1. No category

The Iterated Random Function Problem

Iterated Random Function
The Iterated Random Function Problem
ASK 2016, Nagoya, Japan
Mridul Nandi
Indian Statistical Institute, Kolkata
28 September 2016
Joint work with Ritam Bhaumik, Nilanjan Datta, Avijit Dutta,
Ashwin Jha, Avradip Mandal, Nicky Mouha.
Iterated Random Function
Outline of the Talk
Iterated random function
Iterated Random Function
Outline of the Talk
Iterated random function
Known vs. Our Approach
Iterated Random Function
Outline of the Talk
Iterated random function
Known vs. Our Approach
Types of Collision for (iterated) random function
Iterated Random Function
Outline of the Talk
Iterated random function
Known vs. Our Approach
Types of Collision for (iterated) random function
Collision Probabilties and PRF analysis
Iterated Random Function
The Iterated Random Permutations Problem
Iterated Random Function
The Iterated Random Permutations Problem
Fix a positive integer r , and a random permutation f .
Iterated Random Function
The Iterated Random Permutations Problem
Fix a positive integer r , and a random permutation f .
Minaud and Seurin in crypto 2015 studied PRP of
f r = f ◦ · · · ◦ f (r times)
Iterated Random Function
The Iterated Random Permutations Problem
Fix a positive integer r , and a random permutation f .
Minaud and Seurin in crypto 2015 studied PRP of
f r = f ◦ · · · ◦ f (r times)
O(rq/2n ) PRP advantage
Iterated Random Function
The Iterated Random Permutations Problem
Fix a positive integer r , and a random permutation f .
Minaud and Seurin in crypto 2015 studied PRP of
f r = f ◦ · · · ◦ f (r times)
O(rq/2n ) PRP advantage
Lower bound of PRP advantage sometimes Θ(q/2n )
Iterated Random Function
The Iterated Random Permutations Problem
Fix a positive integer r , and a random permutation f .
Minaud and Seurin in crypto 2015 studied PRP of
f r = f ◦ · · · ◦ f (r times)
O(rq/2n ) PRP advantage
Lower bound of PRP advantage sometimes Θ(q/2n )
Scope of improvement
Iterated Random Function
The Iterated Random Function Problem
We ask same problem for random function
Iterated Random Function
The Iterated Random Function Problem
We ask same problem for random function
We show Θ(rq 2 /2n ) PRF advantage
Iterated Random Function
The Iterated Random Function Problem
We ask same problem for random function
We show Θ(rq 2 /2n ) PRF advantage
We show an attack with advantage about rq 2 /2n provided
q ≥ 2n/3
Iterated Random Function
The Iterated Random Function Problem
We ask same problem for random function
We show Θ(rq 2 /2n ) PRF advantage
We show an attack with advantage about rq 2 /2n provided
q ≥ 2n/3
We show upper bound using Coefficients H Technique
Iterated Random Function
Known Approach: Full Collision Probability
Used for analyzing Improved bound of CBC by Bellare,
Pietrzak and Rogaway in crypto 2005
Iterated Random Function
Known Approach: Full Collision Probability
Used for analyzing Improved bound of CBC by Bellare,
Pietrzak and Rogaway in crypto 2005
O(rq 2 /2n ) PRF advantage for CBC of length r
Iterated Random Function
Known Approach: Full Collision Probability
Used for analyzing Improved bound of CBC by Bellare,
Pietrzak and Rogaway in crypto 2005
O(rq 2 /2n ) PRF advantage for CBC of length r
Collision between a final input (q such) and other rq inputs
Iterated Random Function
Known Approach: Full Collision Probability
Used for analyzing Improved bound of CBC by Bellare,
Pietrzak and Rogaway in crypto 2005
O(rq 2 /2n ) PRF advantage for CBC of length r
Collision between a final input (q such) and other rq inputs
On the average 1/2n collision probability for a pair
Iterated Random Function
Known Approach: Full Collision Probability
Used for analyzing Improved bound of CBC by Bellare,
Pietrzak and Rogaway in crypto 2005
O(rq 2 /2n ) PRF advantage for CBC of length r
Collision between a final input (q such) and other rq inputs
On the average 1/2n collision probability for a pair
Unfortunately this is not true for random function (collision
probability for a pair can be O(rq/2n ))
Iterated Random Function
Our Approach : Upper Bound
Iterated Random Function
Our Approach : Upper Bound
Allow all collisions on f that do not lead to collision on f r
Iterated Random Function
Our Approach : Upper Bound
Allow all collisions on f that do not lead to collision on f r
Look at possible function graphs of f and f r
Iterated Random Function
Our Approach : Upper Bound
Allow all collisions on f that do not lead to collision on f r
Look at possible function graphs of f and f r
Bound probabilities of different types of collisions
Iterated Random Function
Our Approach : Upper Bound
Allow all collisions on f that do not lead to collision on f r
Look at possible function graphs of f and f r
Bound probabilities of different types of collisions
Use Coefficient H Technique to upper bound advantage
Iterated Random Function
Our Approach : Lower Bound
We show lower bound
Iterated Random Function
Our Approach : Lower Bound
We show lower bound
Vary first block and rest all blocks are same
Iterated Random Function
Our Approach : Lower Bound
We show lower bound
Vary first block and rest all blocks are same
For a pair collision probability about r /2n
Iterated Random Function
Our Approach : Lower Bound
We show lower bound
Vary first block and rest all blocks are same
For a pair collision probability about r /2n
Use Inclusion Exclusion Principle to lower bound advantage
Iterated Random Function
Our Approach : Lower Bound
We show lower bound
Vary first block and rest all blocks are same
For a pair collision probability about r /2n
Use Inclusion Exclusion Principle to lower bound advantage
So it is tight up to a small power of log r
Iterated Random Function
Function Graphs
Iterated Random Function
Function Graphs
Views function as directed graph
Iterated Random Function
Function Graphs
Views function as directed graph
y = f (x) represented by an edge from x to y
Iterated Random Function
Function Graphs
Views function as directed graph
y = f (x) represented by an edge from x to y
Loops allowed, no multiple edges
Iterated Random Function
Function Graphs
Views function as directed graph
y = f (x) represented by an edge from x to y
Loops allowed, no multiple edges
Trails move together once merged
Iterated Random Function
Function Graphs
Views function as directed graph
y = f (x) represented by an edge from x to y
Loops allowed, no multiple edges
Trails move together once merged
All trails eventually lead to cycles
Iterated Random Function
Collision Attack on f
Two main approaches:
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:
Based on Pollard’s Rho Algorithm
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:
Based on Pollard’s Rho Algorithm
Keeps feeding back f ’s outputs to f
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:
Based on Pollard’s Rho Algorithm
Keeps feeding back f ’s outputs to f
Query 1: x , query i: f i−1 (x)
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:
Based on Pollard’s Rho Algorithm
Keeps feeding back f ’s outputs to f
Query 1: x , query i: f i−1 (x)
Tries to find cycle
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:
Based on Pollard’s Rho Algorithm
Keeps feeding back f ’s outputs to f
Query 1: x , query i: f i−1 (x)
Tries to find cycle
Multiple Trails Attack:
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:
Based on Pollard’s Rho Algorithm
Keeps feeding back f ’s outputs to f
Query 1: x , query i: f i−1 (x)
Tries to find cycle
Multiple Trails Attack:
Based loosely on van Oorschot-Wiener’s Parallel Search
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:
Based on Pollard’s Rho Algorithm
Keeps feeding back f ’s outputs to f
Query 1: x , query i: f i−1 (x)
Tries to find cycle
Multiple Trails Attack:
Based loosely on van Oorschot-Wiener’s Parallel Search
Starts feedback queries simultaneously from many points
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:
Based on Pollard’s Rho Algorithm
Keeps feeding back f ’s outputs to f
Query 1: x , query i: f i−1 (x)
Tries to find cycle
Multiple Trails Attack:
Based loosely on van Oorschot-Wiener’s Parallel Search
Starts feedback queries simultaneously from many points
Query 1 on Trail j: xj , query i on Trail j: f i−1 (xj )
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:
Based on Pollard’s Rho Algorithm
Keeps feeding back f ’s outputs to f
Query 1: x , query i: f i−1 (x)
Tries to find cycle
Multiple Trails Attack:
Based loosely on van Oorschot-Wiener’s Parallel Search
Starts feedback queries simultaneously from many points
Query 1 on Trail j: xj , query i on Trail j: f i−1 (xj )
Tries to make two trails merge
Iterated Random Function
Collision Types on f
Iterated Random Function
Collision Types on f
Rho collision
collision point
c
t
x
Iterated Random Function
Collision Types on f
Rho collision
Tail length t
collision point
c
t
x
Iterated Random Function
Collision Types on f
Rho collision
Tail length t
collision point
Cycle length c
c
t
x
Iterated Random Function
Collision Types on f
Rho collision
Tail length t
collision point
Cycle length c
Denoted ρ(t, c)
c
t
x
Iterated Random Function
Collision Types on f
Rho collision
Tail length t
collision point
collision point
Cycle length c
Denoted ρ(t, c)
Lambda collision
c
t
t1
t2
x
x1
x2
Iterated Random Function
Collision Types on f
Rho collision
Tail length t
collision point
collision point
Cycle length c
Denoted ρ(t, c)
Lambda collision
Foot lengths t1
and t2
c
t
t1
t2
x
x1
x2
Iterated Random Function
Collision Types on f
Rho collision
Tail length t
collision point
collision point
Cycle length c
Denoted ρ(t, c)
Lambda collision
Foot lengths t1
and t2
Denoted λ(t1 , t2 )
c
t
t1
t2
x
x1
x2
Iterated Random Function
Collision Probabilities on f
c
t
t1
t2
x
x1
x2
Iterated Random Function
Collision Probabilities on f
Rho collision
c
t
t1
t2
x
x1
x2
Iterated Random Function
Collision Probabilities on f
Rho collision
Feedback attack from
some x
c
t
t1
t2
x
x1
x2
Iterated Random Function
Collision Probabilities on f
Rho collision
Feedback attack from
some x
Pr [ρ(t, c)] ≤
c
t
t1
t2
x
x1
x2
1
N
Iterated Random Function
Collision Probabilities on f
Rho collision
Feedback attack from
some x
c
t
t1
t2
x
x1
x2
Pr [ρ(t, c)] ≤
1
N
Pr [ρ(t, c)] ≤
√
t = Θ( αN)
e −α
N
for
Iterated Random Function
Collision Probabilities on f
Rho collision
Feedback attack from
some x
c
t
t1
t2
Pr [ρ(t, c)] ≤
1
N
Pr [ρ(t, c)] ≤
√
t = Θ( αN)
e −α
N
Lambda collision
x
x1
x2
for
Iterated Random Function
Collision Probabilities on f
Rho collision
Feedback attack from
some x
c
t
t1
t2
Pr [ρ(t, c)] ≤
1
N
Pr [ρ(t, c)] ≤
√
t = Θ( αN)
e −α
N
for
Lambda collision
x
x1
x2
Two-trail attack from
some x1 and x2
Iterated Random Function
Collision Probabilities on f
Rho collision
Feedback attack from
some x
c
t
t1
t2
Pr [ρ(t, c)] ≤
1
N
Pr [ρ(t, c)] ≤
√
t = Θ( αN)
e −α
N
for
Lambda collision
x
x1
x2
Two-trail attack from
some x1 and x2
Pr [λ(t1 , t2 )] ≤
1
N
Iterated Random Function
Collision Attack on f r
Same two approaches:
Iterated Random Function
Collision Attack on f r
Same two approaches:
Feedback Attack:
Iterated Random Function
Collision Attack on f r
Same two approaches:
Feedback Attack:
Keeps feeding back f r ’s outputs to f r
Iterated Random Function
Collision Attack on f r
Same two approaches:
Feedback Attack:
Keeps feeding back f r ’s outputs to f r
Query 1: x , query i: (f r )i−1 (x)
Iterated Random Function
Collision Attack on f r
Same two approaches:
Feedback Attack:
Keeps feeding back f r ’s outputs to f r
Query 1: x , query i: (f r )i−1 (x)
Tries to find cycle
Iterated Random Function
Collision Attack on f r
Same two approaches:
Feedback Attack:
Keeps feeding back f r ’s outputs to f r
Query 1: x , query i: (f r )i−1 (x)
Tries to find cycle
Multiple Trails Attack:
Iterated Random Function
Collision Attack on f r
Same two approaches:
Feedback Attack:
Keeps feeding back f r ’s outputs to f r
Query 1: x , query i: (f r )i−1 (x)
Tries to find cycle
Multiple Trails Attack:
Starts feedback queries simultaneously from many points
Iterated Random Function
Collision Attack on f r
Same two approaches:
Feedback Attack:
Keeps feeding back f r ’s outputs to f r
Query 1: x , query i: (f r )i−1 (x)
Tries to find cycle
Multiple Trails Attack:
Starts feedback queries simultaneously from many points
Query 1 on Trail j: xj , query i on Trail j: (f r )i−1 (xj )
Iterated Random Function
Collision Attack on f r
Same two approaches:
Feedback Attack:
Keeps feeding back f r ’s outputs to f r
Query 1: x , query i: (f r )i−1 (x)
Tries to find cycle
Multiple Trails Attack:
Starts feedback queries simultaneously from many points
Query 1 on Trail j: xj , query i on Trail j: (f r )i−1 (xj )
Tries to make two trails merge
Iterated Random Function
Collision Types on f r
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
collision point
c
t
x
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
collision point
Direct ρ collision:
c
t
x
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
collision point
Direct ρ collision:
f -collision in phase with r
c
t
x
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
collision point
Direct ρ collision:
f -collision in phase with r
t = t + c mod r
c
t
x
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
collision point
Direct ρ collision:
f -collision in phase with r
t = t + c mod r
Delayed ρ collision:
c
t
x
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
collision point
Direct ρ collision:
f -collision in phase with r
t = t + c mod r
Delayed ρ collision:
c
t
f -collision out of phase
x
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
collision point
Direct ρ collision:
f -collision in phase with r
t = t + c mod r
Delayed ρ collision:
f -collision out of phase
move around cycle η times in
all to adjust phase
c
t
x
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
collision point
Direct ρ collision:
f -collision in phase with r
t = t + c mod r
Delayed ρ collision:
f -collision out of phase
move around cycle η times in
all to adjust phase
η = r /gcd(c, r )
c
t
x
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
collision point
Direct ρ collision:
f -collision in phase with r
t = t + c mod r
Delayed ρ collision:
f -collision out of phase
move around cycle η times in
all to adjust phase
η = r /gcd(c, r )
t = t + cη mod r
c
t
x
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
second collision point
c
∆t
t1
t2
x1
x2
first
collision
point
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
second collision point
Direct λ collision:
c
∆t
t1
t2
x1
x2
first
collision
point
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
second collision point
Direct λ collision:
f -collision in phase with r
c
∆t
t1
t2
x1
x2
first
collision
point
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
second collision point
Direct λ collision:
f -collision in phase with r
t1 = t2 mod r
c
∆t
t1
t2
x1
x2
first
collision
point
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
second collision point
Direct λ collision:
f -collision in phase with r
t1 = t2 mod r
c
∆t
Delayed λ collision:
t1
t2
x1
x2
first
collision
point
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
second collision point
Direct λ collision:
f -collision in phase with r
t1 = t2 mod r
c
∆t
Delayed λ collision:
f -collision out of phase
t1
t2
x1
x2
first
collision
point
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
second collision point
Direct λ collision:
f -collision in phase with r
t1 = t2 mod r
c
∆t
Delayed λ collision:
f -collision out of phase
find ρ collision on merged walk
t1
t2
x1
x2
first
collision
point
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
second collision point
Direct λ collision:
f -collision in phase with r
t1 = t2 mod r
c
∆t
Delayed λ collision:
f -collision out of phase
find ρ collision on merged walk
move around cycle η times in
all to adjust phase
t1
t2
x1
x2
first
collision
point
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
second collision point
Direct λ collision:
f -collision in phase with r
t1 = t2 mod r
c
∆t
Delayed λ collision:
f -collision out of phase
find ρ collision on merged walk
move around cycle η times in
all to adjust phase
t1 = t2 + cη mod r
t1
t2
x1
x2
first
collision
point
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
second collision point
Direct λ collision:
f -collision in phase with r
t1 = t2 mod r
c
∆t
Delayed λ collision:
f -collision out of phase
find ρ collision on merged walk
move around cycle η times in
all to adjust phase
t1 = t2 + cη mod r
also called λρ collision or ρ0
collision
t1
t2
x1
x2
first
collision
point
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
second collision point
Direct λ collision:
f -collision in phase with r
t1 = t2 mod r
c
∆t
Delayed λ collision:
f -collision out of phase
find ρ collision on merged walk
move around cycle η times in
all to adjust phase
t1 = t2 + cη mod r
also called λρ collision or ρ0
collision
Needs 2 f-collisions
t1
t2
x1
x2
first
collision
point
Iterated Random Function
Collision Probabilities on f r
Iterated Random Function
Collision Probabilities on f r
Rho collision:
Iterated Random Function
Collision Probabilities on f r
Rho collision:
q-query feedback attack from some point x
Iterated Random Function
Collision Probabilities on f r
Rho collision:
q-query feedback attack from some point x
collision probability cpρ [q]
Iterated Random Function
Collision Probabilities on f r
Rho collision:
q-query feedback attack from some point x
collision probability cpρ [q]
2 cpρ [q] = O qNr
Iterated Random Function
Collision Probabilities on f r
Rho collision:
q-query feedback attack from some point x
collision probability cpρ [q]
2 cpρ [q] = O qNr
Lambda collision:
Iterated Random Function
Collision Probabilities on f r
Rho collision:
q-query feedback attack from some point x
collision probability cpρ [q]
2 cpρ [q] = O qNr
Lambda collision:
(q1 , q2 )-query two-trail attack from some points x1 , x2
Iterated Random Function
Collision Probabilities on f r
Rho collision:
q-query feedback attack from some point x
collision probability cpρ [q]
2 cpρ [q] = O qNr
Lambda collision:
(q1 , q2 )-query two-trail attack from some points x1 , x2
collision probability cpλ [q1 , q2 ]
Iterated Random Function
Collision Probabilities on f r
Rho collision:
q-query feedback attack from some point x
collision probability cpρ [q]
2 cpρ [q] = O qNr
Lambda collision:
(q1 , q2 )-query two-trail attack from some points x1 , x2
collision probability cpλ [q1 , q2 ]
(log r )3
cpλ [q1 , q2 ] = O q1 q2 r N
Iterated Random Function
Collision Probabilities on f r
A general attack strategy, covering all adversaries:
Iterated Random Function
Collision Probabilities on f r
A general attack strategy, covering all adversaries:
m trails from m distinct starting points x1 , . . . , xm
Iterated Random Function
Collision Probabilities on f r
A general attack strategy, covering all adversaries:
m trails from m distinct starting points x1 , . . . , xm
P
Trail lengths q1 , . . . , qm with i qi = q
Iterated Random Function
Collision Probabilities on f r
A general attack strategy, covering all adversaries:
m trails from m distinct starting points x1 , . . . , xm
P
Trail lengths q1 , . . . , qm with i qi = q
Tries to find either a ρ collision or a two-trail λ collision
Iterated Random Function
Collision Probabilities on f r
A general attack strategy, covering all adversaries:
m trails from m distinct starting points x1 , . . . , xm
P
Trail lengths q1 , . . . , qm with i qi = q
Tries to find either a ρ collision or a two-trail λ collision
Collision probability cp[q]
Iterated Random Function
Collision Probabilities on f r
A general attack strategy, covering all adversaries:
m trails from m distinct starting points x1 , . . . , xm
P
Trail lengths q1 , . . . , qm with i qi = q
Tries to find either a ρ collision or a two-trail λ collision
Collision probability cp[q]
cp[q] = O
q 2 r (log r )3
N
Iterated Random Function
PRF Security Result
Iterated Random Function
PRF Security Result
A any prf adversary
Iterated Random Function
PRF Security Result
A any prf adversary
2
3
r ] = O q r (log r )
Advprf
[f
A
N
Iterated Random Function
PRF Security Result
A any prf adversary
2
3
r ] = O q r (log r )
Advprf
[f
A
N
Proof uses Patarin’s Coefficient H Technique
Iterated Random Function
PRF Security Result
A any prf adversary
2
3
r ] = O q r (log r )
Advprf
[f
A
N
Proof uses Patarin’s Coefficient H Technique
(log r )3 can be further improved, almost to log r
Iterated Random Function
PRF Security Result
A any prf adversary
2
3
r ] = O q r (log r )
Advprf
[f
A
N
Proof uses Patarin’s Coefficient H Technique
(log r )3 can be further improved, almost to log r
r ] = O q2 r
Probably possible to show Advprf
[f
A
N
Iterated Random Function
Sketch of Proof
Iterated Random Function
Sketch of Proof
Parallel Graph: union of non-intersecting paths
Iterated Random Function
Sketch of Proof
Parallel Graph: union of non-intersecting paths
Query transcript τ has multiple trails
Iterated Random Function
Sketch of Proof
Parallel Graph: union of non-intersecting paths
Query transcript τ has multiple trails
Call τ BAD if not parallel graph
Iterated Random Function
Sketch of Proof
Parallel Graph: union of non-intersecting paths
Query transcript τ has multiple trails
Call τ BAD if not parallel graph
BAD is equivalent to collision in general m trail attack (after
reordering queries)
Iterated Random Function
Sketch of Proof
Parallel Graph: union of non-intersecting paths
Query transcript τ has multiple trails
Call τ BAD if not parallel graph
BAD is equivalent to collision in general m trail attack (after
reordering queries)
2
r )3
Pr [BAD] = O q r (log
N
Iterated Random Function
Sketch of Proof
Parallel Graph: union of non-intersecting paths
Query transcript τ has multiple trails
Call τ BAD if not parallel graph
BAD is equivalent to collision in general m trail attack (after
reordering queries)
2
r )3
Pr [BAD] = O q r (log
N
Internal states equally probable for isomorphic good
transcripts
Iterated Random Function
Sketch of Proof
Parallel Graph: union of non-intersecting paths
Query transcript τ has multiple trails
Call τ BAD if not parallel graph
BAD is equivalent to collision in general m trail attack (after
reordering queries)
2
r )3
Pr [BAD] = O q r (log
N
Internal states equally probable for isomorphic good
transcripts
Plug internal blocks into the good transcript τ
Iterated Random Function
Lower Bound on Collision Probability
Iterated Random Function
Lower Bound on Collision Probability
General m trail attack is the best known attack
Iterated Random Function
Lower Bound on Collision Probability
General m trail attack is the best known attack
cp[q] is best known success probability
Iterated Random Function
Lower Bound on Collision Probability
General m trail attack is the best known attack
cp[q] is best known success probability
Inclusion-Exclusion Principle gives lower bound
Iterated Random Function
Lower Bound on Collision Probability
General m trail attack is the best known attack
cp[q] is best known success probability
Inclusion-Exclusion Principle gives lower bound
2 cp[q] = Ω qNr
Iterated Random Function
Lower Bound on Collision Probability
General m trail attack is the best known attack
cp[q] is best known success probability
Inclusion-Exclusion Principle gives lower bound
2 cp[q] = Ω qNr
Security bound tight up to a factor of (log r )3
Iterated Random Function
Lower Bound on Collision Probability
x := (x1 , x2 , . . . , xq ), xi are distinct blocks from {0, 1}n .
Let collf (xi ;Sxj ) denote the event f (`) (xi ) = f (`) (xj ) and
collf (x) := xi ,xj ∈x collf (xi ; xj ).
Iterated Random Function
Lower Bound on Collision Probability
colli,j
}|
{
Xz
Pr collf (x) ≥
Pr[collf (xi ; xj )]
f
i<j
f
colli,j,k
}|
{
X z
Pr[collf (xi ; xj ) ∩ collf (xj ; xk )]
−3
i<j<k
f
colli,j,k,m
1
−
2
X
i<j,k<m
{i,j}∩{k,m}=∅
z
}|
{
Pr[collf (xi ; xj ) ∩ collf (xk ; xm )]
f
Iterated Random Function
Upper Bound on colli,j,k
Pr[Case 1] ≤
2`2
N2
colli,j,k ≤
Pr[Case 2] ≤
2`2 6`6
+ 3.
N2
N
6`6
N3
Iterated Random Function
Upper Bound on colli,j,k,m
Pr[Case 1] ≤
`2
N2
Pr[Case 2] ≤
6`3
N3
Pr[Case 3] ≤
2`5
N3
Iterated Random Function
Upper Bound on colli,j,k,m
Pr[Case 4] ≤
24`8
N4
colli,j,k,m ≤
Pr[Case 5] ≤
`2
6`3 + 2`5 28`8
+
+ 4 .
N2
N3
N
4`8
.
N4
Iterated Random Function
Lower Bound on colli,j
Let cycle be the event that at least one of the walks
(corresponding to xi and xj ) has a cycle.
colli,j|¬cycle =
`
N
colli,j
Pr[cycle] ≤
`
2`2 ≥
1−
.
N
N
2`2
N .
Iterated Random Function
Main Result on Lower Bound
Lower Bound Theorem
Let x := (x1 , . . . , xq ) ∈ {0, 1}n
For `, q ≥ 3,
q2 `
N
q
be a q tuple of distinct inputs.
1
N
< 1 and ` < min( 5184
, 4N√23 ,
Pr[collf (x)] ≥
1
N3
√
),
3
36
we have
q2`
.
12N
Example
Collision for N = 264 . Hence taking q =
we get δ = 0.499.
√
64
64
20 · 2 3 , ` = 0.1 × 2 3 ,
Iterated Random Function
Future Research and Conclusion
Removing log r factor.
Iterated Random Function
Future Research and Conclusion
Removing log r factor.
The attack requires some lower bound on q. Can we prove
some lower bound for all attacks?
Iterated Random Function
Future Research and Conclusion
Removing log r factor.
The attack requires some lower bound on q. Can we prove
some lower bound for all attacks?
Almost tight bound (up to a log r factor).
Iterated Random Function
Future Research and Conclusion
Removing log r factor.
The attack requires some lower bound on q. Can we prove
some lower bound for all attacks?
Almost tight bound (up to a log r factor).
THANK YOU
Iterated Random Function
Conclusion

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz