the collision security of tandem-dm in the ideal cipher model · the collision security of...
Post on 08-Jun-2020
1 Views
Preview:
TRANSCRIPT
The Collision Security of Tandem-DMin the Ideal Cipher Model
Jooyoung Lee1 Martijn Stam2 John Steinberger3
1Faculty of Mathematics and Statistics, Sejong University, Seoul, Korea
2Department of Computer Science, University of Bristol, Bristol, United Kingdom
3Institute of Theoretical Computer Science, Tsinghua University, Beijing, China
August 18, 2011
Tandem-DM
E
M
E
A 3n-bit to 2n-bit compression function making two calls toa blockcipher using 2n-bit keysProposed by Lai and Massey in Eurocrypt 1992The first security proof given in FSE 2009, its extensiongiven in ProvSec 2010
Tandem-DM
E
M
E
ContributionShows the prior proofs are flawedPresents a novel proof for the collision resistance ofTandem-DM in the ideal cipher modelMostly historical interest, rather than practical interest
Ideal Cipher Model & Query History
E E-1Adversary
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
Ideal Cipher Model & Query History
K1,X1E E-1Adversary
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
Ideal Cipher Model & Query History
K1,X1E E-1Adversary
Y1←{0,1} \RK1$
RK1←RK1∪{Y1}
n
RK1 RK1∪{Y }
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
Ideal Cipher Model & Query History
K1,X1E E-1Adversary
Y1←{0,1} \RK1$
RK1←RK1∪{Y1}
n
Y1RK1 RK1∪{Y }
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
Ideal Cipher Model & Query History
K1,X1E E-1Adversary(X1,K1,Y1)
Y1
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
Ideal Cipher Model & Query History
E E-1K2,Y2Adversary(X1,K1,Y1)
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
Ideal Cipher Model & Query History
E E-1K2,Y2Adversary(X1,K1,Y1) X2←{0,1} \DK2
$
DK2←DK2∪{X2}
n
DK2 DK2∪{X }
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
Ideal Cipher Model & Query History
E E-1K2,Y2Adversary(X1,K1,Y1) X2←{0,1} \DK2
$
DK2←DK2∪{X2}
n
X2DK2 DK2∪{X }
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
Ideal Cipher Model & Query History
E E-1K2,Y2Adversary(X1,K1,Y1)(X2,K2,Y2)
X2
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
Ideal Cipher Model & Query History
K3,X3E E-1Adversary(X1,K1,Y1)(X2,K2,Y2)
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
Ideal Cipher Model & Query History
K3,X3E E-1Adversary(X1,K1,Y1)(X2,K2,Y2)
Y3←{0,1} \RK3$
RK3←RK3∪{Y3}
n
RK3 RK3∪{Y }
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
Ideal Cipher Model & Query History
K3,X3E E-1Adversary(X1,K1,Y1)(X2,K2,Y2)
Y3←{0,1} \RK3$
RK3←RK3∪{Y3}
n
Y3RK3 RK3∪{Y }
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
Ideal Cipher Model & Query History
K3,X3E E-1Adversary(X1,K1,Y1)(X2,K2,Y2)(X3 K3 Y3)Y3 (X3,K3,Y3)
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
Ideal Cipher Model & Query History
E E-1Adversary(X1,K1,Y1)(X2,K2,Y2)(X3 K3 Y3)(X3,K3,Y3)
(Xq Kq Yq)(Xq,Kq,Yq)
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
Ideal Cipher Model & Query History
E E-1Adversary(X1,K1,Y1)(X2,K2,Y2)(X3 K3 Y3)(X3,K3,Y3)
(Xq Kq Yq) Q e Hi to Q(Xq,Kq,Yq) Query History Q
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
Ideal Cipher Model & Query History
E E-1Adversary(X1,K1,Y1)(X2,K2,Y2)(X3 K3 Y3)(X3,K3,Y3)
(Xq Kq Yq) Q e Hi to Q(Xq,Kq,Yq) Query History Q
An ideal cipher is simulated by lazy samplingThe query history Q determines every evaluation of ablockcipher-based compression function
Evaluation of Tandem-DM
(A,B||L,R), (B,L||R,S) ∈ Q determine
TDME : {0,1}3n −→ {0,1}2n
A||B||L 7−→ A⊕ R||B ⊕ S
AA RTL
A
B L RSS
B SBL
Collisions in Tandem-DM
The goal of a collision-finding adversary ATo find (A,B||L,R), (B,L||R,S), (A′,B′||L′,R′), (B′,L′||R′,S′)such that A||B||L 6= A′||B′||L′, A⊕ R = A′ ⊕ R′, B ⊕ S = B′ ⊕ S′
Predicate Coll(Q) is true if and only if such queries exist in Q
AA RTL
A
B L RSS
B SBL
A’A’ R’TR
A
B’ L’ R’S’S
B’ S’BR
Collisions in Tandem-DM
The goal of a collision-finding adversary ATo find (A,B||L,R), (B,L||R,S), (A′,B′||L′,R′), (B′,L′||R′,S′)such that A||B||L 6= A′||B′||L′, A⊕ R = A′ ⊕ R′, B ⊕ S = B′ ⊕ S′
We want to upper bound Pr[Coll(Q)] = AdvCollTDME (A)
AA RTL
A
B L RSS
B SBL
A’A’ R’TR
A
B’ L’ R’S’S
B’ S’BR
Collisions in Tandem-DM
The goal of a collision-finding adversary ATo find (A,B||L,R), (B,L||R,S), (A′,B′||L′,R′), (B′,L′||R′,S′)such that A||B||L 6= A′||B′||L′, A⊕ R = A′ ⊕ R′, B ⊕ S = B′ ⊕ S′
We want Pr[Coll(Q)] to be small
AA RTL
A
B L RSS
B SBL
A’A’ R’TR
A
B’ L’ R’S’S
B’ S’BR
Case Analysis
Coll(Q)⇒ Coll1(Q) ∨ Coll2(Q) ∨ Coll3(Q), where
Coll1(Q)⇔ Q has a collision with TL, BL, TR, BR distinctColl2(Q)⇔ Q has a collision with TL = BL or TR = BRColl3(Q)⇔ Q has a collision with TL = BR or BL = TR
Ex) Coll2(Q) occurs if (A,A||A,A), (B,B||B,B) s.t. A 6= B exist
A0nTL
A
A A AAA
0nBL
B0nTR
B
B B BBB
0nBR
Case Analysis
Coll(Q)⇒ Coll1(Q) ∨ Coll2(Q) ∨ Coll3(Q), where
Coll1(Q)⇔ Q has a collision with TL, BL, TR, BR distinctColl2(Q)⇔ Q has a collision with TL = BL or TR = BRColl3(Q)⇔ Q has a collision with TL = BR or BL = TR
We are going to focus on upper bounding Pr[Coll1(Q)]
Ex) Coll2(Q) occurs if (A,A||A,A), (B,B||B,B) s.t. A 6= B exist
A0nTL
A
A A AAA
0nBL
B0nTR
B
B B BBB
0nBR
Upper bounding Pr[Coll1(Q)]
General Framework1 Upper bound the probability of Colli1(Q) that the i-th query
completes a collision2 Union bound by summing the upper bounds over all
possible queries i = 1, . . . ,q (If the upper bounds areindependent of each query, then we can just multiply q)
AA RTL
A
B L RSS
B SBL
A’A’ R’TR
A
B’ L’ R’S’S
B’ S’BR
Upper bounding Pr[Coll1(Q)]
General Framework1 Upper bound the probability of Colli1(Q) that the i-th query
completes a collision2 Union bound by summing the upper bounds over all
possible queries i = 1, . . . ,q (If the upper bounds areindependent of each query, then we can just multiply q)
How can we upper bound Pr[Colli1(Q)]?
AA RTL
A
B L RSS
B SBL
A’A’ R’TR
A
B’ L’ R’S’S
B’ S’BR
Upper bounding Pr[Colli1(Q)]
By symmetry, we can assume the last query is either TL or BL.
The last query: TL BLBackward Case 1 Case 3Forward Case 2 Case 4
AA RTL
A
B L RSS
B SBL
A’A’ R’TR
A
B’ L’ R’S’S
B’ S’BR
Upper bounding Pr[Colli1(Q)]
By symmetry, we can assume the last query is either TL or BL.
The last query: TL BLBackward Case 1 Case 3Forward Case 2 Case 4
Union bound
Pr[Colli1(Q)] ≤ Pr[Case1]+Pr[Case2]+Pr[Case3]+Pr[Case4]
AA RTL
A
B L RSS
B SBL
A’A’ R’TR
A
B’ L’ R’S’S
B’ S’BR
Upper bounding Pr[Colli1(Q)]
By symmetry, we can assume the last query is either TL or BL.
The last query: TL BLBackward Case 1 Case 3Forward Case 2 Case 4
Union bound
Pr[Colli1(Q)] ≤ Pr[Case1]+Pr[Case2]+Pr[Case3]+Pr[Case4]
AA RTL
A
B L RSS
B SBL
A’A’ R’TR
A
B’ L’ R’S’S
B’ S’BR
Case 1: The Last Query is TL and Backward
1 At the point when TL is queried, B, L, R are fixed2 B, L, R uniquely determine BL, and B ⊕ S3 The number of BR-queries (B′,L′||R′,S′) such that
B′ ⊕ S′ = B ⊕ S is at most α except with small probability4 Each of BR-queries uniquely determines TR, and A′ ⊕ R′
5 The response should be A′ ⊕ R′ ⊕ R, so Pr[Case1] ≤ α2n−q
(except with the “bad event")
??
B L R
Case 1: The Last Query is TL and Backward
1 At the point when TL is queried, B, L, R are fixed2 B, L, R uniquely determine BL, and B ⊕ S3 The number of BR-queries (B′,L′||R′,S′) such that
B′ ⊕ S′ = B ⊕ S is at most α except with small probability4 Each of BR-queries uniquely determines TR, and A′ ⊕ R′
5 The response should be A′ ⊕ R′ ⊕ R, so Pr[Case1] ≤ α2n−q
(except with the “bad event")
?
B L RS
?
SB S
Case 1: The Last Query is TL and Backward
1 At the point when TL is queried, B, L, R are fixed2 B, L, R uniquely determine BL, and B ⊕ S3 The number of BR-queries (B′,L′||R′,S′) such that
B′ ⊕ S′ = B ⊕ S is at most α except with small probability4 Each of BR-queries uniquely determines TR, and A′ ⊕ R′
5 The response should be A′ ⊕ R′ ⊕ R, so Pr[Case1] ≤ α2n−q
(except with the “bad event")
?
B L RS
?
SB S
B’ L’ R’S’S
B’ S’
Case 1: The Last Query is TL and Backward
1 At the point when TL is queried, B, L, R are fixed2 B, L, R uniquely determine BL, and B ⊕ S3 The number of BR-queries (B′,L′||R′,S′) such that
B′ ⊕ S′ = B ⊕ S is at most α except with small probability4 Each of BR-queries uniquely determines TR, and A′ ⊕ R′
5 The response should be A′ ⊕ R′ ⊕ R, so Pr[Case1] ≤ α2n−q
(except with the “bad event")
?
B L RS
?
SB S
A’ R’A’
B’ L’ R’S’
A
SB’ S’
Case 1: The Last Query is TL and Backward
1 At the point when TL is queried, B, L, R are fixed2 B, L, R uniquely determine BL, and B ⊕ S3 The number of BR-queries (B′,L′||R′,S′) such that
B′ ⊕ S′ = B ⊕ S is at most α except with small probability4 Each of BR-queries uniquely determines TR, and A′ ⊕ R′
5 The response should be A′ ⊕ R′ ⊕ R, so Pr[Case1] ≤ α2n−q
(except with the “bad event")
A’ R’ RA’ R’
B L RS
A R R
SB S
A’ R’A’
B’ L’ R’S’
A
SB’ S’
Case 2: The Last Query is TL and Forward
Subcase 2a: BL-query is Backward1 At the point when TL is queried, A, B, L are fixed2 The number of backward queries whose answer is B is at
most α except with small probability3 Since each of such backward queries uniquely determines
R, Pr[Subcase2a] ≤ α2n−q (except with the “bad event")
AA
B L ?
Case 2: The Last Query is TL and Forward
Subcase 2a: BL-query is Backward1 At the point when TL is queried, A, B, L are fixed2 The number of backward queries whose answer is B is at
most α except with small probability3 Since each of such backward queries uniquely determines
R, Pr[Subcase2a] ≤ α2n−q (except with the “bad event")
A
B L RS
A
S
Case 2: The Last Query is TL and Forward
Subcase 2a: BL-query is Backward1 At the point when TL is queried, A, B, L are fixed2 The number of backward queries whose answer is B is at
most α except with small probability3 Since each of such backward queries uniquely determines
R, Pr[Subcase2a] ≤ α2n−q (except with the “bad event")
A
B L RS
A
S
Case 2: The Last Query is TL and Forward
Subcase 2b: BL-query is Forward1 At the point when TL is queried, A, B, L are fixed2 The number of forward queries whose input block is B?
AA
B L ?
Case 2: The Last Query is TL and Forward
Subcase 2b: BL-query is Forward1 At the point when TL is queried, A, B, L are fixed2 The number of forward queries whose input block is B?
A
B L RS
A
S
Case 2: The Last Query is TL and Forward
Subcase 2b: BL-query is Forward1 At the point when TL is queried, A, B, L are fixed2 The number of forward queries whose input block is B?
It is hard to probabilistically restrict this number!
A
B L RS
A
S
Case 2: The Last Query is TL and Forward
Subcase 2b: BL-query is Forward1 At the point when TL is queried, A, B, L are fixed2 The number of forward queries whose input block is B?
We want to eliminate this case
A
B L RS
A
S
Main Idea: Modified Adversary A′
A′ runs A as a subroutine and records its query history Q′
If A makes a forward query EL||R(B), then A′ makes aquery EL||R(B), and an additional query E−1
B||L(R)
If A makes a backward query E−1B||L(R), then A′ makes a
query E−1B||L(R), and an additional query EL||R(B)
B L R
Main Idea: Modified Adversary A′
A′ runs A as a subroutine and records its query history Q′
If A makes a forward query EL||R(B), then A′ makes aquery EL||R(B), and an additional query E−1
B||L(R)
If A makes a backward query E−1B||L(R), then A′ makes a
query E−1B||L(R), and an additional query EL||R(B)
B L R
Main Idea: Modified Adversary A′
A′ runs A as a subroutine and records its query history Q′
If A makes a forward query EL||R(B), then A′ makes aquery EL||R(B), and an additional query E−1
B||L(R)
If A makes a backward query E−1B||L(R), then A′ makes a
query E−1B||L(R), and an additional query EL||R(B)
B L R
The Property of the Modified Adversary
If A makes q queries, then A′ makes at most 2q queries
Since Q ⊂ Q′, AdvCollTDME (A) ≤ AdvColl
TDME (A′)
B L R
The Property of the Modified Adversary
If A makes q queries, then A′ makes at most 2q queries
Since Q ⊂ Q′, AdvCollTDME (A) ≤ AdvColl
TDME (A′)
B L R
The Property of the Modified Adversary
If A makes q queries, then A′ makes at most 2q queries
Since Q ⊂ Q′, AdvCollTDME (A) ≤ AdvColl
TDME (A′)
If A′ obtains the BL position of a certain evaluation by a forwardquery, then A′ will immediately make an additional backwardquery and place it at the TL position
B L R
The Property of the Modified Adversary
If A makes q queries, then A′ makes at most 2q queries
Since Q ⊂ Q′, AdvCollTDME (A) ≤ AdvColl
TDME (A′)
If the TL position of a certain evaluation is obtained by aforward query after the BL position is determined, then the BLquery should have been obtained by a backward query
B L R
The Property of the Modified Adversary
If A makes q queries, then A′ makes at most 2q queries
Since Q ⊂ Q′, AdvCollTDME (A) ≤ AdvColl
TDME (A′)
It means that A′ does not create Subcase 2b
B L R
Main Result
Theorem
For N = 2n, q < N/2 and 1 ≤ α ≤ 2q,
AdvcollTDM(q) ≤ 2N
(2eq
α(N − 2q)
)α+
4qαN − 2q
+4q
N − 2q
Asymptotically, using α = n/ log n
limn→∞
AdvcollTDM (N/n) = 0
Numerically, for n = 128, using α = 16
AdvcollTDM(2120.87) <
12
Thank You
top related