Abstract
A constrained pseudorandom function (PRF) behaves like a standard PRF, but with the added feature that the (master) secret key holder, having secret key K, can produce a constrained key, \(K_f\), that allows for the evaluation of the PRF on a subset of the domain as determined by a predicate function f within some family \(\mathcal {F}\). While previous constructions gave constrained PRFs for poly-sized circuits, all reductions for such functionality were based on the selective model of security, where an attacker declares which point he is attacking before seeing any constrained keys.
In this paper we give new constrained PRF constructions for arbitrary circuits in the random oracle model based on indistinguishability obfuscation. Our solution is constructed from two recently emerged primitives: an adaptively secure Attribute-Based Encryption (ABE) for circuits and a Universal Sampler Scheme as introduced by Hofheinz et al. Both primitives are constructible from indistinguishability obfuscation (\(i\mathcal {O}\)) (and injective pseudorandom generators) with only polynomial loss.
Supported by NSF CNS-0952692, CNS-1228599 and CNS-1414082, DARPA through the U.S. Office of Naval Research under Contract N00014-11-1-0382, a Google Faculty Research Award, the Alfred P. Sloan Fellowship, a Microsoft Faculty Fellowship, and a Packard Foundation Fellowship.
Notes
1. In fact, for many classes of allowed constraining predicates, \(A\) can easily ask for constrained keys that, taken together, allow one to evaluate \(F(K,\cdot )\) everywhere except on \(x^*\). For instance, in our case, \(A\) could ask for all keys \(K_{f_i}\) with \(f_i(x)=1\Leftrightarrow x_i=1-x^*_i\). Hence, in this case, the simulation must fail already whenever \(|\mathcal {C}|\ge 2\).
2. More specifically, we present a construction for polynomial-sized circuits of any a priori bounded depth.
3. The construction is actually for Functional Encryption, which implies ABE.
4. We use the convention that the master secret key can decrypt all honestly generated ABE ciphertexts. Alternatively, one could generate a secret key for a circuit that always outputs 1 and use this to decrypt.
5. Note that the value \(\ell _{\mathrm {ckt}}\) required by the universal sampler scheme is determined by the ABE scheme: it depends on the size of the encryption circuit \(\mathsf {ABE.enc}\) and the length of \(\mathsf {pk}_{\mathsf {ABE}}\).
6. Recall that \(\mathsf {ABE.dec}(\mathsf {msk}_{\mathsf {ABE}}, \mathsf {ABE.enc}(\mathsf {pk}_{\mathsf {ABE}}, m, x))\) outputs m, and so does \(\mathsf {ABE.dec}(\mathsf {sk}_C, \mathsf {ABE.enc}(\mathsf {pk}_{\mathsf {ABE}}, m, x))\) if \(C(x)=1\).
7. Recall that \(O(d^*) = \alpha \) and \(\mathsf {ABE.dec}(\mathsf {msk}_{\mathsf {ABE}}, \alpha ) = \beta \).
8. The definition in [19] only requires this probability to be negligible in \(\lambda \). However, the construction actually achieves zero probability of Honest Sample Violation. Hence, for simplicity of our proof, we use this definition.
9. This assumption can be justified by the use of an appropriate pseudorandom generator that maps \(\ell _{\mathrm {rnd}}\) bits to the required length.
10. We can assume this holds, since given \(\mathsf {msk}_{\mathsf {ABE}}\), one can compute a secret key \(\mathsf {sk}\) for the circuit \(C_{\mathrm {all}}\) that accepts all inputs, and then use \(\mathsf {sk}\) to decrypt \(\mathsf {ABE.enc}(\mathsf {pk}_{\mathsf {ABE}}, m, x)\).
References
1. Agrawal, S., Koppula, V., Waters, B.: Impossibility of simulation secure functional encryption even with random oracles. Cryptology ePrint Archive, Report 2016/959 (2016)
2. Ananth, P., Brakerski, Z., Segev, G., Vaikuntanathan, V.: From selective to adaptive security in functional encryption. In: CRYPTO 2015, Part II, Santa Barbara, CA, USA, 16–20 August 2015, pp. 657–677 (2015)
3. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security (CCS) 1993, pp. 62–73 (1993)
4. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: EUROCRYPT 2004, Interlaken, Switzerland, 2–6 May 2004, pp. 223–238 (2004)
5. Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: ASIACRYPT 2013, pp. 280–300 (2013)
6. Boneh, D., Zhandry, M.: Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. In: CRYPTO 2014 (2014)
7. Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: PKC 2014, Buenos Aires, Argentina, 26–28 March 2014, pp. 501–519 (2014)
8. Brakerski, Z., Vaikuntanathan, V.: Constrained key-homomorphic PRFs from standard lattice assumptions, or: how to secretly embed a circuit in your PRF. In: TCC 2015, Part II, Warsaw, Poland, 23–25 March 2015, pp. 1–30 (2015)
9. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited (preliminary version). In: STOC 1998, pp. 209–218 (1998)
10. Coron, J.-S.: Optimal security proofs for PSS and other signature schemes. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 272–287. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_18
11. Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: CRYPTO 2013, Part I, Santa Barbara, CA, USA, 18–22 August 2013, pp. 476–493 (2013)
12. Fuchsbauer, G., Konstantinov, M., Pietrzak, K., Rao, V.: Adaptive security of constrained PRFs. In: ASIACRYPT 2014, Part II, Kaoshiung, Taiwan, R.O.C., 7–11 December 2014, pp. 82–101 (2014)
13. Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_1
14. Garg, S., Gentry, C., Halevi, S., Sahai, A., Waters, B.: Attribute-based encryption for circuits from multilinear maps. In: CRYPTO 2013, Part II, Santa Barbara, CA, USA, 18–22 August 2013, pp. 479–499 (2013)
15. Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Fully secure attribute based encryption from multilinear maps. Cryptology ePrint Archive, Report 2014/622 (2014). http://eprint.iacr.org/
16. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: FOCS 1984, pp. 464–479 (1984)
17. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: STOC 2013 (2013)
18. Goyal, R., Goyal, V.: Overcoming cryptographic impossibility results using blockchains. In: TCC 2017, Part I, Baltimore, MD, USA, 12–15 November 2017, pp. 529–561 (2017)
19. Hofheinz, D., Jager, T., Khurana, D., Sahai, A., Waters, B., Zhandry, M.: How to generate and use universal parameters. In: ASIACRYPT 2016 (2016)
20. Hofheinz, D., Jager, T., Knapp, E.: Waters signatures with optimal security reduction. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 66–83. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_5
21. Hohenberger, S., Koppula, V., Waters, B.: Adaptively secure puncturable pseudorandom functions in the standard model. In: ASIACRYPT 2015, Part I, Auckland, New Zealand, 29 November–3 December 2015, pp. 79–102 (2015)
22. Kaliski, B., Staddon, J.: PKCS #1: RSA cryptography specifications version 2.0 (1998)
23. Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: ACM Conference on Computer and Communications Security (CCS) 2013, pp. 669–684 (2013)
24. Lewko, A.B., Waters, B.: Why proving HIBE systems secure is difficult. In: EUROCRYPT 2014, Copenhagen, Denmark, 11–15 May 2014, pp. 58–76 (2014)
25. Liu, Q., Zhandry, M.: Decomposable obfuscation: a framework for building applications of obfuscation from polynomial hardness. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 138–169. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_6
26. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC 2005, Baltimore, MD, USA, 22–24 May 2005, pp. 84–93 (2005)
27. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27
28. Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: STOC 2014, pp. 475–484 (2014)
29. U.S. Department of Commerce/National Institute of Standards and Technology: Digital Signature Standard (DSS). Federal Information Processing Standards Publication 186-4 (2013)
30. Waters, B.: A punctured programming approach to adaptively secure functional encryption. In: CRYPTO 2015, Part II, Santa Barbara, CA, USA, 16–20 August 2015, pp. 678–697 (2015)
A Preliminaries Continued
A.1 Universal Samplers
In a recent work, Hofheinz et al. [19] introduced the notion of universal samplers. Intuitively, a universal sampler scheme provides a concise way to sample pseudorandomly from arbitrary distributions. More formally, a universal sampler scheme \(\mathcal {U}\), parameterized by polynomials \(\ell _{\mathrm {ckt}}, \ell _{\mathrm {inp}}\) and \(\ell _{\mathrm {out}}\), consists of algorithms \(\mathsf {US.setup}\) and \(\mathsf {US.sample}\) defined below.
- \(\mathsf {US.setup}({1^{\lambda }})\) takes as input the security parameter \(\lambda \) and outputs the sampler parameters U.
- \(\mathsf {US.sample}(U, d)\) is a deterministic algorithm that takes as input the sampler parameters U and a circuit d of size at most \(\ell _{\mathrm {ckt}}\) bits. The circuit d takes as input \(\ell _{\mathrm {inp}}\) bits and outputs \(\ell _{\mathrm {out}}\) bits. The output of \(\mathsf {US.sample}\) also consists of \(\ell _{\mathrm {out}}\) bits.
Intuitively, \(\mathsf {US.sample}\) is supposed to sample from \(d\), in the sense that it outputs a value \(d(z)\) for pseudorandom and hidden random coins \(z\). However, it is nontrivial to define what it means that the random coins \(z\) are hidden, and that even multiple outputs (for adversarially and possibly even adaptively chosen circuits \(d\)) look pseudorandom.
Hofheinz et al. [19] formalize security by mandating that \(\mathsf {US.sample}\) is programmable in the random oracle model. In particular, there should be an efficient way to simulate \(U\) and the random oracle, such that \(\mathsf {US.sample}\) outputs an externally given value that is honestly sampled from \(d\). This programming should work even for arbitrarily many \(\mathsf {US.sample}\) outputs for adversarially chosen inputs \(d\) simultaneously, and it should be indistinguishable from a real execution of \(\mathsf {US.setup}\) and \(\mathsf {US.sample}\).
In this work, we will be using a universal sampler scheme that is even adaptively secure. In order to formally define adaptive security for universal samplers, let us first define the notion of an admissible adversary \(\mathcal {A}\).
An admissible adversary \(\mathcal {A}\) is defined to be an efficient interactive Turing Machine that outputs one bit, with the following input/output behavior:
- \(\mathcal {A}\) takes as input the security parameter \(\lambda \) and sampler parameters U.
- \(\mathcal {A}\) can send a random oracle query \((\mathsf {RO}, x)\), and receives the output of the random oracle on input x.
- \(\mathcal {A}\) can send a message of the form \((\mathsf {params}, d)\) where \(d \in \mathcal {C}[\ell _{\mathrm {ckt}}, \ell _{\mathrm {inp}}, \ell _{\mathrm {out}}]\). Upon sending this message, \(\mathcal {A}\) is required to honestly compute \(p_d = \mathsf {US.sample}(U,d)\), making use of any additional random oracle queries, and \(\mathcal {A}\) appends \((d, p_d)\) to an auxiliary tape (this is required to check for Honest Sample Violation in the Ideal experiment).
Let \(\mathsf {SimUGen}\) and \(\mathsf {SimRO}\) be PPT algorithms. Consider the following two experiments:
\(\mathsf {Real}^{\mathcal {A}}({1^{\lambda }})\):
1. The random oracle \(\mathsf {RO}\) is implemented by assigning random outputs to each unique query made to \(\mathsf {RO}\).
2. \(U \leftarrow \mathsf {US.setup}^{\mathsf {RO}}({1^{\lambda }})\).
3. \(\mathcal {A}({1^{\lambda }},U)\) is executed, where every random oracle query, represented by a message of the form \((\mathsf {RO},x)\), receives the response \(\mathsf {RO}(x)\).
4. Upon termination of \(\mathcal {A}\), the output of the experiment is the final output of the execution of \(\mathcal {A}\).
\(\mathsf {Ideal}^{\mathcal {A}}_{\mathsf {SimUGen}, \mathsf {SimRO}}({1^{\lambda }})\):
1. A truly random function F that maps \(\ell _{\mathrm {ckt}}\) bits to \(\ell _{\mathrm {inp}}\) bits is implemented by assigning random \(\ell _{\mathrm {inp}}\)-bit outputs to each unique query made to F. Throughout this experiment, a Samples Oracle O is implemented as follows: on input d, where \(d \in \mathcal {C}[\ell _{\mathrm {ckt}}, \ell _{\mathrm {inp}}, \ell _{\mathrm {out}}]\), O outputs d(F(d)).
2. \((U,\tau ) \leftarrow \mathsf {SimUGen}({1^{\lambda }})\). Here, \(\mathsf {SimUGen}\) can make arbitrary queries to the Samples Oracle O.
3. \(\mathcal {A}({1^{\lambda }},U)\) and \(\mathsf {SimRO}(\tau )\) begin simultaneous execution.
   - Whenever \(\mathcal {A}\) sends a message of the form \((\mathsf {RO}, x)\), this is forwarded to \(\mathsf {SimRO}\), which produces a response to be sent back to \(\mathcal {A}\).
   - \(\mathsf {SimRO}\) can make any number of queries to the Samples Oracle O.
   - Finally, after \(\mathcal {A}\) sends any message of the form \((\mathsf {params},d)\), the auxiliary tape of \(\mathcal {A}\) is examined until an entry of the form \((d,p_d)\) is added to it. At this point, if \(p_d\) is not equal to d(F(d)), then the experiment aborts, resulting in an Honest Sample Violation.
4. Upon termination of \(\mathcal {A}\), the output of the experiment is the final output of the execution of \(\mathcal {A}\).
Definition 2
A universal sampler scheme, parameterized by polynomials \(\ell _{\mathrm {ckt}}, \ell _{\mathrm {inp}}\) and \(\ell _{\mathrm {out}}\), is said to be adaptively secure in the random oracle model if there exist PPT algorithms \(\mathsf {SimUGen}\) and \(\mathsf {SimRO}\) such that for all admissible PPT adversaries \(\mathcal {A}\), the following hold (Footnote 8):
and
Hofheinz et al. [19] construct a universal sampler scheme that is adaptively secure in the random oracle model, assuming a secure indistinguishability obfuscator, a selectively secure puncturable PRF and an injective pseudorandom generator.
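The Ideal experiment above is easy to misread, so the following Python model is added here as an illustration (it is not code from this paper or from [19]). It implements only the experiment's bookkeeping: a lazily sampled random function F, the Samples Oracle O(d) = d(F(d)), and the Honest Sample Violation check over an adversary's auxiliary tape. The byte lengths L_CKT, L_INP and L_OUT and the two circuits are assumptions chosen for the example; no universal sampler, obfuscator or random oracle is implemented, so the code says nothing about security, only about what the experiment checks.

```python
import hashlib
import secrets
from typing import Callable, Dict, List, Tuple

# Toy sizes standing in for the polynomials l_ckt, l_inp, l_out (assumed for
# this example, not the paper's values): a circuit description is at most
# L_CKT bytes, the circuit reads L_INP bytes of coins and returns L_OUT bytes.
L_CKT = 64
L_INP = 16
L_OUT = 32

# A circuit d is modelled as (description, function).  The description is the
# canonical encoding the random function F is keyed on: two queries with the
# same encoding are the same circuit and must receive the same coins.
Circuit = Tuple[bytes, Callable[[bytes], bytes]]


class SamplesOracle:
    """Samples Oracle O of step 1 of the Ideal experiment: O(d) = d(F(d)),
    where F is a truly random function from circuit descriptions to L_INP-byte
    coins, realised lazily (coins are drawn on first use and then fixed)."""

    def __init__(self) -> None:
        self._table: Dict[bytes, bytes] = {}

    def coins(self, desc: bytes) -> bytes:
        """F(d).  Only the oracle itself ever reads this table."""
        if len(desc) > L_CKT:
            raise ValueError("circuit description longer than l_ckt")
        if desc not in self._table:
            self._table[desc] = secrets.token_bytes(L_INP)
        return self._table[desc]

    def sample(self, d: Circuit) -> bytes:
        desc, fn = d
        out = fn(self.coins(desc))
        if len(out) != L_OUT:
            raise ValueError("circuit output is not l_out bytes")
        return out


def honest_sample_violation(oracle: SamplesOracle,
                            tape: List[Tuple[Circuit, bytes]]) -> bool:
    """Abort rule of step 3: the experiment ends in an Honest Sample Violation
    iff some tape entry (d, p_d) has p_d != d(F(d))."""
    return any(p_d != oracle.sample(d) for d, p_d in tape)


# Two constructed example circuits.  d_hash derives a 32-byte key from its
# coins; d_dup is a circuit whose output exposes the coins themselves.
def d_hash(z: bytes) -> bytes:
    return hashlib.sha256(b"derive-key|" + z).digest()


def d_dup(z: bytes) -> bytes:
    return z + z


D_HASH: Circuit = (b"sha256(derive-key|z)", d_hash)
D_DUP: Circuit = (b"z||z", d_dup)


def run_ideal_bookkeeping() -> Tuple[bool, bool, bool]:
    """Exercise the oracle: (1) repeated queries for one circuit return the same
    sample, (2) a tape whose entries agree with O is accepted, (3) a tape with
    one tampered entry triggers the violation."""
    oracle = SamplesOracle()
    same = oracle.sample(D_HASH) == oracle.sample(D_HASH)
    honest_tape = [(D_HASH, oracle.sample(D_HASH)), (D_DUP, oracle.sample(D_DUP))]
    accepted = not honest_sample_violation(oracle, honest_tape)
    first = honest_tape[0][1]
    tampered = bytes([first[0] ^ 1]) + first[1:]          # flip one bit of p_d
    rejected = honest_sample_violation(oracle, [(D_HASH, tampered)] + honest_tape[1:])
    return same, accepted, rejected


if __name__ == "__main__":
    print(run_ideal_bookkeeping())   # (True, True, True)
```

Two points the code makes concrete: a circuit's coins are fixed at its first query, so O always returns the same sample for the same circuit description (this is what makes it possible for \(\mathsf {US.sample}\) to be deterministic); and for a circuit such as D_DUP the sample exposes F(d) itself, while the definition still hands \(\mathsf {SimRO}\) only the oracle O and never F.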
A.2 Attribute Based Encryption
An attribute based encryption scheme \(\mathsf {ABE}\) for a circuit family \(\mathcal {F}\) with message space \(\mathcal {M}\) and attribute space \(\mathcal {X}\) consists of algorithms \(\mathsf {ABE.setup}\), \(\mathsf {ABE.keygen}\), \(\mathsf {ABE.enc}\) and \(\mathsf {ABE.dec}\) defined below.
- \(\mathsf {ABE.setup}({1^{\lambda }})\) is a PPT algorithm that takes as input the security parameter and outputs the public key \(\mathsf {pk}_{\mathsf {ABE}}\) and the master secret key \(\mathsf {msk}_{\mathsf {ABE}}\).
- \(\mathsf {ABE.keygen}(\mathsf {msk}_{\mathsf {ABE}}, C)\) is a PPT algorithm that takes as input the master secret key \(\mathsf {msk}_{\mathsf {ABE}}\) and a circuit \(C \in \mathcal {F}\), and outputs a secret key \(\mathsf {sk}_{C}\) for circuit C.
- \(\mathsf {ABE.enc}(\mathsf {pk}_{\mathsf {ABE}}, m, x)\) takes as input a public key \(\mathsf {pk}_{\mathsf {ABE}}\), a message \(m \in \mathcal {M}\) and an attribute \(x\in \mathcal {X}\), and outputs a ciphertext \(c\). We will assume the encryption algorithm takes \(\ell _{\mathrm {rnd}}\) bits of randomness (Footnote 9). The notation \(\mathsf {ABE.enc}(\mathsf {pk}_{\mathsf {ABE}}, m, x; r)\) is used to represent the randomness r used by \(\mathsf {ABE.enc}\).
- \(\mathsf {ABE.dec}(\mathsf {sk}_C, c)\) takes as input a secret key \(\mathsf {sk}_C\) and a ciphertext \(c\), and outputs \(y \in \mathcal {M}\cup \{\perp \}\).
Correctness. For any circuit \(C\in \mathcal {F}\), \((\mathsf {pk}_{\mathsf {ABE}}, \mathsf {msk}_{\mathsf {ABE}}) \leftarrow \mathsf {ABE.setup}({1^{\lambda }})\), \(\mathsf {sk}_C \leftarrow \mathsf {ABE.keygen}(\mathsf {msk}_{\mathsf {ABE}}, C)\), message \(m \in \mathcal {M}\) and attribute \(x\in \mathcal {X}\) such that \(C(x) = 1\), we require the following (as also recalled in Footnote 6): \(\mathsf {ABE.dec}(\mathsf {sk}_C, \mathsf {ABE.enc}(\mathsf {pk}_{\mathsf {ABE}}, m, x)) = m\).
For simplicity of notation, we will assume \(\mathsf {ABE.dec}(\mathsf {msk}_{\mathsf {ABE}}, \mathsf {ABE.enc}(\mathsf {pk}_{\mathsf {ABE}}, m, x)) = m\) for all messages m and attributes x (Footnote 10).
Security. Security for an ABE scheme is defined via the following adaptive security game between a challenger and adversary \(\mathsf {Att}\).
1. Setup Phase. The challenger chooses \((\mathsf {pk}_{\mathsf {ABE}}, \mathsf {msk}_{\mathsf {ABE}}) \leftarrow \mathsf {ABE.setup}({1^{\lambda }})\) and sends \(\mathsf {pk}_{\mathsf {ABE}}\) to \(\mathsf {Att}\).
2. Pre-Challenge Phase. The challenger receives multiple secret key queries. For each \(C \in \mathcal {F}\) queried, it computes \(\mathsf {sk}_C \leftarrow \mathsf {ABE.keygen}(\mathsf {msk}_{\mathsf {ABE}}, C)\) and sends \(\mathsf {sk}_C\) to \(\mathsf {Att}\).
3. Challenge. \(\mathsf {Att}\) sends messages \(m_0, m_1 \in \mathcal {M}\) and an attribute \(x \in \mathcal {X}\) such that \(C(x) = 0\) for all circuits C queried during the Pre-Challenge Phase. The challenger chooses \(b\leftarrow \{0,1\}\), computes \(c \leftarrow \mathsf {ABE.enc}(\mathsf {pk}_{\mathsf {ABE}}, m_b, x)\) and sends \(c\) to \(\mathsf {Att}\).
4. Post-Challenge Phase. \(\mathsf {Att}\) sends multiple secret key queries \(C \in \mathcal {F}\) as in the Pre-Challenge Phase, but with the added restriction that \(C(x)=0\). It receives \(\mathsf {sk}_{C} \leftarrow \mathsf {ABE.keygen}(\mathsf {msk}_{\mathsf {ABE}}, C)\).
5. Guess. Finally, \(\mathsf {Att}\) outputs its guess \(b'\).
\(\mathsf {Att}\) wins the ABE security game for scheme \(\mathsf {ABE}\) if \(b=b'\). Let \(\mathsf {Adv}_{\mathsf {Att}}^{\mathsf {ABE}} = \Big | \Pr [\mathsf {Att}\text { wins}] - 1/2 ~ \Big |\).
Definition 3
An ABE scheme \(\mathsf {ABE}= (\mathsf {ABE.setup}\), \(\mathsf {ABE.keygen}\), \(\mathsf {ABE.enc}\), \(\mathsf {ABE.dec})\) is said to be adaptively secure if for all PPT adversaries \(\mathsf {Att}\), \(\mathsf {Adv}_{\mathsf {Att}}^{\mathsf {ABE}} \le \textit{negl}(\lambda )\).
In a recent work, Waters [30] showed a construction for an adaptively secure functional encryption scheme, using indistinguishability obfuscation. An adaptively secure functional encryption scheme implies an adaptively secure attribute based encryption scheme. Garg, Gentry, Halevi and Zhandry [15] showed a direct construction based on multilinear encodings. Ananth, Brakerski, Segev and Vaikuntanathan [2] showed how to transform any selectively secure FE scheme to achieve adaptive security.
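The restriction \(C(x)=0\) in the Challenge and Post-Challenge phases is exactly what footnote 1 exploits. The Python model below is an added illustration, not the paper's code: it keeps the challenger's bookkeeping for the game (no encryption is performed, so it is not an ABE scheme), builds footnote 1's key family \(f_i(x)=1 \Leftrightarrow x_i = 1-x^*_i\), and checks by exhaustion over \(\{0,1\}^n\) that these keys together cover every point except \(x^*\), so that \(x^*\) is the only admissible challenge attribute. Attributes are modelled as bit tuples; the class and function names are this example's own.

```python
import itertools
from typing import Callable, List, Optional, Tuple

Attr = Tuple[int, ...]               # attribute / PRF input x in {0,1}^n
Policy = Callable[[Attr], bool]      # circuit C; C(x) = 1 means sk_C decrypts at x


class AbeGameChallenger:
    """Bookkeeping of the adaptive ABE game of Sect. A.2 (no cryptography):
    records every key query and enforces that all keys issued before or after
    the challenge satisfy C(x) = 0 on the challenge attribute x."""

    def __init__(self) -> None:
        self.issued: List[Policy] = []
        self.x: Optional[Attr] = None

    def keygen(self, C: Policy) -> Policy:
        # Post-challenge restriction: a key with C(x) = 1 is refused.
        if self.x is not None and C(self.x):
            raise PermissionError("post-challenge key query with C(x) = 1")
        self.issued.append(C)
        return C                      # stands in for sk_C <- ABE.keygen(msk, C)

    def admissible(self, x: Attr) -> bool:
        """A challenge attribute must be rejected by every key issued so far."""
        return not any(C(x) for C in self.issued)

    def challenge(self, x: Attr) -> None:
        if self.x is not None:
            raise RuntimeError("only one challenge is allowed")
        if not self.admissible(x):
            raise PermissionError("an issued key decrypts at the challenge attribute")
        self.x = x


def bit_flip_keys(x_star: Attr) -> List[Policy]:
    """Footnote 1's key queries: f_i(x) = 1 iff x_i = 1 - x*_i, one per bit."""
    return [(lambda x, i=i: x[i] == 1 - x_star[i]) for i in range(len(x_star))]


def uncovered_points(keys: List[Policy], n: int) -> List[Attr]:
    """Points of {0,1}^n at which no key evaluates, i.e. f_i(x) = 0 for all i."""
    return [x for x in itertools.product((0, 1), repeat=n)
            if not any(f(x) for f in keys)]


def footnote1_scenario(x_star: Attr) -> Tuple[List[Attr], bool, int]:
    """Run footnote 1's adversary against the challenger: request all n bit-flip
    keys in the Pre-Challenge Phase, then challenge at x*.  Returns the points
    the keys leave uncovered, whether x* was accepted as the challenge, and how
    many other points would have been admissible instead."""
    n = len(x_star)
    game = AbeGameChallenger()
    keys = [game.keygen(f) for f in bit_flip_keys(x_star)]
    uncovered = uncovered_points(keys, n)
    others_admissible = sum(
        1 for x in itertools.product((0, 1), repeat=n)
        if x != x_star and game.admissible(x))
    game.challenge(x_star)            # accepted, since every f_i(x*) = 0
    return uncovered, game.x == x_star, others_admissible


if __name__ == "__main__":
    print(footnote1_scenario((1, 0, 1, 1)))   # ([(1, 0, 1, 1)], True, 0)
```

The point of the run is the combination of the two results: the n keys are all admissible against \(x^*\), yet they let their holder evaluate at every other point of the domain. A simulator that has committed to hiding the challenge anywhere other than \(x^*\) is therefore caught by a key the adversary legitimately holds, which is why footnote 1 concludes that the simulation must fail once \(|\mathcal {C}|\ge 2\).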
Copyright information
© 2019 International Financial Cryptography Association
Cite this paper
Hofheinz, D., Kamath, A., Koppula, V., Waters, B. (2019). Adaptively Secure Constrained Pseudorandom Functions. In: Goldberg, I., Moore, T. (eds) Financial Cryptography and Data Security. FC 2019. Lecture Notes in Computer Science, vol 11598. Springer, Cham. https://doi.org/10.1007/978-3-030-32101-7_22
DOI: https://doi.org/10.1007/978-3-030-32101-7_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-32100-0
Online ISBN: 978-3-030-32101-7