New and Improved Key-Homomorphic Pseudorandom Functions (Abhishek Banerjee, Chris Peikert) - PowerPoint PPT Presentation



SLIDE 1

New and Improved Key-Homomorphic Pseudorandom Functions

Abhishek Banerjee¹, Chris Peikert¹

¹Georgia Institute of Technology

CRYPTO ’14, 19 August 2014

SLIDE 2

Outline

1. Introduction
2. Construction, Parameters and Efficiency
3. Proof of Security (Idea)

Banerjee and Peikert (Georgia Tech) New and Improved KH-PRFs CRYPTO ’14 1 / 11

SLIDE 4

Pseudorandom Functions [GGM’84]

A family of functions $\mathcal{F} = \{F_s : \{0,1\}^k \to B\}$ such that, given adaptive query access, $F_s \leftarrow \mathcal{F}$ is computationally indistinguishable ($\approx_c$) from a truly random function $U$: the adversary adaptively submits queries $x_i$ and receives either $F_s(x_i)$ or $U(x_i)$, and must decide which of the two it is talking to.

Lots of applications in symmetric-key cryptography: encryption, message authentication, friend-or-foe identification, . . .

(Thanks to Seth MacFarlane for the adversary)

SLIDE 7

Cooking a (Provably Secure) PRF

1. Goldreich-Goldwasser-Micali [GGM’84]
   Based on any (length-doubling) PRG: $F_s(x_1, \ldots, x_k) = G_{x_k}(\cdots (G_{x_1}(s)) \cdots)$

2. Number-theoretic direct constructions [NR’97, NRR’00]
   Framework: exponentiate to a product of (secret) exponents. Security from number-theoretic assumptions (DDH, factoring, . . . )

3. Lattice-based direct constructions [BPR’12]
   Framework: round a product of (secret) matrices/ring elements. Security from lattice assumptions (LWE, worst-case lattice problems)
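The GGM construction from item 1, as an added worked example (not code from the talk or its authors). The length-doubling PRG is an assumption for the demo: it is modelled with SHA-256 under two domain-separation prefixes, which is a stand-in, not the paper's choice. The point the code makes concrete is the sequential structure: bit $x_1$ is consumed first and every further bit needs one more PRG call, so evaluation depth is the full input length $k$, the property the lattice constructions later in the deck improve on.

```python
import hashlib
from typing import Tuple

SEED_LEN = 32  # bytes; the PRG doubles this to 64 bytes


def prg(seed: bytes) -> Tuple[bytes, bytes]:
    """Length-doubling PRG G(seed) = (G_0(seed), G_1(seed)).

    Modelled (assumption for this demo) with SHA-256 under two
    domain-separation prefixes, so each half is SEED_LEN bytes.
    """
    if len(seed) != SEED_LEN:
        raise ValueError("seed must be %d bytes" % SEED_LEN)
    g0 = hashlib.sha256(b"\x00" + seed).digest()
    g1 = hashlib.sha256(b"\x01" + seed).digest()
    return g0, g1


def ggm_prf(s: bytes, x: str) -> bytes:
    """F_s(x_1 ... x_k) = G_{x_k}( ... (G_{x_1}(s)) ... ).

    Bit x_1 is applied first; each bit selects one half of the PRG output
    and feeds it into the next call, so a k-bit input costs k sequential
    PRG calls (circuit depth proportional to k).
    """
    if any(b not in "01" for b in x):
        raise ValueError("input must be a bit string")
    state = s
    for bit in x:
        state = prg(state)[int(bit)]
    return state


def is_prefix_consistent(s: bytes, prefix: str, suffix: str) -> bool:
    """Tree structure of GGM: the value at an internal node (after consuming
    `prefix`) acts as the seed for the whole subtree below it, so
    F_s(prefix || suffix) == F_{F_s(prefix)}(suffix)."""
    return ggm_prf(s, prefix + suffix) == ggm_prf(ggm_prf(s, prefix), suffix)


if __name__ == "__main__":
    s = bytes(range(SEED_LEN))  # constructed demo seed
    print(ggm_prf(s, "0110").hex())
    print("prefix-consistent:", is_prefix_consistent(s, "01", "10"))
```

Usage: `ggm_prf(seed, "0110")` returns a 32-byte output; changing any input bit changes the whole path through the PRG tree, while a shared prefix shares the same intermediate seed.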

SLIDE 13

Key-Homomorphic Pseudorandom Functions

Key Homomorphism: can efficiently compute $F_{s+t}(x)$ from $F_s(x)$ and $F_t(x)$.

Applications: distribute the operation of a Key Distribution Center, symmetric-key proxy re-encryption, updatable encryption, and PRFs secure against related-key attacks [BC’10, LMR’14]

1. DDH-based construction [NPR’99]
   Security in the random oracle model

2. Lattice-based construction [BLMR’13]
   Security in the standard model; construction and proof similar to the [BPR’12] rounded-subset-product construction
   Main drawback: huge parameters, keys, and runtimes

[BPR’12] also gives (non-KH) PRFs having much better parameters, with slightly worse (still polylog) depth.

Can we obtain similar tradeoffs for KH-PRFs?

SLIDE 17

Our Results

⋆ New KH-PRFs (from lattices):
  Polylog $\tilde{O}(1)$ depth (still); quasi-optimal $\tilde{O}(\lambda)$ key sizes
  First sublinear-depth PRFs (KH or otherwise) with $\tilde{O}(\lambda)$ key size!

  Reference  | Key        | Pub Params | Time/Bit
  [BLMR’13]  | λ^3 [λ^3]  | λ^6 [λ^4]  | λ^5 [λ^3]
  This work  | λ [λ]      | λ^2 [λ]    | λ^ω [λ]

  Figure: For input length λ with 2^λ security under standard assumptions. Log factors omitted. Ring-based constructions appear in [brackets].

⋆ New proof technique that may be useful elsewhere

Full version: http://eprint.iacr.org/2014/074

SLIDE 24

Boneh et al. KH-PRF Construction [BLMR’13]

Secret key $s \in \mathbb{Z}_q^n$, public params $B_0, B_1 \in \{0,1\}^{n \times n}$, input $x \in \{0,1\}^k$:

$$F_s(x) = \Big\lfloor s \cdot \prod_{i=1}^{k} B_{x_i} \Big\rceil_p$$

1. “Somewhat key-homomorphic:” $F_s(x) + F_t(x) \in F_{s+t}(x) + \{0, \pm 1\}^n$

2. Proof strategy: introduce “short” error which “rounds away”

[Figure: chain (left spine) of $k$ leaves $x_1, x_2, x_3, \ldots, x_k$]

$$F_s(x) = \Big\lfloor s \cdot \prod_{i=1}^{k} B_{x_i} \Big\rceil_p
\;\approx_s\; \Big\lfloor \underbrace{(s B_{x_1} + e_{x_1})}_{s_{x_1}} \cdot \prod_{i=2}^{k} B_{x_i} \Big\rceil_p
\;\approx_c\; \Big\lfloor s_{x_1} \cdot \prod_{i=2}^{k} B_{x_i} \Big\rceil_p
\;\approx_c\; \cdots
\;\approx_c\; \lfloor s_x \rceil_p = U(x)$$

✗ LWE approx factor grows exponentially in input length $k$.

SLIDE 26

Gadget and Bit-Decomposition

“Gadget” $\mathbb{Z}_q$-matrix $G$ [MP’12]: for any $\mathbb{Z}_q$-matrix $A$, $G \cdot G^{-1}(A) = A$, where $G^{-1}(A)$ is a square $\{0,1\}$-matrix (the bit-decomposition of $A$).

A ubiquitous tool in lattice cryptography: FHE [BV’11, GSW’13, AP’14], CCA/IBE/ABE/FHS [MP’12, BGG+’14, GVW’14]

SLIDE 31

Our Construction

For matrices $A_0, A_1$, a full binary tree $T$ and $x \in \{0,1\}^{|T|}$, define $A_T(x)$:

[Figure: a single leaf $T$ with input bit $x$; an internal node $T$ with subtrees $T.l$, $T.r$ receiving the input halves $x_l$, $x_r$]

$$A_T(x) := A_x \quad \text{for } |T| = 1$$
$$A_T(x_l x_r) := A_{T.l}(x_l) \cdot G^{-1}(A_{T.r}(x_r))$$

New KH-PRF Construction

Public parameters: matrices $A_0, A_1$, full binary tree $T$. The function $F_s$ on a $|T|$-bit input $x$ is defined as $F_s(x) = \lfloor s \cdot A_T(x) \rceil_p$.

Somewhat KH just as in [BLMR’13]. Same applications!
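A toy implementation of the construction above and of the gadget identity from the previous slide, added here as a worked example; it is not code from the paper or its authors. Assumptions: $q$ is a power of two so that $G^{-1}$ is plain bit-decomposition, $A_0, A_1$ and every $A_T(x)$ are $n \times n\ell$ matrices ($\ell = \log_2 q$) so that $G^{-1}(\cdot)$ is square as on the gadget slide, and the parameters ($n = 4$, $q = 256$, $p = 8$) are far too small for any security. The tree is a nested tuple (`None` is a leaf). `somewhat_kh_holds` checks the bound $F_s(x) + F_t(x) \in F_{s+t}(x) + \{0, \pm 1\}$ entrywise over random keys and inputs; all function names are mine.

```python
import random
from typing import List, Optional, Tuple

# Toy parameters, constructed for illustration only: far too small for any security.
N = 4                      # secret dimension n
Q = 256                    # modulus q, a power of two so G^{-1} is plain bit-decomposition
P = 8                      # rounding modulus p
ELL = Q.bit_length() - 1   # ell = log2(q) bits per Z_q entry
M = N * ELL                # gadget width; A_0, A_1 and every A_T(x) are n x m (assumption)

Matrix = List[List[int]]
Tree = Optional[Tuple["Tree", "Tree"]]   # None is a leaf, (left, right) an internal node


def matmul(a: Matrix, b: Matrix, q: int = Q) -> Matrix:
    """Matrix product over Z_q."""
    return [[sum(a[i][t] * b[t][j] for t in range(len(b))) % q
             for j in range(len(b[0]))] for i in range(len(a))]


def gadget(n: int = N) -> Matrix:
    """Gadget G = I_n (x) (1, 2, 4, ..., 2^(ell-1)), an n x (n*ell) matrix over Z_q."""
    g = [[0] * (n * ELL) for _ in range(n)]
    for i in range(n):
        for j in range(ELL):
            g[i][i * ELL + j] = 1 << j
    return g


def gadget_inverse(a: Matrix) -> Matrix:
    """G^{-1}(A): bit-decompose every entry of A so that G * G^{-1}(A) == A.
    For an n x m input the result is (n*ell) x m over {0,1}; with m = n*ell it is square."""
    n, m = len(a), len(a[0])
    out = [[0] * m for _ in range(n * ELL)]
    for i in range(n):
        for c in range(m):
            for j in range(ELL):
                out[i * ELL + j][c] = (a[i][c] >> j) & 1
    return out


def num_leaves(t: Tree) -> int:
    return 1 if t is None else num_leaves(t[0]) + num_leaves(t[1])


def a_tree(t: Tree, x: str, a0: Matrix, a1: Matrix) -> Matrix:
    """A_T(x) := A_x for |T| = 1;  A_T(x_l x_r) := A_{T.l}(x_l) * G^{-1}(A_{T.r}(x_r))."""
    if len(x) != num_leaves(t):
        raise ValueError("input length must equal the number of leaves of T")
    if t is None:
        return a1 if x == "1" else a0
    left, right = t
    k = num_leaves(left)   # the first k input bits belong to the left subtree
    return matmul(a_tree(left, x[:k], a0, a1),
                  gadget_inverse(a_tree(right, x[k:], a0, a1)))


def round_p(v: List[int], q: int = Q, p: int = P) -> List[int]:
    """Rounding floor(v)_p: map each Z_q entry to the nearest element of Z_p."""
    return [((y * p + q // 2) // q) % p for y in v]


def prf(s: List[int], t: Tree, x: str, a0: Matrix, a1: Matrix) -> List[int]:
    """F_s(x) = round_p( s * A_T(x) ), with the secret s in Z_q^n as a row vector."""
    return round_p(matmul([s], a_tree(t, x, a0, a1))[0])


def sample_params(rng: random.Random) -> Tuple[Matrix, Matrix]:
    """Constructed public parameters A_0, A_1: uniform n x m over Z_q."""
    a0 = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    a1 = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    return a0, a1


def kh_error(s: List[int], t_key: List[int], tree: Tree, x: str,
             a0: Matrix, a1: Matrix) -> List[int]:
    """F_s(x) + F_t(x) - F_{s+t}(x) mod p; 'somewhat key-homomorphic' means each entry is in {0, +1, -1}."""
    fs = prf(s, tree, x, a0, a1)
    ft = prf(t_key, tree, x, a0, a1)
    fst = prf([(u + v) % Q for u, v in zip(s, t_key)], tree, x, a0, a1)
    return [(u + v - w) % P for u, v, w in zip(fs, ft, fst)]


def somewhat_kh_holds(trials: int = 20, seed: int = 2014) -> bool:
    """Check the {0, +-1} bound on random keys and inputs for a constructed 5-leaf tree."""
    rng = random.Random(seed)
    a0, a1 = sample_params(rng)
    tree: Tree = ((None, None), (None, (None, None)))
    for _ in range(trials):
        s = [rng.randrange(Q) for _ in range(N)]
        t_key = [rng.randrange(Q) for _ in range(N)]
        x = "".join(rng.choice("01") for _ in range(num_leaves(tree)))
        if any(e not in (0, 1, P - 1) for e in kh_error(s, t_key, tree, x, a0, a1)):
            return False
    return True


def gadget_identity_holds(seed: int = 7) -> bool:
    """G * G^{-1}(A) == A for a random A (the identity from the gadget slide)."""
    a, _ = sample_params(random.Random(seed))
    return matmul(gadget(), gadget_inverse(a)) == a


if __name__ == "__main__":
    print("G * G^{-1}(A) == A:", gadget_identity_holds())
    print("somewhat key-homomorphic:", somewhat_kh_holds())
```

The rounding step is where the $\{0, \pm 1\}$ slack comes from: $s \cdot A_T(x) + t \cdot A_T(x) = (s+t) \cdot A_T(x)$ holds exactly over $\mathbb{Z}_q$, and rounding two summands separately differs from rounding their sum by at most one unit in $\mathbb{Z}_p$.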

SLIDE 39

Parameters and Parallelism

Sequentiality $s(T)$: the “right depth” of $T$. Circuit depth of the PRF is proportional to $s(T)$.

Expansion $e(T)$: the “left depth” of $T$. LWE approx factor is exponential in $e(T)$.

Max input length = max # leaves = $\binom{e+s}{s}$

[Figure: example tree with $s = 2$, $e = 2$]

Instantiations

  e(T)        | s(T)        | Key | Params | Tree shape
  λ − 1       | 1           | λ^3 | λ^6    | “Left Spine” (leaves x_1, x_2, x_3, …, x_λ): the [BLMR’13] construction!
  1           | λ − 1       | λ   | λ^2    | “Right Spine” (leaves x_λ, …, x_3, x_2, x_1)
  ≈ log_4(λ)  | ≈ log_4(λ)  | λ   | λ^2    |
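The tree parameters of this slide, as an added worked example (not code from the paper or its authors). It reads “right depth” and “left depth” as the maximum number of right, respectively left, edges on any root-to-leaf path (my reading of the slide's definitions), builds the left-spine, right-spine and maximal-$\binom{e+s}{s}$-leaf shapes, and shows why the balanced instantiation needs $e, s \approx \log_4 \lambda$: the leaf count $\binom{2d}{d}$ grows like $4^d$. The recursion $L(e,s) = L(e-1,s) + L(e,s-1)$ with $L(0,s) = L(e,0) = 1$ is the standard lattice-path count; function names are mine.

```python
from math import comb
from typing import List, Optional, Tuple

Tree = Optional[Tuple["Tree", "Tree"]]   # None is a leaf, (left, right) an internal node


def num_leaves(t: Tree) -> int:
    return 1 if t is None else num_leaves(t[0]) + num_leaves(t[1])


def sequentiality(t: Tree) -> int:
    """s(T), the 'right depth': max number of right edges on any root-to-leaf path.
    Each right edge is one more sequential G^{-1} step, so circuit depth grows with it."""
    if t is None:
        return 0
    return max(sequentiality(t[0]), 1 + sequentiality(t[1]))


def expansion(t: Tree) -> int:
    """e(T), the 'left depth': max number of left edges on any root-to-leaf path.
    The LWE approximation factor in the proof is exponential in this."""
    if t is None:
        return 0
    return max(1 + expansion(t[0]), expansion(t[1]))


def left_spine(k: int) -> Tree:
    """Left comb with k leaves (the [BLMR'13] shape): e = k-1, s = 1."""
    t: Tree = None
    for _ in range(k - 1):
        t = (t, None)
    return t


def right_spine(k: int) -> Tree:
    """Right comb with k leaves: e = 1, s = k-1."""
    t: Tree = None
    for _ in range(k - 1):
        t = (None, t)
    return t


def max_tree(e: int, s: int) -> Tree:
    """A full binary tree with expansion e and sequentiality s that attains the
    leaf bound binom(e+s, s): L(e,s) = L(e-1,s) + L(e,s-1), L(0,s) = L(e,0) = 1."""
    if e == 0 or s == 0:
        return None
    return (max_tree(e - 1, s), max_tree(e, s - 1))


def balanced_depth_for(lam: int) -> int:
    """Smallest d with binom(2d, d) >= lam, i.e. the e = s = d needed to carry lam-bit inputs.
    Since binom(2d, d) ~ 4^d, this is about log_4(lam), matching the third instantiation."""
    d = 0
    while comb(2 * d, d) < lam:
        d += 1
    return d


def instantiations(lam: int) -> List[Tuple[str, int, int, int]]:
    """The three shapes from the slide for lam-bit inputs: (name, e(T), s(T), leaves)."""
    d = balanced_depth_for(lam)
    shapes = [("left spine [BLMR'13]", left_spine(lam)),
              ("right spine", right_spine(lam)),
              ("max_tree(d, d)", max_tree(d, d))]
    return [(name, expansion(t), sequentiality(t), num_leaves(t)) for name, t in shapes]


if __name__ == "__main__":
    for row in instantiations(128):
        print(row)
```

For $\lambda = 128$ the left spine has $e = 127, s = 1$, the right spine $e = 1, s = 127$, and the balanced shape needs only $d = 5$ since $\binom{10}{5} = 252 \ge 128$, which is the depth/approximation-factor tradeoff the slide summarises.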

SLIDE 45

Proof Idea

✓ New Idea: $u = s \cdot G + v$ for uniform, independent $s$ and $v \in \mathcal{P}(G)$.

[Figure: tree $T$ whose leftmost leaf is $x_0$, with subtrees $T_1, T_2, \ldots, T_d$ hanging off the left spine and receiving the input blocks $\vec{x}_1, \vec{x}_2, \ldots, \vec{x}_d$; after the first step the leaf $x_0$ is peeled off, leaving the tree $T'$ on input $\vec{x}_1 \cdots \vec{x}_d$]

$$\begin{aligned}
F_s(x) &= \big\lfloor s \cdot A_{x_0} \cdot G^{-1}(A_{T_1}(\vec{x}_1)) \cdots \big\rceil_p \\
&\approx_s \big\lfloor \underbrace{(s \cdot A_{x_0} + e_{x_0})}_{u_{x_0}} \cdot G^{-1}(A_{T_1}(\vec{x}_1)) \cdots \big\rceil_p \\
&\approx_c \big\lfloor u_{x_0} \cdot G^{-1}(A_{T_1}(\vec{x}_1)) \cdots \big\rceil_p \\
&= \big\lfloor s_{x_0} \cdot A_{T_1}(\vec{x}_1) \cdot G^{-1}(A_{T_2}(\vec{x}_2)) \cdots + v_{x_0} \cdot G^{-1}(A_{T_1}(\vec{x}_1)) \cdots \big\rceil_p \\
&= \big\lfloor s_{x_0} \cdot A_{T'}(\vec{x}_1 \cdots \vec{x}_d) + v_{x_0} \cdot G^{-1}(A_{T_1}(\vec{x}_1)) \cdots \big\rceil_p \\
&\;\;\vdots \\
&\approx_c \big\lfloor s_x + v_{x_0} G^{-1}(A_{T_1}(\vec{x}_1)) \cdots + \text{other } v \text{ terms} \big\rceil_p \\
&\approx_s U(x).
\end{aligned}$$

SLIDE 47

Conclusions

Our main contributions:
  New KH-PRFs from lattices: quasi-optimal key sizes, polylog depth
  New proof technique

The Last Word [Mun’07]

(Image source: http://xkcd.com/221/)