We provide the first proof of security for Tandem-DM, one of the oldest and most well-known constructions for turning a block cipher with n-bit block length and 2n-bit key length into a 2n-bit cryptographic hash function. We prove that when Tandem-DM is instantiated with AES-256 (block length 128 bits, key length 256 bits), any adversary that asks fewer than 2^120.4 queries cannot find a collision with success probability greater than 1/2. We also prove a bound for the preimage resistance of Tandem-DM. Interestingly, as only one other practical construction is known that turns such an (n, 2n)-bit block cipher into a 2n-bit compression function with provably birthday-type collision resistance (Hirose, FSE'06), Tandem-DM is one of only two constructions with this desirable feature. © 2009 Springer Berlin Heidelberg.
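The compression function the abstract refers to, as an added example (not code from the paper): Tandem-DM's two cipher calls per message block in Python, with a Merkle-Damgård wrapper and a generic birthday collision search run on a downscaled instance. The Tandem-DM equations are the standard Lai-Massey definition that the paper analyses; the toy Feistel cipher standing in for AES-256, the all-zero IV, the padding rule and the tiny n used for the collision search are assumptions of this example.

```python
"""Tandem-DM over an (n, 2n)-bit block cipher, plus a birthday collision search
on a downscaled instance. Example code, not from the paper."""
import hashlib
import random
from typing import Callable, Optional, Tuple

BlockCipher = Callable[[bytes, bytes], bytes]  # E(key, plaintext) -> ciphertext


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel_encrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Toy (n, 2n)-bit block cipher: a balanced Feistel network whose round
    function is truncated SHA-256 of (key, round index, right half).
    ASSUMPTION: this stands in for AES-256 so the demo runs without a crypto
    library. It is a keyed permutation on n-bit blocks, which is all Tandem-DM
    needs from E, but it must not be used as a real cipher. Requires |key| = 2|block|."""
    n = len(block)
    if len(key) != 2 * n or n % 2:
        raise ValueError("need a 2n-bit key and an even number of block bytes")
    left, right = block[: n // 2], block[n // 2:]
    for r in range(rounds):
        f = hashlib.sha256(key + bytes([r]) + right).digest()[: n // 2]
        left, right = right, xor(left, f)
    return left + right


def tandem_dm(E: BlockCipher, g: bytes, h: bytes, m: bytes) -> Tuple[bytes, bytes]:
    """One Tandem-DM compression step (Lai/Massey), n = |g| = |h| = |m|:
         W  = E_{H || M}(G)
         G' = G xor W
         H' = H xor E_{M || W}(H)
    Two cipher calls, each keyed with 2n bits; the second key contains the first
    call's output W, which ties the two output halves to each other."""
    w = E(h + m, g)
    return xor(g, w), xor(h, E(m + w, h))


def tandem_dm_hash(E: BlockCipher, msg: bytes, n: int,
                   iv: Optional[Tuple[bytes, bytes]] = None) -> bytes:
    """Merkle-Damgaard iteration of Tandem-DM: 0x80 || zeros || 64-bit bit-length
    padding, n-byte message blocks, 2n-byte digest G || H.
    ASSUMPTION: the all-zero IV and this padding rule are choices of the example."""
    g, h = iv if iv is not None else (bytes(n), bytes(n))
    padded = msg + b"\x80"
    padded += bytes((-len(padded) - 8) % n) + (8 * len(msg)).to_bytes(8, "big")
    for i in range(0, len(padded), n):
        g, h = tandem_dm(E, g, h, padded[i:i + n])
    return g + h


def birthday_collision(E: BlockCipher, n: int, seed: int = 1,
                       max_queries: int = 1 << 22):
    """Generic birthday attack on the 2n-byte compression function: draw random
    (G, H, M) inputs until two distinct ones map to the same (G', H').
    Returns (compression calls made, input1, input2), or None if max_queries is hit.
    Succeeds after roughly 2^(8n) compression calls (square root of the 2^(16n)
    output space); the paper's result is the converse bound, that against an
    ideal cipher no adversary does much better than this for n = 128 bits."""
    rng = random.Random(seed)
    seen = {}
    for q in range(1, max_queries + 1):
        x = rng.getrandbits(8 * 3 * n).to_bytes(3 * n, "big")
        out = b"".join(tandem_dm(E, x[:n], x[n:2 * n], x[2 * n:]))
        if out in seen and seen[out] != x:
            return q, seen[out], x
        seen[out] = x
    return None


if __name__ == "__main__":
    # AES-256-sized parameters: n = 16 bytes, 32-byte key, 32-byte digest.
    print(tandem_dm_hash(feistel_encrypt, b"abc", 16).hex())
    # Downscaled run (n = 2 bytes, 32-bit digest): collision after ~2^16 calls.
    q, x1, x2 = birthday_collision(feistel_encrypt, 2)
    print(f"collision after {q} compression calls: {x1.hex()} / {x2.hex()}")
```

With n = 16 bytes the digest is 256 bits and the birthday search above would need on the order of 2^128 compression calls (twice that many cipher queries); the abstract's 2^120.4 is the paper's lower bound on what any adversary must spend for a 1/2 chance of success. The downscaled run with n = 2 makes the square-root cost visible: the collision appears after tens of thousands of calls, not billions.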
CITATION STYLE
Fleischmann, E., Gorski, M., & Lucks, S. (2009). On the security of Tandem-DM. In Fast Software Encryption (FSE 2009), Lecture Notes in Computer Science, Vol. 5665, pp. 84–103. Springer. https://doi.org/10.1007/978-3-642-03317-9_6