Constrained PRFs for Unbounded Inputs with Short Keys
Hamza Abusalah, Georg Fuchsbauer
ACNS 2016
Outline
1. Constrained Pseudorandom Functions (CPRFs)
2. Identity-Based Non-interactive Key Exchange
3. Unbounded-Input CPRFs
4. Unbounded-Input CPRFs with Short Keys
Pseudorandom Functions (PRFs) [GGM86]
Diagram: key k and input x go into F, which outputs Fk(x); a truly random function maps x to y.
Fk ≈ Random: without k, the outputs Fk(x) are indistinguishable from those of a random function.
Unbounded-input PRFs [Goldreich04]: supports x ∈ {0, 1}∗
Constrained Pseudorandom Functions (CPRFs) [BW13], [KPTZ13], [BGI14]
Constr(k, S) → kS
F(kS, x) = Fk(x) if x ∈ S, ⊥ otherwise
Security game (pseudorandomness at a challenge point x∗):
• the adversary chooses x∗
• it may query F on any x ≠ x∗ and receives Fk(x)
• it may query Constr on any S with x∗ ∉ S and receives kS
• challenge: y = Fk(x∗) ≈ y random
Types of CPRFs
• Polynomial-size S: Any PRF F is a CPRF
S = {x1, . . . , xp}, kS = {Fk(x1), . . . , Fk(xp)}
![Page 14: with Short Keys Constrained PRFs for Unbounded Inputsfuchsbau/slidesACNS16.pdf · Pseudorandom Functions (PRFs) Random x y Unbounded-input PRFs [Goldreich04]: supports x 2 f0; 1g](https://reader036.vdocuments.site/reader036/viewer/2022063014/5fcf52e60abd2137660167a0/html5/thumbnails/14.jpg)
Types of CPRFs
• Polynomial-size S: Any PRF F is a CPRF
S = {x1, . . . , xp}, kS = {Fk(x1), . . . , Fk(xp)}
• Puncturable [SW14]: x∗ input
kx∗ ⇒ Fk(x) if x 6= x∗
(from PRGs)
![Page 15: with Short Keys Constrained PRFs for Unbounded Inputsfuchsbau/slidesACNS16.pdf · Pseudorandom Functions (PRFs) Random x y Unbounded-input PRFs [Goldreich04]: supports x 2 f0; 1g](https://reader036.vdocuments.site/reader036/viewer/2022063014/5fcf52e60abd2137660167a0/html5/thumbnails/15.jpg)
Types of CPRFs
• Polynomial-size S: Any PRF F is a CPRF
S = {x1, . . . , xp}, kS = {Fk(x1), . . . , Fk(xp)}
• Puncturable [SW14]: x∗ input
kx∗ ⇒ Fk(x) if x 6= x∗
(from PRGs)
• Circuit [BW13]: C circuit
kC ⇒ Fk(x) if C(x) = 1
(from multilin. maps)
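As an added example (not code from the slides or the authors), the first two CPRF types above in code: a GGM-style PRF built from a length-doubling PRG (modelled here with HMAC-SHA256, an assumption for illustration), the trivial constrained key for a polynomial-size set S, and a punctured key kx∗ that reveals Fk on every x ≠ x∗ and nothing at x∗.

```python
import hmac
import hashlib

N_BITS = 8  # input length n; inputs are n-bit strings written as '0'/'1' text


def prg(seed: bytes):
    """Length-doubling PRG G(s) = (G0(s), G1(s)).
    Modelled with HMAC-SHA256 (an assumption for illustration, not a proof)."""
    return (hmac.new(seed, b"0", hashlib.sha256).digest(),
            hmac.new(seed, b"1", hashlib.sha256).digest())


def ggm_eval(seed: bytes, bits: str) -> bytes:
    """Walk the GGM tree from `seed`, taking child G_b at each bit b."""
    for b in bits:
        seed = prg(seed)[int(b)]
    return seed


def prf(k: bytes, x: str) -> bytes:
    """F_k(x): the GGM PRF on an n-bit input x."""
    assert len(x) == N_BITS and set(x) <= {"0", "1"}
    return ggm_eval(k, x)


# 1) Polynomial-size S: any PRF is a CPRF with k_S = {F_k(x1), ..., F_k(xp)}.
def constrain_set(k: bytes, S) -> dict:
    return {x: prf(k, x) for x in S}


def eval_set_key(kS: dict, x: str):
    """Returns F_k(x) for x in S, None (⊥) otherwise."""
    return kS.get(x)


# 2) Puncturable [SW14]: k_{x*} = the sibling seeds along the root-to-x* path.
#    They let anyone evaluate every leaf except x*, whose own path is never revealed.
def puncture(k: bytes, x_star: str) -> dict:
    kx = {}
    seed = k
    for i, b in enumerate(x_star):
        left, right = prg(seed)  # children for bit '0' and bit '1'
        sibling_prefix = x_star[:i] + ("1" if b == "0" else "0")
        kx[sibling_prefix] = right if b == "0" else left
        seed = left if b == "0" else right  # continue down the x* path
    return kx


def eval_punctured(kx: dict, x: str):
    """F_k(x) from the punctured key for x != x*; None (⊥) at x* itself."""
    for prefix, seed in kx.items():
        if x.startswith(prefix):
            return ggm_eval(seed, x[len(prefix):])
    return None


def punctured_matches_everywhere(k: bytes, x_star: str) -> bool:
    """Check: k_{x*} agrees with F_k on all 2^n inputs except x*, where it gives ⊥."""
    kx = puncture(k, x_star)
    for i in range(2 ** N_BITS):
        x = format(i, "0{}b".format(N_BITS))
        got = eval_punctured(kx, x)
        if x == x_star:
            if got is not None:
                return False
        elif got != prf(k, x):
            return False
    return True


if __name__ == "__main__":
    k = b"\x01" * 32          # constructed sample master key
    x_star = "01101001"       # constructed challenge point
    print("punctured key size:", len(puncture(k, x_star)), "seeds")
    print("consistent:", punctured_matches_everywhere(k, x_star))
```

A punctured key is only n seeds long, which is why the circuit construction later in the deck can afford to embed kx∗ inside an obfuscated program.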
CPRFs for Unbounded Inputs
• TMs [AFP16]: M Turing machine
  kM ⇒ Fk(x) if M(x) = 1
  (from public-coin diO)
  Accepts unbounded inputs x ∈ {0, 1}∗
• TMs [DKW16]: (from iO)
Drawback: constrained keys are obfuscated circuits
This work: constrained keys are short signatures
Application
Identity-Based Non-interactive Key Exchange
Diagram: a trusted authority holding a master key k issues a key ka to a@mail, kb to b@mail, kc to c@mail, kd to d@mail and ke to e@mail.
Without any interaction, a@mail and c@mail each compute the same shared key kac from their own key alone; likewise a@mail, b@mail and e@mail each compute the shared group key kabe.
Construction from an unbounded-input CPRF Fk : {0, 1}∗ → {0, 1}m:
• kabe := Fk(a@mail‖b@mail‖e@mail)
• Mb(x) = 1 if x = . . . b@mail . . . (i.e. b@mail occurs in x), 0 otherwise
• user b receives kMb ← Constr(k, Mb), which evaluates Fk exactly on the identity strings containing b@mail
Obfuscation
Program Obfuscation
Virtual black-box [BGI+01]: Impossible [BGI+01]
Differing-input [BGI+01], [BCP14]: Implausible [GGH+14]
Public-coin differing-input [ISP15]: TM-impossible [BSW16]
Indistinguishability [BGI+01], [GGH+13]
Program Obfuscation
P Obf P̃ ≡ P(∀x : P̃ (x) = P (x))
Functionality:
![Page 37: with Short Keys Constrained PRFs for Unbounded Inputsfuchsbau/slidesACNS16.pdf · Pseudorandom Functions (PRFs) Random x y Unbounded-input PRFs [Goldreich04]: supports x 2 f0; 1g](https://reader036.vdocuments.site/reader036/viewer/2022063014/5fcf52e60abd2137660167a0/html5/thumbnails/37.jpg)
Program Obfuscation
P P̃ ≡ P
P0, P1
b ∈ {0, 1}b?
PbP̃b
Obf
Obf
Security:
Functionality:
![Page 38: with Short Keys Constrained PRFs for Unbounded Inputsfuchsbau/slidesACNS16.pdf · Pseudorandom Functions (PRFs) Random x y Unbounded-input PRFs [Goldreich04]: supports x 2 f0; 1g](https://reader036.vdocuments.site/reader036/viewer/2022063014/5fcf52e60abd2137660167a0/html5/thumbnails/38.jpg)
Program Obfuscation
P P̃ ≡ PObf
• diO: must be hard to find x: P0(x) 6= P1(x)
Security:
Functionality:
![Page 39: with Short Keys Constrained PRFs for Unbounded Inputsfuchsbau/slidesACNS16.pdf · Pseudorandom Functions (PRFs) Random x y Unbounded-input PRFs [Goldreich04]: supports x 2 f0; 1g](https://reader036.vdocuments.site/reader036/viewer/2022063014/5fcf52e60abd2137660167a0/html5/thumbnails/39.jpg)
Program Obfuscation
P P̃ ≡ PObf
• diO: must be hard to find x: P0(x) 6= P1(x)
• public-coin diO:hard to find x: P0(x) 6= P1(x)
even when given coins for computing P0, P1
Security:
Functionality:
![Page 40: with Short Keys Constrained PRFs for Unbounded Inputsfuchsbau/slidesACNS16.pdf · Pseudorandom Functions (PRFs) Random x y Unbounded-input PRFs [Goldreich04]: supports x 2 f0; 1g](https://reader036.vdocuments.site/reader036/viewer/2022063014/5fcf52e60abd2137660167a0/html5/thumbnails/40.jpg)
Program Obfuscation
P P̃ ≡ PObf
• diO: must be hard to find x: P0(x) 6= P1(x)
• public-coin diO:hard to find x: P0(x) 6= P1(x)
even when given coins for computing P0, P1
• iO: P0 ≡ P1
Security:
Functionality:
Constructions
TM CPRFs
1) Warm-up: A circuit CPRF assuming
  • Puncturable PRFs
  • iO
2) A Turing-machine CPRF assuming
  • Puncturable PRFs
  • Public-coin diO
  • SNARKs (Succinct non-interactive arguments of knowledge)
3) A TM CPRF with short keys
  • assuming the same
A Circuit CPRF
Circuit-constrained PRF from a puncturable PRF PFk and iO:
• Fk(x) := PFk(x)
• Constr(k, C) → kC :
  kC ← iO(Pk,C) where Pk,C(x) := PFk(x) if C(x) = 1, ⊥ otherwise
Theorem. F is a secure circuit CPRF.
Proof step: replace k by the key kx∗ punctured at the challenge x∗, i.e. Pk,C(x) := PFkx∗(x) if C(x) = 1, ⊥ otherwise. Every constrained-key query has C(x∗) = 0, so both programs agree on all inputs and iO hides the switch; the puncturable PRF then makes Fk(x∗) pseudorandom.
A CPRF for Unbounded Inputs
Start from the circuit CPRF:
• Fk(x) := PFk(x)
• Constr(k, C): kC ← iO(Pk,C) where Pk,C(x) := PFk(x) if C(x) = 1, ⊥ otherwise
Can we constrain to a Turing machine M? The obfuscated object is a circuit:
• it cannot run a TM ⇒ use a SNARK proving M(x) = 1
• it does not accept unbounded x ∈ {0, 1}∗ ⇒ hash x
So: Fk(x) := PFk(H(x)) with H : {0, 1}∗ → {0, 1}n
A CPRF for Unbounded Inputs
• Fk(x) := PFk(H(x))
• Constr(k, M):
  kM ← diO(Pk,M) where Pk,M(h, π) := PFk(h) if π proves ∃x : H(x) = h ∧ M(x) = 1, ⊥ otherwise
Why diO?
• consider M with M(x∗) = 0 but M(x′) = 1 for some x′ with H(x∗) = H(x′)
  ⇒ Pk,M ≢ Pkx∗,M: the two programs differ on the input (H(x∗), π) with π proving x′, so an iO argument does not apply; diO does, because such a differing input requires a collision for H.
A CPRF for Unbounded Inputs with Short Keys
• Fk(x) := PFk(H(x))
• Constr(k, M): signature σ on M
• public: diO(Pk,vk) where
  Pk,vk(M, h, π, σ) := PFk(h) if π proves ∃x : H(x) = h ∧ M(x) = 1 and Verify(vk, M, σ); ⊥ otherwise
Security:
• diO(Pk,vk) ≈ diO(Pkx∗,vk)
• Differing inputs? Yes: σ on M with M(x∗) = 1
• Hard to find when given coins? No! The coins let one reconstruct the signing key.
Functional Signatures w/ Obliv. Samplable Keys
Signature scheme with sampling algorithm
(vk∗, skx∗) ← OSmp(x∗; r)
such that:
• vk∗ ≈ vk
• skx∗ allows signing M’s with M(x∗) = 0
  ⇒ the reduction can answer Constr queries
• given r, hard to forge σ on M with M(x∗) = 1
  − hard to find differing input
  − apply diO
Construction from: commitment, PRF, SNARK
Thank you!
(and thanks to Hamza Abusalah for letting me reuse his slides)