Paper 2007/229

Domain Extension of Public Random Functions: Beyond the Birthday Barrier

Ueli Maurer and Stefano Tessaro

Abstract

A public random function is a random function that is accessible by all parties, including the adversary. For example, a (public) random oracle is a public random function $\{0,1{\}}^{\ast }\to \{0,1{\}}^n$. The natural problem of constructing a public random oracle from a public random function $\{0,1{\}}^m\to \{0,1{\}}^n$ (for some $m>n$) was first considered at Crypto 2005 by Coron et al.\ who proved the security of variants of the Merkle-Damgård construction against adversaries issuing up to $$ queries to the construction and to the underlying compression function. This bound is less than the square root of $$, the number of random bits contained in the underlying random function. In this paper, we investigate domain extenders for public random functions approaching optimal security. In particular, for all $$ and all functions $$ and $$ (polynomial in $$), we provide a construction $$ which extends a public random function $$ to a function $$ with time-complexity polynomial in $$ and $$ and which is secure against adversaries which make up to $$ queries. A central tool for achieving high security are special classes of unbalanced bipartite expander graphs with small degree. The achievability of practical (as opposed to complexity-theoretic) efficiency is proved by a non-constructive existence proof. Combined with the iterated constructions of Coron et al., our result leads to the first iterated construction of a hash function $$ from a component function $$ that withstands all recently proposed generic attacks against iterated hash functions, like Joux's multi-collision attack, Kelsey and Schneier's second-preimage attack, and Kelsey and Kohno's herding attacks.