the iterated random function problemmridul nandi indian statistical institute, kolkata 28 september...
TRANSCRIPT
-
Iterated Random Function
The Iterated Random Function ProblemASK 2016, Nagoya, Japan
Mridul Nandi
Indian Statistical Institute, Kolkata
28 September 2016Joint work with Ritam Bhaumik, Nilanjan Datta, Avijit Dutta,
Ashwin Jha, Avradip Mandal, Nicky Mouha.
-
Iterated Random Function
Outline of the Talk
Iterated random function
Known vs. Our Approach
Types of Collision for (iterated) random function
Collision Probabilties and PRF analysis
-
Iterated Random Function
Outline of the Talk
Iterated random function
Known vs. Our Approach
Types of Collision for (iterated) random function
Collision Probabilties and PRF analysis
-
Iterated Random Function
Outline of the Talk
Iterated random function
Known vs. Our Approach
Types of Collision for (iterated) random function
Collision Probabilties and PRF analysis
-
Iterated Random Function
Outline of the Talk
Iterated random function
Known vs. Our Approach
Types of Collision for (iterated) random function
Collision Probabilties and PRF analysis
-
Iterated Random Function
The Iterated Random Permutations Problem
Fix a positive integer r , and a random permutation f .
Minaud and Seurin in crypto 2015 studied PRP off r = f ◦ · · · ◦ f (r times)
O(rq/2n) PRP advantage
Lower bound of PRP advantage sometimes Θ(q/2n)
Scope of improvement
-
Iterated Random Function
The Iterated Random Permutations Problem
Fix a positive integer r , and a random permutation f .
Minaud and Seurin in crypto 2015 studied PRP off r = f ◦ · · · ◦ f (r times)
O(rq/2n) PRP advantage
Lower bound of PRP advantage sometimes Θ(q/2n)
Scope of improvement
-
Iterated Random Function
The Iterated Random Permutations Problem
Fix a positive integer r , and a random permutation f .
Minaud and Seurin in crypto 2015 studied PRP off r = f ◦ · · · ◦ f (r times)
O(rq/2n) PRP advantage
Lower bound of PRP advantage sometimes Θ(q/2n)
Scope of improvement
-
Iterated Random Function
The Iterated Random Permutations Problem
Fix a positive integer r , and a random permutation f .
Minaud and Seurin in crypto 2015 studied PRP off r = f ◦ · · · ◦ f (r times)
O(rq/2n) PRP advantage
Lower bound of PRP advantage sometimes Θ(q/2n)
Scope of improvement
-
Iterated Random Function
The Iterated Random Permutations Problem
Fix a positive integer r , and a random permutation f .
Minaud and Seurin in crypto 2015 studied PRP off r = f ◦ · · · ◦ f (r times)
O(rq/2n) PRP advantage
Lower bound of PRP advantage sometimes Θ(q/2n)
Scope of improvement
-
Iterated Random Function
The Iterated Random Permutations Problem
Fix a positive integer r , and a random permutation f .
Minaud and Seurin in crypto 2015 studied PRP off r = f ◦ · · · ◦ f (r times)
O(rq/2n) PRP advantage
Lower bound of PRP advantage sometimes Θ(q/2n)
Scope of improvement
-
Iterated Random Function
The Iterated Random Function Problem
We ask same problem for random function
We show Θ(rq2/2n) PRF advantage
We show an attack with advantage about rq2/2n providedq ≥ 2n/3
We show upper bound using Coefficients H Technique
-
Iterated Random Function
The Iterated Random Function Problem
We ask same problem for random function
We show Θ(rq2/2n) PRF advantage
We show an attack with advantage about rq2/2n providedq ≥ 2n/3
We show upper bound using Coefficients H Technique
-
Iterated Random Function
The Iterated Random Function Problem
We ask same problem for random function
We show Θ(rq2/2n) PRF advantage
We show an attack with advantage about rq2/2n providedq ≥ 2n/3
We show upper bound using Coefficients H Technique
-
Iterated Random Function
The Iterated Random Function Problem
We ask same problem for random function
We show Θ(rq2/2n) PRF advantage
We show an attack with advantage about rq2/2n providedq ≥ 2n/3
We show upper bound using Coefficients H Technique
-
Iterated Random Function
Known Approach: Full Collision Probability
Used for analyzing Improved bound of CBC by Bellare,Pietrzak and Rogaway in crypto 2005
O(rq2/2n) PRF advantage for CBC of length r
Collision between a final input (q such) and other rq inputs
On the average 1/2n collision probability for a pair
Unfortunately this is not true for random function (collisionprobability for a pair can be O(rq/2n))
-
Iterated Random Function
Known Approach: Full Collision Probability
Used for analyzing Improved bound of CBC by Bellare,Pietrzak and Rogaway in crypto 2005
O(rq2/2n) PRF advantage for CBC of length r
Collision between a final input (q such) and other rq inputs
On the average 1/2n collision probability for a pair
Unfortunately this is not true for random function (collisionprobability for a pair can be O(rq/2n))
-
Iterated Random Function
Known Approach: Full Collision Probability
Used for analyzing Improved bound of CBC by Bellare,Pietrzak and Rogaway in crypto 2005
O(rq2/2n) PRF advantage for CBC of length r
Collision between a final input (q such) and other rq inputs
On the average 1/2n collision probability for a pair
Unfortunately this is not true for random function (collisionprobability for a pair can be O(rq/2n))
-
Iterated Random Function
Known Approach: Full Collision Probability
Used for analyzing Improved bound of CBC by Bellare,Pietrzak and Rogaway in crypto 2005
O(rq2/2n) PRF advantage for CBC of length r
Collision between a final input (q such) and other rq inputs
On the average 1/2n collision probability for a pair
Unfortunately this is not true for random function (collisionprobability for a pair can be O(rq/2n))
-
Iterated Random Function
Known Approach: Full Collision Probability
Used for analyzing Improved bound of CBC by Bellare,Pietrzak and Rogaway in crypto 2005
O(rq2/2n) PRF advantage for CBC of length r
Collision between a final input (q such) and other rq inputs
On the average 1/2n collision probability for a pair
Unfortunately this is not true for random function (collisionprobability for a pair can be O(rq/2n))
-
Iterated Random Function
Our Approach : Upper Bound
Allow all collisions on f that do not lead to collision on f r
Look at possible function graphs of f and f r
Bound probabilities of different types of collisions
Use Coefficient H Technique to upper bound advantage
-
Iterated Random Function
Our Approach : Upper Bound
Allow all collisions on f that do not lead to collision on f r
Look at possible function graphs of f and f r
Bound probabilities of different types of collisions
Use Coefficient H Technique to upper bound advantage
-
Iterated Random Function
Our Approach : Upper Bound
Allow all collisions on f that do not lead to collision on f r
Look at possible function graphs of f and f r
Bound probabilities of different types of collisions
Use Coefficient H Technique to upper bound advantage
-
Iterated Random Function
Our Approach : Upper Bound
Allow all collisions on f that do not lead to collision on f r
Look at possible function graphs of f and f r
Bound probabilities of different types of collisions
Use Coefficient H Technique to upper bound advantage
-
Iterated Random Function
Our Approach : Upper Bound
Allow all collisions on f that do not lead to collision on f r
Look at possible function graphs of f and f r
Bound probabilities of different types of collisions
Use Coefficient H Technique to upper bound advantage
-
Iterated Random Function
Our Approach : Lower Bound
We show lower bound
Vary first block and rest all blocks are same
For a pair collision probability about r/2n
Use Inclusion Exclusion Principle to lower bound advantage
So it is tight up to a small power of log r
-
Iterated Random Function
Our Approach : Lower Bound
We show lower bound
Vary first block and rest all blocks are same
For a pair collision probability about r/2n
Use Inclusion Exclusion Principle to lower bound advantage
So it is tight up to a small power of log r
-
Iterated Random Function
Our Approach : Lower Bound
We show lower bound
Vary first block and rest all blocks are same
For a pair collision probability about r/2n
Use Inclusion Exclusion Principle to lower bound advantage
So it is tight up to a small power of log r
-
Iterated Random Function
Our Approach : Lower Bound
We show lower bound
Vary first block and rest all blocks are same
For a pair collision probability about r/2n
Use Inclusion Exclusion Principle to lower bound advantage
So it is tight up to a small power of log r
-
Iterated Random Function
Our Approach : Lower Bound
We show lower bound
Vary first block and rest all blocks are same
For a pair collision probability about r/2n
Use Inclusion Exclusion Principle to lower bound advantage
So it is tight up to a small power of log r
-
Iterated Random Function
Function Graphs
Views function as directed graph
y = f (x) represented by an edge from x to y
Loops allowed, no multiple edges
Trails move together once merged
All trails eventually lead to cycles
-
Iterated Random Function
Function Graphs
Views function as directed graph
y = f (x) represented by an edge from x to y
Loops allowed, no multiple edges
Trails move together once merged
All trails eventually lead to cycles
-
Iterated Random Function
Function Graphs
Views function as directed graph
y = f (x) represented by an edge from x to y
Loops allowed, no multiple edges
Trails move together once merged
All trails eventually lead to cycles
-
Iterated Random Function
Function Graphs
Views function as directed graph
y = f (x) represented by an edge from x to y
Loops allowed, no multiple edges
Trails move together once merged
All trails eventually lead to cycles
-
Iterated Random Function
Function Graphs
Views function as directed graph
y = f (x) represented by an edge from x to y
Loops allowed, no multiple edges
Trails move together once merged
All trails eventually lead to cycles
-
Iterated Random Function
Function Graphs
Views function as directed graph
y = f (x) represented by an edge from x to y
Loops allowed, no multiple edges
Trails move together once merged
All trails eventually lead to cycles
-
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:
Based on Pollard’s Rho AlgorithmKeeps feeding back f ’s outputs to f
Query 1: x , query i : f i−1(x)
Tries to find cycle
Multiple Trails Attack:
Based loosely on van Oorschot-Wiener’s Parallel SearchStarts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : fi−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:
Based on Pollard’s Rho AlgorithmKeeps feeding back f ’s outputs to f
Query 1: x , query i : f i−1(x)
Tries to find cycle
Multiple Trails Attack:
Based loosely on van Oorschot-Wiener’s Parallel SearchStarts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : fi−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:Based on Pollard’s Rho Algorithm
Keeps feeding back f ’s outputs to f
Query 1: x , query i : f i−1(x)
Tries to find cycle
Multiple Trails Attack:
Based loosely on van Oorschot-Wiener’s Parallel SearchStarts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : fi−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:Based on Pollard’s Rho AlgorithmKeeps feeding back f ’s outputs to f
Query 1: x , query i : f i−1(x)
Tries to find cycle
Multiple Trails Attack:
Based loosely on van Oorschot-Wiener’s Parallel SearchStarts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : fi−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:Based on Pollard’s Rho AlgorithmKeeps feeding back f ’s outputs to f
Query 1: x , query i : f i−1(x)
Tries to find cycle
Multiple Trails Attack:
Based loosely on van Oorschot-Wiener’s Parallel SearchStarts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : fi−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:Based on Pollard’s Rho AlgorithmKeeps feeding back f ’s outputs to f
Query 1: x , query i : f i−1(x)
Tries to find cycle
Multiple Trails Attack:
Based loosely on van Oorschot-Wiener’s Parallel SearchStarts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : fi−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:Based on Pollard’s Rho AlgorithmKeeps feeding back f ’s outputs to f
Query 1: x , query i : f i−1(x)
Tries to find cycle
Multiple Trails Attack:
Based loosely on van Oorschot-Wiener’s Parallel SearchStarts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : fi−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:Based on Pollard’s Rho AlgorithmKeeps feeding back f ’s outputs to f
Query 1: x , query i : f i−1(x)
Tries to find cycle
Multiple Trails Attack:Based loosely on van Oorschot-Wiener’s Parallel Search
Starts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : fi−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:Based on Pollard’s Rho AlgorithmKeeps feeding back f ’s outputs to f
Query 1: x , query i : f i−1(x)
Tries to find cycle
Multiple Trails Attack:Based loosely on van Oorschot-Wiener’s Parallel SearchStarts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : fi−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:Based on Pollard’s Rho AlgorithmKeeps feeding back f ’s outputs to f
Query 1: x , query i : f i−1(x)
Tries to find cycle
Multiple Trails Attack:Based loosely on van Oorschot-Wiener’s Parallel SearchStarts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : fi−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Attack on f
Two main approaches:
Feedback Attack:Based on Pollard’s Rho AlgorithmKeeps feeding back f ’s outputs to f
Query 1: x , query i : f i−1(x)
Tries to find cycle
Multiple Trails Attack:Based loosely on van Oorschot-Wiener’s Parallel SearchStarts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : fi−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Types on f
Rho collision
Tail length t
Cycle length c
Denoted ρ(t, c)
Lambda collision
Foot lengths t1and t2
Denoted λ(t1, t2)
t
c
x
collision point
t1 t2
x1 x2
collision point
-
Iterated Random Function
Collision Types on f
Rho collision
Tail length t
Cycle length c
Denoted ρ(t, c)
Lambda collision
Foot lengths t1and t2
Denoted λ(t1, t2)
t
c
x
collision point
t1 t2
x1 x2
collision point
-
Iterated Random Function
Collision Types on f
Rho collision
Tail length t
Cycle length c
Denoted ρ(t, c)
Lambda collision
Foot lengths t1and t2
Denoted λ(t1, t2)
t
c
x
collision point
t1 t2
x1 x2
collision point
-
Iterated Random Function
Collision Types on f
Rho collision
Tail length t
Cycle length c
Denoted ρ(t, c)
Lambda collision
Foot lengths t1and t2
Denoted λ(t1, t2)
t
c
x
collision point
t1 t2
x1 x2
collision point
-
Iterated Random Function
Collision Types on f
Rho collision
Tail length t
Cycle length c
Denoted ρ(t, c)
Lambda collision
Foot lengths t1and t2
Denoted λ(t1, t2)
t
c
x
collision point
t1 t2
x1 x2
collision point
-
Iterated Random Function
Collision Types on f
Rho collision
Tail length t
Cycle length c
Denoted ρ(t, c)
Lambda collision
Foot lengths t1and t2
Denoted λ(t1, t2)
t
c
x
collision point
t1 t2
x1 x2
collision point
-
Iterated Random Function
Collision Types on f
Rho collision
Tail length t
Cycle length c
Denoted ρ(t, c)
Lambda collision
Foot lengths t1and t2
Denoted λ(t1, t2)
t
c
x
collision point
t1 t2
x1 x2
collision point
-
Iterated Random Function
Collision Types on f
Rho collision
Tail length t
Cycle length c
Denoted ρ(t, c)
Lambda collision
Foot lengths t1and t2
Denoted λ(t1, t2)
t
c
x
collision point
t1 t2
x1 x2
collision point
-
Iterated Random Function
Collision Probabilities on f
t
c
x
t1 t2
x1 x2
Rho collision
Feedback attack fromsome x
Pr [ρ(t, c)] ≤ 1N
Pr [ρ(t, c)] ≤ e−α
N for
t = Θ(√αN)
Lambda collision
Two-trail attack fromsome x1 and x2
Pr [λ(t1, t2)] ≤ 1N
-
Iterated Random Function
Collision Probabilities on f
t
c
x
t1 t2
x1 x2
Rho collision
Feedback attack fromsome x
Pr [ρ(t, c)] ≤ 1N
Pr [ρ(t, c)] ≤ e−α
N for
t = Θ(√αN)
Lambda collision
Two-trail attack fromsome x1 and x2
Pr [λ(t1, t2)] ≤ 1N
-
Iterated Random Function
Collision Probabilities on f
t
c
x
t1 t2
x1 x2
Rho collision
Feedback attack fromsome x
Pr [ρ(t, c)] ≤ 1N
Pr [ρ(t, c)] ≤ e−α
N for
t = Θ(√αN)
Lambda collision
Two-trail attack fromsome x1 and x2
Pr [λ(t1, t2)] ≤ 1N
-
Iterated Random Function
Collision Probabilities on f
t
c
x
t1 t2
x1 x2
Rho collision
Feedback attack fromsome x
Pr [ρ(t, c)] ≤ 1N
Pr [ρ(t, c)] ≤ e−α
N for
t = Θ(√αN)
Lambda collision
Two-trail attack fromsome x1 and x2
Pr [λ(t1, t2)] ≤ 1N
-
Iterated Random Function
Collision Probabilities on f
t
c
x
t1 t2
x1 x2
Rho collision
Feedback attack fromsome x
Pr [ρ(t, c)] ≤ 1N
Pr [ρ(t, c)] ≤ e−α
N for
t = Θ(√αN)
Lambda collision
Two-trail attack fromsome x1 and x2
Pr [λ(t1, t2)] ≤ 1N
-
Iterated Random Function
Collision Probabilities on f
t
c
x
t1 t2
x1 x2
Rho collision
Feedback attack fromsome x
Pr [ρ(t, c)] ≤ 1N
Pr [ρ(t, c)] ≤ e−α
N for
t = Θ(√αN)
Lambda collision
Two-trail attack fromsome x1 and x2
Pr [λ(t1, t2)] ≤ 1N
-
Iterated Random Function
Collision Probabilities on f
t
c
x
t1 t2
x1 x2
Rho collision
Feedback attack fromsome x
Pr [ρ(t, c)] ≤ 1N
Pr [ρ(t, c)] ≤ e−α
N for
t = Θ(√αN)
Lambda collision
Two-trail attack fromsome x1 and x2
Pr [λ(t1, t2)] ≤ 1N
-
Iterated Random Function
Collision Probabilities on f
t
c
x
t1 t2
x1 x2
Rho collision
Feedback attack fromsome x
Pr [ρ(t, c)] ≤ 1N
Pr [ρ(t, c)] ≤ e−α
N for
t = Θ(√αN)
Lambda collision
Two-trail attack fromsome x1 and x2
Pr [λ(t1, t2)] ≤ 1N
-
Iterated Random Function
Collision Attack on f r
Same two approaches:
Feedback Attack:
Keeps feeding back f r ’s outputs to f r
Query 1: x , query i : (f r )i−1(x)
Tries to find cycle
Multiple Trails Attack:
Starts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : (fr )i−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Attack on f r
Same two approaches:
Feedback Attack:
Keeps feeding back f r ’s outputs to f r
Query 1: x , query i : (f r )i−1(x)
Tries to find cycle
Multiple Trails Attack:
Starts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : (fr )i−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Attack on f r
Same two approaches:
Feedback Attack:Keeps feeding back f r ’s outputs to f r
Query 1: x , query i : (f r )i−1(x)
Tries to find cycle
Multiple Trails Attack:
Starts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : (fr )i−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Attack on f r
Same two approaches:
Feedback Attack:Keeps feeding back f r ’s outputs to f r
Query 1: x , query i : (f r )i−1(x)
Tries to find cycle
Multiple Trails Attack:
Starts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : (fr )i−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Attack on f r
Same two approaches:
Feedback Attack:Keeps feeding back f r ’s outputs to f r
Query 1: x , query i : (f r )i−1(x)
Tries to find cycle
Multiple Trails Attack:
Starts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : (fr )i−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Attack on f r
Same two approaches:
Feedback Attack:Keeps feeding back f r ’s outputs to f r
Query 1: x , query i : (f r )i−1(x)
Tries to find cycle
Multiple Trails Attack:
Starts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : (fr )i−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Attack on f r
Same two approaches:
Feedback Attack:Keeps feeding back f r ’s outputs to f r
Query 1: x , query i : (f r )i−1(x)
Tries to find cycle
Multiple Trails Attack:Starts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : (fr )i−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Attack on f r
Same two approaches:
Feedback Attack:Keeps feeding back f r ’s outputs to f r
Query 1: x , query i : (f r )i−1(x)
Tries to find cycle
Multiple Trails Attack:Starts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : (fr )i−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Attack on f r
Same two approaches:
Feedback Attack:Keeps feeding back f r ’s outputs to f r
Query 1: x , query i : (f r )i−1(x)
Tries to find cycle
Multiple Trails Attack:Starts feedback queries simultaneously from many points
Query 1 on Trail j : xj , query i on Trail j : (fr )i−1(xj)
Tries to make two trails merge
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
Direct ρ collision:
f -collision in phase with rt = t + c mod r
Delayed ρ collision:
f -collision out of phasemove around cycle η times inall to adjust phaseη = r/gcd(c, r)t = t + cη mod r
t
c
x
collision point
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
Direct ρ collision:
f -collision in phase with rt = t + c mod r
Delayed ρ collision:
f -collision out of phasemove around cycle η times inall to adjust phaseη = r/gcd(c, r)t = t + cη mod r
t
c
x
collision point
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
Direct ρ collision:
f -collision in phase with rt = t + c mod r
Delayed ρ collision:
f -collision out of phasemove around cycle η times inall to adjust phaseη = r/gcd(c, r)t = t + cη mod r
t
c
x
collision point
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
Direct ρ collision:
f -collision in phase with rt = t + c mod r
Delayed ρ collision:
f -collision out of phasemove around cycle η times inall to adjust phaseη = r/gcd(c, r)t = t + cη mod r
t
c
x
collision point
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
Direct ρ collision:
f -collision in phase with r
t = t + c mod r
Delayed ρ collision:
f -collision out of phasemove around cycle η times inall to adjust phaseη = r/gcd(c, r)t = t + cη mod r
t
c
x
collision point
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
Direct ρ collision:
f -collision in phase with rt = t + c mod r
Delayed ρ collision:
f -collision out of phasemove around cycle η times inall to adjust phaseη = r/gcd(c, r)t = t + cη mod r
t
c
x
collision point
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
Direct ρ collision:
f -collision in phase with rt = t + c mod r
Delayed ρ collision:
f -collision out of phasemove around cycle η times inall to adjust phaseη = r/gcd(c, r)t = t + cη mod r
t
c
x
collision point
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
Direct ρ collision:
f -collision in phase with rt = t + c mod r
Delayed ρ collision:
f -collision out of phase
move around cycle η times inall to adjust phaseη = r/gcd(c, r)t = t + cη mod r
t
c
x
collision point
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
Direct ρ collision:
f -collision in phase with rt = t + c mod r
Delayed ρ collision:
f -collision out of phasemove around cycle η times inall to adjust phase
η = r/gcd(c, r)t = t + cη mod r
t
c
x
collision point
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
Direct ρ collision:
f -collision in phase with rt = t + c mod r
Delayed ρ collision:
f -collision out of phasemove around cycle η times inall to adjust phaseη = r/gcd(c, r)
t = t + cη mod r
t
c
x
collision point
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Rho collision:
Direct ρ collision:
f -collision in phase with rt = t + c mod r
Delayed ρ collision:
f -collision out of phasemove around cycle η times inall to adjust phaseη = r/gcd(c, r)t = t + cη mod r
t
c
x
collision point
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
Direct λ collision:
f -collision in phase with rt1 = t2 mod r
Delayed λ collision:
f -collision out of phasefind ρ collision on merged walkmove around cycle η times inall to adjust phaset1 = t2 + cη mod ralso called λρ collision or ρ′
collisionNeeds 2 f-collisions
∆tc
second collision point
t1 t2
x1 x2
firstcollisionpoint
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
Direct λ collision:
f -collision in phase with rt1 = t2 mod r
Delayed λ collision:
f -collision out of phasefind ρ collision on merged walkmove around cycle η times inall to adjust phaset1 = t2 + cη mod ralso called λρ collision or ρ′
collisionNeeds 2 f-collisions
∆tc
second collision point
t1 t2
x1 x2
firstcollisionpoint
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
Direct λ collision:
f -collision in phase with r
t1 = t2 mod r
Delayed λ collision:
f -collision out of phasefind ρ collision on merged walkmove around cycle η times inall to adjust phaset1 = t2 + cη mod ralso called λρ collision or ρ′
collisionNeeds 2 f-collisions
∆tc
second collision point
t1 t2
x1 x2
firstcollisionpoint
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
Direct λ collision:
f -collision in phase with rt1 = t2 mod r
Delayed λ collision:
f -collision out of phasefind ρ collision on merged walkmove around cycle η times inall to adjust phaset1 = t2 + cη mod ralso called λρ collision or ρ′
collisionNeeds 2 f-collisions
∆tc
second collision point
t1 t2
x1 x2
firstcollisionpoint
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
Direct λ collision:
f -collision in phase with rt1 = t2 mod r
Delayed λ collision:
f -collision out of phasefind ρ collision on merged walkmove around cycle η times inall to adjust phaset1 = t2 + cη mod ralso called λρ collision or ρ′
collisionNeeds 2 f-collisions
∆tc
second collision point
t1 t2
x1 x2
firstcollisionpoint
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
Direct λ collision:
f -collision in phase with rt1 = t2 mod r
Delayed λ collision:
f -collision out of phase
find ρ collision on merged walkmove around cycle η times inall to adjust phaset1 = t2 + cη mod ralso called λρ collision or ρ′
collisionNeeds 2 f-collisions
∆tc
second collision point
t1 t2
x1 x2
firstcollisionpoint
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
Direct λ collision:
f -collision in phase with rt1 = t2 mod r
Delayed λ collision:
f -collision out of phasefind ρ collision on merged walk
move around cycle η times inall to adjust phaset1 = t2 + cη mod ralso called λρ collision or ρ′
collisionNeeds 2 f-collisions
∆tc
second collision point
t1 t2
x1 x2
firstcollisionpoint
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
Direct λ collision:
f -collision in phase with rt1 = t2 mod r
Delayed λ collision:
f -collision out of phasefind ρ collision on merged walkmove around cycle η times inall to adjust phase
t1 = t2 + cη mod ralso called λρ collision or ρ′
collisionNeeds 2 f-collisions
∆tc
second collision point
t1 t2
x1 x2
firstcollisionpoint
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
Direct λ collision:
f -collision in phase with rt1 = t2 mod r
Delayed λ collision:
f -collision out of phasefind ρ collision on merged walkmove around cycle η times inall to adjust phaset1 = t2 + cη mod r
also called λρ collision or ρ′
collisionNeeds 2 f-collisions
∆tc
second collision point
t1 t2
x1 x2
firstcollisionpoint
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
Direct λ collision:
f -collision in phase with rt1 = t2 mod r
Delayed λ collision:
f -collision out of phasefind ρ collision on merged walkmove around cycle η times inall to adjust phaset1 = t2 + cη mod ralso called λρ collision or ρ′
collision
Needs 2 f-collisions
∆tc
second collision point
t1 t2
x1 x2
firstcollisionpoint
-
Iterated Random Function
Collision Types on f r
Can be reduced to collisions on f
Lambda collision:
Direct λ collision:
f -collision in phase with rt1 = t2 mod r
Delayed λ collision:
f -collision out of phasefind ρ collision on merged walkmove around cycle η times inall to adjust phaset1 = t2 + cη mod ralso called λρ collision or ρ′
collisionNeeds 2 f-collisions
∆tc
second collision point
t1 t2
x1 x2
firstcollisionpoint
-
Iterated Random Function
Collision Probabilities on f r
Rho collision:
q-query feedback attack from some point xcollision probability cpρ[q]
cpρ[q] = O(
q2rN
)
Lambda collision:
(q1, q2)-query two-trail attack from some points x1, x2collision probability cpλ[q1, q2]
cpλ[q1, q2] = O(
q1q2r(log r)3
N
)
-
Iterated Random Function
Collision Probabilities on f r
Rho collision:
q-query feedback attack from some point xcollision probability cpρ[q]
cpρ[q] = O(
q2rN
)Lambda collision:
(q1, q2)-query two-trail attack from some points x1, x2collision probability cpλ[q1, q2]
cpλ[q1, q2] = O(
q1q2r(log r)3
N
)
-
Iterated Random Function
Collision Probabilities on f r
Rho collision:q-query feedback attack from some point x
collision probability cpρ[q]
cpρ[q] = O(
q2rN
)Lambda collision:
(q1, q2)-query two-trail attack from some points x1, x2collision probability cpλ[q1, q2]
cpλ[q1, q2] = O(
q1q2r(log r)3
N
)
-
Iterated Random Function
Collision Probabilities on f r
Rho collision:q-query feedback attack from some point xcollision probability cpρ[q]
cpρ[q] = O(
q2rN
)Lambda collision:
(q1, q2)-query two-trail attack from some points x1, x2collision probability cpλ[q1, q2]
cpλ[q1, q2] = O(
q1q2r(log r)3
N
)
-
Iterated Random Function
Collision Probabilities on f r
Rho collision:q-query feedback attack from some point xcollision probability cpρ[q]
cpρ[q] = O(
q2rN
)
Lambda collision:
(q1, q2)-query two-trail attack from some points x1, x2collision probability cpλ[q1, q2]
cpλ[q1, q2] = O(
q1q2r(log r)3
N
)
-
Iterated Random Function
Collision Probabilities on f r
Rho collision:q-query feedback attack from some point xcollision probability cpρ[q]
cpρ[q] = O(
q2rN
)Lambda collision:
(q1, q2)-query two-trail attack from some points x1, x2collision probability cpλ[q1, q2]
cpλ[q1, q2] = O(
q1q2r(log r)3
N
)
-
Iterated Random Function
Collision Probabilities on f r
Rho collision:q-query feedback attack from some point xcollision probability cpρ[q]
cpρ[q] = O(
q2rN
)Lambda collision:
(q1, q2)-query two-trail attack from some points x1, x2
collision probability cpλ[q1, q2]
cpλ[q1, q2] = O(
q1q2r(log r)3
N
)
-
Iterated Random Function
Collision Probabilities on f r
Rho collision:q-query feedback attack from some point xcollision probability cpρ[q]
cpρ[q] = O(
q2rN
)Lambda collision:
(q1, q2)-query two-trail attack from some points x1, x2collision probability cpλ[q1, q2]
cpλ[q1, q2] = O(
q1q2r(log r)3
N
)
-
Iterated Random Function
Collision Probabilities on f r
Rho collision:q-query feedback attack from some point xcollision probability cpρ[q]
cpρ[q] = O(
q2rN
)Lambda collision:
(q1, q2)-query two-trail attack from some points x1, x2collision probability cpλ[q1, q2]
cpλ[q1, q2] = O(
q1q2r(log r)3
N
)
-
Iterated Random Function
Collision Probabilities on f r
A general attack strategy, covering all adversaries:
m trails from m distinct starting points x1, . . . , xm
Trail lengths q1, . . . , qm with∑
i qi = q
Tries to find either a ρ collision or a two-trail λ collision
Collision probability cp[q]
cp[q] = O(q2r(log r)3
N
)
-
Iterated Random Function
Collision Probabilities on f r
A general attack strategy, covering all adversaries:
m trails from m distinct starting points x1, . . . , xm
Trail lengths q1, . . . , qm with∑
i qi = q
Tries to find either a ρ collision or a two-trail λ collision
Collision probability cp[q]
cp[q] = O(q2r(log r)3
N
)
-
Iterated Random Function
Collision Probabilities on f r
A general attack strategy, covering all adversaries:
m trails from m distinct starting points x1, . . . , xm
Trail lengths q1, . . . , qm with∑
i qi = q
Tries to find either a ρ collision or a two-trail λ collision
Collision probability cp[q]
cp[q] = O(q2r(log r)3
N
)
-
Iterated Random Function
Collision Probabilities on f r
A general attack strategy, covering all adversaries:
m trails from m distinct starting points x1, . . . , xm
Trail lengths q1, . . . , qm with∑
i qi = q
Tries to find either a ρ collision or a two-trail λ collision
Collision probability cp[q]
cp[q] = O(q2r(log r)3
N
)
-
Iterated Random Function
Collision Probabilities on f r
A general attack strategy, covering all adversaries:
m trails from m distinct starting points x1, . . . , xm
Trail lengths q1, . . . , qm with∑
i qi = q
Tries to find either a ρ collision or a two-trail λ collision
Collision probability cp[q]
cp[q] = O(q2r(log r)3
N
)
-
Iterated Random Function
Collision Probabilities on f r
A general attack strategy, covering all adversaries:
m trails from m distinct starting points x1, . . . , xm
Trail lengths q1, . . . , qm with∑
i qi = q
Tries to find either a ρ collision or a two-trail λ collision
Collision probability cp[q]
cp[q] = O(q2r(log r)3
N
)
-
Iterated Random Function
PRF Security Result
A any prf adversary
AdvprfA [fr ] = O
(q2r(log r)3
N
)Proof uses Patarin’s Coefficient H Technique
(log r)3 can be further improved, almost to log r
Probably possible to show AdvprfA [fr ] = O
(q2rN
)
-
Iterated Random Function
PRF Security Result
A any prf adversary
AdvprfA [fr ] = O
(q2r(log r)3
N
)Proof uses Patarin’s Coefficient H Technique
(log r)3 can be further improved, almost to log r
Probably possible to show AdvprfA [fr ] = O
(q2rN
)
-
Iterated Random Function
PRF Security Result
A any prf adversary
AdvprfA [fr ] = O
(q2r(log r)3
N
)
Proof uses Patarin’s Coefficient H Technique
(log r)3 can be further improved, almost to log r
Probably possible to show AdvprfA [fr ] = O
(q2rN
)
-
Iterated Random Function
PRF Security Result
A any prf adversary
AdvprfA [fr ] = O
(q2r(log r)3
N
)Proof uses Patarin’s Coefficient H Technique
(log r)3 can be further improved, almost to log r
Probably possible to show AdvprfA [fr ] = O
(q2rN
)
-
Iterated Random Function
PRF Security Result
A any prf adversary
AdvprfA [fr ] = O
(q2r(log r)3
N
)Proof uses Patarin’s Coefficient H Technique
(log r)3 can be further improved, almost to log r
Probably possible to show AdvprfA [fr ] = O
(q2rN
)
-
Iterated Random Function
PRF Security Result
A any prf adversary
AdvprfA [fr ] = O
(q2r(log r)3
N
)Proof uses Patarin’s Coefficient H Technique
(log r)3 can be further improved, almost to log r
Probably possible to show AdvprfA [fr ] = O
(q2rN
)
-
Iterated Random Function
Sketch of Proof
Parallel Graph: union of non-intersecting paths
Query transcript τ has multiple trails
Call τ BAD if not parallel graph
BAD is equivalent to collision in general m trail attack (afterreordering queries)
Pr [BAD] = O(q2r(log r)3
N
)Internal states equally probable for isomorphic goodtranscripts
Plug internal blocks into the good transcript τ
-
Iterated Random Function
Sketch of Proof
Parallel Graph: union of non-intersecting paths
Query transcript τ has multiple trails
Call τ BAD if not parallel graph
BAD is equivalent to collision in general m trail attack (afterreordering queries)
Pr [BAD] = O(q2r(log r)3
N
)Internal states equally probable for isomorphic goodtranscripts
Plug internal blocks into the good transcript τ
-
Iterated Random Function
Sketch of Proof
Parallel Graph: union of non-intersecting paths
Query transcript τ has multiple trails
Call τ BAD if not parallel graph
BAD is equivalent to collision in general m trail attack (afterreordering queries)
Pr [BAD] = O(q2r(log r)3
N
)Internal states equally probable for isomorphic goodtranscripts
Plug internal blocks into the good transcript τ
-
Iterated Random Function
Sketch of Proof
Parallel Graph: union of non-intersecting paths
Query transcript τ has multiple trails
Call τ BAD if not parallel graph
BAD is equivalent to collision in general m trail attack (afterreordering queries)
Pr [BAD] = O(q2r(log r)3
N
)Internal states equally probable for isomorphic goodtranscripts
Plug internal blocks into the good transcript τ
-
Iterated Random Function
Sketch of Proof
Parallel Graph: union of non-intersecting paths
Query transcript τ has multiple trails
Call τ BAD if not parallel graph
BAD is equivalent to collision in general m trail attack (afterreordering queries)
Pr [BAD] = O(q2r(log r)3
N
)Internal states equally probable for isomorphic goodtranscripts
Plug internal blocks into the good transcript τ
-
Iterated Random Function
Sketch of Proof
Parallel Graph: union of non-intersecting paths
Query transcript τ has multiple trails
Call τ BAD if not parallel graph
BAD is equivalent to collision in general m trail attack (afterreordering queries)
Pr [BAD] = O(q2r(log r)3
N
)
Internal states equally probable for isomorphic goodtranscripts
Plug internal blocks into the good transcript τ
-
Iterated Random Function
Sketch of Proof
Parallel Graph: union of non-intersecting paths
Query transcript τ has multiple trails
Call τ BAD if not parallel graph
BAD is equivalent to collision in general m trail attack (afterreordering queries)
Pr [BAD] = O(q2r(log r)3
N
)Internal states equally probable for isomorphic goodtranscripts
Plug internal blocks into the good transcript τ
-
Iterated Random Function
Sketch of Proof
Parallel Graph: union of non-intersecting paths
Query transcript τ has multiple trails
Call τ BAD if not parallel graph
BAD is equivalent to collision in general m trail attack (afterreordering queries)
Pr [BAD] = O(q2r(log r)3
N
)Internal states equally probable for isomorphic goodtranscripts
Plug internal blocks into the good transcript τ
-
Iterated Random Function
Lower Bound on Collision Probability
General m trail attack is the best known attack
cp[q] is best known success probability
Inclusion-Exclusion Principle gives lower bound
cp[q] = Ω(q2rN
)Security bound tight up to a factor of (log r)3
-
Iterated Random Function
Lower Bound on Collision Probability
General m trail attack is the best known attack
cp[q] is best known success probability
Inclusion-Exclusion Principle gives lower bound
cp[q] = Ω(q2rN
)Security bound tight up to a factor of (log r)3
-
Iterated Random Function
Lower Bound on Collision Probability
General m trail attack is the best known attack
cp[q] is best known success probability
Inclusion-Exclusion Principle gives lower bound
cp[q] = Ω(q2rN
)Security bound tight up to a factor of (log r)3
-
Iterated Random Function
Lower Bound on Collision Probability
General m trail attack is the best known attack
cp[q] is best known success probability
Inclusion-Exclusion Principle gives lower bound
cp[q] = Ω(q2rN
)Security bound tight up to a factor of (log r)3
-
Iterated Random Function
Lower Bound on Collision Probability
General m trail attack is the best known attack
cp[q] is best known success probability
Inclusion-Exclusion Principle gives lower bound
cp[q] = Ω(q2rN
)
Security bound tight up to a factor of (log r)3
-
Iterated Random Function
Lower Bound on Collision Probability
General m trail attack is the best known attack
cp[q] is best known success probability
Inclusion-Exclusion Principle gives lower bound
cp[q] = Ω(q2rN
)Security bound tight up to a factor of (log r)3
-
Iterated Random Function
Lower Bound on Collision Probability
x := (x1, x2, . . . , xq), xi are distinct blocks from {0, 1}n.
Let collf (xi ; xj) denote the event f(`)(xi ) = f
(`)(xj) andcollf (x) :=
⋃xi ,xj∈x collf (xi ; xj).
-
Iterated Random Function
Lower Bound on Collision Probability
Prf
[collf (x)
]≥∑i
-
Iterated Random Function
Upper Bound on colli ,j ,k
Pr[Case 1] ≤ 2`2N2
Pr[Case 2] ≤ 6`6N3
colli ,j ,k ≤2`2
N2+
6`6
N3.
-
Iterated Random Function
Upper Bound on colli ,j ,k ,m
Pr[Case 1] ≤ `2N2
Pr[Case 2] ≤ 6`3N3
Pr[Case 3] ≤ 2`5N3
-
Iterated Random Function
Upper Bound on colli ,j ,k ,m
Pr[Case 4] ≤ 24`8N4
Pr[Case 5] ≤ 4`8N4
.
colli ,j ,k,m ≤`2
N2+
6`3 + 2`5
N3+
28`8
N4.
-
Iterated Random Function
Lower Bound on colli ,j
Let cycle be the event that at least one of the walks(corresponding to xi and xj) has a cycle.
colli ,j |¬cycle =`N Pr[cycle] ≤
2`2
N .
colli ,j ≥`
N
(1− 2`
2
N
).
-
Iterated Random Function
Main Result on Lower Bound
Lower Bound Theorem
Let x := (x1, . . . , xq) ∈({0, 1}n
)qbe a q tuple of distinct inputs.
For `, q ≥ 3, q2`N < 1 and ` < min(
N5184 ,
N12
4√
3, N
13
3√36), we have
Pr[collf (x)] ≥q2`
12N.
Example
Collision for N = 264. Hence taking q =√
20 · 2643 , ` = 0.1× 2
643 ,
we get δ = 0.499.
-
Iterated Random Function
Future Research and Conclusion
Removing log r factor.
The attack requires some lower bound on q. Can we provesome lower bound for all attacks?
Almost tight bound (up to a log r factor).
THANK YOU
-
Iterated Random Function
Future Research and Conclusion
Removing log r factor.
The attack requires some lower bound on q. Can we provesome lower bound for all attacks?
Almost tight bound (up to a log r factor).
THANK YOU
-
Iterated Random Function
Future Research and Conclusion
Removing log r factor.
The attack requires some lower bound on q. Can we provesome lower bound for all attacks?
Almost tight bound (up to a log r factor).
THANK YOU
-
Iterated Random Function
Future Research and Conclusion
Removing log r factor.
The attack requires some lower bound on q. Can we provesome lower bound for all attacks?
Almost tight bound (up to a log r factor).
THANK YOU
-
Iterated Random Function
Conclusion