the iterated random function problemmridul nandi indian statistical institute, kolkata 28 september...

Iterated Random Function

The Iterated Random Function ProblemASK 2016, Nagoya, Japan

Mridul Nandi

Indian Statistical Institute, Kolkata

28 September 2016Joint work with Ritam Bhaumik, Nilanjan Datta, Avijit Dutta,

Ashwin Jha, Avradip Mandal, Nicky Mouha.

Outline of the Talk

Iterated random function

Known vs. Our Approach

Types of Collision for (iterated) random function

Collision Probabilties and PRF analysis

Outline of the Talk

The Iterated Random Permutations Problem

Fix a positive integer r , and a random permutation f .

Minaud and Seurin in crypto 2015 studied PRP off r = f ◦ · · · ◦ f (r times)

O(rq/2n) PRP advantage

Lower bound of PRP advantage sometimes Θ(q/2n)

Scope of improvement

The Iterated Random Function Problem

We ask same problem for random function

We show Θ(rq2/2n) PRF advantage

We show an attack with advantage about rq2/2n providedq ≥ 2n/3

We show upper bound using Coefficients H Technique

Known Approach: Full Collision Probability

Used for analyzing Improved bound of CBC by Bellare,Pietrzak and Rogaway in crypto 2005

O(rq2/2n) PRF advantage for CBC of length r

Collision between a final input (q such) and other rq inputs

On the average 1/2n collision probability for a pair

Unfortunately this is not true for random function (collisionprobability for a pair can be O(rq/2n))

Our Approach : Upper Bound

Allow all collisions on f that do not lead to collision on f r

Look at possible function graphs of f and f r

Bound probabilities of different types of collisions

Use Coefficient H Technique to upper bound advantage

Our Approach : Lower Bound

We show lower bound

Vary first block and rest all blocks are same

For a pair collision probability about r/2n

Use Inclusion Exclusion Principle to lower bound advantage

So it is tight up to a small power of log r

We show lower bound

Function Graphs

Views function as directed graph

y = f (x) represented by an edge from x to y

Loops allowed, no multiple edges

Trails move together once merged

All trails eventually lead to cycles

Function Graphs

Collision Attack on f

Two main approaches:

Feedback Attack:

Based on Pollard’s Rho AlgorithmKeeps feeding back f ’s outputs to f

Query 1: x , query i : f i−1(x)

Tries to find cycle

Multiple Trails Attack:

Based loosely on van Oorschot-Wiener’s Parallel SearchStarts feedback queries simultaneously from many points

Query 1 on Trail j : xj , query i on Trail j : fi−1(xj)

Tries to make two trails merge

Feedback Attack:

Based on Pollard’s Rho AlgorithmKeeps feeding back f ’s outputs to f

Tries to find cycle

Feedback Attack:Based on Pollard’s Rho Algorithm

Keeps feeding back f ’s outputs to f

Tries to find cycle

Feedback Attack:Based on Pollard’s Rho AlgorithmKeeps feeding back f ’s outputs to f

Tries to find cycle

Multiple Trails Attack:Based loosely on van Oorschot-Wiener’s Parallel Search

Starts feedback queries simultaneously from many points

Tries to find cycle

Multiple Trails Attack:Based loosely on van Oorschot-Wiener’s Parallel SearchStarts feedback queries simultaneously from many points

Tries to find cycle

Collision Types on f

Rho collision

Tail length t

Cycle length c

Denoted ρ(t, c)

Lambda collision

Foot lengths t1and t2

Denoted λ(t1, t2)

t

c

x

collision point

t1 t2

x1 x2

collision point

Rho collision

Tail length t

Cycle length c

Denoted ρ(t, c)

Lambda collision

Denoted λ(t1, t2)

t

c

x

collision point

t1 t2

x1 x2

collision point

Rho collision

Tail length t

Cycle length c

Denoted ρ(t, c)

Lambda collision

Denoted λ(t1, t2)

t

c

x

collision point

t1 t2

x1 x2

collision point

Rho collision

Tail length t

Cycle length c

Denoted ρ(t, c)

Lambda collision

Denoted λ(t1, t2)

t

c

x

collision point

t1 t2

x1 x2

collision point

Rho collision

Tail length t

Cycle length c

Denoted ρ(t, c)

Lambda collision

Denoted λ(t1, t2)

t

c

x

collision point

t1 t2

x1 x2

collision point

Rho collision

Tail length t

Cycle length c

Denoted ρ(t, c)

Lambda collision

Denoted λ(t1, t2)

t

c

x

collision point

t1 t2

x1 x2

collision point

Rho collision

Tail length t

Cycle length c

Denoted ρ(t, c)

Lambda collision

Denoted λ(t1, t2)

t

c

x

collision point

t1 t2

x1 x2

collision point

Rho collision

Tail length t

Cycle length c

Denoted ρ(t, c)

Lambda collision

Denoted λ(t1, t2)

t

c

x

collision point

t1 t2

x1 x2

collision point

Collision Probabilities on f

t

c

x

t1 t2

x1 x2

Rho collision

Feedback attack fromsome x

Pr [ρ(t, c)] ≤ 1N

Pr [ρ(t, c)] ≤ e−α

N for

t = Θ(√αN)

Lambda collision

Two-trail attack fromsome x1 and x2

Pr [λ(t1, t2)] ≤ 1N

t

c

x

t1 t2

x1 x2

Rho collision

Pr [ρ(t, c)] ≤ 1N

Pr [ρ(t, c)] ≤ e−α

N for

t = Θ(√αN)

Lambda collision

Pr [λ(t1, t2)] ≤ 1N

t

c

x

t1 t2

x1 x2

Rho collision

Pr [ρ(t, c)] ≤ 1N

Pr [ρ(t, c)] ≤ e−α

N for

t = Θ(√αN)

Lambda collision

Pr [λ(t1, t2)] ≤ 1N

t

c

x

t1 t2

x1 x2

Rho collision

Pr [ρ(t, c)] ≤ 1N

Pr [ρ(t, c)] ≤ e−α

N for

t = Θ(√αN)

Lambda collision

Pr [λ(t1, t2)] ≤ 1N

t

c

x

t1 t2

x1 x2

Rho collision

Pr [ρ(t, c)] ≤ 1N

Pr [ρ(t, c)] ≤ e−α

N for

t = Θ(√αN)

Lambda collision

Pr [λ(t1, t2)] ≤ 1N

t

c

x

t1 t2

x1 x2

Rho collision

Pr [ρ(t, c)] ≤ 1N

Pr [ρ(t, c)] ≤ e−α

N for

t = Θ(√αN)

Lambda collision

Pr [λ(t1, t2)] ≤ 1N

t

c

x

t1 t2

x1 x2

Rho collision

Pr [ρ(t, c)] ≤ 1N

Pr [ρ(t, c)] ≤ e−α

N for

t = Θ(√αN)

Lambda collision

Pr [λ(t1, t2)] ≤ 1N

t

c

x

t1 t2

x1 x2

Rho collision

Pr [ρ(t, c)] ≤ 1N

Pr [ρ(t, c)] ≤ e−α

N for

t = Θ(√αN)

Lambda collision

Pr [λ(t1, t2)] ≤ 1N

Collision Attack on f r

Same two approaches:

Feedback Attack:

Keeps feeding back f r ’s outputs to f r

Query 1: x , query i : (f r )i−1(x)

Tries to find cycle

Query 1 on Trail j : xj , query i on Trail j : (fr )i−1(xj)

Feedback Attack:

Keeps feeding back f r ’s outputs to f r

Tries to find cycle

Feedback Attack:Keeps feeding back f r ’s outputs to f r

Tries to find cycle

Multiple Trails Attack:Starts feedback queries simultaneously from many points

Tries to find cycle

Collision Types on f r

Can be reduced to collisions on f

Rho collision:

Direct ρ collision:

f -collision in phase with rt = t + c mod r

Delayed ρ collision:

f -collision out of phasemove around cycle η times inall to adjust phaseη = r/gcd(c, r)t = t + cη mod r

t

c

x

collision point

Rho collision:

t

c

x

collision point

Rho collision:

t

c

x

collision point

Rho collision:

t

c

x

collision point

Rho collision:

f -collision in phase with r

t = t + c mod r

t

c

x

collision point

Rho collision:

t

c

x

collision point

Rho collision:

t

c

x

collision point

Rho collision:

f -collision out of phase

move around cycle η times inall to adjust phaseη = r/gcd(c, r)t = t + cη mod r

t

c

x

collision point

Rho collision:

f -collision out of phasemove around cycle η times inall to adjust phase

η = r/gcd(c, r)t = t + cη mod r

t

c

x

collision point

Rho collision:

f -collision out of phasemove around cycle η times inall to adjust phaseη = r/gcd(c, r)

t = t + cη mod r

t

c

x

collision point

Rho collision:

t

c

x

collision point

Lambda collision:

Direct λ collision:

f -collision in phase with rt1 = t2 mod r

Delayed λ collision:

f -collision out of phasefind ρ collision on merged walkmove around cycle η times inall to adjust phaset1 = t2 + cη mod ralso called λρ collision or ρ′

collisionNeeds 2 f-collisions

∆tc

second collision point

t1 t2

x1 x2

firstcollisionpoint

Lambda collision:

∆tc

t1 t2

x1 x2

firstcollisionpoint

Lambda collision:

f -collision in phase with r

t1 = t2 mod r

∆tc

t1 t2

x1 x2

firstcollisionpoint

Lambda collision:

∆tc

t1 t2

x1 x2

firstcollisionpoint

Lambda collision:

∆tc

t1 t2

x1 x2

firstcollisionpoint

Lambda collision:

f -collision out of phase

find ρ collision on merged walkmove around cycle η times inall to adjust phaset1 = t2 + cη mod ralso called λρ collision or ρ′

∆tc

t1 t2

x1 x2

firstcollisionpoint

Lambda collision:

f -collision out of phasefind ρ collision on merged walk

move around cycle η times inall to adjust phaset1 = t2 + cη mod ralso called λρ collision or ρ′

∆tc

t1 t2

x1 x2

firstcollisionpoint

Lambda collision:

f -collision out of phasefind ρ collision on merged walkmove around cycle η times inall to adjust phase

t1 = t2 + cη mod ralso called λρ collision or ρ′

∆tc

t1 t2

x1 x2

firstcollisionpoint

Lambda collision:

f -collision out of phasefind ρ collision on merged walkmove around cycle η times inall to adjust phaset1 = t2 + cη mod r

also called λρ collision or ρ′

∆tc

t1 t2

x1 x2

firstcollisionpoint

Lambda collision:

collision

Needs 2 f-collisions

∆tc

t1 t2

x1 x2

firstcollisionpoint

Lambda collision:

∆tc

t1 t2

x1 x2

firstcollisionpoint

Collision Probabilities on f r

Rho collision:

q-query feedback attack from some point xcollision probability cpρ[q]

cpρ[q] = O(

q2rN

)

Lambda collision:

(q1, q2)-query two-trail attack from some points x1, x2collision probability cpλ[q1, q2]

cpλ[q1, q2] = O(

q1q2r(log r)3

N

)

Rho collision:

q-query feedback attack from some point xcollision probability cpρ[q]

cpρ[q] = O(

q2rN

)Lambda collision:

cpλ[q1, q2] = O(

q1q2r(log r)3

N

)

Rho collision:q-query feedback attack from some point x

collision probability cpρ[q]

cpρ[q] = O(

q2rN

)Lambda collision:

cpλ[q1, q2] = O(

q1q2r(log r)3

N

)

Rho collision:q-query feedback attack from some point xcollision probability cpρ[q]

cpρ[q] = O(

q2rN

)Lambda collision:

cpλ[q1, q2] = O(

q1q2r(log r)3

N

)

cpρ[q] = O(

q2rN

)

Lambda collision:

cpλ[q1, q2] = O(

q1q2r(log r)3

N

)

cpρ[q] = O(

q2rN

)Lambda collision:

cpλ[q1, q2] = O(

q1q2r(log r)3

N

)

cpρ[q] = O(

q2rN

)Lambda collision:

(q1, q2)-query two-trail attack from some points x1, x2

collision probability cpλ[q1, q2]

cpλ[q1, q2] = O(

q1q2r(log r)3

N

)

cpρ[q] = O(

q2rN

)Lambda collision:

cpλ[q1, q2] = O(

q1q2r(log r)3

N

)

cpρ[q] = O(

q2rN

)Lambda collision:

cpλ[q1, q2] = O(

q1q2r(log r)3

N

)

A general attack strategy, covering all adversaries:

m trails from m distinct starting points x1, . . . , xm

Trail lengths q1, . . . , qm with∑

i qi = q

Tries to find either a ρ collision or a two-trail λ collision

Collision probability cp[q]

cp[q] = O(q2r(log r)3

N

)

i qi = q

N

)

i qi = q

N

)

i qi = q

N

)

i qi = q

N

)

i qi = q

N

)

PRF Security Result

A any prf adversary

AdvprfA [fr ] = O

(q2r(log r)3

N

)Proof uses Patarin’s Coefficient H Technique

(log r)3 can be further improved, almost to log r

Probably possible to show AdvprfA [fr ] = O

(q2rN

)

PRF Security Result

A any prf adversary

AdvprfA [fr ] = O

(q2r(log r)3

N

(q2rN

)

PRF Security Result

A any prf adversary

AdvprfA [fr ] = O

(q2r(log r)3

N

)

Proof uses Patarin’s Coefficient H Technique

(q2rN

)

PRF Security Result

A any prf adversary

AdvprfA [fr ] = O

(q2r(log r)3

N

(q2rN

)

PRF Security Result

A any prf adversary

AdvprfA [fr ] = O

(q2r(log r)3

N

(q2rN

)

PRF Security Result

A any prf adversary

AdvprfA [fr ] = O

(q2r(log r)3

N

(q2rN

)

Sketch of Proof

Parallel Graph: union of non-intersecting paths

Query transcript τ has multiple trails

Call τ BAD if not parallel graph

BAD is equivalent to collision in general m trail attack (afterreordering queries)

Pr [BAD] = O(q2r(log r)3

N

)Internal states equally probable for isomorphic goodtranscripts

Plug internal blocks into the good transcript τ

Sketch of Proof

N

Sketch of Proof

N

Sketch of Proof

N

Sketch of Proof

N

Sketch of Proof

N

)

Internal states equally probable for isomorphic goodtranscripts

Sketch of Proof

N

Sketch of Proof

N

Lower Bound on Collision Probability

General m trail attack is the best known attack

cp[q] is best known success probability

Inclusion-Exclusion Principle gives lower bound

cp[q] = Ω(q2rN

)Security bound tight up to a factor of (log r)3

cp[q] = Ω(q2rN

)

Security bound tight up to a factor of (log r)3

cp[q] = Ω(q2rN

x := (x1, x2, . . . , xq), xi are distinct blocks from {0, 1}n.

Let collf (xi ; xj) denote the event f(`)(xi ) = f

(`)(xj) andcollf (x) :=

⋃xi ,xj∈x collf (xi ; xj).

Prf

[collf (x)

]≥∑i

Upper Bound on colli ,j ,k

Pr[Case 1] ≤ 2`2N2

Pr[Case 2] ≤ 6`6N3

colli ,j ,k ≤2`2

N2+

6`6

N3.

Upper Bound on colli ,j ,k ,m

Pr[Case 1] ≤ `2N2

Pr[Case 2] ≤ 6`3N3

Pr[Case 3] ≤ 2`5N3

Upper Bound on colli ,j ,k ,m

Pr[Case 4] ≤ 24`8N4

Pr[Case 5] ≤ 4`8N4

.

colli ,j ,k,m ≤`2

N2+

6`3 + 2`5

N3+

28`8

N4.

Lower Bound on colli ,j

Let cycle be the event that at least one of the walks(corresponding to xi and xj) has a cycle.

colli ,j |¬cycle =`N Pr[cycle] ≤

2`2

N .

colli ,j ≥`

N

(1− 2`

2

N

).

Main Result on Lower Bound

Lower Bound Theorem

Let x := (x1, . . . , xq) ∈({0, 1}n

)qbe a q tuple of distinct inputs.

For `, q ≥ 3, q2`N < 1 and ` < min(

N5184 ,

N12

4√

3, N

13

3√36), we have

Pr[collf (x)] ≥q2`

12N.

Example

Collision for N = 264. Hence taking q =√

20 · 2643 , ` = 0.1× 2

643 ,

we get δ = 0.499.

Future Research and Conclusion

Removing log r factor.

The attack requires some lower bound on q. Can we provesome lower bound for all attacks?

Almost tight bound (up to a log r factor).

THANK YOU

Conclusion

the iterated random function problemmridul nandi indian statistical institute, kolkata 28 september...

Documents