Domain Extension of Public Random Functions: Beyond the Birthday Barrier

A public random function is a random function that is accessible by all parties, in-cluding the adversary. For example, a (public) random oracle is a public random function{0, 1}∗ → {0, 1}. The natural problem of constructing a public random oracle from a pub-lic random function {0, 1} → {0, 1} (for some m > n) was first considered at Crypto 2005by Coron et al. who proved the security of variants of the Merkle-Damg̊ard constructionagainst adversaries issuing up to O(2) queries to the construction and to the underly-ing compression function. This bound is less than the square root of n2, the number ofrandom bits contained in the underlying random function.In this paper, we investigate domain extenders for public random functions approachingoptimal security. In particular, for all ∈ (0, 1) and all functions m and ` (polynomial in n),we provide a construction C,m,`(·) which extends a public random function R : {0, 1} →{0, 1} to a function C,m,`(R) : {0, 1} → {0, 1} with time-complexity polynomialin n and 1/ and which is secure against adversaries which make up to Θ(2n(1− ) queries. Acentral tool for achieving high security are special classes of unbalanced bipartite expandergraphs with small degree. The achievability of practical (as opposed to complexity-theoretic)efficiency is proved by a non-constructive existence proof.Combined with the iterated constructions of Coron et al., our result leads to the first iter-ated construction of a hash function {0, 1}∗ → {0, 1} from a component function {0, 1} →{0, 1} that withstands all recently proposed generic attacks against iterated hash functions,like Joux’s multi-collision attack, Kelsey and Schneier’s second-preimage attack, and Kelseyand Kohno’s herding attacks.