The iterated random function problem

Document Type

Conference Article

Publication Title

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Abstract

At CRYPTO 2015, Minaud and Seurin introduced and studied the iterated random permutation problem, which is to distinguish the r-th iterate of a random permutation from a random permutation. In this paper, we study the closely related iterated random function problem, and prove the first almost-tight bound in the adaptive setting. More specifically, we prove that the advantage to distinguish the r-th iterate of a random function from a random function using q queries is bounded by O(q2r(log r)3/N), where N is the size of the domain. In previous work, the best known bound was O(q2r2/ N), obtained as a direct result of interpreting the iterated random function problem as a special case of CBC-MAC based on a random function. For the iterated random function problem, the best known attack has an advantage of Ω(q2r/ N), showing that our security bound is tight up to a factor of (log r) 3.

First Page

667

Last Page

697

DOI

10.1007/978-3-319-70697-9_23

Publication Date

1-1-2017

This document is currently not available here.

Share

COinS