The Iterated Random Function Problem ASK 2016, Nagoya, Japan Mridul - PowerPoint PPT Presentation
Iterated Random Function
The Iterated Random Function Problem
ASK 2016, Nagoya, Japan
Mridul Nandi, Indian Statistical Institute, Kolkata
28 September 2016
Joint work with Ritam Bhaumik, Nilanjan Datta, Avijit Dutta, Ashwin Jha, Avradip

Collision Attack on f
Two main approaches:
- Feedback Attack: based on Pollard's Rho Algorithm
  - Keeps feeding back f's outputs to f
  - Query 1: $x$, query $i$: $f^{i-1}(x)$
  - Tries to find cycle
- Multiple Trails Attack: based loosely on van Oorschot-Wiener's Parallel Search
  - Starts feedback queries simultaneously from many points
  - Query 1 on Trail $j$: $x_j$, query $i$ on Trail $j$: $f^{i-1}(x_j)$
  - Tries to make two trails merge

Collision Types on f
- Rho collision
  - Tail length $t$
  - Cycle length $c$
  - Denoted $\rho(t, c)$
- Lambda collision
  - Foot lengths $t_1$ and $t_2$
  - Denoted $\lambda(t_1, t_2)$
[Figure: rho walk from x (tail t, cycle c, collision point); lambda walks from x1 and x2 (feet t1, t2, collision point)]

Collision Probabilities on f
- Rho collision
  - Feedback attack from some $x$
  - $\Pr[\rho(t, c)] \le \frac{1}{N}$
  - $\Pr[\rho(t, c)] \le e^{-\alpha}$ for $t = \Theta(\sqrt{\alpha N})$
- Lambda collision
  - Two-trail attack from some $x_1$ and $x_2$
  - $\Pr[\lambda(t_1, t_2)] \le \frac{1}{N}$
[Figure: rho walk from x (tail t, cycle c); lambda walks from x1 and x2 (feet t1, t2)]

Collision Attack on $f^r$
Same two approaches:
- Feedback Attack:
  - Keeps feeding back $f^r$'s outputs to $f^r$
  - Query 1: $x$, query $i$: $(f^r)^{i-1}(x)$
  - Tries to find cycle
- Multiple Trails Attack:
  - Starts feedback queries simultaneously from many points
  - Query 1 on Trail $j$: $x_j$, query $i$ on Trail $j$: $(f^r)^{i-1}(x_j)$
  - Tries to make two trails merge

Collision Types on $f^r$
Can be reduced to collisions on f
Rho collision:
- Direct ρ collision: f-collision in phase with r
  - $t = t + c \pmod{r}$
- Delayed ρ collision: f-collision out of phase
  - move around cycle η times in all to adjust phase
  - $\eta = r / \gcd(c, r)$
  - $t = t + c\eta \pmod{r}$
[Figure: rho walk from x with tail t, cycle c and the collision point]
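
The rho reduction above, as an added example that is not part of the original presentation: it measures $\rho(t, c)$ on a toy table-based f, predicts the shape of the $f^r$ feedback walk from it, and compares that with a direct walk on $f^r$. All function names are hypothetical, the lookup-table f is constructed, reading "in phase" as r dividing c follows the slide's congruence, and the tail and cycle formulas (ceil(t/r) and c/gcd(c, r)) are derived here rather than stated on the slide.

```python
import math
import random

def random_function(n, seed):
    """Constructed toy stand-in for a random f on {0, ..., n-1} (lookup table)."""
    rng = random.Random(seed)
    return [rng.randrange(n) for _ in range(n)].__getitem__

def iterate(f, r):
    """Return f^r, i.e. f applied r times."""
    def fr(x):
        for _ in range(r):
            x = f(x)
        return x
    return fr

def rho_shape(g, x):
    """Feedback walk x, g(x), g(g(x)), ...: return (tail length, cycle length)."""
    first_seen, i = {}, 0
    while x not in first_seen:
        first_seen[x] = i
        x, i = g(x), i + 1
    t = first_seen[x]
    return t, i - t

def reduce_to_f(t, c, r):
    """Predict the f^r walk from rho(t, c) on f, using eta = r / gcd(c, r)."""
    eta = r // math.gcd(c, r)
    return {
        "kind": "direct" if c % r == 0 else "delayed",  # in phase iff r | c
        "eta": eta,              # laps of the f-cycle before the phases align
        "tail": -(-t // r),      # ceil(t / r) queries before reaching the cycle
        "cycle": c * eta // r,   # = c / gcd(c, r) queries per f^r cycle
    }

def compare(n=1 << 12, r=6, seed=2016, x=0):
    """Return ((t, c) on f, prediction for f^r, shape measured on f^r)."""
    f = random_function(n, seed)
    t, c = rho_shape(f, x)
    return (t, c), reduce_to_f(t, c, r), rho_shape(iterate(f, r), x)

if __name__ == "__main__":
    for r in (1, 2, 3, 6, 8):
        print(r, *compare(r=r))
```
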

Collision Types on $f^r$
Can be reduced to collisions on f
Lambda collision:
- Direct λ collision: f-collision in phase with r
  - $t_1 = t_2 \pmod{r}$
- Delayed λ collision: f-collision out of phase
  - find ρ collision on merged walk
  - move around cycle η times in all to adjust phase
  - $t_1 = t_2 + c\eta \pmod{r}$
  - also called λρ collision or ρ′ collision
  - Needs 2 f-collisions
[Figure: lambda walks from x1 and x2 (feet t1, t2) merging at the first collision point, followed by a cycle of length c with the second collision point; Δt labelled]

Collision Probabilities on $f^r$
Rho collision:
- q-query feedback attack from some point $x$
- collision probability $\mathrm{cp}_\rho[q]$
- $\mathrm{cp}_\rho[q] = O\left(\frac{q^2 r}{N}\right)$
Lambda collision:
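
A Monte Carlo look at the rho bound $\mathrm{cp}_\rho[q] = O(q^2 r / N)$, as an added example that is not part of the original presentation: it lazily samples a random f, runs the q-query feedback walk on $f^r$ from a fixed point, and estimates how often the walk collides as r grows. Function names, the parameters N = 2^12 and q = 16, the start point 0 and the seeds are all constructed for the illustration.

```python
import random

def fr_walk_collides(n, r, q, rng):
    """One trial: lazily sample f on {0, ..., n-1}, make q feedback queries
    to f^r starting from x = 0, and report whether a visited point repeats."""
    f = {}
    def step(x):
        if x not in f:               # sample f(x) on first use only
            f[x] = rng.randrange(n)
        return f[x]
    x, seen = 0, {0}
    for _ in range(q):
        for _ in range(r):           # one f^r query costs r evaluations of f
            x = step(x)
        if x in seen:
            return True
        seen.add(x)
    return False

def estimate_cp_rho(n, r, q, trials=2000, seed=2016):
    """Fraction of trials in which the q-query f^r feedback walk collides.
    Trial i uses the same seed for every r, so the underlying f-walk is shared."""
    hits = sum(fr_walk_collides(n, r, q, random.Random(seed * 1_000_003 + i))
               for i in range(trials))
    return hits / trials

def table(n=1 << 12, q=16, rs=(1, 2, 4, 8)):
    """Rows of (r, estimated collision probability, q^2 * r / N)."""
    return [(r, estimate_cp_rho(n, r, q), q * q * r / n) for r in rs]

if __name__ == "__main__":
    for r, est, scale in table():
        print(f"r={r:2d}  estimate={est:.4f}  q^2*r/N={scale:.4f}")
```

Because every trial reuses the same seed across values of r, any walk that collides for r = 1 also collides for larger r, so the estimates can only grow with r.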