The Collision Security of Tandem-DM in the Ideal Cipher Model

Size: px

Start display at page:

Download "The Collision Security of Tandem-DM in the Ideal Cipher Model"

Lucas Malone
5 years ago
Views:

1 The Collision ecurity of Tandem-DM in the Ideal Cipher Model Jooyoung Lee 1 Martijn tam 2 John teinberger 3 1 Faculty of Mathematics and tatistics, ejong University, eoul, Korea 2 Department of Computer cience, University of Bristol, Bristol, United Kingdom 3 Institute of Theoretical Computer cience, Tsinghua University, Beijing, China ugust 18, 2011

2 Tandem-DM E M E 3n-bit to 2n-bit compression function making two calls to a blockcipher using 2n-bit keys Proposed by Lai and Massey in Eurocrypt 1992 The first security proof given in FE 2009, its extension given in Provec 2010

3 Tandem-DM E M E Contribution hows the prior proofs are flawed Presents a novel proof for the collision resistance of Tandem-DM in the ideal cipher model Mostly historical interest, rather than practical interest

4 Ideal Cipher Model & Query History E dversary E -1 n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

5 Ideal Cipher Model & Query History E K 1,X 1 dversary E -1 n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

6 Ideal Cipher Model & Query History E K 1,X 1 dversary E -1 Y 1 $ n {0,1} \R K 1 R 1 R 1 K 1 K 1 {Y } n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

7 Ideal Cipher Model & Query History E K 1,X 1 dversary E -1 Y 1 $ n {0,1} \R K 1 R 1 R 1 K 1 K 1 {Y } Y 1 n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

8 Ideal Cipher Model & Query History E K 1,X 1 dversary E -1 (X 1,K 1,Y 1 ) Y 1 n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

9 Ideal Cipher Model & Query History E dversary K 2,Y 2 E -1 (X 1,K 1,Y 1 ) n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

10 Ideal Cipher Model & Query History E dversary K 2,Y 2 E -1 (X 1,K 1,Y 1 ) X 2 $ n {0,1} \D K 2 D 2 D 2 K 2 K 2 {X } n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

11 Ideal Cipher Model & Query History E dversary K 2,Y 2 E -1 (X 1,K 1,Y 1 ) X 2 $ n {0,1} \D K 2 X 2 D 2 D 2 K 2 K 2 {X } n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

12 Ideal Cipher Model & Query History E dversary K 2,Y 2 E -1 (X 1,K 1,Y 1 ) (X 2,K 2,Y 2 ) X 2 n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

13 Ideal Cipher Model & Query History E K 3,X 3 dversary E -1 (X 1,K 1,Y 1 ) (X 2,K 2,Y 2 ) n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

14 Ideal Cipher Model & Query History E K 3,X 3 dversary E -1 Y 3 $ n {0,1} \R (X 1,K 1,Y 1 ) K 3 (X 2,K 2,Y 2 ) R 3 R 3 K 3 K 3 {Y } n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

15 Ideal Cipher Model & Query History E K 3,X 3 dversary E -1 Y 3 $ n {0,1} \R (X 1,K 1,Y 1 ) K 3 (X 2,K 2,Y 2 ) R 3 R 3 K 3 K 3 {Y } Y 3 n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

16 Ideal Cipher Model & Query History E K 3,X 3 Y 3 dversary (X 1,K 1,Y 1 ) (X 2,K 2,Y 2 ) (X 3,K 3,Y 3 ) E -1 n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

17 Ideal Cipher Model & Query History E dversary E -1 (X 1,K 1,Y 1 ) (X 2,K 2,Y 2 ) (X 3,K 3,Y 3 ) (X q,k q,y q ) n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

18 Ideal Cipher Model & Query History E dversary E -1 (X 1,K 1,Y 1 ) (X 2,K 2,Y 2 ) (X 3,K 3,Y 3 ) (X q,k q,y q ) Query History Q n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

19 Ideal Cipher Model & Query History E dversary E -1 (X 1,K 1,Y 1 ) (X 2,K 2,Y 2 ) (X 3,K 3,Y 3 ) (X q,k q,y q ) Query History Q n ideal cipher is simulated by lazy sampling The query history Q determines every evaluation of a blockcipher-based compression function

20 Evaluation of Tandem-DM (, B L, R), (B, L R, ) Q determine TDM E : {0, 1} 3n {0, 1} 2n B L R B TL R BL B

21 Collisions in Tandem-DM The goal of a collision-finding adversary To find (, B L, R), (B, L R, ), (, B L, R ), (B, L R, ) such that B L B L, R = R, B = B Predicate Coll(Q) is true if and only if such queries exist in Q TL R TR R BL B B L R BR B

22 Collisions in Tandem-DM The goal of a collision-finding adversary To find (, B L, R), (B, L R, ), (, B L, R ), (B, L R, ) such that B L B L, R = R, B = B We want to upper bound Pr[Coll(Q)] = dv Coll TDM E () TL R TR R BL B B L R BR B

23 Collisions in Tandem-DM The goal of a collision-finding adversary To find (, B L, R), (B, L R, ), (, B L, R ), (B, L R, ) such that B L B L, R = R, B = B We want Pr[Coll(Q)] to be small TL R TR R BL B B L R BR B

24 Case nalysis Coll(Q) Coll 1 (Q) Coll 2 (Q) Coll 3 (Q), where Coll 1 (Q) Q has a collision with TL, BL, TR, BR distinct Coll 2 (Q) Q has a collision with TL = BL or TR = BR Coll 3 (Q) Q has a collision with TL = BR or BL = TR Ex) Coll 2 (Q) occurs if (,, ), (B, B B, B) s.t. B exist TL 0 n B TR 0 n BL 0 n B B B BR B 0 n

25 Case nalysis Coll(Q) Coll 1 (Q) Coll 2 (Q) Coll 3 (Q), where Coll 1 (Q) Q has a collision with TL, BL, TR, BR distinct Coll 2 (Q) Q has a collision with TL = BL or TR = BR Coll 3 (Q) Q has a collision with TL = BR or BL = TR We are going to focus on upper bounding Pr[Coll 1 (Q)] Ex) Coll 2 (Q) occurs if (,, ), (B, B B, B) s.t. B exist TL 0 n B TR 0 n BL 0 n B B B BR B 0 n

26 Upper bounding Pr[Coll 1 (Q)] General Framework 1 Upper bound the probability of Coll i 1(Q) that the i-th query completes a collision 2 Union bound by summing the upper bounds over all possible queries i = 1,..., q (If the upper bounds are independent of each query, then we can just multiply q) TL R TR R BL B B L R BR B

27 Upper bounding Pr[Coll 1 (Q)] General Framework 1 Upper bound the probability of Coll i 1(Q) that the i-th query completes a collision 2 Union bound by summing the upper bounds over all possible queries i = 1,..., q (If the upper bounds are independent of each query, then we can just multiply q) How can we upper bound Pr[Coll i 1(Q)]? TL R TR R BL B B L R BR B

28 Upper bounding Pr[Coll i 1(Q)] By symmetry, we can assume the last query is either TL or BL. The last query: TL BL Backward Case 1 Case 3 Forward Case 2 Case 4 TL R TR R BL B B L R BR B

29 Upper bounding Pr[Coll i 1(Q)] By symmetry, we can assume the last query is either TL or BL. Union bound The last query: TL BL Backward Case 1 Case 3 Forward Case 2 Case 4 Pr[Coll i 1(Q)] Pr[Case1] + Pr[Case2] + Pr[Case3] + Pr[Case4] TL R TR R BL B B L R BR B

30 Upper bounding Pr[Coll i 1(Q)] By symmetry, we can assume the last query is either TL or BL. Union bound The last query: TL BL Backward Case 1 Case 3 Forward Case 2 Case 4 Pr[Coll i 1(Q)] Pr[Case1] + Pr[Case2] + Pr[Case3] + Pr[Case4] TL R TR R BL B B L R BR B

31 Case 1: The Last Query is TL and Backward 1 t the point when TL is queried, B, L, R are fixed 2 B, L, R uniquely determine BL, and B 3 The number of BR-queries (B, L R, ) such that B = B is at most α except with small probability 4 Each of BR-queries uniquely determines TR, and R 5 The response should be R R, so Pr[Case1] α 2 n q (except with the bad event")?

32 Case 1: The Last Query is TL and Backward 1 t the point when TL is queried, B, L, R are fixed 2 B, L, R uniquely determine BL, and B 3 The number of BR-queries (B, L R, ) such that B = B is at most α except with small probability 4 Each of BR-queries uniquely determines TR, and R 5 The response should be R R, so Pr[Case1] α 2 n q (except with the bad event")? B

33 Case 1: The Last Query is TL and Backward 1 t the point when TL is queried, B, L, R are fixed 2 B, L, R uniquely determine BL, and B 3 The number of BR-queries (B, L R, ) such that B = B is at most α except with small probability 4 Each of BR-queries uniquely determines TR, and R 5 The response should be R R, so Pr[Case1] α 2 n q (except with the bad event")? B L R B B

34 Case 1: The Last Query is TL and Backward 1 t the point when TL is queried, B, L, R are fixed 2 B, L, R uniquely determine BL, and B 3 The number of BR-queries (B, L R, ) such that B = B is at most α except with small probability 4 Each of BR-queries uniquely determines TR, and R 5 The response should be R R, so Pr[Case1] α 2 n q (except with the bad event")? R B L R B B

35 Case 1: The Last Query is TL and Backward 1 t the point when TL is queried, B, L, R are fixed 2 B, L, R uniquely determine BL, and B 3 The number of BR-queries (B, L R, ) such that B = B is at most α except with small probability 4 Each of BR-queries uniquely determines TR, and R 5 The response should be R R, so Pr[Case1] α 2 n q (except with the bad event") R R R R B L R B B

36 Case 2: The Last Query is TL and Forward ubcase 2a: BL-query is Backward 1 t the point when TL is queried,, B, L are fixed 2 The number of backward queries whose answer is B is at most α except with small probability 3 ince each of such backward queries uniquely determines R, Pr[ubcase2a] α 2 n q (except with the bad event") B L?

37 Case 2: The Last Query is TL and Forward ubcase 2a: BL-query is Backward 1 t the point when TL is queried,, B, L are fixed 2 The number of backward queries whose answer is B is at most α except with small probability 3 ince each of such backward queries uniquely determines R, Pr[ubcase2a] α 2 n q (except with the bad event")

38 Case 2: The Last Query is TL and Forward ubcase 2a: BL-query is Backward 1 t the point when TL is queried,, B, L are fixed 2 The number of backward queries whose answer is B is at most α except with small probability 3 ince each of such backward queries uniquely determines R, Pr[ubcase2a] α 2 n q (except with the bad event")

39 Case 2: The Last Query is TL and Forward ubcase 2b: BL-query is Forward 1 t the point when TL is queried,, B, L are fixed 2 The number of forward queries whose input block is B? B L?

40 Case 2: The Last Query is TL and Forward ubcase 2b: BL-query is Forward 1 t the point when TL is queried,, B, L are fixed 2 The number of forward queries whose input block is B?

41 Case 2: The Last Query is TL and Forward ubcase 2b: BL-query is Forward 1 t the point when TL is queried,, B, L are fixed 2 The number of forward queries whose input block is B? It is hard to probabilistically restrict this number!

42 Case 2: The Last Query is TL and Forward ubcase 2b: BL-query is Forward 1 t the point when TL is queried,, B, L are fixed 2 The number of forward queries whose input block is B? We want to eliminate this case

43 Main Idea: Modified dversary runs as a subroutine and records its query history Q If makes a forward query E L R (B), then makes a query E L R (B), and an additional query E 1 B L (R) If makes a backward query E 1 B L (R), then makes a query E 1 B L (R), and an additional query E L R(B)

44 Main Idea: Modified dversary runs as a subroutine and records its query history Q If makes a forward query E L R (B), then makes a query E L R (B), and an additional query E 1 B L (R) If makes a backward query E 1 B L (R), then makes a query E 1 B L (R), and an additional query E L R(B)

45 Main Idea: Modified dversary runs as a subroutine and records its query history Q If makes a forward query E L R (B), then makes a query E L R (B), and an additional query E 1 B L (R) If makes a backward query E 1 B L (R), then makes a query E 1 B L (R), and an additional query E L R(B)

46 The Property of the Modified dversary If makes q queries, then makes at most 2q queries ince Q Q, dv Coll TDM E () dv Coll TDM E ( )

47 The Property of the Modified dversary If makes q queries, then makes at most 2q queries ince Q Q, dv Coll TDM E () dv Coll TDM E ( )

48 The Property of the Modified dversary If makes q queries, then makes at most 2q queries ince Q Q, dv Coll TDM E () dv Coll TDM E ( ) If obtains the BL position of a certain evaluation by a forward query, then will immediately make an additional backward query and place it at the TL position

49 The Property of the Modified dversary If makes q queries, then makes at most 2q queries ince Q Q, dv Coll TDM E () dv Coll TDM E ( ) If the TL position of a certain evaluation is obtained by a forward query after the BL position is determined, then the BL query should have been obtained by a backward query

50 The Property of the Modified dversary If makes q queries, then makes at most 2q queries ince Q Q, dv Coll TDM E () dv Coll TDM E ( ) It means that does not create ubcase 2b

51 Main Result Theorem For N = 2 n, q < N/2 and 1 α 2q, ( dv coll TDM (q) 2N 2eq α(n 2q) symptotically, using α = n/ log n ) α + 4qα N 2q + lim n dvcoll TDM (N/n) = 0 Numerically, for n = 128, using α = 16 dv coll TDM ( ) < 1 2 4q N 2q

52 Thank You

Provable Security in Symmetric Key Cryptography

Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X