PRF Domain Extension Using DAGs

We prove a general domain extension theorem for pseudo-random functions (PRFs). Given a PRF

F

from

n

bits to

n

bits, it is well known that employing

F

in a chaining mode (CBC-MAC) yields a PRF on a bigger domain of

mn

bits. One can view each application of

F

in this chaining mode to be a node in a graph, and the chaining as edges between the node. The resulting graph is just a line graph. In this paper, we show that the underlying graph can be an arbitrary directed acyclic graph (DAG), and the resulting function on the larger domain is still a PRF. The only requirement on the graph is that it have unique source and sink nodes, and no two nodes have the same set of incident nodes. A new highly parallelizable MAC construction follows which has a critical path of only 3+log

*

m

applications of

F

.

If we allow Galois field arithmetic, we can consider edge-colored DAGs, where the colors represent multiplication in the field by the color. We prove an even more general theorem, where the only restriction on the colored DAGs is that if two nodes (

u

and

v

) have the same set of incident nodes

W

, then at least one

w

in

W

is incident on

u

and

v

with a different colored edge. PMAC (Parallelizable Message Authentication ) is a simple example of such graphs. Finally, to handle variable length domain extension, we extend our theorem to a collection of DAGs. The general theorem allows one to have further optimizations over PMAC, and many modes which deal with variable lengths.