Constrained Keys for Invertible Pseudorandom Functions. Dan Boneh, Sam Kim, and David J. Wu Stanford University

Size: px

Start display at page:

Download "Constrained Keys for Invertible Pseudorandom Functions. Dan Boneh, Sam Kim, and David J. Wu Stanford University"

Holly Randall
5 years ago
Views:

1 Constrained Keys for Invertible Pseudorandom Functions Dan Boneh, Sam Kim, and David J. Wu Stanford University

2 Pseudorandom Functions (PRFs) [GGM84] k R K Pseudorandom f R Funs[X, Y] Random F: K X Y x X F k, x c x X f(x) b b

3 Constrained PRFs [BW13, BGI13, KPTZ13] Constrained PRF: PRF with additional constrain functionality F: K X Y

4 Constrained PRFs [BW13, BGI13, KPTZ13] Constrained PRF: PRF with additional constrain functionality Constrain C PRF key F: K X Y

5 Constrained PRFs [BW13, BGI13, KPTZ13] Constrained PRF: PRF with additional constrain functionality Constrain C PRF key F: K X Y Constrained key Can be used to evaluate at all points x X where C x = 1

6 Constrained PRFs [BW13, BGI13, KPTZ13] Constrain C Correctness: constrained evaluation at x X where C x = 1 yields PRF value at x

7 Constrained PRFs [BW13, BGI13, KPTZ13] Constrain C Correctness: constrained evaluation at x X where C x = 1 yields PRF value at x Security: PRF value at points x X where C x = 0 are indistinguishable from random given the constrained key

8 Constrained PRFs [BW13, BGI13, KPTZ13] Constrain C Many applications: Punctured programming paradigm [SW14]

9 Constrained PRFs [BW13, BGI13, KPTZ13] Constrain C Many applications: Punctured programming paradigm [SW14] Identity-based key exchange, broadcast encryption [BW13]

10 Constrained PRFs [BW13, BGI13, KPTZ13] Constrain C Known constructions: Puncturable PRFs from one-way functions [BW13, BGI13, KPTZ13] Punctured key can be used to evaluate the PRF at all but one point

11 Constrained PRFs [BW13, BGI13, KPTZ13] Constrain C Known constructions: Puncturable PRFs from one-way functions [BW13, BGI13, KPTZ13] (Single-key) circuit-constrained PRFs from LWE [BV15]

12 Can we constrain other cryptographic primitives, such as pseudorandom permutations (PRPs)?

13 Our Results Constrained PRPs for many natural classes of constraints do not exist

14 Our Results Constrained PRPs for many natural classes of constraints do not exist However, the relaxed notion of a constrained invertible pseudorandom function (IPF) does exist

15 Pseudorandom Permutations (PRPs) F: K X X F(k, ) implements a permutation over X

16 Constrained PRPs Image of points where C x = 1 Set where C x = 1 F: K X X Constrained key enables forward and backward evaluation

17 Constrained PRPs Image of points where C x = 1 Set where C x = 1 Correctness: Forward evaluation when C x = 1

18 Correctness: Forward evaluation when C x = 1 Backward evaluation on points y if y = F(k, x) and C x = 1 Constrained PRPs Image of points where C x = 1 Set where C x = 1

19 Difficulties in Constraining PRPs Theorem (Informal). Any constrained PRP that allows issuing a constrained key that can evaluate on a non-negligible fraction of the domain is insecure. [See paper for details]

20 Difficulties in Constraining PRPs Theorem (Informal). Any constrained PRP that allows issuing a constrained key that can evaluate on a non-negligible fraction of the domain is insecure. Puncturable PRPs do not exist. [See paper for details]

21 Difficulties in Constraining PRPs Theorem (Informal). Any constrained PRP that allows issuing a constrained key that can evaluate on a non-negligible fraction of the domain is insecure. Puncturable PRPs do not exist. Open Question: Do prefix-constrained PRPs (where prefix is ω(log λ) bits) exist? [See paper for details]

22 Relaxing the Notion Theorem (Informal). Any constrained PRP that allows issuing a constrained key that can evaluate on a non-negligible fraction of the domain is insecure. Lower bound critically relies on the set of points that satisfy the constraint being a non-negligible fraction of the range of the PRP

23 Relaxing the Notion Theorem (Informal). Any constrained PRP that allows issuing a constrained key that can evaluate on a non-negligible fraction of the domain is insecure. Domain X Range Y Relaxation: Allow range to be much larger than the domain

24 Invertible Pseudorandom Functions (IPFs) Domain X Range Y An IPF F: K X Y satisfies the following properties:

25 Invertible Pseudorandom Functions (IPFs) Domain X Range Y An IPF F: K X Y satisfies the following properties: F(k, ) is injective for all k K

26 Invertible Pseudorandom Functions (IPFs) Domain X Range Y An IPF F: K X Y satisfies the following properties: F(k, ) is injective for all k K There exists an efficiently computable inverse F 1 : K Y X

27 Invertible Pseudorandom Functions (IPFs) Domain X Range Y An IPF F: K X Y satisfies the following properties: F(k, ) is injective for all k K There exists an efficiently computable inverse F 1 : K Y X F 1 k, F k, x = x for all x X

28 Invertible Pseudorandom Functions (IPFs) Domain X Range Y An IPF F: K X Y satisfies the following properties: F(k, ) is injective for all k K There exists an efficiently computable inverse F 1 : K Y X F 1 k, F k, x = x for all x X F 1 k, y = for all y not in the range of F(k, )

29 Invertible Pseudorandom Functions (IPFs) IPFs are closely related to the notion of deterministic authenticated encryption (DAE) [RS06]. IPFs can be used to build DAE, so our constrained IPF constructions imply constrained DAE. An IPF F: K X Y satisfies the following properties: F(k, ) is injective for all k K There exists an efficiently computable inverse F 1 : K Y X F 1 k, F k, x = x for all x X F 1 k, y = for all y not in the range of F(k, )

30 Invertible Pseudorandom Functions (IPFs) k R K F: K X Y Pseudorandom Set of injective functions f R InjFuns[X, Y] Random x X F k, x y Y F 1 k, y c x X f(x) y Y f 1 (y) Outputs if y has no inverse under f b b

31 Invertible Pseudorandom Functions (IPFs) k R K Pseudorandom f R InjFuns[X, Y] x X F k, x y Y F 1 k, y c x X f(x) y Y b b Random f 1 (y) When X = Y, security definition is equivalent to that for a strong PRP

32 Constrained IPFs Direct generalization of constrained PRFs Constrain C IPF key Constrained key F: K X Y

33 Constrained IPFs Direct generalization of constrained PRFs Constrain C IPF key F: K X Y Constrained key Can be used to evaluate at all points x X where C x = 1 and invert at all points y whenever y = F(k, x) for some x where C x = 1

34 A Puncturable IPF Starting point: DAE construction called synthetic IV (SIV) [RS06]

35 A Puncturable IPF x Starting point: DAE construction called synthetic IV (SIV) [RS06]

36 y 1 y 1 = PRF 1 k 1, x A Puncturable IPF x Starting point: DAE construction called synthetic IV (SIV) [RS06] PRF 1 (k 1, )

37 y 1 y 1 = PRF 1 k 1, x A Puncturable IPF x Starting point: DAE construction called synthetic IV (SIV) [RS06] PRF 1 (k 1, ) PRF 2 (k 2, )

38 y 1 y 2 y 1 = PRF 1 k 1, x y 2 = x PRF 2 (k 2, y 1 ) A Puncturable IPF x Starting point: DAE construction called synthetic IV (SIV) [RS06] PRF 1 (k 1, ) PRF 2 (k 2, )

39 y 1 y 2 y 1 = PRF 1 k 1, x y 2 = x PRF 2 (k 2, y 1 ) A Puncturable IPF x Starting point: DAE construction called synthetic IV (SIV) [RS06] PRF 1 (k 1, ) Can also be viewed as an unbalanced Feistel network (with one block set to all 0s) PRF 2 (k 2, )

40 A Puncturable IPF x y 1 PRF 1 (k 1, ) PRF 2 (k 2, ) PRF 2 (k 2, ) y 1 y 2 y 1 = PRF 1 k 1, x y 2 = x PRF 2 (k 2, y 1 )

41 A Puncturable IPF x y 1 y 2 PRF 1 (k 1, ) PRF 2 (k 2, ) PRF 2 (k 2, ) x y 1 y 2 y 1 = PRF 1 k 1, x y 2 = x PRF 2 (k 2, y 1 )

42 A Puncturable IPF x y 1 y 2 PRF 1 (k 1, ) PRF 2 (k 2, ) y 1 y 2 y 1 = PRF 1 k 1, x y 2 = x PRF 2 (k 2, y 1 ) PRF 2 (k 2, ) x Verify y 1 = PRF(k 1, x) and output if y 1 PRF(k 1, x)

43 A Puncturable IPF x How to puncture this construction? PRF 1 (k 1, ) PRF 2 (k 2, ) y 1 y 2

44 A Puncturable IPF x How to puncture this construction? First attempt: only puncture k 1 at x PRF 1 (k 1, ) PRF 2 (k 2, ) y 1 y 2

45 A Puncturable IPF x How to puncture this construction? First attempt: only puncture k 1 at x PRF 1 (k 1, ) PRF 2 (k 2, ) Given challenge y 1, y 2, can test whether y 2 PRF 2 k 2, y 1 = x y 1 y 2

46 A Puncturable IPF x PRF 1 (k 1, ) PRF 2 (k 2, ) y 1 y 2 How to puncture this construction? First attempt: only puncture k 1 at x Given challenge y 1, y 2, can test whether y 2 PRF 2 k 2, y 1 = x Second attempt: also puncture k 2 at y 1 = PRF 1 k 1, x

47 A Puncturable IPF x PRF 1 (k 1, ) PRF 2 (k 2, ) y 1 y 2 How to puncture this construction? First attempt: only puncture k 1 at x Given challenge y 1, y 2, can test whether y 2 PRF 2 k 2, y 1 = x Second attempt: also puncture k 2 at y 1 = PRF 1 k 1, x Punctured key reveals punctured point!

48 A Puncturable IPF x How to puncture this construction? First attempt: only puncture k 1 at x PRF 1 (k 1, ) PRF 2 (k 2, ) y 1 y 2 Solution: use private puncturing Second attempt: also puncture k 2 at y 1 = PRF 1 k 1, x Punctured key reveals punctured point!

49 A Puncturable IPF x Master key: k = (k 1, k 2 ) PRF 1 (k 1, ) PRF 2 (k 2, ) y 1 y 2

50 A Puncturable IPF x Master key: k = (k 1, k 2 ) Punctured key (punctured at x ): PRF 1 (k 1, ) PRF 2 (k 2, ) y 1 y 2

51 A Puncturable IPF PRF 1 (k 1, ) x Master key: k = (k 1, k 2 ) Punctured key (punctured at x ): k 1 punctured at x PRF 2 (k 2, ) y 1 y 2

52 A Puncturable IPF PRF 1 (k 1, ) x Master key: k = (k 1, k 2 ) Punctured key (punctured at x ): k 1 punctured at x k 2 privately punctured at PRF 1 (k 1, x ) PRF 2 (k 2, ) y 1 y 2

53 A Puncturable IPF PRF 1 (k 1, ) PRF 2 (k 2, ) x Master key: k = (k 1, k 2 ) Punctured key (punctured at x ): k 1 punctured at x k 2 privately punctured at PRF 1 (k 1, x ) y 1 = PRF 1 k 1, x y 2 = x PRF 2 (k 2, y 1 ) y 1 y 2

54 A Puncturable IPF x Master key: k = (k 1, k 2 ) PRF 1 (k 1, ) PRF 2 (k 2, ) y 1 y 2 Punctured key (punctured at x ): k 1 punctured at x k 2 privately punctured at PRF 1 (k 1, x ) y 1 = PRF 1 k 1, x y 2 = x PRF 2 (k 2, y 1 ) Indistinguishable from uniform by constrained security of PRF 2

55 A Puncturable IPF x PRF 1 (k 1, ) PRF 2 (k 2, ) y 1 y 2 Master key: k = (k 1, k 2 ) Punctured key (punctured at x ): k 1 punctured at x k 2 privately punctured at PRF 1 (k 1, x ) Hides y 1 y 1 = PRF 1 k 1, x y 2 = x PRF 2 (k 2, y 1 ) Indistinguishable from uniform by constrained security of PRF 2

56 A Puncturable IPF x PRF 1 (k 1, ) PRF 2 (k 2, ) y 1 y 2 Master key: k = (k 1, k 2 ) Punctured key (punctured at x ): k 1 punctured at x Indistinguishable k 2 privately from punctured at uniform by constrained PRF 1 (k 1, x ) security of PRF 1 Hides y 1 y 1 = PRF 1 k 1, x y 2 = x PRF 2 (k 2, y 1 ) Indistinguishable from uniform by constrained security of PRF 2

57 A Puncturable IPF PRF 1 (k 1, ) PRF 2 (k 2, ) x Master key: k = (k 1, k 2 ) Punctured key (punctured at x ): k 1 punctured at x k 2 privately punctured at PRF 1 (k 1, x ) Can be instantiated from standard lattice assumptions [BKM17, CC17, BTVW17] y 1 y 2

58 Circuit-Constrained IPFs x Master key: k = (k 1, k 2 ) PRF 1 (k 1, ) PRF 2 (k 2, ) y 1 y 2

59 Circuit-Constrained IPFs PRF 1 (k 1, ) x Master key: k = (k 1, k 2 ) For puncturing at x : Puncture k 1 at x Puncture k 2 at PRF 1 (k 1, x ) PRF 2 (k 2, ) y 1 y 2

60 Circuit-Constrained IPFs PRF 1 (k 1, ) PRF 2 (k 2, ) x Master key: k = (k 1, k 2 ) For puncturing at x : Puncture k 1 at x Puncture k 2 at PRF 1 (k 1, x ) To constrain to a circuit C: y 1 y 2

61 Circuit-Constrained IPFs PRF 1 (k 1, ) PRF 2 (k 2, ) x Master key: k = (k 1, k 2 ) For puncturing at x : Puncture k 1 at x Puncture k 2 at PRF 1 (k 1, x ) To constrain to a circuit C: Constrain k 1 to C y 1 y 2

62 Circuit-Constrained IPFs PRF 1 (k 1, ) x Master key: k = (k 1, k 2 ) For puncturing at x : Puncture k 1 at x Puncture k 2 at PRF 1 (k 1, x ) PRF 2 (k 2, ) y 1 y 2 To constrain to a circuit C: Constrain k 1 to C Difficulty: Need to constrain k 2 on a pseudorandom set (the image of PRF 1 (k 1, ) on the points allowed by C)

63 Circuit-Constrained IPFs x PRF 1 (k 1, ) PRF 2 (k 2, ) y 1 y 2 Master key: k = (k 1, k 2 ) For puncturing at x : Puncture k 1 at x Puncture k 2 at PRF 1 (k 1, x ) This set does not have a To constrain simple to circuit description C: unless Constrain PRF 1 is efficiently k 1 to C invertible Difficulty: Need to constrain k 2 on a pseudorandom set (the image of PRF 1 (k 1, ) on the points allowed by C)

64 Circuit-Constrained IPFs Master key: k = (k 1, k 2 ) See paper for construction For puncturing at x : Puncture k 1 at x Puncture k 2 at PRF 1 (k 1, x ) This set does not have a To constrain simple to circuit description C: unless Constrain PRF 1 is efficiently k 1 to C invertible Difficulty: Need to constrain k 2 on a pseudorandom set (the image of PRF 1 (k 1, ) on the points allowed by C)

65 Conclusions

66 Conclusions Can we constrain other cryptographic primitives, such as pseudorandom permutations (PRPs)?

67 Conclusions Can we constrain other cryptographic primitives, such as pseudorandom permutations (PRPs)? Constrained PRPs for many natural classes of constraints do not exist

68 Conclusions Can we constrain other cryptographic primitives, such as pseudorandom permutations (PRPs)? Constrained PRPs for many natural classes of constraints do not exist (Single-key) circuit-constrained invertible pseudorandom functions (IPFs) where the range is superpolynomially larger than the domain can be constructed from standard lattice assumptions

69 Open Problems Can we construct constrained PRPs for sufficiently restrictive constraint classes (e.g., prefix-constrained PRPs)?

70 Open Problems Can we construct constrained PRPs for sufficiently restrictive constraint classes (e.g., prefix-constrained PRPs)? Can we build puncturable IPFs from weaker assumptions?

71 Open Problems Can we construct constrained PRPs for sufficiently restrictive constraint classes (e.g., prefix-constrained PRPs)? Can we build puncturable IPFs from weaker assumptions? Can we construct a multi-key circuit-constrained IPF from standard assumptions?

72 Open Problems Can we construct constrained PRPs for sufficiently restrictive constraint classes (e.g., prefix-constrained PRPs)? Can we build puncturable IPFs from weaker assumptions? Can we construct a multi-key circuit-constrained IPF from standard assumptions? Thank you!

Constraining Pseudorandom Functions Privately

Constraining Pseudorandom Functions Privately David Wu Stanford University Joint work with Dan Boneh and Kevin Lewi Pseudorandom Functions (PRFs) [GGM84] : Pseudorandom Funs, Random, Constrained PRFs [BW13,