Private Puncturable PRFs from Standard Lattice Assumptions

Boneh, Dan; Kim, Sam; Montgomery, Hart

doi:10.1007/978-3-319-56620-7_15

Dan Boneh¹⁵,
Sam Kim¹⁵ &
Hart Montgomery¹⁶

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10210))

Included in the following conference series:

Annual International Conference on the Theory and Applications of Cryptographic Techniques

3707 Accesses
37 Citations

Abstract

A puncturable pseudorandom function (PRF) has a master key k that enables one to evaluate the PRF at all points of the domain, and has a punctured key $k_x$ that enables one to evaluate the PRF at all points but one. The punctured key $k_x$ reveals no information about the value of the PRF at the punctured point x. Punctured PRFs play an important role in cryptography, especially in applications of indistinguishability obfuscation. However, in previous constructions, the punctured key $k_x$ completely reveals the punctured point x: given $k_x$ it is easy to determine x. A private puncturable PRF is one where $k_x$ reveals nothing about x. This concept was defined by Boneh, Lewi, and Wu, who showed the usefulness of private puncturing, and gave constructions based on multilinear maps. The question is whether private puncturing can be built from a standard (weaker) cryptographic assumption.

We construct the first privately puncturable PRF from standard lattice assumptions, namely learning with errors (LWE) and 1 dimensional short integer solutions (1D-SIS), which have connections to worst-case hardness of general lattice problems. Our starting point is the (non-private) PRF of Brakerski and Vaikuntanathan. We introduce a number of new techniques to enhance this PRF, from which we obtain a privately puncturable PRF. In addition, we also study the simulation based definition of private constrained PRFs for general circuits, and show that the definition is not satisfiable.

You have full access to this open access chapter, Download conference paper PDF

Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model

Privately Puncturing PRFs from Lattices: Adaptive Security and Collusion Resistant Pseudorandomness

Leakage-Resilient Cryptography from Puncturable Primitives and Obfuscation

Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

A pseudorandom function (PRF) [GGM86] is a function $F :\mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}$ that can be computed by a deterministic polynomial time algorithm: on input $(k,x) \in \mathcal {K}\times \mathcal {X}$ the algorithm outputs $F(k,x) \in \mathcal {Y}$. The PRF F is said to be a constrained PRF [BW13, KPTZ13, BGI14] if one can derive constrained keys from the master PRF key k. Each constrained key $k_g$ is associated with a predicate $g :\mathcal {X}\rightarrow \{0,1\}$, and this $k_g$ enables one to evaluate F(k, x) for all $x \in \mathcal {X}$ for which $g(x)=1$, but at no other points of $\mathcal {X}$. A constrained PRF is secure if given constrained keys for predicates $g_1, \ldots , g_Q$, of the adversary’s choosing, the adversary cannot distinguish the PRF from a random function at points not covered by the given keys, namely at points x where $g_1(x) = \cdots = g_Q(x) = 0$. We review the precise definition in Sect. 3.

The simplest constraint, called a puncturing constraint, is a constraint that enables one to evaluate the PRF at all points except one. For $x \in \mathcal {X}$ we denote by $k_x$ a punctured key that lets one evaluate the PRF at all points in $\mathcal {X}$, except for the punctured point x. Given the key $k_x$, the adversary should be unable to distinguish F(k, x) from a random element in $\mathcal {Y}$. Puncturable PRFs have found numerous applications in cryptography [BW13, KPTZ13, BGI14], most notably in applications of indistinguishability obfuscation ($i\mathcal {O}$) [SW14]. Note that two punctured keys, punctured at two different points, enable the evaluation of the PRF at all points in the domain $\mathcal {X}$, and are therefore equivalent to the master PRF key k. For this reason, for puncturing constraints, we are primarily interested in settings where the adversary is limited to obtaining at most a single punctured key, punctured at a point of its choice. At the punctured point, the adversary should be unable to distinguish the value of the PRF from random.

PRFs supporting puncturing constraints can be easily constructed from the tree-based PRF of [GGM86], as discussed in [BW13, KPTZ13, BGI14]. Notice, however, that a punctured key $k_x$ completely reveals what the point x is. An adversary that is given $k_x$ can easily tell where the key was punctured.

Private Puncturing. Can we construct a PRF that can be punctured privately? The adversary should learn nothing about x from the punctured key $k_x$. More generally, Boneh, Lewi, and Wu [BLW17] define private constrained PRFs, where a constrained key $k_g$ reveals nothing about the predicate g. They present applications of private constraint PRFs to constructing software watermarking [CHN+16], deniable encryption [CDNO97], searchable encryption, and more. They also construct private constrained PRFs from powerful tools, such as multilinear maps and $i\mathcal {O}$.

Several of the applications for private constraints in [BLW17] require only private puncturing. Here we describe one such application, namely the connection to distributed point functions (DPF) [GI14, BGI15] and 2-server private information retrieval (PIR) [CKGS98]. In a DPF, the key generation algorithm is given a point $x^* \in \mathcal {X}$ and outputs two keys $k_0$ and $k_1$. The two keys are equivalent, except at the point $x^*$. More precisely, $F(k_0,x) = F(k_1,x)$ for all key $x \ne x^*$ and $F(k_0,x^*) \ne F(k_1,x^*)$. A DPF is secure if given one of $k_0$ or $k_1$, the adversary learns nothing about $x^*$. In [GI14] the authors show that DPFs give a simple and efficient 2-server PIR scheme. They give an elegant DPF construction from one-way functions.

A privately puncturable PRF is also a DPF: set $k_0$ to be the master PRF key k, and set the key $k_1$ to be the punctured key $k_{x^*}$, punctured at $x^*$. The privacy property ensures that this is a secure DPF. However, there is an important difference between a DPF and a privately puncturable PRF. DPF key generation takes the punctured point $x^*$ as input, and generates the two keys $k_0,k_1$. In contrast, private puncturing works differently: one first generates the master key k, and at some time later asks for a punctured key $k_{x^*}$ at some point $x^*$. That is, the punctured point is chosen adaptively after the master key is generated. This adaptive capability gives rise to a 2-server PIR scheme that has a surprising property: one of the servers can be offline. In particular, one of the servers does its PIR computation before the PIR query is chosen, sends the result to the client, and goes offline. Later, when the client chooses the PIR query, it only talks to the second server.

Our Contribution. We construct the first privately puncturable PRF from the learning with errors problem (LWE) [Reg09] and the one-dimensional short integer solution problem (1D-SIS) [Ajt96, BV15], which are both related to worst-case hardness of general lattice problems. We give a brief overview of the construction here, and give a detailed overview in Sect. 2.

Our starting point is the elegant LWE-based PRF of Brakerski and Vaikuntanathan [BV15], which is a constrained PRF for general circuits, but is only secure if at most one constrained key is published (publishing two constrained keys reveals the master key). This PRF is not private because the constraint is part of the constrained key and is available in the clear. As a first attempt, we try to make this PRF private by embedding in the constrained key, an FHE encryption of the constraint, along with an encryption of the FHE decryption key (a similar structure is used in the predicate encryption scheme of [GVW15b]). Now the constraint is hidden, but PRF evaluation requires an FHE decryption, which is a problem. We fix this in a number of steps, as described in the next section. To prove security, we introduce an additional randomizing component as part of the FHE plaintext to embed an LWE instance in the challenge PRF evaluation.

We prove security of our private puncturable PRF in the selective setting, where the adversary commits ahead of time to the punctured point x where it will be challenged. To obtain adaptive security, where the punctured point is chosen adaptively, we use standard complexity leveraging [BB04].

In addition to our punctured PRF construction, we show in Sect. 6 that, for general function constraints, a simulation based definition of privacy is impossible. This complements [BLW17] who show that a game-based definition of privacy is achievable assuming the existence of $i\mathcal {O}$. To prove the impossibility, we show that even for a single key, a simulation-secure privately constrained PRF for general functions, implies a simulation secure functional encryption for general functions, which was previously shown to be impossible [BSW11, AGVW13].

Finally, our work raises a number of interesting open problems. First, our techniques work well to enable private puncturing, but do not seem to generalize to arbitrary circuit constraints. It would be a significant achievement if one could use LWE/SIS to construct a private constrained PRF for arbitrary circuits, even in the single-key case. Also, can we construct an LWE/SIS-based adaptively secure private puncturable PRF, without relying on complexity leveraging? We discuss these questions in more detail in Sect. 7.

1.1 Related Work

PRFs from LWE. The first PRF construction from the learning with errors assumption was given by Banerjee, Peikert, and Rosen in [BPR12]. Subsequent PRF constructions from LWE gave the first key-homomorphic PRFs [BLMR13, BP14]. The constructions of [BV15, BFP+15] generalized the previous works to the setting of constrained PRFs.

Constrained PRFs. The notion of constrained PRFs was first introduced in three independent works [BW13, KPTZ13, BGI14] and since then, there have been a number of constructions from different assumptions. We briefly survey the state of the art. The standard GGM tree [GGM86] gives PRFs for simple constraints such as prefix-fixing or puncturing [BW13, KPTZ13, BGI14]. Bilinear maps give left/right constraints but in the random oracle model [BW13]. LWE gives general circuit constraints, but only when a single constrained key is released [BV15]. Multilinear maps and indistinguishability obfuscation provide general circuit constraints, and even for constraints represented as Turing machines with unbounded inputs [BW13, BZ14, BFP+15, CRV14, AFP16, DKW16], as well as constrained verifiable random functions [Fuc14]. Several works explore how to achieve adaptive security [FKPR14, BV15, HKW15, HKKW14].

Private constrained PRFs were introduced by Boneh, Lewi, and Wu [BLW17]. They construct a privately constrained PRF for puncturing and bit-fixing constraints from multilinear maps, and for circuit constraints using indistinguishability obfuscation.

ABE and PE from LWE. The techniques used in this work build upon a series of works in the area of attribute-based encryption [SW05] and predicate encryption [BW07, KSW08] from LWE. These include constructions of [ABB10, GVW15a, BGG+14, GV15, BV16, BCTW16], and predicate encryption constructions of [AFV11, GMW15, GVW15b].^{Footnote 1}

Concurrent Work. In an independent and concurrent work, Canetti and Chen [CC17] construct a single-key privately constrained PRF for general $\text {NC}^1$ circuits from LWE. Their techniques are very different from the ones used in this work as their construction relies on instances of the graph-induced multilinear maps construction by Gentry, Gorbunov, and Halevi [GGH15] that can be reduced to LWE. They also analyze their construction with respect to a simulation-based definition. We note that the simulation-based definition that we consider in Sect. 6 is stronger than their definition and therefore, the impossibility that we show does not apply to their construction.

2 Overview of the Main Construction

In this section, we provide a general overview of our main construction. The complete construction and proof of security are provided in Sect. 5.1.

Recall that the LWE assumption states that for a uniform vector $\mathbf {s}\in \mathbb {Z}_q^n$ and a matrix $\mathbf {A}\in \mathbb {Z}_q^{n \times m}$ for an appropriately chosen n, m, q, it holds that $(\mathbf {A},\ \mathbf {s}^T \mathbf {A}+ \mathbf {e}^T)$ is indistinguishable from uniform where $\mathbf {e}$ is sampled from an appropriate low-norm error distribution. We present the outline ignoring the precise generation or evolution of $\mathbf {e}$ and just refer to it as $\mathsf {noise}$.

Embedding Circuits into Matrices. Our starting point is the single-key constrained PRF of [BV15], which builds upon the ABE construction of [BGG+14] and the PRF of [BP14]. At a high level, the ABE of [BGG+14] encodes an attribute vector $\mathbf x \in \{0,1\}^\ell $ as a vector

$$\begin{aligned} \mathbf {s}^T \big (\mathbf {A}_1 + x_1 \cdot \mathbf {G}\ | \cdots |\ \mathbf {A}_\ell + x_\ell \cdot \mathbf {G}\big ) + \mathsf {noise}\ \in \mathbb {Z}_q^{m \ell }, \end{aligned}$$

(2.1)

for public matrices $\mathbf {A}_1, \ldots , \mathbf {A}_\ell $ in $\mathbb {Z}_q^{n \times m}$, a secret random vector $\mathbf {s}$ in $\mathbb {Z}_q^n$, and a specific fixed “gadget matrix” $\mathbf {G}\in \mathbb {Z}_q^{n \times m}$. This encoding allows for fully homomorphic operations on the attributes, while keeping the noise small. In particular, given $\mathbf {x}$ and a poly-size circuit $f:\{0,1\}^\ell \rightarrow \{0,1\}$, one can compute from (2.1), the vector

$$\begin{aligned} \mathbf {s}^T \big (\mathbf {A}_f + f(\mathbf {x}) \cdot \mathbf {G}\big ) + \mathsf {noise}\ \in \mathbb {Z}_q^m \end{aligned}$$

(2.2)

where the matrix $\mathbf {A}_f$ depends only on the function f, and not on the underlying attribute $\mathbf {x}$. This implies a homomorphic operation on the matrices $\mathbf {A}_1, \ldots , \mathbf {A}_\ell $ defined as $ \mathsf {Eval}_{\mathsf {pk}}(f, \mathbf {A}_1, \ldots , \mathbf {A}_\ell ) \rightarrow \mathbf {A}_f$.

This homomorphic property leads to the following puncturable PRF. Let $\mathsf {eq}(\mathbf {x}^*, \mathbf {x})$ be the equality check circuit (represented as NAND gates) defined as follows:

$$\mathsf {eq}(\mathbf {x}^*, \mathbf {x}) = \left\{ \begin{array}{ll} 1 &{} \text {if } \mathbf {x}^*= \mathbf {x}\text {,} \\ 0 &{} \text {otherwise.} \end{array} \right. $$

For $\mathbf {x}= (x_1,\ldots ,x_\ell ) \in \{0,1\}^\ell $ define the PRF as:

$$ \mathsf {PRF}_{\mathbf {s}}(\mathbf {x}) \mathrel {\mathop :}=\lfloor \mathbf {s}^T \cdot \mathbf {A}_{\mathsf {eq}} \rceil _p \ \ \in \mathbb {Z}_p^m \quad \text {where}\quad \mathbf {A}_{\mathsf {eq}} \mathrel {\mathop :}=\mathsf {Eval}_{\mathsf {pk}}(\mathsf {eq}, \mathbf {B}_1, \ldots , \mathbf {B}_\ell , \mathbf {A}_{x_1}, \ldots , \mathbf {A}_{x_\ell }). $$

Here $\mathbf {s}\in \mathbb {Z}_q^n$ is the master secret key, and the matrices $\mathbf {A}_0, \mathbf {A}_1, \mathbf {B}_1, \ldots , \mathbf {B}_\ell $ are random public matrices in $\mathbb {Z}_q^{n \times m}$ chosen at setup. Note that $\mathbf {A}_{\mathsf {eq}}$ is a function of $\mathbf {x}$. The operation $\lfloor \cdot \rceil _p$ is component-wise rounding that maps an element in $\mathbb {Z}_q$ to an element in $\mathbb {Z}_p$ for an appropriately chosen p, where $p < q$.

Next, define the punctured key at the point $\mathbf {x}^*= (x^*_1,\ldots ,x^*_\ell ) \in \{0,1\}^\ell $ as:

$$\begin{aligned} k_{\mathbf {x}^*} = \big (\mathbf {x}^*,\quad \mathbf {s}^T\cdot \big (\mathbf {A}_0 + 0 \cdot \mathbf {G}\ |\ \mathbf {A}_1 + 1 \cdot \mathbf {G}\quad \big |\quad \mathbf {B}_1 + x^*_1 \cdot \mathbf {G}\ | \cdots |\ \mathbf {B}_\ell + x^*_\ell \cdot \mathbf {G}\big ) + \mathsf {noise}\big ). \end{aligned}$$

(2.3)

To use this key to evaluate the PRF at a point $\mathbf {x}\in \{0,1\}^\ell $, the user homomorphically evaluates the equality check circuit $\mathsf {eq}(\mathbf {x}^*,\mathbf {x})$, as in (2.2), to obtain the vector $\mathbf {s}^T \big (\mathbf {A}_\mathsf {eq}+ \mathsf {eq}(\mathbf {x}^*,\mathbf {x}) \cdot \mathbf {G}\big ) + \mathsf {noise}$. Rounding this vector gives the correct PRF value whenever $\mathsf {eq}(\mathbf {x}^*,\mathbf {x}) = 0$, namely $\mathbf {x}\ne \mathbf {x}^*$, as required. A security argument as in [BV15] proves that with some minor modifications, this PRF is a secure (non-private) puncturable PRF, assuming that the LWE problem is hard.

FHE to Hide Puncture Point. The reason why the construction above is not private is because to operate on the ABE encodings, one needs the description of the attributes. Therefore, the punctured key must include the point $\mathbf {x}^*$ in the clear, for the evaluator to run the equality check circuit on the punctured key (2.3).

Our plan to get around this limitation is to first encrypt the attributes $(x^*_1,\ldots ,x^*_\ell )$ using a fully homomorphic encryption (FHE) scheme before embedding it as the attributes. In particular, we define our punctured key to be

where $\mathsf {ct}\in \mathbb {Z}_q^z$ is an FHE encryption of the punctured point $\mathbf {x}^*$, and $\mathsf {sk}\in \mathbb {Z}_q^t$ is the FHE secret key. While it is not clear how to use this key to evaluate the PRF, at least the punctured point $\mathbf {x}^*$ is not exposed in the clear. One can show that the components of $k_{\mathbf {x}^*}$ that embed the secret key $\mathsf {sk}$ do not leak information about $\mathsf {sk}$.

Now, given $\mathbf {x}\in \{0,1\}^\ell $, one can now run the equality check operation inside the FHE ciphertext, which gives the encrypted result of the equality check circuit. The question is how the evaluator can extract this result from the ciphertext. To do this, we take advantage of another property of the underlying ABE: to homomorphically multiply two attributes, one requires knowledge of just one of the attributes, not both. This means that even without the knowledge of the FHE secret key $\mathsf {sk}$, the evaluator can compute the inner product of $\mathsf {sk}$ and $\mathsf {ct}$. Recall that for lattice-based FHE schemes (e.g., [GSW13]), the decryption operation is the rounding of the inner product of the ciphertext with the FHE secret key. This technique was also used in the lattice-based predicate encryption scheme of [GVW15b].

Rounding Away FHE Noise. The problem with the approach above is that we cannot compute the full FHE decryption. We can only compute the first decryption step, the inner product. The second step, rounding, cannot be done while keeping the FHE decryption key secret. Computing just the inner product produces the FHE plaintext, but offset by some small additive error term $e \in \mathbb {Z}_q$. More specifically, the homomorphic evaluation of $\mathsf {eq}(\mathbf {x}^*,\mathbf {x})$ followed by the inner product with $\mathsf {sk}$, results in the vector

$$\begin{aligned} \mathbf {s}^T \left( \mathbf {A}_{\mathsf {fhe},\mathsf {eq}} + \left( \frac{q}{2} \cdot \mathsf {eq}(\mathbf {x}^*, \mathbf {x}) + e \right) \cdot \mathbf {G}\right) + \mathsf {noise}\ \ \in \mathbb {Z}_q^m, \end{aligned}$$

where $\mathbf {A}_{\mathsf {fhe},\mathsf {eq}}$ is the result of homomorphically computing the FHE equality test circuit, along with the inner product with the secret key, on the public matrices. Here $e \in \mathbb {Z}_q$ is some offset term. Even when $\mathsf {eq}(\mathbf {x}^*, \mathbf {x})=0$, the rounding of this vector will not produce the correct evaluation due to this offset term e. Moreover, the term e contains information about the original plaintext and therefore, to ensure private puncturing, we must somehow allow for correct computation without revealing the actual value of e. Resolving this issue seems difficult. It is precisely the reason why the predicate encryption scheme of [GVW15b] cannot be converted to a fully-attribute hiding predicate encryption scheme (and therefore a full-fledged functional encryption scheme). However, in our context, the problem of noisy decryption has an elegant solution.

The idea is to “shorten” the vector $(\mathbf {s}^T \cdot e \cdot \mathbf {G})$ so that it is absorbed into $\mathsf {noise}$, and disappears as we round to obtain the PRF value at x. Towards this goal, we sample the secret vector $\mathbf {s}$ from the LWE noise distribution, which does not change the hardness of LWE [ACPS09]. Next, we observe that although the gadget matrix $\mathbf {G}$ is not a short matrix as a whole, it does contain a number of short column vectors. For instance, a subset of the columns vectors of the gadget matrix consist of elementary basis vectors $\mathbf {u}_i \in \mathbb {Z}_q^n$ with the ith entry set to 1 and the rest set to 0. More precisely, for $1 \le i \le n$, let the vector $\mathbf {v}_i \in \mathbb {Z}_q^m$ be an m dimensional basis vectors with its $i \cdot \lfloor \log q - 1 \rfloor $th entry set to 1 and the rest set to 0. Then, $\mathbf {G}\cdot \mathbf {v}_i = \mathbf {u}_i$.

With this observation, we can simply define the PRF with respect to these short column positions in the gadget matrix. For instance, consider defining the PRF with respect to the first column position as follows

$$ \mathsf {PRF}_\mathbf {s}(\mathbf {x}) := \lfloor \mathbf {s}^T \cdot \mathbf {A}_{\mathsf {fhe},\mathsf {eq}} \cdot \mathbf {v}_1 \rceil _p \ \ \in \mathbb {Z}_p.$$

Since we are simply taking the first component of a pseudorandom vector, this does not change the pseudorandomness property of the PRF (to adversaries without a constrained key). However, for the evaluation with the punctured key, this allows the FHE error term to be “merged” with $\mathsf {noise}$

$$\begin{aligned} \left( \mathbf {s}^T \right.&\left. \left( \mathbf {A}_{\mathsf {fhe}, \mathsf {eq}} + \left( \frac{q}{2} \cdot \mathsf {eq}(\mathbf {x}^*, \mathbf {x}) + e \right) \cdot \mathbf {G}\right) + \mathsf {noise}\right) \mathbf {v}_1 \\&= \mathbf {s}^T \mathbf {A}_{\mathsf {fhe},\mathsf {eq}} \mathbf {v}_1 + \mathbf {s}^T \left( \frac{q}{2} \cdot \mathsf {eq}(\mathbf {x}^*, \mathbf {x}) + e \right) \mathbf {u}_1 + \mathsf {noise}'\\&= \mathbf {s}^T \mathbf {A}_{\mathsf {fhe},\mathsf {eq}} \mathbf {v}_1 + \left( \frac{q}{2} \cdot \mathsf {eq}(\mathbf {x}^*, \mathbf {x}) + e \right) \left\langle \mathbf {s}, \mathbf {u}_1 \right\rangle + \mathsf {noise}' \\&= \mathbf {s}^T \mathbf {A}_{\mathsf {fhe},\mathsf {eq}} \mathbf {v}_1 + \frac{q}{2} \cdot \mathsf {eq}(\mathbf {x}^*,\mathbf {x}) \left\langle \mathbf {s}, \mathbf {u}_1 \right\rangle + \underbrace{e \cdot \left\langle \mathbf {s}, \mathbf {u}_1 \right\rangle + \mathsf {noise}'}_{\text {short}}. \end{aligned}$$

When $\mathsf {eq}(\mathbf {x}^*,\mathbf {x})=0$, then the rounding of the vector above results in the correct PRF evaluation since the final noise $e \cdot \left\langle \mathbf {s}, \mathbf {u}_1 \right\rangle + \mathsf {noise}'$ is small and will disappear with the rounding.

Pseudorandomness at Punctured Point. The remaining problem is to make the PRF evaluation at the punctured point look random to an adversary who only holds a punctured key. Note that if the adversary evaluates the PRF at the punctured point $x^*$ using its punctured key, the result is the correct PRF output, but offset by the term $(\frac{q}{2} + e) \cdot s_1 + \mathsf {noise}'$, which is clearly distinguishable from random. To fix this, we make the following modifications. First, we include a uniformly generated vector $\mathbf {w}= (w_1, \ldots , w_n) \in \mathbb {Z}_q^n$ as part of the public parameters. Then, we modify the FHE homomorphic operation such that after evaluating the equality check circuit, we multiply the resulting message with one of the $w_i$’s such that decryption outputs $w_i \cdot \mathsf {eq}(\mathbf {x}^*, \mathbf {x}) + e$, instead of $\frac{q}{2} \cdot \mathsf {eq}(\mathbf {x}^*, \mathbf {x}) + e$. Then, we define the PRF evaluation as the vector

$$ \mathsf {PRF}_\mathbf {s}(\mathbf {x}) = \left\lfloor \sum _i \mathbf {s}^T \cdot \mathbf {A}_{\mathsf {fhe},\mathsf {eq},i} \cdot \mathbf {v}_i \right\rceil _p .$$

where $\mathbf {v}_1, \ldots , \mathbf {v}_n \in \mathbb {Z}_q^m$ are elementary basis vectors such that $\mathbf {G}\cdot \mathbf {v}_i = \mathbf {u}_i \in \mathbb {Z}_q^n$. Here, the matrix $\mathbf {A}_{\mathsf {fhe},\mathsf {eq},i}$ represents the matrix encoding the equality check circuit operation, followed by scalar multiplication by $w_i$. Now, evaluating the PRF with the punctured key at the punctured point results in the vector

$$\begin{aligned} \sum _i \left( \mathbf {s}^T \right.&\left. \left( \mathbf {A}_{\mathsf {fhe},\mathsf {eq},i} + \left( w_i \cdot \mathsf {eq}(\mathbf {x}^*, \mathbf {x}) + e \right) \cdot \mathbf {G}\right) + \mathsf {noise}\right) \mathbf {v}_i \\&= \sum _i \mathbf {s}^T \mathbf {A}_{\mathsf {fhe},\mathsf {eq},i} \cdot \mathbf {v}_i + \sum _i \mathbf {s}^T \left( w_i \cdot \mathsf {eq}(\mathbf {x}^*, \mathbf {x}) + e_i \right) \mathbf {u}_i + \mathsf {noise}'\\&= \sum _i \mathbf {s}^T \mathbf {A}_{\mathsf {fhe},\mathsf {eq},i} \cdot \mathbf {v}_i + \sum _i ( \mathsf {eq}(\mathbf {x}^*,\mathbf {x}) + e_i) \left\langle \mathbf {s}, w_i \cdot \mathbf {u}_i \right\rangle \cdot + \mathsf {noise}'. \\&= \sum _i \mathbf {s}^T \mathbf {A}_{\mathsf {fhe},\mathsf {eq},i} \cdot \mathbf {v}_i + \mathsf {eq}(\mathbf {x}^*,\mathbf {x}) \left\langle \mathbf {s}, \mathbf {w} \right\rangle + \mathsf {noise}''. \end{aligned}$$

We note that when $\mathsf {eq}(\mathbf {x}^*,\mathbf {x}) = 1$, then the offset term is a noisy inner product on the secret vector $\mathbf {s}$. This allows us to embed an LWE sample in the offset term and show that the evaluation indeed looks uniformly random to an adversary with a punctured key.

3 Preliminaries

Basic Notations. For an integer n, we write [n] to denote the set $\{ 1, \ldots , n \}$. For a finite set S, we write $x \overset{\$}{\leftarrow }S$ to denote sampling x uniformly at random from S. We use bold lowercase letters $(e.g., \mathbf {v}, \mathbf {w})$ to denote column vectors and bold uppercase letters $(e.g., \mathbf {A}, \mathbf {B})$ to denote matrices. For a vector or matrix $\mathbf {s}, \mathbf {A}$, we use $\mathbf {s}^T, \mathbf {B}^T$ to denote their transpose. We write $\lambda $ for the security parameter. We say that a function $\epsilon (\lambda )$ is negligible in $\lambda $, if $\epsilon (\lambda ) = o(1/\lambda ^c)$ for every $c \in \mathbb {N}$, and we write $\mathsf {negl}(\lambda )$ to denote a negligible function in $\lambda $. We say that an event occurs with negligible probability if the probability of the event is $\mathsf {negl}(\lambda )$, and an event occurs with overwhelming probability if its complement occurs with negligible probability.

Rounding. For an integer $p \le q$, we define the modular “rounding” function

$$ \lfloor \cdot \rceil _p :\mathbb {Z}_q \rightarrow \mathbb {Z}_p \text { that maps } x \rightarrow \lfloor (p/q) \cdot x \rceil $$

and extend it coordinate-wise to matrices and vectors over $\mathbb {Z}_q$. Here, the operation $\lfloor \cdot \rceil $ is the rounding operation over $\mathbb {R}$.

Norm for Vectors and Matrices. Throughout this work, we will always use the infinity norm for vectors and matrices. This means that for a vector $\mathbf {x}$, the norm $\left\| \mathbf {x} \right\| $ is the maximal absolute value of an element in $\mathbf {x}$. Similarly, for a matrix $\mathbf {A}$, $\left\| \mathbf {A} \right\| $ is the maximal absolute value of any of its entries. If $\mathbf {x}$ is n-dimensional and $\mathbf {A}$ is $n \times m$, then $\left\| \mathbf {x}^T \mathbf {A} \right\| \le n \cdot \left\| \mathbf {x} \right\| \cdot \left\| \mathbf {A} \right\| $.

3.1 Private Constrained PRFs

We first review the definition of a pseudorandom function (PRF) [GGM86].

Definition 1

(Pseudorandom Function [GGM86]). Fix a security parameter $\lambda $. A keyed function $F :\mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}$ with keyspace $\mathcal {K}$, domain $\mathcal {X}$, and range $\mathcal {Y}$ is pseudorandom if for all efficient algorithms $\mathcal {A}$,

$$ \left| \Pr \left[ k \overset{\$}{\leftarrow }\mathcal {K}: \mathcal {A}^{F(k, \cdot )}(1^\lambda ) = 1 \right] \right| - \Pr \left[ f \overset{\$}{\leftarrow }\mathsf {Funcs}(\mathcal {X}, \mathcal {Y}): \mathcal {A}^{f(\cdot )}(1^\lambda ) = 1 \right] = \mathsf {negl}(\lambda ) .$$

Sometimes, a PRF is defined more naturally with respect to a pair of algorithms $\varPi _{\mathsf {PRF}} = (\mathsf {PRF.Setup}, \mathsf {PRF.Eval})$ where $\mathsf {PRF.Setup}$ is a randomized algorithm that samples the PRF key k in $\mathcal {K}$ and $\mathsf {PRF.Eval}$ computes the keyed function $F(k,\cdot )$.

In a constrained PRF [BW13, KPTZ13, BGI14], an authority with a master secret key $\mathsf {msk}$ for the PRF can create a restricted key $\mathsf {sk}_f$ associated with some function f that allows one to evaluate the PRF only at inputs $x \in \mathcal {X}$ for which $f(x) = 0$.^{Footnote 2}

Definition 2

(Constrained PRF [BW13, KPTZ13, BGI14]). A constrained PRF consists of a tuple of algorithms $\varPi _\mathsf {pPRF}= (\mathsf {cPRF.Setup}, \mathsf {cPRF.Constrain}, \mathsf {cPRF.ConstrainEval}, \mathsf {cPRF.Eval})$ over domain $\mathcal {X}$, range $\mathcal {Y}$, and circuit class $\mathcal {C}$ is defined as follows:

$\mathsf {cPRF.Setup}(1^\lambda ) \rightarrow \mathsf {msk}$: On input the security parameter $\lambda $, the setup algorithm outputs the master secret key $\mathsf {msk}$.
$\mathsf {cPRF.Constrain}(\mathsf {msk}, f) \rightarrow \mathsf {sk}_f$: On input the master secret key $\mathsf {msk}$, and a circuit $f \in \mathcal {C}$, the constrain algorithm outputs a constrained key $\mathsf {sk}_f$.
$\mathsf {cPRF.ConstrainEval}(\mathsf {sk}, x) \rightarrow y$: On input a constrained key $\mathsf {sk}$, and an input $x \in \mathcal {X}$, the puncture evaluation algorithm evaluates the PRF value $y \in \mathcal {Y}$.
$\mathsf {cPRF.Eval}(\mathsf {msk}, x) \rightarrow y$: On input the master secret key $\mathsf {msk}$ and an input $x \in \mathcal {X}$, the evaluation algorithm evaluates the PRF value $y \in \mathcal {Y}$.

Algorithms $\mathsf {cPRF.Setup}$ and $\mathsf {cPRF.Constrain}$ are randomized, while algorithms $\mathsf {cPRF.ConstrainEval}$ and $\mathsf {cPRF.Eval}$ are always deterministic.

Correctness. A constrained PRF is correct if for all $\lambda \in \mathbb {N}$, $\mathsf {msk}\leftarrow \mathsf {cPRF.Setup}(1^\lambda )$, for every circuit $C \in \mathcal {C}$, and input $x \in \mathcal {X}$ for which $f(x)=0$, we have that

$$\begin{aligned} \mathsf {cPRF.ConstrainEval}(\mathsf {cPRF.Constrain}(\mathsf {msk}, f), x) = \mathsf {cPRF.Eval}(\mathsf {msk}, x) \end{aligned}$$

with overwhelming probability.

Security. We require two security properties for constrained PRFs: pseudorandomness and privacy. The first property states that given constrained PRF keys, an adversary cannot distinguish the PRF evaluation at the points where it is not allowed to compute, from a randomly sampled point from the range.

Definition 3

(Pseudorandomness). Fix a security parameter $\lambda $. A constrained PRF scheme $\varPi _{\mathsf {cPRF}}= (\mathsf {cPRF.Setup}, \mathsf {cPRF.Constrain}, \mathsf {cPRF.ConstrainEval}, \mathsf {cPRF.Eval})$ is pseudorandom if for all PPT adversary $\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)$, there is a negligible function $\mathsf {negl}(\lambda )$ such that

$$ \mathsf {Adv}_{\varPi _{\mathsf {cPRF}}, \mathcal {A}}^{\mathsf {rand}}(\lambda ) = \left| \Pr [\mathsf {Expt}_{\varPi _{\mathsf {cPRF}}, \mathcal {A}}^{(0)}(\lambda ) = 1] - \Pr [\mathsf {Expt}_{\varPi _{\mathsf {cPRF}}, \mathcal {A}}^{(1)}(\lambda )=1] \right| \le \mathsf {negl}(\lambda ) $$

where for each $b \in \{0,1\}$ and $\lambda \in \mathbb {Z}$, the experiment $\mathsf {Expt}_{\varPi _{\mathsf {cPRF}}, \mathcal {A}}^{(b)}(\lambda )$ is defined as follows:

1.
$\mathsf {msk}\leftarrow \mathsf {cPRF.Setup}(1^\lambda )$
2.
$(x^*, \mathsf {state}_1) \leftarrow \mathcal {A}_1^{\mathsf {cPRF.Constrain}(\mathsf {msk}, \cdot ), \mathsf {cPRF.Eval}(\mathsf {msk}, \cdot )}(1^\lambda )$
3.
$y_0 \leftarrow \mathsf {cPRF.Eval}(\mathsf {msk}, x^*)$
4.
$y_1 \overset{\$}{\leftarrow }\mathcal {Y}$
5.
$b' \leftarrow \mathcal {A}_2^{\mathsf {cPRF.Constrain}(\mathsf {msk}, \cdot ), \mathsf {cPRF.Eval}(\mathsf {msk}, \cdot )}(y_b, \mathsf {state}_1)$
6.
Output $b'$

To prevent the adversary from trivially winning the game, we require that for any query f that $\mathcal {A}$ makes to the $\mathsf {cPRF.Constrain}(\mathsf {msk}, \cdot )$ oracle, it holds that $f(x^*) = 1$, and for any query x that $\mathcal {A}$ makes to the $\mathsf {cPRF.Eval}(\mathsf {msk}, \cdot )$ oracle, it holds that $x \ne x^*$.

The security games as defined above is the fully adaptive game. One can also define a selective variant of the games above where the adversary commits to the challenge point before the game starts. We do so in Definition 6 below.

Next, we require that a constrained key $\mathsf {sk}_f$ not leak information about the constraint function f as in the setting of private constrained PRFs of [BLW17].

Definition 4

(Privacy). Fix a security parameter $\lambda \in \mathbb {N}$. A constrained PRF scheme $\varPi _{\mathsf {cPRF}}= (\mathsf {cPRF.Setup}, \mathsf {cPRF.Constrain}, \mathsf {cPRF.ConstrainEval}, \mathsf {cPRF.Eval})$ is private if for all PPT adversary $\mathcal {A}$, there is a negligible function $\mathsf {negl}(\lambda )$ such that

$$ \mathsf {Adv}_{\varPi _{\mathsf {cPRF}}, \mathcal {A}}^{\mathsf {priv}}(\lambda ) = \left| \Pr [ \mathsf {Expt}_{\varPi _{\mathsf {cPRF}}, \mathcal {A}}^{(0)}(\lambda ) = 1 ] - \Pr [ \mathsf {Expt}_{\varPi _{\mathsf {cPRF}}, \mathcal {A}}^{(1)}(\lambda ) = 1 ] \right| \le \mathsf {negl}(\lambda )$$

where the experiments $\mathsf {Expt}_{\varPi _{\mathsf {cPRF}}, \mathcal {A}}^{(b)}$ are defined as follows:

1.
$\mathsf {msk}\leftarrow \mathsf {cPRF.Setup}(1^\lambda )$.
2.
$b' \leftarrow \mathcal {A}^{\mathsf {cPRF.Constrain}_b(\mathsf {msk}, \cdot , \cdot ), \mathsf {cPRF.Eval}(\mathsf {msk}, \cdot )}(1^\lambda )$.
3.
Output $b'$

where the oracle $\mathsf {cPRF.Constrain}_b(\cdot , \cdot , \cdot )$ is defined as follows

$\mathsf {cPRF.Constrain}_b(\mathsf {msk}, f_0, f_1)$: On input the master secret key $\mathsf {msk}$, and a pair of constraint functions $f_0, f_1$, outputs $sk_{f,b} \leftarrow \mathsf {cPRF.Constrain}(f_b)$.

In the experiment above, we require an extra admissibility condition on the adversary to prevent it from trivially distinguishing the two experiments. For a circuit $f \in \mathcal {C}$, define the set $S(f) \subseteq \mathcal {X}$ where $\{ x \in \mathcal {X}: f(x) = 0 \}$. Let d be the number of queries that $\mathcal {A}$ makes to $\mathsf {cPRF.Constrain}_b(\mathsf {msk}, \cdot , \cdot )$ and let $(f^{(i)}_0, f^{(i)}_1)$ for $i \in [d]$ denote the ith pair of circuits that the adversary submits to the constrain oracle. Then we require that

1.
For every query x that $\mathcal {A}$ makes to the evaluation oracle, $ f^{(i)}_0(x) = f^{(i)}_1(x)$.
2.
For every pair of distinct indices $i,j \in [d]$,
$$ S \left( f^{(i)}_0 \right) \cap S \left( f^{(j)}_0 \right) = S \left( f^{(i)}_1 \right) \cap S \left( f^{(j)}_1 \right) .$$

Justification for the second admissibility condition is discussed in [BLW17, Remark 2.11].

3.2 Private Puncturable PRFs

A puncturable PRF is a special case of constrained PRFs where one can only request constained keys for point functions. That is, each constraining circuit $C_{x^*}$ is associated with a point $x^* \in \{0,1\}^n$, and $C_{x^*}(x)=0$ if and only if $x \ne x^*$. Concretely, a puncturable PRF is specified by a tuple of algorithms $\varPi _\mathsf {pPRF}= (\mathsf {pPRF.Setup}, \mathsf {pPRF.Puncture}, \mathsf {pPRF.PunctureEval}, \mathsf {pPRF.Eval})$ with identical syntax as regular constrained PRFs, with the exception that the algorithm $\mathsf {pPRF.Puncture}$ takes in a point x to be punctured rather than a circuit f.

In the context of private puncturing, we require without loss of generality, that algorithm $\mathsf {pPRF.Puncture}$ be deterministic (see [BLW17, Remark 2.14]). If it were randomized, it could be de-randomized by generating its random bits using a PRF keyed by a part of $\mathsf {msk}$, and given the point x as input.

We define a slightly weaker variant of correctness than as is defined above for constrained PRF called computational functionality preserving as in the setting of [BV15]. In words, this property states that it is computationally hard to find a point $x \ne x^*$ such that the result of the puncture evaluation differs from the actual PRF evaluation. This is essentially a relaxation of the statistical notion of correctness to the computational notion of correctness.

Definition 5

(Computational Functionality Preserving). Fix a security parameter $\lambda $ and let $\varPi _\mathsf {pPRF}= (\mathsf {pPRF.Setup}, \mathsf {pPRF.Puncture}, \mathsf {pPRF.PunctureEval}, \mathsf {pPRF.Eval})$ be a private-puncturable PRF scheme. For every adversary $\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)$, consider the following experiment where we choose $\mathsf {msk}\leftarrow \mathsf {pPRF.Setup}(1^\lambda )$, $(\mathsf {state}, x^*) \leftarrow \mathcal {A}_1(1^\lambda )$, and $\mathsf {sk}_{x^*} \leftarrow \mathsf {pPRF.Puncture}(\mathsf {msk}, x^*)$. Then, the private-puncturable PRF scheme $\varPi _\mathsf {pPRF}$ is computational functionality preserving if

$$ \Pr \left[ x \leftarrow \mathcal {A}_2^{\mathsf {pPRF.Eval}(\mathsf {msk}, \cdot )}(\mathsf {state}, \mathsf {sk}_{x^*}): \begin{array}{c} x \ne x^* \wedge \\ \mathsf {pPRF.Eval}(\mathsf {msk}, x) \ne \\ \mathsf {pPRF.PunctureEval}(\mathsf {sk}_{x^*}, x) \end{array} \right] \le \mathsf {negl}(\lambda ) $$

for some negligible function $\mathsf {negl}$.

We next specialize the security definitions to the settings of puncturing constraints. For puncturable PRFs, the adversary in the pseudorandomness game is limited to making at most one key query to $\mathsf {pPRF.Puncture}$. If it made two key queries, for two distinct punctures, it would be able to evaluate the PRF on all points in the domain, and then cannot win the game. Therefore, we need only consider two types of adversaries in the pseudorandomness game:

an adversary that makes evaluation queries, but no key queries during the game, and
an adversary that makes exactly one key query.

The first adversary plays the regular PRF security game. A simple reduction shows that selective security against an adversary of the second type implies security against an adversary of the first type. Therefore, when defining (selective) security, it suffices to only consider (selective) adversaries of the second type.

One technicality in defining pseudorandomness for puncturable PRFs that satisfy a computational notion of correctness is that the adversary must also be given access to an evaluation oracle. This is because given only a punctured key, the adversary cannot efficiently detect whether a point in the domain evaluates to the correct PRF evaluation with the punctured key without the evaluation oracle. Therefore, we define the following pseudorandomness definition.

Definition 6

Fix a security parameter $\lambda $. A puncturable PRF scheme $\varPi _\mathsf {pPRF} = (\mathsf {pPRF.Setup}, \mathsf {pPRF.Puncture}, \mathsf {pPRF.PunctureEval}, \mathsf {pPRF.Eval})$ is selectively-pseudorandom if for every PPT adversary $\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)$, there exists a negligible function $\mathsf {negl}$ such that for $\mathsf {msk}\leftarrow \mathsf {pPRF.Setup}(1^\lambda )$, $(x^*, \mathsf {state}) \leftarrow \mathcal {A}_1(1^\lambda )$, $\mathsf {sk}_{x^*} \leftarrow \mathsf {pPRF.Puncture}(\mathsf {msk}, x^*)$, $u \overset{\$}{\leftarrow }\mathcal {Y}$, we have that

(3.1)

To prevent the adversary from trivially breaking the game, we require that the adversary $\mathcal {A}$ cannot query the evaluation oracle on $x^*$.

We next define the notion of privacy for puncturable PRFs. Again, since we rely on the computational notion of correctness, we provide the adversary access to an honest evaluation oracle (except for at the challenge points). As in the pseudorandomness game, we only consider selective adversaries that make a single key query, although that results in a slightly weaker notion of privacy than in Definition 4.^{Footnote 3}

Definition 7

Fix a security parameter $\lambda $. A puncturable PRF scheme $\varPi _\mathsf {pPRF} = (\mathsf {pPRF.Setup}, \mathsf {pPRF.Puncture}, \mathsf {pPRF.PunctureEval}, \mathsf {pPRF.Eval})$ is selectively-private if for every PPT adversary $\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)$, there exists a negligible function $\mathsf {negl}$ such that for $\mathsf {msk}\leftarrow \mathsf {pPRF.Setup}(1^\lambda )$, $(x^*, \mathsf {state}) \leftarrow \mathcal {A}_1(1^\lambda )$, $\mathsf {sk}_{x^*} \leftarrow \mathsf {pPRF.Puncture}(\mathsf {msk}, x^*)$, $\mathsf {sk}_{\mathbf {0}} \leftarrow \mathsf {pPRF.Puncture}(\mathsf {msk}, \mathbf {0})$, we have that

$$ \left| \Pr [\mathcal {A}_2^{\mathsf {pPRF.Eval}(\mathsf {msk},\cdot )} (\mathsf {state}, \mathsf {sk}_{x^*})=1] - \Pr [\mathcal {A}_2^{\mathsf {pPRF.Eval}(\mathsf {msk},\cdot )} (\mathsf {state}, \mathsf {sk}_{\mathbf {0}})=1] \right| \le \mathsf {negl}(\lambda ).$$

To prevent the adversary from trivially winning the game, we require that the adversary $\mathcal {A}$ cannot query the evaluation oracle on $x^*$ or $\mathbf {0}$.

Remarks. We note that a selectively-secure privately constrained PRF can be shown to be fully secure generically through complexity leveraging. In particular, the selectivity of the definition does not hurt the applicability of privacy as it can be shown to be adaptively secure generically. Achieving adaptive security for any kind of constrained PRFs without complexity leveraging (with polynomial loss in the reduction) remains a challenging problem. For puncturable PRFs, for instance, the only known adaptively secure constructions rely on the power of indistinguishability obfuscation [HKW15, HKKW14].^{Footnote 4}

We also note that since constrained PRF is a symmetric-key notion, the setup algorithm just returns the master secret key $\mathsf {msk}$. However, one can also consider dividing the setup into distinct parameter generation algorithm and seed generation algorithm where the parameters can be generated once and can be reused with multiple seeds for the PRF. In fact, for our construction in Sect. 5.1, a large part of the master secret key component can be fixed once and made public as parameters for the scheme. However, we maintain our current definition for simplicity.

3.3 Fully-Homomorphic Encryption

Following the presentation of [GVW15b], we give a minimal definition of fully homomorphic encryption (FHE) which is sufficient for this work. Technically, in this work, we use a leveled homomorphic encryption scheme (LHE); however, we will still refer to it simply as FHE. A leveled homomorphic encryption scheme is a tuple of polynomial-time algorithms $\varPi _{\mathsf {HE}}= (\mathsf {HE.KeyGen}, \mathsf {HE.Enc}, \mathsf {HE.Eval}, \mathsf {HE.Dec})$ defined as follows:

$\mathsf {HE.KeyGen}(1^\lambda , 1^d, 1^k) \rightarrow \mathsf {sk}$: On input the security parameter $\lambda $, a depth bound d, and a message length k, the key generation algorithm outputs a secret key $\mathsf {sk}$.
$\mathsf {HE.Enc}(\mathsf {sk}, \mu ) \rightarrow \mathsf {ct}$: On input a secret key $\mathsf {sk}$ and a message $\mu \in \{0,1\}^k$, the encryption algorithm outputs a ciphertext $\mathsf {ct}$.
$\mathsf {HE.Eval}(C, \mathsf {ct}) \rightarrow \mathsf {ct}'$: On input a circuit $C :\{0,1\}^k \rightarrow \{0,1\}$ of depth d and a ciphertext $\mathsf {ct}$, the homomorphic evaluation algorithm outputs ciphertext $\mathsf {ct}'$.
$\mathsf {HE.Dec}(\mathsf {sk}, \mathsf {ct}') \rightarrow \mu '$: On input a secret key $\mathsf {sk}$ and a ciphertext $\mathsf {ct}'$, the decryption algorithm outputs a message $\mu ' \in \{0,1\}$.

Correctness. We require that for all $\lambda , d, k$, $\mathsf {sk}\leftarrow \mathsf {HE.KeyGen}(1^\lambda , 1^d, 1^k)$, $\mu \in \{0,1\}^k$, and boolean circuits $C :\{0,1\}^k \rightarrow \{0,1\}$ of depth at most d, we have that

$$\begin{aligned} \Pr \left[ \mathsf {HE.Dec}(\mathsf {sk}, \mathsf {HE.Eval}(C, \mathsf {HE.Enc}(\mathsf {sk}, \mu ))) = C(\mu ) \right] = 1 \end{aligned}$$

where the probability is taken over $\mathsf {HE.Enc}$ and $\mathsf {HE.KeyGen}$.

Security. For security, we require standard semantic security. For any PPT adversary $\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)$, and for all $d, k = \mathsf {poly}(\lambda )$, there exists a negligible function $\mathsf {negl}$ such that

$$ \Pr \left[ b = b' : \begin{array}{l} \mathsf {sk}\leftarrow \mathsf {HE.KeyGen}(1^\lambda , 1^d, 1^k); \\ \mu \leftarrow \mathcal {A}(1^\lambda , 1^d, 1^k); \\ b \overset{\$}{\leftarrow }\{0,1\}; \\ \mathsf {ct}_0 \leftarrow \mathsf {HE.Enc}(\mathsf {sk}, 0^{|\mu |}); \\ \mathsf {ct}_1 \leftarrow \mathsf {HE.Enc}(\mathsf {sk}, \mu ); \\ b' \leftarrow \mathcal {A}(\mathsf {ct}_b) \end{array} \right] - \frac{1}{2} \le \mathsf {negl}(\lambda ) $$

4 LWE, SIS, Lattice FHE, and Matrix Embeddings

In this section, we present a brief background on the average case lattice problems of the Learning with Errors problem (LWE) as well as the one-dimensional Short Integer Solutions problem (1D-SIS). We also discuss the instantiations of FHE from LWE and summarize the circuit matrix embedding technique of the lattice ABE constructions.

Gaussian Distributions. We let $D_{\mathbb {Z}^m, \sigma }$ to be the discrete Gaussian distribution over $\mathbb {Z}^m$ with parameter $\sigma $. For simplicity, we truncate the distribution, which means that we replace the output by $\mathbf {0}$ whenever the norm $\left\| \cdot \right\| $ exceeds $\sqrt{m} \cdot \sigma $.

The LWE Problem. Let n, m, q be positive integers and $\chi $ be some noise distribution over $\mathbb {Z}_q$. In the $\mathsf {LWE}(n,m,q,\chi )$ problem, the adversary’s goal is to distinguish between the two distributions:

$$\begin{aligned} (\mathbf {A}, \mathbf {s}^T \mathbf {A}+ \mathbf {e}^T) \qquad \text{ and } \qquad (\mathbf {A}, \mathbf {u}^T) \end{aligned}$$

where $\mathbf {A}\overset{\$}{\leftarrow }\mathbb {Z}_q^{n \times m}$, $\mathbf {s}\overset{\$}{\leftarrow }\chi ^n$, $\mathbf {e}\leftarrow \chi ^m$, and $\mathbf {u}\overset{\$}{\leftarrow }\mathbb {Z}_q^m$ are uniformly sampled.

Connection to Worst-Case. Let $B = B(n) \in \mathbb {N}$. A family of distributions $\chi = \{ \chi _n \}_{n \in \mathbb {N}}$ is called B-bounded if

$$\begin{aligned} \Pr [\chi \in \{ -B, -B+1 \ldots , B-1, B \}] = 1. \end{aligned}$$

For certain B-bounded error distributions $\chi $, including the discrete Gaussian distributions^{Footnote 5}, the $\mathsf {LWE}(n,m,q,\chi )$ problem is as hard as approximating certain worst-case lattice problems such as GapSVP and SIVP on n-dimensional lattices to within $\tilde{O}(n \cdot q/B)$ factor [Reg09, Pei09, ACPS09, MM11, MP12, BLP+13].

The Gadget Matrix. Let $\tilde{N} = n \cdot \lceil \log q \rceil $ and define the “gadget matrix” $\mathbf {G}= \mathbf {g}\otimes \mathbf {I}_n \in \mathbb {Z}_q^{n \times \tilde{N}}$ where $\mathbf {g}= (1, 2, 4, \ldots , 2^{\lceil \log q \rceil - 1})$. We define the inverse function $\mathbf {G}^{-1}: \mathbb {Z}_q^{n \times m} \rightarrow \{0,1\}^{\tilde{N} \times m}$ which expands each entry $a \in \mathbb {Z}_q$ of the input matrix into a column of size $\lceil \log q \rceil $ consisting of the bits of the binary representation of a. To simplify the notation, we always assume that $\mathbf {G}$ has width m, which we do so without loss of generality as we can always extend the width of $\mathbf {G}$ by adding zero columns. We have the property that for any matrix $\mathbf {A}\in \mathbb {Z}_q^{n \times m}$, it holds that $\mathbf {G}\cdot \mathbf {G}^{-1}(\mathbf {A}) = \mathbf {A}$.

The 1D-SIS Problem. Following the technique of [BV15], we use a variant of the Short Integer Solution (SIS) problem of [Ajt96] called 1D-SIS problem to show correctness and security for our scheme. Let $m, \beta $ be positive integers and let q be a product of n prime moduli $p_1< p_2< \ldots < p_n$, $q = \prod _{i \in [n]} p_i$. Then, in the $\text {1D-SIS}_{m,q,\beta }$, the adversary is given a uniformly random vector $\mathbf {v}\in \mathbb {Z}_q^m$ and its goal is to find $\mathbf {z}\in \mathbb {Z}^m$ such that $\left\| \mathbf {z} \right\| \le \beta $ and $\left\langle \mathbf {v}, \mathbf {z} \right\rangle = 0 \mod q$. For $m = O(n \log q)$, $p_1 \ge \beta \cdot \omega (\sqrt{mn \log n})$, the $\text {1D-SIS-R}_{m,q,p,\beta }$ problem is as hard as approximating certain worst-case lattice problems such as GapSVP and SIVP to within $\beta \cdot \tilde{O}(\sqrt{mn})$ factor [Reg04, BV15].

For this work, we will use another variant called 1D-SIS-R that we define as follows. Let $m, \beta $ be positive integers. We let $q = p \cdot \prod _{i \in [n]} p_i$, where all $p_1< p_2< \cdots < p_n$ are all co-prime and co-prime with p as well. In the $\text {1D-SIS-R}_{m,q,p,\beta }$ problem, the adversary is given a uniformly random vector $\mathbf {v}\in \mathbb {Z}_q^m$ and its goal is to find a vector $\mathbf {z}\in \mathbb {Z}^m$ such that $\left\| \mathbf {z} \right\| \le \beta $ and $\left\langle \mathbf {v}, \mathbf {z} \right\rangle \in [-\beta , \beta ] + (q/p) (\mathbb {Z}+ 1/2)$.^{Footnote 6} [BKM17, Appendix B] shows that $\text {1D-SIS-R}_{m,q,p,\beta }$ is as hard as $\text {1D-SIS}_{m,q,\beta }$ and therefore, is as hard as certain worst-case lattice problems.

4.1 FHE from LWE

There are a number of FHE constructions from LWE [BV14a, BGV12, GSW13, BV14b, ASP14, CM15, MW16, BP16, PS16]. For this work, we use the fact that these constructions can support not just binary, but field operations.

Specifically, given an encryption of a message $\mathbf {x}\in \{0,1\}^{\ell }$, a circuit $C :\{0,1\}^{\ell } \rightarrow \{0,1\}$, and any field element $w \in \mathbb {Z}_q$, one can homomorphically compute the function

$$\begin{aligned} f_{C,w}(\mathbf {x}) = w \cdot C(\mathbf {x}) \in \mathbb {Z}_q \end{aligned}$$

on the ciphertext. Here, we take advantage of the fact that the FHE homomorphic operations can support scalar multiplication by a field element without increasing the noise too much. Looking ahead, we will encrypt the punctured point $\mathbf {x}^*$, and homomorphically compute the equality predicate $\mathsf {eq}_\mathbf {x}(\mathbf {x}^*) = \left\{ \begin{array}{ll} 1 &{} \mathbf {x}= \mathbf {x}^*\\ 0 &{} \text {otherwise} \end{array} \right. $ on the ciphertext such that it decrypts to a random element $w_\gamma \in \mathbb {Z}_q$ only if the evaluation of the PRF a point $\mathbf {x}$ equals to the punctured point. This is simply evaluating the equality check circuit on the FHE ciphertext and scaling the result by $w_\gamma $.

We formally summarize the properties of FHE constructions from LWE below.^{Footnote 7}

Theorem 1

(FHE from LWE). Fix a security parameter $\lambda $ and depth bound $d = d(\lambda )$. Let $n,m,q,\chi $ be LWE parameters where $\chi $ is a B-bounded error distribution and $q > B \cdot m^{O(d)}$. Then, there is an FHE scheme $\varPi _{\mathsf {HE}}= (\mathsf {HE.KeyGen}, \mathsf {HE.Enc}, \mathsf {HE.Eval}, \mathsf {HE.Dec})$ for circuits of depth bound d, with the following properties:

$\mathsf {HE.KeyGen}$ outputs a secret key $\mathsf {sk}\in \mathbb {Z}_q^n$
$\mathsf {HE.Enc}$ takes in a message $\mathbf {m}\in \{0,1\}^k $ and outputs a ciphertext $\mathsf {ct}\in \{0,1\}^z$ where $z = \mathsf {poly}(\lambda , d, \log q, k)$.
$\mathsf {HE.Eval}$ takes in a circuit $f_{C,w}$ and a ciphertext $\mathsf {ct}$ and outputs ciphertexts $\mathsf {ct}' \in \{0,1\}^n$.
For any boolean circuit C of depth d and scalar element $w \in \mathbb {Z}_q$, $\mathsf {HE.Eval}(f_{C,w}, \cdot )$ is computed by a boolean circuit of depth $\mathsf {poly}(d, \log z)$.
$\mathsf {HE.Dec}$ on input $\mathsf {sk}$ and $\mathsf {ct}$, when $C(\mathbf {m})=1$ we have that
$$\begin{aligned} \sum _{i=1}^t \mathsf {sk}[i] \cdot \mathsf {ct}[i] \in [ w - E, w + E ]. \end{aligned}$$
When $C(\mathbf {m}) = 0$ we have
$$\begin{aligned} \sum _{i=1}^t \mathsf {sk}[i] \cdot \mathsf {ct}[i] \in [-E, E] \end{aligned}$$
for some bound $E = B \cdot m^{O(d)}$.
Security relies on $\mathsf {LWE}(n, m, q, \chi )$.

We note that in the predicate encryption construction of [GVW15b], the result of [BV14b] is used, which applies the sequential homomorphic multiplication of ciphertexts (through branching programs) to take advantage of the asymmetric noise growth of FHE. This allows the final noise from the FHE homomorphic operations to be bounded by $\mathsf {poly}(\lambda )$, but the depth of the FHE evaluation grows polynomially in the bit length of the FHE modulus. In our construction, this optimization is not needed because we will only be concerned with the equality check circuit which is already only logarithmic in the depth of the input length. Therefore, one can perform regular FHE homomorphic operations with depth logarithmic in the bit length of the FHE modulus.

4.2 Matrix Embeddings

In the ABE construction of [BGG+14], Boneh et al. introduced a method to embed circuits into LWE matrices and since then, the technique saw a number of applications in lattice-based constructions [BV15, GVW15b, GV15, BV16, BCTW16].

We provide an overview of this technique since our proof of security will rely on the specifics of this matrix encodings. Our, description will be informal, but we formally describe the properties that we need for the proofs below. We refer the readers to [BGG+14, GVW15b] for the formal treatment.

In the setting of [BGG+14], for the set of public matrix $\mathbf {A}_1, \ldots \mathbf {A}_\ell $, we encode a vector of field elements $\mathbf {x}\in \mathbb {Z}_q^t$ as an LWE sample as

$$\begin{aligned} \mathbf {a}_{x_i} = \mathbf {s}^T (\mathbf {A}_i + x_i \cdot \mathbf {G}) + \mathbf {e}_i \end{aligned}$$

for $i = 1, \ldots , \ell $ where $\mathbf {s}$ and $\mathbf {e}_i$’s are sampled according to the standard LWE distribution. Then, given two encodings, $\mathbf {a}_{x_i}$, $\mathbf {a}_{x_j}$, we can add and multiply them as follows:

$$\begin{aligned} \mathbf {a}_{x_i + x_j}&= \mathbf {a}_{x_i} + \mathbf {a}_{x_j} \\&= \mathbf {s}^T (\mathbf {A}_i + x_i \cdot \mathbf {G}) + \mathbf {e}_i + \mathbf {s}^T (\mathbf {A}_j + x_j \cdot \mathbf {G}) + \mathbf {e}_j \\&= \mathbf {s}^T ([\mathbf {A}_i + \mathbf {A}_j] + [x_i + x_j] \cdot \mathbf {G}) + [\mathbf {e}_i + \mathbf {e}_j] \\&= \mathbf {s}^T (\mathbf {A}_{+,i,j} + [x_i + x_j] \cdot \mathbf {G}) + \mathbf {e}_{+,i,j} \end{aligned}$$

$$\begin{aligned} \mathbf {a}_{x_i \times x_j}&= \mathbf {a}_{x_i} \cdot x_j - \mathbf {a}_{x_j} \mathbf {G}^{-1}(\mathbf {A}_i) \\&= \mathbf {s}^T (x_j \mathbf {A}_i + x_i x_j \cdot \mathbf {G}) + x_j \mathbf {e}_j - \mathbf {s}^T (\mathbf {A}_j \mathbf {G}^{-1}(\mathbf {A}_i) + x_j \mathbf {A}_i) + \mathbf {e}_j \mathbf {G}^{-1}(\mathbf {A}_i) \\&= \mathbf {s}^T ([-\mathbf {A}_j \mathbf {G}^{-1}(\mathbf {A}_i)] + [x_i \cdot x_j] \cdot \mathbf {G}) + [x_j \mathbf {e}_i + \mathbf {e}_j \mathbf {G}^{-1}(\mathbf {A}_i) \\&= \mathbf {s}^T (\mathbf {A}_{\times , i, j} + [x_i \cdot x_j] \cdot \mathbf {G}) + \mathbf {e}_{\times , i, j} \end{aligned}$$

Correspondingly, we can define operations on the matrices

$\mathbf {A}_{+, i, j} = \mathbf {A}_i + \mathbf {A}_j$
$\mathbf {A}_{\times , i, j} = -\mathbf {A}_j \mathbf {G}^{-1}(\mathbf {A}_i)$

Using these operations, one can compute an arithmetic circuit F on the encodings gate-by-gate. In particular, restricting $\mathbf {x}$ to be a binary string, we can compute the NAND operation as

$$\begin{aligned} \mathbf {a}_{\lnot (x_i \wedge x_j)} = \mathbf {a}_1 - \mathbf {a}_{x_i \times x_j} \end{aligned}$$

$$\begin{aligned} \mathbf {A}_{\lnot (x_i \wedge x_j)} = \mathbf {A}^*- \mathbf {A}_{\times , i, j} \end{aligned}$$

where $\mathbf {a}_1 = \mathbf {s}^T (\mathbf {A}^*+ \mathbf {G}) + \mathbf {e}^*$ is a fixed encoding of 1.

We note that in the description above, to compute a single multiplication on the encodings $\mathbf {a}_{x_i}$, $\mathbf {a}_{x_j}$, one must know one of $x_i$ or $x_j$, but it is not required to know both. This means that computing operations such as inner products on two vector attributes can be done without the knowledge of one of the vectors. In particular, given the encodings of $(\mathbf {x}, \mathbf {w}) \in \{0,1\}^{z} \times \mathbb {Z}_q^{t}$, and a pair $(C, \mathbf {x})$ where $C: \{0,1\}^{z} \rightarrow \{0,1\}^{t}$ and $\mathbf {x}\in \{0,1\}^z$, one can derive an encoding of ${(\mathsf {IP} \circ C)}(\mathbf {x}, \mathbf {w}) = \left\langle C(\mathbf {x}), \mathbf {w} \right\rangle $.

Theorem 2

[BGG+14, GVW15b]. Fix a security parameter $\lambda $, and lattice parameters $n,m,q,\chi $ where $\chi $ is a B-bounded error distribution. Let C be a depth-d Boolean circuit on z input bits. Let $\mathbf {A}_1, \ldots , \mathbf {A}_{z}, \tilde{\mathbf {A}}_1, \ldots , \tilde{\mathbf {A}}_{t} \in \mathbb {Z}_q^{n \times m}$, $(x_1, \mathbf {b}_1), \ldots , (x_z, \mathbf {b}_z) \in \{0,1\}\times \mathbb {Z}_q^m$, and $(w_1, \tilde{\mathbf {b}}_1), \ldots , (w_t, \tilde{\mathbf {b}}_t) \in \mathbb {Z}_q \times \mathbb {Z}_q^m$ such that

$$\begin{aligned} \left\| \mathbf {b}^T_i - \mathbf {s}^T (\mathbf {A}_i + x_i \cdot \mathbf {G}) \right\| \le B \quad \text{ for } i = 1, \ldots , z \end{aligned}$$

$$ \left\| \tilde{\mathbf {b}}^T_j - \mathbf {s}^T (\tilde{\mathbf {A}}_j + w_j \cdot \mathbf {G}) \right\| \le B \quad \text{ for } j = 1, \ldots , t $$

for some $\mathbf {s}\in \mathbb {Z}_q^n$. There exists the following pair of algorithms

$\mathsf {Eval}_{\mathsf {pk}}({(\mathsf {IP} \circ C)}, \mathbf {A}_1, \ldots , \mathbf {A}_{z}, \tilde{\mathbf {A}}_1, \ldots , \tilde{\mathbf {A}}_{t}) \rightarrow \mathbf {A}_{{(\mathsf {IP} \circ C)}}$: On input a circuit ${(\mathsf {IP} \circ C)}$ for $C:\{0,1\}^z \rightarrow \{0,1\}^t$ and $z+t$ matrices $\mathbf {A}_1, \ldots , \mathbf {A}_{z}, \tilde{\mathbf {A}}_1, \ldots , \tilde{\mathbf {A}}_{t}$, outputs a matrix $\mathbf {A}_{{(\mathsf {IP} \circ C)}}$.
$\mathsf {Eval}_{\mathsf {ct}}({(\mathsf {IP} \circ C)}, \mathbf {b}_1, \ldots , \mathbf {b}_z, \tilde{\mathbf {b}}_1, \ldots , \tilde{\mathbf {b}}_t, \mathbf {x}) \rightarrow \mathbf {b}_{{(\mathsf {IP} \circ C)}}$: On input a circuit ${(\mathsf {IP} \circ C)}$ for $C:\{0,1\}^z \rightarrow \{0,1\}^t$, $z+t$ vectors $\mathbf {b}_1, \ldots , \mathbf {b}_z, \tilde{\mathbf {b}}_1, \ldots , \tilde{\mathbf {b}}_t$, and length z string $\mathbf {x}$, outputs a vector $\mathbf {b}_{{(\mathsf {IP} \circ C)}}$

such that for $\mathbf {A}_{{(\mathsf {IP} \circ C)}} \leftarrow \mathsf {Eval}_{\mathsf {pk}}({(\mathsf {IP} \circ C)}, \mathbf {A}_1, \ldots , \mathbf {A}_{z}, \tilde{\mathbf {A}}_1, \ldots , \tilde{\mathbf {A}}_{t})$, and $\mathbf {b}_{{(\mathsf {IP} \circ C)}} \leftarrow \mathsf {Eval}_{\mathsf {ct}}({(\mathsf {IP} \circ C)}, \mathbf {b}_1, \ldots , \mathbf {b}_z, \tilde{\mathbf {b}}_1, \ldots , \tilde{\mathbf {b}}_t, \mathbf {x})$, we have that

$$\left\| \mathbf {b}^T_{{(\mathsf {IP} \circ C)}} - \mathbf {s}^T (\mathbf {A}_{{(\mathsf {IP} \circ C)}} + \left\langle C(\mathbf {x}), \mathbf {w} \right\rangle \cdot \mathbf {G}) \right\| \le B \cdot m^{O(d)}.$$

Moreover, $\mathbf {b}_{{(\mathsf {IP} \circ C)}}$ is a “low-norm” linear function of $\mathbf {b}_1, \ldots , \mathbf {b}_z, \tilde{\mathbf {b}}_1, \ldots , \tilde{\mathbf {b}}_z$. That is, there are matrices $\mathbf {R}_1, \ldots , \mathbf {R}_z, \tilde{\mathbf {R}}_1, \ldots , \tilde{\mathbf {R}}_t$ such that $\mathbf {b}^T_{{(\mathsf {IP} \circ C)}} = \sum _{i=1}^z \mathbf {b}^T_i \mathbf {R}_i + \sum _{j=1}^t \tilde{\mathbf {b}}^T_j \tilde{\mathbf {R}}_j$ and $\left\| \mathbf {R}_i \right\| , \Vert \tilde{\mathbf {R}}_j \Vert \le m^{O(d)} $.

5 Main Construction

In this section, we present our private puncturable PRF. We first give a formal description of the construction followed by a sample instantiation of the parameters used in the construction. Then, we show correctness and security. We conclude the section with some extensions.

5.1 Construction

Our construction uses a number of parameters and indices, which we list here for reference:

$(n,m,q,\chi )$ - LWE parameters
$\ell $ - length of the PRF input
p - rounding modulus
z - size of FHE ciphertext (indexed by i)
t - size FHE secret key (indexed by j)
$d'$ - depth of the equality check circuit
d - depth of the circuit that computes the FHE homomorphic operation of equality check
$\gamma $ - index for the randomizers $w_1, \ldots , w_n$

For $\gamma \in [n]$ we use $\mathbf {u}_\gamma $ to denote the n dimensional basis vector in $\mathbb {Z}_q^n$ with $\gamma $th entry set to 1 and the rest set to 0. Also, for $\gamma \in [n]$, we denote by $\mathbf {v}_\gamma $ the m dimensional basis vector in $\mathbb {Z}_q^m$ with the $\gamma \cdot (\lceil \log q \rceil - 1)$th component set to 1 and the rest set to 0. By construction of $\mathbf {G}$ we have that $\mathbf {G}\cdot \mathbf {v}_\gamma = \mathbf {u}_\gamma $.

For the cleanest way to describe the construction, we slightly abuse notation and define the setup algorithm $\mathsf {pPRF.Setup}$ to also publish a set of public parameters $\mathsf {pp}$ along with the master secret key $\mathsf {msk}$. One can view $\mathsf {pp}$ as a fixed set of parameters for the whole system that is available to each algorithms $\mathsf {pPRF.Puncture}, \mathsf {pPRF.PunctureEval}, \mathsf {pPRF.Eval}$, or it can be viewed as a component included in both the master secret key $\mathsf {msk}$ and the punctured key $\mathsf {sk}_{\mathbf {x}^*}$.

Fix a security parameter $\lambda $. We construct a privately puncturable PRF $\varPi _\mathsf {pPRF}= (\mathsf {pPRF.Setup}, \mathsf {pPRF.Puncture}, \mathsf {pPRF.PunctureEval}, \mathsf {pPRF.Eval})$ with domain $\{0,1\}^\ell $ and range $\mathbb {Z}_p$ as follows:

$\mathsf {pPRF.Setup}(1^\lambda )$: On input the security parameter $\lambda $, the setup algorithm generates a set of uniformly random matrices in $\mathbb {Z}_q^{n \times m}$:
- $\mathbf {A}_0, \mathbf {A}_1$ that will encode the input to the PRF
- $\mathbf {B}_1, \ldots , \mathbf {B}_z$ that will encode the FHE ciphertext
- $\mathbf {C}_1, \ldots , \mathbf {C}_t$ that will encode the FHE secret key
Then, it generates a secret vector $\mathbf {s}$ from the error distribution $\mathbf {s}\leftarrow \chi ^n$, and also samples a uniformly random vector $\mathbf {w}\in \mathbb {Z}_q^n$. It sets
$$ \mathsf {pp}= \big (\{ \mathbf {A}_b \}_{b \in \{0,1\}},\ \{ \mathbf {B}_i \}_{i \in [z]},\ \{ \mathbf {C}_j \}_{j \in [t]},\ \mathbf {w}\big ) \quad \text {and}\quad \mathsf {msk}= \mathbf {s}$$
$\mathsf {pPRF.Eval}(\mathsf {msk}, \mathbf {x})$: On input the master secret key $\mathsf {msk}= \mathbf {s}$ and the PRF input $\mathbf {x}$, the evaluation algorithm first computes
$$ \tilde{\mathbf {B}}_{\gamma } \leftarrow \mathsf {Eval}_{\mathsf {pk}}(C_\gamma , \mathbf {B}_1, \ldots , \mathbf {B}_z, \mathbf {A}_{x_1}, \ldots , \mathbf {A}_{x_\ell }, \mathbf {C}_1, \ldots , \mathbf {C}_t ) $$
where for $\gamma \in [n]$ the circuit $C_\gamma $ is defined as $C_\gamma (\cdot ) = \mathsf {IP} \circ \mathsf {HE.Eval}(\mathsf {eq}_{w_\gamma }, \cdot )$ and the equality check function $\mathsf {eq}_{w_\gamma }$ is defined as:
$$ \mathsf {eq}_{w_\gamma }(\mathbf {x}^*, \mathbf {x}) = \left\{ \begin{array}{ll} w_\gamma &{} \text{ if } \mathbf {x}= \mathbf {x}^*\\ 0 &{} \text{ otherwise } \end{array} \right. .$$
The algorithm outputs the following as the PRF value:
$$ \left\lfloor \sum _{\gamma \in [n]} \left\langle \mathbf {s}^T \tilde{\mathbf {B}}_\gamma , \mathbf {v}_\gamma \right\rangle \right\rceil _p \in \mathbb {Z}_p.$$
$\mathsf {pPRF.Puncture}(\mathsf {msk}, \mathbf {x}^*)$: given $\mathsf {msk}$ and the point to be punctured $\mathbf {x}^*= (x^*_1, \ldots , x^*_\ell ) \in \{0,1\}^\ell $ as input, the puncturing algorithm generates an FHE key $\mathsf {he.sk}\leftarrow \mathsf {HE.KeyGen}(1^\lambda ,1^{d'},1^\ell )$ and encrypts $\mathbf {x}^*$ as
$$\begin{aligned} \mathsf {he.ct}\leftarrow \mathsf {HE.Enc}\big (\mathsf {he.sk},\ (x^*_1, \ldots , x^*_\ell )\big ) \in \mathbb {Z}_q^z . \end{aligned}$$
Then, it samples an error vector $\mathbf {e}\leftarrow \chi ^{2+z+t}$ from the error distribution and computes
$$\begin{array}{ll} \mathbf {a}_{b} = \mathbf {s}^T (\mathbf {A}_{b} + b \cdot \mathbf {G}) + \mathbf {e}^T_{1,b} &{}\qquad \forall b \in \{0,1\}\\ \mathbf {b}_i = \mathbf {s}^T (\mathbf {B}_i + \mathsf {he.ct}_i \cdot \mathbf {G}) + \mathbf {e}^T_{2,i} &{}\qquad \forall i \in [z] \\ \mathbf {c}_{j} = \mathbf {s}^T (\mathbf {C}_{j} + \mathsf {he.sk}_j \cdot \mathbf {G}) + \mathbf {e}^T_{3,j} &{}\qquad \forall j \in [t]. \end{array}$$
It outputs the punctured key $\mathsf {sk}_{\mathbf {x}^*}= \big (\{ \mathbf {a}_b \}_{b \in \{0,1\}},\ \{ \mathbf {b}_i \}_{i \in [z]},\ \{ \mathbf {c}_j \}_{j \in [t]},\ \mathsf {he.ct}\big )$.
$\mathsf {pPRF.PunctureEval}(\mathsf {sk}_{\mathbf {x}^*}, \mathbf {x})$: On input a punctured key $\mathsf {sk}_{\mathbf {x}^*}= \big (\{ \mathbf {a}_b \}_{b \in \{0,1\}},\ \{ \mathbf {b}_i \}_{i \in [z]},\ \{ \mathbf {c}_j \}_{j \in [t]},\ \mathsf {he.ct}\big )$ and $\mathbf {x}\in \{0,1\}^\ell $, the puncture evaluation algorithm runs
$$ \tilde{\mathbf {b}}_\gamma \leftarrow \mathsf {Eval}_{\mathsf {ct}}\big (C_\gamma ,\ \mathbf {b}_1, \ldots , \mathbf {b}_z,\ \mathbf {a}_{x_1}, \ldots , \mathbf {a}_{x_\ell },\ \mathbf {c}_1, \ldots , \mathbf {c}_t,\ (\mathsf {he.ct}, \mathbf {x}) \ \big ) $$
for $\gamma = 1, \ldots , n$. Here $C_\gamma $ is the circuit defined as in algorithm $\mathsf {pPRF.Eval}$. The puncture evaluation algorithm then outputs the PRF value:
$$\begin{aligned} \left\lfloor \sum _{\gamma \in [n]} \left\langle \tilde{\mathbf {b}}_{\gamma }, \mathbf {v}_{\gamma } \right\rangle \right\rceil _p \in \mathbb {Z}_p. \end{aligned}$$

As discussed in Sect. 3.2, we can de-randomize algorithm $\mathsf {pPRF.Puncture}$ so that it always returns the same output when run on the same input.

5.2 Parameters

The parameters can be instantiated such that breaking correctness or security translates to solving worst-case lattice problems to $2^{\tilde{O}(n^{1/c})}$ for some constant c. We set the parameters to account for the noise of both (a) the FHE decryption and (b) the homomorphic computation on the ABE encodings. The former will be bounded largely by $B \cdot m^{O(d')}$ and the latter by $B \cdot m^{O(d)}$. Here, $d'$ is the depth of the equality check circuit and d is the depth of the FHE operation of the equality check circuit. We want to set the modulus of the encodings q to be big enough to account for these bounds. Furthermore, for the 1D-SIS-R assumption, we need q to be the product of coprime moduli $p_1, \ldots , p_\lambda $ such that the smallest of these primes exceeds these bounds.

Sample Instantiations. We first set the PRF input length $\ell = \mathsf {poly}(\lambda )$. The depth of the equality check circuit is then $d' = O(\log \ell )$. We set $n = \lambda ^{2c}$. We define q to be the product of $\lambda $ coprime moduli $p, p_1, \ldots , p_{\lambda }$ where we set $p = \mathsf {poly}(\lambda )$ and for each $i \in [\lambda ]$, $p_i = 2^{O(n^{1/2c})}$ such that $p_1< \ldots < p_\lambda $. The noise distribution $\chi $ is set to be the discrete Gaussian distribution $D_{\mathbb {Z},\sqrt{n}}$. Then the FHE ciphertext size z and the secret key size t is determined by q. Set $m = \varTheta (n \log q)$. The depth of the FHE equality check circuit is $d = \mathsf {poly}(d', \log z)$.

5.3 Correctness and Security

We now state the correctness and security theorems of the construction in Sect. 5.1. The proofs of these theorems can be found in the full version [BKM17].

Theorem 3

The puncturable PRF from Sect. 5.1 with parameters instantiated as in Sect. 5.2 satisfies the correctness property of Definition 5 assuming the hardness of $\text {LWE}_{n,m,q,\chi }$ and $\text {1D-SIS-R}_{q,p,\beta ,m'}$ for $\beta = B \cdot m^{\tilde{O}(d)}$ and $m' = m \cdot (2+z+t)+1$.

Theorem 4

The puncturable PRF from Sect. 5.1 with parameters instantiated as in Sect. 5.2 is selectively-pseudorandom as defined in Definition 6 assuming the hardness of $\text {LWE}_{n,m',q,\chi }$ and $\text {1D-SIS-R}_{q,p,\beta ,m'}$ for $\beta = B \cdot m^{\tilde{O}(d)}$ and $m' = m \cdot (2+z+t)+1$.

Theorem 5

Let $\varPi _{\mathsf {HE}}$ be a secure leveled homomorphic encryption scheme with parameters instantiated as in Sect. 5.2. The puncturable PRF from Sect. 5.1 with parameters instantiated as in Sect. 5.2 satisfies the security property of a private puncturable PRF as defined in Definition 6 assuming the hardness of $\text {LWE}_{n,m',q,\chi }$ and $\text {1D-SIS-R}_{q,p,\beta ,m'}$ for $\beta = B \cdot m^{\tilde{O}(d)}$ and $m' = m \cdot (2+z+t)+1$.

5.4 Extentions

We conclude this section with some high-level discussion on extending our scheme and how it relates to other lattice based PRF constructions.

Puncturing at Multiple Points. A private puncturable PRF can be combined to support a single-key private k-puncturable PRF generically where a constrained key can be punctured at k distinct points in the domain. One way of doing this is to simply define the PRF to be the xor of k independent instances of a 1-puncturable PRF. More precisely, let $\mathsf {msk}_i \leftarrow \mathsf {pPRF.Setup}(1^\lambda )$ for $i=1, \ldots , k$. Then define the master secret key of the k-puncturable PRF to be the collection of these master secret keys $\mathsf {msk}= (\mathsf {msk}_1, \ldots , \mathsf {msk}_k)$. We define the evaluation of the PRF to be $F(\mathsf {msk}, \mathbf {x}) = F(\mathsf {msk}_1, \mathbf {x}) \oplus \ldots \oplus F(\mathsf {msk}_k, \mathbf {x})$. Then, to generate a punctured key at $S = \{ \mathbf {x}_1, \ldots , \mathbf {x}_k \}$, we puncture each $\mathsf {msk}_i$ at point $\mathbf {x}_i$, to get punctured key $\mathsf {sk}_{\mathbf {x}_i} \leftarrow \mathsf {pPRF.Puncture}(\mathsf {msk}_i, \mathbf {x}_i)$, and then set $\mathsf {sk}_S = (\mathsf {sk}_{\mathbf {x}_1}, \ldots , \mathsf {sk}_{\mathbf {x}_k})$. It is easy to see that one can evaluate the PRF with the punctured key only at a point $\mathbf {x}$ in the domain $\mathbf {x}\notin S$. It is also straightforward to show that pseudorandomness and privacy follow from the security of the underlying 1-puncturable PRF.

Short Constrained Keys. In [BV15], Brakerski and Vaikuntanathan provide a way to achieve succinct constrained keys for their single-key constrained PRF, which also extends to our construction in Sect. 5.1. We provide a high level overview of this method.

In the constrained PRF construction of [BV15], a constrained key consists of the description of the constraint circuit along with the ABE encodings of the constraint circuit. To get succinct constrained keys, one can encrypt the bit encodings for each possible bits using an encryption scheme and publish it as part of the public parameters (just like in a garbling scheme). Then, as the constrained key, one can provide the decryption keys corresponding to the bit description of the constraint circuit. Now, using the attribute-based encryption construction of [BGG+14], which has short decryption keys, one can provide the ABE secret key that allows the decryption of the bits of the constraint circuit.

One difference with our construction is that we encode field elements in our ABE encodings for the FHE key. However, the FHE key stays the same for any punctured point. Therefore, we can garble just the bit positions corresponding to the encryption of the point to be punctured and publish the rest of the components in the clear. This allows the size of the public parameters to absorb the size of the constrained key.

Key Homomomorphism. Our PRF construction has a similar structure as the other lattice-based PRF constructions and therefore, the master secret key (LWE vector) for which the PRF is defined can be added homomorphically from the PRF evaluations. However, we note that in our construction, the PRF key (secret vector) is from a short noise distribution $\chi $. Although there are applications of key-homomorphic PRFs with short keys, for most applications of key-homomorphic PRFs, one requires a perfect secret sharing of the PRF key, which requires it to come from a uniform distribution over a finite group. We leave it as an open problem to extend the construction to the setting of key-homomorphic PRFs with uniform keys.

6 Impossibility of Simulation Based Privacy

In this section, we show that a simulation based privacy notion for constrained PRFs for general circuit constraints is impossible. More precisely, we show that even for the single-key setting where the adversary is given one single constrained key, a natural extension of the indistinguishability privacy definition (Definition 4) to a simulation based privacy definition cannot be satisfied. We do this rather indirectly by showing that a constrained PRF (for general circuits) satisfying the simulation based privacy definition implies a simulation secure functional encryption [SS10, BSW11, O’N10], which was shown to be impossible in [BSW11, AGVW13].

6.1 Definition

We begin with the definition of a simulation based privacy notion for constrained PRFs. The simulation based privacy requires that any adversary given a constrained key $\mathsf {sk}_f$ does not learn any more information about the constraint other than what can be implied by comparing the output of the real evaluation $\mathsf {cPRF.Eval}(\mathsf {msk}, \cdot )$ and $\mathsf {cPRF.ConstrainEval}(\mathsf {sk}_f, \cdot )$. The correctness and pseudorandomness properties stay the same as how it is defined in Sect. 3.

Definition 8

(Sim-Privacy) Fix a security parameter $\lambda \in \mathbb {N}$. A constrained PRF scheme $\varPi _{\mathsf {cPRF}}= (\mathsf {cPRF.Setup}, \mathsf {cPRF.Constrain}, \mathsf {cPRF.ConstrainEval}, \mathsf {cPRF.}\mathsf {Eval})$ is simulation-private for single-key if there exists a PPT simulator $\mathcal {S}= (\mathcal {S}_{\mathsf {Eval}}, \mathcal {S}_{\mathsf {Constrain}})$ such that for all PPT adversary $\mathcal {A}$, there exists a negligible function $\mathsf {negl}(\lambda )$ such that

$$ \mathsf {Adv}_{\varPi _{\mathsf {cPRF}}, \mathcal {A}}^{\mathsf {priv}}(\lambda ) = \left| \Pr [\mathsf {Expt}_{\varPi _{\mathsf {cPRF}}, \mathcal {A}}^{\mathsf {REAL}}(\lambda )=1] - \Pr [\mathsf {Expt}_{\varPi _{\mathsf {cPRF}}, \mathcal {A}}^{\mathsf {RAND}}(\lambda )=1] \right| \le \mathsf {negl}(\lambda ) $$

where the experiments $\mathsf {Expt}_{\varPi _{\mathsf {cPRF}}, \mathcal {A}}^{\mathsf {REAL}}(\lambda )$ and $\mathsf {Expt}_{\varPi _{\mathsf {cPRF}}, \mathcal {A}}^{\mathsf {RAND}}(\lambda )$ are defined as follows:

Here, the algorithms $\mathcal {S}_{\mathsf {Eval}}$ and $\mathcal {S}_{\mathsf {Constrain}}$ share common state and the algorithm $\mathcal {S}_{\mathsf {Constrain}}$ is given the size |f| and oracle access to the following set of mappings

$$\begin{aligned} \mathcal {C}_{\mathsf {constrain}} = \left\{ i \mapsto f^*(x^{(i)}): i \in [Q] \right\} \end{aligned}$$

where Q represents the number of times $\mathcal {A}$ queries the evaluation oracles $\mathcal {S}_{\mathsf {Eval}}$.

In words, the security definition above requires that an adversary cannot distinguish whether it is interacting with a real constrained PRF or it is interacting with a simulator that is not actually given the constraint $f^*$ except for output of $f^*$ applied to each of the adversary’s queries to the evaluation oracle.

6.2 Functional Encryption

In this subsection, we define a simulation secure functional encryption for circuits. For simplicity, we consider functions with just binary outputs.

A (secret-key) functional encryption (FE) scheme is a tuple of algorithms $\varPi _{\mathsf {FE}}= (\mathsf {FE.Setup}, \mathsf {FE.KeyGen}, \mathsf {FE.Encrypt}, \mathsf {FE.Decrypt})$ defined over a message space $\mathcal {X}$, and a class of functions $\mathcal {F}_\lambda = \{ f:\mathcal {X}\rightarrow \{0,1\} \}$ with the following properties:

$\mathsf {FE.Setup}(1^\lambda ) \rightarrow \mathsf {msk}$: On input the security parameter $\lambda $, the setup algorithm outputs the master secret key $\mathsf {msk}$.
$\mathsf {FE.KeyGen}(\mathsf {msk}, f) \rightarrow \mathsf {sk}_f$: On input the master secret key $\mathsf {msk}$ and a circuit f, the key generation algorithm outputs a secret key $\mathsf {sk}_f$.
$\mathsf {FE.Encrypt}(\mathsf {msk}, \mathbf {x}) \rightarrow \mathsf {ct}$: On input the master secret key $\mathsf {msk}$, and a message $\mathbf {x}$, the encryption algorithm outputs a ciphertext $\mathsf {ct}$.
$\mathsf {FE.Decrypt}(\mathsf {ct}, \mathsf {sk}_f) \rightarrow \{0,1\}$: On input a ciphertext $\mathsf {ct}$ and a secret key $\mathsf {sk}_f$, the decryption algorithm outputs a bit $y \in \{0,1\}$.

Correctness. A functional encryption scheme $\varPi _{\mathsf {FE}}= (\mathsf {FE.Setup}, \mathsf {FE.KeyGen}, \mathsf {FE.Encrypt}, \mathsf {FE.Decrypt})$ is correct if for all $\lambda \in \mathbb {N}$, $\mathsf {msk}\leftarrow \mathsf {FE.Setup}(1^\lambda )$, $f \in \mathcal {F}$, and $\mathsf {sk}_f \leftarrow \mathsf {FE.KeyGen}(\mathsf {msk}, f)$, we have that

$$\begin{aligned} \Pr [\mathsf {FE.Decrypt}(\mathsf {sk}_f, \mathsf {FE.Encrypt}(\mathsf {msk}, \mathbf {x})) = f(\mathbf {x})] = 1 - \mathsf {negl}(\lambda ). \end{aligned}$$

Security. For security, we require that any adversary given a secret key does not learn any more information about an encrypted message other than what can be deduced from an honest decryption.

Definition 9

Fix a security parameter $\lambda \in \mathbb {N}$. A functional encryption scheme $\varPi _{\mathsf {FE}}= (\mathsf {FE.Setup}, \mathsf {FE.KeyGen}, \mathsf {FE.Encrypt}, \mathsf {FE.Decrypt})$ is simulation secure for single-key if there exists a PPT simulator $\mathcal {S}= (\mathcal {S}_{\mathsf {Encrypt}}, \mathcal {S}_{\mathsf {KeyGen}})$ such that for all PPT adversary $\mathcal {A}$, there exists a negligible function $\mathsf {negl}(\lambda )$ such that

$$ \mathsf {Adv}_{\varPi _{\mathsf {FE}}, \mathcal {A}}^{\mathsf {FE}}(\lambda ) = \left| \Pr [\mathsf {Expt}_{\varPi _{\mathsf {FE}}, \mathcal {A}}^{\mathsf {REAL}}(\lambda )=1] - \Pr [\mathsf {Expt}_{\varPi _{\mathsf {FE}}, \mathcal {A}}^{\mathsf {RAND}}(\lambda )=1] \right| \le \mathsf {negl}(\lambda ) $$

where the experiments $\mathsf {Expt}_{\varPi _{\mathsf {FE}}, \mathcal {A}}^{\mathsf {REAL}}(\lambda )$ and $\mathsf {Expt}_{\varPi _{\mathsf {FE}}, \mathcal {A}}^{\mathsf {RAND}}(\lambda )$ are defined as follows:

Here, the algorithms $\mathcal {S}_{\mathsf {Encrypt}}$ and $\mathcal {S}_{\mathsf {KeyGen}}$ share common state and the simulator $\mathcal {S}_{\mathsf {KeyGen}}$ is given oracle access to the set of mappings $\mathcal {C}_{\mathsf {msg}} = \left\{ i \mapsto f^*(\mathbf {x}^{(i)}):\right. \left. i \in [Q] \right\} $ where Q represents the number of queries that $\mathcal {A}$ makes to $\mathcal {S}_{\mathsf {Encrypt}}$.

It was shown in [BSW11, AGVW13] that a functional encryption scheme satisfying the security definition above is impossible to achieve.

6.3 FE from Constrained PRFs

In this subsection, we present our construction of functional encryption. Fix a security parameter $\lambda $. Let $\varPi _{\mathsf {cPRF}}= (\mathsf {cPRF.Setup}, \mathsf {cPRF.Constrain}, \mathsf {cPRF.}\mathsf {ConstrainEval}, \mathsf {cPRF.Eval})$ be a constrained PRF with domain $\{0,1\}^{\lambda + \ell }$ and range $\{0,1\}^\lambda $ where $\ell $ is the size of the message in the functional encryption scheme. We also use an additional regular PRF, which we denote by $F_\mathbf {k}: \{0,1\}^\lambda \rightarrow \{0,1\}^\ell $. We construct $\varPi _{\mathsf {FE}}= (\mathsf {FE.Setup}, \mathsf {FE.KeyGen}, \mathsf {FE.Encrypt}, \mathsf {FE.Decrypt})$ as follows:

$\mathsf {FE.Setup}(1^\lambda )$: On input the security parameter $\lambda $, the setup algorithm first samples a regular PRF key $\mathbf {k}\overset{\$}{\leftarrow }\{0,1\}^\lambda $. Then, it runs $\mathsf {cprf.msk}\leftarrow \mathsf {cPRF.Setup}(1^\lambda )$ and sets $\mathsf {msk}= (\mathsf {cprf.msk}, \mathbf {k})$.
$\mathsf {FE.KeyGen}(\mathsf {msk}, f)$: On input the master secret key $\mathsf {msk}$ and a circuit f, the key generation algorithm generates a constrained PRF key $\mathsf {sk}_{C_{f,\mathbf {k}}}\leftarrow \mathsf {cPRF.Constrain}(\mathsf {cprf.msk}, C_{f,\mathbf {k}})$ where the circuit $C_{f,\mathbf {k}}$ is defined as follows:
$$C_{f,\mathbf {k}}(\mathbf {r},\mathbf {y}) = \left\{ \begin{array}{ll} 0 &{} \text{ if } f (F_\mathbf {k}(\mathbf {r}) \oplus \mathbf {y}) = 0 \\ 1 &{} \text{ otherwise } \end{array} \right. . $$
It outputs $\mathsf {sk}_f = \mathsf {sk}_{C_{f,\mathbf {k}}}$.
$\mathsf {FE.Encrypt}(\mathsf {msk}, \mathbf {x})$: On input the master secret key $\mathsf {msk}$, and a message $\mathbf {x}\in \{0,1\}^\ell $, the encryption algorithm first samples encryption randomness $\mathbf {r}\overset{\$}{\leftarrow }\{0,1\}^\lambda $ and computes $\mathbf {y}= F_\mathbf {k}(\mathbf {r}) \oplus \mathbf {x}$. Then, it returns
$$\begin{aligned} \mathsf {ct}= (\mathbf {r}, \mathbf {y}, \mathsf {cPRF.Eval}(\mathsf {cprf.msk}, \mathbf {r}\Vert \mathbf {y})) \end{aligned}$$
$\mathsf {FE.Decrypt}(\mathsf {sk}_f, \mathsf {ct})$: On input a secret key $\mathsf {sk}_f = \mathsf {sk}_{C_{f,\mathbf {k}}}$ and $\mathsf {ct}= (\mathbf {r}, \mathbf {y}, \tilde{\mathsf {ct}})$, the decryption algorithm returns 0 if $\mathsf {cPRF.ConstrainEval}(\mathsf {sk}_{C_{f,\mathbf {k}}}, \mathbf {r}\Vert \mathbf {y}) = \tilde{\mathsf {ct}}$ and 1 otherwise.

Correctness. To show correctness, we note that the decryption algorithm simply evaluates the PRF using the constrained key $\mathsf {cPRF.Constrain}(\mathsf {sk}_{C_{f,\mathbf {k}}}, \mathbf {r}\Vert \mathbf {y})$ and returns 0 if the result equals $\tilde{\mathsf {ct}}$ and 1 otherwise. Since $\tilde{\mathsf {ct}}$ is precisely the PRF evaluation using the master secret key $\mathsf {cPRF.Eval}(\mathsf {cprf.msk}, \mathbf {r}\Vert \mathbf {y})$, the two evaluations coincide if $C_{f,\mathbf {k}}(\mathbf {r},\mathbf {y}) = 0$. Also, if $\varPi _{\mathsf {cPRF}}$ satisfies the standard notion of pseudorandomness as in Definition 3, the PRF evaluation using the master secret key and the PRF evaluation using the constrained key differs with overwhelming probability if the constraint is not satisfied $C_{f,\mathbf {k}}(\mathbf {r},\mathbf {y}) = 1$.

6.4 Security

In this section, we prove security of construction above.

Theorem 6

Let $\varPi _{\mathsf {cPRF}}= (\mathsf {cPRF.Setup}, \mathsf {cPRF.Constrain}, \mathsf {cPRF.ConstrainEval}, \mathsf {cPRF.Eval})$ be a constrained PRF scheme satisfying the security properties of Definition 8. Also, let $F_\mathbf {k}$ be a secure PRF. Then, the functional encryption scheme $\varPi _{\mathsf {FE}}$ constructed above satisfies the simulation based security notion of Definition 9.

Proof

We proceed through a series of hybrid experiments where the first hybrid $\mathsf {H}_{0}$ represents the real experiment $\mathsf {Expt}_{\varPi _{\mathsf {FE}}, \mathcal {A}}^{\mathsf {REAL}}$ and the final hybrid $\mathsf {H}_{3}$ represents the ideal simulation $\mathsf {Expt}_{\varPi _{\mathsf {FE}}, \mathcal {A}}^{\mathsf {RAND}}$.

Hybrid $\mathsf {H}_{0}$: This is the real experiment. The challenger runs the real setup algorithm to generate $\mathsf {msk}$. Then the adversary makes a number of encryption queries and a key generation query which the challenger answers using its $\mathsf {msk}$.
Hybrid $\mathsf {H}_{1}$: In this experiment, the challenger runs the simulator for the constrained PRF to answer the adversary’s queries. More precisely, given a constrained PRF simulator $\mathcal {S}= (\mathcal {S}_{\mathsf {Eval}}, \mathcal {S}_{\mathsf {Constrain}})$, the challenger first samples a PRF key $\mathbf {k}\overset{\$}{\leftarrow }\{0,1\}^\lambda $ as $\mathsf {msk}$. Then for each encryption query $\mathbf {x}$ that the adversary makes, the challenger samples $\mathbf {r}\overset{\$}{\leftarrow }\{0,1\}^\lambda $, computes $\mathbf {y}\leftarrow F_\mathbf {k}(\mathbf {r}) \oplus \mathbf {x}$ and invokes the simulator to generate $\tilde{\mathsf {ct}} \leftarrow \mathcal {S}_{\mathsf {Eval}}(\mathbf {r}\Vert \mathbf {y})$. It provides $(\mathbf {r},\mathbf {y},\tilde{\mathsf {ct}})$ to the adversary as the encryption of $\mathbf {x}$. To answer the single key generation query on $f^*$ from the adversary, the challenger invokes the simulator $\mathcal {S}_{\mathsf {Constrain}}()$ to generate the key. For the set of mappings $\mathcal {C}_{\mathsf {constrain}}$ that are to be provided to $\mathcal {S}_{\mathsf {Constrain}}$, the challenger computes $f^*(\mathbf {x}^{(i)})$ itself and feeds it to the simulator.

By the assumption on the simulator $\mathcal {S}= (\mathcal {S}_{\mathsf {Eval}}, \mathcal {S}_{\mathsf {Constrain}})$, we have that the hybrids $\mathsf {H}_{0}$ and $\mathsf {H}_{1}$ are indistinguishable to the adversary. We note that in $\mathsf {H}_{1}$, the challenger does not actually use the PRF key $\mathbf {k}$ to generate the secret keys.
Hybrid $\mathsf {H}_{2}$: In this experiment, the challenger replaces $F_\mathbf {k}(\cdot )$ with a random function. Namely, to answer an encryption query $\mathbf {x}$ by the adversary, the challenger ignores the message $\mathbf {x}$ and samples $\tilde{\mathbf {y}}$ randomly $\tilde{\mathbf {y}} \overset{\$}{\leftarrow }\{0,1\}^\ell $. It then invokes $\tilde{\mathsf {ct}} \leftarrow \mathcal {S}_{\mathsf {Eval}}(\mathbf {r}\Vert \tilde{\mathbf {y}})$ and sets $(\mathbf {r}, \tilde{\mathbf {y}}, \tilde{\mathsf {ct}})$ as the encryption of $\mathbf {x}$. The rest of the experiment remains unchanged from $\mathsf {H}_{1}$.

Note that in both hybrid experiments $\mathsf {H}_{1}$ and $\mathsf {H}_{2}$, the challenger does not use the PRF key $\mathbf {k}$ other than in evaluating the PRF $F_\mathbf {k}(\cdot )$ to encrypt. Therefore, by the PRF security of $F_\mathbf {k}(\cdot )$, the two experiments are indistinguishable to the adversary. We note that in $\mathsf {H}_{2}$, the challenger does not use any information about the message $\mathbf {x}_i$ other than providing the simulator $\mathcal {S}_{\mathsf {Constrain}}$ with the values $f^*(\mathbf {x}^{(i)})$.
Hybrid $\mathsf {H}_{3}$: This experiment represents the ideal experiment where the challenger corresponds to the simulator for the functional encryption game. The simulator runs in exactly the same way as in the previous hybrid $\mathsf {H}_{2}$. Namely, for each encryption query $\mathbf {x}$ that the adversary makes, it samples $\mathbf {r}\overset{\$}{\leftarrow }\{0,1\}^\lambda $, $\mathbf {y}\overset{\$}{\leftarrow }\{0,1\}^\ell $ and invokes $\tilde{\mathsf {ct}} \leftarrow \mathcal {S}_{\mathsf {Eval}}(\mathbf {r}\Vert \tilde{\mathbf {y}})$. It sets $(\mathbf {r},\tilde{\mathbf {y}}, \tilde{\mathsf {ct}})$ as the encryption of $\mathbf {x}$. Note that to generate the ciphertext, it does not use any information about $\mathbf {x}$. For the single key query, the simulator invokes $\mathcal {S}_{\mathsf {Constrain}}()$. For the set of mappings $\mathcal {C}_{\mathsf {constrain}}$ that are to be provided to $\mathcal {S}_{\mathsf {Constrain}}$, it uses its own oracle $\mathcal {C}_{\mathsf {msg}}$ to provide the values $f^*(\mathbf {x}^{(i)})$.

It is easy to see that the distribution of the experiments $\mathsf {H}_{2}$ and $\mathsf {H}_{3}$ are identical.

We have shown that the experiment $\mathsf {H}_{0}$, which corresponds to $\mathsf {Expt}_{\varPi _{\mathsf {FE}}, \mathcal {A}}^{\mathsf {REAL}}$ and the experiment $\mathsf {H}_{3}$, which corresponds to $\mathsf {Expt}_{\varPi _{\mathsf {FE}}, \mathcal {A}}^{\mathsf {RAND}}$ are indistinguishable. This concludes the proof.

7 Conclusion and Open Problems

We constructed a privately puncturable PRF from worst-case lattice problems. Prior constructions of privately puncturable PRFs required heavy tools such as multilinear maps or $i\mathcal {O}$. This work provides the first privately puncturable PRF from a standard assumption. We also showed that for general functions, a natural simulation-based privacy definition for constrained PRFs is impossible to achieve.

Our PRF builds on the construction of [BV15], which supports circuit constraints. However, our construction does not extend to more general constraints, and it will be interesting to provide a private constrained PRF for a larger class of circuit constraints. For private puncturing, it will be interesting to give more constructions based on assumptions other than LWE.

Our construction satisfies the selective security game of private puncturable PRFs, and we rely on complexity leveraging for adaptive security. Recently, [HKW15] gave a way to achieve adaptively secure puncturable PRFs without complexity leveraging. Can we extend the result to private puncturable PRFs?

Finally, private constrained PRFs have a number of interesting applications, as explored here and in [BLW17]. It would be interesting to find further applications and relations to other cryptographic primitives.

Notes

1.
We note that LWE based predicate encryption constructions satisfy a weaker security property often referred to as weak attribute-hiding than as is defined in [BW07, KSW08].
2.
We adopt the convention that $f(x)=0$ signifies the ability to evaluate the PRF. This is opposite of the standard convention, and is done purely for convenience in the technical section.
3.
We note that the admissibility condition in Definition 4 allows an adversary to make two constrained key queries (see [BLW17] Remark 2.14). However, applications of privately puncturable PRFs require pseudorandomness property to be satisfied, which can only be achieved in the single-key setting. Therefore, the restriction of privacy to the single-key setting does not affect the applications of privately puncturable PRFs.
4.
There are other adaptively secure constrained PRF constructions for prefix fixing and bit-fixing constraints as in [FKPR14, Hof14]; however, they too either require superpolynomial loss in the security parameter or rely on random oracles. The construction of [BV15] achieves adaptive security for the challenge point, but is selective with respect to the constraint.
5.
By discrete Gaussian, we always mean the truncated discrete Gaussian.
6.
The term $(q/p) (\mathbb {Z}+ 1/2)$ is a slight abuse of notation when q / p is not even. In this case, we mean $(q/p) \cdot (\mathbb {Z}) + \lfloor (q/p) \cdot (1/2) \rfloor $.
7.
We slightly abuse the FHE syntax in Sect. 3.3.

References

Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). doi:10.1007/978-3-642-13190-5_28
Chapter Google Scholar
Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03356-8_35
Chapter Google Scholar
Abusalah, H., Fuchsbauer, G., Pietrzak, K.: Constrained PRFs for unbounded inputs. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 413–428. Springer, Cham (2016). doi:10.1007/978-3-319-29485-8_24
Chapter Google Scholar
Agrawal, S., Freeman, D.M., Vaikuntanathan, V.: Functional encryption for inner product predicates from learning with errors. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 21–40. Springer, Heidelberg (2011). doi:10.1007/978-3-642-25385-0_2
Chapter Google Scholar
Agrawal, S., Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption: new perspectives and lower bounds. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 500–518. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40084-1_28
Chapter Google Scholar
Ajtai, M.: Generating hard instances of lattice problems. In: STOC (1996)
Google Scholar
Alperin-Sheriff, J., Peikert, C.: Faster bootstrapping with polynomial error. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 297–314. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44371-2_17
Chapter Google Scholar
Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_14
Chapter Google Scholar
Brakerski, Z., Cash, D., Tsabary, R., Wee, H.: Targeted homomorphic attribute-based encryption. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 330–360. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53644-5_13
Chapter Google Scholar
Banerjee, A., Fuchsbauer, G., Peikert, C., Pietrzak, K., Stevens, S.: Key-homomorphic constrained pseudorandom functions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 31–60. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46497-7_2
Chapter Google Scholar
Boneh, D., Gentry, C., Gorbunov, S., Halevi, S., Nikolaenko, V., Segev, G., Vaikuntanathan, V., Vinayagamurthy, D.: Fully key-homomorphic encryption, arithmetic circuit abe and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_30
Chapter Google Scholar
Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014). doi:10.1007/978-3-642-54631-0_29
Chapter Google Scholar
Boyle, E., Gilboa, N., Ishai, Y.: Function secret sharing. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 337–367. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46803-6_12
Google Scholar
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (leveled) fully homomorphic encryption without bootstrapping. In: ITCS (2012)
Google Scholar
Boneh, D., Kim, S., Montgomery, H.: Private puncturable PRFs from standard lattice assumptions. Cryptology ePrint Archive, Report 2017/100 (2017). http://eprint.iacr.org/2017/100
Boneh, D., Lewi, K., Montgomery, H., Raghunathan, A.: Key homomorphic PRFs and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 410–428. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40041-4_23
Chapter Google Scholar
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: STOC (2013)
Google Scholar
Boneh, D., Lewi, K., Wu, D.J.: Constraining pseudorandom functions privately. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10175, pp. 494–524. Springer, Heidelberg (2017). doi:10.1007/978-3-662-54388-7_17
Chapter Google Scholar
Banerjee, A., Peikert, C.: New and improved key-homomorphic pseudorandom functions. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 353–370. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44371-2_20
Chapter Google Scholar
Brakerski, Z., Perlman, R.: Lattice-based fully dynamic multi-key FHE with short ciphertexts. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 190–213. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53018-4_8
Chapter Google Scholar
Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29011-4_42
Chapter Google Scholar
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). doi:10.1007/978-3-642-19571-6_16
Chapter Google Scholar
Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. SIAM J. Comput. 43(2), 831–871 (2014)
Article MathSciNet MATH Google Scholar
Brakerski, Z., Vaikuntanathan, V.: Lattice-based FHE as secure as PKE. In: ITCS (2014)
Google Scholar
Brakerski, Z., Vaikuntanathan, V.: Constrained key-homomorphic PRFs from standard lattice assumptions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 1–30. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46497-7_1
Chapter Google Scholar
Brakerski, Z., Vaikuntanathan, V.: Circuit-ABE from LWE: unbounded attributes and semi-adaptive security. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 363–384. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53015-3_13
Chapter Google Scholar
Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007). doi:10.1007/978-3-540-70936-7_29
Chapter Google Scholar
Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013). doi:10.1007/978-3-642-42045-0_15
Chapter Google Scholar
Boneh, D., Zhandry, M.: Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 480–499. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44371-2_27
Chapter Google Scholar
Canetti, R., Chen, Y.: Constraint-hiding constrained PRFs for NC1 from LWE. In: EUROCRYPT (2017)
Google Scholar
Canetti, R., Dwork, C., Naor, M., Ostrovsky, R.: Deniable encryption. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 90–104. Springer, Heidelberg (1997). doi:10.1007/BFb0052229
Chapter Google Scholar
Cohen, A., Holmgren, J., Nishimaki, R., Vaikuntanathan, V., Wichs, D.: Watermarking cryptographic capabilities. In: STOC (2016)
Google Scholar
Chor, B., Kushilevitz, E., Goldreich, O., Sudan, M.: Private information retrieval. J. ACM 45(6), 965–981 (1998)
Article MathSciNet MATH Google Scholar
Clear, M., McGoldrick, C.: Multi-identity and multi-key leveled FHE from learning with errors. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 630–656. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48000-7_31
Chapter Google Scholar
Chandran, N., Raghuraman, S., Vinayagamurthy, D.: Constrained pseudorandom functions: verifiable and delegatable. IACR Cryptology ePrint Archive, 2014:522 (2014)
Google Scholar
Deshpande, A., Koppula, V., Waters, B.: Constrained pseudorandom functions for unconstrained inputs. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 124–153. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49896-5_5
Chapter Google Scholar
Fuchsbauer, G., Konstantinov, M., Pietrzak, K., Rao, V.: Adaptive security of constrained PRFs. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 82–101. Springer, Heidelberg (2014). doi:10.1007/978-3-662-45608-8_5
Google Scholar
Fuchsbauer, G.: Constrained verifiable random functions. In: Abdalla, M., Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 95–114. Springer, Cham (2014). doi:10.1007/978-3-319-10879-7_7
Google Scholar
Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46497-7_20
Chapter Google Scholar
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM (JACM) 33(4), 792–807 (1986)
Article MathSciNet MATH Google Scholar
Gilboa, N., Ishai, Y.: Distributed point functions and their applications. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 640–658. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_35
Chapter Google Scholar
Gay, R., Méaux, P., Wee, H.: Predicate encryption for multi-dimensional range queries from lattices. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 752–776. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46447-2_34
Google Scholar
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40041-4_5
Chapter Google Scholar
Gorbunov, S., Vinayagamurthy, D.: Riding on asymmetry: efficient ABE for branching programs. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 550–574. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_23
Chapter Google Scholar
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. J. ACM (JACM) 62(6), 45 (2015)
Article MathSciNet MATH Google Scholar
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48000-7_25
Chapter Google Scholar
Hofheinz, D., Kamath, A., Koppula, V., Waters, B.: Adaptively secure constrained pseudorandom functions. IACR Cryptology ePrint Archive, 2014:720 (2014)
Google Scholar
Hohenberger, S., Koppula, V., Waters, B.: Adaptively secure puncturable pseudorandom functions in the standard model. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 79–102. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_4
Chapter Google Scholar
Hofheinz, D.: Fully secure constrained pseudorandom functions using random oracles. IACR Cryptology ePrint Archive, 2014:372 (2014)
Google Scholar
Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: CCS (2013)
Google Scholar
Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). doi:10.1007/978-3-540-78967-3_9
Chapter Google Scholar
Micciancio, D., Mol, P.: Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 465–484. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22792-9_26
Chapter Google Scholar
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29011-4_41
Chapter Google Scholar
Mukherjee, P., Wichs, D.: Two round multiparty computation via multi-key FHE. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 735–763. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49896-5_26
Chapter Google Scholar
O’Neill, A.: Definitional issues in functional encryption. IACR Cryptology ePrint Archive, 2010:556 (2010)
Google Scholar
Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem. In: STOC (2009)
Google Scholar
Peikert, C., Shiehian, S.: Multi-key FHE from LWE, revisited. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 217–238. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53644-5_9
Chapter Google Scholar
Regev, O.: Lattices in computer science-average case hardness. Lecture Notes for Class (scribe: Elad Verbin) (2004)
Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM (JACM) 56(6), 34 (2009)
Article MathSciNet MATH Google Scholar
Sahai, A., Seyalioglu, H.: Worry-free encryption: functional encryption with public keys. In: CCS (2010)
Google Scholar
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). doi:10.1007/11426639_27
Chapter Google Scholar
Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: STOC (2014)
Google Scholar

Download references

Acknowledgements

We thank the anonymous Eurocrypt reviewers for their insightful comments which helped improve the paper. We also thank David Wu for his helpful comments on the definition of privately constrained PRFs. This work is supported by NSF, DARPA, the Simons foundation, and a grant from ONR. Opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of DARPA. Part of the work was also done while the second author was visiting Fujitsu Laboratories of America as an intern.

Author information

Authors and Affiliations

Stanford University, Stanford, USA
Dan Boneh & Sam Kim
Fujitsu Laboratories of America, Sunnyvale, USA
Hart Montgomery

Authors

Dan Boneh
View author publications
You can also search for this author in PubMed Google Scholar
Sam Kim
View author publications
You can also search for this author in PubMed Google Scholar
Hart Montgomery
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Sam Kim .

Editor information

Editors and Affiliations

University of Luxembourg, Luxembourg, Luxembourg
Jean-Sébastien Coron
Aarhus University, Aarhus, Denmark
Jesper Buus Nielsen

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Boneh, D., Kim, S., Montgomery, H. (2017). Private Puncturable PRFs from Standard Lattice Assumptions. In: Coron, JS., Nielsen, J. (eds) Advances in Cryptology – EUROCRYPT 2017. EUROCRYPT 2017. Lecture Notes in Computer Science(), vol 10210. Springer, Cham. https://doi.org/10.1007/978-3-319-56620-7_15

Download citation

DOI: https://doi.org/10.1007/978-3-319-56620-7_15
Published: 01 April 2017
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-56619-1
Online ISBN: 978-3-319-56620-7
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics