A public random function is a random function that is accessible by all parties, including the adversary. For example, a (public) random oracle is a public random function {0, 1}∗ → {0, 1}n . The natural problem of constructing a public random oracle from a public random function {0, 1}m → {0, 1}n (for some m > n) was first considered at Crypto 2005 by Coron et al. who proved the security of variants of the Merkle-Damg˚ard construction against adversaries issuing up to O(2n/2 ) queries to the construction and to the underlying compression function. This bound is less than the square root of n2m , the number of random bits contained in the underlying random function. In this paper, we investigate domain extenders for public random functions approaching optimal security. In particular, for all ∈ (0, 1) and all functions m and (polynomial in n), we provide a construction C ,m, (·) which extends a public random function R : {0, 1}n → {0, 1}n to a function C ,m, (R) : {0, 1...
Ueli M. Maurer, Stefano Tessaro