The Collision Security of Tandem-DM in the Ideal Cipher Model - - PowerPoint PPT Presentation

The Collision Security of Tandem-DM in the Ideal Cipher Model

Jooyoung Lee1 Martijn Stam2 John Steinberger3

1Faculty of Mathematics and Statistics, Sejong University, Seoul, Korea 2Department of Computer Science, University of Bristol, Bristol, United Kingdom 3Institute of Theoretical Computer Science, Tsinghua University, Beijing, China

August 18, 2011

Tandem-DM

E

M

E

A 3n-bit to 2n-bit compression function making two calls to a blockcipher using 2n-bit keys Proposed by Lai and Massey in Eurocrypt 1992 The first security proof given in FSE 2009, its extension given in ProvSec 2010

Tandem-DM

E

M

E

Contribution Shows the prior proofs are flawed Presents a novel proof for the collision resistance of Tandem-DM in the ideal cipher model Mostly historical interest, rather than practical interest

Ideal Cipher Model & Query History

E E-1 Adversary

An ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

Ideal Cipher Model & Query History

K1,X1

E E-1 Adversary

An ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

Ideal Cipher Model & Query History

K1,X1

E E-1 Adversary

Y

1←{ 0,1} \R K1

$

R

K1←R K1∪{ Y 1}

n

R

K1

R

K1∪{ Y }

An ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

Ideal Cipher Model & Query History

K1,X1

E E-1 Adversary

Y

1←{ 0,1} \R K1

$

R

K1←R K1∪{ Y 1}

n

Y1 R

K1

R

K1∪{ Y }

An ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

Ideal Cipher Model & Query History

K1,X1

E E-1 Adversary

(X1,K1,Y1) Y1 An ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

Ideal Cipher Model & Query History

E E-1

K2,Y2

Adversary

(X1,K1,Y1) An ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

Ideal Cipher Model & Query History

E E-1

K2,Y2

Adversary

(X1,K1,Y1) X2←{ 0,1} \DK2

$

DK2←DK2∪{ X2}

n

DK2 DK2∪{ X } An ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

Ideal Cipher Model & Query History

E E-1

K2,Y2

Adversary

(X1,K1,Y1) X2←{ 0,1} \DK2

$

DK2←DK2∪{ X2}

n

X2 DK2 DK2∪{ X } An ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

Ideal Cipher Model & Query History

E E-1

K2,Y2

Adversary

(X1,K1,Y1) (X2,K2,Y2) X2 An ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

Ideal Cipher Model & Query History

K3,X3

E E-1 Adversary

(X1,K1,Y1) (X2,K2,Y2) An ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

Ideal Cipher Model & Query History

K3,X3

E E-1 Adversary

(X1,K1,Y1) (X2,K2,Y2) Y

3←{ 0,1} \R K3

$

R

K3←R K3∪{ Y 3}

n

R

K3

R

K3∪{ Y }

An ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

Ideal Cipher Model & Query History

K3,X3

E E-1 Adversary

(X1,K1,Y1) (X2,K2,Y2) Y

3←{ 0,1} \R K3

$

R

K3←R K3∪{ Y 3}

n

Y3 R

K3

R

K3∪{ Y }

An ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

Ideal Cipher Model & Query History

K3,X3

E E-1 Adversary

(X1,K1,Y1) (X2,K2,Y2) (X3 K3 Y3) Y3 (X3,K3,Y3) An ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

Ideal Cipher Model & Query History

E E-1 Adversary

(X1,K1,Y1) (X2,K2,Y2) (X3 K3 Y3) (X3,K3,Y3) (Xq Kq Y

q)

(Xq,Kq,Y

q)

An ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

Ideal Cipher Model & Query History

E E-1 Adversary

(X1,K1,Y1) (X2,K2,Y2) (X3 K3 Y3) (X3,K3,Y3) (Xq Kq Y

q)

Q e Hi to Q (Xq,Kq,Y

q)

Query History Q An ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

Ideal Cipher Model & Query History

E E-1 Adversary

(X1,K1,Y1) (X2,K2,Y2) (X3 K3 Y3) (X3,K3,Y3) (Xq Kq Y

q)

Q e Hi to Q (Xq,Kq,Y

q)

Query History Q An ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

Evaluation of Tandem-DM

(A, B||L, R), (B, L||R, S) ∈ Q determine TDME : {0, 1}3n − → {0, 1}2n A||B||L − → A ⊕ R||B ⊕ S

A A R TL A B L R S B S BL

Collisions in Tandem-DM

The goal of a collision-finding adversary A To find (A, B||L, R), (B, L||R, S), (A′, B′||L′, R′), (B′, L′||R′, S′) such that A||B||L = A′||B′||L′, A ⊕ R = A′ ⊕ R′, B ⊕ S = B′ ⊕ S′ Predicate Coll(Q) is true if and only if such queries exist in Q

A A R TL A B L R S B S BL A’ A’ R’ TR A B’ L’ R’ S’ S B’ S’ BR

Collisions in Tandem-DM

The goal of a collision-finding adversary A To find (A, B||L, R), (B, L||R, S), (A′, B′||L′, R′), (B′, L′||R′, S′) such that A||B||L = A′||B′||L′, A ⊕ R = A′ ⊕ R′, B ⊕ S = B′ ⊕ S′ We want to upper bound Pr[Coll(Q)] = AdvColl

TDME(A)

A A R TL A B L R S B S BL A’ A’ R’ TR A B’ L’ R’ S’ S B’ S’ BR

Collisions in Tandem-DM

The goal of a collision-finding adversary A To find (A, B||L, R), (B, L||R, S), (A′, B′||L′, R′), (B′, L′||R′, S′) such that A||B||L = A′||B′||L′, A ⊕ R = A′ ⊕ R′, B ⊕ S = B′ ⊕ S′ We want Pr[Coll(Q)] to be small

A A R TL A B L R S B S BL A’ A’ R’ TR A B’ L’ R’ S’ S B’ S’ BR

Case Analysis

Coll(Q) ⇒ Coll1(Q) ∨ Coll2(Q) ∨ Coll3(Q), where Coll1(Q) ⇔ Q has a collision with TL, BL, TR, BR distinct Coll2(Q) ⇔ Q has a collision with TL = BL or TR = BR Coll3(Q) ⇔ Q has a collision with TL = BR or BL = TR Ex) Coll2(Q) occurs if (A, A||A, A), (B, B||B, B) s.t. A = B exist

A 0n TL A A A A A 0n BL B 0n TR B B B B B 0n BR

Case Analysis

Coll(Q) ⇒ Coll1(Q) ∨ Coll2(Q) ∨ Coll3(Q), where Coll1(Q) ⇔ Q has a collision with TL, BL, TR, BR distinct Coll2(Q) ⇔ Q has a collision with TL = BL or TR = BR Coll3(Q) ⇔ Q has a collision with TL = BR or BL = TR We are going to focus on upper bounding Pr[Coll1(Q)] Ex) Coll2(Q) occurs if (A, A||A, A), (B, B||B, B) s.t. A = B exist

A 0n TL A A A A A 0n BL B 0n TR B B B B B 0n BR

Upper bounding Pr[Coll1(Q)]

General Framework

1

Upper bound the probability of Colli

1(Q) that the i-th query

completes a collision

2

Union bound by summing the upper bounds over all possible queries i = 1, . . . , q (If the upper bounds are independent of each query, then we can just multiply q)

A A R TL A B L R S B S BL A’ A’ R’ TR A B’ L’ R’ S’ S B’ S’ BR

Upper bounding Pr[Coll1(Q)]

General Framework

1

Upper bound the probability of Colli

1(Q) that the i-th query

completes a collision

2

Union bound by summing the upper bounds over all possible queries i = 1, . . . , q (If the upper bounds are independent of each query, then we can just multiply q) How can we upper bound Pr[Colli

1(Q)]?

A A R TL A B L R S B S BL A’ A’ R’ TR A B’ L’ R’ S’ S B’ S’ BR

Upper bounding Pr[Colli

1(Q)]

By symmetry, we can assume the last query is either TL or BL. The last query: TL BL Backward Case 1 Case 3 Forward Case 2 Case 4

A A R TL A B L R S B S BL A’ A’ R’ TR A B’ L’ R’ S’ S B’ S’ BR

Upper bounding Pr[Colli

1(Q)]

By symmetry, we can assume the last query is either TL or BL. The last query: TL BL Backward Case 1 Case 3 Forward Case 2 Case 4 Union bound Pr[Colli

1(Q)] ≤ Pr[Case1] + Pr[Case2] + Pr[Case3] + Pr[Case4]

A A R TL A B L R S B S BL A’ A’ R’ TR A B’ L’ R’ S’ S B’ S’ BR

Upper bounding Pr[Colli

1(Q)]

By symmetry, we can assume the last query is either TL or BL. The last query: TL BL Backward Case 1 Case 3 Forward Case 2 Case 4 Union bound Pr[Colli

1(Q)] ≤ Pr[Case1] + Pr[Case2] + Pr[Case3] + Pr[Case4]

A A R TL A B L R S B S BL A’ A’ R’ TR A B’ L’ R’ S’ S B’ S’ BR

Case 1: The Last Query is TL and Backward

1

At the point when TL is queried, B, L, R are fixed

2

B, L, R uniquely determine BL, and B ⊕ S

3

The number of BR-queries (B′, L′||R′, S′) such that B′ ⊕ S′ = B ⊕ S is at most α except with small probability

4

Each of BR-queries uniquely determines TR, and A′ ⊕ R′

5

The response should be A′ ⊕ R′ ⊕ R, so Pr[Case1] ≤

α 2n−q

(except with the “bad event")

? B L R

Case 1: The Last Query is TL and Backward

1

At the point when TL is queried, B, L, R are fixed

2

B, L, R uniquely determine BL, and B ⊕ S

3

The number of BR-queries (B′, L′||R′, S′) such that B′ ⊕ S′ = B ⊕ S is at most α except with small probability

4

Each of BR-queries uniquely determines TR, and A′ ⊕ R′

5

The response should be A′ ⊕ R′ ⊕ R, so Pr[Case1] ≤

α 2n−q

(except with the “bad event")

? B L R S ? S B S

Case 1: The Last Query is TL and Backward

1

At the point when TL is queried, B, L, R are fixed

2

B, L, R uniquely determine BL, and B ⊕ S

3

The number of BR-queries (B′, L′||R′, S′) such that B′ ⊕ S′ = B ⊕ S is at most α except with small probability

4

Each of BR-queries uniquely determines TR, and A′ ⊕ R′

5

The response should be A′ ⊕ R′ ⊕ R, so Pr[Case1] ≤

α 2n−q

(except with the “bad event")

? B L R S ? S B S B’ L’ R’ S’ S B’ S’

Case 1: The Last Query is TL and Backward

1

At the point when TL is queried, B, L, R are fixed

2

B, L, R uniquely determine BL, and B ⊕ S

3

The number of BR-queries (B′, L′||R′, S′) such that B′ ⊕ S′ = B ⊕ S is at most α except with small probability

4

Each of BR-queries uniquely determines TR, and A′ ⊕ R′

5

The response should be A′ ⊕ R′ ⊕ R, so Pr[Case1] ≤

α 2n−q

(except with the “bad event")

? B L R S ? S B S A’ R’ A’ B’ L’ R’ S’ A S B’ S’

Case 1: The Last Query is TL and Backward

1

At the point when TL is queried, B, L, R are fixed

2

B, L, R uniquely determine BL, and B ⊕ S

3

The number of BR-queries (B′, L′||R′, S′) such that B′ ⊕ S′ = B ⊕ S is at most α except with small probability

4

Each of BR-queries uniquely determines TR, and A′ ⊕ R′

5

The response should be A′ ⊕ R′ ⊕ R, so Pr[Case1] ≤

α 2n−q

(except with the “bad event")

A’ R’ R A’ R’ B L R S A R R S B S A’ R’ A’ B’ L’ R’ S’ A S B’ S’

Case 2: The Last Query is TL and Forward

Subcase 2a: BL-query is Backward

1

At the point when TL is queried, A, B, L are fixed

2

The number of backward queries whose answer is B is at most α except with small probability

3

Since each of such backward queries uniquely determines R, Pr[Subcase2a] ≤

α 2n−q (except with the “bad event")

A B L ?

Case 2: The Last Query is TL and Forward

Subcase 2a: BL-query is Backward

1

At the point when TL is queried, A, B, L are fixed

2

The number of backward queries whose answer is B is at most α except with small probability

3

Since each of such backward queries uniquely determines R, Pr[Subcase2a] ≤

α 2n−q (except with the “bad event")

A B L R S A S

Case 2: The Last Query is TL and Forward

Subcase 2a: BL-query is Backward

1

At the point when TL is queried, A, B, L are fixed

2

The number of backward queries whose answer is B is at most α except with small probability

3

Since each of such backward queries uniquely determines R, Pr[Subcase2a] ≤

α 2n−q (except with the “bad event")

A B L R S A S

Case 2: The Last Query is TL and Forward

Subcase 2b: BL-query is Forward

1

At the point when TL is queried, A, B, L are fixed

2

The number of forward queries whose input block is B?

A B L ?

Case 2: The Last Query is TL and Forward

Subcase 2b: BL-query is Forward

1

At the point when TL is queried, A, B, L are fixed

2

The number of forward queries whose input block is B?

A B L R S A S

Case 2: The Last Query is TL and Forward

Subcase 2b: BL-query is Forward

1

At the point when TL is queried, A, B, L are fixed

2

The number of forward queries whose input block is B? It is hard to probabilistically restrict this number!

A B L R S A S

Case 2: The Last Query is TL and Forward

Subcase 2b: BL-query is Forward

1

At the point when TL is queried, A, B, L are fixed

2

The number of forward queries whose input block is B? We want to eliminate this case

A B L R S A S

Main Idea: Modified Adversary A′

A′ runs A as a subroutine and records its query history Q′ If A makes a forward query EL||R(B), then A′ makes a query EL||R(B), and an additional query E−1

B||L(R)

If A makes a backward query E−1

B||L(R), then A′ makes a

query E−1

B||L(R), and an additional query EL||R(B)

B L R

Main Idea: Modified Adversary A′

A′ runs A as a subroutine and records its query history Q′ If A makes a forward query EL||R(B), then A′ makes a query EL||R(B), and an additional query E−1

B||L(R)

If A makes a backward query E−1

B||L(R), then A′ makes a

query E−1

B||L(R), and an additional query EL||R(B)

B L R

Main Idea: Modified Adversary A′

A′ runs A as a subroutine and records its query history Q′ If A makes a forward query EL||R(B), then A′ makes a query EL||R(B), and an additional query E−1

B||L(R)

If A makes a backward query E−1

B||L(R), then A′ makes a

query E−1

B||L(R), and an additional query EL||R(B)

B L R

The Property of the Modified Adversary

If A makes q queries, then A′ makes at most 2q queries Since Q ⊂ Q′, AdvColl

TDME(A) ≤ AdvColl TDME(A′)

B L R

The Property of the Modified Adversary

If A makes q queries, then A′ makes at most 2q queries Since Q ⊂ Q′, AdvColl

TDME(A) ≤ AdvColl TDME(A′)

B L R

The Property of the Modified Adversary

If A makes q queries, then A′ makes at most 2q queries Since Q ⊂ Q′, AdvColl

TDME(A) ≤ AdvColl TDME(A′)

If A′ obtains the BL position of a certain evaluation by a forward query, then A′ will immediately make an additional backward query and place it at the TL position B L R

The Property of the Modified Adversary

If A makes q queries, then A′ makes at most 2q queries Since Q ⊂ Q′, AdvColl

TDME(A) ≤ AdvColl TDME(A′)

If the TL position of a certain evaluation is obtained by a forward query after the BL position is determined, then the BL query should have been obtained by a backward query B L R

The Property of the Modified Adversary

If A makes q queries, then A′ makes at most 2q queries Since Q ⊂ Q′, AdvColl

TDME(A) ≤ AdvColl TDME(A′)

It means that A′ does not create Subcase 2b B L R

Main Result

Theorem For N = 2n, q < N/2 and 1 ≤ α ≤ 2q, Advcoll

TDM(q) ≤ 2N

• 2eq

α(N − 2q) α + 4qα N − 2q + 4q N − 2q Asymptotically, using α = n/ log n lim

n→∞ Advcoll TDM (N/n) = 0

Numerically, for n = 128, using α = 16 Advcoll

TDM(2120.87) < 1

2

Thank You