Constraint-Hiding Constrained PRFs for NC $$^1$$ from LWE

Canetti, Ran; Chen, Yilei

doi:10.1007/978-3-319-56620-7_16

Ran Canetti^15,16 &
Yilei Chen¹⁵

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10210))

Included in the following conference series:

Annual International Conference on the Theory and Applications of Cryptographic Techniques

3397 Accesses
47 Citations

Abstract

Constraint-hiding constrained PRFs (CHCPRFs), initially studied by Boneh, Lewi and Wu (PKC 2017), are constrained PRFs where the constrained key hides the description of the constraint. Envisioned with powerful applications such as searchable encryption, private-detectable watermarking and symmetric deniable encryption, the only known candidates of CHCPRFs are based on indistinguishability obfuscation or multilinear maps with strong security properties.

In this paper we construct CHCPRFs for all NC$^1$ circuits from the Learning with Errors assumption. The construction draws heavily from the graph-induced multilinear maps by Gentry, Gorbunov and Halevi (TCC 2015), as well as the existing lattice-based PRFs. In fact, our construction can be viewed as an instance of the GGH15 approach where security can be reduced to LWE.

We also show how to build from CHCPRFs reusable garbled circuits (RGC), or equivalently private-key function-hiding functional encryptions with 1-key security. This provides a different approach of constructing RGC from that of Goldwasser et al. (STOC 2013).

You have full access to this open access chapter, Download conference paper PDF

Constraining and Watermarking PRFs from Milder Assumptions

Constrained Key-Homomorphic PRFs from Standard Lattice Assumptions

Private Constrained PRFs (and More) from LWE

Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Constrained PRFs [15, 16, 39] are pseudorandom functions with a special mode that outputs a constrained key defined by a predicate C. The constrained key $\mathsf {CK}_C$ preserves the functionality over the inputs x s.t. $C(x)=1$, while leaving the function values on inputs x s.t. $C(x)=0$ pseudorandom. In the standard formulation of constrained PRFs, the constrained key is not required to hide the predicate C. In fact, many constructions of constrained PRFs do reveal the constraint. A quintessential example is GGM’s puncturable PRF [33] where $\mathsf {CK}$ explicitly reveals the punctured points.

The notion of constraint-hiding constrained PRF (CHCPRF), proposed by Boneh, Lewi and Wu [12], makes the additional guarantee that the constraining predicate C remains hidden, even given the constrained key. Such an additional property allows the primitive to provide fairly natural constructions of searchable encryption, watermarking, deniable encryption, and others. However, they only propose candidates of CHCPRFs based on strong assumptions, like indistinguishability obfuscation (iO) or heuristic assumptions on candidate multilinear maps (multilinear-DDH or subgroup elimination).

This Work. We further investigate the notion of CHCPRF, propose constructions based on standard cryptographic assumptions, and demonstrate more applications.

We first propose an alternative, simulation-based definition for CHCPRF. While for the cases addressed in our constructions the new style is (almost) equivalent to the indistinguishability-based one from [12], the new formulation provides a different viewpoint on the primitive.

Our main result is a construction of CHCPRF for all $\mathsf {NC}^1$ circuit constraints based on the Learning with Errors (LWE) assumption [48]:

Theorem 1

Assuming the intractability of LWE, there are CHCPRFs with 1-key simulation-based security, for all constraints recognizable by $\mathsf {NC}^1$ circuits.

The construction combines the graph-induced multilinear maps by Gentry, Gorbunov and Halevi [31], their candidate obfuscator, and the lattice-based PRFs of [5, 6, 11, 19]. At the heart of our technical contribution is identifying a restricted (yet still powerful) variant of the GGH15 maps, whose security can be reduced to LWE. This involves formulating new “LWE-hard” secret distributions that handle the permutation matrices underlying Barrington’s construction.

In addition, we construct function-hiding private-key functional encryptions (equivalently, reusable garbled circuits [34]) from CHCPRFs. This gives a construction of reusable garbled circuits from LWE that is very different from that of [34]:

Theorem 2

For a circuit class $\mathcal {C}$, assuming 1-key simulation-based CHCPRFs for constraints in $\mathcal {C}$, and CPA secure private-key encryption whose decryption circuit is in $\mathcal {C}$, there exist 1-key secure reusable garbled circuits for $\mathcal {C}$.

1.1 CHCPRFs, Functional Encryption and Obfuscation

We propose a simulation-based definitional approach for CHCPRF, and compare this approach to the indistinguishability-based approach of Boneh et al. [12].

Defining CHCPRFs. A constrained PRF consists of three algorithms: Master secret key generation, constrained key generation, and function evaluation. We first note that in order to have hope to hide the constraint, the function evaluation algorithm should return a random-looking value v even if evaluated on a constrained input x, as opposed to returning $\perp $ as in the standard formulation. Furthermore, we require that the value of the original function on x remains pseudorandom even given the constrained key and the value v.

The definition of CHCPRF is aimed at capturing three requirements: (1) the constrained keys preserve functionality on inputs that do not match the constraint; (2) the function values at constrained points remain pseudorandom given the constrained key; (3) the constrained key does not reveal any information on the constraining function.

Boneh et al. [12] give a number of indistinguishability-based definitions that vary in strength, depending on the level of adaptivity of the adversary in choosing the constraints and evaluation points, as well as on the number of constrained keys that the adversary is allowed to see. We take an alternative approach and give a simulation-based definition. We also compare the definitions, and show equivalence and derivations in a number of cases.

Here is a sketch of the non-adaptive single-key variant of our simulation-based definition. The definition captures all three requirements via a single interaction: We require that, for any polytime adversary, there exists a polytime simulator such that the adversary can distinguish between the outcomes of the following two experiments only with negligible probability:

In the real experiment, the system first generates a master secret key K. The adversary can then query a constraint circuit C and many inputs $x^{(1)},\ldots ,x^{(t)}$. In return, it obtains $\mathsf {CK}_C, x^{(1)}, \ldots ,x^{(t)}, y^{(1)},\ldots ,y^{(t)}$, where $\mathsf {CK}_C$ is a key constrained by C, and $y^{(i)}$ is the result of evaluating the original, unconstrained function with key K at point $x^{(i)}$. (This is so regardless of whether $x^{(i)}$ meets the constraint or not.)
In the ideal experiment, the simulator samples a master secret key $K^S$. Once received a constraint query, the simulator obtains only the description length of C and creates a simulated constrained key $\mathsf {CK}^S$. Once received input queries $x^{(1)},\ldots ,x^{(t)}$, the simulator also t indicator bits $d^{(1)},\ldots ,d^{(t)}$ where the $d^{(i)}$ denotes whether $x^{(i)}$ is in the constraint, and generates simulated values $y^{(1)S},\ldots ,y^{(t)S}$. If $d^{(i)}=0$, then the simulated $y^{(i)S}$ is uniformly random. The output of the experiment is $\mathsf {CK}^S,x^{(1)},\ldots ,x^{(t)}, y^{(1)S},\ldots ,y^{(t)S}$.

Secret-Key Functional Encryption from Simulation-Based CHCPRFs. We sketch our construction of functional encryption from CHCPRFs. Functional encryption [13] allows the evaluator, given a functional decryption key, to learn the value of the function applied to encrypted data without learning anything else. With CHCPRFs in hand, it is rather simple to construct a private-key functional encryption scheme that is both function-private and input-private. Our functional encryption scheme proceeds as follows:

Key generation: The master key for the scheme is a key K for a CHCPRF, and a key $\mathsf {SK}$ for a CPA-secure symmetric encryption scheme $(\mathsf {Enc}, \mathsf {Dec})$.
Encrypt a message m: $\mathsf {CT}=(c,t)$, where $c= \mathsf {Enc}_{\mathsf {SK}}(m)$, and $t = \mathsf {CHCPRF}_K(c)$.
Functional decryption key: The functional decryption key for a binary function f is a constrained-key $\mathsf {CK}_{\hat{f}}$ for the function $\hat{f}(c) = f(\mathsf {Dec}_{\mathsf {SK}}(c))$. That is, $\hat{f}$ has $\mathsf {SK}$ hardwired; it decrypts its input c and applies f to the plaintext.
Functional decryption: Given ciphertext $\mathsf {CT}=(c,t)$ and the constrained decryption key $\mathsf {CK}_{\hat{f}}$, output $1$ if $t=\mathsf {CHCPRF}_{\mathsf {CK}_{\hat{f}}}(c)$, $0$ otherwise.

Correctness of decryption follows from the correctness and constrainability of the CHCPRF, and secrecy follows from the constraint-hiding property.

This construction is conceptually different from the previous construction [34]. In particular, the size of ciphertext (for 1-bit output) is the size of a symmetric encryption ciphertext plus the security parameter, independent of the depth of the circuit.

Two-Key CHCPRFs Imply Obfuscation. It is natural to consider an extension of the CHCPRF definition to the case where the adversary may obtain multiple constrained keys derived from the same master key. Indeed in [12] some applications of this extended notion are presented.

We observe that this extended notion in fact implies full fledged program obfuscation: To obfuscate a circuit C, choose a key K for a CHCPRF, and output two constrained keys: The constrained key $\mathsf {CK}[C]$, and the constrained key $\mathsf {CK}[I]$, where I is the circuit that always outputs 1. To evaluate C(x) check whether $\mathsf {CHCPRF}_{\mathsf {CK}[C]}(x)=\mathsf {CHCPRF}_{\mathsf {CK}[I]}(x)$.

Again, correctness of evaluation follows from the correctness and constrainability of the CHCPRF. The level of security for the obfuscation depends on the definition of CHCPRF in use. Specifically, the natural extension of the above simulation-based definition to the two-key setting implies that the above simple obfuscation method is VBB (which in turn means that the known impossibility results for VBB obfuscation carry over to this variant of two-key CHCPRF). The indistinguishability-based definition of [12] implies that the above obfuscation method is IO.

1.2 Overview of Our Construction

Our construction of CHCPRFs draws heavily from the multilinear maps by Gentry et al. [31], and the lattice-based PRFs of Banerjee et al. [5, 6, 11, 19]. We thus start with a brief review of the relevant parts of these works.

Recap GGH15. The GGH15 multilinear encoding is depicted by a DAG that defines the rule of homomorphic operations and zero-testing. For our purpose it is sufficient to consider the following special functionality (which corresponds to a graph of $\ell $ nodes and two parallel edges from node i to node $i+1$, see Fig. 1a): We would like to encode $2\ell +1$ secrets $s_1^0,s_1^1,\ldots ,s_\ell ^0,s_\ell ^1,s_T$ over some finite group G, in such a way that an evaluator who receives the encodings can test, for any given $x \in \{0,1\}^{\ell }$, whether $s_{T}=\prod _{i=1}^{\ell }s_i^{x_i}$, and at the same time the encodings hide “everything else” about the secrets. (Indeed, “everything else” might have different meanings in different contexts.)

To do that, GGH15 take the group G to actually be a ring $R_q$, where R denotes the base ring (typical choices include $R=\mathbb {Z}^{n\times n}$ or $R=\mathbb {Z}[x]/(\varPhi _n(x))$, where n is a parameter related to the lattice dimension, and $\varPhi _n$ is the $n^{th}$ cyclotomic polynomial), and q is the modulus. The encoder then samples $\ell +1$ hard Ajtai-type matrices $ \{ \mathbf {A} _1, \mathbf {A} _2,\ldots , \mathbf {A} _\ell , \mathbf {A} _{\ell +1}\leftarrow R_q^{1\times m} \} $ with trapdoors [2, 3, 44], and associates each matrix with the corresponding node of the graph. These matrices and their trapdoors are treated as (universal) public and secret parameters, respectively. We refer to the indices $1\ldots \ell +1$ as levels.

The $2\ell $ secrets are associated with the $2\ell $ edges of the graph in the natural way. Encoding a secret $s_i^b$ is done in two steps: First create an LWE sample for the secret $s_i^b$ under the matrix $ \mathbf {A} _{i+1}$, namely ${\mathbf {Y}^{b}_{i}} = s_i^b \mathbf {A} _{i+1}+{\mathbf {E}^{b}_{i}}$. Next, sample a preimage ${\mathbf {D}^{b}_{i}}$ of ${\mathbf {Y}^{b}_{i}}$ under the matrix $ \mathbf {A} _i$, using the trapdoor of $ \mathbf {A} _i$. That is, ${ \mathbf {A} _i{\mathbf {D}^{b}_{i}} = {\mathbf {Y}^{b}_{i}}}$ and ${\mathbf {D}^{b}_{i}}$ is sampled from discrete Gaussian distribution of small width. The encoder then lets ${\mathbf {D}^{b}_{i}}$ be the encoding of ${{s}^{b}_{i}}$. The encoding $T$ of $s_T$, where $s_T=\prod _{i=1}^{\ell }s_i^{x_i}$ for some $x \in \{0,1\}^{\ell }$, is defined as $T=F(x)$, where $F(x)= \mathbf {A} _1\prod _{i=1}^{\ell }{\mathbf {D}^{x_i}_{i}}$. Finally, the values $ \mathbf {A} _1, \mathbf {D} _1^0, \mathbf {D} _1^1,\ldots , \mathbf {D} _\ell ^0, \mathbf {D} _\ell ^1,T$ are given to the evaluator. To test a given $x'\in \{0,1\}^{\ell }$, the evaluator computes $F(x')$ and checks whether $F(x')-T$ is a matrix with small entries.

To see why this works out functionality-wise consider the following equation:

$$\begin{aligned} F(x) = \mathbf {A} _1\prod _{i=1}^{\ell }{\mathbf {D}^{x_i}_{i}} = \prod _{i=1}^{\ell }{{s}^{x_i}_{i}} \mathbf {A} _{\ell +1}+ \underbrace{\sum _{i=1}^{\ell } \left( \prod _{j=1}^{i-1}{{s}^{x_i}_{i}} \cdot {\mathbf {E}^{x_i}_{i}} \cdot \prod _{k=i+1}^{\ell }{\mathbf {D}^{x_i}_{i}} \right) }_{ \mathbf {E} _{x}} \pmod q. \end{aligned}$$

(1)

Indeed, if the secrets $s_i^b$ are set with small norm, then the entire $ \mathbf {E} _{x}$ term can be viewed as a small error term, so the dominant factor, $\prod _{i=1}^{\ell }{{s}^{x_i}_{i}} \mathbf {A} _{\ell +1}$, will be purely determined by the multiplicative relationship of the secrets. As for security, observe that the encoding ${\mathbf {D}^{b}_{i}}$ of each secret $s_i^b$ amounts to an LWE encoding of $s_i^b$, and furthermore the encoding of $s_x=\prod _{i=1}^{\ell }s_i^{x_i}$ is also in the form of an LWE instance $ \mathbf {A} _{\ell +1}$, $\prod _{i=1}^{\ell }s_i^{x_i} \mathbf {A} _{\ell +1}+ \mathbf {E} _x \pmod q$. Of course, being in the form of LWE does not amount to a clear security property that is based on LWE. We discuss this point further below.

The Power and Danger in the GGH15 Approach. The GGH15 encoding embeds the plaintext s into the secret term of the LWE instance, unlike in other LWE-based systems (e.g. Regev [48] or dual-Regev [32]) where the plaintext is associated with the error term or the $ \mathbf {A} $ matrix. While the graph structure and trapdoor sampling mechanism enables homomorphic evaluations on the LWE secrets, analyzing the security becomes tricky. Unlike the traditional case where the LWE secrets s are independent and random, here the LWE secrets, representing plaintexts, are taken from distributions that are potentially structured or correlated with each other.

Such dependencies make it hard to prove security of the trapdoor sampling: Recall that the encoding $ \mathbf {D} _i$ of some secret $\hat{s}_i$ (possibly obtained from an evaluation over correlated secrets) is the preimage of $ \mathbf {Y} _i := \hat{s}_i \mathbf {A} _{i+1}+ \mathbf {E} $ sampled by the trapdoor of $ \mathbf {A} _{i}$. For instance, in the extreme case where $\hat{s}_i=0$, then the public encoding $ \mathbf {D} _i$ becomes a “weak trapdoor” of $ \mathbf {A} _{i}$, which endangers the secrets encoded on the edges heading to $ \mathbf {A} _{i}$ [31].

Consequently, to safely use the GGH15 encoding, one has to consider the joint distribution of all the LWE secrets $s_i^b$, and demonstrate that the trapdoor sampling algorithm remains secure even with respect to these secrets. We demonstrate how to do that in a specific setting, by showing that there exists a “simulated” way to sample the encodings without knowing the secrets or trapdoors, and the resulting sample is indistinguishable from the real one.

LWE-Based PRFs. The example of the “subset product” type encoding may remind the readers of the lattices-based pseudorandom functions [5, 6, 11, 19]. Indeed, recall the basic construction of Banerjee et al. [6, Sect. 5.1]. For modulus $2\le p<q$ chosen such that q/p is exponential in the input length $\ell $. The secret keys of the PRF are exactly $2\ell $ LWE secrets $s_1^0,s_1^1,\ldots ,s_\ell ^0,s_\ell ^1$ and a uniform matrix $ \mathbf {A} $ over $R_q$. To evaluate, compute $F(x)=\left\lfloor \prod _{i=1}^{\ell }{{s}^{x_i}_{i}} \mathbf {A} \right\rceil _p$ where $\left\lfloor v \right\rceil _p$ means multiplying v by p/q and rounding to the nearest integer. Rounding plays a crucial role in the security proof, since it allows to add fresh small noise terms without changing the functionality whp, hence one can inductively obtain fresh LWE instances on any level.

Our Construction for Bit-Fixing Constraints. A bit-fixing constraint is specified by a string $ \mathbf {c} \in \{ 0,1,\star \} ^\ell $, where 0 and 1 are the matching bits and $\star $ denotes the wildcards. The constrain predicate C outputs $1$ if the input matches $ \mathbf {c} $.

The combination of GGH15 and lattice-based PRFs inspires us to construct CHCPRFs for bit-fixing constraints. In fact, after rounding F(x) in Eq. (1), the functionality of $\left\lfloor F(x) \right\rceil $ is equivalent to (up to the rounding error) both the BPR PRF [6, Sect. 5.1] and a variant of the PRF in [11, Sect. 5.1]. If we take the $2\ell $ LWE secrets $s_1^0,s_1^1,\ldots ,s_\ell ^0,s_\ell ^1$ as master secret key, the encodings $ \mathbf {A} _1, \mathbf {D} _1^0, \mathbf {D} _1^1,\ldots , \mathbf {D} _\ell ^0, \mathbf {D} _\ell ^1$ as the evaluation key in the normal mode. An intuitive constraining algorithm is simply replacing the LWE secret of the constrained bit with an independent random element t, and reproduce its encoding $ \mathbf {D} _t$. As an example, Fig. 1a and b illustrate the normal mode and constrained mode of a bit-fixing PRF.

We show that the key and the outputs from both the normal mode and the constrained mode (both modes use trapdoor sampling) are indistinguishable from an oblivious sampling procedure without using the trapdoors. The proof proceeds level-by-level (from level $\ell $ to level 1). Within each level i, there are two steps. The first step uses the computational hardness of LWE: observe that the LWE samples associated on $ \mathbf {A} _{i+1}$ are with independent secrets, and $ \mathbf {A} _{i+1}$ is trapdoor-free in that hybrid distribution by induction, so the LWE samples are indistinguishable from uniformly random. The second step uses a statistical sampling lemma by Gentry, Peikert and Vaikuntanathan [32], which says the preimage of uniform outputs can be sampled without using the trapdoor of $ \mathbf {A} _i$. The proof strategy is first illustrated by Brakerski et al. where they construct an evasive conjunction obfuscator from GGH15 [20].

We note that this construction and analysis imply that a variant of the PRF from [11] also satisfies 1-key bit-fixing constraint hiding. Although the PRF from [11] does not involve the trapdoor sampling procedure and is much simpler as a bit-fixing CHCPRF, understanding the GGH15-based version is beneficial for understanding the CHCPRF for $\mathsf {NC}^1$ coming next.

Embedding a General Constraint in the PRF Keys. We move on towards embedding a general constraint in the key. Consider in particular the task of puncturing the key at a single point without revealing the point, which is essential to the applications like watermarking and deniable encryption mentioned in [12]. Indeed, even that simple function seems to require some new idea.

To preserve the graph structure while handling general constraints, Barrington’s Theorem [8] comes into the picture. Recall that Barrington’s Theorem converts any depth-d Boolean circuits into an oblivious branching program of length $z\le 4^d$ composed of permutation matrices $ \{ {\mathbf {B}^{b}_{i}} \} _{b\in \{0,1\}, i\in [z]}$ of dimension w (by default $w=5$). Evaluation is done via multiplying the matrices selected by input bits, with the final output $ \mathbf {I} ^{w\times w}$ or a w-cycle $ \mathbf {P} $ recognizing $1$ or $0$ respectively.

To embed permutation matrices in the construction, we set the secret term for the normal mode as (where $\otimes $ is the tensor product operator); in the constrained mode as ${\mathbf {S}^{b}_{i}} = {\mathbf {B}^{b}_{i}} \otimes {{s}^{b}_{i}}$. This provides the functionality of constraining all $\mathsf {NC}^1$ circuits. See Fig. 1c for an example of 2-bit point constraint $x_1x_2\in \{0,1\}^2$, where $x_1$ controls the $1^{st}$ and $3^{rd}$ branches, $x_2$ controls the $2^{nd}$ and $4^{th}$ branches, $ \mathbf {Q} $ and $ \mathbf {R} $ represent different w-cycles.

We then analyze whether the permutation matrix structures are hidden in the constrained key, and whether the constrained outputs are pseudorandom. The first observation is that the tensor product of a permutation matrix $ \mathbf {B} $ and any hard LWE secret distribution s forms a hard LWE distribution, i.e. $ \mathbf {A} , \left( \mathbf {B} \otimes s\right) \cdot \mathbf {A} + \mathbf {E} $ is indistinguishable from uniformly random. This means both the secret and the permutation matrices are hidden in the constrained key.

Still, the rounded constrained output $\left\lfloor ( \mathbf {P} \otimes \prod _{i=1}^{\ell }{{s}^{x_i}_{i}})\cdot \mathbf {A} _{z+1} \right\rceil $ is a fixed permutation of the original value. So the adversary can left-multiply $ \mathbf {P} ^{-1}$ to obtain the original output. To randomize the constrained outputs, we adapt the “bookend” idea from the GGH15 candidate obfuscator. That is, we multiply the output on the left by a small random vector $ \mathbf {J} \in R^{1\times w}$. By a careful reduction to standard LWE, one can show that $ \mathbf {A} , \mathbf {J} \mathbf {A} + \mathbf {E} $, $ \mathbf {J} \left( \mathbf {P} \otimes 1_R\right) \mathbf {A} + \mathbf {E'} $ is indistinguishable from uniformly random.

With these two additional hard LWE distributions in the toolbox, we can base $\mathsf {NC}^1$ CHCPRF on LWE via the same two-step proof strategy (i.e. LWE+GPV in each level) used in the bit-fixing construction.

1.3 More on Related Work

More Background on Multilinear Maps and the Implication of this Work. The notion of cryptographic multilinear maps was introduced by Boneh and Silverberg [14]. Currently there are three main candidates [26, 30, 31], with a number of variants. However, what security properties hold for the candidates remains unclear. In particular, none of the candidates is known to satisfy the multilinear DDH or subgroup elimination assumptions that are sufficient for the CHCPRFs by Boneh et al. [12] (see [24, 25, 30, 37] for the attacks on these assumptions).

Note that even our result does not imply that GGH15 satisfies the traditional assumptions like multilinear DDH, but at least it demonstrates a safe setting. To what extent can the safe setting be generalized remains an open problem. Indeed, a central task in the study of the existing candidate multilinear maps is to identify settings where they can be used based on standard cryptographic assumptions [36].

Relations to the GGH15 Candidate Program Obfuscator. Our construction for $\mathsf {NC}^1$ constraints is strongly reminiscent of the candidate obfuscator from GGH15 [31, Sect. 5.2]. In particular, the “secrets” in the CHCPRF corresponds to the “multiplicative bundling scalars” from the GGH15 obfuscator. Under the restriction of releasing only 1 branch (either the functional branch or the dummy branch), our result implies that the “scalars” and permutation matrices can be hidden (without using additional safeguards such as the Kilian-type randomization and padded randomness on the diagonal).

In contrast, the recent cryptanalysis of the GGH15 obfuscator [23] shows that when releasing both the functional key and the dummy key, one can extract the bundling scalars even if the obfuscator is equipped with all the safeguards.

It might be instructive to see where our reduction to LWE fail if one attempts to apply our proof technique to the two-key setting. The point is that in this case, the adversary obtains LWE samples $ \mathbf {Y} , \mathbf {Y} '$ with correlated secrets; Therefore it is not clear how to simulate the Gaussian samples of $ \mathbf {D} $ conditioned on ${ \mathbf {A} \mathbf {D} = \mathbf {Y} }$ or of $ \mathbf {D} '$ conditioned on ${ \mathbf {A} ' \mathbf {D} ' = \mathbf {Y} '}$, without knowing the trapdoors of $ \mathbf {A} $ and $ \mathbf {A} '$.

1.4 Concurrent Work

In an independent work, Boneh, Kim and Montgomery [10] build CHCPRF from LWE, for the special case of input puncturing constraints. Their construction is very different from ours. In particular, their starting point is the (non-hiding) constrained PRF by Brakerski and Vaikuntanathan [19].

While they analyze their construction with respect to the indistinguishability-based definition, they also consider a simulation-based definition that is significantly stronger than the one here. They show that it is impossible to realize that definition for general functions. To do that, they use the same construction of functional encryption from CHCPRFs as the one presented here.

2 Preliminaries

Notations and Terminology. Let $\mathbb {R}, \mathbb {Z}, \mathbb {N}$ be the set of real numbers, integers and positive integers. The notation R is often used to denote some base ring. The concrete choices of R are $\mathbb {Z}^{n\times n}$ (the integer matrices) and $\mathbb {Z}[x]/(x^n+1)$ (where n is a power of 2). We denote R/(qR) by $R_q$. The rounding operation $\left\lfloor a \right\rceil _p: \mathbb {Z}_q \rightarrow \mathbb {Z}_p$ is defined as multiplying a by p/q and rounding the result to the nearest integer.

For $n\in \mathbb {N}$, $[n] := \{ 1,\ldots , n \} $. A vector in $\mathbb {R}^n$ is represented in column form, and written as a bold lower-case letter, e.g. $ \mathbf {v} $. For a vector $ \mathbf {v} $, the $i^{th}$ component of $ \mathbf {v} $ will be denoted by $v_i$. A matrix is written as a bold capital letter, e.g. $ \mathbf {A} $. The $i^{th}$ column vector of $ \mathbf {A} $ is denoted $ \mathbf {a} _i$.

The length of a vector is the $\ell _p$-norm $\Vert \mathbf {v} \Vert _p = (\sum v_i^p)^{1/p}$. The length of a matrix is the norm of its longest column: $\Vert \mathbf {A} \Vert _p = \max _i \Vert \mathbf {a} _i\Vert _p$. By default we use $\ell _2$-norm unless explicitly mentioned. When a vector or matrix is called “small” (or “short”), we refer to its norm (resp. length). The thresholds of “small” will be precisely parameterized in the article and are not necessary negligible functions.

2.1 Matrix Branching Programs

Definition 1

(Matrix branching programs). A width-w, length-z matrix branching program over $\ell $-bit inputs consists of an index-to-input map, a sequence of pairs of matrices $ {\mathbf {B}^{b}_{i}}$, and a non-identity matrix $ \mathbf {P} $ representing $0$: $\mathsf {BP}= \{ \iota : [z]\rightarrow [\ell ], \{ {\mathbf {B}^{b}_{i}} \in \{0,1\}^{w\times w} \} _{i\in [z],b\in \{0,1\}} ,~ \mathbf {P} \in \{0,1\}^{w\times w}\setminus \{ \mathbf {I} \} \} .$ The program computes the function $f_{\mathsf {BP}}: \{0,1\}^\ell \rightarrow \{0,1\}$, defined as

$$ f_{\mathsf {BP}}(x)={\left\{ \begin{array}{ll} 1&{} \text{ if } \, \,\, \, {\mathop {\prod }\nolimits _{i\in [z]}} {\mathbf {B}^{x_{\iota (i)}}_{i}}= \mathbf {I} \\ 0&{}\text{ if } \, \, \, \,{\mathop {\prod }\nolimits _{i\in [z]}} {\mathbf {B}^{x_{\iota (i)}}_{i}}= \mathbf {P} \\ \bot &{}\text{ elsewhere } \\ \end{array}\right. } $$

A set of branching programs $ \{ \mathsf {BP} \} $ is called oblivious if all the programs in the set have the same index-to-input map $\iota $.

Theorem 3

(Barrington’s theorem [8]). For $d\in \mathbb {N}$, and for any set of depth-d fan-in-2 Boolean circuits $ \{ C \} $, there is an oblivious set of width-5 length-$4^d$ branching programs $ \{ \mathsf {BP} \} $ with a index-to-input map $\iota $, where each $\mathsf {BP}$ is composed of permutation matrices $ \{ {\mathbf {B}^{b}_{i}} \in \{0,1\}^{5\times 5} \} _{i\in [z],b\in \{0,1\}} $, a 5-cycle $ \mathbf {P} $, and $\iota $.

2.2 Lattices

An n-dimensional lattice $\varLambda $ is a discrete additive subgroup of $\mathbb {R}^n$. Given n linearly independent basis vectors $ \mathbf {B} = \{ \mathbf {b} _1,\ldots , \mathbf {b} _n\in \mathbb {R}^n \} $, the lattice generated by $ \mathbf {B} $ is $\varLambda ( \mathbf {B} ) = \varLambda ( \mathbf {b} _1,\ldots , \mathbf {b} _n) = \{ \sum \limits _{i=1}^{n} x_i\cdot \mathbf {b} _i , x_i\in \mathbb {Z}\}$. We have the quotient group $\mathbb {R}^n/\varLambda $ of cosets $ \mathbf {c} +\varLambda = \{ \mathbf {c} + \mathbf {v} , \mathbf {v} \in \varLambda \} $, $ \mathbf {c} \in \mathbb {R}^n$. Let $ \mathbf {\tilde{B}} $ denote the Gram-Schmidt orthogonalization of $ \mathbf {B} $.

Gaussian on Lattices. For any $\sigma > 0$, define the Gaussian function on $\mathbb {R}^n$ centered at $ \mathbf {c} $ with parameter $\sigma $:

$$ \forall \mathbf {x} \in \mathbb {R}^n, ~ \rho _{\sigma , \mathbf {c} }( \mathbf {x} ) = e^{-\pi \Vert \mathbf {x} - \mathbf {c} \Vert ^2/\sigma ^2}$$

For any $ \mathbf {c} \in \mathbb {R}^n$, $\sigma > 0$, and n-dimensional lattice $\varLambda $, define the discrete Gaussian distribution over $\varLambda $ as:

$$ \forall \mathbf {x} \in \varLambda , ~ D_{\varLambda + \mathbf {c} , \sigma }( \mathbf {x} ) = \frac{\rho _{\sigma , \mathbf {c} }( \mathbf {x} )}{\rho _{\sigma , \mathbf {c} }(\varLambda )} $$

Lemma 1

[45, 47]. Let $ \mathbf {B} $ be a basis of an m-dimensional lattice $\varLambda $, and let $\sigma \ge \Vert \tilde{ \mathbf {B} }\Vert \cdot \omega ( \log n)$, then $\Pr _{ \mathbf {x} \leftarrow D_{\varLambda , \sigma }}[ \Vert \mathbf {x} \Vert \ge \sigma \cdot \sqrt{m} \vee \mathbf {x} = \mathbf {0} ]\le \mathsf {negl}(n)$.

Gentry, Peikert and Vaikuntanathan [32] show how to sample statistically close to discrete Gaussian distribution in polynomial time for sufficiently large $\sigma $ (the algorithm is first proposed by Klein [40]). The sampler is upgraded in [18] so that the output is distributed exactly as a discrete Gaussian.

Lemma 2

[18, 32]. There is a p.p.t. algorithm that, given a basis $ \mathbf {B} $ of an n-dimensional lattice $\varLambda ( \mathbf {B} )$, $ \mathbf {c} \in \mathbb {R}^n$, $\sigma \ge \Vert \tilde{ \mathbf {B} }\Vert \cdot \sqrt{\ln (2n + 4)/\pi }$, outputs a sample from $D_{\varLambda + \mathbf {c} ,\sigma }$.

We then present the trapdoor sampling algorithm and the corollary of GPV lemma in the general ring R.

Lemma 3

[2, 3, 44]. There is a p.p.t. algorithm $\mathsf {Trap}\mathsf {Sam}(R, 1^n, 1^m, q)$ that, given the base ring R, modulus $q\ge 2$, lattice dimension n, and width parameter m (under the condition that $m= \varOmega (\log q)$ if $R=\mathbb {Z}^{n\times n}$, $m= \varOmega (n\log q)$ if $R=\mathbb {Z}[x]/(x^{n}+1)$), outputs $ \mathbf {A} \leftarrow U(R^{1\times m}_q)$ with a trapdoor $\tau $.

Lemma 4

[32]. There is a p.p.t. algorithm $\mathsf {Preimg}\mathsf {Sam}( \mathbf {A} , \tau , \mathbf {y} , \sigma )$ that with all but negligible probability over $( \mathbf {A} , \tau )\leftarrow \mathsf {Trap}\mathsf {Sam}(R, 1^n, 1^m, q)$, for sufficiently large $\sigma = \varOmega (\sqrt{n\log q})$, the following distributions are statistically close:

$$ \{ \mathbf {A} , \mathbf {x} , \mathbf {y} : \mathbf {y} \leftarrow U(R_q), \mathbf {x} \leftarrow \mathsf {Preimg}\mathsf {Sam}( \mathbf {A} , \tau , \mathbf {y} , \sigma ) \} \approx _s \{ \mathbf {A} , \mathbf {x} , \mathbf {y} : \mathbf {x} \leftarrow \gamma _{\sigma }, \mathbf {y} = \mathbf {A} \mathbf {x} \} $$

where $\gamma _{\sigma }$ represents $D^{1\times n}_{\mathbb {Z}^{nm}, \sigma }$ if $R=\mathbb {Z}^{n\times n}$; represents $D_{R^m, \sigma }$ if $R=\mathbb {Z}[x]/(x^{n}+1)$.

When the image is a matrix $ \mathbf {Y} = [ \mathbf {y} _1||...|| \mathbf {y} _\ell ]$, we abuse the notation for the preimage sampling algorithm, use $ \mathbf {D} \leftarrow \mathsf {Preimg}\mathsf {Sam}( \mathbf {A} , \tau , \mathbf {Y} , \sigma )$ to represent the concatenation of $\ell $ samples from $ \mathbf {d} _i\leftarrow \mathsf {Preimg}\mathsf {Sam}( \mathbf {A} , \tau , \mathbf {y} _i, \sigma )_{i\in [\ell ]}$.

2.3 General Learning with Errors Problems

The learning with errors (LWE) problem, formalized by Regev [48], states that solving noisy linear equations, in certain rings and for certain error distributions, is as hard as solving some worst-case lattice problems. The two typical forms used in cryptographic applications are (standard) LWE and RingLWE. The latter is introduced by Lyubashevsky, Peikert and Regev [42].

We formulate them as the General learning with errors problems similar to those of [17], with more flexibility in the secret distribution and the base ring.

Definition 2

(General learning with errors problem). The (decisional) general learning with errors problem (GLWE) is parameterized by the base ring R, dimension parameters $k, \ell , m$ for samples, dimension parameter n for lattices, modulus q, the secret distribution $\eta $ over $R^{k\times \ell }$, and the error distribution $\chi $ over $R^{\ell \times m}$. The $\mathsf {GLWE}_{R,k, \ell , m, n,q,\eta ,\chi }$ problem is to distinguish the following two distributions: (1) LWE samples $s\leftarrow \eta $, $ \mathbf {A} \leftarrow U(R_q^{\ell \times m})$, $ \mathbf {E} \leftarrow \chi ^{k\times m}$, output $( \mathbf {A} , s \mathbf {A} + \mathbf {E} )\in (R_q^{\ell \times m}\times R_q^{k\times m})$; (2) uniform distributions $U(R_q^{\ell \times m}\times R_q^{k\times m})$.

We define $\mathsf {GLWE}_{R,k, \ell , m, n,q,\eta ,\chi }$-hardness for secret distributions. The subscripts are dropped if they are clear from the context.

Definition 3

A secret distribution $\eta $ is called $\mathsf {GLWE}_{R,k, \ell , m, n,q,\eta ,\chi }$-hard if no p.p.t. adversary distinguishes the two distributions in the $\mathsf {GLWE}_{R,k, \ell , m, n,q,\eta ,\chi }$ problem with 1/2 plus non-negligible probability.

Here are the connections of decisional LWE/RingLWE to the worst-case lattice problems, in the language of GLWE-hardness. For the LWE problem we present the version where the secret is a square matrix.

Lemma 5

(LWE [18, 46, 48]). Let n be an integer, $R = \mathbb {Z}^{n\times n}$. q be an integer modulus, $0<\sigma <q$ such that $\sigma > 2\sqrt{n}$. If there exists an efficient (possibly quantum) algorithm that breaks $\mathsf {GLWE}_{R, 1, 1, m,n, q, U(R_q) ,D^{n\times n}_{\mathbb {Z}, \sigma }}$, then there exists an efficient (possibly quantum) algorithm for approximating $\mathsf {SIVP}$ and $\mathsf {Gap}\mathsf {SVP}$ in the $\ell _2$ norm, in the worst case, to within $\tilde{O}(nq/\sigma )$ factors.

Lemma 6

(RingLWE [29, 41, 42]). Let n be a power of 2, $R = \mathbb {Z}[x]/(x^n+1)$. Let q be a prime integer s.t. $q\equiv 1\pmod n$. $0<\sigma <q$, $\sigma > \omega (\sqrt{\log (n)})$, $\sigma '>n^{3/4}m^{1/4}\sigma $. If there exists an efficient (possibly quantum) algorithm that breaks $\mathsf {GLWE}_{R, 1,1, m,n, q, U(R_q), D_{R, \sigma '}}$, then there exists an polynomial time quantum algorithm for solving $\mathsf {SVP}$ for ideal-lattices over R, in the worst case, to within $\tilde{O}(\sqrt{n}q/\sigma )$ factors.

For proper choices of parameters, error distributions of small norm can be used as hard secret distribution (usually called Hermit-normal-form LWE).

Lemma 7

(HNF-LWE [4, 18]). For $R, m, n, q, \sigma $ chosen as was in Lemma 5, $\mathsf {GLWE}_{R, 1,1, m',n, q, D^{n\times n}_{\mathbb {Z}, \sigma },D^{n\times n}_{\mathbb {Z}, \sigma }}$ is as hard as $\mathsf {GLWE}_{R, 1,1, m,n, q, U(R_q) ,D^{n\times n}_{\mathbb {Z}, \sigma }}$ for $m'\le m-(16n+4\log \log q)$.

Lemma 8

(HNF-RingLWE [43]). For $R, m, n, q, \sigma , \sigma '$ chosen as in Lemma 6, $\mathsf {GLWE}_{R, 1,1, m-1,n, q, D_{R, \sigma '},D_{R, \sigma '}}$ is as hard as $\mathsf {GLWE}_{R, 1,1, m,n, q, U(R_q) ,D_{R, \sigma '}}$.

Pseudorandom Functions Based on GLWE. We adapt theorems from the PRF construction of Boneh, Lewi, Montgomery, and Raghunathan [11, Theorems 4.3, 5.1]. The result was originally stated for LWE. We observe that it holds for general rings under proper choices of parameter. A proof sketch is described in [21].

Lemma 9

(Adapted from [11]). Let $\ell \in \mathbb {N}$ be the bit-length of the input. $m,n,q,p\in \mathbb {N}$, $\sigma , B\in \mathbb {R}$ s.t. $0<\sigma <q$, $B \ge \sigma \sqrt{m}$, $q/p>B^\ell $. $\eta = U(R_q)$, $\gamma _\sigma $ is a distribution over $R^{m\times m}$ parameterized by $\sigma $, $\chi _\sigma $ is a distribution over $R^{1\times m}$ parameterized by $\sigma $. $\Vert \gamma _\sigma \Vert , \Vert \chi _\sigma \Vert \le \sigma \sqrt{m}$.

Consider the function $f:\{0,1\}^\ell \rightarrow R^{1\times m}_p$, $f_{ \mathbf {U} }(x) = \left\lfloor \mathbf {U} \prod _{i=1}^{\ell }{\mathbf {D}^{x_i}_{i}} \right\rceil _p$, where $ \mathbf {U} \leftarrow U(R_q^{1\times m})$ is the private parameter, $ \{ {\mathbf {D}^{b}_{i}}\leftarrow \gamma _\sigma \} _{b\in \{0,1\}, i\in [\ell ]}$ is the public parameter.

If there is an efficient algorithm that given input $ \mathbf {A} \leftarrow U(R_q^{1\times m})$, outputs $ \mathbf {U} \in R_q^{1\times m}, \mathbf {D} \in R^{m\times m}$ that are statistically close to $U(R_q^{1\times m})\times \gamma _\sigma $ and $ \mathbf {U} \mathbf {D} = \mathbf {A} $; then f is a PRF assuming the hardness of $\mathsf {GLWE}_{R,1,1,m,n,q,\eta ,\chi _\sigma }$.

3 GLWE-Hard Distributions: Extension Package

We prove GLWE-hardness for the following “structural” secret distributions. They are used in the analysis of Construction 11.

Lemma 10

Fix a permutation matrix $ \mathbf {B} \in \{0,1\}^{w\times w}$. If a secret distribution $\eta $ over R is $\mathsf {GLWE}_{R,1,1,w^2m,n,q,\eta , \chi }$-hard, then the secret distribution $ \mathbf {B} \otimes \eta $ is $\mathsf {GLWE}_{R^{w\times w},1,1,m,n,q, \mathbf {B} \otimes \eta , \chi ^{w\times w}}$-hard.

Proof

For a permutation matrix $ \mathbf {B} \in \{0,1\}^{w\times w}$, suppose there is a p.p.t. distinguisher between samples from

$$( \mathbf {B} , \mathbf {A} , ( \mathbf {B} \otimes s) \mathbf {A} + \mathbf {E} ),\text { where } \mathbf {A} \leftarrow U(R_q^{w\times wm}), s\leftarrow \eta , \mathbf {E} \leftarrow \chi ^{w\times wm}$$

and samples from the uniform distribution $( \mathbf {B} , U(R_q^{w\times wm}), U(R_q^{w\times wm}) )$, then we build an attacker for $\mathsf {GLWE}_{R,1,1,w^2m,n,q,\eta , \chi }$.

The attacker is given an $\mathsf {GLWE}_{R,1,1,w^2m,n,q,\eta , \chi }$ instance

$$( \mathbf {A'} , \mathbf {Y'} ) = ( \mathbf {A} _1||...|| \mathbf {A} _w, \mathbf {Y} _1||...|| \mathbf {Y} _w ), \text { where } \mathbf {A} _i, \mathbf {Y} _i \in R^{1\times wm} , ~i\in [w].$$

It then rearranges the blocks as $( \mathbf {U} , \mathbf {V} )\in R^{w\times wm}\times R^{w\times wm}$, where the $i^{th}$ (blocked) row of $ \mathbf {U} $ is $ \mathbf {A} _i$, the $i^{th}$ (blocked) row of $ \mathbf {V} $ is $ \mathbf {Y} _i$. The attacker then sends $\left( \mathbf {B} , \mathbf {U} , \left( \mathbf {B} \otimes 1_R\right) \mathbf {V} \right) $ to the distinguisher. Observe that $\left( \mathbf {B} , \mathbf {U} , \left( \mathbf {B} \otimes 1_R\right) \mathbf {V} \right) $ is from the $ \mathbf {B} \otimes \eta $ secret distribution if $( \mathbf {A'} , \mathbf {Y'} )$ is from the $\eta $ secret distribution, or from the uniform distribution if $( \mathbf {A'} , \mathbf {Y'} )$ is from the uniform distribution. Hence the attacker wins with the same probability as the distinguisher. $\square $

Lemma 11

Let $w\in [2,\infty )\cap \mathbb {Z}$. Fix a permutation matrix $ \mathbf {C} \in \{0,1\}^{w\times w}$ that represents a w-cycle. If a secret distribution $\eta $ over R is $\mathsf {GLWE}_{R,1,1,wm,n,q,\eta , \chi }$-hard, then $(\eta ^{1\times w}, \eta ^{1\times w}\times ( \mathbf {C} \otimes 1_R))$ is $\mathsf {GLWE}_{R,2,w,m,n,q, (\eta ^{1\times w}, \eta ^{1\times w}\times ( \mathbf {C} \otimes 1_R)), \chi }$-hard.

Proof

Let $ \mathbf {H} = [h_1, h_2, \ldots , h_w]$ where $ \{ h_i\leftarrow \eta \} _{i\in [w]}$. Let

$$\mathcal {H}:= \{ ( \mathbf {A} _j, \mathbf {Y} _{i,j} = h_i \mathbf {A} _j+ \mathbf {E} _{i,j}) | \mathbf {A} _{j}\leftarrow U(R_q^{1\times m}), h_i\leftarrow \eta , \mathbf {E} _{i,j}\leftarrow \chi , i, j\in [w] \} $$

be the rearranging of w independent GLWE samples from $\mathsf {GLWE}_{R,1,1, wm,n,q,\eta , \chi }$. $\mathcal {H}$ is indistinguishable from the uniform distribution $\mathcal {U}:= \{ ( \mathbf {A} _j, \mathbf {Y} _{i,j} ) | \mathbf {A} _{j}\leftarrow U(R_q^{1\times m}), \mathbf {Y} _{i,j}\leftarrow U(R_q^{1\times m}), i, j\in [w] \} $ due to standard GLWE.

We show that if there is an attacker $D'$ that distinguishes

$$( \mathbf {A} , \mathbf {H} \mathbf {A} + \mathbf {E} , \mathbf {H} \left( \mathbf {C} \otimes 1_R\right) \mathbf {A} + \mathbf {E'} ),$$

where $ \mathbf {E} , \mathbf {E'} \leftarrow \chi ^{1\times m}$ from

$$U(R^{w\times m}_q \times R^{1\times m}_q \times R^{1\times m}_q),$$

then there is a distinguisher D for (a subset of) $\mathcal {H}$ and $\mathcal {U}$.

To do so, we simulate the $(\eta ^{1\times w}, \eta ^{1\times w}\times \left( \mathbf {C} \otimes 1_R\right) )$ samples from $\mathcal {H}$ or $\mathcal {U}$ by setting $ \mathbf {A} \in R^{w\times m}$ where the $j^{th}$ row of $ \mathbf {A} $ is $ \mathbf {A} _j$, $ \mathbf {Y} := \sum _{j\in [w]} \mathbf {Y} _{j,j}$, and $ \mathbf {Z} := \sum _{j\in [w]} \mathbf {Y} _{\zeta (j),j}$, where $\zeta (j):[w]\rightarrow [w]$ outputs the row number of the 1-entry in the $j^{th}$ column of $ \mathbf {C} $. Note that being a w-cycle indicates that the 1-entries in $ \mathbf {C} $ disjoint with the 1-entries in $ \mathbf {I} ^{w\times w}$. Observe that the sample $( \mathbf {A} , \mathbf {Y} , \mathbf {Z} )$ is from the secret distribution $(\eta ^{1\times w}, \eta ^{1\times w}\times \left( \mathbf {C} \otimes 1_R\right) )$ if transformed from $\mathcal {H}$, or from the uniform distribution if transformed from $\mathcal {U}$. Hence the distinguisher $D'$ wins with the same probability as the attacker D. $\square $

4 Constraint-Hiding Constrained PRFs

This section provides the definitions of constraint-hiding constrained PRFs. We first recall the indistinguishability-based definition from [12], then give our simulation-based definition, and discuss the relations among these two definitions and program obfuscation.

4.1 The Indistinguishability-Based Definition

We first recall the indistinguishability-based definition for CHCPRF from [12].

Definition 4

(Indistinguishability-based CHCPRF [12]). Consider a family of functions $\mathcal {F}=\{\mathcal {F}_\lambda \}_{\lambda \in \mathbf{N}}$ where $\mathcal {F}_\lambda = \{ F_k: D_\lambda \rightarrow R_\lambda \} _{\lambda \in \mathbb {N}}$, along with a triple of efficient functions ($\mathsf {Gen}$, $\mathsf {Constrain}$, $\mathsf {Eval}$). For a constraint family $\mathcal {C} = \{ C_\lambda : D_\lambda \rightarrow \{0,1\} \} _{\lambda \in \mathbb {N}}$; the key generation algorithm $\mathsf {Gen}(1^\lambda )$ generates the master secret key $\mathsf {MSK}$, the constraining algorithm $\mathsf {Constrain}(1^\lambda , \mathsf {MSK}, C)$ takes the master secret key $\mathsf {MSK}$, a constraint C, outputs the constrained key $\mathsf {CK}$; the evaluation algorithm $\mathsf {Eval}(k, x)$ takes a key k, an input x, outputs $F_k(x)$.

We say that $\mathcal {F}$ is an indistinguishability-based CHCPRF for $\mathcal {C} $ if it satisfies the following properties:

Functionality Preservation Over Unconstrained Inputs. For input $x\in D_\lambda $ s.t. $C(x)=1$, $\Pr [ \mathsf {Eval}(\mathsf {MSK}, x) = \mathsf {Eval}(\mathsf {CK}, x)] \ge 1-\mathsf {negl}(\lambda )$, where the probability is taken over the randomness in algorithms $\mathsf {Gen}$ and $\mathsf {Constrain}$.

Pseudorandomness for Constrained Inputs. Consider the following experiment between a challenger and an adversary. The adversary can ask 3 types of oracle queries: constrained key oracle, evaluation oracle, and challenge oracle. For $b\in \{0,1\}$, the challenger responds to each oracle query in the following manner:

Constrained key oracle. Given a circuit $C\in \mathcal {C}$, the challenger outputs a constrained key $\mathsf {CK}\leftarrow \mathsf {Constrain}(1^\lambda , \mathsf {MSK}, C)$.
Evaluation oracle. Given an input $x\in D_\lambda $, the challenger outputs $y\leftarrow \mathsf {Eval}(\mathsf {MSK}, x)$.
Challenge oracle. Given an input $x_c\in D_\lambda $, the challenger outputs $y\leftarrow \mathsf {Eval}(\mathsf {MSK}, x_c)$ if $b=1$; outputs $y\leftarrow U(R_\lambda )$ if $b=0$.

The queries from the adversary satisfy the conditions that $C(x_c)=0$, and $x_c$ is not sent among evaluation queries. At the end of the experiment, the adversary chooses $b'$ and wins if $b'=b$. The scheme satisfies the pseudorandomness property if the winning probability of any p.p.t. adversary is bounded by $1/2+\mathsf {negl}(\lambda )$.

Indistinguishability-Based Constraint-Hiding. Consider the following experiment between a challenger and an adversary. The adversary can ask 2 types of oracle queries: constrained key oracle or evaluation oracle. For $b\in \{0,1\}$, the challenger responds to each oracle query in the following manner:

Constrained key oracle. Given a pair of circuits $C_0, C_1\in \mathcal {C}$, the challenger outputs a constrained key for $C_b$: $\mathsf {CK}\leftarrow \mathsf {Constrain}(1^\lambda , \mathsf {MSK}, C_b)$.
Evaluation oracle. Given an input $x\in D_\lambda $, the challenger outputs $y\leftarrow \mathsf {Eval}(\mathsf {MSK}, x)$.

For a circuit $C\in \mathcal {C}$, denote $S(C) := \{ x\in D_\lambda : C(x)=1 \} $. Suppose the adversary asks h pairs of circuit constraints $ \{ C^{(g)}_0, C^{(g)}_1 \} _{g\in [h]}$, the queries are admissible if (1) $\forall i\ne j\in [h]$, $S(C^{(i)}_0)\cap S(C^{(j)}_0) = S(C^{(i)}_1)\cap S(C^{(j)}_1)$; (2) for all input evaluation queries x, for all $g\in [h]$, $C^{(g)}_0(x) = C^{(g)}_1(x)$.

At the end of the experiment, the adversary chooses $b'$ and wins if $b'=b$. The scheme satisfies the constraint-hiding property if the winning probability of any p.p.t. adversary is bounded by $1/2+\mathsf {negl}(\lambda )$.

4.2 The Simulation-Based Definition

Next we give the simulation-based definition. We first present a definition that is central to the discussions and constructions in the paper, then mention its variants.

Definition 5

(Simulation-based CHCPRF). Consider a family of functions $\mathcal {F}=\{\mathcal {F}_\lambda \}_{\lambda \in \mathbf{N}}$ with the same syntax as in Definition 4. We say that $\mathcal {F}$ is simulation-based CHCPRF for family $\mathcal {C} $ of circuits if for any polytime stateful algorithm $\mathsf {Adv}$, there is a polytime stateful algorithm $\mathsf {Sim}$ such that:

$$ \{ {Experiment} \, REAL_{\mathsf {Adv}}(1^\lambda ) \} _{\lambda \in \mathbb {N}} \approx _c \{ {Experiment} \, IDEAL_{\mathsf {Adv}, \mathsf {Sim}}(1^\lambda ) \} _{\lambda \in \mathbb {N}} $$

The ideal and real experiments are defined as follows for adversaries $\mathsf {Adv}$ and $\mathsf {Sim}$. Both algorithms are stateful.

That is, in the experiments the adversary can ask a single constraint query and polynomially many input queries, in any order. For input queries x made before the circuit query, $\mathsf {Adv}$ is expected to provide a bit $b_x$ indicating whether $C(x)=1$. In the real experiment $\mathsf {Adv}$ obtains the unconstrained function value at x. In the ideal experiment $\mathsf {Sim}$ learns the indicator bit $d_x$; if $d_x=1$ then $\mathsf {Adv}$ gets a value generated by $\mathsf {Sim}$, and if $d_x=0$ then $\mathsf {Adv}$ obtains a random value from the range R of the function. Once $\mathsf {Adv}$ makes the constraint query $C\in \mathcal {C}_\lambda $, both experiments verify the consistency of the indicator bits $d_x$ for all the inputs x queried by $\mathsf {Adv}$ so far. If any inconsistency is found then the experiment halts. Next, in the real experiment $\mathsf {Adv}$ obtains the constrained key generated by the constraining algorithm; in the ideal experiment $\mathsf {Adv}$ obtains a key generated by $\mathsf {Sim}$, whereas $\mathsf {Sim}$ is given only the size of C. The handling of input queries made by $\mathsf {Adv}$ after the circuit query is similar to the ones before, with the exception that the indicator bit $d_x$ is no longer needed and $\mathsf {Sim}$ obtains the value of C(x) instead. The output of the experiment is the final output bit of $\mathsf {Adv}$.

Remark 1

One may also consider a stronger definition than Definition 5 where the adversary is not required to provide the indicator bits $d_x$ in the queries prior to providing the constraint. However we note that this stronger definition is unachievable if the number of input queries before the constraint query is unbounded, due to an “incompressibility” argument similar to the one from [1].

Remark 2

The simulation-based definition can also be generalized to the setting where the adversary queries multiple constrained keys. That is, once received each constrained key query, the simulator has to simulate a constrained key, given only the size of the constraining circuit. We further discuss this strong variant shortly.

4.3 Relations Among the Definitions

We discuss the relation among the definitions of CHCPRF and program obfuscation.

Multiple-Key CHCPRFs Implies Obfuscation. We show that the simulation-based CHCPRF for 2 keys implies virtual black-box obfuscation (VBB), which is impossible to obtain for general functionalities [7, 35]. For the indistinguishability-based definition proposed in [12], achieving 2-key security implies indistinguishability obfuscation [7].

Recall the definitions for VBB obfuscation (we present the strongest variant in [7]) and indistinguishability obfuscation.

Definition 6

(Obfuscation [7, 35]). A probabilistic algorithm O is an obfuscator for a class of circuit $\mathcal {C}$ if the following conditions hold:

(Preservation of the function) For all inputs x, $\Pr [C(x) = O(C(x))]>1-\mathsf {negl}(\lambda )$.
(Polynomially slowdown) There is a polynomial p s.t. $|O(C)| < p(|C|)$.
(Strong virtual black-box obfuscation) For any p.p.t. adversary $\mathsf {Adv}$, there is a p.p.t. simulator $\mathsf {Sim}$ s.t. for all C, $ \{ \mathsf {Adv}(1^\lambda , O(C)) \} \approx _c \{ \mathsf {Sim}^C(1^\lambda , |C|) \} $.
(Indistinguishability obfuscation) For functionally equivalent circuits $C_0, C_1, O(C_0) \approx _c O(C_1) $.

Construction 4

(Obfuscator from 2-key CHCPRFs). Given a CHCPRF, we construct an obfuscator for C by create a constrained key $\mathsf {CK}[C]$, and a constrained key $\mathsf {CK}[I]$ where I is the circuit that always outputs 1. To evaluate C(x), output 1 if $\mathsf {CHCPRF}_{\mathsf {CK}[C]}(x)=\mathsf {CHCPRF}_{\mathsf {CK}[I]}(x)$, 0 otherwise.

Theorem 5

If 2-key simulation-secure CHCPRF exists for circuit class $\mathcal {C}$, then strong VBB obfuscation exists for circuit class $\mathcal {C}$.

Proof

The simulator for the VBB obfuscator (does not have to make oracle queries to C) runs the simulator for CHCPRF, produce simulated constraint keys for $\mathsf {CK}^S[C]$, $\mathsf {CK}^S[I]$, which are indistinguishable from the real constrained keys $\mathsf {CK}[C]$, $\mathsf {CK}[I]$ that are used to construct the obfuscator. $\square $

Corollary 1

[7, 35]. There are circuit classes for which 2-key simulation-secure CHCPRF does not exist.

Theorem 6

If 2-key indistinguishability-based CHCPRF exists for circuit class $\mathcal {C}$, then indistinguishability obfuscation exists for circuit class $\mathcal {C}$.

Proof

For a circuit C, the obfuscator outputs $\mathsf {CK}[C]$, $\mathsf {CK}[I]$. For functionally equivalent circuits $C_0$ and $C_1$, $S(C_0)\cap S(I) = S(C_1)\cap S(I)$. By indistinguishability constraint-hiding, $(\mathsf {CK}[C_0], \mathsf {CK}[I])\approx _c(\mathsf {CK}[C_1], \mathsf {CK}[I])$. $\square $

Simulation and Indistinguishability-Based Definitions for CHCPRF. Next we discuss the relation of the simulation and indistinguishability-based definitions for CHCPRF, under 1-key security. The two definitions are equivalent in the 1-key setting, for the corresponding order of queries and adaptivity. Below we state the theorems for the non-adaptive version of the definitions, then discuss their generalizations to the adaptive setting.

We first show that the simulation based definition implies the indistinguishability based definition.

Theorem 7

If a CHCPRF satisfies the non-adaptive simulation-based definition, then it satisfies the non-adaptive indistinguishability-based definition.

The proof of this theorem is via a standard hybrid argument and we describe the proof in [21]. The implication holds for the adaptive setting. In particular, the standard simulation definition from Definition 5 implies Definition 4 where the predicates on the input queries are committed; for the stronger simulation definition discussed in Remark 1, it implies the fully adaptive variant of Definition 4.

In the 1-key setting, the indistinguishability definition implies the simulation based definition.

Theorem 8

If a CHCPRF satisfies 1-key non-adaptive indistinguishability-based definition, it satisfies the 1-key non-adaptive simulation-based definition.

Proof

For a CHCPRF $\mathcal {F}$ that satisfies Definition 4 for one constrained key query, we construct a simulator as per Definition 5. The simulator picks an all-1 circuit $C^S = I$ such that $I(x)=1, \forall x\in D_\lambda $, and use the indistinguishability-secure constraining algorithm to derive a constrained key $\mathsf {CK}^S$ for $C^S$. Once the simulator obtains the inputs and the indicators $ \{ x^{(k)}, d^{(k)} \} _{k\in [t]}$, if $d^{(k)}=1$, outputs $\mathsf {Eval}(\mathsf {CK}^S, x^{(k)})$; if $d^{(k)}=0$, outputs $y\leftarrow U(R_\lambda )$.

We first prove constraint-hiding. Suppose there is an adversary $A'$ that distinguishes the simulated distribution from the real distribution, we build an adversary A that breaks the indistinguishability definition for $\mathcal {F}$. A sends constrained circuit queries $C_0 = C$ and $C_1 = I$, obtains $\mathsf {CK}[C_b]$. Then A sends input queries. For $x^{(k)}$ s.t. $C(x^{(k)})=I(x^{(k)}) = 1$, the output is $\mathsf {Eval}(\mathsf {CK}[C_b], x^{(k)})$; for $x^{(k)}$ s.t. $C(x^{(k)})\ne I(x^{(k)})$, it is an inadmissible query so A samples an uniform random output on its own. Then A forwards $\mathsf {CK}[C_b]$, inputs and outputs to $A'$. The choice of $A'$ for the real or the simulated distribution corresponds to $b=0$ or 1, hence the advantage of A is equivalent to $A'$.

The proof for pseudorandomness of constrained outputs is analogous. $\square $

The theorem extends to the setting where the input queries can be made after the constraint query.

5 The Constructions

In Sects. 5.1 and 5.2 we present the bit-fixing and $\mathsf {NC}^1$ CHCPRFs.

5.1 Bit-Fixing CHCPRFs

Definition 7

(Bit-fixing constraint [15]). A bit-fixing constraint is specified by a string $ \mathbf {c} \in \{ 0,1,\star \} ^\ell $, where 0 and 1 are the fixing bits and $\star $ denotes the wildcards. $C(x)=1$ if the input matches $ \mathbf {c} $, namely $((x_1 = c_1) \vee (c_1=\star ) )\wedge \ldots \wedge ((x_\ell = c_\ell ) \vee (c_\ell =\star ) )$.

We start with a brief overview of the construction and then give the details. For a PRF with $\ell $-bit input, the key-generation algorithm samples $2\ell $ secrets from GLWE-hard distributions with small Euclidean norm $ \{ {{s}^{b}_{i}} \leftarrow \eta \} _{b\in \{0,1\}, i\in [\ell ]}$, places them in a chain of length $\ell $ and width 2, and uses the GGH15 methodology to encode the chain. The evaluation key consists of the resulting $ \mathbf {A} _1$ matrix and the $ \mathbf {D} $ matrices $ \{ {\mathbf {D}^{b}_{i}} \} _{b\in \{0,1\}, i\in [\ell ]}$.

The evaluation algorithm selects the path according to the input, computes the product of $ \mathbf {D} $ matrices along the path $\prod ^{\ell }_{i=1}{\mathbf {D}^{x_i}_{i}}$, then multiplies $ \mathbf {A} _1$ on the left. The unrounded version of the output $ \mathbf {A} _{1}\prod _{i=1}^{\ell }{\mathbf {D}^{x_i}_{i}}$ is close to $\prod _{i=1}^{\ell }{{s}^{x_i}_{i}} \mathbf {A} _{\ell +1}$, where “close” hides the cumulated error terms. Finally, the resulting subset product is rounded by p where $2\le p<q$, $q/p>B$ with B being the maximum error bound. Rounding is required for correctness and security.

Construction 9

(Bit-fixing CHCPRFs). We construct a function family $ \mathcal {F}= \{ f:\{0,1\}^{\ell }\rightarrow R^{1\times m}_{p} \} $ equipped with algorithms $(\mathsf {Gen}, \mathsf {Constrain}, \mathsf {Eval})$ and a set of vectors $\mathcal {C}= \{ \mathbf {c} \in \{ 0,1,\star \} ^\ell \} $:

$\mathsf {Gen}(1^\lambda )$ takes the security parameter $\lambda $, samples parameters $q, p, \sigma , m$, $ \mathbf {A} _{\ell +1}\leftarrow U(R^m_q)$, $ \{ ( \mathbf {A} _{i}, \tau _{i}) \leftarrow \mathsf {Trap}\mathsf {Sam}({R}, 1^n, 1^m, q) \} _{i\in [\ell ]}$. Then, sample $2\ell $ independent small secrets from GLWE-hard distributions $ \{ {{s}^{b}_{i}} \leftarrow \eta \} _{b\in \{0,1\}, i\in [\ell ]}$. Next, encode the secrets as follows: first compute $ \{ {\mathbf {Y}^{b}_{i}}={{s}^{b}_{i}} \mathbf {A} _{i+1}+{\mathbf {E}^{b}_{i}}, {\mathbf {E}^{b}_{i}}\leftarrow \chi ^m \} _{i\in [\ell ], b\in \{0,1\}}$, then sample $ \{ {\mathbf {D}^{b}_{i}}\leftarrow \mathsf {Preimg}\mathsf {Sam}( \mathbf {A} _{i}, \tau _{i}, {{\mathbf {Y}^{b}_{i}}}, \sigma ) \} _{i\in [\ell ], b\in \{0,1\}}$ Set $\mathsf {MSK}:= ( \{ \mathbf {A} _i \} _{i\in [1,\ell +1]}, \{ \tau _i \} _{i\in [\ell ]}, \{ {{s}^{b}_{i}}, {\mathbf {D}^{b}_{i}} \} _{i\in [\ell ], b\in \{0,1\}})$.
$\mathsf {Constrain}(\mathsf {MSK}, \mathbf {c} )$ takes $\mathsf {MSK}$ and the bit-matching vector $ \mathbf {c} $, for $i\in [\ell ]$, if $c_i\ne \star $ (i.e. specified as 0 or 1), replaces the original ${{s}^{1-c_i}_{i}}$ by a fresh ${{t}^{1-c_i}_{i}}\leftarrow \eta $, then updates the encodings on these secrets: ${\mathbf {Y}^{1-c_i}_{i}}={{t}^{1-c_i}_{i}} \mathbf {A} _{i+1}+{\mathbf {E'}^{1-c_i}_{i}}, {\mathbf {E'}^{1-c_i}_{i}}\leftarrow \chi ^m$, samples ${\mathbf {D}^{1-c_i}_{i}}\leftarrow \mathsf {Preimg}\mathsf {Sam}( \mathbf {A} _{i}, \tau _{i}, { {\mathbf {Y}^{1-c_i}_{i}} }, \sigma ) $.

Set $\mathsf {CK}:= ( \mathbf {A} _1, \{ {\mathbf {D}^{b}_{i}} \} _{i\in [\ell ], b\in \{0,1\}})$.
$\mathsf {Eval}(k, x)$ takes the key $k = ( \mathbf {A} _1, \{ {\mathbf {D}^{b}_{i}} \} _{i\in [\ell ], b\in \{0,1\}} )$ and the input x, outputs $\left\lfloor \mathbf {A} _1\prod _{i=1}^{\ell }{\mathbf {D}^{x_i}_{i}} \right\rceil _p$.

Remark 3

We occasionally call $i\in \{ 1, 2, \ldots , \ell \} $ “levels”, from low to high.

Setting of Parameters. Parameters shall be set to ensure both correctness (i.e. the preservation of functionality over unconstrained inputs) and security. Note that the approximation factors of the underlying worst-case (general or ideal) lattices problems are inherently exponential in $\ell $.

Specifically, for $R = \mathbb {Z}^{n\times n}$, set $\eta = \chi = D^{n\times n}_{\mathbb {Z}, \sigma }$, $\gamma = D^{1\times nm}_{\mathbb {Z}^{nm}, \sigma }$. The parameters are set to satisfy $m\ge 2\log q$ due to Lemma 3; $q/p>(\sigma \cdot m)^\ell $ due to Lemma 1 for the correctness of rounding; $0<\sigma <q$, $\sigma =2\sqrt{n\log q}$, $nq/\sigma <2^{\lambda ^{1-\epsilon }}$ due to Lemmas 4, 5, 7, and 9. An example setting of parameters: $p=2$, $\epsilon =1/2$, $q=(32\ell n^2\log n)^\ell $, $\lambda =n=(\log q)^2$.

For $R = \mathbb {Z}[x]/(x^n+1)$, n being a power of 2, set $\eta = \chi = D_{R, \sigma }$, $\gamma = D^{1\times m}_{R^{m}, \sigma }$. The parameters are set to satisfy $m\ge 2\cdot n\log q$ due to Lemma 3; $q/p>(\sigma \cdot n^{3/4}m^{5/4})^\ell $ due to Lemma 1 for the correctness of rounding; $0<\sigma <q$, $\sigma =2\sqrt{n\log q}$, $nq/\sigma <2^{\lambda ^{1-\epsilon }}$ due to Lemmas 4, 6, 8, and 9. An example setting of parameters against the state-of-art ideal SVP algorithms [9, 27, 28]: $p=2$, $\epsilon =0.5001$, $q=(70\ell n^3\log n)^\ell $, $\lambda =n=(\log q)^{2.1}$.

Theorem 10

Assuming $\mathsf {GLWE}_{R,1,1,m,n,q,\eta ,\chi }$, Construction 9 is a simulation-secure bit-fixing CHCPRF.

Functionality Preservation on the Unconstrained Inputs. The constraining algorithm does not change any secrets on the unconstrained paths. So the functionality is perfectly preserved.

Security Proof Overview. The aim is to capture two properties: (1) pseudorandomness on the constrained inputs (2) the constrained key is indistinguishable from an obliviously sampled one.

We construct a simulator as follows: the simulator samples a key composed of $ \mathbf {A} $ matrices from uniform distribution and $ \mathbf {D} $ matrices from discrete-Gaussian distribution of small width. For the input-output pairs queried by the adversary, if the functionality is preserved on that point, then the simulator, knowing the input x, simply outputs the honest evaluation on the simulated key. If the input is constrained, it means at some level i, the secret ${{t}^{x_i}_{i}}$ in the constrained key is sampled independently from the original secret key ${{s}^{x_i}_{i}}$. Therefore the LWE instance ${{s}^{x_i}_{i}} \mathbf {A} _{i+1}+{\mathbf {E}^{x_i}_{i}}$, in the expression of the constrained output, provides an fresh random mask $ \mathbf {U} $. The reduction moves from level $\ell +1$ to level 1. At level 1, by the result of [11], the rounded output on x is pseudorandom if $C(x)=0$.

Note that the evaluation algorithm only needs $ \mathbf {A} _1$ but not the rest of the $ \mathbf {A} $ matrices. However, in the analysis we assume all the $ \mathbf {A} $ matrices are public.

Proof

The simulator samples all the $ \{ \mathbf {A} _{j} \} _{j\in [1,\ell +1]}$ matrices from random and $ \{ {\mathbf {D}^{b}_{i}} \} _{b\in \{0,1\}, i\in [\ell ]}$ from $\gamma $, outputs the constrained key $( \mathbf {A} _1, \{ {\mathbf {D}^{b}_{i}} \} _{i\in [\ell ], b\in \{0,1\}})$. To respond the input queries, the simulator picks $ \{ y^{(k)} \} _{k\in [t]}$ according to $ \{ d^{(k)} \} _{k\in [t]}$: if $d^{(k)}=1$ (i.e. the functionality is preserved on the constraint key at $x^{(k)}$), then outputs $y^{(k)}=\left\lfloor \mathbf {A} _1 \prod ^{\ell }_{i=1}{\mathbf {D}^{x^{(k)}_i}_{i}} \right\rceil _p$ (the honest evaluation on the simulated key); otherwise $y^{(k)}\leftarrow U(R^{1\times m}_p)$.

The proof consists of two parts. The first part (Lemma 12) shows that the real distribution is indistinguishable from a semi-simulated one, where all the $ \mathbf {D} $ matrices on the constrained key are sampled obliviously without knowing the constraint and the trapdoors of $ \mathbf {A} $ matrices, and all the outputs are derived from the simulated constrained key. The second part (Lemma 13) argues that the outputs are pseudorandom if they are in the constrained area.

In the first part, we define intermediate hybrid distributions $ \{ \mathsf {H}_{v} \} _{v\in [0, \ell ]}$. $\mathsf {H}_{\ell }$ corresponds to the real constrained key and outputs, $\mathsf {H}_{0}$ corresponds to the simulated constrained key and the semi-simulated outputs. The intermediate simulator in $\mathsf {H}_{v}$ knows the partial constraint from level 1 to v, and the level $w^{(k)}\in \{ v, \ldots , \ell \} $ where the input $x^{(k)}$ starts to deviate from the constraint vector.

Descriptions of $\mathsf {H}_{v}$, $v\in [0,\ell ]$: The simulator in $\mathsf {H}_v$

1.
Samples $ \{ ( \mathbf {A} _{j}, \tau _{j}) \leftarrow \mathsf {Trap}\mathsf {Sam}({R}, 1^n, 1^m, q) \} _{j\in [v]}$ with trapdoors, $ \{ \mathbf {A} _{j'}\leftarrow U(R_q^m) \} _{ j'\in [v+1,\ell +1]}$ from uniform;
2.
Samples the GLWE secrets $ \{ {{s}^{b}_{i}}\leftarrow \eta \} _{b\in \{0,1\}, i\in [v]}$ below level v; then, with part of the constraint vector $ \mathbf {c} _{[v]}$ in hand, for $i\in [v]$, if $c_i\ne \star $, samples ${{t}^{1-c_i}_{i}}\leftarrow \eta $;
3.
For $b\in \{0,1\}, i\in [v]$, if $t_i^b$ is sampled in the previous step, samples ${\mathbf {Y}^{b}_{i}}:= {{t}^{b}_{i}} \mathbf {A} _{i+1}+{\mathbf {E'}^{b}_{i}}$; otherwise, ${\mathbf {Y}^{b}_{i}}:= {{s}^{b}_{i}} \mathbf {A} _{i+1}+{\mathbf {E}^{b}_{i}}$,
4.
Samples $ \{ {\mathbf {D}^{b}_{i}}\leftarrow \mathsf {Preimg}\mathsf {Sam}( \mathbf {A} _i, \tau _i, {\mathbf {Y}^{b}_{i}}, \sigma ) \} _{b\in \{0,1\}, i\in [v]}$ as the constrained-key below level v. Samples the rest of the $ \mathbf {D} $ matrices obliviously $ \{ {\mathbf {D}^{b}_{i}}\leftarrow \gamma \} _{b\in \{0,1\}, i\in [v+1, \ell ]}$.
5.
To simulate the outputs, the simulator maintains a list $\mathcal {U}$ of $ \mathbf {U} $ matrices (to be specified) initiated empty. For $k\in [t]$, if the constraint is known to deviate in the path of $x^{(k)}_{[v+1,\ell ]}$ from level $w^{(k)}\in [v+1,\ell ]$, then compute $y^{(k)}$ as $\left\lfloor \prod _{i=1}^{v}{{s}^{x^{(k)}_i}_{i}} \mathbf {U} ^{x^{(k)}_{[v+1,w]}} \prod _{j=w^{(k)}}^{\ell }{\mathbf {D}^{x^{(k)}_j}_{j}} \right\rceil _p$ — here $ \mathbf {U} ^{x^{(k)}_{[v+1,w]}}$ is indexed by ${x^{(k)}_{[v+1,w]}}$; if it is not in the list $\mathcal {U}$, sample $ \mathbf {U} ^{x^{(k)}_{[v+1,w]}}\leftarrow U(R_q^m)$, include it in $\mathcal {U}$; otherwise, reuse the one in $\mathcal {U}$. If $x^{(k)}$ has not deviated above level v, then $y^{(k)}=\left\lfloor \prod _{i=1}^{v}{{s}^{x^{(k)}_i}_{i}} \mathbf {A} _{v+1}\prod _{j=v+1}^{\ell }{\mathbf {D}^{x^{(k)}_j}_{j}} \right\rceil _p$.

Lemma 12

$\mathsf {H}_{v}\approx _c \mathsf {H}_{v-1}$, for $v\in \{ \ell , ..., 1 \} $.

Proof

The difference of $\mathsf {H}_{v}$ and $\mathsf {H}_{v-1}$ lies in the sampling of ${\mathbf {D}^{0}_{v}}$, ${\mathbf {D}^{1}_{v}}$ and the outputs $ \{ y^{(k)} \} $. We first analyze the difference of the outputs between $\mathsf {H}_{v}$ and $\mathsf {H}_{v-1}$ by classifying the input queries into 3 cases:

1.
For input $x^{(k)}$ that matches the partial constraint vector $ \mathbf {c} _{[v,\ell ]}$, observe that $\left\lfloor \prod _{i=1}^{v-1}{{s}^{x^{(k)}_i}_{i}} \mathbf {A} _{v}\prod _{j=v}^{\ell }{\mathbf {D}^{x^{(k)}_j}_{j}} \right\rceil _p=\left\lfloor \prod _{i=1}^{v-1}{{s}^{x^{(k)}_i}_{i}}({{s}^{x^{(k)}_v}_{v}} \mathbf {A} _{v+1}+{\mathbf {E}^{x^{(k)}_v}_{v}})\prod _{j=v+1}^{\ell }{\mathbf {D}^{x^{(k)}_j}_{j}} \right\rceil _p$ $\approx _s\left\lfloor \prod _{i=1}^{v}{{s}^{x^{(k)}_i}_{i}} \mathbf {A} _{v+1}\prod _{j=v+1}^{\ell }{\mathbf {D}^{x^{(k)}_j}_{j}} \right\rceil _p$, where $\approx _s$ is due to the small norm of $\prod _{i=1}^{v-1}{{s}^{x^{(k)}_i}_{i}}{\mathbf {E}^{x^{(k)}_v}_{v}}\prod _{j=v+1}^{\ell }{\mathbf {D}^{x^{(k)}_j}_{j}}$. Hence the output is statistically close in $\mathsf {H}_{v-1}$ and $\mathsf {H}_{v}$.
2.
For the input $x^{(k)}$ that is preserving above level v but deviated at level v, the fresh LWE secret ${{t}^{x^{(k)}_v}_{v}}$ sampled in the constrained key is independent from the original key ${{s}^{x^{(k)}_v}_{v}}$. So ${{s}^{x^{(k)}_v}_{v}} \mathbf {A} _{v+1}+{\mathbf {E}^{x^{(k)}_v}_{v}}$ and ${{t}^{x^{(k)}_v}_{v}} \mathbf {A} _{v+1}+{\mathbf {E'}^{x^{(k)}_v}_{v}}$ are treated as independent LWE instances w.r.t. $ \mathbf {A} _{v+1}$.
3.
For $x^{(k)}$ that has deviated above level v, the output can be written as
$$\begin{aligned} \begin{aligned} y^{(k)} =~&\left\lfloor \prod _{i=1}^{v}{{s}^{x^{(k)}_i}_{i}} \mathbf {U} ^{x^{(k)}_{[v+1,w]}} \prod _{j=w^{(k)}}^{\ell }{\mathbf {D}^{x^{(k)}_j}_{j}} \right\rceil _p \\ \approx _s~&\left\lfloor \prod _{i=1}^{v-1}{{s}^{x^{(k)}_i}_{i}} ({{s}^{x^{(k)}_v}_{v}} \mathbf {U} ^{x^{(k)}_{[v+1,w]}}+ \mathbf {E'} )\prod _{j=w^{(k)}}^{\ell }{\mathbf {D}^{x^{(k)}_j}_{j}} \right\rceil _p, \end{aligned} \end{aligned}$$
(2)
where $ \mathbf {U} ^{x^{(k)}_{[v+1,w]}}$ is uniform by induction.

To summarize, there are less than $3(|\mathcal {U}|+1)$ matrices that are GLWE samples in $\mathsf {H}_{v}$ while uniform in $\mathsf {H}_{v-1}$. The GLWE samples involves 3 independent secrets: ${{s}^{0}_{v}}$, ${{s}^{1}_{v}}$ and ${{t}^{1-c_{v}}_{v}}$ if $c_{v}\ne \star $. ${{t}^{1-c_{v}}_{v}}$ is only masked by $ \mathbf {A} _{v+1}$; $ \{ {{s}^{b}_{v}} \} _{b\in \{0,1\}}$ are masked by $ \mathbf {A} _{v+1}$ (in the constrained key and the outputs of cases (1) and (2)) and the uniform matrices in the list $\mathcal {U}$ (the outputs of case (3)); all the samples are associated with independently sampled noises.

If there is an attacker $A'$ that distinguishes $\mathsf {H}_{v}$ and $\mathsf {H}_{v-1}$ with non-negligible probability $\zeta $, we can build an attacker A who distinguishes (a subset among the $3(|\mathcal {U}|+1)$) GLWE samples

$$ \{ [ \mathbf {A} _{v+1}, \mathbf {U} ^1, \mathbf {U} ^2, \ldots , \mathbf {U} ^{|\mathcal {U}|}], [{{s}^{0}_{v}}, {{s}^{1}_{v}}, {{t}^{1-c_i}_{v}}]^T \cdot [ \mathbf {A} _{v+1}, \mathbf {U} ^1, \mathbf {U} ^2, \ldots , \mathbf {U} ^{|\mathcal {U}|}]+\tilde{ \mathbf {E} } \} ,$$

where $\tilde{ \mathbf {E} }\leftarrow \chi ^{3\times (|\mathcal {U}|+1)m} $ from

$$ \{ U( R_q^{(|\mathcal {U}|+1)m} \times R_q^{3\times (|\mathcal {U}|+1)m} ) \} $$

To do so, once A obtains the samples, it places the samples under mask $ \mathbf {A} _{v+1}$ in the constrained key and the outputs of cases (1) and (2); places the samples under masks $ \mathbf {U} ^1, \ldots , \mathbf {U} ^{|\mathcal {U}|}$ in the outputs of cases (3). Then samples $ \{ \mathbf {A} _j \} _{j\in [v]}$ with trapdoors, GLWE secrets $ \{ {{s}^{b}_{i}}\leftarrow \eta \} _{b\in \{0,1\}, i\in [v]}$. Then samples $ \{ {\mathbf {D}^{b}_{i}}\leftarrow \mathsf {Preimg}\mathsf {Sam}( \mathbf {A} _i, \tau _i, {\mathbf {Y}^{b}_{i}}, \sigma ) \} _{b\in \{0,1\}, i\in [v]}$ as the constrained-key below level v. Samples the rest of the $ \mathbf {D} $ matrices obliviously $ \{ {\mathbf {D}^{b}_{i}}\leftarrow \gamma \} _{b\in \{0,1\}, i\in [v+1, \ell ]}$.

With these matrices the attacker A is able to simulate the outputs, send the outputs and constrained key to $A'$. If the samples are from GLWE, then it corresponds to $\mathsf {H}_{v}$; if the samples are uniform, then the matrices $ \{ {\mathbf {D}^{b}_{v}} \} _{b\in \{0,1\}}$ sampled via $ \{ {\mathbf {D}^{b}_{v}}\leftarrow \mathsf {Preimg}\mathsf {Sam}( \mathbf {A} _v, \tau _v, {\mathbf {Y}^{b}_{v}}, \sigma ) \} _{b\in \{0,1\}}$ are statistically close to the obliviously sampled ones due to Lemma 4, so it is statistically close to $\mathsf {H}_{v-1}$. Hence A breaks GLWE with probability more than $\zeta /(3(t+1))$, which contradicts to Lemma 7. $\square $

Lemma 13

If $C(x^{(k)})=0$, then the output $y^{(k)}$ in $\mathsf {H}_{0}$ is pseudorandom.

Proof

A constrained output $y^{(k)}$ can be expressed as $\left\lfloor \mathbf {U} ^{x^{(k)}_{ [1,w] } } \prod _{ j=w^{(k)} }^{\ell }{\mathbf {D}^{x^{(k)}_j}_{j}} \right\rceil _p$, where the secret $ {\mathbf {U}^{(k)}_{[1,w^{(k)}]}} $ is uniform; the public $ \mathbf {D} $ matrices are sampled from discrete-Gaussian distribution $\gamma $. By Lemma 9 $y^{(k)}$ is pseudorandom. $\square $

The proof completes by combining Lemmas 12 and 13. $\square $

5.2 Constraint-Hiding for $\mathsf {NC}^1$ Circuits

Next we present the CHCPRF for $\mathsf {NC}^1$ circuit constraints. For circuits of depth d, use Barrington’s Theorem [8] to convert them into a set of oblivious branching program $ \{ \mathsf {BP} \} $ with the same index-to-input map $\iota : [z]\rightarrow [\ell ]$, the same w-cycle $ \mathbf {P} $ that represents the 0 output (by default $w=5$). Let $ \{ {\mathbf {B}^{b}_{i}} \in \{0,1\}^{w\times w} \} _{i\in [z],b\in \{0,1\}} $ be the permutation matrices in each $\mathsf {BP}$.

The master secret key for the CHCPRF consists of 2z secrets from GLWE-hard distributions $\eta $ over R with small Euclidean norm $ \{ {{s}^{b}_{i}} \leftarrow \eta \} _{b\in \{0,1\}, i\in [z]}$, together with a vector $ \mathbf {J} \in R^{1\times w}$. To generate an evaluation key, in the normal setting, let ${\mathbf {S}^{b}_{i}}:= \mathbf {I} ^{w\times w}\otimes {{s}^{b}_{i}}\in \{0,1\}^{w\times w} \otimes _{R} R$; in the constrained setting for a constraint recognized by $\mathsf {BP}$, let ${\mathbf {S}^{b}_{i}}:={\mathbf {B}^{b}_{i}}\otimes {{s}^{b}_{i}}\in \{0,1\}^{w\times w} \otimes _{R} R$. For both settings, places $ \{ {\mathbf {S}^{b}_{i}} \} _{b\in \{0,1\}, i\in [z]}$ in a chain of length z and width 2, places $ \mathbf {J} $ on the left end of the chain, and uses the GGH15 methodology to encode the chain. The encoding of $ \mathbf {J} $ is merged into $ \mathbf {A} _1$ and denote the resultant matrix as $ \mathbf {A} _J$. The evaluation key consists of $ \mathbf {A} _J$ and the $ \mathbf {D} $ matrices $ \{ {\mathbf {D}^{b}_{i}} \} _{b\in \{0,1\}, i\in [z]}$.

To evaluate on x, output $\left\lfloor \mathbf {A} _J\prod _{i=1}^{z}{\mathbf {D}^{x_{\iota (i)}}_{i}} \right\rceil _p$. To elaborate the functionality, for x s.t. $C(x)=1$, $\left\lfloor \mathbf {A} _J\prod _{i=1}^{z}{\mathbf {D}^{x_{\iota (i)}}_{i}} \right\rceil _p \approx _s \left\lfloor \mathbf {J} ( \mathbf {I} ^{w\times w}\otimes \prod _{i=1}^{z}{{s}^{x_{\iota (i)}}_{i}}) \mathbf {A} _{z+1} \right\rceil _p$; for x s.t. $C(x)=0$, $\left\lfloor \mathbf {A} _J\prod _{i=1}^{z}{\mathbf {D}^{x_{\iota (i)}}_{i}} \right\rceil _p \approx _s \left\lfloor \mathbf {J} ( \mathbf {P} \otimes \prod _{i=1}^{z}{{s}^{x_{\iota (i)}}_{i}}) \mathbf {A} _{z+1} \right\rceil _p$. As a reminder, the permutation matrix $ \mathbf {P} $ that represent the w-cycle is not a secret to the construction, so the use of the left-bookend $ \mathbf {J} $ is essential for security.

Construction 11

(CHCPRFs for $\mathsf {NC}^1$ circuits). We construct a function family $ \mathcal {F}= \{ f:\{0,1\}^{\ell }\rightarrow R^{1\times wm}_{p} \} $ equipped with 3 algorithms $(\mathsf {Gen}, \mathsf {Constrain}, \mathsf {Eval})$, associated with a set of oblivious branching programs $ \{ \mathsf {BP} \} $ of length z obtained by applying Lemma 3 on all the $\mathsf {NC}^1$ circuits.

$\mathsf {Gen}(1^\lambda )$ samples parameters $q, p, \sigma , m$, z (the length of branching programs), $ \{ ( \mathbf {A} _{i}, \tau _{i}) \leftarrow \mathsf {Trap}\mathsf {Sam}({R^{w\times w}}, 1^n, 1^m, q) \} _{i\in [z]}$, $ \mathbf {A} _{z+1}\leftarrow U(R^{w\times wm}_q)$. Samples 2z independent small secrets from GLWE-hard distributions $ \{ {{s}^{b}_{i}} \leftarrow \eta \} _{b\in \{0,1\}, i\in [z]}$, sets the secret matrices to be ${\mathbf {S}^{b}_{i}}= \mathbf {I} ^{w\times w}\otimes {{s}^{b}_{i}}$. Next, encode the secrets as follows: first compute $ \{ {\mathbf {Y}^{b}_{i}}={\mathbf {S}^{b}_{i}} \mathbf {A} _{i+1}+{\mathbf {E}^{b}_{i}}, {\mathbf {E}^{b}_{i}}\leftarrow \chi ^{w\times wm} \} _{i\in [z], b\in \{0,1\}}$; then, sample $ \{ {\mathbf {D}^{b}_{i}}\leftarrow \mathsf {Preimg}\mathsf {Sam}( \mathbf {A} _{i}, \tau _{i}, {{\mathbf {Y}^{b}_{i}}}, \sigma ) \} _{i\in [z], b\in \{0,1\}}$. Additionally, sample a small secret $ \mathbf {J} \leftarrow \eta ^{1\times w}$ as the left-bookend. Compute $ \mathbf {A} _J:= \mathbf {J} \mathbf {A} _1+ \mathbf {E} _J$ where $ \mathbf {E} _J\leftarrow \chi ^{1\times wm}$.

Set $\mathsf {MSK}:= ( \{ \mathbf {A} _i \} _{i\in [1,z+1]}, \{ \tau _i \} _{i\in [z]}, \mathbf {A} _J, \{ {{s}^{b}_{i}}, {\mathbf {D}^{b}_{i}} \} _{i\in [z], b\in \{0,1\}})$.
$\mathsf {Constrain}(\mathsf {MSK},\mathsf {BP})$ takes $\mathsf {MSK}$, and a matrix branching program $\mathsf {BP}= \{ {\mathbf {B}^{b}_{i}}\in R^{w\times w} \} _{i\in [z], b\in \{0,1\}}$. For $i\in [z]$, $b\in \{0,1\}$, compute ${\mathbf {Y}^{b}_{i}}=\left( {\mathbf {B}^{b}_{i}}\otimes {{s}^{b}_{i}}\right) \mathbf {A} _{i+1}+{\mathbf {E'}^{b}_{i}}, {\mathbf {E'}^{b}_{i}}\leftarrow \chi ^{w\times wm}$, samples ${\mathbf {D}^{b}_{i}}\leftarrow \mathsf {Preimg}\mathsf {Sam}( \mathbf {A} _{i}, \tau _{i}, { {\mathbf {Y}^{b}_{i}} }, \sigma ) $.

Set the constrained key $\mathsf {CK}:= ( \mathbf {A} _J, \{ {\mathbf {D}^{b}_{i}} \} _{i\in [z], b\in \{0,1\}})$.
$\mathsf {Eval}(k, x)$ takes the input x and the key $k = ( \mathbf {A} _J, \{ {\mathbf {D}^{b}_{i}} \} _{i\in [z], b\in \{0,1\}})$, outputs $\left\lfloor \mathbf {A} _J\prod _{i=1}^{z}{\mathbf {D}^{x_{\iota (i)}}_{i}} \right\rceil _p$.

Setting of Parameters. Settings of the distributions and their dimensions: For $R = \mathbb {Z}^{n\times n}$, set $\eta = \chi = D^{n\times n}_{\mathbb {Z}, \sigma }$, $\gamma = D^{1\times nwm}_{\mathbb {Z}^{nwm}, \sigma }$. For $R = \mathbb {Z}[x]/(x^n+1)$, n being a power of 2, set $\eta = \chi = D_{R, \sigma }$, $\gamma = D^{1\times wm}_{R^{wm}, \sigma }$.

The restriction on the parameters are analogous to the settings in the bit-fixing construction.

Theorem 12

Assuming $\mathsf {GLWE}_{R,1,1,w^2 m,n,q,\eta ,\chi }$, Construction 11 is a simulation-secure CHCPRF for $\mathsf {NC}^1$ constraints.

Proof Overview. The simulation algorithm and the overall proof strategy is similar to the one for the bit-fixing constraints. Namely, we close the trapdoors for $ \mathbf {A} $ matrices from level z to level 1. Within each level v, there are several GLWE instance associated with $ \mathbf {A} _{v+1}$ whose trapdoor is closed in the previous hybrid. The additional complexity comes from dealing with secrets with permutation matrix structures. They are handled by the new GLWE packages from Sect. 3.

Proof

The simulator samples $ \{ \mathbf {A} _{i}\leftarrow U(R_q^{w\times wm}) \} _{i\in [1,z+1]}$, and $ \{ {\mathbf {D}^{b}_{i}}\leftarrow \gamma \} _{b\in \{0,1\}, i\in [z]}$. It also samples $ \mathbf {J} \leftarrow \eta ^{1\times w}$, computes $ \mathbf {A} _J:= \mathbf {J} \mathbf {A} _1+ \mathbf {E} _J$ where $ \mathbf {E} _J\leftarrow \chi ^{1\times wm}$. Outputs the constrained key $( \mathbf {A} _J, \{ {\mathbf {D}^{b}_{i}} \} _{i\in [z], b\in \{0,1\}})$. The simulator responds the input queries by picking $ \{ y^{(k)} \} _{k\in [t]}$ according to $ \{ d^{(k)} \} _{k\in [t]}$: if $d^{(k)}=1$, then outputs $y^{(k)}=\left\lfloor \mathbf {A} _J \prod ^{z}_{i=1}{\mathbf {D}^{x^{(k)}_i}_{i}} \right\rceil _p$; otherwise $y^{(k)}\leftarrow U(R^{1\times wm}_p)$.

The proof consists of two parts. The first part (Lemma 14) shows that the real distribution is indistinguishable from a semi-simulated one, where all the $ \mathbf {D} $ matrices on the constrained key are sampled without knowing the constraint and trapdoors of $ \mathbf {A} $ matrices, and all the outputs are expressed by these obliviously sampled $ \mathbf {A} $ and $ \mathbf {D} $ matrices. The second part (Lemma 15) argues that the outputs are pseudorandom if they are in the constrained area.

In the first part, we define intermediate hybrid distributions $ \{ \mathsf {H}_{v} \} _{v\in [0, z]}$. $\mathsf {H}_{z}$ corresponds to the real constrained key and output distributions, $\mathsf {H}_{0}$ corresponds to the simulated constrained key and the semi-simulated outputs. The simulators in $\mathsf {H}_z, \mathsf {H}_{z-1}, \ldots , \mathsf {H}_{1}$ know the full description of the constraint $\mathsf {BP}= \{ {\mathbf {B}^{b}_{i}} \} _{i\in [z], b\in \{0,1\}}$; the simulator in $\mathsf {H}_0$ only knows the indicators $ \{ d^{(k)} \} _{k\in [t]}$.

Descriptions of $\mathsf {H}_{v}$, $v\in [0, z]$: The simulator in $\mathsf {H}_v$

1.
Samples $ \{ ( \mathbf {A} _{j}, \tau _{j}) \leftarrow \mathsf {Trap}\mathsf {Sam}({R^{w\times w}}, 1^n, 1^m, q) \} _{j\in [v]}$ with trapdoors; samples $ \{ \mathbf {A} _{j'}\leftarrow U(R_q^{w\times wm}) \} _{ j'\in [v+1,z+1]}$ uniformly random;
2.
Samples the GLWE secrets $ \{ {{s}^{b}_{i}}\leftarrow \eta \} _{b\in \{0,1\}, i\in [v]}$ below level v; and a bookend vector $ \mathbf {J} \leftarrow \eta ^{1\times w}$;
3.
Samples ${\mathbf {Y}^{b}_{i}}:= \left( {\mathbf {B}^{b}_{i}}\otimes {{s}^{b}_{i}}\right) \mathbf {A} _{i+1}+{\mathbf {E'}^{b}_{i}}$; computes $ \mathbf {A} _J:= \mathbf {J} \mathbf {A} _1+ \mathbf {E} _J$;
4.
Simulates $ \{ {\mathbf {D}^{b}_{i}}\leftarrow \mathsf {Preimg}\mathsf {Sam}( \mathbf {A} _i, \tau _i, {\mathbf {Y}^{b}_{i}}, \sigma ) \} _{b\in \{0,1\}, i\in [v]}$ as the constrained-key below level v. Samples the rest of the $ \mathbf {D} $ matrices obliviously $ \{ {\mathbf {D}^{b}_{i}}\leftarrow \gamma \} _{b\in \{0,1\}, i\in [v+1, z]}$.
5.
Simulates the outputs. For $k\in [t]$, computes $y^{(k)}$ as
$$\begin{aligned} y^{(k)} = \left\lfloor \mathbf {J} \times \left( \left( \prod _{j=v+1}^{z}{\mathbf {B}^{x^{(k)}_{\iota (j)}}_{j}} \right) ^{-1} \otimes \prod _{i=1}^{v}{{s}^{x^{(k)}_{\iota (i)}}_{i}} \right) \times \mathbf {A} _{v+1}\prod _{j=v+1}^{z}{\mathbf {D}^{x^{(k)}_{\iota (j)}}_{j}} \right\rceil _p \end{aligned}$$
(3)

Lemma 14

$\mathsf {H}_{v}\approx _c \mathsf {H}_{v-1}$, for $v\in [z]$.

Proof

The difference of $\mathsf {H}_{v}$ and $\mathsf {H}_{v-1}$ lies in the sampling of ${\mathbf {D}^{0}_{v}}, {\mathbf {D}^{1}_{v}}$ and the outputs $ \{ y^{(k)} \} $. We first examine the outputs. For $k\in [t]$, we express the output $y^{(k)}$, starting from the expression in $\mathsf {H}_{v}$ to the one in $\mathsf {H}_{v-1}$:

$$\begin{aligned} \begin{aligned} y^{(k)}&= \left\lfloor \mathbf {J} \times \left( \left( \prod _{j=v+1}^{z}{\mathbf {B}^{x^{(k)}_{\iota (j)}}_{j}} \right) ^{-1} \otimes \prod _{i=1}^{v}{{s}^{x^{(k)}_{\iota (i)}}_{i}} \right) \times \mathbf {A} _{v+1}\prod _{j=v+1}^{z}{\mathbf {D}^{x^{(k)}_{\iota (j)}}_{j}} \right\rceil _p \\&= \left\lfloor \mathbf {J} \times \left( \left( \prod _{j=v+1}^{z}{\mathbf {B}^{x^{(k)}_{\iota (j)}}_{j}} \right) ^{-1} \otimes \prod _{i=1}^{v-1}{{s}^{x^{(k)}_{\iota (i)}}_{i}} \right) \times \left( \mathbf {I} ^{w\times w}\otimes {{s}^{x^{(k)}_{\iota (v)}}_{v}}\right) \mathbf {A} _{v+1}\prod _{j=v+1}^{z}{\mathbf {D}^{x^{(k)}_{\iota (j)}}_{j}} \right\rceil _p \\&= \Bigg \lfloor \mathbf {J} \times \left( \left( \prod _{j=v+1}^{z}{\mathbf {B}^{x^{(k)}_{\iota (j)}}_{j}} \right) ^{-1} \otimes \prod _{i=1}^{v-1}{{s}^{x^{(k)}_{\iota (i)}}_{i}} \right) \\&\qquad \qquad \qquad \times \left( {\mathbf {B}^{x^{(k)}_{\iota (v)}}_{v}}\otimes 1_R\right) ^{-1}\times \left( {\mathbf {B}^{x^{(k)}_{\iota (v)}}_{v}}\otimes {{s}^{x^{(k)}_{\iota (v)}}_{v}} \right) \mathbf {A} _{v+1}\prod _{j=v+1}^{z}{\mathbf {D}^{x^{(k)}_{\iota (j)}}_{j}} \Bigg \rceil _p \\&\approx _s \Bigg \lfloor \mathbf {J} \times \left( \left( \prod _{j=v}^{z}{\mathbf {B}^{x^{(k)}_{\iota (j)}}_{j}} \right) ^{-1}\otimes \prod _{i=1}^{v-1}{{s}^{x^{(k)}_{\iota (i)}}_{i}} \right) \\&\qquad \qquad \qquad \times \left[ \left( {\mathbf {B}^{x^{(k)}_{\iota (v)}}_{v}}\otimes {{s}^{x^{(k)}_{\iota (v)}}_{v}} \right) \mathbf {A} _{v+1} + \mathbf {E} ' \right] \prod _{j=v+1}^{z}{\mathbf {D}^{x^{(k)}_{\iota (j)}}_{j}} \Bigg \rceil _p \\&= \left\lfloor \mathbf {J} \times \left( \left( \prod _{j=v}^{z}{\mathbf {B}^{x^{(k)}_{\iota (j)}}_{j}} \right) ^{-1}\otimes \prod _{i=1}^{v-1}{{s}^{x^{(k)}_{\iota (i)}}_{i}} \right) \times {\mathbf {Y}^{x^{(k)}_{\iota (v)}}_{v}} \prod _{j=v+1}^{z}{\mathbf {D}^{x^{(k)}_{\iota (j)}}_{j}} \right\rceil _p \\&= \left\lfloor \mathbf {J} \times \left( \left( \prod _{j=v}^{z}{\mathbf {B}^{x^{(k)}_{\iota (j)}}_{j}} \right) ^{-1}\otimes \prod _{i=1}^{v-1}{{s}^{x^{(k)}_{\iota (i)}}_{i}} \right) \times \mathbf {A} _{v}\prod _{j=v}^{z}{\mathbf {D}^{x^{(k)}_{\iota (j)}}_{j}} \right\rceil _p \end{aligned} \end{aligned}$$

(4)

where ${\mathbf {Y}^{x^{(k)}_{\iota (v)}}_{v}} = \mathbf {A} _{v}{\mathbf {D}^{x^{(k)}_{\iota (v)}}_{v}}$. The correctness of this equation is a routine check. The implication is that the difference of $\mathsf {H}_{v}$ and $\mathsf {H}_{v-1}$ fully lies in the sampling of ${\mathbf {Y}^{0}_{v}}, {\mathbf {Y}^{1}_{v}}$ (being GLWE samples in $\mathsf {H}_{v}$ or uniform in $\mathsf {H}_{v-1}$) and their preimages ${\mathbf {D}^{0}_{v}}, {\mathbf {D}^{1}_{v}}$ sampled by the trapdoor of $ \mathbf {A} _v$.

Formally, suppose there is an attacker $A'$ that distinguishes $\mathsf {H}_{v}$ and $\mathsf {H}_{v-1}$ with non-negligible probability $\zeta $, we can build an attacker A who distinguishes:

$$ \mathbf {A} _{v+1}, \{ {\mathbf {Y}^{b}_{v}} = \left( {\mathbf {B}^{b}_{v}}\otimes {{s}^{b}_{v}} \right) \mathbf {A} _{v+1} + {\mathbf {E}^{b}_{v}} \} _{b\in \{0,1\}} $$

from

$$ \{ U( R_q^{w\times wm} \times R_q^{w\times wm} \times R_q^{w\times wm} ) \} $$

To do so, once A obtains the samples, it samples $ \{ \mathbf {A} _j \} _{j\in [v]}$ with trapdoors, and produce the preimages $ \{ {\mathbf {D}^{b}_{v}}\leftarrow \mathsf {Preimg}\mathsf {Sam}( \mathbf {A} _v, \tau _v, {\mathbf {Y}^{b}_{v}}, \sigma ) \} _{b\in \{0,1\}}$. Then places $ \mathbf {A} _{v+1}$, ${\mathbf {Y}^{0}_{v}}$, ${\mathbf {Y}^{1}_{v}}$, ${\mathbf {D}^{0}_{v}}$, ${\mathbf {D}^{1}_{v}}$ in the constrained key and the outputs. It further samples GLWE secrets $ \{ {{s}^{b}_{i}}\leftarrow \eta \} _{b\in \{0,1\}, i\in [v]}$, $ \{ {\mathbf {D}^{b}_{i}}\leftarrow \mathsf {Preimg}\mathsf {Sam}( \mathbf {A} _i, \tau _i, {\mathbf {Y}^{b}_{i}}, \sigma ) \} _{b\in \{0,1\}, i\in [v]}$ as the constrained-key below level v. Samples the rest of the $ \mathbf {D} $ matrices obliviously $ \{ {\mathbf {D}^{b}_{i}}\leftarrow \gamma \} _{b\in \{0,1\}, i\in [v+1, z]}$.

With these matrices the attacker A is able to simulate the rest of the outputs, send the outputs and constrained key to $A'$. If the samples are from GLWE, then it corresponds to $\mathsf {H}_{v}$; if the samples are uniform, then the matrices $ \{ {\mathbf {D}^{b}_{v}} \} _{b\in \{0,1\}}$ sampled via $ \{ {\mathbf {D}^{b}_{v}}\leftarrow \mathsf {Preimg}\mathsf {Sam}( \mathbf {A} _v, \tau _v, {\mathbf {Y}^{b}_{v}}, \sigma ) \} _{b\in \{0,1\}}$ are statistically close to the obliviously sampled ones due to Lemma 4, so it is statistically close to $\mathsf {H}_{v-1}$. Hence A breaks GLWE with probability more than $\zeta /2$, which contradicts to Lemma 10. $\square $

Lemma 15

If $C(x^{(k)})=0$, then the output $y^{(k)}$ in $\mathsf {H}_{0}$ is pseudorandom.

Proof

Following Eq. 3, a constrained output $y^{(k)}$ in $\mathsf {H}_{0}$ can be expressed as:

$$\begin{aligned} y^{(k)} = \left\lfloor \mathbf {J} \times \left( \mathbf {P} ^{-1}\otimes 1_R\right) \times \mathbf {A} _{1}\prod _{j=1}^{z}{\mathbf {D}^{x^{(k)}_{\iota (j)}}_{j}} \right\rceil _p \approx _s \left\lfloor \left( \mathbf {J} \times \left( \mathbf {P} ^{-1}\otimes 1_R\right) \times \mathbf {A} _{1} + \mathbf {E} \right) \prod _{j=1}^{z}{\mathbf {D}^{x^{(k)}_{\iota (j)}}_{j}} \right\rceil _p \end{aligned}$$

(5)

For $ \mathbf {J} \mathbf {A} _1+ \mathbf {E} _J$ as part of the constrained key, $ \mathbf {J} \times \left( \mathbf {P} ^{-1}\otimes 1_R\right) \times \mathbf {A} _{1} + \mathbf {E} $ as part of the constrained output $y^{(k)}$, $( \mathbf {J} \mathbf {A} _1+ \mathbf {E} _J, \mathbf {J} \times \left( \mathbf {P} ^{-1}\otimes 1_R\right) \times \mathbf {A} _{1} + \mathbf {E} )$ is indistinguishable from $U(R_q^{1\times wm}, R_q^{1\times wm})$ due to Lemma 11. This means each constrained output $y^{(k)}$ is indistinguishable from $\left\lfloor \mathbf {U} \prod _{j=1}^{z}{\mathbf {D}^{x^{(k)}_{\iota (j)}}_{j}} \right\rceil _p$ where $ \mathbf {U} \leftarrow U(R_q^{1\times wm})$. Hence $y^{(k)}$ is pseudorandom if $C(x^{(k)})=0$ due to Lemma 9. $\square $

The proof completes by combining the Lemmas 14 and 15. $\square $

6 Private-Key Functional Encryption from CHCPRF

We construct private-key function-hiding functional encryptions for $\mathsf {NC}^1$ circuits from (1) CHCPRFs for $\mathsf {NC}^1$; (2) semantic secure private-key encryption schemes with decryption in $\mathsf {NC}^1$. The scheme satisfies 1-key simulation-based security.

6.1 The Definition of Functional Encryption

Definition 8

(Function-hiding private-key functional encryption [34]). A functional encryption scheme for a class of functions $\mathcal {C}_\mu = \{C : \{0,1\}^\mu \rightarrow \{0,1\}\}$ is a tuple of p.p.t. algorithms $(\mathsf {Setup}, \mathsf {FSK}\mathsf {Gen}, \mathsf {Enc}, \mathsf {Dec})$ such that:

$\mathsf {Setup}(1^\lambda )$ takes as input the security parameter $1^\lambda $, outputs the master secret key $\mathsf {MSK}$.
$\mathsf {FSK}\mathsf {Gen}(\mathsf {MSK}, C)$ takes $\mathsf {MSK}$ and a function $C \in \mathcal {C}_\mu $, outputs a functional decryption key $\mathsf {FSK}_C$.
$\mathsf {Enc}(\mathsf {MSK}, m)$ takes $\mathsf {MSK}$ and a message $m \in \{0,1\}^\mu $, outputs a ciphertext $\mathsf {CT}_m$.
$\mathsf {Dec}(\mathsf {FSK}_C, \mathsf {CT}_m)$ takes as input a ciphertext $\mathsf {CT}_m$ and a functional decryption key $\mathsf {FSK}_C$, outputs (in the clear) the result C(m) of applying the function on the message.

We require that:

Correctness. For every message $m \in \{0,1\}^\mu $ and function $C\in \mathcal {C}_\mu $ we have:

$$\begin{aligned} \Pr \ \left[ b = C(m) \left| \begin{matrix} {\mathsf {MSK}} &{}\leftarrow &{}\mathsf {Setup}(1^\lambda ) \\ {\mathsf {FSK}_C} &{}\leftarrow &{}\mathsf {FSK}\mathsf {Gen}(\mathsf {MSK}, C)\\ {\mathsf {CT}_m} &{}\leftarrow &{}\mathsf {Enc}(\mathsf {MSK}, m) \\ b &{}\leftarrow &{}\mathsf {Dec}(\mathsf {FSK}_C, \mathsf {CT}_m) \end{matrix} \right. \right] = 1 - \mathsf {negl}(\lambda ) \end{aligned}$$

Security. We require that for all polytime, stateful algorithm $\mathsf {Adv}$, there is a polytime, stateful algorithm $\mathsf {Sim}$ such that:

$$ \{ {Experiment} \, REAL_{\mathsf {Adv}}(1^\lambda ) \} _{\lambda \in \mathbb {N}} \approx _c \{ {Experiment} \, IDEAL_{\mathsf {Adv}, \mathsf {Sim}}(1^\lambda ) \} _{\lambda \in \mathbb {N}} $$

The real and ideal experiments of stateful algorithms $\mathsf {Adv},\mathsf {Sim}$ are as follow:

That is, in the experiments $\mathsf {Adv}$ can ask for a single functional decryption key and polynomially many input queries, in any order. For encryption queries m made before the decryption key query, $\mathsf {Adv}$ is expected to provide a bit $d_x$ indicating whether $C(m)=1$. In the real experiment $\mathsf {Adv}$ obtains the encryption of m. In the ideal experiment $\mathsf {Adv}$ obtains a value generated by $\mathsf {Sim}$, whereas $\mathsf {Sim}$ is given only $1^{|m|}$ and $d_m$. Once $\mathsf {Adv}$ makes the functional key query for circuit $C\in \mathcal {C}_\lambda $, both experiments verify the consistency of the indicator bits $d_m$ for all the encryption queries m made by $\mathsf {Adv}$ so far. If any inconsistency is found then the experiment halts. Next, in the real experiment $\mathsf {Adv}$ obtains the constrained key generated by the constraining algorithm; in the ideal experiment $\mathsf {Adv}$ obtains a key generated by $\mathsf {Sim}$, whereas $\mathsf {Sim}$ is given only the size of C. The handling of encryption queries made by $\mathsf {Adv}$ after the circuit query is similar to the ones before, with the exception that the indicator bit $d_m$ is no longer needed and $\mathsf {Sim}$ obtains the value of C(m) instead. The output of the experiment is the final output bit of $\mathsf {Adv}$.

6.2 The Construction

Theorem 13

If there are 1-key secure constraint-hiding constraint PRFs for constraint class $\mathcal {C}$, and symmetric-key encryption schemes with decryption in the class $\mathcal {C}$, then there are 1-key secure private-key function-hiding functional encryptions for function class $\mathcal {C}$.

Corollary 2

Assuming the intractability of GLWE, there are 1-key secure private-key function-hiding functional encryptions for $\mathsf {NC}^1$.

Construction 14

Given a CHCPRF $(\mathsf {F}.\mathsf {Gen}, \mathsf {F}.\mathsf {Constrain}, \mathsf {F}.\mathsf {Eval})$, a semantic secure symmetric-key encryption scheme $(\mathsf {Sym}.\mathsf {Gen}, \mathsf {Sym}.\mathsf {Enc}, \mathsf {Sym}.\mathsf {Dec})$, we build a private-key functional encryption $\mathsf {FE}$ as follows:

$\mathsf {FE}.\mathsf {Setup}(1^\lambda )$ takes as input the security parameter $1^\lambda $, runs $\mathsf {Sym}.\mathsf {Gen}(1^\lambda )\rightarrow \mathsf {Sym}.\mathsf {SK}$, $\mathsf {F}.\mathsf {Gen}(1^\lambda )\rightarrow \mathsf {F}.\mathsf {MSK}$, outputs the master secret key $\mathsf {FE}.\mathsf {MSK}= (\mathsf {Sym}.\mathsf {SK}, \mathsf {F}.\mathsf {MSK})$.
$\mathsf {FE}.\mathsf {Enc}(\mathsf {FE}.\mathsf {MSK}, m)$ parses $\mathsf {FE}.\mathsf {MSK}= (\mathsf {Sym}.\mathsf {SK}, \mathsf {F}.\mathsf {MSK})$, computes $\mathsf {Sym}.\mathsf {CT} = \mathsf {Sym}.\mathsf {Enc}(m)$, $\mathsf {Tag}=\mathsf {F}.\mathsf {Eval}(\mathsf {F}.\mathsf {MSK}, \mathsf {Sym}.\mathsf {CT})$. Outputs $\mathsf {FE}.\mathsf {CT}= (\mathsf {Sym}.\mathsf {CT}, \mathsf {Tag})$.
$\mathsf {FE}.\mathsf {FSK}\mathsf {Gen}(\mathsf {FE}.\mathsf {MSK}, C)$ parses $\mathsf {FE}.\mathsf {MSK}= (\mathsf {Sym}.\mathsf {SK}, \mathsf {F}.\mathsf {MSK})$, outputs the functional decryption key $\mathsf {FE}.\mathsf {FSK}_C = \mathsf {F}.\mathsf {Constrain}(\mathsf {F}.\mathsf {MSK}, F[\mathsf {Sym}.\mathsf {SK}, C])$, where the functionality of $F[\mathsf {Sym}.\mathsf {SK}, C](\cdot )$ is:
- On input x, computes $\mathsf {Sym}.\mathsf {Dec}(\mathsf {Sym}.\mathsf {SK}, x)\rightarrow m\in \{0,1\}^\mu \cap \bot $;
- if $m=\bot $, return 0; else, return C(m).
$\mathsf {FE}.\mathsf {Dec}(\mathsf {FE}.\mathsf {FSK}_C, \mathsf {FE}.\mathsf {CT})$ parses $\mathsf {FE}.\mathsf {FSK}_C = \mathsf {F}.\mathsf {CK}_F$, $\mathsf {FE}.\mathsf {CT}= (\mathsf {Sym}.\mathsf {CT}, \mathsf {Tag})$, computes $T = \mathsf {F}.\mathsf {Eval}(\mathsf {F}.\mathsf {CK}_F, \mathsf {Sym}.\mathsf {CT})$. Outputs $1$ if $T=\mathsf {Tag}$, $0$ if not.

Correctness. Correctness follows the correctness of $\mathsf {Sym}$ and $\mathsf {F}$.

Proof

We build the FE simulator $\mathsf {FE}.\mathsf {Sim}$ from the symmetric-key encryption simulator $\mathsf {Sym}.\mathsf {Sim}$ and CHCPRF simulator $\mathsf {F}.\mathsf {Sim}$:

1.
Generates the simulated master secret-keys $\mathsf {Sym}.\mathsf {SK}^S$ and $\mathsf {F}.\mathsf {MSK}^S$
2.
Given a function-decryption key query (for function C), $\mathsf {FE}.\mathsf {Sim}$ runs $\mathsf {CK}^S\leftarrow \mathsf {F}.\mathsf {Sim}_1(1^\lambda , 1^{|F[\mathsf {Sym}.\mathsf {SK}, C]|}, \mathsf {F}.\mathsf {MSK}^S)$, outputs $\mathsf {CK}^S$ as $\mathsf {FE}.\mathsf {FSK}^S$.
3.
Given a ciphertext query and the output bit C(m), $\mathsf {FE}.\mathsf {Sim}$ runs $\mathsf {Sym}.\mathsf {CT}^S \leftarrow \mathsf {Sym}.\mathsf {Sim}(1^\lambda , 1^{|m|}, \mathsf {Sym}.\mathsf {SK}^S)$ and $\mathsf {Tag}^S \leftarrow \mathsf {F}\mathsf {Sim}_2(\mathsf {F}.\mathsf {MSK}^S, \mathsf {CK}^S, \mathsf {Sym}.\mathsf {CT}^S, C(m))$, outputs $(\mathsf {Sym}.\mathsf {CT}^S, \mathsf {Tag}^S)$ as $\mathsf {FE}.\mathsf {CT}^S$.

To show that the simulated outputs are indistinguishable from the real outputs, consider an intermediate simulator $\mathsf {FE}.\mathsf {Sim}'$ which is the same to $\mathsf {FE}.\mathsf {Sim}$, except that it uses the real $\mathsf {Sym}$ ciphertexts in the ciphertext queries. Observe that the secret-key of $\mathsf {Sym}$ is not exposed in $\mathsf {FE}.\mathsf {Sim}'$ or $\mathsf {FE}.\mathsf {Sim}$, the output distributions of $\mathsf {FE}.\mathsf {Sim}'$ and $\mathsf {FE}.\mathsf {Sim}$ are indistinguishable following the security of $\mathsf {Sym}$.

Next, assume there is a distinguisher D for the outputs of the real $\mathsf {FE}$ scheme and $\mathsf {FE}.\mathsf {Sim}'$, we build an attacker A for the CHCPRF $\mathsf {F}$. A samples a secret key for $\mathsf {Sym}$, sends a constrained circuit query, obtains the real $\mathsf {CK}$ if it is the real distribution, or the simulated $\mathsf {CK}^S$ if it is the simulated distribution; then creates symmetric-key ciphertexts, sends as the input queries to the CHCPRF. It obtains the real outputs if it is the real case, or the simulated outputs if it is the simulated case. A treats the outputs as tags. A forwards the ciphertexts, tags and FSK to D. D’s success probability transfers to the one for A. $\square $

References

Agrawal, S., Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption: new perspectives and lower bounds. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 500–518. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40084-1_28
Chapter Google Scholar
Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999). doi:10.1007/3-540-48523-6_1
Chapter Google Scholar
Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. Theory Comput. Syst. 48(3), 535–553 (2011)
Article MathSciNet MATH Google Scholar
Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03356-8_35
Chapter Google Scholar
Banerjee, A., Peikert, C.: New and improved key-homomorphic pseudorandom functions. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 353–370. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44371-2_20
Chapter Google Scholar
Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29011-4_42
Chapter Google Scholar
Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012)
Article MathSciNet MATH Google Scholar
Barrington, D.A.M.: Bounded-width polynomial-size branching programs recognize exactly those languages in NC$^1$. In: Hartmanis, J. (ed.) STOC, pp. 1–5. ACM, New York (1986)
Google Scholar
Biasse, J.-F., Song, F.: Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In: Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 893–902. SIAM (2016)
Google Scholar
Boneh, D., Kim, S., Montgomery, H.: Private puncturable PRFs from standard lattice assumptions. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 415–445. Springer, Cham (2017). Cryptology ePrint Archive, Report 2017/100 (2017)
Google Scholar
Boneh, D., Lewi, K., Montgomery, H.W., Raghunathan, A.: Key homomorphic PRFs and their applications. In: Canetti and Garay [22], pp. 410–428
Google Scholar
Boneh, D., Lewi, K., Wu, D.J.: Constraining pseudorandom functions privately. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10175, pp. 494–524. Springer, Heidelberg (2017). doi:10.1007/978-3-662-54388-7_17. Cryptology ePrint Archive, Report 2015/1167
Chapter Google Scholar
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). doi:10.1007/978-3-642-19571-6_16
Chapter Google Scholar
Boneh, D., Silverberg, A.: Applications of multilinear forms to cryptography. Contemp. Math. 324(1), 71–90 (2003)
Article MathSciNet MATH Google Scholar
Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013). doi:10.1007/978-3-642-42045-0_15
Chapter Google Scholar
Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014). doi:10.1007/978-3-642-54631-0_29
Chapter Google Scholar
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: ITCS, pp. 309–325. ACM (2012)
Google Scholar
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Proceedings of the Forty-Fifth Annual ACM Symposium on Theory of Computing, pp. 575–584. ACM (2013)
Google Scholar
Brakerski, Z., Vaikuntanathan, V.: Constrained key-homomorphic PRFs from standard lattice assumptions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 1–30. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46497-7_1
Chapter Google Scholar
Brakerski, Z., Vaikuntanathan, V., Wee, H., Wichs, D.: Obfuscating conjunctions under entropic ring LWE. In: ITCS, pp. 147–156. ACM (2016)
Google Scholar
Canetti, R., Chen, Y.: Constraint-hiding constrained PRFs for NC$^1$ from LWE. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 446–476. Springer, Cham (2017). Cryptology ePrint Archive (2017)
Google Scholar
Canetti, R., Garay, J.A. (eds.): CRYPTO 2013. LNCS, vol. 8042. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40041-4
MATH Google Scholar
Chen, Y., Gentry, C., Halevi, S.: Cryptanalyses of candidate branching program obfuscators. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 278–307. Springer, Cham (2017). Cryptology ePrint Archive, Report 2016/998 (2017)
Google Scholar
Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 3–12. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_1
Google Scholar
Coron, J.-S., Lee, M.S., Lepoint, T., Tibouchi, M.: Cryptanalysis of GGH15 multilinear maps. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 607–628. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53008-5_21
Chapter Google Scholar
Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti and Garay [22], pp. 476–493
Google Scholar
Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 559–585. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49896-5_20
Chapter Google Scholar
Cramer, R., Ducas, L., Wesolowski, B.: Short stickelberger class relations and application to ideal-SVP. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 324–348. Springer, Cham (2017). Cryptology ePrint Archive, Report 2016/885 (2017)
Google Scholar
Ducas, L., Durmus, A.: Ring-LWE in polynomial rings. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 34–51. Springer, Heidelberg (2012). doi:10.1007/978-3-642-30057-8_3
Chapter Google Scholar
Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson and Nguyen [38], pp. 1–17
Google Scholar
Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46497-7_20
Chapter Google Scholar
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008)
Google Scholar
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)
Article MathSciNet MATH Google Scholar
Goldwasser, S., Kalai, Y., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: Proceedings of the Forty-Fifth Annual ACM Symposium on Theory of Computing, pp. 555–564. ACM (2013)
Google Scholar
Hada, S.: Zero-knowledge and code obfuscation. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 443–457. Springer, Heidelberg (2000). doi:10.1007/3-540-44448-3_34
Chapter Google Scholar
Halevi, S.: Graded encoding, variations on a scheme. Cryptology ePrint Archive, Report 2015/866 (2015)
Google Scholar
Hu, Y., Jia, H.: Cryptanalysis of GGH map. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 537–565. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49890-3_21
Chapter Google Scholar
Johansson, T., Nguyen, P.Q. (eds.): EUROCRYPT 2013. LNCS, vol. 7881. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38348-9
MATH Google Scholar
Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: ACM Conference on Computer and Communications Security, pp. 669–684. ACM (2013)
Google Scholar
Klein, P.N.: Finding the closest lattice vector when it’s unusually close. In: SODA, pp. 937–941. ACM/SIAM (2000)
Google Scholar
Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75(3), 565–599 (2015)
Article MathSciNet MATH Google Scholar
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM 60(6), 43 (2013)
Article MathSciNet MATH Google Scholar
Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson and Nguyen [38], pp. 35–54
Google Scholar
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29011-4_41
Chapter Google Scholar
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measure. SIAM J. Comput. 37(1), 267–302 (2007)
Article MathSciNet MATH Google Scholar
Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: Mitzenmacher, M. (ed.) STOC 2009, pp. 333–342. ACM, New York (2009)
Google Scholar
Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). doi:10.1007/11681878_8
Chapter Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34:1–34:40 (2009)
Article MathSciNet MATH Google Scholar

Download references

Acknowledgments

We thank Leonid Reyzin for helpful discussions and the formalization of LWE-hardness. The first author is a member of the Check Point Institute for Information Security. This work is supported by the NSF MACS project, NSF grants CNS1012798, CNS1012910, and ISF grant 1523/14.

Author information

Authors and Affiliations

Boston University, Boston, USA
Ran Canetti & Yilei Chen
Tel Aviv University, Tel Aviv, Israel
Ran Canetti

Authors

Ran Canetti
View author publications
You can also search for this author in PubMed Google Scholar
Yilei Chen
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Yilei Chen .

Editor information

Editors and Affiliations

University of Luxembourg, Luxembourg, Luxembourg
Jean-Sébastien Coron
Aarhus University, Aarhus, Denmark
Jesper Buus Nielsen

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Canetti, R., Chen, Y. (2017). Constraint-Hiding Constrained PRFs for NC$^1$ from LWE. In: Coron, JS., Nielsen, J. (eds) Advances in Cryptology – EUROCRYPT 2017. EUROCRYPT 2017. Lecture Notes in Computer Science(), vol 10210. Springer, Cham. https://doi.org/10.1007/978-3-319-56620-7_16

Download citation

DOI: https://doi.org/10.1007/978-3-319-56620-7_16
Published: 01 April 2017
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-56619-1
Online ISBN: 978-3-319-56620-7
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Constraint-Hiding Constrained PRFs for NC\(^1\) from LWE

Abstract

Similar content being viewed by others

Constraining and Watermarking PRFs from Milder Assumptions

Constrained Key-Homomorphic PRFs from Standard Lattice Assumptions

Private Constrained PRFs (and More) from LWE

Keywords

1 Introduction

Theorem 1

Theorem 2

1.1 CHCPRFs, Functional Encryption and Obfuscation

1.2 Overview of Our Construction

1.3 More on Related Work

1.4 Concurrent Work

2 Preliminaries

2.1 Matrix Branching Programs

Definition 1

Theorem 3

2.2 Lattices

Lemma 1

Lemma 2

Lemma 3

Lemma 4

2.3 General Learning with Errors Problems

Definition 2

Definition 3

Lemma 5

Lemma 6

Lemma 7

Lemma 8

Lemma 9

3 GLWE-Hard Distributions: Extension Package

Lemma 10

Proof

Lemma 11

Proof

4 Constraint-Hiding Constrained PRFs

4.1 The Indistinguishability-Based Definition

Definition 4

4.2 The Simulation-Based Definition

Definition 5

Remark 1

Remark 2

4.3 Relations Among the Definitions

Definition 6

Construction 4

Theorem 5

Proof

Corollary 1

Theorem 6

Proof

Theorem 7

Theorem 8

Proof

5 The Constructions

5.1 Bit-Fixing CHCPRFs

Definition 7

Construction 9

Remark 3

Theorem 10

Proof

Lemma 12

Proof

Lemma 13

Proof

5.2 Constraint-Hiding for \(\mathsf {NC}^1\) Circuits

Construction 11

Theorem 12

Proof

Lemma 14

Proof

Lemma 15

Proof

6 Private-Key Functional Encryption from CHCPRF

6.1 The Definition of Functional Encryption

Definition 8

6.2 The Construction

Theorem 13

Corollary 2

Construction 14