[PPT] - An Algebraic Framework for Pseudorandom Functions and Applications PowerPoint Presentation

SLIDE 1

Michel Abdalla, Fabrice Benhamouda, Alain Passelègue

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security

SLIDE 2

Pseudorandom functions

efficiently computable function 𝐺: 𝐿 × 𝐸 → 𝑆
indistinguishable from a random function 𝑔: 𝐸 → 𝑆

𝐺

𝑏 ∈ 𝐿 𝑦 𝐺(𝑏, 𝑦)

𝑔

𝑦 𝑔(𝑦)

≈𝑑

[GGM86]

1/22

SLIDE 3

Number-theoretic PRF

𝑂𝑆: ℤ𝑞

𝑜 × 0,1 𝑜 → 𝔿

DDH-based (Naor-Reingold) PRF

[NR97]

𝑏 , 𝑦 𝑕 𝑗=1

𝑜

𝑏𝑗

𝑦𝑗

↦

2/22

SLIDE 4

𝑂𝑆: ℤ𝑞

𝑜 × 0,1 𝑜 → 𝔿

DDH-based (Naor-Reingold) PRF

Number-theoretic PRF

𝑏 , 𝑦 𝑗=1

𝑜

𝑏𝑗

𝑦𝑗

↦

[NR97]

2/22

SLIDE 5

𝑂𝑆: ℤ𝑞

𝑜 × 0,1 𝑜 → 𝔿

DDH-based (Naor-Reingold) PRF

Number-theoretic PRF

𝑏 , 𝑦 𝑄

𝑦(

𝑏) with 𝑄

𝑦 𝑈 1, … , 𝑈 𝑜 = 𝑗=1 𝑜

𝑈

𝑗 𝑦𝑗

↦

[NR97]

2/22

SLIDE 6

𝑂𝑆: ℤ𝑞

𝑜 × 0,1 𝑜 → 𝔿

DDH-based (Naor-Reingold) PRF

Number-theoretic PRF

𝑏 , 𝑦 𝑄

𝑦(

𝑏) with 𝑄

𝑦 𝑈 1, … , 𝑈 𝑜 = 𝑗=1 𝑜

𝑈

𝑗 𝑦𝑗

↦ fact 1: 𝑄

𝑦 𝑦∈ 0,1 𝑜 linearly independent 𝑜-variate polynomials

fact 2:

ther constructions with the same form (𝐶𝑁𝑆, 𝑀𝑋, … )

[NR97]

2/22

SLIDE 7

Main question

PRF 𝐺: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 𝐸 ↦ 𝑄 𝑦

𝑏 𝑄

𝑦 𝑦∈𝐸 linearly independent 𝑜-variate polynomials over ℤ𝑞

?

3/22

SLIDE 8

Main question

PRF 𝐺: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 𝐸 ↦ 𝑄 𝑦

𝑏 𝑄

𝑦 𝑦∈𝐸 linearly independent 𝑜-variate polynomials over ℤ𝑞

(standard assumption?)

?

3/22

SLIDE 9

Outline

motivation for such an equivalence and proof
applications to (RKA) PRF
new algebraic framework for related-key security

4/22

SLIDE 10

Motivation 1

PRF 𝐺: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 𝐸 ↦ 𝑄 𝑦

𝑏 ∈ 𝔿 𝑄

𝑦 𝑦∈𝐸 lin. ind. 𝑜-variate polynomials

5/22

SLIDE 11

Motivation 1

PRF 𝐺: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 𝐸 ↦ 𝑄 𝑦

𝑏 ∈ 𝔿 𝑄

𝑦 𝑦∈𝐸 lin. ind. 𝑜-variate polynomials

toy example: 𝑂𝑆: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 0,1 𝑜 ↦ 𝑗=1 𝑜

𝑏𝑗

𝑦𝑗 ∈ 𝔿 is a PRF

proof: { 𝑗=1

𝑜

𝑈

𝑗 𝑦𝑗

𝑦 ∈ 0,1 𝑜 are linearly independent

5/22

SLIDE 12

Def: Φ-RKA-PRF

Φ ⊆ 𝐺𝑣𝑜(𝐿, 𝐿) a class of functions
efficiently computable function 𝐺: 𝐿 × 𝐸 → 𝑆
indistinguishable from a random function 𝑔: 𝐿 × 𝐸 → 𝑆

𝐺

𝑏 ∈ 𝐿 𝝔, 𝑦 𝐺(𝝔 𝒃 , 𝑦)

𝑔

𝝔, 𝑦 𝑔(𝝔 𝒃 , 𝑦)

≈𝑑

[BK03] 𝑏 ∈ 𝐿

Motivation 2

6/22

SLIDE 13

Def: Φ-RKA-PRF

Φ ⊆ 𝐺𝑣𝑜(𝐿, 𝐿) a class of functions
efficiently computable function 𝐺: 𝐿 × 𝐸 → 𝑆
indistinguishable from a random function 𝑔: 𝐿 × 𝐸 → 𝑆

𝐺

𝑏 ∈ 𝐿 𝝔, 𝑦 𝐺(𝝔 𝒃 , 𝑦)

𝑔

𝝔, 𝑦 𝑔(𝝔 𝒃 , 𝑦)

≈𝑑

[BK03] 𝑏 ∈ 𝐿

[BK03]: impossibility results for certain classes

Motivation 2

6/22

SLIDE 14

Def: Φ-RKA-PRF

Φ ⊆ 𝐺𝑣𝑜(𝐿, 𝐿) a class of functions
efficiently computable function 𝐺: 𝐿 × 𝐸 → 𝑆
indistinguishable from a random function 𝑔: 𝐿 × 𝐸 → 𝑆

𝐺

𝑏 ∈ 𝐿 𝝔, 𝑦 𝐺(𝝔 𝒃 , 𝑦)

𝑔

𝝔, 𝑦 𝑔(𝝔 𝒃 , 𝑦)

≈𝑑

[BK03] 𝑏 ∈ 𝐿

[BK03]: impossibility results for certain classes goal: Φ-RKA-security for largest possible classes

Motivation 2

6/22

SLIDE 15

𝐺: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 𝐸 ↦ 𝑄 𝑦

𝑏 ∈ 𝔿 Φ ⊆ ℤ𝑞 𝑈

1, … , 𝑈 𝑜 contains only 𝑜-variate polynomials

7/22

SLIDE 16

𝐺: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 𝐸 ↦ 𝑄 𝑦

𝑏 ∈ 𝔿 Φ ⊆ ℤ𝑞 𝑈

1, … , 𝑈 𝑜 contains only 𝑜-variate polynomials

then 𝐺 𝜚 𝑏 , 𝑦 = 𝑄

𝑦 𝜚

𝑏 = 𝑄

𝑦 ∘ 𝜚

𝑏

7/22

SLIDE 17

𝐺

𝑏 ∈ ℤ𝑞

𝑜

𝜚, 𝑦 𝑄

𝑦 ∘ 𝜚

𝑏

𝑔

𝜚, 𝑦 $

≈𝑑

𝐺: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 𝐸 ↦ 𝑄 𝑦

𝑏 ∈ 𝔿 Φ ⊆ ℤ𝑞 𝑈

1, … , 𝑈 𝑜 contains only 𝑜-variate polynomials

then 𝐺 𝜚 𝑏 , 𝑦 = 𝑄

𝑦 𝜚

𝑏 = 𝑄

𝑦 ∘ 𝜚

𝑏

𝑏 ∈ ℤ𝑞

𝑜

7/22

SLIDE 18

𝐺

𝑏 ∈ ℤ𝑞

𝑜

𝜚, 𝑦 𝑄

𝑦 ∘ 𝜚

𝑏

𝑔

𝜚, 𝑦 $

≈𝑑

𝑄

𝑦 ∘ 𝜚 𝑦∈𝐸 𝜚∈Φ

lin. ind. 𝑜-variate polynomials

𝐺: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 𝐸 ↦ 𝑄 𝑦

𝑏 ∈ 𝔿 Φ ⊆ ℤ𝑞 𝑈

1, … , 𝑈 𝑜 contains only 𝑜-variate polynomials

then 𝐺 𝜚 𝑏 , 𝑦 = 𝑄

𝑦 𝜚

𝑏 = 𝑄

𝑦 ∘ 𝜚

𝑏

𝑏 ∈ ℤ𝑞

𝑜

7/22

SLIDE 19

Summary of our (RKA) PRF results

𝚾 𝒃𝒋 ↦ 𝒃𝒋 + 𝒄𝒋 𝒃𝒋 ↦ 𝒃𝒋 ∗ 𝒄𝒋 𝒃𝒋 ↦ 𝑸(𝒃𝒋) 𝒃𝒋 ↦ 𝒃𝝉(𝒋) 𝒃𝒋 ↦ 𝑸(𝒃𝝉(𝒋)) [BC10] 𝑂𝑆∗ (exp. time) 𝑂𝑆∗, 𝑀𝑋

? ? ?

[ABPP14] 𝑂𝑆∗ 𝑂𝑆∗ 𝑂𝑆∗

? ?

this paper 𝑂𝑆, 𝑂𝑆∗, 𝑀𝑋, 𝑙𝑀𝑗𝑜, … 𝑂𝑆, 𝑂𝑆∗, 𝑀𝑋, 𝑙𝑀𝑗𝑜, … 𝑂𝑆, 𝑂𝑆∗, 𝑀𝑋, 𝑙𝑀𝑗𝑜, … 𝑂𝑆𝑚𝑗𝑜, 𝐶𝑁𝑆 𝑂𝑆𝑚𝑗𝑜

PRFs: simple proofs for 𝑂𝑆, 𝐶𝑁𝑆, 𝑀𝑋, 𝑙𝑀𝑗𝑜 and their extensions

8/22

SLIDE 20

𝑄

𝑦 𝑦∈𝐸 lin. ind. 𝑜-variate polynomials over ℤ𝑞

PRF 𝐺: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 𝐸 ↦ 𝑄 𝑦

𝑏

?

9/22

SLIDE 21

𝑄

𝑦 𝑦∈𝐸 lin. ind. 𝑜-variate polynomials over ℤ𝑞

PRF 𝐺: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 𝐸 ↦ 𝑄 𝑦

𝑏

?

10/22

SLIDE 22

assume 𝑄

𝑦0 = 𝜇1𝑄 𝑦1 + … + 𝜇𝑟𝑄 𝑦𝑟

𝑄

𝑦 𝑦∈𝐸 lin. ind. 𝑜-variate polynomials over ℤ𝑞

PRF 𝐺: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 𝐸 ↦ 𝑄 𝑦

𝑏

?

10/22

SLIDE 23

assume 𝑄

𝑦0 = 𝜇1𝑄 𝑦1 + … + 𝜇𝑟𝑄 𝑦𝑟

𝐺

𝑏 ∈ ℤ𝑞

𝑜

𝑦0, 𝑦1, … , 𝑦𝑟 [𝑄

𝑦0(

𝑏)], … , [𝑄

𝑦𝑟(

𝑏)]

𝑔

𝑦0, 𝑦1, … , 𝑦𝑟 𝑔 𝑦0 , … , 𝑔(𝑦𝑟)

≉𝑑

𝑔 𝑦0 ≠ 𝑔 𝑦1 𝜇1 ⋅ … ⋅ 𝑔 𝑦𝑟

𝜇𝑟

𝑄

𝑦 𝑦∈𝐸 lin. ind. 𝑜-variate polynomials over ℤ𝑞

PRF 𝐺: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 𝐸 ↦ 𝑄 𝑦

𝑏 = 𝑄

𝑦1

𝑏

𝜇1 ⋅ … ⋅ 𝑄 𝑦𝑟

𝑏

𝜇𝑟

𝑄

𝑦0(

𝑏) = 𝜇1𝑄

𝑦1

𝑏 + … + 𝜇𝑟𝑄

𝑦𝑟

𝑏

10/22

SLIDE 24

𝑄

𝑦 𝑦∈𝐸 lin. ind. 𝑜-variate polynomials over ℤ𝑞

PRF 𝐺: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 𝐸 ↦ 𝑄 𝑦

𝑏

?

11/22

SLIDE 25

Real 𝑄 [𝑄( 𝑏)] Rand 𝑄

where the polynomials queried are lin. ind.

𝑏 ∈ ℤ𝑞

𝑜

𝑄

𝑦 𝑦∈𝐸 lin. ind. 𝑜-variate polynomials over ℤ𝑞

PRF 𝐺: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 𝐸 ↦ 𝑄 𝑦

𝑏

$

?

11/22

SLIDE 26

Real 𝑄 [𝑄( 𝑏)] Rand 𝑄 $

≈𝑑

thm: linearly independent polynomial (lip) security where the polynomials queried are lin. ind.

𝑏 ∈ ℤ𝑞

𝑜

standard assumption

𝑄

𝑦 𝑦∈𝐸 lin. ind. 𝑜-variate polynomials over ℤ𝑞

PRF 𝐺: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 𝐸 ↦ 𝑄 𝑦

𝑏

11/22

SLIDE 27

This talk

Real 𝑄 [𝑄( 𝑏)] Rand 𝑄 $

≈𝑑

thm: linearly independent polynomial (lip) security where the polynomials queried are

lin. ind. + multilinear

𝑏 ∈ ℤ𝑞

𝑜

DDH

12/22

SLIDE 28

simple case:

𝑜 = 3
only monomials queried: 𝑄 ∈ {𝑈

1 𝑦1𝑈 2 𝑦2𝑈 3 𝑦3 | 𝑦 ∈ 0,1 3}

 computation of 𝑄 𝑏 as a path through a binary tree

13/22

SLIDE 29

simple case:

𝑜 = 3
only monomials queried: 𝑄 ∈ {𝑈

1 𝑦1𝑈 2 𝑦2𝑈 3 𝑦3 | 𝑦 ∈ 0,1 3}

 computation of 𝑄 𝑏 as a path through a binary tree

[1]

13/22

SLIDE 30

simple case:

𝑜 = 3
only monomials queried: 𝑄 ∈ {𝑈

1 𝑦1𝑈 2 𝑦2𝑈 3 𝑦3 | 𝑦 ∈ 0,1 3}

 computation of 𝑄 𝑏 as a path through a binary tree

[1] [𝑏1] [1]

13/22

SLIDE 31

simple case:

𝑜 = 3
only monomials queried: 𝑄 ∈ {𝑈

1 𝑦1𝑈 2 𝑦2𝑈 3 𝑦3 | 𝑦 ∈ 0,1 3}

 computation of 𝑄 𝑏 as a path through a binary tree

[1] [1] 𝑏2 [𝑏1] [𝑏1] 𝑏1𝑏2 [1]

13/22

SLIDE 32

simple case:

𝑜 = 3
only monomials queried: 𝑄 ∈ {𝑈

1 𝑦1𝑈 2 𝑦2𝑈 3 𝑦3 | 𝑦 ∈ 0,1 3}

 computation of 𝑄 𝑏 as a path through a binary tree

[1] [1] 𝑏2 [1] [𝑏3] [𝑏2] [𝑏2𝑏3] [𝑏1] [𝑏1] 𝑏1𝑏2 [𝑏1] [𝑏1𝑏3] [𝑏1𝑏2] [𝑏1𝑏2𝑏3] [1]

13/22

SLIDE 33

simple case:

𝑜 = 3
only monomials queried: 𝑄 ∈ {𝑈

1 𝑦1𝑈 2 𝑦2𝑈 3 𝑦3 | 𝑦 ∈ 0,1 3}

 computation of 𝑄 𝑏 as a path through a binary tree

[1] [1] 𝑏2 [1] [𝑏3] [𝑏2] [𝑏2𝑏3] [𝑏1] [𝑏1] 𝑏1𝑏2 [𝑏1] [𝑏1𝑏3] [𝑏1𝑏2] [𝑏1𝑏2𝑏3] [1]

13/22

𝑈

1𝑈3

SLIDE 34

simple case:

𝑜 = 3
only monomials queried: 𝑄 ∈ {𝑈

1 𝑦1𝑈 2 𝑦2𝑈 3 𝑦3 | 𝑦 ∈ 0,1 3}

 computation of 𝑄 𝑏 as a path through a binary tree

[1] [1] 𝑏2 [1] [𝑏3] [𝑏2] [𝑏2𝑏3] [𝑏1] [𝑏1] 𝑏1𝑏2 [𝑏1] [𝑏1𝑏3] [𝑏1𝑏2] [𝑏1𝑏2𝑏3] [1]

13/22

𝑈

1𝑈3

𝑦1 = 1

SLIDE 35

simple case:

𝑜 = 3
only monomials queried: 𝑄 ∈ {𝑈

1 𝑦1𝑈 2 𝑦2𝑈 3 𝑦3 | 𝑦 ∈ 0,1 3}

 computation of 𝑄 𝑏 as a path through a binary tree

[1] [1] 𝑏2 [1] [𝑏3] [𝑏2] [𝑏2𝑏3] [𝑏1] [𝑏1] 𝑏1𝑏2 [𝑏1] [𝑏1𝑏3] [𝑏1𝑏2] [𝑏1𝑏2𝑏3] [1]

13/22

𝑈

1𝑈3

𝑦1 = 1 𝑦2 = 0

SLIDE 36

simple case:

𝑜 = 3
only monomials queried: 𝑄 ∈ {𝑈

1 𝑦1𝑈 2 𝑦2𝑈 3 𝑦3 | 𝑦 ∈ 0,1 3}

 computation of 𝑄 𝑏 as a path through a binary tree

[1] [1] 𝑏2 [1] [𝑏3] [𝑏2] [𝑏2𝑏3] [𝑏1] [𝑏1] 𝑏1𝑏2 [𝑏1] [𝑏1𝑏3] [𝑏1𝑏2] [𝑏1𝑏2𝑏3] [1]

13/22

𝑈

1𝑈3

𝑦1 = 1 𝑦2 = 0 𝑦3 = 1

SLIDE 37

[1] [1] 𝑏2 [1] [𝑏3] [𝑏2] [𝑏2𝑏3] [𝑏1] [𝑏1] 𝑏1𝑏2 [𝑏1] [𝑏1𝑏3] [𝑏1𝑏2] [𝑏1𝑏2𝑏3] [1]

13/22

SLIDE 38

[1] [1] 𝑏2 [1] [𝑏3] [𝑏2] [𝑏2𝑏3] [𝛽] [𝛽] 𝛽𝑏2 [𝛽] [𝛽𝑏3] [𝛽𝑏2] [𝛽𝑏2𝑏3] [1]

13/22

SLIDE 39

[1] [1] 𝑏2 [1] [𝑏3] [𝑏2] [𝑏2𝑏3] [𝛽] [𝛽] 𝛽𝑏2 [𝛽] [𝛽𝑏3] [𝛽𝑏2] [𝛽𝑏2𝑏3] [1]

13/22

DDH assumption: 1 , 𝑏 , 𝑐 , 𝑏𝑐 ≈𝑑 1 , 𝛽 , 𝛾 , 𝛿

SLIDE 40

[1] 𝛾 [1] [𝑏3] [𝛾] [𝛾𝑏3] [𝛽] 𝛿 [𝛽] [𝛽𝑏3] [𝛿] [𝛿𝑏3] [1] [𝛽] [1]

DDH assumption: 1 , 𝑏 , 𝑐 , 𝑏𝑐 ≈𝑑 1 , 𝛽 , 𝛾 , 𝛿

13/22

SLIDE 41

[1] 𝛾 [1] [𝜀] [𝛾] [𝜗] [𝛽] 𝛿 [𝛽] [𝜂] [𝛿] [𝜃] [1] [𝛽] [1]

DDH assumption: 1 , 𝑏 , 𝑐 , 𝑏𝑐 ≈𝑑 1 , 𝛽 , 𝛾 , 𝛿

13/22

SLIDE 42

[1] [𝑏3] [𝑏2] [𝑏2𝑏3] [𝑏1] [𝑏1𝑏3] [𝑏1𝑏2] [𝑏1𝑏2𝑏3] [1] [𝛿] [𝛾] [𝜗] [𝛽] [𝜂] [𝜀] [𝜃]

≈𝑑

DDH

general case: use these monomials to simulate any (multilinear) polynomial e.g.: 𝑏1 + 1 𝑏2 + 1 𝑏3 + 1 = 𝑦∈ 0,1 𝑜 𝑏1

𝑦1𝑏2 𝑦2𝑏3 𝑦3

= 1 + 𝑏1 + 𝑏2 + 𝑏3 + 𝑏1𝑏2 + 𝑏1𝑏3 + 𝑏2𝑏3 + 𝑏1𝑏2𝑏3

≈𝑑

1 + 𝛽 + 𝛾 + 𝛿 + 𝜀 + 𝜂 + 𝜗 + 𝜃

DDH

14/22

SLIDE 43

[1] [𝑏3] [𝑏2] [𝑏2𝑏3] [𝑏1] [𝑏1𝑏3] [𝑏1𝑏2] [𝑏1𝑏2𝑏3] [1] [𝛿] [𝛾] [𝜗] [𝛽] [𝜂] [𝜀] [𝜃]

≈𝑑

DDH

general case: use these monomials to simulate any (multilinear) polynomial e.g.: 𝑏1 + 1 𝑏2 + 1 𝑏3 + 1 = 𝑦∈ 0,1 𝑜 𝑏1

𝑦1𝑏2 𝑦2𝑏3 𝑦3

= 1 + 𝑏1 + 𝑏2 + 𝑏3 + 𝑏1𝑏2 + 𝑏1𝑏3 + 𝑏2𝑏3 + 𝑏1𝑏2𝑏3

≈𝑑

1 + 𝛽 + 𝛾 + 𝛿 + 𝜀 + 𝜂 + 𝜗 + 𝜃

DDH

no linear relation between polynomials 𝑄

1, … , 𝑄 𝑟

 𝑄

1

𝑏 , … , 𝑄

𝑟

𝑏 ≈𝑑 $1, … , $𝑟 problem: reduction time = 𝑃(2𝑜) (# of monomials) subexponential hardness of DDH required in the paper: proof under standard DDH idea: lazy simulation

14/22

SLIDE 44

Real 𝑄 [𝑄( 𝑏)] Rand 𝑄 $

≈𝑑

where the polynomials queried are lin. ind. + multilinear (+ subexponential hardness of DDH)

𝑏 ∈ ℤ𝑞

𝑜

DDH

15/22

SLIDE 45

Real 𝑄 [𝑄( 𝐵)] Rand 𝑄 $

≈𝑑

where the polynomials queried are lin. ind. (+ natural assumptions for 𝑙 ≥ 2) polynomial-time proof

𝐵 ∈ (ℤ𝑞

𝑙×𝑙)

𝑜

Main result

MDDH

15/22

SLIDE 46

Applications

PRF 𝐺: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 𝐸 ↦ 𝑄 𝑦

𝑏 ∈ 𝔿 𝑄

𝑦 𝑦∈𝐸 lin. ind. 𝑜-variate polynomials

16/22

SLIDE 47

Applications

PRF 𝐺: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 𝐸 ↦ 𝑄 𝑦

𝑏 ∈ 𝔿 𝑄

𝑦 𝑦∈𝐸 lin. ind. 𝑜-variate polynomials

Φ ⊆ ℤ𝑞 𝑈

1, … , 𝑈 𝑜

Φ-RKA-PRF 𝐺: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 𝐸 ↦ 𝑄 𝑦

𝑏 ∈ 𝔿 𝑄

𝑦 ∘ 𝜚 𝑦∈𝐸 𝜚∈Φ

lin. ind. 𝑜-variate polynomials

16/22

SLIDE 48

condition: 𝑄

𝑦 ∘ 𝜚 𝑦∈𝐸 𝜚∈Φ

lin. ind. 𝑜-variate polynomials

this is a very strong condition!

17/22

SLIDE 49

condition: 𝑄

𝑦 ∘ 𝜚 𝑦∈𝐸 𝜚∈Φ

lin. ind. 𝑜-variate polynomials

this is a very strong condition! counter-example: Φ = Φ+, 𝜚𝑐 𝑏 = 𝑏1 + 𝑐1, … , 𝑏𝑜 + 𝑐𝑜 𝑂𝑆: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 0,1 𝑜 ↦ [ 𝑗=1 𝑜

𝑏𝑗

𝑦𝑗]

17/22

SLIDE 50

condition: 𝑄

𝑦 ∘ 𝜚 𝑦∈𝐸 𝜚∈Φ

lin. ind. 𝑜-variate polynomials

this is a very strong condition! counter-example: Φ = Φ+, 𝜚𝑐 𝑏 = 𝑏1 + 𝑐1, … , 𝑏𝑜 + 𝑐𝑜 𝑂𝑆: 𝑏, 𝑦 ∈ ℤ𝑞

𝑜 × 0,1 𝑜 ↦ [ 𝑗=1 𝑜

𝑏𝑗

𝑦𝑗]

attack against 𝑂𝑆 with 3 queries: 𝑂𝑆 𝑏, 01 … 0 = [𝑏2] 𝑂𝑆 𝑏, 11 … 0 = [𝑏1𝑏2] 𝑂𝑆 𝜚(1,0,…,0)( 𝑏), 110 … 0 = 𝑏1 + 1 𝑏2 = 𝑏1𝑏2 ⋅ [𝑏2]

17/22

SLIDE 51

this case was addressed in [BC10] idea: it is secure if the adversary is unique-input solution: force the adversary to be unique-input

18/22

SLIDE 52

this case was addressed in [BC10] idea: it is secure if the adversary is unique-input solution: force the adversary to be unique-input intuition: construct a PRF 𝐻 from 𝐺 as 𝑯 𝒃, 𝒚 = 𝑮 𝒃, 𝑰 𝒃, 𝒚 where 𝐼 is a collision-resistant hash function ⇒ if 𝑏 or 𝑦 change, then so does 𝐼( 𝑏, 𝑦)

18/22

SLIDE 53

Our new framework

instead of: 𝐻 𝑏, 𝑦 = 𝐺 𝑏, 𝐼 𝒃, 𝑦 we use: 𝐻 𝑏, 𝑦 = 𝐺 𝑏, 𝐼 𝒃𝟐 , … , [𝒃𝒐], 𝑦  reduction to the lip security notion!

19/22

SLIDE 54

Proof idea

simulate:

𝑏1 , … , [𝑏𝑜] by querying polynomials 𝑈

1, … , 𝑈 𝑜

𝐻

𝑏, 𝑦 by querying 𝑄𝐼 𝑏1 ,…,[𝑏𝑜],𝑦 𝐻 𝑏, 𝑦 = 𝑄𝐼 𝑏 ,𝑦 𝑏  𝐻 𝑏, 𝑦 ≈𝑑 $ 𝑈

1, … , 𝑈 𝑜 and polynomials 𝑄ℎ ∘ 𝜚 lin. ind. (for distinct ℎ)

20/22

SLIDE 55

Conclusion

completely algebraic framework
unifies most of the existing number-theoretic (RKA-)PRFs
simplifies proofs of (related-key) security
new constructions and security results

21/22

SLIDE 56

Real 𝑄 [𝑄( 𝐵)] Rand 𝑄 $

≈𝑑

𝐵 ∈ (ℤ𝑞

𝑙×𝑙)

𝑜

MDDH 𝚾 𝒃𝒋 ↦ 𝒃𝒋 + 𝒄𝒋 𝒃𝒋 ↦ 𝒃𝒋 ∗ 𝒄𝒋 𝒃𝒋 ↦ 𝑸(𝒃𝒋) 𝒃𝒋 ↦ 𝒃𝝉(𝒋) 𝒃𝒋 ↦ 𝑸(𝒃𝝉(𝒋)) [BC10] 𝑂𝑆∗ (exp. time) 𝑂𝑆∗, 𝑀𝑋

? ? ?

[ABPP14] 𝑂𝑆∗ 𝑂𝑆∗ 𝑂𝑆∗

? ?

this paper 𝑂𝑆, 𝑂𝑆∗, 𝑀𝑋, 𝑙𝑀𝑗𝑜, … 𝑂𝑆, 𝑂𝑆∗, 𝑀𝑋, 𝑙𝑀𝑗𝑜, … 𝑂𝑆, 𝑂𝑆∗, 𝑀𝑋, 𝑙𝑀𝑗𝑜, … 𝑂𝑆𝑚𝑗𝑜, 𝐶𝑁𝑆 𝑂𝑆𝑚𝑗𝑜

Thank you! Questions?

22/22