An Algebraic Framework for Pseudorandom Functions and Applications - PowerPoint PPT Presentation

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel Abdalla, Fabrice Benhamouda, Alain Passelègue

Pseudorandom functions [GGM86] - efficiently computable function 𝐺: 𝐿 × 𝐸 → 𝑆 - indistinguishable from a random function 𝑔: 𝐸 → 𝑆 𝑏 ∈ 𝐿 𝑦 𝑦 ≈ 𝑑 𝐺 𝑔 𝐺(𝑏, 𝑦) 𝑔(𝑦) 1/22

Number-theoretic PRF [NR97] DDH-based (Naor-Reingold) PRF 𝑜 × 0,1 𝑜 → 𝔿 𝑂𝑆: ℤ 𝑞 𝑦𝑗 𝑜 𝑕 𝑗=1 𝑏 𝑗 𝑏 , 𝑦 ↦ 2/22

Number-theoretic PRF [NR97] DDH-based (Naor-Reingold) PRF 𝑜 × 0,1 𝑜 → 𝔿 𝑂𝑆: ℤ 𝑞 𝑦 𝑗 𝑜 𝑗=1 𝑏 , 𝑦 ↦ 𝑏 𝑗 2/22

Number-theoretic PRF [NR97] DDH-based (Naor-Reingold) PRF 𝑜 × 0,1 𝑜 → 𝔿 𝑂𝑆: ℤ 𝑞 𝑦 𝑗 with 𝑄 𝑜 𝑜 = 𝑗=1 𝑏 , 𝑦 ↦ 𝑄 𝑦 ( 𝑏) 𝑦 𝑈 1 , … , 𝑈 𝑈 𝑗 2/22

Number-theoretic PRF [NR97] DDH-based (Naor-Reingold) PRF 𝑜 × 0,1 𝑜 → 𝔿 𝑂𝑆: ℤ 𝑞 𝑦 𝑗 with 𝑄 𝑜 𝑜 = 𝑗=1 𝑏 , 𝑦 ↦ 𝑄 𝑦 ( 𝑏) 𝑦 𝑈 1 , … , 𝑈 𝑈 𝑗 fact 1: 𝑦 𝑦∈ 0,1 𝑜 linearly independent 𝑜 -variate polynomials 𝑄 fact 2: other constructions with the same form (𝐶𝑁𝑆, 𝑀𝑋, … ) 2/22

Main question 𝑜 × 𝐸 ↦ 𝑄 PRF 𝐺: 𝑏, 𝑦 ∈ ℤ 𝑞 𝑦 𝑏 ? 𝑦 𝑦∈𝐸 linearly independent 𝑜 -variate polynomials over ℤ 𝑞 𝑄 3/22

Main question 𝑜 × 𝐸 ↦ 𝑄 PRF 𝐺: 𝑏, 𝑦 ∈ ℤ 𝑞 𝑦 𝑏 ? 𝑦 𝑦∈𝐸 linearly independent 𝑜 -variate polynomials over ℤ 𝑞 𝑄 (standard assumption?) 3/22

Outline - motivation for such an equivalence and proof - applications to (RKA) PRF - new algebraic framework for related-key security 4/22

Motivation 1 𝑜 × 𝐸 ↦ 𝑄 PRF 𝐺: 𝑏, 𝑦 ∈ ℤ 𝑞 𝑦 𝑏 ∈ 𝔿 𝑦 𝑦∈𝐸 lin. ind. 𝑜 -variate polynomials 𝑄 5/22

Motivation 1 𝑜 × 𝐸 ↦ 𝑄 PRF 𝐺: 𝑏, 𝑦 ∈ ℤ 𝑞 𝑦 𝑏 ∈ 𝔿 𝑦 𝑦∈𝐸 lin. ind. 𝑜 -variate polynomials 𝑄 toy example: 𝑜 × 0,1 𝑜 ↦ 𝑗=1 𝑦 𝑗 ∈ 𝔿 is a PRF 𝑜 𝑂𝑆: 𝑏, 𝑦 ∈ ℤ 𝑞 𝑏 𝑗 proof: 𝑦 ∈ 0,1 𝑜 are linearly independent 𝑦 𝑗 𝑜 { 𝑗=1 𝑈 𝑗 5/22

Motivation 2 Def: Φ -RKA-PRF [BK03] - Φ ⊆ 𝐺𝑣𝑜(𝐿, 𝐿) a class of functions - efficiently computable function 𝐺: 𝐿 × 𝐸 → 𝑆 - indistinguishable from a random function 𝑔: 𝐿 × 𝐸 → 𝑆 𝑏 ∈ 𝐿 𝑏 ∈ 𝐿 𝝔, 𝑦 𝝔, 𝑦 ≈ 𝑑 𝐺 𝑔 𝐺(𝝔 𝒃 , 𝑦) 𝑔(𝝔 𝒃 , 𝑦) 6/22

Motivation 2 Def: Φ -RKA-PRF [BK03] - Φ ⊆ 𝐺𝑣𝑜(𝐿, 𝐿) a class of functions - efficiently computable function 𝐺: 𝐿 × 𝐸 → 𝑆 - indistinguishable from a random function 𝑔: 𝐿 × 𝐸 → 𝑆 𝑏 ∈ 𝐿 𝑏 ∈ 𝐿 𝝔, 𝑦 𝝔, 𝑦 ≈ 𝑑 𝐺 𝑔 𝐺(𝝔 𝒃 , 𝑦) 𝑔(𝝔 𝒃 , 𝑦) [BK03]: impossibility results for certain classes 6/22

Motivation 2 Def: Φ -RKA-PRF [BK03] - Φ ⊆ 𝐺𝑣𝑜(𝐿, 𝐿) a class of functions - efficiently computable function 𝐺: 𝐿 × 𝐸 → 𝑆 - indistinguishable from a random function 𝑔: 𝐿 × 𝐸 → 𝑆 𝑏 ∈ 𝐿 𝑏 ∈ 𝐿 𝝔, 𝑦 𝝔, 𝑦 ≈ 𝑑 𝐺 𝑔 𝐺(𝝔 𝒃 , 𝑦) 𝑔(𝝔 𝒃 , 𝑦) [BK03]: impossibility results for certain classes goal: Φ -RKA-security for largest possible classes 6/22

𝑜 × 𝐸 ↦ 𝑄 𝐺: 𝑏, 𝑦 ∈ ℤ 𝑞 𝑦 𝑏 ∈ 𝔿 𝑜 contains only 𝑜 -variate polynomials Φ ⊆ ℤ 𝑞 𝑈 1 , … , 𝑈 7/22

𝑜 × 𝐸 ↦ 𝑄 𝐺: 𝑏, 𝑦 ∈ ℤ 𝑞 𝑦 𝑏 ∈ 𝔿 𝑜 contains only 𝑜 -variate polynomials Φ ⊆ ℤ 𝑞 𝑈 1 , … , 𝑈 then 𝐺 𝜚 𝑏 , 𝑦 = 𝑄 𝑦 𝜚 𝑏 = 𝑄 𝑦 ∘ 𝜚 𝑏 7/22

𝑜 × 𝐸 ↦ 𝑄 𝐺: 𝑏, 𝑦 ∈ ℤ 𝑞 𝑦 𝑏 ∈ 𝔿 𝑜 contains only 𝑜 -variate polynomials Φ ⊆ ℤ 𝑞 𝑈 1 , … , 𝑈 then 𝐺 𝜚 𝑏 , 𝑦 = 𝑄 𝑦 𝜚 𝑏 = 𝑄 𝑦 ∘ 𝜚 𝑏 𝑜 𝑏 ∈ ℤ 𝑞 𝑜 𝑏 ∈ ℤ 𝑞 𝜚, 𝑦 𝜚, 𝑦 ≈ 𝑑 𝐺 𝑔 𝑄 𝑦 ∘ 𝜚 𝑏 $ 7/22

𝑜 × 𝐸 ↦ 𝑄 𝐺: 𝑏, 𝑦 ∈ ℤ 𝑞 𝑦 𝑏 ∈ 𝔿 𝑜 contains only 𝑜 -variate polynomials Φ ⊆ ℤ 𝑞 𝑈 1 , … , 𝑈 then 𝐺 𝜚 𝑏 , 𝑦 = 𝑄 𝑦 𝜚 𝑏 = 𝑄 𝑦 ∘ 𝜚 𝑏 𝑜 𝑏 ∈ ℤ 𝑞 𝑜 𝑏 ∈ ℤ 𝑞 𝜚, 𝑦 𝜚, 𝑦 ≈ 𝑑 𝐺 𝑔 𝑄 𝑦 ∘ 𝜚 𝑏 $ lin. ind. 𝑜 -variate polynomials 𝑄 𝑦 ∘ 𝜚 𝑦∈𝐸 𝜚∈Φ 7/22

Summary of our (RKA) PRF results PRFs: simple proofs for 𝑂𝑆, 𝐶𝑁𝑆, 𝑀𝑋, 𝑙𝑀𝑗𝑜 and their extensions 𝒃 𝒋 ↦ 𝒃 𝝉(𝒋) 𝒃 𝒋 ↦ 𝑸(𝒃 𝝉(𝒋) ) 𝚾 𝒃 𝒋 ↦ 𝒃 𝒋 + 𝒄 𝒋 𝒃 𝒋 ↦ 𝒃 𝒋 ∗ 𝒄 𝒋 𝒃 𝒋 ↦ 𝑸(𝒃 𝒋 ) [BC10] 𝑂𝑆 ∗ 𝑂𝑆 ∗ , 𝑀𝑋 ? ? ? (exp. time) [ABPP14] 𝑂𝑆 ∗ 𝑂𝑆 ∗ 𝑂𝑆 ∗ ? ? this paper 𝑂𝑆, 𝑂𝑆 ∗ , 𝑂𝑆, 𝑂𝑆 ∗ , 𝑂𝑆, 𝑂𝑆 ∗ , 𝑂𝑆 𝑚𝑗𝑜 , 𝑂𝑆 𝑚𝑗𝑜 𝑀𝑋, 𝑙𝑀𝑗𝑜, … 𝑀𝑋, 𝑙𝑀𝑗𝑜, … 𝑀𝑋, 𝑙𝑀𝑗𝑜, … 𝐶𝑁𝑆 8/22

𝑦 𝑦∈𝐸 lin. ind. 𝑜 -variate polynomials over ℤ 𝑞 𝑄 ? 𝑜 × 𝐸 ↦ 𝑄 PRF 𝐺: 𝑏, 𝑦 ∈ ℤ 𝑞 𝑦 𝑏 9/22

𝑦 𝑦∈𝐸 lin. ind. 𝑜 -variate polynomials over ℤ 𝑞 𝑄 ? 𝑜 × 𝐸 ↦ 𝑄 PRF 𝐺: 𝑏, 𝑦 ∈ ℤ 𝑞 𝑦 𝑏 10/22

𝑦 𝑦∈𝐸 lin. ind. 𝑜 -variate polynomials over ℤ 𝑞 𝑄 ? 𝑜 × 𝐸 ↦ 𝑄 PRF 𝐺: 𝑏, 𝑦 ∈ ℤ 𝑞 𝑦 𝑏 assume 𝑄 𝑦 0 = 𝜇 1 𝑄 𝑦 1 + … + 𝜇 𝑟 𝑄 𝑦 𝑟 10/22

𝑦 𝑦∈𝐸 lin. ind. 𝑜 -variate polynomials over ℤ 𝑞 𝑄 𝑜 × 𝐸 ↦ 𝑄 PRF 𝐺: 𝑏, 𝑦 ∈ ℤ 𝑞 𝑦 𝑏 assume 𝑄 𝑦 0 = 𝜇 1 𝑄 𝑦 1 + … + 𝜇 𝑟 𝑄 𝑦 𝑟 𝑜 𝑏 ∈ ℤ 𝑞 𝑦 0 , 𝑦 1 , … , 𝑦 𝑟 𝑦 0 , 𝑦 1 , … , 𝑦 𝑟 ≉ 𝑑 𝐺 𝑔 𝑔 𝑦 0 , … , 𝑔(𝑦 𝑟 ) [𝑄 𝑦 0 ( 𝑏)], … , [𝑄 𝑦 𝑟 ( 𝑏)] 𝜇 𝑟 𝑔 𝑦 0 ≠ 𝑔 𝑦 1 𝜇 1 ⋅ … ⋅ 𝑔 𝑦 𝑟 𝑄 𝑦 0 ( 𝑏) = 𝜇 1 𝑄 𝑦 1 𝑏 + … + 𝜇 𝑟 𝑄 𝑦 𝑟 𝑏 𝜇 𝑟 𝜇 1 ⋅ … ⋅ 𝑄 = 𝑄 𝑦 1 𝑏 𝑦 𝑟 𝑏 10/22

𝑦 𝑦∈𝐸 lin. ind. 𝑜 -variate polynomials over ℤ 𝑞 𝑄 ? 𝑜 × 𝐸 ↦ 𝑄 PRF 𝐺: 𝑏, 𝑦 ∈ ℤ 𝑞 𝑦 𝑏 11/22

𝑦 𝑦∈𝐸 lin. ind. 𝑜 -variate polynomials over ℤ 𝑞 𝑄 ? 𝑜 × 𝐸 ↦ 𝑄 PRF 𝐺: 𝑏, 𝑦 ∈ ℤ 𝑞 𝑦 𝑏 𝑜 𝑏 ∈ ℤ 𝑞 𝑄 𝑄 Real Rand [𝑄( 𝑏)] $ where the polynomials queried are lin. ind. 11/22

𝑦 𝑦∈𝐸 lin. ind. 𝑜 -variate polynomials over ℤ 𝑞 𝑄 𝑜 × 𝐸 ↦ 𝑄 PRF 𝐺: 𝑏, 𝑦 ∈ ℤ 𝑞 𝑦 𝑏 thm: linearly independent polynomial (lip) security 𝑜 𝑏 ∈ ℤ 𝑞 standard assumption 𝑄 𝑄 ≈ 𝑑 Real Rand [𝑄( 𝑏)] $ where the polynomials queried are lin. ind. 11/22

This talk thm: linearly independent polynomial (lip) security 𝑜 𝑏 ∈ ℤ 𝑞 DDH 𝑄 𝑄 ≈ 𝑑 Real Rand [𝑄( 𝑏)] $ where the polynomials queried are lin. ind. + multilinear 12/22

simple case: - 𝑜 = 3 𝑦 3 | 𝑦 ∈ 0,1 3 } 𝑦 1 𝑈 𝑦 2 𝑈 - only monomials queried: 𝑄 ∈ {𝑈 1 2 3  computation of 𝑄 as a path through a binary tree 𝑏 13/22

simple case: - 𝑜 = 3 𝑦 3 | 𝑦 ∈ 0,1 3 } 𝑦 1 𝑈 𝑦 2 𝑈 - only monomials queried: 𝑄 ∈ {𝑈 1 2 3  computation of 𝑄 as a path through a binary tree 𝑏 [1] 13/22

simple case: - 𝑜 = 3 𝑦 3 | 𝑦 ∈ 0,1 3 } 𝑦 1 𝑈 𝑦 2 𝑈 - only monomials queried: 𝑄 ∈ {𝑈 1 2 3  computation of 𝑄 as a path through a binary tree 𝑏 [1] [1] [𝑏 1 ] 13/22

simple case: - 𝑜 = 3 𝑦 3 | 𝑦 ∈ 0,1 3 } 𝑦 1 𝑈 𝑦 2 𝑈 - only monomials queried: 𝑄 ∈ {𝑈 1 2 3  computation of 𝑄 as a path through a binary tree 𝑏 [1] [1] [𝑏 1 ] [1] 𝑏 2 [𝑏 1 ] 𝑏 1 𝑏 2 13/22

simple case: - 𝑜 = 3 𝑦 3 | 𝑦 ∈ 0,1 3 } 𝑦 1 𝑈 𝑦 2 𝑈 - only monomials queried: 𝑄 ∈ {𝑈 1 2 3  computation of 𝑄 as a path through a binary tree 𝑏 [1] [1] [𝑏 1 ] [1] 𝑏 2 [𝑏 1 ] 𝑏 1 𝑏 2 [1] [𝑏 3 ] [𝑏 2 ] [𝑏 2 𝑏 3 ] [𝑏 1 ] [𝑏 1 𝑏 3 ] [𝑏 1 𝑏 2 ] [𝑏 1 𝑏 2 𝑏 3 ] 13/22

simple case: - 𝑜 = 3 𝑦 3 | 𝑦 ∈ 0,1 3 } 𝑦 1 𝑈 𝑦 2 𝑈 - only monomials queried: 𝑄 ∈ {𝑈 1 2 3  computation of 𝑄 as a path through a binary tree 𝑏 [1] [1] [𝑏 1 ] [1] 𝑏 2 [𝑏 1 ] 𝑏 1 𝑏 2 [1] [𝑏 3 ] [𝑏 2 ] [𝑏 2 𝑏 3 ] [𝑏 1 ] [𝑏 1 𝑏 3 ] [𝑏 1 𝑏 2 ] [𝑏 1 𝑏 2 𝑏 3 ] 𝑈 1 𝑈 3 13/22