1 Introduction

Background and Context. A common approach to prove the security of a cryptographic scheme, known as provable security, is to relate its security to one of its underlying primitives or to an accepted hard computational problem. While this approach is now standard and widely accepted, there is still a significant gap between the existing models used in security proofs and the actual environment in which these cryptosystems are deployed. For example, most of the existing security models assume that the adversary has no information about the user’s secret key. However, it is well known that this is not always true in practice: the adversary may be able to learn partial information about the secrets using different types of side-channel attacks, such as the study of energy consumption, fault injection, or timing analysis. In the particular case of fault injection, for instance, an adversary can learn not only partial information about the secret key, but it may also be able to force a cryptosystem to work with different but related secret keys. Then, if it can observe the outcome of this cryptosystem, it may be able to break it. This is what is known in the literature as a related-key attack (RKA).

Most primitives are designed without taking related-key attacks into consideration, so their security proofs do not provide any guarantee against such attacks. Hence, a cryptographic scheme that is perfectly safe in theory may be completely vulnerable in practice. Indeed, many such attacks were found during the last decade, especially against practical blockciphers [5,6,7, 10, 11, 19]. Inspired by this cryptanalytic work, some years ago, theoreticians started to develop appropriate security models and search for cryptographic primitives which can be proven RKA secure.

Formal Foundations of RKA Security. Though RKAs were first introduced by Biham and Knudsen [8, 20] in the early 1990s, it was only in 2003 that Bellare and Kohno [9] began the formalization of the theoretical foundations for RKA security. We recall their definition of RKA security for pseudorandom functions (PRFs) here. Let \(F {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be a family of functions, and let \({\Phi } = \{\phi {:\;\;}\mathcal {K}\rightarrow \mathcal {K}\}\) be a set of functions on the key space \(\mathcal {K}\), called a related-key deriving (RKD) function set. We say that F is a \({\Phi } \)-RKA-PRF if for any polynomial-time adversary, its advantage in the following game is negligible. The game starts by picking a random challenge bit b, a random target key \(K \in \mathcal {K}\) and a random function \(G {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\). The adversary can repeatedly query an oracle that, given a pair \((\phi , x) \in {\Phi } \times \mathcal {D}\), returns either \(F(\phi (K),x)\), if \(b = 1\), or \(G(\phi (K),x)\), if \(b = 0\). Finally, the adversary outputs a bit \(b'\), and its advantage is defined by \(2 \, {\Pr \left[ \,{b = b'}\,\right] } - 1\). Note that if the class \({\Phi } \) of \(\mathrm {RKD}\) functions contains only the identity function, then this notion matches standard PRF security.

Bellare and Cash [2] designed the first RKA-PRFs secure under standard assumptions for group-induced \(\mathrm {RKD}\) classes, by adapting the Naor–Reingold PRF [23]. Their RKA-PRFs are secure for \(\mathrm {RKD}\) function classes consisting of certain multiplicative and additive classes. To explain their results, let us begin by recalling the definition of the Naor–Reingold PRF. Let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p. Let \({\mathsf {NR}} {:\;\;}({{\mathbb {Z}}}_p^*)^{n+1} \times \{0,1\}^n \rightarrow \mathbb {G}\) denote the Naor–Reingold PRF that given a key \({\vec {a}} = (a_0,\ldots ,a_n) \in ({{\mathbb {Z}}}_p^*)^{n+1}\) and input \(x = x_1 {\,\Vert \,}\ldots {\,\Vert \,}x_n \in \{0,1\}^n\) returns

$$\begin{aligned} {\mathsf {NR}} ({\vec {a}},x) = \left[ {a_0 \prod _{i=1}^n a_i^{x_i}}\right] \end{aligned}$$

where for any \(a \in {{\mathbb {Z}}}_p\), [a] stands for \(g^a\), as defined in [16]. The key space of the Naor–Reingold PRF is \({\mathcal {K}} = ({{\mathbb {Z}}}_p^*)^{n+1}\), which has a group structure under the operation of component-wise multiplication modulo p, denoted \(*\). Now let \({\Phi } _{*}\) denote the class of component-wise multiplicative functions on \(({{\mathbb {Z}}}_p^*)^{n+1}\), that is \({\Phi } _{*}= \{ \phi {:\;\;}{\vec {a}} \in ({{\mathbb {Z}}}_p^*)^{n+1} \mapsto {\vec {b}} * {\vec {a}} \; \vert \; {\vec {b}} \in ({{\mathbb {Z}}}_p^*)^{n+1} \}\). It is easy to see that \({\mathsf {NR}} \) is not itself a \({\Phi } _{*}\)-RKA-PRF, since it suffers from simple algebraic attacks (for instance, \({\mathsf {NR}} ({\vec {b}} * {\vec {a}},x) = {\mathsf {NR}} ({\vec {a}},x)^{b_0 \prod _{i=1}^n b_i^{x_i}}\), a relation that a random function satisfies only with probability 1 / p), but using a collision-resistant hash function \(h {:\;\;}\{0,1\}^n \times \mathbb {G}^{n+1} \rightarrow \{0,1\}^{n-2}\), Bellare and Cash were able to show that a simple modification of the Naor–Reingold PRF does yield a \({\Phi } _{*}\)-RKA-PRF under the DDH assumption. Specifically, they defined \(F {:\;\;}({{\mathbb {Z}}}_p^*)^{n+1} \times \{0,1\}^n \rightarrow \mathbb {G}\) by:

$$\begin{aligned} F({\vec {a}},x) = {\mathsf {NR}} ({\vec {a}},11{\,\Vert \,}h(x,(\left[ {a_0}\right] , \left[ {a_0a_1}\right] ,\ldots ,\left[ {a_0a_n}\right] ))) \; \end{aligned}$$

and showed that this F is indeed a \({\Phi } _{*}\)-RKA-PRF under the DDH assumption. A second construction in [2] uses similar techniques to build an RKA-PRF under the DLIN assumption.

In the original version of their paper, Bellare and Cash also used a variant of the Naor–Reingold PRF, \({\mathsf {NR}^{*}} {:\;\;}{{\mathbb {Z}}}_p^{n} \times \{0,1\}^n {\setminus } \{0^n\} \rightarrow \mathbb {G}\), defined by:

$$\begin{aligned} {\mathsf {NR}^{*}} ({\vec {a}},x) = \left[ {\prod _{i=1}^n a_i^{x_i}}\right] , \end{aligned}$$

to obtain a third RKA-PRF, this one for additive \(\mathrm {RKD}\) functions. In more detail, the key space \({\mathcal {K}} = {{\mathbb {Z}}}_p^{n}\) of \({\mathsf {NR}^{*}} \) has a natural group structure under the operation of component-wise addition modulo p. We define \({\Phi } _{+}\) to be the class of functions, \({\Phi } _{+}= \{ \phi {:\;\;}{\vec {a}} \in {{\mathbb {Z}}}_p^{n} \mapsto {\vec {a}} + {\vec {b}}\; \vert \; {\vec {b}} \in {{\mathbb {Z}}}_p^{n} \}\). Then, Bellare and Cash claimed that the function \(F {:\;\;}{{\mathbb {Z}}}_p^{n} \times \{0,1\}^n {\setminus } 0^n \rightarrow \mathbb {G}\) with

$$\begin{aligned} F({\vec {a}},x) = {\mathsf {NR}^{*}} ({\vec {a}},11{\,\Vert \,}h(x,( \left[ {a_1}\right] ,\left[ {a_2}\right] ,\ldots ,\left[ {a_n}\right] ))) \end{aligned}$$

is a \({\Phi } _{+}\)-RKA-PRF under the DDH assumption, when the function \(h {:\;\;}\{0,1\}^n \times \mathbb {G}^{n} \rightarrow \{0,1\}^{n-2}\) is a collision-resistant hash function. The running time of their security reduction in this case was exponential in the input size.

These foundational results of [2] were obtained by applying a single, elegant, general framework to the Naor–Reingold PRFs. The framework hinges on two main tools, key malleability and key-fingerprints for PRFs and associated \(\mathrm {RKD}\) function classes \({\Phi } \). The former property means that there is an efficient deterministic algorithm, called a key-transformer, that enables one to transform an oracle for computing \(M(K,x)\) into one for computing \(M(\phi (K),x)\) for any \(\phi \in {\Phi } \) and any input x (the technical requirements are in fact somewhat more involved than these), where M denotes the PRF on which one would like to apply the framework. The latter provides a means to ensure that, in the Bellare–Cash construction for an RKA-PRF from a (normal) PRF M, all adversarial queries to the putative \({\Phi } \)-RKA-PRF get appropriately separated before being processed by M. In combination, these two features enable a reduction to be made to the PRF security of the underlying function M.

Unfortunately, it was recently discovered that the original framework of [2] has a bug, in that a technical requirement on the key-transformer, called hash function compatibility, was too weak to enable the original security proof of the Bellare–Cash construction to go through. When hash function compatibility is appropriately strengthened to enable a proof, it still holds for the key-transformers used in the analysis of their two main constructions, the multiplicative DDH and DLIN-based RKA-PRF constructions. However, the new compatibility definition no longer holds for the key-transformer used in their additive, DDH-based RKA-PRF construction. With respect to their framework and, specifically, their additive, DDH-based RKA-PRF construction, Bellare and Cash note in the latest version of their paper [3]: “We see no easy way to fill the gap within our current framework and accordingly are retracting our claims about this construction and omitting it from the current version.”

Main Question. A natural question that arises from the work of Bellare–Cash is whether it is possible to go further, to obtain RKA-PRFs for larger classes of \(\mathrm {RKD}\) functions than \({\Phi } _{*}\) and \({\Phi } _{+}\). This is important in understanding whether there are yet-to-be-discovered fundamental barriers to achieving RKA security for PRFs, as well as in bringing the current state of the art for RKA security closer to practical application. This question becomes even more relevant in the light of the results of Bellare, Cash and Miller [4], who showed that RKA security can be transferred from PRFs to several other primitives, including identity-based encryption (IBE), signatures, as well as symmetric (SE) and public-key encryption (PKE) secure against chosen-ciphertext attacks. Their results illustrate the central role that RKA-PRFs play in related-key security more generally: Any advance in constructing RKA-PRFs for broader classes would immediately transfer to these other primitives via the results of [4]. A subsidiary question is whether it is possible to repair the Bellare–Cash framework without requiring stronger hash compatibility conditions on the key-transformer. This, if achievable, would reinstate their \({\Phi } _{+}\)-RKA-PRF.

A partial answer to the first question was provided by Goyal, O’Neill and Rao [18], who proposed RKA-secure weak-PRF and symmetric encryption schemes for polynomial functions using the Decisional Truncated q-ADHE problem. RKA-secure weak-PRFs, however, are significantly weaker than standard RKA-PRFs since their security only holds with respect to random inputs. Wee [24] provided RKA-secure PKE for linear functions, while Bellare, Paterson, and Thomson [14] proposed a framework for obtaining RKA-secure IBE for affine and polynomial \(\mathrm {RKD}\) function sets, from which RKA security for signatures, PKE (and more) for the same \(\mathrm {RKD}\) function sets follows using the results of [4] and extensions thereof. However, in respect of these works, it should be noted that achieving RKA security for randomized primitives appears to be substantially easier than for PRFs which are deterministic objects. An extended discussion on this point can be found in [2, Section 1].

In parallel work to ours, Lewi et al. [22] showed that the key homomorphic PRFs from Boneh et al. [12] (and slight extensions of them) are RKA secure. Specifically, they show RKA security for a strict subset of \({\Phi } _{+}\) for the PRF of [12] that is based on the Learning with Errors (LWE) problem, and against a claw-free class of affine functions for the PRF of [12] that is based on multilinear maps. They also showed that if the adversary’s queries are restricted to unique inputs, these two PRFs are RKA secure for larger classes, namely a class of affine \(\mathrm {RKD}\) functions (with a low-norm for the “linear” part) for the LWE-based PRF and a class of polynomial \(\mathrm {RKD}\) functions for the PRF based on multilinear maps. These classes are not really comparable to our classes \({\Phi } _{\mathsf {aff}}\) and \({\Phi } _{d}\) of affine and polynomial functions defined below, because the secret-key structures are slightly different. However, we remark that Lewi et al. [22] do not deal with non-claw-free classes and do not show ways to leverage unique-input RKA security to full RKA security. We handle both of these issues in our paper, and it may be possible to extend our solutions to their setting. It should also be remarked that the construction of Banerjee and Peikert [13] may also yield another RKA-secure PRF based on LWE.

Our Contributions. In this paper, we make substantial progress on the main question above, obtaining RKA-PRFs for substantially larger classes of \(\mathrm {RKD}\) functions than were previously known. To ease notation, we consider our \(\mathrm {RKD}\) functions to be vectors of multivariate polynomials so that each component is a multivariate polynomial in \({{\mathbb {Z}}}_p[T_1,\ldots ,T_{n}] = {{\mathbb {Z}}}_p[\vec {T}]\), where \(T_1,\ldots ,T_{n}\) are unknowns. Along the way, we recover the original Bellare–Cash framework, showing that their original technical conditions on the key-transformer are in fact already sufficient to enable a (different) proof of RKA security to go through. Let us first introduce our main results on specific RKA-PRFs and then explain the technical means by which they are obtained.

For p prime and \(n,d \ge 1\), let \({\Phi } _{d}\) denote the class of functions from \({{\mathbb {Z}}}_p^{n}\) to \({{\mathbb {Z}}}_p^{n}\) each of whose component functions is a non-constant univariate polynomial of degree at most d. That is, we have:

$$\begin{aligned} {\Phi } _{d}=\left\{ \begin{array}{l} {\phi } {:\;\;}{{{\mathbb {Z}}}_p^{n}} \rightarrow {{{\mathbb {Z}}}_p^{n}} \,\Big |\,\begin{array}{l} \vec {\phi } = (\phi _1,\ldots ,\phi _n) ; \phi _i : \vec {T}\mapsto \sum \nolimits _{j=0}^{d} \alpha _{i,j} \cdot T_i^j,\\ \qquad \forall i = 1,\ldots ,n, (\alpha _{i,1},\ldots ,\alpha _{i,d}) \ne 0^d\end{array} \\ \end{array}\right\} . \end{aligned}$$

For the special case \(d=1\), we denote \({\Phi } _{1}\) by \({\Phi } _{\mathsf {aff}}\) (\({\mathsf {aff}}\) for affine functions). Note that \({\Phi } _{+}\subset {\Phi } _{\mathsf {aff}}\).

We will construct RKA-PRFs for the \(\mathrm {RKD}\) function classes \({\Phi } _{\mathsf {aff}}\) and \({\Phi } _{d}\) for each d. To this end, let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p, let \(\overline{\mathcal {D}}= \{0,1\}^n \times \mathbb {G}^n\), and let \(h {:\;\;}\overline{\mathcal {D}}\rightarrow \{0,1\}^{n-2}\) be a hash function. Let \(\omega _i = 0^{i-1}{\,\Vert \,}1{\,\Vert \,}0^{n-i}\), for \(i = 1,\ldots ,n\). Define \(F{:\;\;}{{\mathbb {Z}}}_p^n \times (\{0,1\}^n {\setminus } 0^n)\rightarrow \mathbb {G}\) by:

$$\begin{aligned} F({\vec {a}},x) = {\mathsf {NR}^{*}} ({\vec {a}}, 11{\,\Vert \,}h(x,{\mathsf {NR}^{*}} ({\vec {a}},\vec {\omega }))) \end{aligned}$$

for all \({\vec {a}} \in {{\mathbb {Z}}}_p^n\) and \(x \in \{0,1\}^n {\setminus } 0^n\). This is the same F as in the withdrawn construction of [2]. Theorems 4.5 and 6.12 show that this function is an RKA-PRF for both the \(\mathrm {RKD}\) function classes \({\Phi } _{\mathsf {aff}}\) and \({\Phi } _{d}\) (for each d), under reasonable hardness assumptions.
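The following is an added example, not code from the paper or from [2]: a toy implementation of \({\mathsf {NR}} \), \({\mathsf {NR}^{*}} \) and the construction F above over a small prime-order group, together with the algebraic related-key attacks that the unmodified functions suffer from (the \({\Phi } _{*}\) relation on \({\mathsf {NR}} \) and the \({\Phi } _{+}\) relation \({\mathsf {NR}^{*}} ({\vec {a}} + {\vec {b}}, \omega _i) = {\mathsf {NR}^{*}} ({\vec {a}}, \omega _i) \cdot [b_i]\) on \({\mathsf {NR}^{*}} \)). The \(\mathbf{RKFn }\) oracle follows the RKPRFReal/RKPRFRand games of Section 2, so the empirical advantage it reports is the quantity \(\mathbf {Adv}^{\mathsf {prf}\text{- }\mathsf {rka}}_{F,{\Phi }}\) of that section. Assumptions that are not in the paper: the group is the order-1019 subgroup of \({{\mathbb {Z}}}_{2039}^*\) (demonstration-size parameters only), \(n = 16\), and SHA-256 truncated to \(n-2\) bits stands in for the collision-resistant hash h.

```python
"""Added example (not from the paper): toy Naor-Reingold PRFs over a small
prime-order group, the algebraic related-key attacks on plain NR and NR*,
and the fingerprinted construction F = NR*(a, 11 || h(x, NR*(a, omega)))."""
import hashlib
import random
from typing import Callable, Sequence

# Toy group (assumption: demonstration parameters, far too small for real use).
# G = <4> is the subgroup of prime order P in Z_Q^*, Q = 2P + 1 a safe prime;
# 4 is a quadratic residue, hence of order exactly P.
P, Q, G = 1019, 2039, 4
N = 16                       # PRF input length n; NR* keys are vectors in Z_p^n

def enc(e: int) -> int:
    """The paper's bracket notation: [e] = g^e."""
    return pow(G, e % P, Q)

def nr(a: Sequence[int], x: Sequence[int]) -> int:
    """Original NR, key (a_0, ..., a_n) in (Z_p^*)^{n+1}: [a_0 prod a_i^{x_i}]."""
    e = a[0]
    for ai, xi in zip(a[1:], x):
        if xi:
            e = e * ai % P
    return enc(e)

def nr_star(a: Sequence[int], x: Sequence[int]) -> int:
    """NR*(a, x) = [prod a_i^{x_i}] on the domain {0,1}^n minus 0^n."""
    assert len(a) == len(x) == N and any(x), "0^n is outside the domain"
    e = 1
    for ai, xi in zip(a, x):
        if xi:
            e = e * ai % P
    return enc(e)

# omega_i = 0^{i-1} || 1 || 0^{n-i}: a strong key fingerprint for NR*, because
# NR*(a, omega_i) = [a_i] pins down every key component.
OMEGA = [[1 if j == i else 0 for j in range(N)] for i in range(N)]

def h(x: Sequence[int], fingerprint: Sequence[int]) -> list:
    """Stand-in for the collision-resistant h : {0,1}^n x G^n -> {0,1}^{n-2}
    (assumption: SHA-256 truncated to n-2 bits; the paper only needs CR)."""
    data = bytes(x) + b"".join(v.to_bytes(2, "big") for v in fingerprint)
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return [(digest >> k) & 1 for k in range(N - 2)]

def F(a: Sequence[int], x: Sequence[int]) -> int:
    """The paper's F(a, x) = NR*(a, 11 || h(x, NR*(a, omega)))."""
    fingerprint = [nr_star(a, w) for w in OMEGA]
    return nr_star(a, [1, 1] + h(x, fingerprint))

def multiplicative_rka_relation(seed: int = 0) -> bool:
    """The simple algebraic attack on NR for Phi_*: NR(b * a, x) equals
    NR(a, x)^{b_0 prod b_i^{x_i}}, a relation a random function satisfies only
    with probability 1/p.  Returns whether it holds for random a, b, x."""
    rng = random.Random(seed)
    a = [rng.randrange(1, P) for _ in range(N + 1)]
    b = [rng.randrange(1, P) for _ in range(N + 1)]
    x = [rng.randrange(2) for _ in range(N)]
    related = [ai * bi % P for ai, bi in zip(a, b)]
    exponent = b[0]
    for bi, xi in zip(b[1:], x):
        if xi:
            exponent = exponent * bi % P
    return nr(related, x) == pow(nr(a, x), exponent, Q)

class RKOracle:
    """RKFn(phi, x) of game RKPRFReal (real=True) or RKPRFRand (real=False)."""
    def __init__(self, prf: Callable, real: bool, rng: random.Random):
        self.prf, self.real, self.rng = prf, real, rng
        self.key = [rng.randrange(P) for _ in range(N)]   # K <-$ Z_p^n
        self.table: dict = {}                               # lazily sampled G

    def query(self, phi: Callable, x: Sequence[int]) -> int:
        k = tuple(phi(self.key))
        if self.real:
            return self.prf(k, x)
        return self.table.setdefault((k, tuple(x)), enc(self.rng.randrange(P)))

def additive_attack(oracle: RKOracle, i: int, b_i: int) -> bool:
    """Phi_+ adversary: with b = b_i * omega_i it asks for omega_i under the
    identity and under a -> a + b.  Plain NR* answers [a_i] and [a_i + b_i] =
    [a_i] * [b_i]; the adversary outputs 1 iff that relation holds."""
    b = [b_i if j == i else 0 for j in range(N)]
    y = oracle.query(lambda a: a, OMEGA[i])
    y_rel = oracle.query(lambda a: [(aj + bj) % P for aj, bj in zip(a, b)], OMEGA[i])
    return y_rel == y * enc(b_i) % Q

def estimate_advantage(prf: Callable, trials: int = 40, seed: int = 1) -> float:
    """Pr[A => 1 in RKPRFReal] - Pr[A => 1 in RKPRFRand], over fresh keys."""
    rng = random.Random(seed)
    hits = {True: 0, False: 0}
    for real in (True, False):
        for _ in range(trials):
            oracle = RKOracle(prf, real, rng)
            hits[real] += additive_attack(oracle, rng.randrange(N), rng.randrange(1, P))
    return (hits[True] - hits[False]) / trials
```

Against plain \({\mathsf {NR}^{*}} \) the two-query adversary wins every time in the real game and with probability about 1 / p in the random game, so its advantage is essentially 1. Against F the same relation test is no better than guessing: the inner input \(11 {\,\Vert \,}h(x, {\mathsf {NR}^{*}} ({\vec {a}},\vec {\omega }))\) changes with the derived key, so the answers under \({\vec {a}}\) and \({\vec {a}} + {\vec {b}}\) are group elements with unrelated exponents. Running `estimate_advantage(nr_star)` and `estimate_advantage(F)` shows the two behaviours side by side.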

For our first result on the \({\Phi } _{\mathsf {aff}}\)-RKA-PRF security of F, we recover and extend the withdrawn result of Bellare and Cash [2], under the same hardness assumption that they required, namely the standard DDH assumption. Here our proof, like that in [2], requires a reduction with a loss that is exponential in the PRF input size. We then develop a further extension of the Bellare–Cash framework enabling us to circumvent their use of key-transformers having a key malleability property. We use this framework to modularize our proof that F is also a \({\Phi } _{d}\)-RKA-PRF. As part of this proof, we require the decisional d-Diffie–Hellman Inversion (d-DDHI) assumption, introduced in [18]. Informally, the d-DDHI problem in a group \(\mathbb {G}\) of prime order p consists of deciding, given inputs \((\left[ {1}\right] ,\left[ {a}\right] ,\ldots , \left[ {a^{d}}\right] )\) and z, where \(\left[ {1}\right] = g\) is a generator of \(\mathbb {G}\), whether z is equal to \(\left[ {\frac{1}{a}}\right] \) or to a random group element. Notably, in our analysis of the \({\Phi } _{d}\)-RKA-PRF security of F, we are able to avoid an exponential-time reduction. In particular, fixing \(d = 1\), we obtain an RKA-secure PRF for the class of affine functions (which contains both additive and multiplicative classes) based on the polynomial hardness of DDH.

Let us now expand on the technical aspects of our contributions.

Proof Barriers and Techniques. We first show how the Bellare–Cash framework can be modified to deal with \(\mathrm {RKD}\) functions that are not claw-free, meaning that there exist pairs of different \(\mathrm {RKD}\) functions \(\phi _1\) and \(\phi _2\) and a key \(K \in \mathcal {K}\), such that \(\phi _1(K) = \phi _2(K)\). Up to now, only claw-free classes have been considered for RKA-PRFs. But classes \({\Phi } \) underlying practical attacks such as fault injections have no reason to be claw-free, so dealing with non-claw-free classes of \(\mathrm {RKD}\) functions is important in advancing RKA security toward practice. Moreover, both our \(\mathrm {RKD}\) function classes of interest, \({\Phi } _{\mathsf {aff}}\) and \({\Phi } _{d}\), do contain claws. The lack of claw-freeness poses a problem in security proofs because, if an adversary is able to find two \(\mathrm {RKD}\) functions which lead to the same derived key, it can detect this via its queries, and then the equation \(\phi _1(K) = \phi _2(K)\) may leak information on K sufficient to enable the adversary to break RKA-PRF security in a particular construction.

We overcome the lack of claw-freeness in our adaptation of the Bellare–Cash framework by introducing two new concepts, \({\Phi } \)-Key-Collision Security for PRFs and \({\Phi } \)-Statistical-Key-Collision Security. The former is a property similar to the identity-collision-resistance property defined in [4] in the context of pseudorandom generators and refers to the non-existence of an adversary who can find a colliding key (i.e., \(\phi _1 \ne \phi _2\) s.t. \(\phi _1(K) = \phi _2(K)\) for \(\phi _1, \phi _2 \in {\Phi } \)), when given oracle access to the PRF under related keys \(\phi (K)\). The latter concept is essentially the same, but now oracle access to the PRF is replaced by oracle access to a random function. These properties are just the right ingredients necessary to generalize the Bellare–Cash framework to the non-claw-free case.

At the same time as dealing with claws, we are able to repair the gap in the proof for the original Bellare–Cash framework, showing that the original hash function compatibility condition required of the key-transformer is already strong enough to enable an alternative proof of RKA security. Our new proof introduces a slightly different sequence of game hops in order to avoid the apparent impasse in the original proof. Our main theorem establishing the RKA-PRF security of functions arising from this framework is Theorem 3.1. It repairs and extends the corresponding main theorem in [2]. Our theorem is then combined with an analysis of the specific function \({\mathsf {NR}^{*}} \) to obtain Theorem 4.5 concerning the \({\Phi } _{\mathsf {aff}}\)-RKA-PRF security of F.

To show that F is also a \({\Phi } _{d}\)-RKA-PRF, we still have a second major difficulty to overcome. While \({\Phi } _{d}\)-key-collision security and \({\Phi } _{d}\)-statistical-key-collision security can still be proven for F, we no longer have the key-transformer component that is critical to the Bellare–Cash framework. Instead, in Sect. 5, we introduce a further extension of their framework, replacing the key-transformer with a stronger pseudorandomness condition on the base PRF M used in the construction, which we call \((\mathcal {S},{\Phi })\text {-unique-input-prf-rka security}\). The new requirement essentially states that M should already act as a \({\Phi } \)-RKA-PRF on a restricted domain \(\mathcal {S}\), provided the queries \((\phi _1,x_1),\ldots ,(\phi _q,x_q)\) made by the \({\Phi } \)-RKA-PRF adversary to its oracle with \(x_i \in \mathcal {S}\) are all for distinct \(x_i\). Under this condition, we are able to prove Theorem 5.1 establishing the security of RKA-PRFs arising from our further extension of the Bellare–Cash framework. This theorem then enables us to prove in a modular fashion that F is also a \({\Phi } _{d}\)-RKA-PRF.

The final technical challenge is in proving that \({\mathsf {NR}^{*}} \), playing the role of M, satisfies the relevant \((\mathcal {S},{\Phi })\text {-unique-input-prf-rka security}\) property so as to allow the application of Theorem 5.1. This is done in a crucial lemma, Lemma 6.3, whose proof involves a delicate series of hybrids in which we gradually replace the oracle responses to queries \((\phi _i,x_i)\) for \(x_i\) in a suitable set \(\mathcal {S}\) with random values. We exploit the algebraic nature of the function \({\mathsf {NR}^{*}} \) to ensure that the hybrids are close under a particular pair of hardness assumptions (the \((N,d){\text{-PDDH }}\) and \((N,d){\text{-EDDH }}\) assumptions, which are stated in the proof). We also make use of an efficient, approximate (but close to perfect) procedure to detect linear dependencies arising in the simulation from the adversary’s oracle queries. This procedure is key to making the entire proof efficient (rather than exponential-time). Finally, we provide a series of reductions relating our pair of hardness assumptions to the \({d}\text{-DDHI }\) assumption. In the particular case \(d =1\), we can recover our result concerning \({\Phi } _{\mathsf {aff}}\)-RKA-PRF security of F under DDH (rather than \(1\text{-DDHI }\)), but now without an exponential-time reduction thanks to Lemma 6.4, as the \((N,1){\text{-EDDH }}\) assumption can be reduced to the \(\mathrm {DDH}\) assumption.

Paper Organization. The rest of the paper is organized as follows. Section 2 recalls basic notation and definitions. Section 3 repairs and extends the original Bellare–Cash framework. In particular, the extended framework handles classes of RKD functions that are not claw-free. Section 4 then applies the extended Bellare–Cash framework to the case of affine \(\mathrm {RKD}\) functions. Section 5 then describes our generalized framework, and Sect. 6 applies it to the case of polynomial \(\mathrm {RKD}\) functions. The latter section also contains reductions from our new assumptions to standard ones. Finally, Appendix A details the relation between assumptions underlying our two frameworks (key-malleability and unique-input-RKA security).

Publication Note. An abridged version of this paper appears in the Proceedings of the 34th Annual Cryptology Conference (CRYPTO 2014), Part I, Juan A. Garay and Rosario Gennaro (Eds.), volume 8616 of Lecture Notes in Computer Science, pp. 77–94, Springer, August 2014 [1]. This is the full version.

2 Definitions

Notations and Conventions. Let \(\mathsf {Fun}(\mathcal {K},\mathcal {D},\mathcal {R})\) be the set of all functions \(F {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\). A family of functions \(F {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) takes a key \(K \in \mathcal {K}\) and an input \(x \in \mathcal {D}\) and returns an output \(F(K,x) \in \mathcal {R}\). If \(\vec {x}\) is a vector then \(\vert \vec {x} \vert \) denotes its length, and \(\vec {x} = (x_1,\ldots ,x_{\vert \vec {x} \vert })\). For a binary string x, we denote \(\vert x \vert \) its length, \(x_i\) its ith bit and, for \(i,j \in \{1,\ldots ,n\}\), \(i \le j\), \(x_{i,\ldots ,j}\) the binary string \(x_i {\,\Vert \,}\ldots {\,\Vert \,}x_j\). For a binary string \(x \in \{0,1\}^n\) and an integer d, we denote by \(d \cdot x\) the string \(y = y_1 {\,\Vert \,}\ldots {\,\Vert \,}y_n \in \{0,d\}^{n}\) defined by \(y_i = d \cdot x_i\) for \(i = 1,\ldots ,n\). For two strings \(x,y \in \{0,\ldots ,d\}^n\), we denote by \(y \preceq x\) the fact that \(y_i \le x_i\), for any \(i = 1,\ldots ,n\) and we denote by S(x) the set \(\{ i \; \vert \; x_i \ne 0\}\). We denote by \(\varvec{A}\) a matrix of size \(k \times m\) and by \(A_{i,j}\) its coefficients, for \((i,j) \in \{1,\ldots ,k\} \times \{1,\ldots ,m\}\). If \(\vec {\phi }\) is a vector of functions from \(S_1\) to \(S_2\) with \(\vert \vec {\phi } \vert = n\) and \({\vec {a}} \in S_1^n\) then we denote by \(\vec {\phi }({\vec {a}})\) the vector \((\phi _1({\vec {a}}_1),\ldots ,\phi _n({\vec {a}}_n)) \in S_2^n\). If \(F {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) is a family of functions and \(\vec {x}\) is a vector over \(\mathcal {D}\) then \(F(K,\vec {x})\) denotes the vector \((F(K,x_1),\ldots ,F(K,x_{\vert \vec {x} \vert }))\). If S is a set, then \(\vert S \vert \) denotes its size.
We denote by \(s {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}S\) the operation of picking at random s in S. If \(\mathscr {A}\) is a randomized algorithm, we denote by \(y {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathscr {A}(x_1,x_2,\ldots )\) the operation of running \(\mathscr {A}\) on inputs \((x_1,x_2,\ldots )\) with fresh coins and letting y denote the output.

Finally, following [16], we often implicitly consider a multiplicative group \(\mathbb {G}= \langle g \rangle \) of prime order p and we denote by \([a]_{g}\), or simply \(\left[ {a}\right] \) if there is no ambiguity about the generator, the element \(g^a\).

Games. Some of our definitions and proofs use code-based game-playing [15]. Recall that a game has an \(\mathbf{Initialize }\) procedure, procedures to respond to the adversary’s oracle queries, and a \(\mathbf{Finalize }\) procedure. A game \(\text {G}\) is executed with an adversary \(\mathscr {A}\) as follows. First, \(\mathbf{Initialize }\) executes and its outputs are the inputs to \(\mathscr {A}\). Then, \(\mathscr {A}\) executes, its oracle queries being answered by the corresponding procedures of \(\text {G}\). When \(\mathscr {A}\) terminates, its outputs become the input to the \(\mathbf{Finalize }\) procedure. The output of the latter, denoted \(\text {G}^\mathscr {A}\), is called the output of the game, and we let “\(\text {G}^\mathscr {A}\Rightarrow 1\),” abbreviated \({\textsc {Succ}}\) in the proofs, denote the event that this game output takes the value 1. When \(\mathbf{Finalize }\) is not specified, it is implicitly defined as the trivial procedure that outputs its inputs (thus only forwarding the outputs of the adversary). Boolean flags are assumed initialized to \(\mathsf {false}\). Games \(\text {G}_i\), \(\text {G}_j\) are identical until \(\mathsf {flag}\) if their code differs only in statements that follow the setting of \(\mathsf {flag}\) to \(\mathsf {true}\). The running time of an adversary by convention is the worst case time for the execution of the adversary with any of the games defining its security, so that the time of the called game procedures is included.

PRFs. PRFs were introduced by [17]. A PRF is a family of functions \(F {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) which is efficiently computable and such that it is hard to distinguish a function chosen randomly from the PRF family from a random function. The advantage of an adversary \(\mathscr {A}\) in attacking the standard prf security of a family of functions \(F {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) is defined via

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{F}{(\mathscr {A})} = {\Pr \left[ \,{{\mathrm {PRFReal}}_F^{\mathscr {A}} \Rightarrow 1}\,\right] } - {\Pr \left[ \,{{\mathrm {PRFRand}}_F^\mathscr {A}\Rightarrow 1}\,\right] } . \end{aligned}$$

Game \({\mathrm {PRFReal}}_F\) begins by picking \(K {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathcal {K}\) and responds to query \(\mathbf{Fn } (x)\) via \(F(K,x)\). Game \({\mathrm {PRFRand}}_F\) begins by picking \(f {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf {Fun}(\mathcal {D}, \mathcal {R})\) and responds to oracle query \(\mathbf{Fn } (x)\) via f(x).

RKA-PRFs. We recall the definitions from [9]. Let \(F {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be a family of functions and \({\Phi } \subseteq \mathsf {Fun}({\mathcal {K}}, {\mathcal {K}})\). The members of \({\Phi } \) are called \(\mathrm {RKD} \) (Related-Key Deriving) functions. An adversary is said to be \({\Phi } \)-restricted if its oracle queries \((\phi ,x)\) satisfy \(\phi \in {\Phi } \). The advantage of a \({\Phi } \)-restricted adversary \(\mathscr {A}\) in attacking the prf-rka security of F is defined via

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}\text{- }\mathsf {rka}}_{F,{\Phi }}{(\mathscr {A})} = {\Pr \left[ \,{\mathrm {RKPRFReal}_F^\mathscr {A}\Rightarrow 1}\,\right] } - {\Pr \left[ \,{\mathrm {RKPRFRand}_F^\mathscr {A}\Rightarrow 1}\,\right] } . \end{aligned}$$

Game \(\mathrm {RKPRFReal}_F\) begins by picking \(K {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathcal {K}\) and then responds to oracle query \(\mathbf{RKFn } (\phi ,x)\) via \(F(\phi (K),x)\). Game \(\mathrm {RKPRFRand}_F\) begins by picking \(G {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf {Fun}(\mathcal {K},\mathcal {D}, \mathcal {R})\) and responds to oracle query \(\mathbf{RKFn } (\phi ,x)\) via \(G(\phi (K),x)\). We say that F is a \({\Phi } \)-RKA-secure PRF if it is hard to distinguish a function chosen randomly from the PRF family from a random keyed function for any \({\Phi } \)-restricted, efficient adversary.

Strong Key Fingerprint. A strong key fingerprint is a tool used in proofs to detect whether a key arises more than once in a simulation, even if we do not have any information about the key itself. We recall the definition from [2]. Suppose \(F {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) is a family of functions. Let \(\vec {\omega }\) be a vector over \(\mathcal {D}\) and let \(n = \vert \vec {\omega }\vert \). We say that \(\vec {\omega }\) is a strong key fingerprint for F if

$$\begin{aligned} (F(K,\omega _1),\ldots ,F(K,\omega _n)) \ne (F(K',\omega _1),\ldots ,F(K',\omega _n)) \end{aligned}$$

for all distinct \(K,K' \in \mathcal {K}\).

Key-Malleability. As defined in [2], let \(F {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be a family of functions and \({\Phi } \) be a class of \(\mathrm {RKD} \) functions. Suppose \(\mathsf {KT}\) is a deterministic algorithm that, given an oracle \(f {:\;\;}\mathcal {D}\rightarrow \mathcal {R}\) and inputs \((\phi ,x) \in {\Phi } \times \mathcal {D}\), returns a point \(\mathsf {KT}^f(\phi ,x) \in \mathcal {R}\). \(\mathsf {KT}\) is said to be a key-transformer for \((F,{\Phi })\) if it satisfies the correctness and uniformity conditions. Correctness asks that \(\mathsf {KT}^{F(K,\cdot )}(\phi ,x) = F(\phi (K),x)\) for every \((\phi ,K,x) \in {\Phi } \times {\mathcal {K}} \times \mathcal {D}\). Let us say that a \({\Phi } \)-restricted adversary is unique-input if, in its oracle queries \((\phi _1, x_1),\ldots , (\phi _q, x_q)\), the points \(x_1,\ldots , x_q\) are always distinct. Uniformity requires that for any (even inefficient) \({\Phi } \)-restricted, unique-input adversary \(\mathscr {U}\),

$$\begin{aligned} {\Pr \left[ \,{{}\text {KTReal}_{\mathsf {KT}}^{\mathscr {U}} \Rightarrow 1}\,\right] } = {\Pr \left[ \,{\text {KTRand}_{\mathsf {KT}}^{\mathscr {U}} \Rightarrow 1}\,\right] }, \end{aligned}$$

where game \({}\text {KTReal}_{\mathsf {KT}}\) is initialized by picking \(f {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf {Fun}(\mathcal {D},\mathcal {R})\) and responds to query \(\mathbf{KTFn } (\phi ,x)\) via \(\mathsf {KT}^f(\phi ,x)\), while \(\text {KTRand}_{\mathsf {KT}}\) has no initialization and responds to oracle query \(\mathbf{KTFn } (\phi ,x)\) by returning a value \(y {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathcal {R}\) chosen uniformly at random in \(\mathcal {R}\). If such a key-transformer exists, we say that F is a \({\Phi } \)-key-malleable PRF.
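As an added example (not code from the paper or from [2]), the following shows the key-transformer behind the additive \({\Phi } _{+}\) construction of Section 1, i.e. how \({\mathsf {NR}^{*}} ({\vec {a}} + {\vec {b}}, x)\) is computed from oracle access to \({\mathsf {NR}^{*}} ({\vec {a}}, \cdot )\) alone, and checks the correctness condition above. Expanding \(\prod _{i \in S(x)} (a_i + b_i)\) as a sum over subsets of S(x) expresses the value as a product of oracle answers at the strings \(y \preceq x\), which is why the transformer makes \(2^{\vert S(x) \vert } - 1\) oracle queries and why the reduction mentioned in Section 1 is exponential in the input size. It also computes the set \(\mathsf {Qrs}\) of the compatible-hash definition for the fingerprint \(\vec {\omega }\): on \(\omega _i\) the transformer only ever queries \(\omega _i\) itself, so every string of the form \(11 {\,\Vert \,}h(\cdot )\) (which has at least two 1-bits) lies outside it. The toy group parameters are an assumption for demonstration only, and n is kept at 8 so that the \(2^n\) queries stay cheap.

```python
"""Added example (not from the paper): the key-transformer for (NR*, Phi_+),
computing NR*(a + b, x) from oracle access to NR*(a, .) only."""
import itertools
import random
from typing import Callable, Sequence

# Toy group (assumption: demonstration-size parameters). G = <4> has prime
# order P inside Z_Q^* with Q = 2P + 1; n = 8 keeps the 2^n oracle queries cheap.
P, Q, G = 1019, 2039, 4
N = 8

def nr_star(a: Sequence[int], x: Sequence[int]) -> int:
    """NR*(a, x) = [prod_{i in S(x)} a_i] = g^{prod a_i}."""
    e = 1
    for ai, xi in zip(a, x):
        if xi:
            e = e * ai % P
    return pow(G, e, Q)

def support(x: Sequence[int]) -> list:
    """S(x) = { i : x_i != 0 }."""
    return [i for i, xi in enumerate(x) if xi]

def kt_additive(f: Callable[[Sequence[int]], int], b: Sequence[int], x: Sequence[int]) -> tuple:
    """KT^f(phi_b, x) for phi_b : a -> a + b.  Since
        prod_{i in S(x)} (a_i + b_i) = sum_{T subset S(x)} prod_{i in T} a_i * prod_{i in S(x)\\T} b_i,
    NR*(a + b, x) = prod_T f(y_T)^{c_T} with y_T <= x the string with S(y_T) = T
    and c_T = prod_{i in S(x)\\T} b_i.  The T = {} term is [1]^{c_T} = g^{c_T} and
    needs no query (0^n is outside the domain).  Returns (value, #oracle queries)."""
    s = support(x)
    value, queries = 1, 0
    for r in range(len(s) + 1):
        for t in itertools.combinations(s, r):
            c = 1
            for i in s:
                if i not in t:
                    c = c * b[i] % P
            if t:
                term = f([1 if i in t else 0 for i in range(len(x))])
                queries += 1
            else:
                term = G                      # [1] = g, known without the oracle
            value = value * pow(term, c, Q) % Q
    return value, queries

def transformer_is_correct(seed: int = 0) -> bool:
    """Correctness: KT^{NR*(a, .)}(phi_b, x) == NR*(a + b, x), using 2^{|S(x)|} - 1 queries."""
    rng = random.Random(seed)
    a = [rng.randrange(P) for _ in range(N)]
    b = [rng.randrange(P) for _ in range(N)]
    x = [rng.randrange(2) for _ in range(N)]
    x[rng.randrange(N)] = 1                   # keep x != 0^n
    value, queries = kt_additive(lambda y: nr_star(a, y), b, x)
    direct = nr_star([(ai + bi) % P for ai, bi in zip(a, b)], x)
    return value == direct and queries == 2 ** len(support(x)) - 1

def fingerprint_queries() -> set:
    """Qrs(KT, NR*, Phi_+, omega): the oracle points touched when the transformer
    runs on omega_1, ..., omega_n.  The queried points depend only on x (not on
    f or b), so one run per omega_i enumerates the set exactly."""
    omega = [[1 if j == i else 0 for j in range(N)] for i in range(N)]
    seen: set = set()

    def spy(y: Sequence[int]) -> int:
        seen.add(tuple(y))
        return 1                              # identity element; value irrelevant here

    for w in omega:
        kt_additive(spy, [1] * N, w)
    return seen
```

`transformer_is_correct()` exercises the correctness condition on random keys, and `fingerprint_queries()` returns exactly the n unit strings, which is the set a compatible hash must avoid in its range. The query count is what makes this transformer unusable for an efficient reduction on long inputs; the \({\Phi } _{d}\) framework of Section 5 replaces it with the unique-input requirement precisely to avoid this cost.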

Compatible Hash Functions. Let \(F {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be a family of functions and \({\Phi } \) be a class of \(\mathrm {RKD} \) functions, such that there is a key-transformer \(\mathsf {KT}\) for \((F,{\Phi })\). Let \(\vec {\omega }\in {\mathcal {D}}^m\) and let \(\overline{{\mathcal {D}}} = {\mathcal {D}} \times {\mathcal {R}}^m\). We denote by \(\mathsf {Qrs}(\mathsf {KT},F,{\Phi },\vec {\omega })\) the set of all \(w \in \mathcal {D}\) such that there exists \((f,\phi ,i) \in \mathsf {Fun}(\mathcal {D},\mathcal {R}) \times {\Phi } \times \{1,\ldots ,m\}\) such that the computation of \(\mathsf {KT}^f (\phi ,\omega _i)\) makes oracle query w. Then, we say that a hash function \(H {:\;\;}\overline{\mathcal {D}} \rightarrow S\) is compatible with \((\mathsf {KT},F,{\Phi },\vec {\omega })\), if \(S = {\mathcal {D}} {\setminus } \mathsf {Qrs}(\mathsf {KT},F,{\Phi },\vec {\omega })\). Note that this definition is the same as that given in the original Bellare–Cash framework [2] rather than the stronger one used in the authors’ repaired version [3].

CR Hash Functions. The advantage of \(\mathscr {C}\) in attacking the collision-resistance (cr) security of \(H {:\;\;}\mathcal {D}\rightarrow \mathcal {R}\) is

$$\begin{aligned} \mathbf {Adv}^{\mathsf {cr}}_{H}(\mathscr {C}) = {\Pr \left[ \,{x \ne x' \; \text{ and } \; H(x) = H(x')}\,\right] } \end{aligned}$$

where the probability is over \((x,x') {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathscr {C}\).

Hardness Assumptions. Our proofs make use of the d-Strong Discrete Logarithm (\({d} \text{-SDL }\)) and Decisional d-Diffie–Hellman Inversion (\({d}\text{-DDHI }\)) problems given in [18] and described in Fig. 1. We define the advantage of an adversary \(\mathscr {D}\) against the \({d} \text{-SDL }\) problem in \(\mathbb {G}\) as

$$\begin{aligned} \mathbf {Adv}^{{d}\mathsf {\text{- }sdl}}_{\mathbb {G}}(\mathscr {D}) = {\Pr \left[ \,{{{d} \text{-SDL }}_{\mathbb {G}}^{\mathscr {D}} \Rightarrow \mathsf {true}}\,\right] } \end{aligned}$$

where the probability is over the choices of \(a \in {{\mathbb {Z}}}_p\), \(g\in \mathbb {G}\), and the random coins used by the adversary. The advantage of an adversary \(\mathscr {D}\) against the \({d}\text{-DDHI }\) problem in \(\mathbb {G}\) is defined to be

$$\begin{aligned} \mathbf {Adv}^{{d} {\mathsf {\text{- }ddhi}}}_{\mathbb {G}}{(\mathscr {D})} = {\Pr \left[ \,{{d} \text{-DDHI-Real } _{\mathbb {G}}^{\mathscr {D}} \Rightarrow 1}\,\right] } - {\Pr \left[ \,{{d} \text{-DDHI-Rand } _{\mathbb {G}}^{\mathscr {D}} \Rightarrow 1}\,\right] } \end{aligned}$$

where the probabilities are over the choices of \(a,z \in {{\mathbb {Z}}}_p\), \(g\in \mathbb {G}\), and the random coins used by the adversary.

We have two assumptions corresponding to the hardness of these problems, the \({d} \text{-SDL }\) assumption and the \({d}\text{-DDHI }\) assumption. Setting \(d = 1\) in the \({d} \text{-SDL }\) problem, we recover the usual definition of the DL problem in \(\mathbb {G}\).

Fig. 1 [image not reproduced]: Games defining the \({d} \text{-SDL }\) and \({d}\text{-DDHI }\) problems in \(\mathbb {G}\)

3 Repairing and Extending the Bellare–Cash Framework

Here, we give a method to deal with classes of RKD functions that are not claw-free, such as affine classes, by repairing and extending the general framework of Bellare and Cash from [2]. Our approach still relies on key-malleability, meaning that it is not generally applicable since almost all the known PRFs are not key-malleable for interesting classes of functions. However, as we shall see, it does provide an easy way to obtain a \({\Phi } _{\mathsf {aff}}\)-RKA-secure PRF, using the variant \(\mathsf {NR}^{*}\) of the Naor–Reingold PRF. In Sect. 5, we will present a further extension of the Bellare–Cash approach that enables us to deal with PRFs that are not key-malleable.

To deal with non-claw-freeness, we first introduce two new notions. The first one is called \({\Phi }\)-Key-Collision Security and captures the likelihood that an adversary finds two RKD functions which lead to the same derived key in a given PRF construction. The second one, called \({\Phi } \)-Statistical-Key-Collision Security, is similar, but replaces the oracle access to the PRF with an oracle access to a random function.

\({\Phi } \)-Key-Collision (\({\Phi } \)-kc) Security. Let \({\Phi } \) be a class of RKD functions. We define the advantage of an adversary \(\mathscr {A}\) against the \({\Phi } \)-key-collision security of a PRF \(M {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\), denoted by \(\mathbf {Adv}_{{\Phi },M}^{\mathsf {kc}}{(\mathscr {A})}\), to be the probability of success in the game on the left side of Fig. 2, where the functions \(\phi \) appearing in \(\mathscr {A}\)’s queries are restricted to lie in \({\Phi } \).

\({\Phi }\)-Statistical-Key-Collision (\({\Phi }\)-skc) Security. Let \({\Phi }\) be a class of RKD functions. We define the advantage of an adversary \(\mathscr {A}\) against the \({\Phi }\)-statistical-key-collision security for \(\mathsf {Fun}(\mathcal {K},\mathcal {D}, \mathcal {R})\), denoted by \(\mathbf {Adv}_{{\Phi }}^{\mathsf {skc}}{(\mathscr {A})}\), to be the probability of success in the game on the right side of Fig. 2. Here the functions \(\phi \) appearing in \(\mathscr {A}\)’s queries are again restricted to lie in \({\Phi }\).

Fig. 2 [image not reproduced]: Game defining the \({\Phi } \)-key-collision security of a PRF M on the left and \({\Phi } \)-statistical-key-collision security for \(\mathsf {Fun}({\mathcal {K}},{\mathcal {D}}, {\mathcal {R}})\) on the right

Using these notions, we can now prove the following theorem, which both repairs and extends the main result of [2].

Theorem 3.1

Let \(M {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be a family of functions and \({\Phi } \) be a class of \(\mathrm {RKD} \) functions that contains the identity function \(\mathsf {id}\). Let \(\mathsf {KT}\) be a key-transformer for \((M,{\Phi })\) making \(Q_{\mathsf {KT}}\) oracle queries, and let \(\vec {\omega }\in {\mathcal {D}}^m\) be a strong key fingerprint for M. Let \(\overline{{\mathcal {D}}} = {\mathcal {D}} \times {\mathcal {R}}^m\) and let \(H {:\;\;}\overline{\mathcal {D}} \rightarrow S\) be a hash function that is compatible with \((\mathsf {KT},M,{\Phi },\vec {\omega })\). Define \(F {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) by

$$\begin{aligned} F(K,x) = M(K,H(x,M(K,\vec {\omega }))) \end{aligned}$$

for all \(K \in \mathcal {K}\) and \(x \in \mathcal {D}\). Let \(\mathscr {A}\) be a \({\Phi } \)-restricted adversary against the prf-rka security of F that makes \(Q_\mathscr {A}\le \vert S \vert \) oracle queries. Then, we can construct an adversary \(\mathscr {B}\) against the standard prf security of M, an adversary \(\mathscr {C}\) against the cr security of H, an adversary \(\mathscr {D}\) against the \({\Phi } \)-kc security of M and an adversary \(\mathscr {E}\) against \({\Phi } \)-skc security for \(\mathsf {Fun}({\mathcal {K}},{\mathcal {D}}, {\mathcal {R}})\) such that

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}\text{- }\mathsf {rka}}_{{\Phi },F}{(\mathscr {A})} \;\le \;\mathbf {Adv}^{\mathsf {prf}}_{M}{(\mathscr {B})} + \mathbf {Adv}^{\mathsf {cr}}_{H}(\mathscr {C}) + \mathbf {Adv}_{{\Phi },M}^{\mathsf {kc}}{(\mathscr {D})} + \mathbf {Adv}_{{\Phi }}^{\mathsf {skc}}{(\mathscr {E})}. \end{aligned}$$
(1)

Adversaries \(\mathscr {C}\), \(\mathscr {D}\) and \(\mathscr {E}\) have approximately the same running time as \(\mathscr {A}\). Adversary \(\mathscr {B}\) has approximately the same running time as \(\mathscr {A}\) plus the time required for \(Q_\mathscr {A}\cdot (m+1)\) executions of the key-transformer \(\mathsf {KT}\).

Note that if the class \({\Phi } \) is claw-free, then the advantage of any adversary in breaking \({\Phi } \)-kc security of M or \({\Phi } \)-skc security for \(\mathsf {Fun}({\mathcal {K}},{\mathcal {D}}, {\mathcal {R}})\) is zero. In this case, Theorem 3.1 matches exactly the main theorem of [2], under the original and weaker definition of hash function compatibility from [2]. This justifies our claim of repairing the Bellare–Cash framework.

Overview of the Proof. The proof of the above theorem is detailed below and relies on the sequence of 11 games (games \(\text {G}_0-\text {G}_{10}\)) described in Fig. 3. Here we provide a brief overview. Since the RKD functions that we consider in our case may have claws, we start by dealing with possible collisions on the related keys in the RKPRFReal case, using the key-collision notion (games \(\text {G}_0-\text {G}_2\)). Then, in games \(\text {G}_3-\text {G}_4\), we deal with possible collisions on hash values in order to ensure that the hash values h used to compute the output y are pairwise distinct so the attacker is unique-input. Then, using the properties of the key-transformer and the compatibility condition, we show that it is hard to distinguish the output from a uniformly random output (games \(\text {G}_5-\text {G}_7\)) based on the standard prf security of M. Finally, we use the statistical-key-collision security notion to deal with possible key collisions in the RKPRFRand case (games \(\text {G}_8-\text {G}_{10}\)) so that \(\text {G}_{10}\) matches the description of the RKPRFRand game.

Remark 3.2

It is worth noting that we deviate from the original proof of [2] in games \(\text {G}_5-\text {G}_7\), filling the gap in their original proof, but under the same technical conditions on compatibility. Unlike in their proof, we are able to show that the output of F is already indistinguishable from a uniformly random output as soon as one replaces the underlying PRF M with a random function f due to the uniformity condition of the transformer. In order to build a unique-input adversary against the uniformity condition, the main trick is to precompute the values of f(w) for all \(w \in \mathsf {Qrs}(\mathsf {KT},M,{\Phi },\vec {\omega })\) and use these values to compute \(\mathsf {KT}^{f} (\phi ,\omega _i)\), for \(i = 1,\ldots ,\vert \vec {\omega }\vert \) and \(\phi \in {\Phi } \), whenever needed. This avoids the need to query the oracle in the uniformity game twice on the same input when computing the fingerprint.

Proof of Theorem 3.1

The proof is based on the sequence of games in Fig. 3. Much of the proof is similar to that of the general framework of Bellare and Cash from [2]. However, we have additional games to deal with non-claw-freeness (games \(\text {G}_1\), \(\text {G}_2\), \(\text {G}_9\) and \(\text {G}_{10}\)), and some games (games \(\text {G}_6\) and \(\text {G}_7\)) are modified to deal with the gap in the proof of the corresponding theorem in [2]. Let \({\textsc {Succ}}_i\) denote the event that game \(\text {G}_i\) output takes the value 1.

Fig. 3 [image not reproduced]: Games for the proof of Theorem 3.1

Game \(\text {G}_1\) introduces storage of used \(\mathrm {RKD}\) functions and values of \(\vec {\overline{\omega }}\) in sets D and E, respectively, and sets \(\mathsf {flag}_1\) to \(\mathsf {true}\) if the same value of \(\vec {\overline{\omega }}\) arises for two different \(\mathrm {RKD}\) functions. Since this storage does not affect the values returned by \(\mathbf{RKFn } \)

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_1}\,\right] } = {\Pr \left[ \,{{\textsc {Succ}}_0}\,\right] } . \end{aligned}$$

Game \(\text {G}_2\) adds the boxed code which changes how the repetition of an \(\vec {\overline{\omega }}\) value is handled, by picking instead a random value from \(\mathcal {R}^m {\setminus } E\) that will not repeat any previous one. Games \(\text {G}_1\) and \(\text {G}_2\) are identical until \(\mathsf {flag}_1\) is set to \(\mathsf {true}\); hence, we have

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_1}\,\right] } \;\le \;{\Pr \left[ \,{{\textsc {Succ}}_2}\,\right] } + {\Pr \left[ \,{E_1}\,\right] } \end{aligned}$$

where \(E_1\) denotes the event that the execution of \(\mathscr {A}\) with game \(\text {G}_1\) sets \(\mathsf {flag}_1\) to \(\mathsf {true}\). We design an adversary \(\mathscr {D}\) attacking the \({\Phi } \)-key-collision security of M such that

$$\begin{aligned} {\Pr \left[ \,{E_1}\,\right] } \;\le \;\mathbf {Adv}_{{\Phi },M}^{\mathsf {kc}}{(\mathscr {D})} . \end{aligned}$$

Adversary \(\mathscr {D}\) runs \(\mathscr {A}\). When the latter makes an \(\mathbf{RKFn } \)-query \((\phi ,x)\), adversary \(\mathscr {D}\) queries \((\phi ,\omega _{i})\), for \(i = 1,\ldots ,\vert \vec {\omega }\vert \), to its oracle, computes \(\vec {\overline{\omega }}\) from the answers and then \(h = H(x,\vec {\overline{\omega }})\), and finally queries \((\phi ,h)\) to its oracle and forwards the answer to \(\mathscr {A}\). When \(\mathscr {A}\) stops, \(\mathscr {D}\) searches for two different \(\mathrm {RKD}\) functions \(\phi \) queried by \(\mathscr {A}\) that lead to the same value \(\vec {\overline{\omega }}\) and returns these two functions if found. Since \(\vec {\omega }\) is a strong key fingerprint, two such functions lead to the same key, so \(\mathscr {D}\) wins whenever it finds two such functions. (Of course, if the class of \(\mathrm {RKD}\) functions is claw-free, the advantage of the attacker is 0.)

Game \(\text {G}_3\) introduces storage of hash values in a set G and sets \(\mathsf {flag}_2\) to \(\mathsf {true}\) if the same hash output arises twice. Since this storage does not affect the values returned by \(\mathbf{RKFn } \)

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_3}\,\right] } = {\Pr \left[ \,{{\textsc {Succ}}_2}\,\right] } . \end{aligned}$$

Game \(\text {G}_4\) adds the boxed code which changes how repetition of hash values is handled, by picking instead a random value h from \(\mathcal {S}{\setminus } G\) that will not repeat any previously used hash value. Games \(\text {G}_3\) and \(\text {G}_4\) are identical until \(\mathsf {flag}_2\) is set to \(\mathsf {true}\), hence we have

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_3}\,\right] } \;\le \;{\Pr \left[ \,{{\textsc {Succ}}_4}\,\right] } + {\Pr \left[ \,{E_2}\,\right] } \end{aligned}$$

where \(E_2\) denotes the event that the execution of \(\mathscr {A}\) with game \(\text {G}_3\) sets \(\mathsf {flag}_2\) to \(\mathsf {true}\). We design an adversary \(\mathscr {C}\) attacking the cr security of H such that

$$\begin{aligned} {\Pr \left[ \,{E_2}\,\right] } \;\le \;\mathbf {Adv}^{\mathsf {cr}}_{H}(\mathscr {C}). \end{aligned}$$

Adversary \(\mathscr {C}\) starts by picking \(K {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathcal {K}\) and initializes \(j \leftarrow 0\). It runs \(\mathscr {A}\). When the latter makes an \(\mathbf{RKFn } \)-query \((\phi ,x)\), adversary \(\mathscr {C}\) responds via:

[figure a: pseudocode of \(\mathscr {C}\)'s simulation of the \(\mathbf{RKFn } \) oracle, including the check marked \((*)\); image not reproduced]

When \(\mathscr {A}\) halts, \(\mathscr {C}\) searches for indices a, b satisfying \(1 \le a < b \le j\) such that \(h_a = h_b\) and, if it finds them, outputs \((x_a,w_a),(x_b,w_b)\) and halts. The pairs \((x_a,w_a)\) and \((x_b,w_b)\) are distinct. Indeed, consider two cases: first, if \(\phi _a\) = \(\phi _b\), then since \(\mathscr {A}\) never repeats an oracle query, \(x_a \ne x_b\), hence \((x_a,w_a) \ne (x_b,w_b)\). Second, if \(\phi _a \ne \phi _b\), then condition \((*)\) ensures that \(w_a \ne w_b\). Hence once again, \((x_a,w_a) \ne (x_b,w_b)\), and then

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_3}\,\right] } \;\le \;{\Pr \left[ \,{{\textsc {Succ}}_4}\,\right] } + \mathbf {Adv}^{\mathsf {cr}}_{H}(\mathscr {C}). \end{aligned}$$

In game \(\text {G}_5\), we use the key transformer \(\mathsf {KT}\) to compute \(M(\phi (K),\cdot )\) via oracle calls to \(M(K,\cdot )\). The correctness property of the key transformer implies

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_4}\,\right] } = {\Pr \left[ \,{{\textsc {Succ}}_5}\,\right] } . \end{aligned}$$

In game \(\text {G}_6\), we replace the oracle \(M(K,\cdot )\) given to the key transformer \(\mathsf {KT}\) by a random function f. We design an adversary \(\mathscr {B}\) attacking the prf security of M such that

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_5}\,\right] } \;\le \;{\Pr \left[ \,{{\textsc {Succ}}_6}\,\right] } + \mathbf {Adv}^{\mathsf {prf}}_{M}{(\mathscr {B})}. \end{aligned}$$

Adversary \(\mathscr {B}\) runs \(\mathscr {A}\). When the latter makes an RKFn-query \((\phi ,x)\), adversary \(\mathscr {B}\) responds via

[figure b: pseudocode of \(\mathscr {B}\)'s simulation of the \(\mathbf{RKFn } \) oracle via its own \(\mathbf{Fn }\) oracle; image not reproduced]

where \(\mathbf{Fn }\) is \(\mathscr {B}\)’s own oracle. When \(\mathscr {A}\) halts, \(\mathscr {B}\) halts with the same output. Then,

$$\begin{aligned} {\Pr \left[ \,{{\mathrm {PRFReal}}^\mathscr {B}_M \Rightarrow 1}\,\right] } = {\Pr \left[ \,{{\textsc {Succ}}_5}\,\right] } \; \; \; \text{ and } \; \; \; {\Pr \left[ \,{{\mathrm {PRFRand}}^\mathscr {B}_M \Rightarrow 1}\,\right] } = {\Pr \left[ \,{{\textsc {Succ}}_6}\,\right] } . \end{aligned}$$

In game \(\text {G}_7\), instead of computing the output y using the key-transformer, we set the value y to a uniformly random value. To show that games \(\text {G}_6\) and \(\text {G}_7\) are perfectly indistinguishable, we use the uniformity condition of the Key-Transformer \(\mathsf {KT}\). Let us recall that, as formally defined in [2, Section 3.1], the uniformity condition states that for any (even inefficient) \({\Phi } \)-restricted, unique-input adversary \(\mathscr {U}\),

$$\begin{aligned} {\Pr \left[ \,{{}\text {KTReal}_{\mathsf {KT}}^{\mathscr {U}} \Rightarrow 1}\,\right] } = {\Pr \left[ \,{\text {KTRand}_{\mathsf {KT}}^{\mathscr {U}} \Rightarrow 1}\,\right] }, \end{aligned}$$

where game \({}\text {KTReal}_{\mathsf {KT}}\) picks \(f {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf {Fun}(\mathcal {D},\mathcal {R})\) during the initialization and responds to oracle query \(\mathbf{KTFn } (\phi ,x)\) via \(\mathsf {KT}^f(\phi ,x)\), while game \(\text {KTRand}_{\mathsf {KT}}\) has no initialization and responds to oracle query \(\mathbf{KTFn } (\phi ,x)\) by returning a value \(y {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathcal {R}\) chosen uniformly at random in \(\mathcal {R}\). We show that if an adversary \(\mathscr {A}\) can distinguish games \(\text {G}_6\) and \(\text {G}_7\), then we can construct a unique-input adversary \(\mathscr {U}\) that can distinguish games \({}\text {KTReal}_{\mathsf {KT}}\) and \(\text {KTRand}_{\mathsf {KT}}\); since \(\mathsf {KT}\) is a key-transformer, these two games are perfectly indistinguishable for a unique-input adversary by the uniformity condition. Hence, so are \(\text {G}_6\) and \(\text {G}_7\).

Adversary \(\mathscr {U}\) starts by querying \((\mathsf {id},w)\) to its oracle, for every \(w \in \mathsf {Qrs}(\mathsf {KT},M,{\Phi },\vec {\omega })\) and stores these values. This step can be performed since we assume \(\mathsf {id}\in {\Phi } \). We denote by \(f_w\) the output of \(\mathscr {U}\)’s oracle on input \((\mathsf {id},w)\). By definition of \(\mathsf {Qrs}(\mathsf {KT},M,{\Phi },\vec {\omega })\), the set \(\{f_w\,\vert \,w \in \mathsf {Qrs}(\mathsf {KT},M,{\Phi },\vec {\omega })\}\) can be used to compute \(\vec {\overline{\omega }}\).

Depending on \(\mathscr {U}\)’s oracle, the value of \(f_w\) for \(w \in \mathsf {Qrs}(\mathsf {KT},M,{\Phi },\vec {\omega })\) is either \(\mathsf {KT}^f (\mathsf {id},w) = f(w)\) (\({}\text {KTReal}_{\mathsf {KT}}\)), with f being the random function defined in the \(\mathbf{Initialize }\) procedure of \({}\text {KTReal}_{\mathsf {KT}}\), or a uniformly random value from \(\mathcal {R}\) (\(\text {KTRand}_{\mathsf {KT}}\)).

Now, \(\mathscr {U}\) initializes sets \(D \leftarrow \emptyset \), \(E \leftarrow \emptyset \), \(G \leftarrow \emptyset \), and runs \(\mathscr {A}\). When \(\mathscr {A}\) makes an oracle query \((\phi ,x)\), \(\mathscr {U}\) does the following:

[figure c: pseudocode of \(\mathscr {U}\)'s simulation of the \(\mathbf{RKFn } \) oracle, with the steps marked \((**)\) and \((***)\); image not reproduced]

Notice that the step \((**)\) guarantees that all values h used are in \(\mathcal {S}\) and are all distinct as long as \(\mathscr {A}\) makes at most \(\vert \mathcal {S}\vert \) queries. The value y returned by \(\mathscr {U}\) to \(\mathscr {A}\) at step \((***)\) is either \(\mathsf {KT}^f (\phi ,h)\) or a uniformly random value. When \(\mathscr {A}\) halts, \(\mathscr {U}\) halts with the same output.

The compatibility condition ensures that \(\mathcal {S}\) does not contain any w with \(w \in \mathsf {Qrs}(\mathsf {KT}, M,{\Phi },\vec {\omega })\), hence \(\mathscr {U}\) is unique-input. Finally, it is clear that if \(\mathscr {U}\)’s oracle is \({}\text {KTReal}_{\mathsf {KT}}\), then it simulates exactly game \(\text {G}_6\) with f being the function f chosen at random in the \(\mathbf{Initialize }\) procedure of game \({}\text {KTReal}_{\mathsf {KT}}\). Otherwise, it simulates exactly game \(\text {G}_7\) since the values given to \(\mathscr {A}\) are uniformly random values. Then, we have

$$\begin{aligned} {\Pr \left[ \,{{}\text {KTReal}^{\mathscr {U}}_{\mathsf {KT}} \Rightarrow 1}\,\right] } = {\Pr \left[ \,{{\textsc {Succ}}_6}\,\right] } \; \; \; \text{ and } \; \; \; {\Pr \left[ \,{\text {KTRand}^{\mathscr {U}}_{\mathsf {KT}} \Rightarrow 1}\,\right] } = {\Pr \left[ \,{{\textsc {Succ}}_7}\,\right] } \end{aligned}$$

and then, since \({\Pr \left[ \,{{}\text {KTReal}^{\mathscr {U}}_{\mathsf {KT}} \Rightarrow 1}\,\right] } = {\Pr \left[ \,{\text {KTRand}^{\mathscr {U}}_{\mathsf {KT}} \Rightarrow 1}\,\right] }\) for any unique-input adversary \(\mathscr {U}\), we finally have

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_6}\,\right] } = {\Pr \left[ \,{{\textsc {Succ}}_7}\,\right] } . \end{aligned}$$

Games \(\text {G}_7\) and \(\text {G}_8\) are identical since even if two different queries lead to the same key, the “If” test ensures that the returned value is still uniformly random over \(\mathcal {R}\). Hence,

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_7}\,\right] } = {\Pr \left[ \,{{\textsc {Succ}}_8}\,\right] } . \end{aligned}$$

Games \(\text {G}_8\) and \(\text {G}_{9}\) are identical until \(\mathsf {flag}_3\) is set to \(\mathsf {true}\); hence, we have

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_8}\,\right] } \;\le \;{\Pr \left[ \,{{\textsc {Succ}}_{9}}\,\right] } + {\Pr \left[ \,{E_3}\,\right] } \end{aligned}$$

where \(E_3\) denotes the event that the execution of \(\mathscr {A}\) with game \(\text {G}_{9}\) sets \(\mathsf {flag}_3\) to \(\mathsf {true}\). We design an adversary \(\mathscr {E}\) breaking \({\Phi } \)-skc security for \(\mathsf {Fun}({\mathcal {K}},\mathcal {D}, \mathcal {R})\) such that:

$$\begin{aligned} {\Pr \left[ \,{E_3}\,\right] } \;\le \;\mathbf {Adv}_{{\Phi }}^{\mathsf {skc}}{(\mathscr {E})}. \end{aligned}$$

Adversary \(\mathscr {E}\) runs \(\mathscr {A}\). When the latter makes an \(\mathbf{RKFn }\)-query \((\phi ,x)\), \(\mathscr {E}\) forwards the same query to its own oracle and returns the answer to \(\mathscr {A}\). When \(\mathscr {A}\) stops, if \(\mathscr {A}\) has queried two different functions \(\phi _1\) and \(\phi _2\) such that \(\phi _1(K) = \phi _2(K)\), then \(b'\) was set to 1 when the second of these two functions was queried by \(\mathscr {E}\), and then \(\mathscr {E}\) wins. (Of course, if the class of RKD functions is claw-free, this probability is 0.)

Games \(\text {G}_{9}\) and \(\text {G}_{10}\) are identical, so

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_{9}}\,\right] } = {\Pr \left[ \,{{\textsc {Succ}}_{10}}\,\right] } . \end{aligned}$$
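Spelled out, the bounds of the individual hops chain together as follows (an added derivation in the paper's own notation, not part of the original text; it uses that \(\text {G}_0\) is the RKPRFReal game and \(\text {G}_{10}\) the RKPRFRand game, so the prf-rka advantage of \(\mathscr {A}\) equals \({\Pr \left[ \,{{\textsc {Succ}}_0}\,\right] } - {\Pr \left[ \,{{\textsc {Succ}}_{10}}\,\right] }\)). Write \(\varepsilon _{\mathsf {kc}} = \mathbf {Adv}_{{\Phi },M}^{\mathsf {kc}}{(\mathscr {D})}\), \(\varepsilon _{\mathsf {cr}} = \mathbf {Adv}^{\mathsf {cr}}_{H}(\mathscr {C})\), \(\varepsilon _{\mathsf {prf}} = \mathbf {Adv}^{\mathsf {prf}}_{M}{(\mathscr {B})}\) and \(\varepsilon _{\mathsf {skc}} = \mathbf {Adv}_{{\Phi }}^{\mathsf {skc}}{(\mathscr {E})}\). Then

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_0}\,\right] }&= {\Pr \left[ \,{{\textsc {Succ}}_1}\,\right] } \;\le \;{\Pr \left[ \,{{\textsc {Succ}}_2}\,\right] } + \varepsilon _{\mathsf {kc}} = {\Pr \left[ \,{{\textsc {Succ}}_3}\,\right] } + \varepsilon _{\mathsf {kc}} \\&\le \;{\Pr \left[ \,{{\textsc {Succ}}_4}\,\right] } + \varepsilon _{\mathsf {kc}} + \varepsilon _{\mathsf {cr}} = {\Pr \left[ \,{{\textsc {Succ}}_5}\,\right] } + \varepsilon _{\mathsf {kc}} + \varepsilon _{\mathsf {cr}} \\&\le \;{\Pr \left[ \,{{\textsc {Succ}}_6}\,\right] } + \varepsilon _{\mathsf {kc}} + \varepsilon _{\mathsf {cr}} + \varepsilon _{\mathsf {prf}} = {\Pr \left[ \,{{\textsc {Succ}}_7}\,\right] } + \varepsilon _{\mathsf {kc}} + \varepsilon _{\mathsf {cr}} + \varepsilon _{\mathsf {prf}} \\&= \;{\Pr \left[ \,{{\textsc {Succ}}_8}\,\right] } + \varepsilon _{\mathsf {kc}} + \varepsilon _{\mathsf {cr}} + \varepsilon _{\mathsf {prf}} \;\le \;{\Pr \left[ \,{{\textsc {Succ}}_9}\,\right] } + \varepsilon _{\mathsf {kc}} + \varepsilon _{\mathsf {cr}} + \varepsilon _{\mathsf {prf}} + \varepsilon _{\mathsf {skc}} \\&= \;{\Pr \left[ \,{{\textsc {Succ}}_{10}}\,\right] } + \varepsilon _{\mathsf {kc}} + \varepsilon _{\mathsf {cr}} + \varepsilon _{\mathsf {prf}} + \varepsilon _{\mathsf {skc}}, \end{aligned}$$

so \({\Pr \left[ \,{{\textsc {Succ}}_0}\,\right] } - {\Pr \left[ \,{{\textsc {Succ}}_{10}}\,\right] } \le \varepsilon _{\mathsf {prf}} + \varepsilon _{\mathsf {cr}} + \varepsilon _{\mathsf {kc}} + \varepsilon _{\mathsf {skc}}\), which is the bound of Theorem 3.1.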

Equation (1) now follows by combining the bounds arising in the different game hops. \(\square \)

4 Related-Key Security for Affine RKD Functions

In this section, we apply the above framework to the variant \({\mathsf {NR}^{*}} \) of the Naor–Reingold PRF. Recall that \({\mathsf {NR}^{*}} {:\;\;}{{\mathbb {Z}}}_p^{n} \times \{0,1\}^n {\setminus } \{0^n\} \rightarrow \mathbb {G}\) was defined in [2] by:

$$\begin{aligned} {\mathsf {NR}^{*}} ({\vec {a}},x) = \left[ {\prod _{i=1}^n a_i^{x_i}}\right] \end{aligned}$$

for all \({\vec {a}} \in {{\mathbb {Z}}}_p^n\) and \(x \in \{0,1\}^n {\setminus } \{0^n\}\). We recall the definition of \({\Phi } _{\mathsf {aff}}\) (\(= {\Phi } _{1}\)) from the introduction. Using the above theorem, we prove that \({\mathsf {NR}^{*}} \) can be used to build a \({\Phi } _{\mathsf {aff}}\)-RKA-secure PRF under the \(\mathrm {DDH}\) assumption, thereby recovering and strengthening the withdrawn result from [2]. We first recall the following lemma from [2].

Lemma 4.1

Let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p and let \({\mathsf {NR}^{*}} \) be defined via \({\mathsf {NR}^{*}} ({\vec {a}},x)=\left[ {\prod _{i=1}^{n}a_i^{x_i}}\right] \), where \({\vec {a}} \in {{\mathbb {Z}}}_p^n\) and \(x \in \{0,1\}^n {\setminus } \{0^n\}\). Let \(\mathscr {A}\) be an adversary against the standard prf security of \({\mathsf {NR}^{*}} \) that makes \(Q_\mathscr {A}\) oracle queries. Then we can construct an adversary \(\mathscr {B}\) against the \(\mathrm {DDH}\) problem such that

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{{\mathsf {NR}^{*}}}{(\mathscr {A})} \;\le \;(n-1) \cdot \mathbf {Adv}^{\mathsf {ddh}}_{\mathbb {G}}{(\mathscr {B})}. \end{aligned}$$

The running time of \(\mathscr {B}\) is equal to the running time of \(\mathscr {A}\), plus the time required to compute \(O(Q_{\mathscr {A}})\) exponentiations in \(\mathbb {G}\).

In what follows, we prove the properties needed to apply Theorem 3.1 to \({\mathsf {NR}^{*}} \).

Strong Key Fingerprint. Let \(\omega _i = 0^{i-1}{\,\Vert \,}1{\,\Vert \,}0^{n-i}\), for \(i = 1,\ldots ,n\). Then \(\vec {\omega }\) is a strong key fingerprint for \({\mathsf {NR}^{*}} \). Indeed, we have \(({\mathsf {NR}^{*}} ({\vec {a}},\omega _1),\ldots ,{\mathsf {NR}^{*}} ({\vec {a}},\omega _n)) = (\left[ {a_1}\right] ,\ldots ,\left[ {a_n}\right] )\), so if \({\vec {a}} \ne \vec {a}'\) are two distinct keys in \(\mathcal {K}= {{\mathbb {Z}}}_p^n\), then there exists \(i \in \{1,\ldots ,n\}\) such that \(a_i \ne a'_i\), so \(\left[ {a_i}\right] \ne \left[ {a'_i}\right] \) since \(\mathbb {G}\) has prime order p.

Compatible Hash Function. We have \(\mathsf {Qrs}(\mathsf {KT}_{{\Phi } _{\mathsf {aff}}},{\mathsf {NR}^{*}},{\Phi } _{\mathsf {aff}},\vec {\omega }) = \{\omega _1,\ldots ,\omega _n \}\), so let \(\overline{{\mathcal {D}}} = \{0,1\}^n \times \mathbb {G}^n\) and let \(h {:\;\;}\overline{\mathcal {D}} \rightarrow \{0,1\}^{n-2}\) be a collision-resistant hash function. Then, the hash function defined by \(H(x,\vec {z}) = 11{\,\Vert \,}h(x,\vec {z})\) is a collision-resistant hash function that is compatible with \((\mathsf {KT}_{{\Phi } _{\mathsf {aff}}},{\mathsf {NR}^{*}},{\Phi } _{\mathsf {aff}},\vec {\omega })\) since every element of \(\mathsf {Qrs}(\mathsf {KT}_{{\Phi } _{\mathsf {aff}}},{\mathsf {NR}^{*}},{\Phi } _{\mathsf {aff}},\vec {\omega })\) has at most one 1 bit and every output of H has at least two 1 bits. Note that in particular the output of H is never \(0^n\), so it is always in the domain of \({\mathsf {NR}^{*}} \).
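The following Python block is an added worked example, not code from the paper, that instantiates the whole construction of this section in a constructed toy group: the safe prime \(P = 1019\) with \(p = 509\) and \(g = 4\) are assumptions chosen only for readability and are far too small for real use. It implements \({\mathsf {NR}^{*}} \), the strong key fingerprint on the unit vectors \(\omega _i\), the compatible hash \(H(x,\vec {z}) = 11{\,\Vert \,}h(x,\vec {z})\) with h taken (as an assumption) to be SHA-256 truncated to \(n-2\) bits, the resulting PRF \(F(K,x) = {\mathsf {NR}^{*}} (K, H(x, {\mathsf {NR}^{*}} (K,\vec {\omega })))\) of Theorem 3.1, and the real \(\mathbf{RKFn } \) oracle of the RKA game for an affine RKD function. All helper names are the example's own.

```python
"""Toy instantiation of the Sect. 4 construction: NR*, its strong key
fingerprint, a compatible hash H and F(K, x) = NR*(K, H(x, NR*(K, omega))).
Added example, not code from the paper."""
import hashlib

# Constructed toy group: P = 2p + 1 is a safe prime and G = <g> is the
# order-p subgroup of Z_P^*. ASSUMPTION: p = 509 is far too small for real
# use (it only keeps values readable); a deployment would use a standard
# 2048-bit MODP group or an elliptic-curve group. [e] denotes g^e mod P.
P = 1019
p = 509
g = 4   # 2^2 mod P generates the quadratic residues, a subgroup of prime order p
n = 8   # keys are vectors in Z_p^n, inputs are n-bit strings other than 0^n


def bits(value, width):
    """Big-endian tuple of `width` bits of an integer."""
    return tuple((value >> (width - 1 - i)) & 1 for i in range(width))


def nr_star(a, x):
    """NR*(a, x) = [prod_{i: x_i = 1} a_i]; the all-zero input is not in the domain."""
    if len(a) != n or len(x) != n or not any(x):
        raise ValueError("NR* expects a key in Z_p^n and an input in {0,1}^n without 0^n")
    e = 1
    for a_i, x_i in zip(a, x):
        if x_i:
            e = e * a_i % p
    return pow(g, e, P)


def fingerprint(a):
    """Strong key fingerprint: NR* on omega_i = 0^{i-1} || 1 || 0^{n-i}
    returns ([a_1], ..., [a_n]), which differs for any two distinct keys."""
    return tuple(nr_star(a, tuple(int(j == i) for j in range(n))) for i in range(n))


def compatible_hash(x, z):
    """H(x, z) = 11 || h(x, z), with h = SHA-256 truncated to n-2 bits (assumption).
    Every output has at least two 1 bits, so it is never 0^n and never one
    of the omega_i, the only points the affine key transformer queries on
    the fingerprint: that is the compatibility condition."""
    md = hashlib.sha256(bytes(x))
    for z_i in z:
        md.update(z_i.to_bytes(2, "big"))   # group elements are < P < 2^16 in this toy group
    low = int.from_bytes(md.digest(), "big") & ((1 << (n - 2)) - 1)
    return (1, 1) + bits(low, n - 2)


def rka_prf(a, x):
    """F(K, x) = NR*(K, H(x, NR*(K, omega))): the Phi_aff-RKA-secure PRF of Theorem 3.1."""
    return nr_star(a, compatible_hash(x, fingerprint(a)))


def apply_affine(phi, a):
    """Derive the related key phi(K) for phi in Phi_aff, given as ((b_1, c_1), ..., (b_n, c_n))."""
    if len(phi) != n or any(b % p == 0 for b, _ in phi):
        raise ValueError("Phi_aff requires n affine maps with nonzero slopes b_i")
    return tuple((b * a_i + c) % p for (b, c), a_i in zip(phi, a))


def rk_oracle(K, phi, x):
    """The RKFn oracle of the real RKA game: F(phi(K), x)."""
    return rka_prf(apply_affine(phi, K), x)
```

Two facts the arguments above rely on can be checked directly on these functions: the fingerprints of two keys that differ in one coordinate differ in exactly that coordinate, and every output of H carries the prefix 11, so it never equals \(0^n\) or a unit vector and the hash output always lies in the domain of \({\mathsf {NR}^{*}} \) outside the transformer's query set.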

Lemma 4.2

Let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p and let \({\mathsf {NR}^{*}} \) be defined via \({\mathsf {NR}^{*}} ({\vec {a}},x)=\left[ {\prod _{i=1}^{n}a_i^{x_i}}\right] \), where \({\vec {a}} \in {{\mathbb {Z}}}_p^n\) and \(x \in \{0,1\}^n {\setminus } \{0^n\}\). Let \(\mathscr {D}\) be an adversary against the \({\Phi } _{\mathsf {aff}}\)-key-collision security of \({\mathsf {NR}^{*}} \) that makes \(Q_\mathscr {D}\) oracle queries. Then, we can construct an adversary \(\mathscr {C}\) against the \(\mathrm {DL}\) problem in \(\mathbb {G}\) with approximately the same running time as that of \(\mathscr {D}\) such that

$$\begin{aligned} \mathbf {Adv}_{{\Phi } _{\mathsf {aff}},{\mathsf {NR}^{*}}}^{\mathsf {kc}}{(\mathscr {D})} \;\le \;n \cdot \mathbf {Adv}^{\mathsf {dl}}_{\mathbb {G}}(\mathscr {C}). \end{aligned}$$

Since the hardness of \(\mathrm {DDH}\) implies the hardness of \(\mathrm {DL}\), the above lemma does not introduce any additional hardness assumptions beyond \(\mathrm {DDH}\).

Proof of Lemma 4.2

Let \(\mathscr {D}\) be an adversary against the \({\Phi } _{\mathsf {aff}}\)-key-collision security of \({\mathsf {NR}^{*}} \) that makes \(Q_\mathscr {D}\) oracle queries. Then we construct an adversary \(\mathscr {C}\) against the \(\mathrm {DL}\) problem in \(\mathbb {G}\) as follows. Adversary \(\mathscr {C}\) receives as input a DL tuple ([1], [a]). Adversary \(\mathscr {C}\) then picks \(j {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\{1,\ldots ,n\}\) at random; this is a guess of a coordinate where the two vectors of affine functions \(\vec {\phi }^{(1)}\) and \(\vec {\phi }^{(2)}\) that \(\mathscr {D}\) will use as inputs in the \(\mathbf{Finalize }\) procedure are different. Then, \(\mathscr {C}\) picks \(a_i {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_p\) for \(i = 1,\ldots ,n, i \ne j\) at random. Adversary \(\mathscr {C}\) implicitly sets \(a_j = a\).

When \(\mathscr {D}\) makes a query \((\phi ,x)\), \(\mathscr {C}\) computes \(y = {([{\phi _j(a_j)^{x_j}}])}^{\prod _{\overset{i=1}{i \ne j}}^n {\phi _i(a_{i})^{x_i}}} = \Big [\prod _{i=1}^{n}{\phi _i(a_i)^{x_i}}\Big ] = {\mathsf {NR}^{*}} ({\vec {a}},x)\), where \({\vec {a}} = (a_{1},\ldots ,a_{n})\). Here, \(\mathscr {C}\) uses its input \(\left[ {a}\right] \) to compute an “affine function in the exponent” for \(\left[ {\phi _j(a_{j})}\right] \): writing \(\phi _j(T) = b_j T + c_j\), it sets \(\left[ {\phi _j(a_j)}\right] = \left[ {a}\right] ^{b_j} \cdot \left[ {1}\right] ^{c_j}\) (and when \(x_j = 0\) the first factor is simply \(\left[ {1}\right] \)). At the end, \(\mathscr {D}\) sends \((\vec {\phi }^{(1)},\vec {\phi }^{(2)})\) to \(\mathscr {C}\) and \(\mathscr {D}\) wins if \(\vec {\phi }^{(1)} \ne \vec {\phi }^{(2)}\) and \(\vec {\phi }^{(1)}({\vec {a}}) = \vec {\phi }^{(2)}({\vec {a}})\), where \(\vec {\phi }^{(i)} = (\phi ^{(i)}_1,\ldots ,\phi ^{(i)}_n), i \in \{1,2\}\). Since j was chosen uniformly at random and \(\vec {\phi }^{(1)} \ne \vec {\phi }^{(2)}\), with probability at least \(\frac{1}{n}\), we have \(\phi ^{(1)}_j \ne \phi ^{(2)}_j\) but \(\phi ^{(1)}_j(a_{j}) = \phi ^{(2)}_j(a_{j})\). In this case, \(a_{j} = a\) is a root of the nonzero affine function \(\psi = \phi ^{(1)}_j - \phi ^{(2)}_j\), which can be easily computed: writing \(\phi ^{(i)}_j(T) = b^{(i)} T + c^{(i)}\), the two maps differ yet agree at \(a_j\), so their slopes must differ (if \(b^{(1)} = b^{(2)}\), then \(\psi \) would be the nonzero constant \(c^{(1)} - c^{(2)}\) and could not vanish anywhere); hence \(\psi \) has the unique root \(a = (c^{(2)} - c^{(1)}) \cdot (b^{(1)} - b^{(2)})^{-1} \bmod p\), which \(\mathscr {C}\) outputs as its answer. Hence, we have

$$\begin{aligned} \mathbf {Adv}_{{\Phi } _{\mathsf {aff}},{\mathsf {NR}^{*}}}^{\mathsf {kc}}{(\mathscr {D})} \;\le \;n \cdot \mathbf {Adv}^{\mathsf {dl}}_{\mathbb {G}}(\mathscr {C}) \end{aligned}$$

and the claim follows. \(\square \)

Lemma 4.3

Let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p and let \({\mathsf {NR}^{*}} \) be defined via \({\mathsf {NR}^{*}} ({\vec {a}},x)=\left[ {\prod _{i=1}^{n}a_i^{x_i}}\right] \), where \({\vec {a}} \in {{\mathbb {Z}}}_p^n\) and \(x \in \{0,1\}^n {\setminus } \{0^n\}\). Let \(\mathsf {KT}_{{\Phi } _{\mathsf {aff}}}\) be defined via

$$\begin{aligned} \mathsf {KT}_{{\Phi } _{\mathsf {aff}}}^f (\phi ,x) = \left[ {\prod _{i \in S(x)} c_i}\right] \cdot \prod _{y \preceq x, y \ne 0^n} f(y)^{\prod _{j \in S(y)} b_j \prod _{k \in S(x) {\setminus } S(y)}c_k} \end{aligned}$$

where \(\vec {\phi } = (\phi _1,\ldots ,\phi _n) \in {\Phi } _{\mathsf {aff}}\), with \(\phi _i {:\;\;}a \in {{\mathbb {Z}}}_p \mapsto b_i a + c_i \in {{\mathbb {Z}}}_p\), \(b_i \ne 0\), for \(i = 1, \ldots , n\). Here \(S(x) \subseteq \{1,\ldots ,n\}\) denotes the set of indices i with \(x_i = 1\), and \(y \preceq x\) means \(S(y) \subseteq S(x)\), so the product ranges over the \(2^{\vert S(x)\vert } - 1\) nonzero bitstrings dominated by x. Then \(\mathsf {KT}_{{\Phi } _{\mathsf {aff}}}\) is a key-transformer for \(({\mathsf {NR}^{*}},{\Phi } _{\mathsf {aff}})\). Moreover, the worst-case running time of this key-transformer is the time required to compute \(O(2^n)\) exponentiations in \(\mathbb {G}\).

Proof of Lemma 4.3

Let us first check the correctness condition.

$$\begin{aligned} \mathsf {KT}_{{\Phi } _{\mathsf {aff}}}^{{\mathsf {NR}^{*}} ({\vec {a}},\cdot )} (\vec {\phi },x)&= \left[ {\prod _{i \in S(x)} c_i}\right] \cdot \prod _{y \preceq x, y \ne 0^n} \left[ {\prod _{l \in S(y)}a_{l}}\right] ^{\prod _{j \in S(y)} b_j \prod _{k \in S(x) {\setminus } S(y)}c_k} \\&= \prod _{R \subseteq S(x)} \left[ {\prod _{i \in R} (b_i \cdot a_i) \prod _{j \in S(x) {\setminus } R} c_j}\right] = \left[ {\sum _{R \subseteq S(x)} \prod _{i \in R} (b_i \cdot a_i) \prod _{j \in S(x) {\setminus } R} c_j}\right] \\&= \left[ {\prod _{i \in S(x)} (b_i \cdot a_{i} + c_i)}\right] = \left[ {\prod _{i = 1}^n (b_i \cdot a_{i} + c_i)^{x_{i}}}\right] = {\mathsf {NR}^{*}} (\vec {\phi }({\vec {a}}),x) . \end{aligned}$$

Then, we have verified the correctness condition, and it is clear that the worst-case running time is the time to compute \(2^n\) exponentiations in \(\mathbb {G}\), when \(x = 11 {\,\Vert \,}\ldots {\,\Vert \,}1\) and none of the exponents is 0. Hence, only the uniformity condition remains to prove. We use the sequence of games in Fig. 4. Let us recall that the adversary is supposed to be unique-input, meaning that for any sequence of queries \((\vec {\phi }_1,x_1),\ldots ,(\vec {\phi }_q,x_q)\), the entries \(x_i\), for \(i = 1,\ldots ,q\), are all distinct. We denote by \(\mathsf {hw}(x)\) the Hamming weight of a bitstring x. Let \({\textsc {Succ}}_i\) denote the event that the output of game \(\text {G}_i\) takes the value 1.

Fig. 4: Games for the proof of Lemma 4.3

In game \(\text {G}_0\), the “If” statement will always pass since \(\mathsf {hw}(x) \le n\) for any bitstring of length n. Hence, we have

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_0}\,\right] } = {\Pr \left[ \,{{}\text {KTReal}_{\mathsf {KT}}^\mathscr {A}\Rightarrow 1}\,\right] } . \end{aligned}$$

We claim that for all \(0 \le i \le n-1\),

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_i}\,\right] } = {\Pr \left[ \,{{\textsc {Succ}}_{i+1}}\,\right] } . \end{aligned}$$

The only difference between games \(\text {G}_i\) and \(\text {G}_{i+1}\) is in the way that bitstrings x of Hamming weight \(n-i\) are handled. Indeed, such a string is fed to \(\mathsf {KT}_{{\Phi } _{\mathsf {aff}}}^f (\vec {\phi },x)\) in \(\text {G}_i\), which computes

$$\begin{aligned} \mathsf {KT}_{{\Phi } _{\mathsf {aff}}}^f (\vec {\phi },x) = \left[ {\prod _{i \in S(x)} c_i}\right] \cdot \prod _{y \preceq x, y \ne 0^n} f(y)^{\prod _{j \in S(y)} b_j \prod _{k \in S(x) {\setminus } S(y)}c_k} \end{aligned}$$

where \(\vec {\phi } = (\phi _1,\ldots ,\phi _n) \in {\Phi } _{\mathsf {aff}}\), with \(\phi _i {:\;\;}\vec {T}\mapsto b_i T_i + c_i\), \(b_i \ne 0\), for \(i = 1, \ldots , n\). Now, since we need only deal with unique-input adversaries, this is the only time that \(\text {G}_i\) will query f at input x (all other queries to f will be at other points with the same Hamming weight or at points with strictly smaller Hamming weight). Hence, the entire value computed above can equivalently be set to a value chosen uniformly at random. (This relies on the exponent for f(x) used in the computation being nonzero; this is guaranteed by the requirement that \(b_i \ne 0\), for \(i = 1, \ldots , n\) and the fact that when \(y=x\), the product \(\prod _{k \in S(x) {\setminus } S(y)}c_k\) is empty.) Setting the entire value to a uniformly random value is exactly what is done in \(\text {G}_{i+1}\), and the claim follows.

Finally, in \(\text {G}_n\), the “If” statement will never pass since \(\mathsf {hw}(x) > 0\) for any \(x \in \{0,1\}^n {\setminus } \{0^n\}\), so we have

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_n}\,\right] } = {\Pr \left[ \,{\text {KTRand}_{\mathsf {KT}}^\mathscr {A}\Rightarrow 1}\,\right] } . \end{aligned}$$

The uniformity condition follows. \(\square \)
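The correctness identity just verified can be checked mechanically. The following Python example is added here and is not code from the paper: it implements \(\mathsf {NR}^{*}\) and \(\mathsf {KT}_{{\Phi } _{\mathsf {aff}}}\) over a constructed toy Schnorr subgroup (order \(p = 1019\) inside \(\mathbb {Z}_{2039}^*\); the key, the affine RKD function and the inputs are constructed values), runs the key-transformer with only oracle access to \(\mathsf {NR}^{*}({\vec {a}},\cdot )\), and counts the oracle queries, which is where the \(2^n\) cost comes from.

```python
import itertools

# Constructed toy parameters (not from the paper): Z_Q^* with Q = 2039 prime
# has a subgroup of prime order P = 1019 (Q - 1 = 2 * P), generated by G.
Q = 2039
P = 1019
G = pow(2, (Q - 1) // P, Q)  # = 4; has order P since 4 != 1 and P is prime


def enc(z):
    """The paper's bracket notation [z] = g^z; exponents live in Z_p."""
    return pow(G, z % P, Q)


def support(x):
    """S(x): the 1-based indices i with x_i = 1, for x a tuple of bits."""
    return [i for i, bit in enumerate(x, start=1) if bit]


def nr_star(a, x):
    """NR*(a, x) = [prod_i a_i^{x_i}] for a in Z_p^n and x in {0,1}^n minus 0^n."""
    assert any(x), "NR* is not defined on 0^n"
    z = 1
    for i in support(x):
        z = z * a[i - 1] % P
    return enc(z)


def apply_phi(phi, a):
    """phi(a) for an affine RKD function phi = ((b_1, c_1), ..., (b_n, c_n))."""
    return [(b * ai + c) % P for (b, c), ai in zip(phi, a)]


def key_transformer_aff(f, phi, x):
    """KT^f_{Phi_aff}(phi, x) of Lemma 4.3, given only oracle access to
    f(.) = NR*(a, .).  The key a is never read; every y with S(y) a nonempty
    subset of S(x) costs one oracle query."""
    assert all(b % P != 0 for b, _ in phi), "Phi_aff requires b_i != 0"
    S = support(x)
    n = len(x)
    # leading factor [prod_{i in S(x)} c_i]
    const = 1
    for i in S:
        const = const * phi[i - 1][1] % P
    result = enc(const)
    # product over y <= x, y != 0^n, i.e. over nonempty R subseteq S(x)
    for r in range(1, len(S) + 1):
        for R in itertools.combinations(S, r):
            y = tuple(1 if i in R else 0 for i in range(1, n + 1))
            e = 1
            for j in R:                    # prod_{j in S(y)} b_j
                e = e * phi[j - 1][0] % P
            for k in S:                    # prod_{k in S(x) \ S(y)} c_k
                if k not in R:
                    e = e * phi[k - 1][1] % P
            result = result * pow(f(y), e, Q) % Q
    return result


def run_transformer(a, phi, x):
    """Run KT against the real oracle NR*(a, .) and count the oracle queries;
    the count is 2^hw(x) - 1, the source of the O(2^n) worst-case cost."""
    queries = []

    def oracle(y):
        queries.append(y)
        return nr_star(a, y)

    return key_transformer_aff(oracle, phi, x), len(queries)


if __name__ == "__main__":
    a = [5, 17, 123, 9]                                 # constructed key
    phi = [(3, 7), (11, 0), (2, 1018), (100, 45)]       # constructed RKD function
    x = (1, 0, 1, 1)
    out, nq = run_transformer(a, phi, x)
    print(out == nr_star(apply_phi(phi, a), x), nq)     # True 7
```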

Lemma 4.4

Let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p. Let \(\mathscr {A}\) be an adversary against the \({\Phi } _{\mathsf {aff}}\)-statistical-key-collision security for \(\mathsf {Fun}({{\mathbb {Z}}}_p^n,\{0,1\}^n,\mathbb {G})\) making \(Q_\mathscr {A}\) queries. Then we have

$$\begin{aligned} \mathbf {Adv}_{{\Phi } _{\mathsf {aff}}}^{\mathsf {skc}}{(\mathscr {A})} \;\le \;\frac{Q_\mathscr {A}^2}{2 p}. \end{aligned}$$

Proof of Lemma 4.4

Let \(\mathscr {A}\) be an adversary against the \({\Phi } _{\mathsf {aff}}\)-statistical-key-collision security for \(\mathsf {Fun}({{\mathbb {Z}}}_p^n,\{0,1\}^n, \mathbb {G})\) that makes \(Q_{\mathscr {A}}\) queries. Since the function F defined in the \(\mathbf{Initialize }\) procedure is a random function, \(\mathscr {A}\) does not learn any information on the key \({\vec {a}}\) until \(b' \leftarrow 1\), so \(\mathbf {Adv}_{{\Phi } _{\mathsf {aff}}}^{\mathsf {skc}}{(\mathscr {A})}\) is bounded by the probability that \(\mathscr {A}\) makes use in its queries of two different \(\mathrm {RKD}\) functions that lead to the same key. We claim that

$$\begin{aligned} \mathbf {Adv}_{{\Phi } _{\mathsf {aff}}}^{\mathsf {skc}}{(\mathscr {A})} \;\le \;\frac{Q_\mathscr {A}^2}{2 p}. \end{aligned}$$

This follows easily on noting that, if two different \(\mathrm {RKD}\) functions lead to the same key, then those two functions must differ in some coordinate k. This means that the difference in those components is a non-constant affine function \(\psi _k\) such that \(\psi _k(a_{k}) = 0\), where \(a_{k}\) is the kth component of key \({\vec {a}}\) that was taken uniformly at random in the \(\mathbf{Initialize }\) procedure. Since \(\psi _k\) is a non-constant affine function and \(a_{k}\) is uniformly random in \({{\mathbb {Z}}}_p\), the probability that \(\psi _k(a_{k}) = 0\) is bounded by \(\frac{1}{p}\). To obtain the final result, one simply applies a union bound over the (at most) \(\left( {\begin{array}{c}Q_\mathscr {A}\\ 2\end{array}}\right) \) pairs of choices of different \(\mathrm {RKD}\) functions accessed by \(\mathscr {A}\). \(\square \)

We now have everything we need to apply Theorem 3.1 to \({\mathsf {NR}^{*}} \). Combining Theorem 3.1, Lemmas 4.1–4.4 and the above properties, we obtain the following theorem.

Theorem 4.5

Let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p and let \({\mathsf {NR}^{*}} \) be defined via \({\mathsf {NR}^{*}} ({\vec {a}},x)=\left[ {\prod _{i=1}^{n}a_i^{x_i}}\right] \), where \({\vec {a}} \in {{\mathbb {Z}}}_p^n\) and \(x \in \{0,1\}^n {\setminus } \{0^n\}\). Let \(\overline{{\mathcal {D}}} = \{0,1\}^n \times \mathbb {G}^n\) and let \(h {:\;\;}\overline{\mathcal {D}} \rightarrow \{0,1\}^{n-2}\) be a hash function. Let \(\omega _i = 0^{i-1}{\,\Vert \,}1{\,\Vert \,}0^{n-i}\), for \(i = 1,\ldots ,n\). Define \(F {:\;\;}{{\mathbb {Z}}}_p^n \times \{0,1\}^n \rightarrow \mathbb {G}\) by

$$\begin{aligned} F({\vec {a}},x) = {\mathsf {NR}^{*}} ({\vec {a}}, 11{\,\Vert \,}h(x,{\mathsf {NR}^{*}} ({\vec {a}},\vec {\omega }))) \end{aligned}$$

for all \({\vec {a}} \in {{\mathbb {Z}}}_p^n\) and \(x \in \{0,1\}^n\). Let \(\mathscr {A}\) be a \({\Phi } _{\mathsf {aff}}\)-restricted adversary against the prf-rka security of F that makes \(Q_\mathscr {A}\) oracle queries. Then, we can construct an adversary \(\mathscr {B}\) against the \(\mathrm {DDH}\) problem in \(\mathbb {G}\), an adversary \(\mathscr {C}\) against the cr security of h, and an adversary \(\mathscr {D}\) against the \(\mathrm {DL}\) problem in \(\mathbb {G}\), such that

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}\text{- }\mathsf {rka}}_{{\Phi } _{\mathsf {aff}},F}{(\mathscr {A})} \;\le \;n \cdot \mathbf {Adv}^{\mathsf {ddh}}_{\mathbb {G}}{(\mathscr {B})} + \mathbf {Adv}^{\mathsf {cr}}_{h}(\mathscr {C}) + n \cdot \mathbf {Adv}^{\mathsf {dl}}_{\mathbb {G}}(\mathscr {D}) + \frac{Q_\mathscr {A}^2}{2 p} . \end{aligned}$$

The running time of \(\mathscr {B}\) is that of \(\mathscr {A}\) plus the time required to compute \(O(Q_{\mathscr {A}} \cdot (n+1) \cdot 2^n) \) exponentiations in \(\mathbb {G}\). The running times of \(\mathscr {C}\) and \(\mathscr {D}\) are the same as that of \(\mathscr {A}\).

5 Further Generalization of the Bellare–Cash Framework

We introduce a new type of PRF, called an \((\mathcal {S},{\Phi })\textit{-Unique-Input-RKA-PRF}\). We then use this notion as a tool in a further extension of the Bellare–Cash framework that can be applied to non-key-malleable PRFs and non-claw-free classes of \(\mathrm {RKD}\) functions. This new framework provides in particular a route to proving that the variant of the Naor–Reingold PRF introduced in Sect. 4 is actually \({\Phi } _{d}\)-RKA secure.

\((\mathcal {S},{\Phi })\textit{-Unique-Input-RKA-PRF}\). An \((\mathcal {S},{\Phi })\text {-unique-input-RKA-PRF}\) M is a relaxation of the standard notion of unique-input RKA-PRF, in which the adversary is required to be unique-input only with respect to points in the set \(\mathcal {S}\). Moreover, for points outside of the set \(\mathcal {S}\), the queries are always answered using M. More formally, let \(M {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be a family of functions. Let \(\mathcal {S}\) be a subset of \(\mathcal {D}\) and \({\Phi } \) be a class of RKD functions. We consider the security game defined in Fig. 5, for the restricted class of adversaries \(\mathscr {A}\), such that all queries \((\phi ,x)\) with \(x \in \mathcal {S}\) made by \(\mathscr {A}\) to its oracle are for distinct values of x. That is, for any sequence of \(\mathscr {A}\)’s queries \((\phi _1,x_1),\ldots ,(\phi _q,x_q)\) with \(x_i \in \mathcal {S}\) for all \(i = 1,\ldots ,q\), we require all the \(x_i\) to be distinct (no such restriction is made for queries \((\phi _i,x_i)\) with \(x_i \notin \mathcal {S}\)). We denote the advantage of such an adversary \(\mathscr {A}\) by \(\mathbf {Adv}^{(\mathcal {S},{\Phi })\mathsf {\text{- }ui\text{- }prf\text{- }rka}}_{M}(\mathscr {A})\).

Fig. 5: Game defining the \((\mathcal {S},{\Phi })\text {-unique-input-prf-rka security}\) of a PRF M

The following theorem is an analogue of Theorem 3.1 in which the roles of key malleability and hash function compatibility are replaced by our new notion, \((\mathcal {S},{\Phi })\text {-unique-input-prf-rka security}\).

Theorem 5.1

Let \(M {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be a family of functions and \({\Phi } \) be a class of \(\mathrm {RKD}\) functions. Let \(\vec {\omega }\in {\mathcal {D}}^m\) be a strong key fingerprint for M. Let \(\overline{{\mathcal {D}}} = {\mathcal {D}} \times {\mathcal {R}}^m\) and let \(H {:\;\;}\overline{\mathcal {D}} \rightarrow \mathcal {S}\) be a hash function, where \(\mathcal {S}\subseteq {\mathcal {D}} {\setminus } \{\omega _1,\ldots ,\omega _m\}\). Define \(F {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) by

$$\begin{aligned} F(K,x) = M(K,H(x,M(K,\vec {\omega }))) \end{aligned}$$

for all \(K \in \mathcal {K}\) and \(x \in \mathcal {D}\). Let \(\mathscr {A}\) be a \({\Phi } \)-restricted adversary against the prf-rka security of F that makes \(Q_\mathscr {A}\le \vert \mathcal {S}\vert \) oracle queries. Then, we can construct an adversary \(\mathscr {B}\) against the \((\mathcal {S},{\Phi })\text {-unique-input-prf-rka security}\) of M, an adversary \(\mathscr {C}\) against the cr security of H, an adversary \(\mathscr {D}\) against the \({\Phi } \)-kc security of M and an adversary \(\mathscr {E}\) against \({\Phi } \)-skc security for \(\mathsf {Fun}({\mathcal {K}},{\mathcal {D}}, {\mathcal {R}})\) such that

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}\text{- }\mathsf {rka}}_{{\Phi },F}{(\mathscr {A})} \;\le \;\mathbf {Adv}^{(\mathcal {S},{\Phi })\mathsf {\text{- }ui\text{- }prf\text{- }rka}}_{M}(\mathscr {B}) + \mathbf {Adv}^{\mathsf {cr}}_{H}(\mathscr {C}) + \mathbf {Adv}_{{\Phi },M}^{\mathsf {kc}}{(\mathscr {D})} + \mathbf {Adv}_{{\Phi }}^{\mathsf {skc}}{(\mathscr {E})} . \end{aligned}$$
(2)

Adversaries \(\mathscr {C}\), \(\mathscr {D}\) and \(\mathscr {E}\) have approximately the same running time as \(\mathscr {A}\). Adversary \(\mathscr {B}\) makes \((m + 1) \cdot Q_\mathscr {A}\) oracle queries and has approximately the same running time as \(\mathscr {A}\).

Fig. 6: Games for the proof of Theorem 5.1

Overview of the Proof. The proof of the above theorem is detailed below and relies on the sequence of 10 games (games \(\text {G}_0-\text {G}_{9}\)) described in Fig. 6. Here we provide a brief overview. Since the RKD functions that we consider in our case may have claws, we start by dealing with possible collisions on the related keys in the RKPRFReal case, using the key-collision notion (games \(\text {G}_0-\text {G}_2\)). Then, in games \(\text {G}_3-\text {G}_4\), we deal with possible collisions on hash values in order to ensure that the hash values h used to compute the output y are distinct. Then, in contrast to the proof of Theorem 3.1, we use the new \((\mathcal {S},{\Phi })\text {-unique-input-RKA-PRF}\) notion and the compatibility condition to show that it is hard to distinguish the output of F from a uniformly random output (games \(\text {G}_5-\text {G}_6\)). Finally, we use the statistical-key-collision security notion to deal with possible key collisions in the RKPRFRand case (games \(\text {G}_7-\text {G}_{9}\)) so that \(\text {G}_{9}\) matches the description of the RKPRFRand Game.

Remark 5.2

In Appendix A, we explore the relationship between key-malleable PRFs and unique-input-RKA-secure PRFs. Specifically, we show that the \((\mathcal {S},{\Phi })\text {-unique-input-prf-rka security}\) of a \({\Phi } \)-key-malleable PRF M is implied by its regular prf security if the key-transformer \(\mathsf {KT}\) associated with M satisfies a new condition that we call \(\mathcal {S}\)-uniformity. This condition demands that the usual uniformity condition for \(\mathsf {KT}\) should hold on the subset \(\mathcal {S}\) of \(\mathcal {D}\) rather than on all of \(\mathcal {D}\). Whether \(\mathcal {S}\)-uniformity is implied by (regular) uniformity is an open question.

Proof of Theorem 5.1

The proof is based on the sequence of games in Fig. 6. Much of the proof is similar to the proof of Theorem 3.1 (which itself is based on the proof of the general framework of Bellare and Cash from [2]). The current proof, however, is somewhat simpler and has fewer games since it relies on a stronger security property of the underlying PRF M, namely its \((\mathcal {S},{\Phi })\text {-unique-input-prf-rka security}\). Let \({\textsc {Succ}}_i\) denote the event that the output of game \(\text {G}_i\) takes the value 1.

Game \(\text {G}_1\) introduces storage of used \(\mathrm {RKD}\) functions and values of \(\vec {\overline{\omega }}\) in sets D and E, respectively, and sets \(\mathsf {flag}_1\) to \(\mathsf {true}\) if the same value of \(\vec {\overline{\omega }}\) arises for two different \(\mathrm {RKD}\) functions. Since this storage does not affect the values returned by \(\mathbf{RKFn } \), we have

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_1}\,\right] } = {\Pr \left[ \,{{\textsc {Succ}}_0}\,\right] } . \end{aligned}$$

Game \(\text {G}_2\) adds the boxed code which changes how the repetition of an \(\vec {\overline{\omega }}\) value is handled, by picking instead a random value from \(\mathcal {R}^m {\setminus } E\) that will not repeat any previous one. Games \(\text {G}_1\) and \(\text {G}_2\) are identical until \(\mathsf {flag}_1\) is set to \(\mathsf {true}\); hence, we have

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_1}\,\right] } \;\le \;{\Pr \left[ \,{{\textsc {Succ}}_2}\,\right] } + {\Pr \left[ \,{E_1}\,\right] } \end{aligned}$$

where \(E_1\) denotes the event that the execution of \(\mathscr {A}\) with game \(\text {G}_1\) sets \(\mathsf {flag}_1\) to \(\mathsf {true}\). We design an adversary \(\mathscr {D}\) attacking the \({\Phi } \)-key-collision security of M such that

$$\begin{aligned} {\Pr \left[ \,{E_1}\,\right] } \;\le \;\mathbf {Adv}_{{\Phi },M}^{\mathsf {kc}}{(\mathscr {D})} . \end{aligned}$$

Adversary \(\mathscr {D}\) runs \(\mathscr {A}\). When the latter makes a \(\mathbf{RKFn } \)-query \((\phi ,x)\), adversary \(\mathscr {D}\) queries \((\phi ,\omega _{i})\), for \(i = 1,\ldots ,\vert \vec {\omega }\vert \), to its oracle, then computes \(\vec {\overline{\omega }}\) and then \(h = H(x,\vec {\overline{\omega }})\), and finally queries \((\phi ,h)\) to its oracle and forwards the answer to \(\mathscr {A}\). When \(\mathscr {A}\) stops, \(\mathscr {D}\) searches for two different \(\mathrm {RKD}\) functions \(\phi \) queried by \(\mathscr {A}\) that lead to the same value \(\vec {\overline{\omega }}\) and returns these two functions if found. Since \(\vec {\omega }\) is a strong key fingerprint, two such functions lead to the same key, so \(\mathscr {D}\) wins if it finds two such functions. (Of course, if the class of \(\mathrm {RKD}\) functions is claw-free, the advantage of the attacker is 0.)

Game \(\text {G}_3\) introduces the storage of hash values in a set G and sets \(\mathsf {flag}_2\) to \(\mathsf {true}\) if the same hash output arises twice. Since this storage does not affect the values returned by \(\mathbf{RKFn } \), we have

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_3}\,\right] } = {\Pr \left[ \,{{\textsc {Succ}}_2}\,\right] } . \end{aligned}$$

Game \(\text {G}_4\) adds the boxed code which changes how repetition of hash values is handled, by picking instead a random value h from \(\mathcal {S}{\setminus } G\) that will not repeat any previously used hash value. Games \(\text {G}_3\) and \(\text {G}_4\) are identical until \(\mathsf {flag}_2\) is set to \(\mathsf {true}\), hence we have

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_3}\,\right] } \;\le \;{\Pr \left[ \,{{\textsc {Succ}}_4}\,\right] } + {\Pr \left[ \,{E_2}\,\right] } \end{aligned}$$

where \(E_2\) denotes the event that the execution of \(\mathscr {A}\) with game \(\text {G}_3\) sets \(\mathsf {flag}_2\) to \(\mathsf {true}\). We design an adversary \(\mathscr {C}\) attacking the cr-security of H such that

$$\begin{aligned} {\Pr \left[ \,{E_2}\,\right] } \;\le \;\mathbf {Adv}^{\mathsf {cr}}_{H}(\mathscr {C}) . \end{aligned}$$

Adversary \(\mathscr {C}\) starts by picking \(K {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathcal {K}\) and initializes \(j \leftarrow 0\). It runs \(\mathscr {A}\). When the latter makes a \(\mathbf{RKFn } \)-query \((\phi ,x)\), adversary \(\mathscr {C}\) responds via

[Figure d]

When \(\mathscr {A}\) halts, \(\mathscr {C}\) searches for \(a, b\) satisfying \(1 \le a < b \le j\) such that \(h_a = h_b\) and, if it finds them, outputs \((x_a,w_a),(x_b,w_b)\) and halts. The pairs \((x_a,w_a)\) and \((x_b,w_b)\) are distinct. Indeed, consider two cases: first, if \(\phi _a = \phi _b\), then since \(\mathscr {A}\) never repeats an oracle query, \(x_a \ne x_b\), hence \((x_a,w_a) \ne (x_b,w_b)\). Second, if \(\phi _a \ne \phi _b\), then condition \((*)\) ensures that \(w_a \ne w_b\). Hence, once again, \((x_a,w_a) \ne (x_b,w_b)\), and then

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_3}\,\right] } \;\le \;{\Pr \left[ \,{{\textsc {Succ}}_4}\,\right] } + \mathbf {Adv}^{\mathsf {cr}}_{H}(\mathscr {C}) \;. \end{aligned}$$

In game \(\text {G}_5\), instead of returning the value \(M(\phi (K),h)\), we always return a random value. To show that games \(\text {G}_4\) and \(\text {G}_5\) are indistinguishable, we design an adversary \(\mathscr {B}\) against the \((\mathcal {S},{\Phi })\text {-unique-input-prf-rka security}\) of M such that

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_4}\,\right] } \;\le \;{\Pr \left[ \,{{\textsc {Succ}}_5}\,\right] } + \mathbf {Adv}^{(\mathcal {S},{\Phi })\mathsf {\text{- }ui\text{- }prf\text{- }rka}}_{M}(\mathscr {B}) . \end{aligned}$$

Adversary \(\mathscr {B}\) starts by initializing sets \(D \leftarrow \emptyset \), \(E \leftarrow \emptyset \), \(G \leftarrow \emptyset \). Then \(\mathscr {B}\) runs \(\mathscr {A}\). When the latter makes an \(\mathbf{RKFn }\)-query \((\phi ,x)\), \(\mathscr {B}\) responds as follows:

[Figure e]

Since for all \(i = 1,\ldots , \vert \vec {\omega }\vert \), \(\omega _{i} \notin \mathcal {S}\) by assumption, the value \(\mathscr {B}\) gets from its oracle for the first step \((*)\) is always \(M(\phi (K),\omega _{i}) \). Also, the step \((**)\) guarantees that all values h are in \(\mathcal {S}\) and are all distinct as long as \(\mathscr {A}\) makes at most \(\vert \mathcal {S}\vert \) queries. Finally, h always being in \(\mathcal {S}\), the value of y in step \((***)\) is either \(M(\phi (K),h)\) or a uniformly random value by definition of the oracle. When \(\mathscr {A}\) halts, \(\mathscr {B}\) halts with the same output.

Since \(\mathcal {S}\) does not contain any \(\omega _{i}\) for \(i = 1,\ldots , \vert \vec {\omega }\vert \), it is clear that \(\mathscr {B}\) is a unique-input adversary for queries in \(\mathcal {S}\). Finally, it is clear that if \(\mathscr {B}\)’s oracle gives real outputs of M for queries in \(\mathcal {S}\), then it simulates exactly game \(\text {G}_4\) and if \(\mathscr {B}\)’s oracle gives uniformly random values for queries in \(\mathcal {S}\), then it simulates exactly game \(\text {G}_5\).

In game \(\text {G}_6\), we simply set the value y to a uniformly random value. Clearly, \(\text {G}_5\) and \(\text {G}_6\) are identical since the value returned is a uniformly random value for any query. Then, we have

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_5}\,\right] } = {\Pr \left[ \,{{\textsc {Succ}}_6}\,\right] } . \end{aligned}$$

In game \(\text {G}_7\), we check if two different queries can lead to a key collision. Since the “If” test ensures that the returned value is still uniformly random over \(\mathcal {R}\) even when two different queries result in the same key, games \(\text {G}_6\) and \(\text {G}_7\) are identical. Hence,

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_6}\,\right] } = {\Pr \left[ \,{{\textsc {Succ}}_7}\,\right] } . \end{aligned}$$

In game \(\text {G}_8\), we compute the output of \(\mathbf{RKFn } \) using a random function G in \(\mathsf {Fun}(\mathcal {K},\mathcal {D},\mathcal {R})\). Since games \(\text {G}_7\) and \(\text {G}_{8}\) are identical until \(\mathsf {flag}_3\) is set to \(\mathsf {true}\), we have

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_7}\,\right] } \;\le \;{\Pr \left[ \,{{\textsc {Succ}}_{8}}\,\right] } + {\Pr \left[ \,{E_3}\,\right] } \end{aligned}$$

where \(E_3\) denotes the event that the execution of \(\mathscr {A}\) with game \(\text {G}_{8}\) sets \(\mathsf {flag}_3\) to \(\mathsf {true}\). To bound the probability of event \(E_3\), we design an adversary \(\mathscr {E}\) attacking \({\Phi } \)-statistical-key-collision security for \(\mathsf {Fun}({\mathcal {K}}, \mathcal {D}, \mathcal {R})\) such that

$$\begin{aligned} {\Pr \left[ \,{E_3}\,\right] } \;\le \;\mathbf {Adv}_{{\Phi }}^{\mathsf {skc}}{(\mathscr {E})} . \end{aligned}$$

Adversary \(\mathscr {E}\) runs \(\mathscr {A}\). When the latter makes an \(\mathbf{RKFn }\)-query \((\phi ,x)\), so does \(\mathscr {E}\) and \(\mathscr {E}\) returns the value it receives to \(\mathscr {A}\). When \(\mathscr {A}\) stops, if \(\mathscr {A}\) has queried two different functions \(\phi _1\) and \(\phi _2\) such that \(\phi _1(K) = \phi _2(K)\) then \(b'\) was set to 1 when the second of these two functions was queried by \(\mathscr {E}\), and then \(\mathscr {E}\) wins. (Of course, if the class of \(\mathrm {RKD}\) functions is claw-free, this probability is 0.)

Since \(\mathscr {A}\) does not repeat oracle queries and since key collisions are dealt with in a similar way, it follows that games \(\text {G}_{8}\) and \(\text {G}_{9}\) are identical. Thus,

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_{8}}\,\right] } = {\Pr \left[ \,{{\textsc {Succ}}_{9}}\,\right] } . \end{aligned}$$

Equation (2) on page 18 now follows by combining the bounds arising in the different game hops. \(\square \)

6 Related-Key Security for Polynomial RKD Functions

We apply Theorem 5.1 to the variant \({\mathsf {NR}^{*}} \) of the Naor–Reingold PRF for the class of RKD functions \({\Phi } _{d} = \{\phi {:\;\;}\mathcal {K}\rightarrow \mathcal {K}\,\Big |\, \phi _i {:\;\;}\vec {T} \mapsto \sum _{j=0}^{d} \alpha _{i,j} \cdot T^j, (\alpha _{i,1},\ldots , \alpha _{i,d}) \ne 0^d ; \forall i = 1,\ldots ,n\}\). Specifically, we prove that \({\mathsf {NR}^{*}} \) can be used to build a \({\Phi } _{d}\)-RKA-secure PRF, under the \({d}\text{-DDHI }\) assumption. Remarkably, our proof provides an efficient reduction, avoiding an exponential running time like that seen in Theorem 4.5. The key step in establishing our result is Lemma 6.3. Its proof involves at its core the construction of a bespoke key-transformer to handle \({\Phi } _{d}\) and a delicate analysis of it using sequences of hybrid games.

6.1 Construction

In what follows, we prove the various properties needed to apply Theorem 5.1 to \({\mathsf {NR}^{*}} \).

Strong Key Fingerprint. Let \(\omega _i = 0^{i-1}{\,\Vert \,}1{\,\Vert \,}0^{n-i}\), for \(i = 1,\ldots ,n\). Then, as before, \(\vec {\omega }\) is a strong key fingerprint for \({\mathsf {NR}^{*}} \).

Hash Function. Let \(\overline{\mathcal {D}} = \{0,1\}^n \times \mathbb {G}^n\) and let \(h {:\;\;}\overline{\mathcal {D}}\rightarrow \{0,1\}^{n-2}\) be a collision-resistant hash function. Then, as previously, the hash function defined by \(H(x,\vec {z}) = 11{\,\Vert \,}h(x,\vec {z})\) is a collision-resistant hash function with range \(\mathcal {S}\) satisfying \(\mathcal {S}\subseteq {\{0,1\}^n} {\setminus } (\{\omega _{1},\ldots ,\omega _{n} \} \cup \{ 0 ^n \})\).

Lemma 6.1

Let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p and let \({\mathsf {NR}^{*}} \) be defined via \({\mathsf {NR}^{*}} ({\vec {a}},x)=\left[ {\prod _{i=1}^{n}a_i^{x_i}}\right] \), where \({\vec {a}} \in {{\mathbb {Z}}}_p^n\) and \(x \in \{0,1\}^n {\setminus } \{0^n\}\). Let \(\mathscr {D}\) be an adversary against the \({\Phi } _{d}\)-key-collision security of \({\mathsf {NR}^{*}} \) that makes \(Q_\mathscr {D}\) oracle queries. Then, we can construct an adversary \(\mathscr {C}\) against the \({d} \text{-SDL }\) problem in \(\mathbb {G}\) such that

$$\begin{aligned} \mathbf {Adv}_{{\Phi } _{d},{\mathsf {NR}^{*}}}^{\mathsf {kc}}{(\mathscr {D})} \le n \cdot \mathbf {Adv}^{{d}\mathsf {\text{- }sdl}}_{\mathbb {G}}(\mathscr {C}). \end{aligned}$$

The running time of \(\mathscr {C}\) is that of \(\mathscr {D}\) plus the time required to factorize a polynomial of degree at most d in \({{\mathbb {F}}}_p\) (sub-quadratic in d and logarithmic in p) plus \(O(Q_{\mathscr {D}} \cdot d)\) exponentiations in \(\mathbb {G}\).

Proof of Lemma 6.1

Let \(\mathscr {D}\) be an adversary against the \({\Phi } _{d}\)-key-collision security of \({\mathsf {NR}^{*}} \) that makes \(Q_\mathscr {D}\) oracle queries. Then we construct an adversary \(\mathscr {C}\) against the \({d} \text{-SDL }\) problem in \(\mathbb {G}\) as follows.

Adversary \(\mathscr {C}\) receives as input a \({d} \text{-SDL }\) tuple \(([{1}],[{a}],\ldots ,[{a^d}])\) where \(a {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_{p}\). Adversary \(\mathscr {C}\) then picks \(j {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\{1,\ldots ,n\}\) at random; this is a guess of a coordinate where the two vectors of polynomial functions \(\vec {\phi }^{(1)}\) and \(\vec {\phi }^{(2)}\) that \(\mathscr {D}\) will use as inputs in the \(\mathbf{Finalize }\) procedure are different. Then \(\mathscr {C}\) picks \(a_{i} {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_p\) for \(i = 1,\ldots ,n, i \ne j\) at random. Adversary \(\mathscr {C}\) implicitly sets \(a_{j} = a\).

When \(\mathscr {D}\) makes a query \((\vec {\phi },x)\), \(\mathscr {C}\) computes \(y = {(\left[ {\phi _j(a_{j})^{x_{j}}}\right] )}^{\prod _{\overset{i=1}{i \ne j}}^{n}{\phi _i(a_{i})^{x_{i}}}} = \left[ {\prod _{i=1}^{n}{\phi _i(a_{i})^{x_{i}}}}\right] = {\mathsf {NR}^{*}} ({\vec {a}},x)\), where \({\vec {a}} = (a_{1},\ldots ,a_{n})\). Here, \(\mathscr {C}\) uses its input \((\left[ {1}\right] ,\left[ {a}\right] ,\ldots ,\left[ {a^d}\right] )\) to compute a “polynomial function in the exponent” for \(\left[ {\phi _j(a_{j})}\right] \).

At the end, \(\mathscr {D}\) sends \((\vec {\phi }^{(1)},\vec {\phi }^{(2)})\) to \(\mathscr {C}\) and \(\mathscr {D}\) wins if \(\vec {\phi }^{(1)} \ne \vec {\phi }^{(2)}\) and \(\vec {\phi }^{(1)}({\vec {a}}) = \vec {\phi }^{(2)}({\vec {a}})\), where \(\vec {\phi }^{(i)} = (\phi ^{(i)}_1,\ldots ,\phi ^{(i)}_n), i \in \{1,2\}\). Since j was chosen uniformly at random and \(\vec {\phi }^{(1)} \ne \vec {\phi }^{(2)}\), with probability at least \(\frac{1}{n}\), we have \({\phi }^{(1)}_j \ne {\phi }^{(2)}_j\) but \({\phi }^{(1)}_j(a_{j}) = {\phi }^{(2)}_j(a_{j})\). In this case \(a_{j} = a\) is a root of the polynomial \(\psi := {\phi }^{(1)}_j - \phi ^{(2)}_j\), whose degree is at most d. So \(\mathscr {C}\) factorizes \(\psi \) (using, for instance, the Kedlaya–Umans algorithm [21], which has complexity sub-quadratic in d and logarithmic in p), and selects as its output the unique root r such that \(\left[ {r}\right] = \left[ {a}\right] \). The claim follows. \(\square \)
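The two steps of this reduction, answering \(\mathscr {D}\)'s queries with \(a_j\) known only through \(([1],[a],\ldots ,[a^d])\), and recovering a from a pair of polynomials that agree at \(a_j\), are shown in the following Python example. It is added here and is not code from the paper; it uses a constructed toy subgroup of order \(p = 1019\) in \(\mathbb {Z}_{2039}^*\), constructed key and polynomial values, and an exhaustive root search over \(\mathbb {Z}_p\) in place of Kedlaya–Umans factoring, which only makes sense at this toy size.

```python
# Constructed toy parameters (not from the paper): the subgroup of Z_Q^* of
# prime order P = 1019, generated by G; [z] denotes G^z.
Q = 2039
P = 1019
G = pow(2, (Q - 1) // P, Q)


def enc(z):
    """[z] = g^z, exponents reduced mod p."""
    return pow(G, z % P, Q)


def poly_eval(coeffs, t):
    """phi(t) = sum_k coeffs[k] * t^k over Z_p (coeffs[0] is the constant term)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * t + c) % P
    return acc


def sdl_instance(a, d):
    """The d-SDL input ([1], [a], ..., [a^d]) handed to C; a itself stays secret."""
    return [enc(pow(a, k, P)) for k in range(d + 1)]


def poly_in_exponent(inst, coeffs):
    """[phi(a)] from the instance alone: prod_k [a^k]^{alpha_k} = [sum_k alpha_k a^k].
    Works for any phi of degree at most d, which is all that Phi_d allows."""
    assert len(coeffs) <= len(inst), "degree of phi exceeds d"
    out = 1
    for k, alpha in enumerate(coeffs):
        out = out * pow(inst[k], alpha % P, Q) % Q
    return out


def simulate_query(inst, a_known, j, phi, x):
    """C's answer to D's query (phi, x).  a_known[i] holds C's own a_i for
    i != j (a_known[j] is ignored); a_j = a is reachable only through inst.
    Computes ([phi_j(a)^{x_j}])^{prod_{i != j} phi_i(a_i)^{x_i}}."""
    e = 1
    for i, bit in enumerate(x):
        if i != j and bit:
            e = e * poly_eval(phi[i], a_known[i]) % P
    base = poly_in_exponent(inst, phi[j]) if x[j] else enc(1)
    return pow(base, e, Q)


def real_nr_star(a, phi, x):
    """Reference value NR*(phi(a), x) computed with the full key, for checking."""
    z = 1
    for i, bit in enumerate(x):
        if bit:
            z = z * poly_eval(phi[i], a[i]) % P
    return enc(z)


def finalize(inst, phi1_j, phi2_j):
    """C's Finalize step once D outputs phi^(1) != phi^(2) agreeing at a_j:
    psi = phi1_j - phi2_j has a as a root; return the root r with [r] = [a].
    Exhaustive search over Z_p stands in for Kedlaya-Umans factoring (toy p only)."""
    d = max(len(phi1_j), len(phi2_j))
    pad = lambda c: c + [0] * (d - len(c))
    psi = [(u - v) % P for u, v in zip(pad(phi1_j), pad(phi2_j))]
    assert any(psi), "the two polynomials must differ"
    for r in range(P):
        if poly_eval(psi, r) == 0 and enc(r) == inst[1]:
            return r
    return None


if __name__ == "__main__":
    a_secret, d, j = 321, 3, 1                    # constructed values
    inst = sdl_instance(a_secret, d)
    a_known = [7, None, 500]                      # C's own a_1 and a_3
    phi = [[1, 2], [5, 3, 0, 1], [2, 0, 1]]       # constructed phi in Phi_3
    sim = simulate_query(inst, a_known, j, phi, (1, 1, 1))
    print(sim == real_nr_star([7, a_secret, 500], phi, (1, 1, 1)))   # True
    print(finalize(inst, [5, 3, 0, 1], [871, 334, 1018, 1]))         # 321
```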

Lemma 6.2

Let \(\mathbb {G}\) be a group of prime order p. Let \(\mathsf {Fun}({{\mathbb {Z}}}_p^{n},\{0,1\}^n {\setminus } \{0^n\}, \mathbb {G})\) be the set of functions from which the random function in the \({\Phi } _{d}\)-statistical-key-collision security game is taken. Let \(\mathscr {A}\) be an adversary against the \({\Phi } _{d}\)-statistical-key-collision security that makes \(Q_\mathscr {A}\) queries. Then we have

$$\begin{aligned} \mathbf {Adv}_{{\Phi } _{d}}^{\mathsf {skc}}{(\mathscr {A})} \le \frac{d \cdot Q_\mathscr {A}^2}{2 p}. \end{aligned}$$

Proof of Lemma 6.2

Let \(\mathscr {A}\) be an adversary against the \({\Phi } _{d}\)-statistical-key-collision security that makes \(Q_\mathscr {A}\) queries. Since the function F defined in the \(\mathbf{Initialize }\) procedure is a random function, \(\mathscr {A}\) does not learn any information on the key \({\vec {a}}\) until \(b' \leftarrow 1\), so \(\mathbf {Adv}_{{\Phi } _{d}}^{\mathsf {skc}}{(\mathscr {A})}\) is bounded by the probability that \(\mathscr {A}\) makes use in its queries of two different RKD functions that lead to the same key. We claim that

$$\begin{aligned} \mathbf {Adv}_{{\Phi } _{d}}^{\mathsf {skc}}{(\mathscr {A})} \;\le \;\frac{d \cdot Q_\mathscr {A}^2}{2 p} . \end{aligned}$$

This follows easily on noting that if two different \(\mathrm {RKD}\) functions do lead to the same key, then those two functions must differ in some coordinate k, meaning that the difference in those components is a nonzero polynomial \(\psi _k\) of degree at most d such that \(\psi _k(a_{k}) = 0\). Here \(a_{k}\) is the kth component of vector \({\vec {a}}\) that was selected uniformly at random in the \(\mathbf{Initialize }\) procedure. Since \(\psi _k\) has at most d roots and \(a_{k}\) is uniformly random in \({{\mathbb {Z}}}_{p}\), the probability that \(\psi _k(a_{k}) = 0\) is bounded by d / p. To obtain the final result, one simply applies a union bound over the (at most) \(\left( {\begin{array}{c}Q_{\mathscr {A}}\\ 2\end{array}}\right) \) pairs of choices of different \(\mathrm {RKD}\) functions accessed by \(\mathscr {A}\). \(\square \)

Lemma 6.3

Let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p and let \({\mathsf {NR}^{*}} \) be defined via \({\mathsf {NR}^{*}} ({\vec {a}},x)=\left[ {\prod _{i=1}^{n}a_{i}^{x_{i}}}\right] \), where \({\vec {a}} \in {{\mathbb {Z}}}_p^n\) and \(x \in \{0,1\}^n {\setminus } \{0^n\}\). Let \(\mathcal {S}\) be the set \({\{0,1\}^n} {\setminus } (\{ 0 ^n \} \cup \{\omega _{1},\ldots ,\omega _{n} \})\). Let \(\mathscr {A}\) be an adversary against the \((\mathcal {S},{\Phi } _{d})\text {-unique-input-prf-rka security}\) of \({\mathsf {NR}^{*}} \) that makes \(Q_\mathscr {A}\) oracle queries. Then, assuming \(nd \le \sqrt{p}\), we can design an adversary \(\mathscr {B}\) against the \({d}\text{-DDHI }\) problem in \(\mathbb {G}\) such that

$$\begin{aligned} \mathbf {Adv}^{(\mathcal {S},{\Phi } _{d})\mathsf {\text{- }ui\text{- }prf\text{- }rka}}_{{\mathsf {NR}^{*}}}(\mathscr {A}) \le \left( n \cdot d \cdot \left( \frac{p}{p-1}\right) ^2 + n\cdot (d-1)\right) \cdot \mathbf {Adv}^{{d} {\mathsf {\text{- }ddhi}}}_{\mathbb {G}}{(\mathscr {B})} + \frac{2n \cdot Q_\mathscr {A}}{p} . \end{aligned}$$

The running time of \(\mathscr {B}\) is that of \(\mathscr {A}\) plus the time required to compute \(O(d \cdot (n + Q_\mathscr {A}))\) exponentiations in \(\mathbb {G}\) and \(O(Q_\mathscr {A}^3 \cdot (n d+ Q_\mathscr {A}))\) operations in \({{\mathbb {Z}}}_p\).

The proof of the above lemma is described in the following subsections. We first introduce two intermediate assumptions and prove a statement based on these assumptions. Then, we relate these assumptions to the standard \({d}\text{-DDHI }\) assumption.

6.2 Proof of Lemma 6.3

Let \(\mathcal {S}\) denote \({\{0,1\}^n} {\setminus } (\{\omega _{1},\ldots ,\omega _{n}\} \cup \{ 0 ^n \})\). To prove the \((\mathcal {S},{\Phi } _{d})\text {-unique-input-prf-rka security}\) of \(\mathsf {NR}^{*}\) based on the \({d}\text{-DDHI }\) problem in \(\mathbb {G}\), we first prove a similar statement in Lemma 6.4 based on the hardness of two intermediate problems, termed the \((N,d){\text{-PDDH }}\) and the \((N,d){\text{-EDDH }}\) problems in \(\mathbb {G}\). Then, in Sect. 6.2.4 (Lemmas 6.6 to 6.11), we relate the hardness of both these problems to the hardness of the \({d}\text{-DDHI }\) problem in \(\mathbb {G}\).

6.2.1 Intermediate Assumptions

Let us start by introducing the two above intermediate assumptions that we reduce to the \({d}\text{-DDHI }\) assumption in Sect. 6.2.4.

(N, d)-Polynomial DDH (\((N,d){\text{-PDDH }}\)). Let \(\mathbb {G}\) be a group of prime order p. For \(d \ge 1\), the \((N,d){\text{-PDDH }}\) problem in \(\mathbb {G}\) consists of deciding, given \((\left[ {1}\right] ,\vec {X}_1,\ldots ,\vec {X}_N)\) with \(\mathbb {G}= \langle g \rangle \) and \(\vec {X}_i = (\left[ {a_i}\right] ,\ldots ,\left[ {a_i^d}\right] ,z_i)\), where \(a_i \in {{\mathbb {Z}}}_p^*\), for \(i = 1,\ldots ,N\), whether \(z_i = \left[ {a_i^{d+1}}\right] \) for \(i = 1,\ldots ,N\) (corresponding to \((N,d){\text{-PDDH-Real }}\)) or whether \(z_i = \left[ {c_i}\right] \) for random \(c_i \in {{\mathbb {Z}}}_p^*\) for \(i = 1,\ldots ,N\) (corresponding to \((N,d){\text{-PDDH-Rand }}\)). The advantage of an adversary \(\mathscr {B}\) against the \((N,d){\text{-PDDH }}\) problem in \(\mathbb {G}\), denoted by \(\mathbf {Adv}^{(N,d){\mathsf {\text{- }pddh}}}_{\mathbb {G}}{(\mathscr {B})}\), is defined to be:

$$\begin{aligned} \mathbf {Adv}^{(N,d){\mathsf {\text{- }pddh}}}_{\mathbb {G}}{(\mathscr {B})} = {\Pr \left[ \,{(N,d){\text{-PDDH-Real }} \Rightarrow 1}\,\right] } - {\Pr \left[ \,{(N,d){\text{-PDDH-Rand }} \Rightarrow 1}\,\right] } \end{aligned}$$

where the probabilities are over \(a_i,c_i {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_p^*\), \(i = 1,\ldots ,N\).

(N, d)-Extended DDH (\((N,d){\text{-EDDH }}\)). Let \(\mathbb {G}\) be a group of prime order p with generator \(\left[ {1}\right] \). Then, the \((N,d){\text{-EDDH }}\) problem in \(\mathbb {G}\) consists of deciding, given \(\vec {Z} = ({Z}_{k,l})\), for \(k = 0,\ldots ,N\) and \(l = 0,\ldots ,d\) with \(Z_{0,0} = \left[ {1}\right] \), whether \({Z}_{k,l} = \left[ {a_k b^l}\right] \), with \(a_0 = 1\), \(a_k \in {{\mathbb {Z}}}_p^*\) for \(k = 1,\ldots ,N\) and \(b \in {{\mathbb {Z}}}_p^*\) (corresponding to \((N,d){\text{-EDDH-Real }}\)) or whether \({Z}_{k,l} = \left[ {c_{k,l}}\right] \), for \((k,l) \ne (0,0)\), with \(c_{k,l} \in {{\mathbb {Z}}}_p^*\) (corresponding to \((N,d){\text{-EDDH-Rand }}\)). The advantage of an adversary \(\mathscr {B}\) against the \((N,d){\text{-EDDH }}\) problem in \(\mathbb {G}\), denoted by \(\mathbf {Adv}^{(N,d){\mathsf {\text{- }eddh}}}_{\mathbb {G}}{(\mathscr {B})}\), is defined to be:

$$\begin{aligned} \mathbf {Adv}^{(N,d){\mathsf {\text{- }eddh}}}_{\mathbb {G}}{(\mathscr {B})} = {\Pr \left[ \,{(N,d){\text{-EDDH-Real }} \Rightarrow 1}\,\right] } - {\Pr \left[ \,{(N,d){\text{-EDDH-Rand }} \Rightarrow 1}\,\right] } \end{aligned}$$

where the probabilities are over \(a_k {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_p^*\), for \(k = 1,\ldots ,N\), \(b{\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_p^*\), and \(c_{k,l} {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_p^*\), for \((k,l) \ne (0,0)\).

6.2.2 Unique-Input RKA-PRF Security from Intermediate Assumptions

We now prove an intermediate lemma based on the above assumptions. We will then obtain Lemma 6.3 by simply reducing our intermediate assumptions to the \({d}\text{-DDHI }\) assumption.

Lemma 6.4

Let \(\mathbb {G}\) be a group of prime order p. Let \(g = \left[ {1}\right] \) be a generator of \(\mathbb {G}\) and \({\mathsf {NR}^{*}} {:\;\;}{{\mathbb {Z}}}_{p}^{n} \times (\{0,1\}^{n}{\setminus } \{0^{n}\}) \rightarrow \mathbb {G}\) defined via \({\mathsf {NR}^{*}} ({\vec {a}},x)=\left[ {\prod _{i=1}^{n}a_{i}^{x_{i}}}\right] \). Let \(\mathcal {S}\) denote the set \({\{0,1\}^n} {\setminus } (\{ 0 ^n \} \cup \{\omega _{1},\ldots ,\omega _{n} \})\). Let \(\mathscr {B}\) be an adversary against the \((\mathcal {S},{\Phi } _{d})\text {-unique-input-prf-rka security}\) of \({\mathsf {NR}^{*}} \) that makes \(Q_\mathscr {B}\) oracle queries. Then, assuming \(nd \le \sqrt{p}\), we can design adversaries \(\mathscr {B}_j\) against the \((Q_\mathscr {B},d){\text{-EDDH }}\) problem in \(\mathbb {G}\), for \(j = 0,\ldots ,n-1\), and adversaries \(\mathscr {D}_k\) against the \((n,k){\text{-PDDH }}\) problem in \(\mathbb {G}\), for \(k = 1,\ldots ,d-1\) such that

$$\begin{aligned} \mathbf {Adv}^{(\mathcal {S},{\Phi } _{d})\mathsf {\text{- }ui\text{- }prf\text{- }rka}}_{{\mathsf {NR}^{*}}}(\mathscr {B}) \;\le \;\sum _{j=0}^{n-1} \mathbf {Adv}^{(Q_\mathscr {B},d){\mathsf {\text{- }eddh}}}_{\mathbb {G}}{(\mathscr {B}_j)} \; + \frac{2n \cdot Q_\mathscr {B}}{p} \; + \sum _{k=1}^{d-1} \mathbf {Adv}^{(n,k){\mathsf {\text{- }pddh}}}_{\mathbb {G}}{(\mathscr {D}_k)} . \end{aligned}$$
(3)

The running time of \(\mathscr {B}_j\) is that of \(\mathscr {B}\) plus \(O(Q_\mathscr {B}^3 (n \cdot d + Q_\mathscr {B}))\) operations in \({{\mathbb {Z}}}_p\). The running time of \(\mathscr {D}_k\) is that of \(\mathscr {B}\) plus the time required to compute (at most) \(d \cdot Q_{\mathscr {B}}\) exponentiations in \(\mathbb {G}\).

Remark 6.5

Before going into the details of the proof, please note that when \(d = 1\), the last term (depending on the \((N,1){\text{-PDDH }}\) assumption) does not appear and the \((\mathcal {S},{\Phi } _{d})\text {-unique-input-prf-rka security}\) of \({\mathsf {NR}^{*}} \) can be reduced to the \((N,1){\text{-EDDH }}\) assumption. This latter assumption is exactly the same as the \(\mathrm {DDH}\) assumption via random self-reducibility of the \(\mathrm {DDH}\) assumption.

Fig. 7: Game for the proof of the \((\mathcal {S},{\Phi } _{d})\text {-unique-input-prf-rka security}\) of \({\mathsf {NR}^{*}} \)

Proof of Lemma 6.4

The proof is based on the sequence of games of Fig. 7. Let \(\mathscr {B}\) be an adversary against the \((\mathcal {S},{\Phi } _{d})\text {-unique-input-prf-rka security}\) of \({\mathsf {NR}^{*}} \), so \(\mathscr {B}\) never queries the same entry x twice, for any \(x \in \mathcal {S}\).

Preliminaries. For a \(\mathrm {RKD}\) function \(\vec {\phi } = (\phi _1,\ldots ,\phi _n) \in {\Phi } _{d} \), we let \(\phi _i\) be the polynomial defined by \(\phi _i : T_i \mapsto \sum _{k=0}^{d} \alpha _{i,k} \cdot T_i^k\), for each \(i = 1,\ldots ,n\).

To each query \((\vec {\phi },x)\) of the adversary, we associate the following polynomials, for \(j=1, \ldots ,n\):

$$\begin{aligned} P_{\vec {\phi },x,j}(\vec {T}) = \prod _{i=1}^j \phi _i(T_i)^{x_{i}} = \sum _{z \preceq d \cdot x_{1, \ldots ,j}} \prod _{i=1}^j \alpha _{i,z_i} T_i^{z_i} , \end{aligned}$$

with indeterminates \(\vec {T}=(T_1, \ldots ,T_j)\). These polynomials may have up to \((d+1)^j\) (distinct) monomials and so cannot be expanded efficiently. But they can still be formally considered as row vectors \((P_{\vec {\phi },x,j}^{(z)})_{z\in \{0, \ldots ,d\}^j}\) in \({{\mathbb {Z}}}_p^{(d+1)^j}\), where \(P_{\vec {\phi },x,j}^{(z)}\) is the coefficient of the monomial \(T_1^{z[1]} \cdots T_j^{z[j]}\).

As vectors, they can be multiplied to other vectors or matrices (with indices from the set \(\{0, \ldots ,d\}^j\)) over \({{\mathbb {Z}}}_p\). We can also define the multiplication of such a vector with a column vector over \(\mathbb {G}\). Specifically, if \(\vec {U}={(U_z)}_z\) is a column vector with entries from \(\mathbb {G}\), then we write:

$$\begin{aligned} P_{\vec {\phi },x,j} \odot \vec {U} = \prod _{z \in \{0, \ldots ,d\}^j} U_z^{P_{\vec {\phi },x,j}^{(z)}} = \prod _{z \preceq d \cdot x_{1, \ldots ,j}} U_z^{\prod _{i=1}^j \alpha _{i,z_i}} . \end{aligned}$$

Let us suppose that we have a polynomial-time procedure \(\mathbf{TestLin }\) which takes as input j, a list \(\mathcal {L}\) of pairs \((\vec {\phi }_l,x_l)\) (for \(l=1, \ldots ,L\), such that \(P_{\vec {\phi }_l,x_l,j}\) are linearly independent as polynomials) together with a pair \((\vec {\phi },x)\) and which outputs:

$$\begin{aligned} {\left\{ \begin{array}{ll} \perp &{}\text {if } P_{\vec {\phi },x,j} \text { is linearly independent of the set } \{ P_{\vec {\phi }_l,x_l,j} | l=1, \ldots ,L \} \\ \vec {\lambda } = (\lambda _1, \ldots ,\lambda _L) &{}\text {otherwise, so that } P_{\vec {\phi },x,j} = \sum \nolimits _{l=1}^L \lambda _l P_{\vec {\phi }_l,x_l,j} \end{array}\right. } \end{aligned}$$

Since the \(P_{\vec {\phi }_l,x_l,j}\) are linearly independent polynomials, there is at most one possible \(\vec {\lambda }\). Unfortunately, we do not know any such polynomial-time procedure. But, as we will see later, we can approximate such a procedure by evaluating the polynomials, and this is sufficient for our purposes.

Indistinguishability of Game \(\text {G}_0\) and Game \(\text {G}_1\). It is clear that game \(\text {G}_0\) instantiates exactly the game defining the \((\mathcal {S},{\Phi } _{d})\text {-unique-input-prf-rka security}\) of \({\mathsf {NR}^{*}} \) when \(b = 0\).

In game \(\text {G}_1\), we respond to queries in \(\mathcal {S}\) by uniformly random values, as is done in the game defining the \((\mathcal {S},{\Phi } _{d})\text {-unique-input-prf-rka security}\) of \({\mathsf {NR}^{*}} \) when \(b = 1\). However, we do not reply to queries \(x \notin \mathcal {S}\) as is done in that game. We design adversaries \(\mathscr {B}_j\) attacking the \((Q_\mathscr {B},d){\text{-EDDH }}\) problem in \(\mathbb {G}\) such that

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_{0}}\,\right] } - {\Pr \left[ \,{{\textsc {Succ}}_{1}}\,\right] } \;\le \;\sum _{j=0}^{n-1} \mathbf {Adv}^{(Q_\mathscr {B},d){\mathsf {\text{- }eddh}}}_{\mathbb {G}}{(\mathscr {B}_j)} . \end{aligned}$$

For that purpose, we use the sequence of games in Fig. 8, in the following order: \(\text {G}_{0,0},\text {G}'_{0,0},\text {G}_{0,1}, \ldots ,\text {G}'_{0,n-1},\text {G}_{0,n}\). More precisely, we prove that \(\text {G}_{0,j}\) is indistinguishable from \(\text {G}'_{0,j}\) under the \((Q_\mathscr {B},d){\text{-EDDH }}\) assumption, while we show that \(\text {G}'_{0,j}\) is perfectly indistinguishable from \(\text {G}_{0,j+1}\).

In \(\text {G}_{0,0}\), \(\mathbf{TestLin }\) always returns an empty vector \(\vec {\lambda }\), \(\mathcal {L}\) and \(\mathsf {T}\) remain empty, and y is set to 1, i.e., the empty product. So \(\text {G}_{0,0}\) is exactly \(\text {G}_0\).

Fig. 8: Games \(\text {G}_{0,j}\) and \(\text {G}'_{0,j}\) for the proof of Lemma 6.4

Indistinguishability of Game \(\text {G}_{0,j}\) and Game \(\text {G}'_{0,j}\) Under the \((Q_\mathscr {B},d){\text{-EDDH }}\) Assumption. Let us now design adversaries \(\mathscr {B}_j\) attacking the \((Q_\mathscr {B},d){\text{-EDDH }}\) problem in \(\mathbb {G}\) such that

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_{0,j}}\,\right] } - {\Pr \left[ \,{{\textsc {Succ}}'_{0,j}}\,\right] } \;\le \;\mathbf {Adv}^{(Q_\mathscr {B},d){\mathsf {\text{- }eddh}}}_{\mathbb {G}}{(\mathscr {B}_j)} \, ; \, \forall j = 0,\ldots ,n-1 \end{aligned}$$

assuming the existence of a perfect \(\mathbf{TestLin }\) oracle (which we recall does not exist). Later, we will get the real bound using a concrete, approximate \(\mathbf{TestLin }\) procedure.

Let \(\vec {Z}\) be an \((N,d){\text{-EDDH }}\) tuple. So \({Z}_{0,0} = \left[ {1}\right] = g\) with \(\mathbb {G}= \langle g \rangle \). In the \((Q_\mathscr {B},d){\text{-EDDH-Real }}\) case, we have \(Z_{l,k} = \left[ {a_l b^k}\right] \), with \(a_0 = 1\) and \(b,a_l {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_p^*\) for \(l=1,\ldots ,Q_\mathscr {B}\) and \(k = 0,\ldots ,d\). In the \((Q_\mathscr {B},d){\text{-EDDH-Rand }}\) case, we have \(Z_{l,k} = \left[ {c_{l,k}}\right] \) where \(c_{l,k} {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_p^*\), for \((l,k) \in \{0,\ldots ,Q_\mathscr {B}\} \times \{0,\ldots ,d\}\), \((l,k) \ne (0,0)\).

Adversary \(\mathscr {B}_j\) starts by picking \(a_{i} {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_p \), for \(i = j+2,\ldots ,n\). Adversary \(\mathscr {B}_j\) then runs \(\mathscr {B}\). When the latter makes an \(\mathbf{RKFn } \)-query \((\vec {\phi },x)\), adversary \(\mathscr {B}_j\) does everything as in Game \(\text {G}_{0,j}\), except that it does not return \(y'\) but instead computes z and \(z'\) as follows:

$$\begin{aligned} \displaystyle z\leftarrow & {} \prod _{l=1}^L \prod _{k=0}^{d \cdot x_{j+1}} Z_{l,k}^{\lambda _l \cdot \alpha _{j+1,k}^{x_{j+1}}} \\ z'\leftarrow & {} z^{\prod _{i=j+2}^n \phi _i(a_{i})^{x_{i}}} \end{aligned}$$

and returns \(z'\). Adversary \(\mathscr {B}_j\) does not compute y and \(y'\).

If \(\vec {Z}\) is a real \((Q_\mathscr {B},d){\text{-EDDH }}\) tuple, then

$$\begin{aligned} z = \prod _{l=1}^L \prod _{k=0}^{d \cdot x_{j+1}} Z_{l,0}^{b^k \cdot {\lambda }_l \cdot \alpha _{j+1,k}^{x_{j+1}}} = \prod _{l=1}^L Z_{l,0}^{\lambda _l \cdot \phi _{j+1}(b)^{x_{j+1}}} = \left( \prod _{l=1}^L Z_{l,0}^{\lambda _l} \right) ^{\phi _{j+1}(b)^{x_{j+1}}}, \end{aligned}$$

and so \(z = y^{\phi _{j+1}(b)^{x_{j+1}}}\) and \(z' = y'\), where y and \(y'\) are computed as in Game \(\text {G}_{0,j}\) when \(a_{j+1}=b\) and \(\mathsf {T}[l] = Z_{l,0}\) (which are random and used nowhere else). So, in this case, \(\mathscr {B}_j\) simulates perfectly Game \(\text {G}_{0,j}\).

Now, if \(\vec {Z}\) is a random \((Q_\mathscr {B},d){\text{-EDDH }}\) tuple, then \(\mathscr {B}_j\) simulates perfectly Game \(\text {G}'_{0,j}\), when \(\mathsf {T}[l,k] = Z_{l,k}\) (which are random and used nowhere else), \(z'=y'\) and \(z=y\).

Perfect Indistinguishability of Game \(\text {G}'_{0,j}\) and Game \(\text {G}_{0,j+1}\). It remains to prove that Game \(\text {G}'_{0,j}\) is perfectly indistinguishable from Game \(\text {G}_{0,j+1}\). To establish that, we will consider another intermediate game (Game \(\text {G}''_{0,j}\) in Fig. 9). This game is not polynomial-time (since \(\vec {U}\) contains \((d+1)^{j+1}\) entries), but we will show that it is perfectly indistinguishable from Game \(\text {G}'_{0,j}\) and Game \(\text {G}_{0,j+1}\).

Fig. 9: Game \(\text {G}''_{0,j}\) for the proof of Lemma 6.4

Let us first prove that Game \(\text {G}'_{0,j}\) is perfectly indistinguishable from Game \(\text {G}''_{0,j}\). We do this in two steps:

  1.

    Let us show that we can compute \(\mathsf {T}\) in \(\text {G}'_{0,j}\) as follows:

    $$\begin{aligned} \mathsf {T}[l,k] = \left( P_{\vec {\phi }_l,x_l,j} \cdot T_{j+1}^k \right) \odot \vec {U} \end{aligned}$$
    (4)

    with \(\vec {U}\) computed as in \(\text {G}''_{0,j}\) and \(\mathcal {L}[l] = (\vec {\phi }_l,x_l)\). If we look at \(\mathsf {T} = (\mathsf {T}[l,k])_{l,k}\) as a vector over \({{\mathbb {Z}}}_p^{L(d+1)}\) and \(\varvec{M} = (P_{\vec {\phi }_l,x_l,j} \cdot T_{j+1}^k)_{l,k}\) as a matrix of \(L(d+1)\) rows and \((d+1)^{j+1}\) columns (each row corresponding to a polynomial \(P_{\vec {\phi }_l,x_l,j} \cdot T_{j+1}^k\)), then we can write this as:

    $$\begin{aligned} \mathsf {T} = \varvec{M} \odot \vec {U} . \end{aligned}$$

    But since the polynomials \(P_{\vec {\phi }_l,x_l,j}\) are linearly independent (and do not contain \(T_{j+1}\)), the rows of \(\varvec{M}\) are also linearly independent, and \(\varvec{M}\) is full rank. Therefore, if \(\vec {U}\) is random, then so is \(\mathsf {T}\), exactly as in Game \(\text {G}'_{0,j}\).

  2.

    Supposing \(\mathsf {T}\) is computed as in Eq. (4), then the output y in Game \(\text {G}'_{0,j}\) is equal to:

    $$\begin{aligned} y&= \prod _{l=1}^L \prod _{k=0}^{d \cdot x_{j+1}} \mathsf {T}[l,k]^{\lambda _l \cdot \alpha _{j+1,k}^{x_{j+1}}} = \prod _{l=1}^L \prod _{k=0}^{d \cdot x_{j+1}} \left( \left( \lambda _l \cdot \alpha _{j+1,k}^{x_{j+1}} \cdot P_{\vec {\phi }_l,x_l,j} \cdot T_{j+1}^k \right) \odot \vec {U} \right) \\&= \left( \sum _{l=1}^L \lambda _l \cdot P_{\vec {\phi }_l,x_l,j} \cdot \phi _{j+1}(T_{j+1})^{x_{j+1}} \right) \odot \vec {U} = \left( P_{\vec {\phi },x,j} \cdot \phi _{j+1}(T_{j+1})^{x_{j+1}} \right) \odot \vec {U}\\&= P_{\vec {\phi },x,j+1} \odot \vec {U} \end{aligned}$$

    which is exactly the way it is computed in Game \(\text {G}''_{0,j}\).

Let us now prove that Game \(\text {G}''_{0,j}\) is perfectly indistinguishable from Game \(\text {G}_{0,j+1}\). We again use two steps, which are very similar to the previous ones:

  1.

    Let us show that we can compute \(\mathsf {T}\) in \(\text {G}_{0,j+1}\) as follows:

    $$\begin{aligned} \mathsf {T}[l] = P_{\vec {\phi }_l,x_l,j+1} \odot \vec {U} \end{aligned}$$
    (5)

    with \(\vec {U}\) computed as in \(\text {G}''_{0,j}\) and \(\mathcal {L}[l] = (\vec {\phi }_l,x_l)\). If we look at \(\mathsf {T} = (\mathsf {T}[l])_{l}\) as a vector over \({{\mathbb {Z}}}_p^{L}\) and \(\varvec{M} = (P_{\vec {\phi }_l,x_l,j+1})_{l}\) as a matrix of L rows and \((d+1)^{j+1}\) columns (each row corresponding to a polynomial \(P_{\vec {\phi }_l,x_l,j+1}\)), then we can write this as:

    $$\begin{aligned} \mathsf {T} = \varvec{M} \odot \vec {U} . \end{aligned}$$

    But since the polynomials \(P_{\vec {\phi }_l,x_l,j+1}\) are linearly independent, the rows of \(\varvec{M}\) are also linearly independent, and \(\varvec{M}\) is full rank. Therefore, if \(\vec {U}\) is random, then so is \(\mathsf {T}\), exactly as in Game \(\text {G}_{0,j+1}\).

  2.

    Supposing \(\mathsf {T}\) is computed as in Eq. (5), then the output y in Game \(\text {G}_{0,j+1}\) is equal to:

    $$\begin{aligned} y&= \prod _{l=1}^L \mathsf {T}[l]^{\lambda _l} = \prod _{l=1}^L \left( \left( \lambda _l \cdot P_{\vec {\phi }_l,x_l,j+1} \right) \odot \vec {U} \right) \\&= \left( \sum _{l=1}^L \lambda _l \cdot P_{\vec {\phi }_l,x_l,j+1} \right) \odot \vec {U} = P_{\vec {\phi },x,j+1} \odot \vec {U} \end{aligned}$$

    which is exactly the way it is computed in Game \(\text {G}''_{0,j}\).

Perfect Indistinguishability of Game \(\text {G}_{0,n}\) and Game \(\text {G}_{1}\). Let us now prove that Game \(\text {G}_{0,n}\) is perfectly indistinguishable from Game \(\text {G}_{1}\). We just need to prove that all polynomials \(P_{\vec {\phi },x,n}\) corresponding to queries \((\vec {\phi },x)\) with \(x \in \mathcal {S}\) are linearly independent of all other polynomials \(P_{\vec {\phi }',x',n}\) corresponding to queries \((\vec {\phi }',x')\) with \(x' \ne x\). To prove this, let us suppose \(P_{\vec {\phi },x,n}\) with \(x \in \mathcal {S}\) is a linear combination of some \(P_{\vec {\phi }_2,x_2,n}, \ldots ,P_{\vec {\phi }_m,x_m,n}\):

$$\begin{aligned} \sum _{i=1}^m {\lambda }_i \cdot P_{\vec {\phi }_i,x_i,n} = 0 , \end{aligned}$$

with \({\lambda }_i \ne 0\) for all i, and with \(\vec {\phi }_1 = \vec {\phi }\) and \(x_1 = x\). Then, in this sum, let us consider an arbitrary monomial \(T_1^{z_1}\cdots T_n^{z_n}\) with z of highest Hamming weight. Necessarily, the Hamming weight of z is at least 2, since the Hamming weight of \(x_1 = x \in \mathcal {S}\) is at least 2. But, since the sum is the zero polynomial, there must exist two distinct polynomials \(P_{\vec {\phi }_{i},x_{i},n}\) and \(P_{\vec {\phi }_{j},x_{j},n}\) containing this monomial \(T_1^{z_1}\cdots T_n^{z_n}\).

Let \(\hat{z}\) be the n-bit string such that \(\hat{z}_i = 0\) if \(z_i = 0\), while \(\hat{z}_i = 1\) otherwise, for all i. Then, since z has the highest possible Hamming weight, \(x_{i} = x_{j} = \hat{z}\) (from the definitions of \(P_{\vec {\phi }_{i},x_{i},n}\) and \(P_{\vec {\phi }_{j},x_{j},n}\)). In addition \(\hat{z} \in \mathcal {S}\), because the Hamming weight of z is at least 2, and so is the Hamming weight of \(\hat{z}\). This means the adversary \(\mathscr {B}\) queried twice \(\hat{z} \in \mathcal {S}\), which is forbidden.

It remains to provide a polynomial-time \(\mathbf{TestLin }\) procedure, which we do in the next subsection. As no such deterministic procedure is known, we provide an approximate polynomial-time procedure that fails with probability at most \(\frac{1}{p}\). Therefore, replacing a perfect \(\mathbf{TestLin }\) oracle by this \(\mathbf{TestLin }\) procedure is \(1/p\)-statistically indistinguishable. In addition, the only places where we assumed \(\mathbf{TestLin }\) to be exact were in proving the perfect indistinguishability of \(\text {G}'_{0,j}\) and \(\text {G}_{0,j+1}\) (for \(j=0, \ldots ,n-2\)), and the perfect indistinguishability of \(\text {G}'_{0,n-1}\), \(\text {G}_{0,n}\) and \(\text {G}_{1}\) (note that we actually do not need \(\text {G}_{0,n}\) and can go directly from \(\text {G}'_{0,n-1}\) to \(\text {G}_1\)). The computational indistinguishability of \(\text {G}_{0,j}\) and \(\text {G}'_{0,j}\) does not use any property of \(\mathbf{TestLin }\). Since this procedure is called at most \(Q_\mathscr {B}\) times in \(\text {G}_{0,j}\), \(\text {G}'_{0,j}\), and \(\text {G}_1\), we have:

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}'_{0,j}}\,\right] } - {\Pr \left[ \,{{\textsc {Succ}}_{0,j+1}}\,\right] }&\;\le \;\frac{Q_\mathscr {B}}{p} \, ; \, \forall j = 0,\ldots ,n-2 , \\ {\Pr \left[ \,{{\textsc {Succ}}'_{0,n-1}}\,\right] } - {\Pr \left[ \,{{\textsc {Succ}}_{1}}\,\right] }&\;\le \;\frac{Q_\mathscr {B}}{p} . \end{aligned}$$

Hence, we obtain the following bound:

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_{0}}\,\right] } - {\Pr \left[ \,{{\textsc {Succ}}_{1}}\,\right] } \;\le \;\sum _{j=0}^{n-1} \mathbf {Adv}^{(Q_\mathscr {B},d){\mathsf {\text{- }eddh}}}_{\mathbb {G}}{(\mathscr {B}_j)} + \frac{2 n Q_\mathscr {B}}{p} . \end{aligned}$$
(6)

Regarding the running time, \(\mathbf{TestLin }\) evaluates \(L+1\) polynomials (which are themselves products of j univariate polynomials of degree d) at \(N=2L+4\) points, which costs \(O(L N d j) = O(L^2 d n)\) operations in \({{\mathbb {Z}}}_p\) (using the Horner scheme); it then performs a Gaussian elimination on a matrix of \(L+1\) rows and N columns, which costs \(O(N^3) = O(L^3)\) operations in \({{\mathbb {Z}}}_p\). In total, \(\mathscr {B}_j\) has a running time that is the same as that of \(\mathscr {B}\) plus \(O(Q_\mathscr {B}^3 (d n+ Q_\mathscr {B}))\) operations in \({{\mathbb {Z}}}_p\) (since \(L \le Q_\mathscr {B}\)). Please refer to the next subsection for details about the procedure.

Indistinguishability of Game \(\text {G}_1\) and Game \(\text {G}_2\) Under \((n,k){\text{-PDDH }}\). Game \(\text {G}_2\) instantiates exactly the game defining the \((\mathcal {S},{\Phi } _{d})\text {-unique-input-prf-rka security}\) of \({\mathsf {NR}^{*}} \) when \(b = 1\), so the only difference with game \(\text {G}_1\) is in the way queries x with \(x \notin \mathcal {S}\) are handled. We design adversaries \(\mathscr {D}_k\) against the \((n,k){\text{-PDDH }}\) problem in \(\mathbb {G}\) such that

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_{1}}\,\right] } - {\Pr \left[ \,{{\textsc {Succ}}_{2}}\,\right] } \;\le \;\sum _{k=1}^{d-1} \mathbf {Adv}^{(n,k){\mathsf {\text{- }pddh}}}_{\mathbb {G}}{(\mathscr {D}_k)} . \end{aligned}$$
(7)

We prove this statement using the sequence of games of Fig. 10.

Fig. 10: Games \(\text {G}_{1,k}\) for the proof of Lemma 6.4

Game \(\text {G}_{1,1}\) is identical to Game \(\text {G}_{1}\), since every value in the table is chosen uniformly at random, so we have

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}_{1}}\,\right] } = {\Pr \left[ \,{{\textsc {Succ}}'_{1,1} }\,\right] } . \end{aligned}$$

The only difference between games \(\text {G}_{1,k}\) and \(\text {G}_{1,k+1}\) is the definition of the table values \(\mathsf {T}[0^{i-1} {\,\Vert \,}k+1 {\,\Vert \,}0^{n-i}]\), for \(i = 1,\ldots ,n\). Indeed, this value is taken uniformly at random in game \(\text {G}_{1,k}\) but set to \(\left[ {a_i^{k+1}}\right] \) in game \(\text {G}_{1,k+1}\). We design an adversary \(\mathscr {D}_k\) against the \((n,k){\text{-PDDH }}\) problem in \(\mathbb {G}\) such that

$$\begin{aligned} {\Pr \left[ \,{{\textsc {Succ}}'_{1,k}}\,\right] } - {\Pr \left[ \,{{\textsc {Succ}}'_{1,k+1}}\,\right] } \;\le \;\mathbf {Adv}^{(n,k){\mathsf {\text{- }pddh}}}_{\mathbb {G}}{(\mathscr {D}_k)} . \end{aligned}$$

Adversary \(\mathscr {D}_k\) does the following. It gets an \((n,k){\text{-PDDH }}\) tuple \((\left[ {1}\right] ,\vec {X}_1,\ldots ,\vec {X}_n)\) with, for \(i = 1,\ldots ,n\), \(\vec {X}_i = (\left[ {a_i}\right] ,\ldots ,\left[ {a_i^k}\right] ,z_i)\), where \(a_i {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_p^*\) and either \(z_i = \left[ {a_i^{k+1}}\right] \) or \(z_i = \left[ {c_i}\right] \) for \(c_i {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_p^*\). Then \(\mathscr {D}_k\) sets \(\mathsf {T}[0^{n}] \leftarrow \left[ {1}\right] \) and \(\mathsf {T}[0^{i-1} {\,\Vert \,}l {\,\Vert \,}0^{n-i}] {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {G}\), for \(l = k+2,\ldots ,d\) and \(i = 1,\ldots ,n\). It also sets \(\mathsf {T}[0^{i-1} {\,\Vert \,}l {\,\Vert \,}0^{n-i}] \leftarrow \vec {X}_{i,l} = \left[ {a_i^l}\right] \), for \(l = 1,\ldots ,k\), and \(\mathsf {T}[0^{i-1} {\,\Vert \,}k+1 {\,\Vert \,}0^{n-i}] \leftarrow \vec {X}_{i,k+1} = z_i\), for \(i = 1,\ldots ,n\). Hence, if \((\left[ {1}\right] ,\vec {X}_1,\ldots ,\vec {X}_n)\) is a real \((n,k){\text{-PDDH }}\) tuple, we have \(\mathsf {T}[0^{i-1} {\,\Vert \,}k+1 {\,\Vert \,}0^{n-i}] = \left[ {a_i^{k+1}}\right] \), for \(i = 1,\ldots ,n\), and then we simulate exactly game \(\text {G}_{1,k+1}\). If \((\left[ {1}\right] ,\vec {X}_1,\ldots ,\vec {X}_n)\) is a random \((n,k){\text{-PDDH }}\) tuple, then \(\mathsf {T}[0^{i-1} {\,\Vert \,}k+1 {\,\Vert \,}0^{n-i}] = \left[ {c_i}\right] \) is a uniformly random value, for all \(i = 1,\ldots ,n\), and then we simulate exactly game \(\text {G}_{1,k}\). This proves the above statement.

To conclude, it is clear that game \(\text {G}_{1,d}\) is identical to game \(\text {G}_2\).

Equation (3) now follows from Eqs. (6) and (7). \(\square \)

6.2.3 An Approximate \(\mathbf{TestLin }\) Procedure

In this section, we provide a polynomial-time \(\mathbf{TestLin }\) procedure. Unfortunately, we do not know any polynomial-time exact procedure, but we provide an approximate one in Fig. 11. We assume in the analysis that \(nd \le \sqrt{p}\), which is true for sufficiently large p and fixed d and n.

Let us prove that this approximate procedure is incorrect with probability at most \(\frac{1}{p}\) (over its random coins). The polynomials \(P_{\vec {\phi }_l,x_l,j}\) with \(l=1, \ldots ,L\) are supposed to be linearly independent. Then, there are two cases:

  1.

    If \(P_{\vec {\phi },x,j} = P_{\vec {\phi }_{L+1},x_{L+1},j}\) is linearly independent from \(P_{\vec {\phi }_1,x_1,j},\ldots ,P_{\vec {\phi }_L,x_L,j}\), then the probability that the procedure does not return \(\perp \) is (over the value of X):

    $$\begin{aligned}&{\Pr \left[ \,{\exists \vec {\lambda } \in {{\mathbb {Z}}}_p^{(L+1)},\, \vec {\lambda } \cdot \varvec{M} = 0}\,\right] } \le \sum _{\vec {\lambda } \in {{\mathbb {Z}}}_p^{(L+1)}} {\Pr \left[ \,{\vec {\lambda } \cdot \varvec{M} = 0}\,\right] } \\&\quad \le \sum _{\vec {\lambda } \in {{\mathbb {Z}}}_p^{(L+1)}} {\Pr \left[ \,{\forall k=1, \ldots ,N,\, \left( \sum _{l=1}^{L+1} {\lambda }_l P_{\vec {\phi }_l,x_l,j}\right) (\gamma _{k}) = 0}\,\right] } \end{aligned}$$

    and \(\sum _{l=1}^{L+1} {\lambda }_l P_{\vec {\phi }_l,x_l,j}\) is a nonzero polynomial of degree at most jd. Since \(\gamma _{k}\) are chosen independently and uniformly at random in \({{\mathbb {Z}}}_p^n\), according to the Schwartz-Zippel lemma, the error probability is at most:

    $$\begin{aligned} \sum _{\vec {\lambda } \in {{\mathbb {Z}}}_p^{(L+1)}} \left( \frac{j d}{p} \right) ^{N} = p^{L+1} \cdot \left( \frac{j d}{p} \right) ^N \le p^{L+1} \cdot \frac{1}{p^{L+2}} = \frac{1}{p} , \end{aligned}$$

    since \(jd \le nd \le \sqrt{p}\) and \(N=2L+4\).

  2.

    If \(P_{\vec {\phi },x,j} = P_{\vec {\phi }_{L+1},x_{L+1},j}\) is such that there exists \(\vec {\lambda } \in {{\mathbb {Z}}}_p^L\) with \(P_{\vec {\phi },x,j} = \sum _{l=1}^L {\lambda }_l P_{\vec {\phi }_l,x_l,j}\), then such a \(\vec {\lambda }\) is unique. Let us prove that the probability that the \(\mathbf{TestLin }\) procedure does not return \(\vec {\lambda }\) is at most \(\frac{1}{p}\). Let \(\Lambda \) be the set of \(\vec {\lambda '} \in {{\mathbb {Z}}}_p^{L+1}\) such that \({\lambda '}_{L+1} \cdot \vec {\lambda } \ne \vec {\lambda '}_{1, \ldots ,L}\). Then, the error probability of the \(\mathbf{TestLin }\) procedure is at most:

    $$\begin{aligned} {\Pr \left[ \,{\exists \vec {\lambda '} \in \Lambda ,\, \vec {\lambda '} \cdot \varvec{M} = 0}\,\right] } \le \sum _{\vec {\lambda '} \in \Lambda } {\Pr \left[ \,{\forall k=1, \ldots ,N,\, \left( \sum _{l=1}^{L+1} {\lambda '}_l P_{\vec {\phi }_l,x_l,j}\right) (\gamma _{k}) = 0}\,\right] } . \end{aligned}$$

    Moreover, \(\sum _{l=1}^{L+1} {\lambda '}_l P_{\vec {\phi }_l,x_l,j}\) is a polynomial of degree at most jd, which is nonzero because otherwise the \(P_{\vec {\phi }_1,x_1,j},\ldots ,P_{\vec {\phi }_L,x_L,j}\) would not be independent. We can conclude the proof as in the first case, since \(\vert \Lambda \vert \le |{{\mathbb {Z}}}_p^{(L+1)}|\).

Fig. 11: \(\mathbf{TestLin }\) procedure

6.2.4 Reducing our Intermediate Assumptions to the \({d}\text{-DDHI }\) Assumption

We finally explain how the \((N,d){\text{-PDDH }}\) assumption and the \((N,d){\text{-EDDH }}\) assumption are related to the \({d}\text{-DDHI }\) assumption. We first introduce another intermediate assumption, termed the d-Hybrid EDDH assumption. We also implicitly define the d-Polynomial Decisional Diffie–Hellman (\(d{\text{-PDDH }}\)) problem as the particular case of the \((N,d){\text{-PDDH }}\) problem with \(N = 1\). In particular, this problem is an extension of the Decisional SqDH problem (\(d = 1\)).

d-Hybrid EDDH. Let \(\mathbb {G}\) be a group of prime order p. The \(d{\text{-HEDDH }}\) problem in \(\mathbb {G}\) consists of deciding, given \((\vec {X},\vec {Y}) \in \mathbb {G}^{d+1}\), with \(X_i = [{a^i}]_{g}\), \({Y}_i = [{a^i}]_h\) for \(i = 0,\ldots ,d-1\), whether \(X_d = [{a^d}]_{g}\), \(Y_d = [{a^d}]_{h}\), (corresponding to \(d{\text{-HEDDH-Real }}\)) or whether \(X_d = \left[ {c_1}\right] , Y_d = [{c_2}]_{h}\) are both uniformly random and independent (corresponding to \(d\text{-HEDDH-Rand }\)). Here \(a,c_1,c_2 {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_p^*\), and \(g = [{1}]_{g}\) and \(h = [{1}]_{h}\) are random generators of \(\mathbb {G}\). The advantage of an adversary \(\mathscr {B}\) against the \(d{\text{-HEDDH }}\) problem in \(\mathbb {G}\), denoted by \(\mathbf {Adv}^{d\mathsf {\text{- }heddh}}_{\mathbb {G}}{(\mathscr {B})}\) is

$$\begin{aligned} \mathbf {Adv}^{d\mathsf {\text{- }heddh}}_{\mathbb {G}}{(\mathscr {B})} = {\Pr \left[ \,{d{\text{-HEDDH-Real }} \Rightarrow 1}\,\right] } - {\Pr \left[ \,{d\text{-HEDDH-Rand } \Rightarrow 1}\,\right] } \end{aligned}$$

where the probabilities are over \(a,c_1,c_2 {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_p^*\) and \(g,h {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {G}{\setminus } \{1\}\).

Lemma 6.6

Let \(\mathbb {G}\) be a group of prime order p and \(d \ge 2\). Let \(\mathscr {A}\) be an adversary against the \((N,d){\text{-PDDH }}\) problem in \(\mathbb {G}\). Then, we can construct an adversary \(\mathscr {B}\) against the \(d{\text{-PDDH }}\) problem in \(\mathbb {G}\) such that

$$\begin{aligned} \mathbf {Adv}^{(N,d){\mathsf {\text{- }pddh}}}_{\mathbb {G}}{(\mathscr {A})} \;\le \;N \cdot \mathbf {Adv}^{d{\mathsf {\text{- }pddh}}}_{\mathbb {G}}{(\mathscr {B})} . \end{aligned}$$

The running time of \(\mathscr {B}\) is that of \(\mathscr {A}\) plus the time required to compute \((N-1) \cdot d\) exponentiations in \(\mathbb {G}\).

Proof of Lemma 6.6

The proof follows a standard hybrid argument. We define games \(\text {H}_j\) for \(j = 0,\ldots ,N\) as in Fig. 12. Clearly, we have \(\text {H}_0 \equiv (N,d){\text{-PDDH-Rand }}\) and \(\text {H}_N \equiv (N,d){\text{-PDDH-Real }}\). Moreover, it is straightforward to construct an adversary \(\mathscr {B}\) such that \({\Pr \left[ \,{\text {H}_{j} \Rightarrow 1}\,\right] } - {\Pr \left[ \,{\text {H}_{j-1} \Rightarrow 1}\,\right] } \;\le \;\mathbf {Adv}^{d{\mathsf {\text{- }pddh}}}_{\mathbb {G}}{(\mathscr {B})}\), for \(j = 1,\ldots ,N\). Adversary \(\mathscr {B}\) does the following. It gets a \(d{\text{-PDDH }}\) tuple \((\left[ {1}\right] ,\left[ {a}\right] ,\ldots ,\left[ {a^d}\right] ,z)\) and picks \(a_i\), \(c_i\) at random in \({{\mathbb {Z}}}_p^*\), for \(i = 1,\ldots ,N\), \(i \ne j\). Then, it sets \(\vec {X}_i = (\left[ {a_i}\right] ,\ldots ,\left[ {a_i^{d+1}}\right] )\), for \(i = 1,\ldots ,j-1\), and \(\vec {X}_i = (\left[ {a_i}\right] ,\ldots ,\left[ {a_i^{d}}\right] , \left[ {c_i}\right] )\), for \(i = j+1,\ldots ,N\), and finally lets \(\vec {X}_j = (\left[ {a}\right] ,\ldots ,\left[ {a^d}\right] ,z)\), and sends \((\left[ {1}\right] ,\vec {X}_1,\ldots ,\vec {X}_N)\) to \(\mathscr {A}\). If \(z = \left[ {a^{d+1}}\right] \), this is exactly \(\text {H}_j\); if z is random, it is exactly \(\text {H}_{j-1}\). The lemma easily follows.

\(\square \)

Fig. 12

Game for the proof of Lemma 6.6

Lemma 6.7

Let \(\mathbb {G}\) be a group of prime order p and \(d \ge 2\). Let \(2 \;\le \;j \;\le \;d\). Let \(\mathscr {A}\) be an adversary against the \(j{\text{-PDDH }}\) problem in \(\mathbb {G}\). Then, we can construct an adversary \(\mathscr {B}\) against the \(d{\text{-PDDH }}\) problem in \(\mathbb {G}\) such that

$$\begin{aligned} \mathbf {Adv}^{j{\mathsf {\text{- }pddh}}}_{\mathbb {G}}{(\mathscr {A})} \;\le \;\mathbf {Adv}^{d{\mathsf {\text{- }pddh}}}_{\mathbb {G}}{(\mathscr {B})} . \end{aligned}$$

The running time of \(\mathscr {B}\) is the same as that of \(\mathscr {A}\).

Proof of Lemma 6.7

Adversary \(\mathscr {B}\) does the following. It gets a \(d{\text{-PDDH }}\) tuple \((\left[ {1}\right] ,\left[ {a}\right] ,\ldots ,\left[ {a^d}\right] ,z)\). Then, it just sends \((\left[ {a^{d-j}}\right] ,\left[ {a^{d-j+1}}\right] ,\ldots , \left[ {a^{d}}\right] ,z)\) to \(\mathscr {A}\). When \(\mathscr {A}\) halts, \(\mathscr {B}\) halts with the same output. Since \(\left[ {1}\right] = g\) is a random generator of \(\mathbb {G}\) and since a is random in \({{\mathbb {Z}}}_p^*\), then \(\left[ {a^{d-j}}\right] \) is a random generator of \(\mathbb {G}\) and \((\left[ {a^{d-j}}\right] ,\left[ {a^{d-j+1}}\right] ,\ldots , \left[ {a^{d}}\right] ,z)\) simulates perfectly a \(j{\text{-PDDH }}\) tuple (with generator \(\left[ {a^{d-j}}\right] \) and exponent a). The lemma easily follows.\(\square \)

Lemma 6.8

Let \(\mathbb {G}\) be a group of prime order p and \(d \ge 2\). Let \((\vec {X},\vec {Y})\) be a \(d{\text{-HEDDH }}\) tuple. Then there exists a randomized algorithm \(\mathsf {R}_d\) that takes \((\vec {X},\vec {Y}) \in \mathbb {G}^{d+1} \times \mathbb {G}^{d+1}\) as input and outputs \(\vec {Y'} \in \mathbb {G}^{d+1}\) with the following properties:

  • If \((\vec {X},\vec {Y})\) is a real \(d{\text{-HEDDH }}\) tuple, then so is \((\vec {X},\vec {Y'})\). Moreover, \(Y'_0\) is uniformly random and independent from \((\vec {X},\vec {Y})\);

  • If \((\vec {X},\vec {Y})\) is a random \(d{\text{-HEDDH }}\) tuple, then so is \((\vec {X},\vec {Y'})\). Moreover, both \(Y'_0\) and \(Y'_d\) are uniformly random and independent from \((\vec {X},\vec {Y})\) with probability \((1 - \frac{1}{p})\) (over \(\vec {X}\) and \(\vec {Y}\) only).

Proof of Lemma 6.8

Let \((\vec {X},\vec {Y})\) be a \(d{\text{-HEDDH }}\) tuple. Let b be the discrete logarithm of \(Y_0 = h = [{1}]_h\) in base \(g = [{1}]_g = X_0\) and let a be the discrete logarithm of \(X_1\) in base g, so that \(X_1 = [{a}]_{g}\) and \(Y_0 = h = [{b}]_{g}\), with \(a,b {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_p^*\). Then the idea in the algorithm \(\mathsf {R}_d\) is to randomize the tuple \(\vec {Y}\) to produce a new tuple \(\vec {Y'}\). We pick \(\alpha ,\beta {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_p\) at random. We compute \(Y'_i \leftarrow {Y}_i^{\alpha } \cdot {X}_i^{\beta }\) for \(i = 0,\ldots ,d\). Hence, we have \(Y'_0 = h' = [{\alpha b + \beta }]_{g} \). For \(i = 1,\ldots ,d-1\), it is straightforward that \(Y'_i = [{\alpha b a^i + \beta a^i}]_{g} = [{a^i}]_{h'} \).

If \((\vec {X},\vec {Y})\) is a real \(d{\text{-HEDDH }}\) tuple, then \(Y'_d = \left( \left[ {b a^{d}}\right] _{g}\right) ^{\alpha } \cdot \left( \left[ {a^{d}}\right] _{g}\right) ^{\beta } = \left[ {(\alpha b + \beta ) a^d}\right] _{g} = [{a^d}]_{h'}\). Let \(b' = \alpha b + \beta \). Since for any fixed \(b',b \in {{\mathbb {Z}}}_p^*\) and for any fixed \(\alpha \in {{\mathbb {Z}}}_p\), there exists a unique \(\beta \in {{\mathbb {Z}}}_p\) such that \(\alpha b + \beta = b'\), it is clear that \(Y'_0 = h' = [{b'}]_{g}\) is uniformly random in \(\mathbb {G}\) and independent from \((\vec {X},\vec {Y})\). Then \((\vec {X},\vec {Y'})\) is a real \(d{\text{-HEDDH }}\) tuple.

Now, if \((\vec {X},\vec {Y})\) is a random \(d{\text{-HEDDH }}\) tuple, then \(Y'_d = {[{c_2}]_{h}}^{\alpha } \cdot {[{c_1}]_{g}}^{\beta } = [{\alpha b c_2 + \beta c_1}]_{g}\) and we still have \(Y'_0 = h' = [{\alpha b + \beta }]_{g} \). Here it is not immediately clear that \(\vec {Y'} \) is uniformly random and independent from \((\vec {X},\vec {Y})\). To show this, we fix \(b,c_1,c_2\). Let \(b' = \alpha b + \beta \) and \(c' = \alpha b c_2 + \beta c_1\). Then \(\vec {Y'}\) is uniformly random and independent from \((\vec {X},\vec {Y})\) if and only if for any fixed \(b',c' \in {{\mathbb {Z}}}_p^*\), there is a unique \((\alpha ,\beta ) \in {{\mathbb {Z}}}_p^2\) such that \(\alpha b + \beta = b'\) and \(\alpha b c_2 + \beta c_1 = c'\). Hence, we need the determinant of the matrix \(\begin{pmatrix} b &{} 1 \\ bc_2 &{} c_1 \end{pmatrix}\) to be nonzero. This determinant is \(D = b (c_1 - c_2)\), so it is nonzero if and only if \(b \ne 0\) and \(c_1 \ne c_2\). Since \(h = [{b}]_{g}\) is a generator of \(\mathbb {G}\), it is clear that \(b \ne 0\). Hence, we have \(D \ne 0\) if and only if \(c_1 \ne c_2\), which happens with probability \(\frac{p-1}{p}\). The claim now follows. \(\square \)

Lemma 6.9

Let \(\mathbb {G}\) be a group of prime order p and \(d \ge 1\). Let \(\mathscr {A}\) be an adversary against the \((N,d){\text{-EDDH }}\) problem in \(\mathbb {G}\). Then, we can construct adversaries \(\mathscr {B}_j\) against the \(j{\text{-HEDDH }}\) problem in \(\mathbb {G}\), for \(j = 1,\ldots ,d\) such that

$$\begin{aligned} \mathbf {Adv}^{(N,d){\mathsf {\text{- }eddh}}}_{\mathbb {G}}{(\mathscr {A})} \;\le \;\sum _{j = 1}^d \frac{p}{p-1} \mathbf {Adv}^{j\mathsf {\text{- }heddh}}_{\mathbb {G}}{(\mathscr {B}_j)} \;\le \;\frac{p}{p-1} \cdot d \cdot \mathbf {Adv}^{d\mathsf {\text{- }heddh}}_{\mathbb {G}}{(\mathscr {B}_d)} . \end{aligned}$$

The running time of \(\mathscr {B}_j\) is that of \(\mathscr {A}\) plus the time required to compute \((N-1) \cdot 2 \cdot (j+1)\) exponentiations in \(\mathbb {G}\).

Proof of Lemma 6.9

The proof follows a standard hybrid argument. We define games \(\text {H}_j\) for \(j = 0,\ldots ,d\) as in Fig. 13. Clearly, we have \(\text {H}_0 \equiv (N,d){\text{-EDDH-Rand }}\) and \(\text {H}_d \equiv (N,d){\text{-EDDH-Real }}\). Moreover, it is straightforward to construct an adversary \(\mathscr {B}_j\) such that \({\Pr \left[ \,{\text {H}_{j} \Rightarrow 1}\,\right] } - {\Pr \left[ \,{\text {H}_{j-1} \Rightarrow 1}\,\right] } \le \mathbf {Adv}^{j\mathsf {\text{- }heddh}}_{\mathbb {G}}{(\mathscr {B}_j)}\), for \(j = 1,\ldots ,d\). Adversary \(\mathscr {B}_j\) just executes \(N-1\) times algorithm \(\mathsf {R}_j\) to compute \(Z_{k,l}\) for \(k = 2,\ldots ,N\) and \(l = 0,\ldots ,j\), using the \(j{\text{-HEDDH }}\) tuple it gets as input, so its running time is that of \(\mathscr {A}\) plus the time to compute \((N-1) \cdot 2 \cdot (j+1)\) exponentiations in \(\mathbb {G}\). Moreover, the simulation is perfect with probability \(1-\frac{1}{p}\): by Lemma 6.8, the only failure event is \(c_1 = c_2\) in the \(j{\text{-HEDDH }}\) tuple given to \(\mathscr {B}_j\), which depends on that input tuple alone, so the \(N-1\) executions of \(\mathsf {R}_j\) all succeed or all fail together and no union bound over them is needed.

Finally, it is clear that for \(j = 1,\ldots ,d\), \(\mathbf {Adv}^{j\mathsf {\text{- }heddh}}_{\mathbb {G}}{(\mathscr {B}_j)} \le \mathbf {Adv}^{d\mathsf {\text{- }heddh}}_{\mathbb {G}}{(\mathscr {B}_d)}\), since from a \(d{\text{-HEDDH }}\) tuple \((\vec {X},\vec {Y})\), with \(X_i = [{a^i}]_{g}\), \({Y}_i = [{a^i}]_{h}\) for \(i = 0,\ldots ,d-1\), and with \(X_d = [{a^d}]_{g}\) and \(Y_d = [{a^d}]_{h}\) or \(X_d = [{c_1}]_{g} \) and \( Y_d = [{c_2}]_{h}\), where \(a,c_1,c_2 {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_p^*\) and g and h are random generators of \(\mathbb {G}\), we can extract a \(j{\text{-HEDDH }}\) tuple using the last \(j+1\) components of \(\vec {X}\) and \(\vec {Y}\) (the generators are now \({[a^{d-j}]_{g}}\) and \([{a^{d-j}]_h}\), which are random generators of \(\mathbb {G}\) since g and h are random generators of \(\mathbb {G}\) and since a is random). The lemma easily follows. \(\square \)

Fig. 13

Game for the proof of Lemma 6.9

Lemma 6.10

Let \(\mathbb {G}\) be a group of prime order p and \(d \ge 1\). Let \(\mathscr {A}\) be an adversary against the \(d{\text{-HEDDH }}\) problem in \(\mathbb {G}\). Then, we can construct an adversary \(\mathscr {B}\) against the \(d{\text{-PDDH }}\) problem in \(\mathbb {G}\), such that

$$\begin{aligned} \mathbf {Adv}^{d\mathsf {\text{- }heddh}}_{\mathbb {G}}{(\mathscr {A})} \;\le \;\frac{p}{p-1} \mathbf {Adv}^{d{\mathsf {\text{- }pddh}}}_{\mathbb {G}}{(\mathscr {B})}. \end{aligned}$$

The running time of \(\mathscr {B}\) is that of \(\mathscr {A}\) plus the time required to compute \(2 \cdot (d+1)\) exponentiations in \(\mathbb {G}\).

Proof of Lemma 6.10

Let \(\mathbb {G}\) be a group of prime order p and \(d \ge 1\). Adversary \(\mathscr {B}\) gets a \(d{\text{-PDDH }}\) tuple \(\vec {Z} = (\left[ {1}\right] ,\left[ {a}\right] ,\ldots ,\left[ {a^{d}}\right] ,z) = (Z_0,\ldots ,Z_{d+1}) \in \mathbb {G}^{d+2} \) and sets \({X}_i \leftarrow Z_{i+1}\), for \(i = 0,\ldots ,d\), so \(\vec {X} = (\left[ {a}\right] ,\ldots ,\left[ {a^d}\right] ,z)\). Next, \(\mathscr {B}\) does the following. It first chooses \(\alpha ,\beta {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_p\) at random and computes the tuple \(\vec {Y}\) by letting \(Y_l \leftarrow Z_{l+1}^{\alpha } \cdot Z_l^\beta \) for \(l = 0,\ldots ,d\). Hence, for \(l = 0,\ldots ,d-1\), it is clear that \(Y_l = \left[ {\alpha a^{l+1} + \beta a^l}\right] = \left[ {(\alpha a + \beta ) \cdot a^l}\right] \).

If \(Z_{d+1} =\left[ {a^{d+1}}\right] \), we have \(Y_d = \left[ {(\alpha a + \beta ) \cdot a^d}\right] \) and \(X_d = \left[ {a \cdot a^{d}}\right] \). Hence, since g and \(a \in {{\mathbb {Z}}}_p^*\) are random, \(X_0 = \left[ {a}\right] \) is a random generator of \(\mathbb {G}\) and \(Y_0 = \left[ {\alpha a + \beta }\right] \) is uniformly random and independent from \(X_0\) (these claims follow using similar arguments to those in the proof of Lemma 6.8) and \((\vec {X},\vec {Y})\) is a real \(d{\text{-HEDDH }}\) tuple.

If \(Z_{d+1} = \left[ {c}\right] \) with \(c {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{{\mathbb {Z}}}_p^*\), then \(Y_d = \left[ {\alpha c + \beta a^d}\right] \). We fix \(a,c \in {{\mathbb {Z}}}_p^*\) and we let \(b' = \alpha a + \beta \) and \(c' = \alpha c + \beta a^d\). Then, \({Y}_d\) is uniformly random and independent from \({X}_d\) if and only if for any fixed \(b',c' \in {{\mathbb {Z}}}_p^*\), there is a unique \((\alpha ,\beta ) \in {{\mathbb {Z}}}_p^2\) such that \(b' = \alpha a + \beta \) and \(c' = \alpha c + \beta a^d\). Hence, we need the determinant of the matrix \(\begin{pmatrix} a &{} 1 \\ c &{} a^d \end{pmatrix}\) to be nonzero. This determinant is \(D = a^{d+1} - c\), so it is nonzero if and only if \(c \ne a^{d+1}\). Since c is by definition uniformly random in \({{\mathbb {Z}}}_p\), we have \(D \ne 0\) with probability \(\frac{p-1}{p}\). The claim easily follows. \(\square \)

Lemma 6.11

Let \(\mathbb {G}\) be a group of prime order p and \(d \ge 1\). Let \(\mathscr {A}\) be an adversary against the \(d{\text{-PDDH }}\) problem in \(\mathbb {G}\). Then, we can construct an adversary \(\mathscr {B}\) against the \({d}\text{-DDHI }\) problem in \(\mathbb {G}\) such that

$$\begin{aligned} \mathbf {Adv}^{d{\mathsf {\text{- }pddh}}}_{\mathbb {G}}{(\mathscr {A})} \;\le \;\mathbf {Adv}^{{d} {\mathsf {\text{- }ddhi}}}_{\mathbb {G}}{(\mathscr {B})} . \end{aligned}$$

Moreover, the running time of \(\mathscr {B}\) is the same as \(\mathscr {A}\).

Proof of Lemma 6.11

Let \(\mathbb {G}\) be a group of prime order p and \(d \ge 1\). \(\mathscr {B}\) gets a \({d}\text{-DDHI }\) tuple \((\left[ {1}\right] ,\left[ {a}\right] ,\ldots ,\left[ {a^{d}}\right] ,z) \in \mathbb {G}^{d+2} \). Then, \(\mathscr {B}\) runs \(\mathscr {A}\), giving it the tuple \((\left[ {a^d}\right] ,\left[ {a^{d-1}}\right] ,\ldots , \left[ {a}\right] ,\left[ {1}\right] ,z)\). When \(\mathscr {A}\) halts, \(\mathscr {B}\) halts with the same output. Since \(g = \left[ {1}\right] \) and a are random, \(h = \left[ {a^d}\right] \) is a random generator of \(\mathbb {G}\) and \(\frac{1}{a}\) is random in \({{\mathbb {Z}}}_p^*\), so we have \(\left[ {a^{d-j}}\right] = [{(\frac{1}{a})^j}]_h \), for \(j = 0,\ldots ,d\) and if \((\left[ {1}\right] ,\left[ {a}\right] ,\ldots ,\left[ {a^{d}}\right] ,z)\) is a real \({d}\text{-DDHI }\) tuple then z is equal to \(\left[ {\frac{1}{a}}\right] = [{(\frac{1}{a})^{d+1}}]_h\), otherwise z is random in \(\mathbb {G}\). Hence, the simulation is perfect and the claim follows. \(\square \)
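To make the three tuple transformations concrete, the following Python model (an added example, not code from the paper) implements the re-randomizer \(\mathsf {R}_d\) of Lemma 6.8 and the reductions of Lemmas 6.10 and 6.11 over a constructed toy group of prime order \(p = 1019\) (the quadratic residues modulo 2039, a safe prime), and checks them with a brute-force discrete-logarithm routine that only the checkers, never the reductions, are allowed to call. The names `sample_heddh`, `rerandomize`, `pddh_to_heddh`, `ddhi_to_pddh` and `run_checks`, and the toy parameters, are the example's own assumptions.

```python
"""Toy model of the d-HEDDH re-randomizer R_d (Lemma 6.8) and of the tuple
reductions of Lemmas 6.10 and 6.11. Added example; constructed toy parameters."""
import random

# q = 2p + 1 with p = 1019 prime: the quadratic residues mod q form a group G
# of prime order p, generated by 4 (the paper's [1]_g). No security, toy only.
Q, P, G = 2039, 1019, 4

def enc(x, base=G):
    """[x]_base = base^x in G."""
    return pow(base, x % P, Q)

def dlog(y, base=G):
    """Brute-force discrete log, feasible only because p is tiny. Only the
    checkers use it; the reductions never do."""
    acc = 1
    for x in range(P):
        if acc == y:
            return x
        acc = acc * base % Q
    raise ValueError("element not in G")

def sample_heddh(d, real, rng):
    """d-HEDDH tuple: X_i = [a^i]_g, Y_i = [a^i]_h for i < d; last entries real or random."""
    a = rng.randrange(1, P)
    g, h = enc(rng.randrange(1, P)), enc(rng.randrange(1, P))  # random generators
    X = [enc(pow(a, i, P), g) for i in range(d)]
    Y = [enc(pow(a, i, P), h) for i in range(d)]
    c1, c2 = (pow(a, d, P),) * 2 if real else (rng.randrange(1, P), rng.randrange(1, P))
    return X + [enc(c1, g)], Y + [enc(c2, h)]

def rerandomize(X, Y, rng):
    """R_d of Lemma 6.8: Y'_i = Y_i^alpha * X_i^beta for fresh alpha, beta in Z_p."""
    alpha, beta = rng.randrange(P), rng.randrange(P)
    return [pow(y, alpha, Q) * pow(x, beta, Q) % Q for x, y in zip(X, Y)]

def is_real_heddh(X, Y):
    """With g = X_0, h = Y_0, a = dlog_g(X_1): real iff X_i = [a^i]_g and Y_i = [a^i]_h for all i."""
    g, h = X[0], Y[0]
    a = dlog(X[1], g)
    return all(X[i] == enc(pow(a, i, P), g) and Y[i] == enc(pow(a, i, P), h)
               for i in range(len(X)))

def sample_pddh(d, real, rng):
    """d-PDDH tuple ([1], [a], ..., [a^d], z), z = [a^{d+1}] (real) or [c] (random)."""
    a = rng.randrange(1, P)
    z = enc(pow(a, d + 1, P)) if real else enc(rng.randrange(1, P))
    return [enc(pow(a, i, P)) for i in range(d + 1)] + [z]

def is_real_pddh(Z):
    """Real iff Z_i = [a^i]_{Z_0} for i = 0..d+1, with a = dlog_{Z_0}(Z_1)."""
    a = dlog(Z[1], Z[0])
    return all(Z[i] == enc(pow(a, i, P), Z[0]) for i in range(len(Z)))

def pddh_to_heddh(Z, rng):
    """Lemma 6.10: X_i = Z_{i+1}, Y_l = Z_{l+1}^alpha * Z_l^beta; g' = [a], h' = [alpha a + beta]."""
    alpha, beta = rng.randrange(P), rng.randrange(P)
    Y = [pow(Z[l + 1], alpha, Q) * pow(Z[l], beta, Q) % Q for l in range(len(Z) - 1)]
    return Z[1:], Y

def sample_ddhi(d, real, rng):
    """d-DDHI tuple ([1], [a], ..., [a^d], z), z = [1/a] (real) or random."""
    a = rng.randrange(1, P)
    z = enc(pow(a, P - 2, P)) if real else enc(rng.randrange(1, P))
    return [enc(pow(a, i, P)) for i in range(d + 1)] + [z]

def ddhi_to_pddh(T):
    """Lemma 6.11: reverse ([1], ..., [a^d]) and keep z: a d-PDDH tuple with
    generator [a^d] and exponent 1/a."""
    return T[-2::-1] + [T[-1]]

def run_checks(d=3, trials=20, seed=7):
    """Count trials in which each reduction behaves as its lemma predicts.
    Real inputs must give real outputs every time; random inputs give random
    outputs except when the random input happens to coincide with a real
    tuple, an event of probability about 1/p per trial."""
    rng = random.Random(seed)
    out = dict.fromkeys(["rerand_real", "rerand_rand", "pddh_real", "pddh_rand",
                         "ddhi_real", "ddhi_rand"], 0)
    for _ in range(trials):
        X, Y = sample_heddh(d, True, rng)
        out["rerand_real"] += is_real_heddh(X, rerandomize(X, Y, rng))
        X, Y = sample_heddh(d, False, rng)
        out["rerand_rand"] += not is_real_heddh(X, rerandomize(X, Y, rng))
        out["pddh_real"] += is_real_heddh(*pddh_to_heddh(sample_pddh(d, True, rng), rng))
        out["pddh_rand"] += not is_real_heddh(*pddh_to_heddh(sample_pddh(d, False, rng), rng))
        out["ddhi_real"] += is_real_pddh(ddhi_to_pddh(sample_ddhi(d, True, rng)))
        out["ddhi_rand"] += not is_real_pddh(ddhi_to_pddh(sample_ddhi(d, False, rng)))
    return out

if __name__ == "__main__":
    print(run_checks())
```

The real-to-real direction holds in every trial because the exponent algebra in the proofs is exact; the random-to-random direction fails only when a sampled random tuple happens to coincide with a real one, which is visible here only because p is tiny. A one-shot checker cannot see distributions, so the determinant arguments in the proofs of Lemmas 6.8 and 6.10 are what actually carry the random case; the counts are a sanity check on the wiring of the reductions, not a substitute for them.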

Lemma 6.3 now follows from combining Lemmas 6.4 to 6.11.

6.2.5 Putting Everything Together

Finally, by combining the results in Lemmas 6.1 to 6.3 with Theorem 5.1, we can prove the following theorem.

Theorem 6.12

Let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p and let \({\mathsf {NR}^{*}} \) be defined via \({\mathsf {NR}^{*}} ({\vec {a}},x)=\left[ {\prod _{i=1}^{n}a_{i}^{x[i]}}\right] \), where \({\vec {a}} \in {{\mathbb {Z}}}_p^n\) and \(x \in \{0,1\}^n {\setminus } \{0^n\}\). Let \(\overline{\mathcal {D}}= \{0,1\}^{n} \times \mathbb {G}^{n}\) and let \(h {:\;\;}\overline{\mathcal {D}}\rightarrow \{0,1\}^{n-2}\) be a hash function. Let \(\omega _{i} = 0^{i-1}{\,\Vert \,}1{\,\Vert \,}0^{n-i}\), for \(i = 1,\ldots ,n\). Define \(F {:\;\;}{{\mathbb {Z}}}_p^n \times \{0,1\}^n \rightarrow \mathbb {G}\) by

$$\begin{aligned} F({\vec {a}},x) = {\mathsf {NR}^{*}} ({\vec {a}}, 11{\,\Vert \,}h(x,{\mathsf {NR}^{*}} ({\vec {a}},\vec {\omega }))) \end{aligned}$$

for all \({\vec {a}} \in {{\mathbb {Z}}}_p^n\) and \(x \in \{0,1\}^n\), where \({\mathsf {NR}^{*}} ({\vec {a}},\vec {\omega })\) stands for the vector \(({\mathsf {NR}^{*}} ({\vec {a}},\omega _1),\ldots ,{\mathsf {NR}^{*}} ({\vec {a}},\omega _n)) = (\left[ {a_1}\right] ,\ldots ,\left[ {a_n}\right] ) \in \mathbb {G}^n\), so that \((x,{\mathsf {NR}^{*}} ({\vec {a}},\vec {\omega })) \in \overline{\mathcal {D}}\). Note that the prefix 11 guarantees that the string fed to \({\mathsf {NR}^{*}} \) has at least two 1 bits, so it is never \(0^n\) and never one of the \(\omega _i\). Let \(\mathscr {A}\) be a \({\Phi } _{d}\)-restricted adversary against the prf-rka security of F that makes \(Q_{\mathscr {A}} \le \vert \{0,1\}^{n-2} \vert \) oracle queries. Then, assuming \(nd \le \sqrt{p}\), we can construct an adversary \(\mathscr {B}\) against the \({d}\text{-DDHI }\) problem in \(\mathbb {G}\), an adversary \(\mathscr {C}\) against the cr security of h, and an adversary \(\mathscr {D}\) against the \({d} \text{-SDL }\) problem in \(\mathbb {G}\) such that

$$\begin{aligned}&\mathbf {Adv}^{\mathsf {prf}\text{- }\mathsf {rka}}_{{\Phi } _{d},F}{(\mathscr {A})} \;\le \;\left( n \cdot d \cdot (1-1/p)^{-2} + n \cdot (d-1)\right) \cdot \mathbf {Adv}^{{d} {\mathsf {\text{- }ddhi}}}_{\mathbb {G}}{(\mathscr {B})} \\&\quad +\, \mathbf {Adv}^{\mathsf {cr}}_{h}(\mathscr {C}) + n \cdot \mathbf {Adv}^{{d}\mathsf {\text{- }sdl}}_{\mathbb {G}}(\mathscr {D}) + \left( d \cdot Q_\mathscr {A}^2 + 4n \cdot Q_\mathscr {A}\right) /(2 p) . \end{aligned}$$

The running time of \(\mathscr {B}\) is that of \(\mathscr {A}\) plus \(O(d \cdot (n + Q_{\mathscr {A}}))\) exponentiations in \(\mathbb {G}\) and \(O(Q_\mathscr {A}^3 \cdot (n d + Q_\mathscr {A}))\) operations in \({{\mathbb {Z}}}_p\). \(\mathscr {C}\) has approximately the same running time as \(\mathscr {A}\). The running time of \(\mathscr {D}\) is that of \(\mathscr {A}\) plus the time required to factorize a polynomial of degree at most d in \({{\mathbb {F}}}_p\), which is sub-quadratic in d, logarithmic in p.
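The following Python model (an added example, not the paper's code) instantiates the construction F of Theorem 6.12 over a constructed toy group of prime order \(p = 1019\), with SHA-256 truncated to \(n-2\) bits standing in for the collision-resistant hash h, and shows what a \({\Phi } _{d}\)-restricted adversary obtains from its oracle. The names `nr_star`, `public_part`, `related_key` and `rka_oracle`, the toy parameters, and the component-wise polynomial shape assumed for \({\Phi } _{d}\) (whose precise definition is given earlier in the paper, not here) are the example's own assumptions.

```python
"""Toy instantiation of the PRF F of Theorem 6.12. Added example with constructed
parameters; SHA-256 truncated to n-2 bits stands in for the hash h."""
import hashlib

# q = 2p + 1 with p = 1019 prime: G = quadratic residues mod q, prime order p,
# generator 4. Toy values with no security.
Q, P, G = 2039, 1019, 4

def nr_star(a, x):
    """NR*(a, x) = [prod_{i : x[i] = 1} a_i], for a key a in Z_p^n and a bit
    string x of length n with x != 0^n."""
    assert len(a) == len(x) and "1" in x
    e = 1
    for ai, bit in zip(a, x):
        if bit == "1":
            e = e * ai % P
    return pow(G, e, Q)

def public_part(a):
    """NR*(a, omega) = (NR*(a, omega_1), ..., NR*(a, omega_n)) = ([a_1], ..., [a_n])."""
    n = len(a)
    return [nr_star(a, "0" * i + "1" + "0" * (n - i - 1)) for i in range(n)]

def h(x, pk):
    """Hash {0,1}^n x G^n -> {0,1}^{n-2}, modelled by SHA-256 over an unambiguous
    encoding of (x, pk), truncated to n-2 bits; requires n >= 3."""
    n = len(x)
    msg = x.encode() + b"|" + ",".join(str(v) for v in pk).encode()
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return format(digest & ((1 << (n - 2)) - 1), "0{}b".format(n - 2))

def F(a, x):
    """F(a, x) = NR*(a, 11 || h(x, NR*(a, omega))). The 11 prefix gives the NR*
    input at least two 1 bits, so it is never 0^n and never a unit vector omega_i."""
    return nr_star(a, "11" + h(x, public_part(a)))

def related_key(a, poly):
    """phi(a) for a component-wise polynomial RKD function with coefficients
    poly = (c_0, ..., c_d): phi(a)_i = sum_j c_j a_i^j mod p. The component-wise
    shape is an assumption of this example about the class Phi_d."""
    return [sum(c * pow(ai, j, P) for j, c in enumerate(poly)) % P for ai in a]

def rka_oracle(a, poly, x):
    """What a Phi_d-restricted adversary sees on a query (phi, x): F(phi(a), x)."""
    return F(related_key(a, poly), x)

if __name__ == "__main__":
    key = [3, 5, 7, 11, 13, 17, 19, 23]  # constructed toy key, n = 8
    print(F(key, "10110010"), rka_oracle(key, (1, 0, 1), "10110010"))
```

The degree-2 query `(1, 0, 1)` asks for F under the related key \(\phi (a)_i = a_i^2 + 1\); the identity query `(0, 1)` returns the plain PRF value, matching the remark in the introduction that the RKA game with only the identity function collapses to standard PRF security.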

Remark 6.13

Using Remark 6.5, when \(d = 1\) (i.e., in the case of affine related-key deriving functions), one can easily obtain a similar statement based on the polynomial hardness of the \(\mathrm {DDH}\) problem in \(\mathbb {G}\).