Efficient Quantum-Safe Distributed PRF and Applications: Playing DiSE in a Quantum World

Abstract

We propose the first distributed version of a simple, efficient, and provably quantum-safe pseudorandom function (PRF). The distributed PRF (DPRF) supports arbitrary threshold access structures based on the hardness of the well-studied Learning with Rounding (LWR) problem. Our construction (abbreviated as \(\textsf{PQDPRF}\)) practically outperforms not only existing constructions of DPRF based on lattice-based assumptions, but also outperforms (in terms of evaluation time) existing constructions of: (i) classically secure DPRFs based on discrete-log hard groups, and (ii) quantum-safe DPRFs based on any generic quantum-safe PRF (e.g. AES). The efficiency of \(\textsf{PQDPRF}\) stems from the extreme simplicity of its construction, consisting of a simple inner product computation over \(\mathbb {Z}_q\), followed by a rounding to a smaller modulus \(p < q\). The key technical novelty of our proposal lies in our proof technique, where we prove the correctness and post-quantum security of \(\textsf{PQDPRF}\) (against semi-honest corruptions of any less than threshold number of parties) for a polynomial q/p (equivalently, “modulus to modulus”)-ratio.

Our proposed DPRF construction immediately enables efficient yet quantum-safe instantiations of several practical applications, including key distribution centers, distributed coin tossing, long-term encryption of information, etc. We showcase a particular application of \(\textsf{PQDPRF}\) in realizing an efficient yet quantum-safe version of distributed symmetric-key encryption (\(\textsf{DiSE}\) – originally proposed by Agrawal et al. in CCS 2018), which we call \(\mathsf {PQ-DiSE}\). For semi-honest adversarial corruptions across a wide variety of corruption thresholds, \(\mathsf {PQ-DiSE}\) substantially outperforms existing instantiations of \(\textsf{DiSE}\) based on discrete-log hard groups and generic PRFs (e.g. AES). We illustrate the practical efficiency of our \(\textsf{PQDPRF}\) via prototype implementation of \(\mathsf {PQ-DiSE}\).

A Generalised (t, T)-Threshold PRF

1.1 A.1 Proof of Correctness and Consistency

Correctness of \(\mathsf {PQDPRF_{t,T}}\) can be proved essentially in the same way as of \(\mathsf {PQDPRF_{T,T}}\), which in turn implies its consistency. Let \(\mathcal {P}=\{P_i\}_{i\in [T]}\) be a set of T parties, and \(\mathbb {A}_{t,T}\) be a threshold access structure defined on it. Without loss of generality let us consider \(\mathcal {P}^\prime = \{P_1,\dots ,P_{t}\}\in \mathbb {A}_{t,T}\) to be a valid t-sized subset. Clearly \(P_1\) is the group_leader of \(\mathcal {P}^\prime \). Let \(\mathcal {H}:\{0,1\}^\star \rightarrow \mathbb {Z}_q^n\) be a hash function modeled as a random oracle. Given an input \(\textbf{x}\), let us denote the direct PRF evaluation with \(f_{\textbf{k}}^{\textsf{dir}}(\textbf{x})\) and distributed PRF evaluation by t number of parties in \(\mathcal {P}^\prime \) using \(\mathsf {PQDPRF_{t,T}}\) as \(f_{\textbf{k}}^{\textsf{dist}}( \textbf{x})\). They are computed as follows.

$$ f_{\textbf{k}}^{\textsf{dir}}(\textbf{x}) = \lfloor {\langle {\mathcal {H}(\textbf{x}),\textbf{k}}\rangle }\rceil _p,\quad f_{\textbf{k}}^{\textsf{dist}}(\textbf{x}) = \lfloor {\lfloor {\langle {\mathcal {H}(\textbf{x}),\mathbf {k_1}}\rangle }\rceil _{q_1}-\sum _{i=2}^t\lfloor {\langle {\mathcal {H}(\textbf{x}),\mathbf {k_i}}\rangle }\rceil _{q_1}}\rceil _p. $$

Claim

Difference between direct PRF evaluation (\(f_{\textbf{k}}^{\textsf{dir}}(\textbf{x})\)) and distributed PRF evaluation (\(f_{\textbf{k}}^{\textsf{dist}}( \textbf{x})\)) on some input \(\textbf{x}\) is strictly upper bounded by 1, i.e.,

$$\begin{aligned} \left| f_{\textbf{k}}^{\textsf{dist}}(\textbf{x})-f_{\textbf{k}}^{\textsf{dir}}(\textbf{x})\right| < 1. \end{aligned}$$

Proof

Note that by definition of round-off operation (Sect. 2.1), for any \(y\in \mathbb {Z}_q\), we can express \(\lfloor {y}\rceil _p\) as \(\frac{p}{q}y+e\), where \(-0.5\le e < 0.5\).

We assume \(\textbf{r}=\mathcal {H}(\textbf{x})\). Now the direct evaluation can be written as,

$$ f_{\textbf{k}}^{\textsf{dir}}(\textbf{x}) = \lfloor {\langle {\textbf{r},\textbf{k}}\rangle }\rceil _p = \frac{p}{q}\langle {\textbf{r},\textbf{k}}\rangle +e^\prime , $$

where \(\left| e^\prime \right| \le 0.5\). The distributed evaluation can be expressed as,

$$\begin{aligned} f_{\textbf{k}}^{\textsf{dist}}(\textbf{x}) &= \lfloor {\lfloor {\langle {\textbf{r},\mathbf {k_1}}\rangle }\rceil _{q_1}-\sum _{i=2}^t\lfloor {\langle {\textbf{r},\mathbf {k_i}}\rangle }\rceil _{q_1}}\rceil _p\\ &= \lfloor {\langle {\textbf{r},\mathbf {k_1}}\rangle \cdot \frac{q_1}{q}+e_1 - \sum _{i=2}^t(\langle {\textbf{r},\mathbf {k_i}}\rangle \cdot \frac{q_1}{q}+e_i)}\rceil _{p}\\ &= \lfloor {\frac{q_1}{q}(\langle {\textbf{r},\mathbf {k_1}}\rangle -\sum _{i=2}^t\langle {\textbf{r},\mathbf {k_i}}\rangle )+(e_1-\sum _{i=2}^te_i)}\rceil _{p}\\ &\le \lfloor {\frac{q_1}{q}\langle {\textbf{r},\textbf{k}}\rangle +\frac{t}{2}}\rceil _{p}\\ &= \frac{p}{q_1}(\frac{q_1}{q}\langle {\textbf{r},\textbf{k}}\rangle +\frac{t}{2}) + e\\ &= \frac{p}{q}\langle {\textbf{r},\textbf{k}}\rangle +\frac{p}{q_1}\cdot \frac{t}{2} + e, \end{aligned}$$

where, each \(-0.5\le e_i < 0.5\) and \(-0.5\le e < 0.5\) due to the definition of the round-off operation. Thus,

$$f_{\textbf{k}}^{\textsf{dist}}(\textbf{x})-f_{\textbf{k}}^{\textsf{dir}}(\textbf{x}) \le \frac{p}{q_1}\cdot \frac{t}{2} + e - e^\prime \implies \left| f_{\textbf{k}}^{\textsf{dist}}(\textbf{x})-f_{\textbf{k}}^{\textsf{dir}}(\textbf{x})\right| \le \left| \frac{p}{q_1}\cdot \frac{t}{2}\right| + \left| e - e^\prime \right| . $$

We choose values of p, t and \(q_1\) such that, the quantity \(\epsilon = \frac{p}{q_1}\cdot \frac{t}{2}\) becomes sufficiently small. As \(-0.5\le e < 0.5\) and \(-0.5\le e^\prime < 0.5\), \(\left| e-e^\prime \right| < 1\) always holds true. Thus, the quantity \(\epsilon +\left| e-e^\prime \right| \) is highly unlikely to exceed 1. Hence, the difference between direct PRF evaluation and distributed PRF evaluation is strictly upper bounded by 1, i.e.,

$$\begin{aligned} \left| f_{\textbf{k}}^{\textsf{dist}}(\textbf{x})-f_{\textbf{k}}^{\textsf{dir}}(\textbf{x})\right| < 1. \end{aligned}$$

   \(\square \)

As both \(f_{\textbf{k}}^{\textsf{dist}}(\textbf{x})\) and \(f_{\textbf{k}}^{\textsf{dir}}(\textbf{x})\) are integers, we conclude that their values are same except with a negligible probability. Thus correctness of our proposed distributed PRF \(\mathsf {PQDPRF_{t,T}}\) is satisfied.

As correctness of distributed PRF implies its consistency, the proposed \(\mathsf {PQDPRF_{t,T}}\) is consistent. We can see the consistency of the proposed DPRF by a different argument as well. Let us assume two distinct valid subsets \(S_1,S_2\in \mathbb {A}_{t,T}\), such that \(f_{\textbf{k}}^{\textsf{dist}}(\textbf{x})\big |_{S_1}\) and \(f_{\textbf{k}}^{\textsf{dist}}(\textbf{x})\big |_{S_2}\) are result of DPRF evaluations computed by \(S_1\) and \(S_2\) respectively. We can write,

$$f_{\textbf{k}}^{\textsf{dist}}(\textbf{x})\big |_{S_1} = \frac{p}{q}\langle {\textbf{r},\textbf{k}}\rangle +\frac{p}{q_1}\cdot \frac{t}{2}+e_1,\qquad f_{\textbf{k}}^{\textsf{dist}}(\textbf{x})\big |_{S_2} = \frac{p}{q}\langle {\textbf{r},\textbf{k}}\rangle +\frac{p}{q_1}\cdot \frac{t}{2}+e_2,$$

so that they together imply,

$$\begin{aligned} \left| f_{\textbf{k}}^{\textsf{dist}}(\textbf{x})\big |_{S_1}-f_{\textbf{k}}^{\textsf{dist}}(\textbf{x})\big |_{S_2}\right| =\left| e_1-e_2\right| . \end{aligned}$$

Now as \(-0.5\le e_1 < 0.5\) and \(-0.5\le e_2 < 0.5\), \(\left| e_1-e_2\right| <1\) always holds true. And both \(f_{\textbf{k}}^{\textsf{dist}}(\textbf{x})\big |_{S_1}\) and \(f_{\textbf{k}}^{\textsf{dist}}(\textbf{x})\big |_{S_2}\) being integral values, they always evaluate to the same value.

1.2 A.2 Proof of Security

The idea of the proof remains essentially the same as of proof of security of (T, T)-distributed PRF (Sect. 3.2). However among T parties of the set \(\mathcal {P}=\{P_1,\dots ,P_T\}\), only t parties are required to collaborate to evaluate the PRF on a given input. We assume a PPT adversary \(\mathcal {A}\) which has corrupted a subset \(\mathcal {P_C}\subset \mathcal {P}\) of size \((t-1)\) and thus acquired all their key shares. We show that, even if \(\mathcal {A}\) is able to see the PRF evaluation and all the partial evaluations of the honest parties in \(\mathcal {P}\setminus \mathcal {P_C}\) for a priori bounded number of query inputs, it will not be able to distinguish output of the PRF from the output of a truly random function on a challenge input, which is essentially different from the query inputs.

Recall that, after \(\mathsf {PQDPRF_{t,T}.Setup}\), each \(P_i\in \mathcal {P}\) gets to store \(\left( {\begin{array}{c}T-1\\ t-1\end{array}}\right) \) number of secret shares, each corresponding to one of the t-sized subsets, that \(P_i\) may belong to. In each of the hybrids, if \(P_i\in \mathcal {P}\setminus \mathcal {P_C}\) is a honest party, we denote by \(\mathbf {k_i}\) its key share corresponding to the t-sized group \(\{P_i\}\bigcup \mathcal {P_C}\), and by gl, the group_leader of \(\{P_i\}\bigcup \mathcal {P_C}\).

Now we define four hybrids consisting of game between the PPT adversary \(\mathcal {A}\) and a challenger \(\mathcal {C}\) as described in the tabular forms for the ease of exposition.

Indistinguishibility Between the Hybrids

The indistinguishibility of \(\textsf{Hybrid}_3\) from \(\textsf{Hybrid}_0\) for (t, T)-distributed PRF can be proved analogously as done in Sect. 3.2 for (T, T)-distributed PRF. Please see the detailed hybrids on the next page.