## Domain Extension for MACs Beyond the Birthday Barrier

- Yevgeniy Dodis, John P. Steinberger
- EUROCRYPT
- 2011

1 Excerpt

- Published 2005 in IACR Cryptology ePrint Archive

In [1], W. Aiello and R. Venkatesan have shown how to construct pseudo-random functions of $2n$ bits → $2n$ bits from pseudo-random functions of $n$ bits → $n$ bits. They claimed that their construction, called "Benes", reaches the optimal bound ($m \ll 2^n$) of security against adversaries with unlimited computing power but limited by $m$ queries in an adaptive chosen plaintext attack (CPA-2). However, a complete proof of this result is not given in [1], since one of the assertions of [1] is wrong. Due to this, the proof given in [1] is valid for most attacks, but not for all possible chosen plaintext attacks. In this paper we will in a way fix this problem, since for all $\varepsilon > 0$ we will prove CPA-2 security when $m \ll 2^{n(1-\varepsilon)}$. However, we will also see that the probability to distinguish Benes functions from random functions is sometimes larger than the term in $m^2/2^{2n}$ given in [1]. One of the key ideas in our proof will be to notice that, when $m \gg 2^{n/2}$ and $m \ll 2^n$, for a large number of variables linked with some critical equalities, the average number of solutions may be large (i.e. $\gg 1$) while, at the same time, the probability to have at least one such critical equality is negligible (i.e. $\ll 1$).

```bibtex
@article{Patarin2005BenesAB,
  title={Benes and Butterfly schemes revisited},
  author={Jacques Patarin and Audrey Montreuil},
  journal={IACR Cryptology ePrint Archive},
  year={2005},
  volume={2005},
  pages={4}
}
```