversary(X1,K1,Y1)(X2,K2,Y2)(X3 K3 Y3)(X3,K3,Y3)
(Xq Kq Yq) Q e Hi to Q(Xq,Kq,Yq) Query History Q
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
![Page 19: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/19.jpg)
Ideal Cipher Model & Query History
E E-1Adversary(X1,K1,Y1)(X2,K2,Y2)(X3 K3 Y3)(X3,K3,Y3)
(Xq Kq Yq) Q e Hi to Q(Xq,Kq,Yq) Query History Q
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
![Page 20: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/20.jpg)
Evaluation of Tandem-DM
(A,B||L,R), (B,L||R,S) ∈ Q determine
TDME : {0,1}3n −→ {0,1}2n
A||B||L 7−→ A⊕ R||B ⊕ S
AA RTL
A
B L RSS
B SBL
![Page 21: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/21.jpg)
Collisions in Tandem-DM
The goal of a collision-finding adversary ATo find (A,B||L,R), (B,L||R,S), (A′,B′||L′,R′), (B′,L′||R′,S′)such that A||B||L 6= A′||B′||L′, A⊕ R = A′ ⊕ R′, B ⊕ S = B′ ⊕ S′
Predicate Coll(Q) is true if and only if such queries exist in Q
AA RTL
A
B L RSS
B SBL
A’A’ R’TR
A
B’ L’ R’S’S
B’ S’BR
![Page 22: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/22.jpg)
Collisions in Tandem-DM
The goal of a collision-finding adversary ATo find (A,B||L,R), (B,L||R,S), (A′,B′||L′,R′), (B′,L′||R′,S′)such that A||B||L 6= A′||B′||L′, A⊕ R = A′ ⊕ R′, B ⊕ S = B′ ⊕ S′
We want to upper bound Pr[Coll(Q)] = AdvCollTDME (A)
AA RTL
A
B L RSS
B SBL
A’A’ R’TR
A
B’ L’ R’S’S
B’ S’BR
![Page 23: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/23.jpg)
Collisions in Tandem-DM
The goal of a collision-finding adversary ATo find (A,B||L,R), (B,L||R,S), (A′,B′||L′,R′), (B′,L′||R′,S′)such that A||B||L 6= A′||B′||L′, A⊕ R = A′ ⊕ R′, B ⊕ S = B′ ⊕ S′
We want Pr[Coll(Q)] to be small
AA RTL
A
B L RSS
B SBL
A’A’ R’TR
A
B’ L’ R’S’S
B’ S’BR
![Page 24: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/24.jpg)
Case Analysis
Coll(Q)⇒ Coll1(Q) ∨ Coll2(Q) ∨ Coll3(Q), where
Coll1(Q)⇔ Q has a collision with TL, BL, TR, BR distinctColl2(Q)⇔ Q has a collision with TL = BL or TR = BRColl3(Q)⇔ Q has a collision with TL = BR or BL = TR
Ex) Coll2(Q) occurs if (A,A||A,A), (B,B||B,B) s.t. A 6= B exist
A0nTL
A
A A AAA
0nBL
B0nTR
B
B B BBB
0nBR
![Page 25: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/25.jpg)
Case Analysis
Coll(Q)⇒ Coll1(Q) ∨ Coll2(Q) ∨ Coll3(Q), where
Coll1(Q)⇔ Q has a collision with TL, BL, TR, BR distinctColl2(Q)⇔ Q has a collision with TL = BL or TR = BRColl3(Q)⇔ Q has a collision with TL = BR or BL = TR
We are going to focus on upper bounding Pr[Coll1(Q)]
Ex) Coll2(Q) occurs if (A,A||A,A), (B,B||B,B) s.t. A 6= B exist
A0nTL
A
A A AAA
0nBL
B0nTR
B
B B BBB
0nBR
![Page 26: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/26.jpg)
Upper bounding Pr[Coll1(Q)]
General Framework1 Upper bound the probability of Colli1(Q) that the i-th query
completes a collision2 Union bound by summing the upper bounds over all
possible queries i = 1, . . . ,q (If the upper bounds areindependent of each query, then we can just multiply q)
AA RTL
A
B L RSS
B SBL
A’A’ R’TR
A
B’ L’ R’S’S
B’ S’BR
![Page 27: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/27.jpg)
Upper bounding Pr[Coll1(Q)]
General Framework1 Upper bound the probability of Colli1(Q) that the i-th query
completes a collision2 Union bound by summing the upper bounds over all
possible queries i = 1, . . . ,q (If the upper bounds areindependent of each query, then we can just multiply q)
How can we upper bound Pr[Colli1(Q)]?
AA RTL
A
B L RSS
B SBL
A’A’ R’TR
A
B’ L’ R’S’S
B’ S’BR
![Page 28: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/28.jpg)
Upper bounding Pr[Colli1(Q)]
By symmetry, we can assume the last query is either TL or BL.
The last query: TL BLBackward Case 1 Case 3Forward Case 2 Case 4
AA RTL
A
B L RSS
B SBL
A’A’ R’TR
A
B’ L’ R’S’S
B’ S’BR
![Page 29: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/29.jpg)
Upper bounding Pr[Colli1(Q)]
By symmetry, we can assume the last query is either TL or BL.
The last query: TL BLBackward Case 1 Case 3Forward Case 2 Case 4
Union bound
Pr[Colli1(Q)] ≤ Pr[Case1]+Pr[Case2]+Pr[Case3]+Pr[Case4]
AA RTL
A
B L RSS
B SBL
A’A’ R’TR
A
B’ L’ R’S’S
B’ S’BR
![Page 30: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/30.jpg)
Upper bounding Pr[Colli1(Q)]
By symmetry, we can assume the last query is either TL or BL.
The last query: TL BLBackward Case 1 Case 3Forward Case 2 Case 4
Union bound
Pr[Colli1(Q)] ≤ Pr[Case1]+Pr[Case2]+Pr[Case3]+Pr[Case4]
AA RTL
A
B L RSS
B SBL
A’A’ R’TR
A
B’ L’ R’S’S
B’ S’BR
![Page 31: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/31.jpg)
Case 1: The Last Query is TL and Backward
1 At the point when TL is queried, B, L, R are fixed2 B, L, R uniquely determine BL, and B ⊕ S3 The number of BR-queries (B′,L′||R′,S′) such that
B′ ⊕ S′ = B ⊕ S is at most α except with small probability4 Each of BR-queries uniquely determines TR, and A′ ⊕ R′
5 The response should be A′ ⊕ R′ ⊕ R, so Pr[Case1] ≤ α2n−q
(except with the “bad event")
??
B L R
![Page 32: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/32.jpg)
Case 1: The Last Query is TL and Backward
1 At the point when TL is queried, B, L, R are fixed2 B, L, R uniquely determine BL, and B ⊕ S3 The number of BR-queries (B′,L′||R′,S′) such that
B′ ⊕ S′ = B ⊕ S is at most α except with small probability4 Each of BR-queries uniquely determines TR, and A′ ⊕ R′
5 The response should be A′ ⊕ R′ ⊕ R, so Pr[Case1] ≤ α2n−q
(except with the “bad event")
?
B L RS
?
SB S
![Page 33: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/33.jpg)
Case 1: The Last Query is TL and Backward
1 At the point when TL is queried, B, L, R are fixed2 B, L, R uniquely determine BL, and B ⊕ S3 The number of BR-queries (B′,L′||R′,S′) such that
B′ ⊕ S′ = B ⊕ S is at most α except with small probability4 Each of BR-queries uniquely determines TR, and A′ ⊕ R′
5 The response should be A′ ⊕ R′ ⊕ R, so Pr[Case1] ≤ α2n−q
(except with the “bad event")
?
B L RS
?
SB S
B’ L’ R’S’S
B’ S’
![Page 34: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/34.jpg)
Case 1: The Last Query is TL and Backward
1 At the point when TL is queried, B, L, R are fixed2 B, L, R uniquely determine BL, and B ⊕ S3 The number of BR-queries (B′,L′||R′,S′) such that
B′ ⊕ S′ = B ⊕ S is at most α except with small probability4 Each of BR-queries uniquely determines TR, and A′ ⊕ R′
5 The response should be A′ ⊕ R′ ⊕ R, so Pr[Case1] ≤ α2n−q
(except with the “bad event")
?
B L RS
?
SB S
A’ R’A’
B’ L’ R’S’
A
SB’ S’
![Page 35: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/35.jpg)
Case 1: The Last Query is TL and Backward
1 At the point when TL is queried, B, L, R are fixed2 B, L, R uniquely determine BL, and B ⊕ S3 The number of BR-queries (B′,L′||R′,S′) such that
B′ ⊕ S′ = B ⊕ S is at most α except with small probability4 Each of BR-queries uniquely determines TR, and A′ ⊕ R′
5 The response should be A′ ⊕ R′ ⊕ R, so Pr[Case1] ≤ α2n−q
(except with the “bad event")
A’ R’ RA’ R’
B L RS
A R R
SB S
A’ R’A’
B’ L’ R’S’
A
SB’ S’
![Page 36: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/36.jpg)
Case 2: The Last Query is TL and Forward
Subcase 2a: BL-query is Backward1 At the point when TL is queried, A, B, L are fixed2 The number of backward queries whose answer is B is at
most α except with small probability3 Since each of such backward queries uniquely determines
R, Pr[Subcase2a] ≤ α2n−q (except with the “bad event")
AA
B L ?
![Page 37: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/37.jpg)
Case 2: The Last Query is TL and Forward
Subcase 2a: BL-query is Backward1 At the point when TL is queried, A, B, L are fixed2 The number of backward queries whose answer is B is at
most α except with small probability3 Since each of such backward queries uniquely determines
R, Pr[Subcase2a] ≤ α2n−q (except with the “bad event")
A
B L RS
A
S
![Page 38: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/38.jpg)
Case 2: The Last Query is TL and Forward
Subcase 2a: BL-query is Backward1 At the point when TL is queried, A, B, L are fixed2 The number of backward queries whose answer is B is at
most α except with small probability3 Since each of such backward queries uniquely determines
R, Pr[Subcase2a] ≤ α2n−q (except with the “bad event")
A
B L RS
A
S
![Page 39: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/39.jpg)
Case 2: The Last Query is TL and Forward
Subcase 2b: BL-query is Forward1 At the point when TL is queried, A, B, L are fixed2 The number of forward queries whose input block is B?
AA
B L ?
![Page 40: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/40.jpg)
Case 2: The Last Query is TL and Forward
Subcase 2b: BL-query is Forward1 At the point when TL is queried, A, B, L are fixed2 The number of forward queries whose input block is B?
A
B L RS
A
S
![Page 41: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/41.jpg)
Case 2: The Last Query is TL and Forward
Subcase 2b: BL-query is Forward1 At the point when TL is queried, A, B, L are fixed2 The number of forward queries whose input block is B?
It is hard to probabilistically restrict this number!
A
B L RS
A
S
![Page 42: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/42.jpg)
Case 2: The Last Query is TL and Forward
Subcase 2b: BL-query is Forward1 At the point when TL is queried, A, B, L are fixed2 The number of forward queries whose input block is B?
We want to eliminate this case
A
B L RS
A
S
![Page 43: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/43.jpg)
Main Idea: Modified Adversary A′
A′ runs A as a subroutine and records its query history Q′
If A makes a forward query EL||R(B), then A′ makes aquery EL||R(B), and an additional query E−1
B||L(R)
If A makes a backward query E−1B||L(R), then A′ makes a
query E−1B||L(R), and an additional query EL||R(B)
B L R
![Page 44: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/44.jpg)
Main Idea: Modified Adversary A′
A′ runs A as a subroutine and records its query history Q′
If A makes a forward query EL||R(B), then A′ makes aquery EL||R(B), and an additional query E−1
B||L(R)
If A makes a backward query E−1B||L(R), then A′ makes a
query E−1B||L(R), and an additional query EL||R(B)
B L R
![Page 45: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/45.jpg)
Main Idea: Modified Adversary A′
A′ runs A as a subroutine and records its query history Q′
If A makes a forward query EL||R(B), then A′ makes aquery EL||R(B), and an additional query E−1
B||L(R)
If A makes a backward query E−1B||L(R), then A′ makes a
query E−1B||L(R), and an additional query EL||R(B)
B L R
![Page 46: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/46.jpg)
The Property of the Modified Adversary
If A makes q queries, then A′ makes at most 2q queries
Since Q ⊂ Q′, AdvCollTDME (A) ≤ AdvColl
TDME (A′)
B L R
![Page 47: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/47.jpg)
The Property of the Modified Adversary
If A makes q queries, then A′ makes at most 2q queries
Since Q ⊂ Q′, AdvCollTDME (A) ≤ AdvColl
TDME (A′)
B L R
![Page 48: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/48.jpg)
The Property of the Modified Adversary
If A makes q queries, then A′ makes at most 2q queries
Since Q ⊂ Q′, AdvCollTDME (A) ≤ AdvColl
TDME (A′)
If A′ obtains the BL position of a certain evaluation by a forwardquery, then A′ will immediately make an additional backwardquery and place it at the TL position
B L R
![Page 49: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/49.jpg)
The Property of the Modified Adversary
If A makes q queries, then A′ makes at most 2q queries
Since Q ⊂ Q′, AdvCollTDME (A) ≤ AdvColl
TDME (A′)
If the TL position of a certain evaluation is obtained by aforward query after the BL position is determined, then the BLquery should have been obtained by a backward query
B L R
![Page 50: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/50.jpg)
The Property of the Modified Adversary
If A makes q queries, then A′ makes at most 2q queries
Since Q ⊂ Q′, AdvCollTDME (A) ≤ AdvColl
TDME (A′)
It means that A′ does not create Subcase 2b
B L R
![Page 51: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/51.jpg)
Main Result
Theorem
For N = 2n, q < N/2 and 1 ≤ α ≤ 2q,
AdvcollTDM(q) ≤ 2N
(2eq
α(N − 2q)
)α+
4qαN − 2q
+4q
N − 2q
Asymptotically, using α = n/ log n
limn→∞
AdvcollTDM (N/n) = 0
Numerically, for n = 128, using α = 16
AdvcollTDM(2120.87) <
12
![Page 52: The Collision Security of Tandem-DM in the Ideal Cipher Model · The Collision Security of Tandem-DM in the Ideal Cipher Model Jooyoung Lee1 Martijn Stam2 John Steinberger3 1Faculty](https://reader036.vdocument.in/reader036/viewer/2022062921/5f03c1be7e708231d40a9e11/html5/thumbnails/52.jpg)
Thank You