Random oracles are practical: a paradigm for designing efficient protocols
CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
The security of the cipher block chaining message authentication code
Journal of Computer and System Sciences
Loss-less condensers, unbalanced expanders, and extractors
STOC '01 Proceedings of the thirty-third annual ACM symposium on Theory of computing
A Design Principle for Hash Functions
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
Indistinguishability of Random Systems
EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
The random oracle methodology, revisited
Journal of the ACM (JACM)
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Lower bounds for discrete logarithms and related problems
EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
Indifferentiable security analysis of popular hash functions with prefix-free padding
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Multi-property-preserving hash domain extension and the EMD transform
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
A failure-friendly design principle for hash functions
ASIACRYPT'05 Proceedings of the 11th international conference on Theory and Application of Cryptology and Information Security
Single-key AIL-MACs from any FIL-MAC
ICALP'05 Proceedings of the 32nd international conference on Automata, Languages and Programming
FSE'06 Proceedings of the 13th international conference on Fast Software Encryption
Merkle-Damgård revisited: how to construct a hash function
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Second preimages on n-bit hash functions for much less than 2n work
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Herding hash functions and the nostradamus attack
EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
Abstract models of computation in cryptography
IMA'05 Proceedings of the 10th international conference on Cryptography and Coding
On the relation between the ideal cipher and the random oracle models
TCC'06 Proceedings of the Third conference on Theory of Cryptography
Improved Indifferentiability Security Analysis of chopMD Hash Function
Fast Software Encryption
Building a Collision-Resistant Compression Function from Non-compressing Primitives
ICALP '08 Proceedings of the 35th international colloquium on Automata, Languages and Programming, Part II
Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions
CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
INDOCRYPT '08 Proceedings of the 9th International Conference on Cryptology in India: Progress in Cryptology
A Double-Piped Mode of Operation for MACs, PRFs and PROs: Security beyond the Birthday Barrier
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
On the Insecurity of the Fiat-Shamir Signatures with Iterative Hash Functions
ProvSec '09 Proceedings of the 3rd International Conference on Provable Security
A Modular Design for Hash Functions: Towards Making the Mix-Compress-Mix Approach Practical
ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
A Distinguisher for the Compression Function of SIMD-512
INDOCRYPT '09 Proceedings of the 10th International Conference on Cryptology in India: Progress in Cryptology
A new mode of operation for block ciphers and length-preserving MACs
EUROCRYPT'08 Proceedings of the theory and applications of cryptographic techniques 27th annual international conference on Advances in cryptology
Domain extension for MACs beyond the birthday barrier
EUROCRYPT'11 Proceedings of the 30th Annual international conference on Theory and applications of cryptographic techniques: advances in cryptology
Indifferentiability of domain extension modes for hash functions
INTRUST'11 Proceedings of the Third international conference on Trusted Systems
| Hi-index | 0.00 |
A public random function is a random function that is accessible by all parties, including the adversary. For example, a (public) random oracle is a public random function {0,1}* → {0,1}n. The natural problem of constructing a public random oracle from a public random function {0, 1}m → {0, 1}n (for some m n) was first considered at Crypto 2005 by Coron et al. who proved the security of variants of the Merkle-Damgård construction against adversaries issuing up to O(2n/2) queries to the construction and to the underlying compression function. This bound is less than the square root of n2m, the number of random bits contained in the underlying random function. In this paper, we investigate domain extenders for public random functions approaching optimal security. In particular, for all Ɛ ∈ (0, 1) and all functions m and l (polynomial in n), we provide a construction CƐ,m,l(ċ) which extends a public random function R : {0, 1}n → {0, 1}n to a function CƐ,m,l(R) : {0, 1}m(n) → {0, 1}l(n) with time-complexity polynomial in n and 1/Ɛ and which is secure against adversaries which make up to Θ(2n(1-Ɛ)) queries. A central tool for achieving high security are special classes of unbalanced bipartite expander graphs with small degree. The achievability of practical (as opposed to complexity-theoretic) efficiency is proved by a non-constructive existence proof. Combined with the iterated constructions of Coron et al., our result leads to the first iterated construction of a hash function {0, 1}* → {0, 1}n from a component function {0, 1}n → {0, 1}n that withstands all recently proposed generic attacks against iterated hash functions, like Joux's multi-collision attack, Kelsey and Schneier's second-preimage attack, and Kelsey and Kohno's herding attacks.