## Domain extension of public random functions: Beyond the birthday barrier (2007)

Venue: Advances in Cryptology – CRYPTO ’07 (2007), Lecture Notes in Computer Science, Springer-Verlag

Citations: 9 (2 self)

### BibTeX

@INPROCEEDINGS{Maurer07domainextension,
  author    = {Ueli Maurer and Stefano Tessaro},
  title     = {Domain extension of public random functions: Beyond the birthday barrier},
  booktitle = {Advances in Cryptology -- CRYPTO '07, Lecture Notes in Computer Science},
  year      = {2007},
  pages     = {187--204},
  publisher = {Springer-Verlag}
}

### Abstract

Combined with the iterated constructions of Coron et al., our result leads to the first iterated construction of a hash function $\{0,1\}^* \to \{0,1\}^n$ from a component function $\{0,1\}^n \to \{0,1\}^n$ that withstands all recently proposed generic attacks against iterated hash functions, like Joux's multi-collision attack, Kelsey and Schneier's second-preimage attack, and Kelsey and Kohno's herding attacks.

1 Introduction

1.1 Secret vs. Public Random Functions

Primitives that provide some form of randomness are of central importance in cryptography, both as a primitive assumed to be given (e.g. a secret key), and as a primitive constructed from a weaker one to "behave like" a certain ideal random primitive (e.g. a random function), according to some security notion.
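To make the first of the generic attacks named in the abstract concrete, the following Python is an added illustration, not code from the paper or its authors, of Joux's multi-collision attack against a plain Merkle-Damgård iteration. The toy parameters (a 16-bit chaining value, 16-bit message blocks) and the component function, modelled as a public random function by truncating SHA-256, are assumptions chosen for this example. It shows that $r$ sequential birthday searches of roughly $2^{n/2}$ compression calls each yield a $2^r$-way collision, far below the $\Theta(2^{(r-1)n/r})$ queries that a random function $\{0,1\}^* \to \{0,1\}^n$ would require, which is precisely the shortfall the construction above is designed to withstand.

```python
import hashlib
import itertools

# Toy parameters, constructed for this example (not taken from the paper):
# an n = 16-bit chaining value and 16-bit message blocks, so a birthday
# collision on the component function costs about 2^8 compression calls.
N_BITS = 16
BLOCK_BYTES = 2
IV = 0


def compress(h: int, block: bytes) -> int:
    """Component function {0,1}^n x {0,1}^16 -> {0,1}^n.

    Modelled as a public random function by truncating SHA-256 of (h || block).
    The attack below treats it as a black box and only counts how often it is called.
    """
    data = h.to_bytes(N_BITS // 8, "big") + block
    return int.from_bytes(hashlib.sha256(data).digest()[: N_BITS // 8], "big")


def md_hash(msg: bytes) -> int:
    """Plain Merkle-Damgard iteration of `compress` (no padding or length
    encoding; messages must be a whole number of blocks)."""
    assert len(msg) % BLOCK_BYTES == 0
    h = IV
    for i in range(0, len(msg), BLOCK_BYTES):
        h = compress(h, msg[i : i + BLOCK_BYTES])
    return h


def find_block_collision(h: int):
    """Birthday search for distinct blocks b1 != b2 with
    compress(h, b1) == compress(h, b2) for a fixed chaining value h.

    Returns (b1, b2, queries); the expected query count is about sqrt(pi/2) * 2^(n/2).
    """
    seen = {}
    queries = 0
    for x in range(1 << (8 * BLOCK_BYTES)):
        b = x.to_bytes(BLOCK_BYTES, "big")
        y = compress(h, b)
        queries += 1
        if y in seen:
            return seen[y], b, queries
        seen[y] = b
    raise RuntimeError("compress(h, .) is injective on this block space")


def joux_multicollision(r: int):
    """Joux's attack: r sequential single-block collisions give 2^r distinct
    r-block messages with the same md_hash value for about r * 2^(n/2) work.

    Returns (messages, common_digest, total_queries).
    """
    h = IV
    pairs = []
    total_queries = 0
    for _ in range(r):
        b1, b2, q = find_block_collision(h)
        pairs.append((b1, b2))
        total_queries += q
        # compress(h, b1) == compress(h, b2), so every choice continues from the same state.
        h = compress(h, b1)
    messages = [b"".join(choice) for choice in itertools.product(*pairs)]
    return messages, h, total_queries


def generic_multicollision_cost(k: int, n: int = N_BITS) -> float:
    """Queries needed for a k-way collision in a random function with n-bit
    output, up to constants: Theta(2^((k-1) n / k)), the bound quoted in the
    paper's introduction."""
    return 2.0 ** ((k - 1) * n / k)


if __name__ == "__main__":
    r = 4
    k = 2 ** r
    msgs, digest, q = joux_multicollision(r)
    assert len(msgs) == k and len(set(msgs)) == k
    assert all(md_hash(m) == digest for m in msgs)
    print(f"{k}-collision on a {N_BITS}-bit MD hash: digest=0x{digest:04x}, "
          f"compress calls={q}, generic cost about {generic_multicollision_cost(k):.0f} queries")
```

Because each of the $2^r$ messages is assembled from the $r$ colliding block pairs, the attacker pays for $r$ two-way collisions and gets the $2^r$-way collision for free; the same structure is what makes the second-preimage and herding attacks cited below cheap on plain iterated designs.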

### Citations

1425 | Random Oracles Are Practical: a Paradigm for Designing Efficient Protocols
- Bellare, Rogaway
- 1993
Citation context: ...onally-secure) realization from such a secret key of a secret random function to which the adversary has no access. In contrast, a (public) random oracle, as used in the so-called random-oracle model [7], is a function $\{0,1\}^* \to \{0,1\}^n$ to which the adversary has complete access, like the legitimate parties. Similarly, a public parameter (e.g. the parameter selecting a hash function from a cl...

710 | Universal classes of hash functions
- Carter, Wegman
- 1979
Citation context: ...is lost) and the term "barrier" is used because breaking it is non-trivial if at all possible. For secret random functions, many constructions in the literature, also those based on universal hashing [11, 30] and the CBC-construction [5, 21], suffer from the birthday problem, and hence several researchers [1, 4, 21] considered the problem of achieving security beyond the birthday barrier. The goal of this...

670 | Universally composable security: A new paradigm for cryptographic protocols
- Canetti
- 2001
Citation context: ...ty [23] naturally extends the concept of indistinguishability to systems with a public and a private interface, adopting a simulation-based approach, in the same spirit as the security frameworks of [8, 29]. The public interface can be used by all parties, including the adversary, whereas the legitimate parties have exclusive access to the private interface. Generally, we denote such a system as an orde...

353 | A Certified digital signature
- Merkle
- 1990
Citation context: ...onsidered the problem of constructing a random oracle $\{0,1\}^* \to \{0,1\}^n$ from a public random function $\{0,1\}^m \to \{0,1\}^n$ (where $m > n$) and showed that a modified Merkle-Damgård construction [25, 14] works, with information-theoretic security (i.e., indifferentiability) up to about $O(2^{n/2})$ queries. This bound, only the square root of $O(2^n)$, is usually called the "birthday barrier". The term "...

312 | A Design Principle for Hash Functions
- Damgård
- 1989

257 | The Random Oracle Methodology, Revisited
- Canetti, Goldreich, et al.
- 1998
Citation context: ... adversary) are considered. Another famous example of a reduction problem for public primitives is the realization of a (public) random oracle from a public parameter. This was shown to be impossible [9, 23].
1.2 Domain Extension and the Birthday Barrier
A random primitive (both secret or public) can be characterized by the number of random bits it contains. An $\ell$-bit key is a string (or table) containing...

233 | Lower bounds for discrete logarithms and related problems
- Shoup
- 1997
Citation context: ...-box. Such a generic proof is not an ultimate security proof for $C(F)$, but it proves that the construction $C(\cdot)$ itself has no weakness. (Footnote 3: This is analogous to security proofs in the generic group model [31, 22], which show that no attack exists that does not exploit the particular representation of group elements.) A main advantage of such a proof is that it applies to every cryptographic property...

211 | The security of the cipher block chaining message authentication code
- Bellare, Kilian, et al.
- 1994
Citation context: ...is more involved. For example, while the CBC-construction can be seen as the secure realization of a secret random function $\{0,1\}^* \to \{0,1\}^n$ from a secret random function $\{0,1\}^n \to \{0,1\}^n$ [5, 21], the same statement is false if public functions (accessible to the adversary) are considered. Another famous example of a reduction problem for public primitives is the realization of a (public) ran...

159 | A model for asynchronous reactive systems and its application to secure message transmission
- Pfitzmann, Waidner
- 2001
Citation context: ...ty [23] naturally extends the concept of indistinguishability to systems with a public and a private interface, adopting a simulation-based approach, in the same spirit as the security frameworks of [8, 29]. The public interface can be used by all parties, including the adversary, whereas the legitimate parties have exclusive access to the private interface. Generally, we denote such a system as an orde...

104 | Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions
- Joux
Citation context: ... $B$ of queries up to which security is guaranteed is a crucial parameter of such a proof, especially in view of several surprises of the past years regarding weaknesses of iterated constructions. Joux [17] showed that the security of the Merkle-Damgård construction (with a compression function with $n$-bit output) against finding multi-collisions is not much higher than the security against normal collisi...

90 | Lossless condensers, unbalanced expanders, and extractors
- Ta-Shma, Umans, et al.
Citation context: ...s with sufficiently small (i.e. polynomially-bounded) left-degree exists. Much work in this area has been devoted to lossless unbalanced expanders, i.e. with $\gamma \approx D$, but the best known constructions [32, 26] for this case for our choice of parameters lead to either super-polynomial degree or a much too small bound $K$. However, we are satisfied even if the expansion factor is much smaller than the left-degr...

88 | Extracting randomness: A survey and new constructions
- Nisan, Ta-Shma
- 1999

84 | Merkle-Damgård Revisited: How to Construct a Hash Function
- Coron, Dodis, et al.
- 2005
Citation context: ... special additional type of access, namely inverse queries. However, the situation is different if one starts from a public random function (as opposed to just a public random string). Coron et al. [13] considered the problem of constructing a random oracle $\{0,1\}^* \to \{0,1\}^n$ from a public random function $\{0,1\}^m \to \{0,1\}^n$ (where $m > n$) and showed that a modified Merkle-Damgård constructio...

75 | On fast and provably secure message authentication based on universal hashing
- Shoup
- 1996
Citation context: ...is lost) and the term "barrier" is used because breaking it is non-trivial if at all possible. For secret random functions, many constructions in the literature, also those based on universal hashing [11, 30] and the CBC-construction [5, 21], suffer from the birthday problem, and hence several researchers [1, 4, 21] considered the problem of achieving security beyond the birthday barrier. The goal of this...

65 | Randomness conductors and constant-degree lossless expanders
- Capalbo, Reingold, et al.
- 2002

63 | Multi-property-preserving hash domain extension and the EMD transform
- Bellare, Ristenpart
- 2006
Citation context: ... $(2^{n(1-\varepsilon)})$. We finally note that our approach also works with all other known constructions of a public random oracle from a public compression function, as for example the constructions of [6, 12], or other constructions discussed in [13]. Setting $\varepsilon$ small enough provides high levels of security for properties like preimage resistance, second preimage resistance, multicollision resistance, or...

46 | Indistinguishability of random systems
- Maurer
- 2002
Citation context: ...is more involved. For example, while the CBC-construction can be seen as the secure realization of a secret random function $\{0,1\}^* \to \{0,1\}^n$ from a secret random function $\{0,1\}^n \to \{0,1\}^n$ [5, 21], the same statement is false if public functions (accessible to the adversary) are considered. Another famous example of a reduction problem for public primitives is the realization of a (public) ran...

44 | A Failure-Friendly Design Principle for Hash Functions
- Lucks
Citation context: ...[18]. One possibility to overcome these issues is to rely on a compression function with input domain much larger than the size of the output of the construction (cf. for example the constructions in [20] and the double block-length construction of [12]), but this does not seem to be the best possible approach, both from a theoretical and from a practical viewpoint, as explained below. A proof, like t...

43 | Second Preimages on n-Bit Hash Functions for Much Less than $2^n$ Work
- Kelsey, Schneier
- 2005
Citation context: ...ries. Joux's attack has been generalized to a wider class of constructions [16]. Other attacks in a similar spirit against iterated constructions are the second-preimage attack by Kelsey and Schneier [19], and herding attacks [18]. One possibility to overcome these issues is to rely on a compression function with input domain much larger than the size of the output of the construction (cf. for example...

30 | Constructing VIL-MACs from FIL-MACs: message authentication under weakened assumptions
- An, Bellare
- 1999
Citation context: ... [25, 14] construction is collision-resistant if the component function is. Similarly, one can prove that the CBC construction is a PRF if the component function is [5], or that certain constructions [2, 24] are secure MACs if the component function is. A second type of proof, which is the subject of [13] and of this paper, is the proof that if $F$ is a public random function, then so is $C(F)$, up to a cert...

30 | Herding Hash Functions and the Nostradamus Attack
- Kelsey, Kohno
- 2006
Citation context: ...en generalized to a wider class of constructions [16]. Other attacks in a similar spirit against iterated constructions are the second-preimage attack by Kelsey and Schneier [19], and herding attacks [18]. One possibility to overcome these issues is to rely on a compression function with input domain much larger than the size of the output of the construction (cf. for example the constructions in [20]...

29 | Foiling birthday attacks in length-doubling transformations - Benes: A non-reversible alternative to Feistel
- Aiello, Venkatesan
- 1996
Citation context: ...andom functions, many constructions in the literature, also those based on universal hashing [11, 30] and the CBC-construction [5, 21], suffer from the birthday problem, and hence several researchers [1, 4, 21] considered the problem of achieving security beyond the birthday barrier. The goal of this paper is to solve the corresponding problem for public random functions. Namely, we want to achieve essentia...

21 | Stateless Evaluation of Pseudorandom Functions: Security beyond the Birthday Barrier
- Bellare, Goldreich, et al.
- 1999
Citation context: ...andom functions, many constructions in the literature, also those based on universal hashing [11, 30] and the CBC-construction [5, 21], suffer from the birthday problem, and hence several researchers [1, 4, 21] considered the problem of achieving security beyond the birthday barrier. The goal of this paper is to solve the corresponding problem for public random functions. Namely, we want to achieve essentia...

16 | Abstract models of computation in cryptography
- Maurer
- 2005

15 | Indifferentiable security analysis of popular hash functions with prefix-free padding
- Chang, Lee, et al.
Citation context: ... to rely on a compression function with input domain much larger than the size of the output of the construction (cf. for example the constructions in [20] and the double block-length construction of [12]), but this does not seem to be the best possible approach, both from a theoretical and from a practical viewpoint, as explained below. A proof, like that of [13], for a construction $C(\cdot)$ of a p...

14 | Single-Key AIL-MACs from Any FIL-MAC
- Maurer, Sjödin

11 | Breaking the ICE: finding multicollisions in iterated concatenated and expanded (ICE) hash functions
- Hoch, Shamir
- 2006
Citation context: ...$n/2$), which is surprising because for a random function, finding an $r$-multi-collision requires $\Theta(2^{\frac{r-1}{r} n})$ queries. Joux's attack has been generalized to a wider class of constructions [16]. Other attacks in a similar spirit against iterated constructions are the second-preimage attack by Kelsey and Schneier [19], and herding attacks [18]. One possibility to overcome these issues is to ...

10 | Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology
- Maurer, Renner, et al.
- 2004
Citation context: ... adversary) are considered. Another famous example of a reduction problem for public primitives is the realization of a (public) random oracle from a public parameter. This was shown to be impossible [9, 23].
1.2 Domain Extension and the Birthday Barrier
A random primitive (both secret or public) can be characterized by the number of random bits it contains. An $\ell$-bit key is a string (or table) containing...

7 | Non-interactive timestamping in the bounded storage model
- Moran, Shaltiel, et al.
- 2004
Citation context: ...s with sufficiently small (i.e. polynomially-bounded) left-degree exists. Much work in this area has been devoted to lossless unbalanced expanders, i.e. with $\gamma \approx D$, but the best known constructions [32, 26] for this case for our choice of parameters lead to either super-polynomial degree or a much too small bound $K$. However, we are satisfied even if the expansion factor is much smaller than the left-degr...

6 | On the relation between Ideal Cipher and Random Oracle Models
- Dodis, Puniya
- 2006
Citation context: ... Namely, we want to achieve essentially maximal security, i.e., up to $\Theta(2^{n(1-\varepsilon)})$ queries for any $\varepsilon > 0$ (where the construction may depend on $\varepsilon$). Like for other problems (see e.g. [15]), going from the "secret case" to the "public case" appears to involve substantial new construction elements and analysis techniques.
1.3 Significance of Domain Extension for Public Random Functions ...

4 | Constructions of sparse asymmetric connectors with number theoretic methods
- Baltz, Jäger, et al.
- 2005

1 | Benes and butterfly schemes revisited
- Patarin, Montreuil
- 2005