Iterated Random Function
The Iterated Random Function Problem
ASK 2016, Nagoya, Japan
Mridul Nandi, Indian Statistical Institute, Kolkata
28 September 2016
Joint work with Ritam Bhaumik, Nilanjan Datta, Avijit Dutta, Ashwin Jha, Avradip

Outline of the Talk
Iterated random function
Known vs. our approach
Types of collision for (iterated) random function
Collision probabilities and PRF analysis

The Iterated Random Permutations Problem
Fix a positive integer $r$ and a random permutation $f$.
Minaud and Seurin (CRYPTO 2015) studied the PRP security of $f^r = f \circ \cdots \circ f$ ($r$ times)
$O(rq/2^n)$ PRP advantage
Lower bound on the PRP advantage: sometimes $\Theta(q/2^n)$
Scope for improvement

The Iterated Random Function Problem
We ask the same question for a random function $f$
We show $\Theta(rq^2/2^n)$ PRF advantage
We show an attack with advantage about $rq^2/2^n$, provided $q \ge 2^{n/3}$
We show the upper bound using the Coefficients H Technique

Known Approach: Full Collision Probability
Used for the improved bound on CBC by Bellare, Pietrzak and Rogaway (CRYPTO 2005)
$O(rq^2/2^n)$ PRF advantage for CBC of length $r$
Collision between a final input (there are $q$ of them) and the other $rq$ inputs
On average, $1/2^n$ collision probability for a pair
Unfortunately this is not true for the iterated random function: the collision probability for a pair can be $O(rq/2^n)$

Our Approach: Upper Bound
Allow all collisions on $f$ that do not lead to a collision on $f^r$
Look at the possible function graphs of $f$ and $f^r$
Bound the probabilities of the different types of collision
Use the Coefficients H Technique to upper bound the advantage

Our Approach: Lower Bound
We show a lower bound
Vary the first block and keep all remaining blocks the same
For a pair, collision probability about $r/2^n$
Use the inclusion-exclusion principle to lower bound the advantage
So the bound is tight up to a small power of $\log r$

Function Graphs
View the function as a directed graph
$y = f(x)$ is represented by an edge from $x$ to $y$
Loops allowed, no multiple edges (every node has out-degree exactly one)
Trails move together once merged
All trails eventually lead to cycles

Collision Attack on f
Two main approaches:
Feedback attack:
  Based on Pollard's rho algorithm
  Keeps feeding $f$'s outputs back into $f$
  Query 1: $x$; query $i$: $f^{i-1}(x)$
  Tries to find a cycle
Multiple-trails attack:
  Based loosely on van Oorschot and Wiener's parallel collision search
  Starts feedback queries simultaneously from many points
  Query 1 on trail $j$: $x_j$; query $i$ on trail $j$: $f^{i-1}(x_j)$
  Tries to make two trails merge

Collision Types on f
Rho collision
  Tail length $t$
  Cycle length $c$
  Denoted $\rho(t, c)$
Lambda collision
  Foot lengths $t_1$ and $t_2$
  Denoted $\lambda(t_1, t_2)$
[Figure: a rho collision, the walk from $x$ with tail $t$ reaching the collision point and then a cycle of length $c$; a lambda collision, the walks from $x_1$ and $x_2$ with feet $t_1$ and $t_2$ meeting at the collision point]

Collision Probabilities on f
Rho collision
  Feedback attack from some $x$
  $\Pr[\rho(t, c)] \le \dfrac{1}{N}$ (where $N = 2^n$ is the size of the domain)
  $\Pr[\rho(t, c)] \le \dfrac{e^{-\alpha}}{N}$ for $t = \Theta(\sqrt{\alpha N})$
Lambda collision
  Two-trail attack from some $x_1$ and $x_2$
  $\Pr[\lambda(t_1, t_2)] \le \dfrac{1}{N}$

Collision Attack on f^r
Same two approaches:
Feedback attack:
  Keeps feeding $f^r$'s outputs back into $f^r$
  Query 1: $x$; query $i$: $(f^r)^{i-1}(x)$
  Tries to find a cycle
Multiple-trails attack:
  Starts feedback queries simultaneously from many points
  Query 1 on trail $j$: $x_j$; query $i$ on trail $j$: $(f^r)^{i-1}(x_j)$
  Tries to make two trails merge

Collision Types on f^r
Can be reduced to collisions on $f$
Rho collision:
  Direct $\rho$ collision:
    $f$-collision in phase with $r$: $t \equiv t + c \pmod r$
  Delayed $\rho$ collision:
    $f$-collision out of phase
    Move around the cycle $\eta$ times in all to adjust the phase, $\eta = r/\gcd(c, r)$
    $t \equiv t + c\eta \pmod r$
[Figure: the rho collision on $f$ from $x$, with tail $t$, cycle $c$ and the collision point]

Collision Types on f^r
Can be reduced to collisions on $f$
Lambda collision:
  Direct $\lambda$ collision:
    $f$-collision in phase with $r$: $t_1 \equiv t_2 \pmod r$
  Delayed $\lambda$ collision:
    $f$-collision out of phase
    Find a $\rho$ collision on the merged walk
    Move around the cycle $\eta$ times in all to adjust the phase
    $t_1 \equiv t_2 + c\eta \pmod r$
    Also called a $\lambda\rho$ collision or $\rho'$ collision
    Needs two $f$-collisions
[Figure: the walks from $x_1$ and $x_2$ with feet $t_1$, $t_2$ meeting at the first collision point, then after $\Delta t$ further steps a second collision point closing a cycle of length $c$]
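The feedback and multiple-trails attacks on $f$ (the "Collision Attack on f" and "Collision Types on f" slides) and the reduction of a $\rho$ collision on $f^r$ to the $\rho(t, c)$ collision on $f$ with $\eta = r/\gcd(c, r)$ (the slides just above), as one added Python example; this is not code from the slides or the paper. It represents the random function as a lookup table on a small domain (a list `f` with `f[x]` the image of `x`), and the function names `rho_walk`, `lambda_collision`, `iterate_table`, `iterate_rho` and `check_prediction` are this example's own. Beyond the slides, `iterate_rho` states the full $\rho$ of the $f^r$ walk (tail $\lceil t/r \rceil$, cycle $c/\gcd(c, r)$) and `check_prediction` verifies it by brute force against a random table.

```python
"""Rho/lambda collisions on a small random function f and on its iterate f^r.

Added example, not code from the ASK 2016 slides or the paper. The "random
function" is just a table: f[x] is the image of x on {0, ..., N-1}, N = len(f).
"""
from math import gcd
import random


def rho_walk(f, x):
    """Feedback (Pollard-rho style) walk from x: query x, f(x), f^2(x), ...

    Returns (t, c): t is the tail length (steps from x to the first point that
    is visited twice, the collision point) and c is the cycle length. Every
    walk on a function graph ends in a cycle, so this stops after at most
    len(f) evaluations.
    """
    first_seen = {x: 0}
    cur, step = x, 0
    while True:
        cur = f[cur]
        step += 1
        if cur in first_seen:           # trail closed: rho(t, c) found
            t = first_seen[cur]
            return t, step - t
        first_seen[cur] = step


def lambda_collision(f, x1, x2):
    """Two-trail attack: advance the trails from x1 and x2 in lockstep.

    Returns the foot lengths (t1, t2) to the first point shared by the two
    trails, or None when each trail closes its own cycle without meeting the
    other (no lambda collision exists for this pair of start points).
    """
    if x1 == x2:
        return 0, 0
    seen1, seen2 = {x1: 0}, {x2: 0}
    cur1, cur2, step = x1, x2, 0
    cycled1 = cycled2 = False
    while not (cycled1 and cycled2):
        step += 1
        cur1, cur2 = f[cur1], f[cur2]
        cycled1 |= cur1 in seen1
        cycled2 |= cur2 in seen2
        seen1.setdefault(cur1, step)    # keep the first index of each point
        seen2.setdefault(cur2, step)
        for p in (cur1, cur2):          # did either trail hit the other one?
            if p in seen1 and p in seen2:
                return seen1[p], seen2[p]
    return None


def iterate_table(f, r):
    """Table of f^r = f o ... o f (r times)."""
    fr = list(range(len(f)))            # f^0 is the identity
    for _ in range(r):
        fr = [f[y] for y in fr]
    return fr


def iterate_rho(t, c, r):
    """Rho of the f^r walk, predicted from the f-rho (t, c) without querying.

    The f^r walk visits f^{ri}(x); it lands on f's cycle at index ceil(t/r) and
    then steps around that cycle with stride r, so it closes after c/gcd(c, r)
    of its own steps, i.e. after going eta = r/gcd(c, r) times around f's
    cycle. eta == 1 is the slides' direct rho collision (r divides c, the
    f-collision is in phase with r); eta > 1 is the delayed one.
    Returns (tail, cycle, eta) for the f^r walk.
    """
    g = gcd(c, r)
    return -(-t // r), c // g, r // g


def check_prediction(n, r, seed=0):
    """On a constructed random table of size 2^n, check for every start point
    that the feedback attack run directly on f^r finds exactly the (tail, cycle)
    that iterate_rho predicts from the rho found on f."""
    rng = random.Random(seed)
    N = 1 << n
    f = [rng.randrange(N) for _ in range(N)]   # constructed random function
    fr = iterate_table(f, r)
    return all(rho_walk(fr, x) == iterate_rho(*rho_walk(f, x), r)[:2]
               for x in range(N))


if __name__ == "__main__":
    F = [1, 2, 3, 1, 5, 6, 3, 7]                # constructed toy function on {0..7}
    print(rho_walk(F, 0), lambda_collision(F, 0, 4), iterate_rho(1, 3, 2))
    print(check_prediction(10, 6))
```

On the toy table the walk from 0 is $0 \to 1 \to 2 \to 3 \to 1$, a $\rho(1, 3)$; under $f^2$ the same start gives $\rho(1, 3)$ with $\eta = 2$ (delayed), while under $f^3$ it gives $\rho(1, 1)$ with $\eta = 1$ (direct, since $3 \mid c$).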

Collision Probabilities on f^r
Rho collision:
  $q$-query feedback attack from some point $x$
  Collision probability $\mathrm{cp}_\rho[q]$
  $\mathrm{cp}_\rho[q] = O\!\left(\dfrac{q^2 r}{N}\right)$
Lambda collision:
  $(q_1, q_2)$-query two-trail attack from some points $x_1, x_2$
  Collision probability $\mathrm{cp}_\lambda[q_1, q_2]$
  $\mathrm{cp}_\lambda[q_1, q_2] = O\!\left(\dfrac{q_1 q_2 r (\log r)^3}{N}\right)$

Collision Probabilities on f^r
A general attack strategy, covering all adversaries:
  $m$ trails from $m$ distinct starting points $x_1, \ldots, x_m$
  Trail lengths $q_1, \ldots, q_m$ with $\sum_i q_i = q$
  Tries to find either a $\rho$ collision or a two-trail $\lambda$ collision
  Collision probability $\mathrm{cp}[q]$
  $\mathrm{cp}[q] = O\!\left(\dfrac{q^2 r (\log r)^3}{N}\right)$

PRF Security Result
For any PRF adversary $A$,
  $\mathbf{Adv}^{\mathrm{prf}}_{A}[f^r] = O\!\left(\dfrac{q^2 r (\log r)^3}{N}\right)$
Proof uses Patarin's Coefficients H Technique
$(\log r)^3$ can be further improved, almost to $\log r$
Probably possible to show $\mathbf{Adv}^{\mathrm{prf}}_{A}[f^r] = O\!\left(\dfrac{q^2 r}{N}\right)$

Sketch of Proof
Parallel graph: union of non-intersecting paths
Query transcript $\tau$ has multiple trails
Call $\tau$ BAD if it is not a parallel graph
BAD is equivalent to a collision in the general $m$-trail attack (after reordering queries)
$\Pr[\mathrm{BAD}] = O\!\left(\dfrac{q^2 r (\log r)^3}{N}\right)$
Internal states are equally probable for isomorphic good transcripts
Plug the internal blocks into the good transcript $\tau$

Lower Bound on Collision Probability
The general $m$-trail attack is the best known attack
$\mathrm{cp}[q]$ is the best known success probability
The inclusion-exclusion principle gives a lower bound
$\mathrm{cp}[q] = \Omega\!\left(\dfrac{q^2 r}{N}\right)$
Security bound tight up to a factor of $(\log r)^3$

Lower Bound on Collision Probability
$\mathbf{x} := (x_1, x_2, \ldots, x_q)$, where the $x_i$ are distinct blocks from $\{0,1\}^n$. Let $\mathrm{coll}_f(x_i; x_j)$ denote the event $f^{(\ell)}(x_i) = f^{(\ell)}(x_j)$ (on these slides $\ell$ is the number of iterations, written $r$ above) and $\mathrm{coll}_f(\mathbf{x}) := \bigcup_{x_i, x_j \in \mathbf{x}} \mathrm{coll}_f(x_i; x_j)$.

Lower Bound on Collision Probability
$$
\Pr_f\big[\mathrm{coll}_f(\mathbf{x})\big] \;\ge\;
\sum_{i<j} \underbrace{\Pr_f\big[\mathrm{coll}_f(x_i; x_j)\big]}_{\mathrm{coll}_{i,j}}
\;-\; 3 \sum_{i<j<k} \underbrace{\Pr_f\big[\mathrm{coll}_f(x_i; x_j) \cap \mathrm{coll}_f(x_j; x_k)\big]}_{\mathrm{coll}_{i,j,k}}
\;-\; \frac{1}{2} \sum_{\substack{i<j,\; k<m \\ \{i,j\} \cap \{k,m\} = \emptyset}} \underbrace{\Pr_f\big[\mathrm{coll}_f(x_i; x_j) \cap \mathrm{coll}_f(x_k; x_m)\big]}_{\mathrm{coll}_{i,j,k,m}}
$$
(Second-order Bonferroni inequality: the probability of the union is at least the sum of the pair probabilities minus the joint probabilities of all unordered pairs of distinct pair-events. Two pair-events sharing one index are determined by three indices $i<j<k$ and can share it in three ways, hence the factor 3; the sum over disjoint index pairs counts each unordered pair twice, hence the factor $1/2$.)

Upper Bound on $\mathrm{coll}_{i,j,k}$
$\Pr[\text{Case 1}] \le \dfrac{2\ell^2}{N^2}$, $\Pr[\text{Case 2}] \le \dfrac{6\ell^6}{N^3}$, hence
$$\mathrm{coll}_{i,j,k} \le \frac{2\ell^2}{N^2} + \frac{6\ell^6}{N^3}.$$

Upper Bound on $\mathrm{coll}_{i,j,k,m}$
$\Pr[\text{Case 1}] \le \dfrac{\ell^2}{N^2}$, $\Pr[\text{Case 2}] \le \dfrac{6\ell^3}{N^3}$, $\Pr[\text{Case 3}] \le \dfrac{2\ell^5}{N^3}$, $\Pr[\text{Case 4}] \le \dfrac{24\ell^8}{N^4}$, $\Pr[\text{Case 5}] \le \dfrac{4\ell^8}{N^4}$, hence
$$\mathrm{coll}_{i,j,k,m} \le \frac{\ell^2}{N^2} + \frac{6\ell^3 + 2\ell^5}{N^3} + \frac{28\ell^8}{N^4}.$$

Lower Bound on $\mathrm{coll}_{i,j}$
Let cycle be the event that at least one of the two walks (the $\ell$-step walks from $x_i$ and from $x_j$) has a cycle.
$$\mathrm{coll}_{i,j} \mid \neg\mathrm{cycle} = \frac{\ell}{N}, \qquad \Pr[\mathrm{cycle}] \le \frac{2\ell^2}{N},$$
so
$$\mathrm{coll}_{i,j} \ge \frac{\ell}{N}\left(1 - \frac{2\ell^2}{N}\right).$$

Main Result on Lower Bound
Lower Bound Theorem. Let $\mathbf{x} := (x_1, \ldots, x_q) \in (\{0,1\}^n)^q$ be a $q$-tuple of distinct inputs. For $\ell, q \ge 3$, $\dfrac{q^2 \ell}{N} < 1$ and $\ell < \min\!\left(\dfrac{N}{5184},\ \dfrac{N^{1/2}}{4\sqrt{3}},\ \dfrac{N^{1/3}}{3\sqrt{36}}\right)$, we have
$$\Pr[\mathrm{coll}_f(\mathbf{x})] \ge \frac{q^2 \ell}{12N}.$$
Example. Collision for $N = 2^{64}$: taking $q = \sqrt{20} \cdot 2^{64/3}$ and $\ell = 0.1 \times 2^{64/3}$, we get $\delta = 0.499$.
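A Monte Carlo check of the two ingredients of the lower bound above (a pair of distinct inputs collides under $f^\ell$ with probability about $\ell/N$ rather than the $1/N$ of a random function, and $\Pr[\mathrm{coll}_f(\mathbf{x})]$ for $q$ inputs sits above the theorem's $q^2\ell/(12N)$), together with the PRF advantage of the resulting collision distinguisher, as an added Python example that is not code from the slides or the paper. The random function is lazily sampled, the function names `lazy_iterate`, `coll_prob`, `theorem_bound` and `prf_advantage` are this example's own, and the parameters in `__main__` are chosen here (small enough to run in seconds, inside the theorem's side conditions), not taken from the slides.

```python
"""Monte Carlo check of the lower bound on collision probability for f^ell.

Added example, not code from the ASK 2016 slides or the paper. The random
function on {0, ..., N-1}, N = 2^n, is lazily sampled: an input gets a fresh
uniform output the first time it is queried and the same output afterwards,
which is exactly the random-function oracle the adversary sees.
"""
import random


def lazy_iterate(table, x, ell, rng, N):
    """f^ell(x) for the lazily sampled random function stored in `table`."""
    for _ in range(ell):
        y = table.get(x)
        if y is None:                     # fresh input: sample its output now
            y = rng.randrange(N)
            table[x] = y
        x = y
    return x


def coll_prob(n, q, ell, trials, seed=0):
    """Estimate Pr_f[coll_f(x)] = Pr[exists i < j : f^ell(x_i) = f^ell(x_j)]
    over `trials` independent random functions, for q distinct inputs x_i
    (q trails of length ell, judged only by their final outputs).
    With ell = 1 this is the plain random-function baseline, 1/N per pair.
    """
    N = 1 << n
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        table = {}                        # a fresh random function per trial
        xs = rng.sample(range(N), q)      # q distinct inputs, constructed at random
        outputs = set()
        for x in xs:
            y = lazy_iterate(table, x, ell, rng, N)
            if y in outputs:
                hits += 1
                break
            outputs.add(y)
    return hits / trials


def theorem_bound(n, q, ell):
    """q^2 ell / (12 N), the slide's lower bound on Pr[coll_f(x)]; valid only
    under its side conditions (q, ell >= 3, q^2 ell / N < 1 and ell small
    compared with N^(1/3))."""
    return q * q * ell / (12 * (1 << n))


def prf_advantage(n, q, ell, trials, seed=0):
    """Advantage of the collision distinguisher against f^ell: it asks q
    distinct inputs and answers "f^ell" iff two outputs collide. f^1 is itself
    a uniformly random function, so coll_prob with ell = 1 is the ideal-world
    collision probability.
    """
    return (coll_prob(n, q, ell, trials, seed)
            - coll_prob(n, q, 1, trials, seed + 1))


if __name__ == "__main__":
    # Pair collision: about ell/N under f^ell versus 1/N under f itself.
    print(coll_prob(12, 2, 8, 100_000), 8 / 4096)
    print(coll_prob(12, 2, 1, 100_000), 1 / 4096)
    # q inputs: the estimate must sit above the theorem's q^2 ell / (12 N).
    print(coll_prob(20, 256, 4, 2000), theorem_bound(20, 256, 4))
    print(prf_advantage(20, 256, 4, 2000))
```

The pair estimate is the practitioner's version of "for a pair, collision probability about $r/2^n$": every one of the $\ell$ steps of the two walks is a fresh chance of an in-phase merge, and a merge persists to the final output. The $q$-input run uses $N = 2^{20}$, $\ell = 4$, $q = 256$, which satisfies $q^2\ell/N = 1/4 < 1$ and the other side conditions, so the estimate must exceed $q^2\ell/(12N) \approx 0.021$; the observed probability is several times that, as the bound is not claimed to be sharp in its constant.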

Future Research and Conclusion
Removing the $\log r$ factor.
The attack requires some lower bound on $q$. Can we prove a lower bound for all attacks?
Almost tight bound (up to a $\log r$ factor).
THANK YOU