The Iterated Random Function Problem

  • Ritam Bhaumik
  • Nilanjan Datta
  • Avijit Dutta
  • Nicky Mouha
  • Mridul Nandi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10625)


At CRYPTO 2015, Minaud and Seurin introduced and studied the iterated random permutation problem: distinguish the r-th iterate of a random permutation from a random permutation. In this paper, we study the closely related iterated random function problem and prove the first almost-tight bound in the adaptive setting. More specifically, we prove that the advantage of distinguishing the r-th iterate of a random function from a random function using q queries is bounded by \(O(q^2r(\log r)^3/N)\), where N is the size of the domain. In previous work, the best known bound was \(O(q^2r^2/N)\), obtained directly by viewing the iterated random function problem as a special case of CBC-MAC based on a random function. For the iterated random function problem, the best known attack has an advantage of \(\varOmega(q^2r/N)\), so our security bound is tight up to a factor of \((\log r)^3\).
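The following is an added worked example, not code from the paper or its authors, that makes the two quantities in the abstract concrete on a toy domain. It implements a lazily sampled random function f on N = 2^n_bits points, its r-th iterate f^r, the collision distinguisher behind the \(\varOmega(q^2r/N)\) attack (two chains of length r can merge at any of the r steps, so a pair of f^r outputs collides with probability about r/N instead of 1/N), and the CBC-MAC reduction the abstract alludes to: f^r(x) equals CBC-MAC with block function f over the r-block message (x, 0, ..., 0), since every zero block feeds the previous output straight back into f. The class and function names, the seed, and the domain size are this example's own choices; the Monte Carlo estimate only illustrates the lower-bound side, it says nothing about the paper's upper bound.

```python
import random


class LazyRandomFunction:
    """A uniformly random function on {0, ..., N-1}, N = 2**n_bits, sampled
    lazily: a fresh input gets a uniform output on first use, and repeated
    inputs are answered consistently. This is the 'random function' oracle."""

    def __init__(self, n_bits, rng):
        self.N = 1 << n_bits
        self.rng = rng
        self.table = {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.randrange(self.N)
        return self.table[x]


def iterate(f, r, x):
    """The r-th iterate f^r(x): r applications of f."""
    for _ in range(r):
        x = f(x)
    return x


def cbc_mac(f, blocks):
    """CBC-MAC with block function f, XOR chaining and zero IV. The domain has
    size 2**n_bits, so integer XOR is bitwise XOR on n-bit blocks."""
    c = 0
    for m in blocks:
        c = f(c ^ m)
    return c


def iterate_matches_cbc_mac(n_bits, r, xs, seed=0):
    """Check the reduction: f^r(x) == CBC-MAC_f(x, 0, ..., 0) with r blocks,
    for every x in xs, using one fresh random function (constructed input)."""
    f = LazyRandomFunction(n_bits, random.Random(seed))
    return all(iterate(f, r, x) == cbc_mac(f, [x] + [0] * (r - 1)) for x in xs)


def collision_distinguisher(oracle, q, N, rng=None):
    """The collision attack: query q distinct points and answer 'iterated'
    iff two outputs collide. Against f^r a pair collides with probability
    about r/N (chains may merge at any of the r steps), against a random
    function with probability 1/N."""
    rng = rng or random.Random(0)
    xs = rng.sample(range(N), q)
    outs = [oracle(x) for x in xs]
    return len(set(outs)) < len(outs)


def predicted_advantage(N, r, q):
    """Union-bound estimate: C(q,2) pairs, each adding about (r-1)/N of
    collision probability over the random-function case."""
    return (q * (q - 1) // 2) * (r - 1) / N


def estimate_advantage(n_bits, r, q, trials, seed=0):
    """Monte Carlo estimate of
    Pr[D says 'iterated' | oracle = f^r] - Pr[D says 'iterated' | oracle = g]
    for independent random functions f and g."""
    rng = random.Random(seed)
    N = 1 << n_bits
    hits_real = hits_ideal = 0
    for _ in range(trials):
        f = LazyRandomFunction(n_bits, rng)
        hits_real += collision_distinguisher(lambda x: iterate(f, r, x), q, N, rng)
        g = LazyRandomFunction(n_bits, rng)
        hits_ideal += collision_distinguisher(g, q, N, rng)
    return (hits_real - hits_ideal) / trials


if __name__ == "__main__":
    n_bits, q, trials = 10, 8, 2000
    print(f"N = 2^{n_bits}, q = {q}, {trials} trials per row")
    for r in (1, 2, 4, 8, 16):
        est = estimate_advantage(n_bits, r, q, trials)
        pred = predicted_advantage(1 << n_bits, r, q)
        print(f"r = {r:2d}: estimated advantage {est:.3f}, union-bound prediction {pred:.3f}")
```

For r = 1 the oracle is itself a random function and the estimated advantage hovers around zero; as r grows the estimate tracks the q^2 r / N prediction until the union bound saturates. With N = 2^10 the domain is small enough that the effect is visible in a few thousand trials; for a realistic N the same attack needs q on the order of sqrt(N/r) queries, which is exactly the regime the paper's bound addresses.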


Keywords: Iterated random function · Random function · Pseudorandom function · Password hashing · Patarin's H-coefficient technique · Provable security


  1. Bellare, M., Kilian, J., Rogaway, P.: The security of cipher block chaining. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 341–358. Springer, Heidelberg (1994)
  2. Bellare, M., Kilian, J., Rogaway, P.: The security of the Cipher Block Chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)
  3. Bellare, M., Pietrzak, K., Rogaway, P.: Improved security analyses for Cipher Block Chaining Message Authentication Codes. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 527–545. Springer, Heidelberg (2005)
  4. Bellare, M., Ristenpart, T., Tessaro, S.: Multi-instance security and its application to password-based cryptography. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 312–329. Springer, Heidelberg (2012)
  5. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006)
  6. Berke, R.: On the security of iterated MACs. Ph.D. thesis, ETH Zürich (2003)
  7. Bernstein, D.J.: A short proof of the unpredictability of cipher block chaining, January 2005
  8. Bhaumik, R., Datta, N., Dutta, A., Mouha, N., Nandi, M.: The Iterated Random Function Problem. Cryptology ePrint Archive, Report 2017/892 (2017). Full version of this paper
  9. Bossi, S., Visconti, A.: What users should know about Full Disk Encryption based on LUKS. In: Reiter, M., Naccache, D. (eds.) CANS 2015. LNCS, vol. 9476, pp. 225–237. Springer, Cham (2015)
  10. Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014)
  11. Dodis, Y., Gennaro, R., Håstad, J., Krawczyk, H., Rabin, T.: Randomness extraction and key derivation using the CBC, Cascade and HMAC modes. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 494–510. Springer, Heidelberg (2004)
  12. Dodis, Y., Ristenpart, T., Steinberger, J., Tessaro, S.: To hash or not to hash again? (In)differentiability results for \(H^2\) and HMAC. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 348–366. Springer, Heidelberg (2012)
  13. Ferguson, N., Schneier, B.: Practical Cryptography. Wiley, New York (2003)
  14. Gaži, P., Pietrzak, K., Rybár, M.: The exact PRF-security of NMAC and HMAC. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 113–130. Springer, Heidelberg (2014)
  15. Minaud, B., Seurin, Y.: The iterated random permutation problem with applications to cascade encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 351–367. Springer, Heidelberg (2015)
  16. Nandi, M.: A simple and unified method of proving indistinguishability. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 317–334. Springer, Heidelberg (2006)
  17. Patarin, J.: The "Coefficients H" technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009)
  18. Preneel, B., van Oorschot, P.C.: MDx-MAC and building fast MACs from hash functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 1–14. Springer, Heidelberg (1995)
  19. Turan, M.S., Barker, E., Burr, W., Chen, L.: Recommendation for key derivation using pseudorandom functions (Revised). NIST Special Publication 800-132, National Institute of Standards and Technology (NIST), December 2010
  20. Wagner, D., Goldberg, I.: Proofs of security for the Unix password hashing algorithm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 560–572. Springer, Heidelberg (2000)
  21. Wuille, P.: Bitcoin network graphs (2017)
  22. Yao, F.F., Yin, Y.L.: Design and analysis of password-based key derivation functions. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 245–261. Springer, Heidelberg (2005)
  23. Yao, F.F., Yin, Y.L.: Design and analysis of password-based key derivation functions. IEEE Trans. Inf. Theory 51(9), 3292–3297 (2005)

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Ritam Bhaumik (1)
  • Nilanjan Datta (2)
  • Avijit Dutta (1)
  • Nicky Mouha (3, 4), corresponding author
  • Mridul Nandi (1)
  1. Indian Statistical Institute, Kolkata, India
  2. Indian Institute of Technology, Kharagpur, India
  3. National Institute of Standards and Technology, Gaithersburg, USA
  4. Project-team SECRET, Inria, Paris, France
