Constrained PRFs for Unbounded Inputswith Short Keys

Hamza Abusalah Georg Fuchsbauer

ACNS 2016

Outline

1. Constrained Pseudorandom Functions (CPRFs)

2. Identity-Based Non-interactive Key Exchange

3. Unbounded-Input CPRFs

4. Unbounded-Input CPRFs with Short Keys

Pseudorandom Functions (PRFs)[GGM86]

k

x

Fk(x) F

Pseudorandom Functions (PRFs)

Randomx

y k

x

Fk(x) F

[GGM86]

Pseudorandom Functions (PRFs)

Randomx

y k

x

Fk(x) F

[GGM86]

≈

Pseudorandom Functions (PRFs)

Randomx

y

Unbounded-input PRFs [Goldreich04]: supports x ∈ {0, 1}∗

k

x

Fk(x) F

[GGM86]

≈

Constrained Pseudorandom Functions (CPRFs)[BW13],[KPTZ13],[BGI14]

Constr

S

k

Constrained Pseudorandom Functions (CPRFs)

F

x {Fk(x) if x ∈ S⊥ otherwisekSConstr

S

k

[BW13],[KPTZ13],[BGI14]

Constrained Pseudorandom Functions (CPRFs)

F

x {Fk(x) if x ∈ S⊥ otherwisekSConstr

S

k

[BW13],[KPTZ13],[BGI14]

x∗

Constrained Pseudorandom Functions (CPRFs)

F

x {Fk(x) if x ∈ S⊥ otherwisekSConstr

S

k

k

Fy

[BW13],[KPTZ13],[BGI14]

x∗

x 6= x∗

Constrained Pseudorandom Functions (CPRFs)

F

x {Fk(x) if x ∈ S⊥ otherwisekSConstr

S

k

k

Fy

ConstrkS

[BW13],[KPTZ13],[BGI14]

x∗

x 6= x∗

S 63 x∗

Constrained Pseudorandom Functions (CPRFs)

F

x {Fk(x) if x ∈ S⊥ otherwisekSConstr

S

k

k

Fy

Fk(x∗)y random

[BW13],[KPTZ13],[BGI14]

x∗

ConstrkS

≈

x 6= x∗

S 63 x∗

Types of CPRFs

• Polynomial-size S: Any PRF F is a CPRF

S = {x1, . . . , xp}, kS = {Fk(x1), . . . , Fk(xp)}

Types of CPRFs

• Polynomial-size S: Any PRF F is a CPRF

S = {x1, . . . , xp}, kS = {Fk(x1), . . . , Fk(xp)}

• Puncturable [SW14]: x∗ input

kx∗ ⇒ Fk(x) if x 6= x∗

(from PRGs)

Types of CPRFs

• Polynomial-size S: Any PRF F is a CPRF

S = {x1, . . . , xp}, kS = {Fk(x1), . . . , Fk(xp)}

• Puncturable [SW14]: x∗ input

kx∗ ⇒ Fk(x) if x 6= x∗

(from PRGs)

• Circuit [BW13]: C circuit

kC ⇒ Fk(x) if C(x) = 1

(from multilin. maps)

CPRFs for Unbounded Inputs

• TMs [AFP16]: M Turing machine

kM ⇒ Fk(x) if M(x) = 1

(from public-coin diO)

Accepts unbounded inputs x ∈ {0, 1}∗

CPRFs for Unbounded Inputs

• TMs [AFP16]: M Turing machine

kM ⇒ Fk(x) if M(x) = 1

(from public-coin diO)

Accepts unbounded inputs x ∈ {0, 1}∗

• TMs [DKW16]: (from iO)

CPRFs for Unbounded Inputs

Drawback: constrained keys are obfuscated circuits

This work: constrained keys are short signatures

• TMs [AFP16]: M Turing machine

kM ⇒ Fk(x) if M(x) = 1

(from public-coin diO)

Accepts unbounded inputs x ∈ {0, 1}∗

• TMs [DKW16]: (from iO)

Application

Identity-Based Non-interactive Key Exchange

a@mail

b@mail

c@mail

c@mail

kc

c@mailka

d@mail

Identity-Based Non-interactive Key Exchange

ka

a@mail

b@mail

c@mail

a@mail

c@mail

kc

c@mailka

d@mail

k

Identity-Based Non-interactive Key Exchange

a@mail

b@mail

c@mail

ka

kb

kc

c@mail

kc

c@mailka

d@mailkd

ka

a@mail

k

Identity-Based Non-interactive Key Exchange

a@mail

b@mail

c@mail

ka

kb

kc

c@mail

kc

c@mailka

d@mailkd

,kac

,kac

k

Identity-Based Non-interactive Key Exchange

a@mail

b@mail

c@mail

ka

kb

kc

c@mail

kc

c@mailka

d@mailkd

e@mail

ke

e@mailke

k

Identity-Based Non-interactive Key Exchange

a@mail

b@mail

ka

kb

c@mail

kc

c@mailka

e@mailke

,kabe

,kabe

,kabe

k

c@mailkc

d@mailkd

Identity-Based Non-interactive Key Exchange

a@mail

b@mail

c@mail

kc

c@mailka

Fk : {0, 1}∗ → {0, 1}m

k

Identity-Based Non-interactive Key Exchange

c@mail

kc

c@mailka

kabe :=Fk(a@mail‖b@mail‖e@mail)

Fk : {0, 1}∗ → {0, 1}ma@mail

b@mail

k

Identity-Based Non-interactive Key Exchange

c@mail

kc

c@mailka

b@mailb@mail

Fk : {0, 1}∗ → {0, 1}m

k

Identity-Based Non-interactive Key Exchange

c@mail

kc

c@mailka

b@mail

Fk : {0, 1}∗ → {0, 1}m

k

b@mail

Mb(x) =

{1 if x = . . . b@mail . . .0 otherwise

Identity-Based Non-interactive Key Exchange

c@mail

kc

c@mailka

kConstr

b@mail

Fk : {0, 1}∗ → {0, 1}m

b@mail

Mb(x) =

{1 if x = . . . b@mail . . .0 otherwise

Identity-Based Non-interactive Key Exchange

c@mail

kc

c@mailka

kConstr

kMb

b@mail

Fk : {0, 1}∗ → {0, 1}m

b@mail

Mb(x) =

{1 if x = . . . b@mail . . .0 otherwise

Obfuscation

ObfuscationApplication

Program Obfuscation

Virtual black-box[BGI+01]

Differing-input[BGI+01],[BCP14]

Public-coin differing-input[ISP15]

Indistinguishability[BGI+01], [GGH+13]

Program Obfuscation

Virtual black-box[BGI+01]

Differing-input[BGI+01],[BCP14]

Public-coin differing-input[ISP15]

Indistinguishability[BGI+01], [GGH+13]

Impossible[BGI+01]

Implausible[GGH+14]

TM-impossible[BSW16]

Program Obfuscation

P Obf P̃ ≡ P(∀x : P̃ (x) = P (x))

Functionality:

Program Obfuscation

P P̃ ≡ P

P0, P1

b ∈ {0, 1}b?

PbP̃b

Obf

Obf

Security:

Functionality:

Program Obfuscation

P P̃ ≡ PObf

• diO: must be hard to find x: P0(x) 6= P1(x)

Security:

Functionality:

Program Obfuscation

P P̃ ≡ PObf

• diO: must be hard to find x: P0(x) 6= P1(x)

• public-coin diO:hard to find x: P0(x) 6= P1(x)

even when given coins for computing P0, P1

Security:

Functionality:

Program Obfuscation

P P̃ ≡ PObf

• diO: must be hard to find x: P0(x) 6= P1(x)

• public-coin diO:hard to find x: P0(x) 6= P1(x)

even when given coins for computing P0, P1

• iO: P0 ≡ P1

Security:

Functionality:

ConstructionsObfuscation

Constructions

TM CPRFs

1) Warm-up: A circuit CPRF assuming

• Puncturable PRFs

• iO

TM CPRFs

1) Warm-up: A circuit CPRF assuming

• Puncturable PRFs

• iO

2) A Turing-machine CPRF assuming

• Puncturable PRFs

• Public-coin diO

• SNARKs (Succinct non-interactive arguments of knowledge)

TM CPRFs

1) Warm-up: A circuit CPRF assuming

• Puncturable PRFs

• iO

2) A Turing-machine CPRF assuming

• Puncturable PRFs

• Public-coin diO

• SNARKs (Succinct non-interactive arguments of knowledge)

3) A TM CPRF with short keys

• assuming the same

A Circuit CPRF

Circuit-constrained PRF:

• Fk(x) := PFk(x)

• puncturable PRF PFk

• iO

A Circuit CPRF

Circuit-constrained PRF:

• Fk(x) := PFk(x)

• Constr(k,C)→ kC :

Pk,C(x) :=

{PFk(x) if C(x) = 1⊥ otherwise

• puncturable PRF PFk

• iO

A Circuit CPRF

Circuit-constrained PRF:

• Fk(x) := PFk(x)

• Constr(k,C)→ kC :

kC ← iO

(Pk,C(x) :=

{PFk(x) if C(x) = 1⊥ otherwise

)

• puncturable PRF PFk

• iO

A Circuit CPRF

Circuit-constrained PRF:

• Fk(x) := PFk(x)

• Constr(k,C)→ kC :

Theorem. F is a secure circuit CPRF.

• puncturable PRF PFk

• iO

kC ← iO

(Pk,C(x) :=

{PFk(x) if C(x) = 1⊥ otherwise

)

A Circuit CPRF

Circuit-constrained PRF:

• Fk(x) := PFkx∗(x)

• Constr(k,C)→ kC :

Theorem. F is a secure circuit CPRF.

• puncturable PRF PFk

• iO

kC ← iO

(Pk,C(x) :=

{PFkx∗(x) if C(x) = 1⊥ otherwise

)

A CPRF for Unbounded Inputs

• Fk(x) := PFk(x)

• Constr(k,C):

kC ← iO

(Pk,C(x) :=

{PFk(x) if C(x) = 1⊥ otherwise

)

A CPRF for Unbounded Inputs

• Fk(x) := PFk(x)

• Constr(k,C):

kC ← iO

(Pk,C(x) :=

{PFk(x) if C(x) = 1⊥ otherwise

)

M?

A CPRF for Unbounded Inputs

• Fk(x) := PFk(x)

• Constr(k,C):

kC ← iO

(Pk,C(x) :=

{PFk(x) if C(x) = 1⊥ otherwise

)

M?

Circuit!

A CPRF for Unbounded Inputs

• Fk(x) := PFk(x)

• Constr(k,C):

kC ← iO

(Pk,C(x) :=

{PFk(x) if C(x) = 1⊥ otherwise

)

M?

Circuit! • cannot run TM⇒ use SNARK proving M(x) = 1

A CPRF for Unbounded Inputs

• Fk(x) := PFk(x)

• Constr(k,C):

kC ← iO

(Pk,C(x) :=

{PFk(x) if C(x) = 1⊥ otherwise

)

Circuit! • cannot run TM⇒ use SNARK proving M(x) = 1

• does not accept x ∈ {0, 1}∗⇒ hash x

unbounded!

A CPRF for Unbounded Inputs

• Fk(x) := PFk(H(x)) with H : {0, 1}∗ → {0, 1}n

A CPRF for Unbounded Inputs

• Fk(x) := PFk(H(x))

• Constr(k,M):

Pk,M (h, π)=

{PFk(h) if π proves ∃x : H(x) = h

∧ M(x) = 1⊥ otherwise

A CPRF for Unbounded Inputs

• Fk(x) := PFk(H(x))

• Constr(k,M):

kM←diO

(Pk,M (h, π)=

{PFk(h) if π proves ∃x : H(x) = h

∧ M(x) = 1⊥ otherwise

)

A CPRF for Unbounded Inputs

• Fk(x) := PFk(H(x))

• Constr(k,M):

kM←diO

(Pk,M (h, π)=

{PFk(h) if π proves ∃x : H(x) = h

∧ M(x) = 1⊥ otherwise

)

Why diO?

• consider M with M(x∗) = 0

M(x′) = 1H(x∗) = H(x′)

⇒ Pk,M 6≡ Pkx∗ ,M

A CPRF for Unbounded Inputs with Short Keys

• Fk(x) := PFk(H(x))

• Constr(k,M): signature σ on M

A CPRF for Unbounded Inputs with Short Keys

• Fk(x) := PFk(H(x))

• Constr(k,M): signature σ on M

• public:

diO

(Pk,vk(M,h, π, σ)=

PFk(h) if π proves ∃x : H(x) = h

∧ M(x) = 1and Verify(vk,M, σ)

⊥ otherwise

)

A CPRF for Unbounded Inputs with Short Keys

• Fk(x) := PFk(H(x))

• Constr(k,M): signature σ on M

• public:

diO

(Pk,vk(M,h, π, σ)=

PFk(h) if π proves ∃x : H(x) = h

∧ M(x) = 1and Verify(vk,M, σ)

⊥ otherwise

)

Security:

• diO(Pk,vk) ≈ diO(Pkx∗,vk)

A CPRF for Unbounded Inputs with Short Keys

• Fk(x) := PFk(H(x))

• Constr(k,M): signature σ on M

• public:

diO

(Pk,vk(M,h, π, σ)=

PFk(h) if π proves ∃x : H(x) = h

∧ M(x) = 1and Verify(vk,M, σ)

⊥ otherwise

)

Security:

• diO(Pk,vk) ≈ diO(Pkx∗,vk)

• Differing inputs? Yes: σ on M with M(x∗) = 1

A CPRF for Unbounded Inputs with Short Keys

• Fk(x) := PFk(H(x))

• Constr(k,M): signature σ on M

• public:

diO

(Pk,vk(M,h, π, σ)=

PFk(h) if π proves ∃x : H(x) = h

∧ M(x) = 1and Verify(vk,M, σ)

⊥ otherwise

)

Security:

• diO(Pk,vk) ≈ diO(Pkx∗,vk)

• Differing inputs? Yes: σ on M with M(x∗) = 1

• Hard to find when given coins? No! can reconstructsigning key

Functional Signatures w/ Obliv. Samplable Keys

Signature scheme with sampling algorithm

(vk∗, skx∗)← OSmp(x∗; r)

Functional Signatures w/ Obliv. Samplable Keys

Signature scheme with sampling algorithm

(vk∗, skx∗)← OSmp(x∗; r)

such that:

• vk∗ ≈ vk

Functional Signatures w/ Obliv. Samplable Keys

Signature scheme with sampling algorithm

(vk∗, skx∗)← OSmp(x∗; r)

such that:

• vk∗ ≈ vk

• skx∗ allows signing M ’s with M(x∗) = 0

Functional Signatures w/ Obliv. Samplable Keys

Signature scheme with sampling algorithm

(vk∗, skx∗)← OSmp(x∗; r)

such that:

• vk∗ ≈ vk

• skx∗ allows signing M ’s with M(x∗) = 0

• given r, hard to forge σ on M with M(x∗) = 1

Functional Signatures w/ Obliv. Samplable Keys

Signature scheme with sampling algorithm

(vk∗, skx∗)← OSmp(x∗; r)

such that:

• vk∗ ≈ vk Reduction can answer Constr queries

• skx∗ allows signing M ’s with M(x∗) = 0

• given r, hard to forge σ on M with M(x∗) = 1

Functional Signatures w/ Obliv. Samplable Keys

Signature scheme with sampling algorithm

(vk∗, skx∗)← OSmp(x∗; r)

such that:

• vk∗ ≈ vk

• skx∗ allows signing M ’s with M(x∗) = 0

• given r, hard to forge σ on M with M(x∗) = 1

− hard to find differing input

− apply diO

Functional Signatures w/ Obliv. Samplable Keys

Signature scheme with sampling algorithm

(vk∗, skx∗)← OSmp(x∗; r)

such that:

• vk∗ ≈ vk

• skx∗ allows signing M ’s with M(x∗) = 0

• given r, hard to forge σ on M with M(x∗) = 1

Construction from: commitment, PRF, SNARK

Functional Signatures w/ Obliv. Samplable Keys

Signature scheme with sampling algorithm

(vk∗, skx∗)← OSmp(x∗; r)

such that:

• vk∗ ≈ vk

• skx∗ allows signing M ’s with M(x∗) = 0

• given r, hard to forge σ on M with M(x∗) = 1

Construction from: commitment, PRF, SNARK

Thank you!

(and thanks to Hamza Abusalah for letting me reuse his slides)