# The iterated random function problem

## Document Type

Conference Article

## Publication Title

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

## Abstract

At CRYPTO 2015, Minaud and Seurin introduced and studied the iterated random permutation problem, which is to distinguish the r-th iterate of a random permutation from a random permutation. In this paper, we study the closely related iterated random function problem, and prove the first almost-tight bound in the adaptive setting. More specifically, we prove that the advantage to distinguish the r-th iterate of a random function from a random function using q queries is bounded by $O(q^2 r (\log r)^3 / N)$, where N is the size of the domain. In previous work, the best known bound was $O(q^2 r^2 / N)$, obtained as a direct result of interpreting the iterated random function problem as a special case of CBC-MAC based on a random function. For the iterated random function problem, the best known attack has an advantage of $\Omega(q^2 r / N)$, showing that our security bound is tight up to a factor of $(\log r)^3$.

## First Page

667

## Last Page

697

## DOI

10.1007/978-3-319-70697-9_23

## Publication Date

1-1-2017

## Recommended Citation

Bhaumik, Ritam; Datta, Nilanjan; Dutta, Avijit; Mouha, Nicky; and Nandi, Mridul, "The iterated random function problem" (2017). *Conference Articles*. 290.

https://digitalcommons.isical.ac.in/conf-articles/290