The Collision Security of Tandem-DM in the Ideal Cipher Model - PowerPoint PPT Presentation

  1. The Collision Security of Tandem-DM in the Ideal Cipher Model. Jooyoung Lee (1), Martijn Stam (2), John Steinberger (3). (1) Faculty of Mathematics and Statistics, Sejong University, Seoul, Korea; (2) Department of Computer Science, University of Bristol, Bristol, United Kingdom; (3) Institute of Theoretical Computer Science, Tsinghua University, Beijing, China. August 18, 2011

  2. Tandem-DM. A 3n-bit to 2n-bit compression function making two calls to a blockcipher with 2n-bit keys. Proposed by Lai and Massey at Eurocrypt 1992. The first security proof was given at FSE 2009, and its extension at ProvSec 2010.

  3. Tandem-DM. Contribution: shows that the prior proofs are flawed, and presents a novel proof of the collision resistance of Tandem-DM in the ideal cipher model. The result is mostly of historical interest, rather than practical interest.

  4-19. Ideal Cipher Model & Query History. An ideal cipher E is simulated by lazy sampling: the adversary submits forward queries (K, X) to E and backward queries (K, Y) to E^-1, and the answers are chosen only when asked for. Write R_K for the set of ciphertexts already assigned under key K and D_K for the set of plaintexts already assigned under K. On a forward query (K_1, X_1), Y_1 is sampled uniformly from {0,1}^n \ R_K1, R_K1 ← R_K1 ∪ {Y_1}, and Y_1 is returned to the adversary. On a backward query (K_2, Y_2), X_2 is sampled uniformly from {0,1}^n \ D_K2, D_K2 ← D_K2 ∪ {X_2}, and X_2 is returned. Sampling outside R_K and D_K keeps E(K, ·) a permutation. Each answered query is recorded as a triple (X_i, K_i, Y_i) regardless of its direction; after q queries the query history is Q = {(X_1, K_1, Y_1), (X_2, K_2, Y_2), (X_3, K_3, Y_3), ..., (X_q, K_q, Y_q)}. The query history Q determines every evaluation of a blockcipher-based compression function.

  20. Evaluation of Tandem-DM. Two queries (A, B||L, R), (B, L||R, S) ∈ Q determine one evaluation of TDM^E : {0,1}^3n → {0,1}^2n, A||B||L ↦ A⊕R || B⊕S. In the diagram the top query (TL) is R = E_(B||L)(A) and the bottom query (BL) is S = E_(L||R)(B); the ciphertext R of the top query forms half of the key of the bottom query.

  21-23. Collisions in Tandem-DM. The goal of a collision-finding adversary A is to find (A, B||L, R), (B, L||R, S), (A', B'||L', R'), (B', L'||R', S') ∈ Q such that A||B||L ≠ A'||B'||L', A⊕R = A'⊕R' and B⊕S = B'⊕S'. In the diagram the left evaluation consists of the queries TL and BL, the right (primed) evaluation of TR and BR. The predicate Coll(Q) is true if and only if such queries exist in Q. We want to upper bound Pr[Coll(Q)] = Adv^Coll_(TDM^E)(A), i.e. we want Pr[Coll(Q)] to be small.

  24-25. Case Analysis. Coll(Q) ⇒ Coll_1(Q) ∨ Coll_2(Q) ∨ Coll_3(Q), where Coll_1(Q) ⇔ Q has a collision with TL, BL, TR, BR distinct; Coll_2(Q) ⇔ Q has a collision with TL = BL or TR = BR; Coll_3(Q) ⇔ Q has a collision with TL = BR or BL = TR. Example: Coll_2(Q) occurs if (A, A||A, A), (B, B||B, B) with A ≠ B exist in Q. Each of these triples serves as both the top and the bottom query of its own evaluation (TL = BL and TR = BR), and both evaluations output 0^n || 0^n, so the inputs A||A||A ≠ B||B||B collide. We are going to focus on upper bounding Pr[Coll_1(Q)].
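The following Python simulation is an added worked example and is not code from the talk or from the paper it presents. It implements the objects of slides 4 through 25: a lazily sampled ideal cipher that records its query history Q as (X, K, Y) triples, the evaluation of TDM^E from pairs of triples in Q, the predicate Coll(Q), and the classification of a found collision into Coll_1, Coll_2, Coll_3 by comparing the indices of the four queries TL, BL, TR, BR. The block size n = 8 is a constructed toy value (the talk treats n generically) so that a brute-force birthday search over the 2n-bit output actually finishes; all function and attribute names (`IdealCipher`, `tandem_dm`, `evaluations`, `find_collision`, `classify`) are the example's own.

```python
import random

# Toy block size n in bits: a constructed choice, the talk treats n generically.
# With n = 8 the 2n-bit output space has 65536 values, so a birthday search is instant.
N = 8
MASK = (1 << N) - 1


def key(hi, lo):
    """Form the 2n-bit key hi||lo used by Tandem-DM from two n-bit halves."""
    return (hi << N) | lo


class IdealCipher:
    """Lazily sampled ideal cipher with n-bit blocks and 2n-bit keys.
    R[K] holds the ciphertexts already assigned under key K and D[K] the plaintexts,
    so each sampled answer keeps E(K, .) a permutation.  Every answered query is
    appended to the query history Q as a triple (X, K, Y), whatever its direction."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.fwd, self.bwd = {}, {}   # (K, X) -> Y  and  (K, Y) -> X
        self.R, self.D = {}, {}       # K -> used ciphertexts / used plaintexts
        self.history = []             # the query history Q, in query order
        self.pos = {}                 # (K, X) -> index of that triple in history

    def _record(self, X, K, Y):
        self.pos[(K, X)] = len(self.history)
        self.history.append((X, K, Y))
        self.fwd[(K, X)], self.bwd[(K, Y)] = Y, X
        self.R.setdefault(K, set()).add(Y)
        self.D.setdefault(K, set()).add(X)

    def E(self, K, X):
        """Forward query: Y <-$ {0,1}^n \\ R_K, then R_K <- R_K u {Y}."""
        if (K, X) not in self.fwd:
            free = [v for v in range(1 << N) if v not in self.R.get(K, ())]
            self._record(X, K, self.rng.choice(free))
        return self.fwd[(K, X)]

    def E_inv(self, K, Y):
        """Backward query: X <-$ {0,1}^n \\ D_K, then D_K <- D_K u {X}."""
        if (K, Y) not in self.bwd:
            free = [v for v in range(1 << N) if v not in self.D.get(K, ())]
            self._record(self.rng.choice(free), K, Y)
        return self.bwd[(K, Y)]

    def inject(self, X, K, Y):
        """Place a chosen triple into Q (used to build the slide's Coll_2 example)."""
        if Y in self.R.get(K, ()) or X in self.D.get(K, ()):
            raise ValueError("triple would break the permutation under key K")
        self._record(X, K, Y)


def tandem_dm(cipher, A, B, L):
    """TDM^E(A||B||L) = (A xor R, B xor S), R = E_{B||L}(A) (TL), S = E_{L||R}(B) (BL)."""
    R = cipher.E(key(B, L), A)
    S = cipher.E(key(L, R), B)
    return (A ^ R, B ^ S)


def evaluations(cipher):
    """Every TDM^E evaluation that Q determines: a top triple (A, B||L, R) in Q
    whose matching bottom triple (B, L||R, S) is also in Q.
    Returns (input, output, index of TL, index of BL) tuples."""
    evals = []
    for tl, (A, K1, R) in enumerate(cipher.history):
        B, L = K1 >> N, K1 & MASK
        K2 = key(L, R)
        if (K2, B) in cipher.fwd:
            S = cipher.fwd[(K2, B)]
            evals.append(((A, B, L), (A ^ R, B ^ S), tl, cipher.pos[(K2, B)]))
    return evals


def classify(tl, bl, tr, br):
    """Which of Coll_1, Coll_2, Coll_3 the four colliding query indices satisfy."""
    cases = set()
    if len({tl, bl, tr, br}) == 4:
        cases.add(1)
    if tl == bl or tr == br:
        cases.add(2)
    if tl == br or bl == tr:
        cases.add(3)
    return cases


def find_collision(cipher):
    """Decide Coll(Q): two evaluations with distinct inputs and equal outputs.
    Returns (left input, right input, common output, cases) or None."""
    seen = {}
    for inp, out, tr, br in evaluations(cipher):
        if out in seen and seen[out][0] != inp:
            left, tl, bl = seen[out]
            return left, inp, out, classify(tl, bl, tr, br)
        seen.setdefault(out, (inp, tr, br))
    return None


def coll2_example(A=5, B=9):
    """The slide's Coll_2 instance: (A, A||A, A) and (B, B||B, B) with A != B."""
    cipher = IdealCipher()
    cipher.inject(A, key(A, A), A)
    cipher.inject(B, key(B, B), B)
    return find_collision(cipher)


def birthday_search(seed=1, trials=2000):
    """Constructed brute-force adversary: evaluate TDM^E on random inputs until Q
    contains a collision (about 2^n evaluations are expected for a 2n-bit output)."""
    cipher = IdealCipher(seed)
    rng = random.Random(seed + 1)
    for _ in range(trials):
        tandem_dm(cipher, rng.randrange(1 << N), rng.randrange(1 << N), rng.randrange(1 << N))
    return find_collision(cipher)
```

`coll2_example()` returns the two inputs 5||5||5 and 9||9||9, the common output (0, 0) and the case set {2}, exactly the slide's example; `birthday_search()` shows the generic attack on the toy instance, where `classify` reports which of the three predicates the found collision falls under. Because each top triple yields at most one evaluation, two distinct evaluations always have distinct inputs, and the argument that TL = TR or BL = BR forces equal inputs is why every collision lands in at least one of Coll_1, Coll_2, Coll_3.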

  26-27. Upper bounding Pr[Coll_1(Q)]. General framework: (1) upper bound the probability of Coll_1^i(Q), the event that the i-th query completes a collision; (2) union bound by summing these upper bounds over all possible queries i = 1, ..., q (if the upper bounds do not depend on i, we can simply multiply by q). How can we upper bound Pr[Coll_1^i(Q)]?

  28-29. Upper bounding Pr[Coll_1^i(Q)]. By symmetry, we can assume the last query is either TL or BL. The four cases, by which query is last and whether it was a forward or a backward query:

      The last query:   TL       BL
      Backward          Case 1   Case 3
      Forward           Case 2   Case 4

  Union bound: Pr[Coll_1^i(Q)] ≤ Pr[Case 1] + Pr[Case 2] + Pr[Case 3] + Pr[Case 4].
