Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
Constrained PRFs for Unbounded Inputswith Short Keys
Hamza Abusalah Georg Fuchsbauer
ACNS 2016
Outline
1. Constrained Pseudorandom Functions (CPRFs)
2. Identity-Based Non-interactive Key Exchange
3. Unbounded-Input CPRFs
4. Unbounded-Input CPRFs with Short Keys
Pseudorandom Functions (PRFs)[GGM86]
k
x
Fk(x) F
Pseudorandom Functions (PRFs)
Randomx
y k
x
Fk(x) F
[GGM86]
Pseudorandom Functions (PRFs)
Randomx
y k
x
Fk(x) F
[GGM86]
≈
Pseudorandom Functions (PRFs)
Randomx
y
Unbounded-input PRFs [Goldreich04]: supports x ∈ {0, 1}∗
k
x
Fk(x) F
[GGM86]
≈
Constrained Pseudorandom Functions (CPRFs)[BW13],[KPTZ13],[BGI14]
Constr
S
k
Constrained Pseudorandom Functions (CPRFs)
F
x {Fk(x) if x ∈ S⊥ otherwisekSConstr
S
k
[BW13],[KPTZ13],[BGI14]
Constrained Pseudorandom Functions (CPRFs)
F
x {Fk(x) if x ∈ S⊥ otherwisekSConstr
S
k
[BW13],[KPTZ13],[BGI14]
x∗
Constrained Pseudorandom Functions (CPRFs)
F
x {Fk(x) if x ∈ S⊥ otherwisekSConstr
S
k
k
Fy
[BW13],[KPTZ13],[BGI14]
x∗
x 6= x∗
Constrained Pseudorandom Functions (CPRFs)
F
x {Fk(x) if x ∈ S⊥ otherwisekSConstr
S
k
k
Fy
ConstrkS
[BW13],[KPTZ13],[BGI14]
x∗
x 6= x∗
S 63 x∗
Constrained Pseudorandom Functions (CPRFs)
F
x {Fk(x) if x ∈ S⊥ otherwisekSConstr
S
k
k
Fy
Fk(x∗)y random
[BW13],[KPTZ13],[BGI14]
x∗
ConstrkS
≈
x 6= x∗
S 63 x∗
Types of CPRFs
• Polynomial-size S: Any PRF F is a CPRF
S = {x1, . . . , xp}, kS = {Fk(x1), . . . , Fk(xp)}
Types of CPRFs
• Polynomial-size S: Any PRF F is a CPRF
S = {x1, . . . , xp}, kS = {Fk(x1), . . . , Fk(xp)}
• Puncturable [SW14]: x∗ input
kx∗ ⇒ Fk(x) if x 6= x∗
(from PRGs)
Types of CPRFs
• Polynomial-size S: Any PRF F is a CPRF
S = {x1, . . . , xp}, kS = {Fk(x1), . . . , Fk(xp)}
• Puncturable [SW14]: x∗ input
kx∗ ⇒ Fk(x) if x 6= x∗
(from PRGs)
• Circuit [BW13]: C circuit
kC ⇒ Fk(x) if C(x) = 1
(from multilin. maps)
CPRFs for Unbounded Inputs
• TMs [AFP16]: M Turing machine
kM ⇒ Fk(x) if M(x) = 1
(from public-coin diO)
Accepts unbounded inputs x ∈ {0, 1}∗
CPRFs for Unbounded Inputs
• TMs [AFP16]: M Turing machine
kM ⇒ Fk(x) if M(x) = 1
(from public-coin diO)
Accepts unbounded inputs x ∈ {0, 1}∗
• TMs [DKW16]: (from iO)
CPRFs for Unbounded Inputs
Drawback: constrained keys are obfuscated circuits
This work: constrained keys are short signatures
• TMs [AFP16]: M Turing machine
kM ⇒ Fk(x) if M(x) = 1
(from public-coin diO)
Accepts unbounded inputs x ∈ {0, 1}∗
• TMs [DKW16]: (from iO)
Application
Identity-Based Non-interactive Key Exchange
a@mail
b@mail
c@mail
c@mail
kc
c@mailka
d@mail
Identity-Based Non-interactive Key Exchange
ka
a@mail
b@mail
c@mail
a@mail
c@mail
kc
c@mailka
d@mail
k
Identity-Based Non-interactive Key Exchange
a@mail
b@mail
c@mail
ka
kb
kc
c@mail
kc
c@mailka
d@mailkd
ka
a@mail
k
Identity-Based Non-interactive Key Exchange
a@mail
b@mail
c@mail
ka
kb
kc
c@mail
kc
c@mailka
d@mailkd
,kac
,kac
k
Identity-Based Non-interactive Key Exchange
a@mail
b@mail
c@mail
ka
kb
kc
c@mail
kc
c@mailka
d@mailkd
e@mail
ke
e@mailke
k
Identity-Based Non-interactive Key Exchange
a@mail
b@mail
ka
kb
c@mail
kc
c@mailka
e@mailke
,kabe
,kabe
,kabe
k
c@mailkc
d@mailkd
Identity-Based Non-interactive Key Exchange
a@mail
b@mail
c@mail
kc
c@mailka
Fk : {0, 1}∗ → {0, 1}m
k
Identity-Based Non-interactive Key Exchange
c@mail
kc
c@mailka
kabe :=Fk(a@mail‖b@mail‖e@mail)
Fk : {0, 1}∗ → {0, 1}ma@mail
b@mail
k
Identity-Based Non-interactive Key Exchange
c@mail
kc
c@mailka
b@mailb@mail
Fk : {0, 1}∗ → {0, 1}m
k
Identity-Based Non-interactive Key Exchange
c@mail
kc
c@mailka
b@mail
Fk : {0, 1}∗ → {0, 1}m
k
b@mail
Mb(x) =
{1 if x = . . . b@mail . . .0 otherwise
Identity-Based Non-interactive Key Exchange
c@mail
kc
c@mailka
kConstr
b@mail
Fk : {0, 1}∗ → {0, 1}m
b@mail
Mb(x) =
{1 if x = . . . b@mail . . .0 otherwise
Identity-Based Non-interactive Key Exchange
c@mail
kc
c@mailka
kConstr
kMb
b@mail
Fk : {0, 1}∗ → {0, 1}m
b@mail
Mb(x) =
{1 if x = . . . b@mail . . .0 otherwise
Obfuscation
ObfuscationApplication
Program Obfuscation
Virtual black-box[BGI+01]
Differing-input[BGI+01],[BCP14]
Public-coin differing-input[ISP15]
Indistinguishability[BGI+01], [GGH+13]
Program Obfuscation
Virtual black-box[BGI+01]
Differing-input[BGI+01],[BCP14]
Public-coin differing-input[ISP15]
Indistinguishability[BGI+01], [GGH+13]
Impossible[BGI+01]
Implausible[GGH+14]
TM-impossible[BSW16]
Program Obfuscation
P Obf P̃ ≡ P(∀x : P̃ (x) = P (x))
Functionality:
Program Obfuscation
P P̃ ≡ P
P0, P1
b ∈ {0, 1}b?
PbP̃b
Obf
Obf
Security:
Functionality:
Program Obfuscation
P P̃ ≡ PObf
• diO: must be hard to find x: P0(x) 6= P1(x)
Security:
Functionality:
Program Obfuscation
P P̃ ≡ PObf
• diO: must be hard to find x: P0(x) 6= P1(x)
• public-coin diO:hard to find x: P0(x) 6= P1(x)
even when given coins for computing P0, P1
Security:
Functionality:
Program Obfuscation
P P̃ ≡ PObf
• diO: must be hard to find x: P0(x) 6= P1(x)
• public-coin diO:hard to find x: P0(x) 6= P1(x)
even when given coins for computing P0, P1
• iO: P0 ≡ P1
Security:
Functionality:
ConstructionsObfuscation
Constructions
TM CPRFs
1) Warm-up: A circuit CPRF assuming
• Puncturable PRFs
• iO
TM CPRFs
1) Warm-up: A circuit CPRF assuming
• Puncturable PRFs
• iO
2) A Turing-machine CPRF assuming
• Puncturable PRFs
• Public-coin diO
• SNARKs (Succinct non-interactive arguments of knowledge)
TM CPRFs
1) Warm-up: A circuit CPRF assuming
• Puncturable PRFs
• iO
2) A Turing-machine CPRF assuming
• Puncturable PRFs
• Public-coin diO
• SNARKs (Succinct non-interactive arguments of knowledge)
3) A TM CPRF with short keys
• assuming the same
A Circuit CPRF
Circuit-constrained PRF:
• Fk(x) := PFk(x)
• puncturable PRF PFk
• iO
A Circuit CPRF
Circuit-constrained PRF:
• Fk(x) := PFk(x)
• Constr(k,C)→ kC :
Pk,C(x) :=
{PFk(x) if C(x) = 1⊥ otherwise
• puncturable PRF PFk
• iO
A Circuit CPRF
Circuit-constrained PRF:
• Fk(x) := PFk(x)
• Constr(k,C)→ kC :
kC ← iO
(Pk,C(x) :=
{PFk(x) if C(x) = 1⊥ otherwise
)
• puncturable PRF PFk
• iO
A Circuit CPRF
Circuit-constrained PRF:
• Fk(x) := PFk(x)
• Constr(k,C)→ kC :
Theorem. F is a secure circuit CPRF.
• puncturable PRF PFk
• iO
kC ← iO
(Pk,C(x) :=
{PFk(x) if C(x) = 1⊥ otherwise
)
A Circuit CPRF
Circuit-constrained PRF:
• Fk(x) := PFkx∗(x)
• Constr(k,C)→ kC :
Theorem. F is a secure circuit CPRF.
• puncturable PRF PFk
• iO
kC ← iO
(Pk,C(x) :=
{PFkx∗(x) if C(x) = 1⊥ otherwise
)
A CPRF for Unbounded Inputs
• Fk(x) := PFk(x)
• Constr(k,C):
kC ← iO
(Pk,C(x) :=
{PFk(x) if C(x) = 1⊥ otherwise
)
A CPRF for Unbounded Inputs
• Fk(x) := PFk(x)
• Constr(k,C):
kC ← iO
(Pk,C(x) :=
{PFk(x) if C(x) = 1⊥ otherwise
)
M?
A CPRF for Unbounded Inputs
• Fk(x) := PFk(x)
• Constr(k,C):
kC ← iO
(Pk,C(x) :=
{PFk(x) if C(x) = 1⊥ otherwise
)
M?
Circuit!
A CPRF for Unbounded Inputs
• Fk(x) := PFk(x)
• Constr(k,C):
kC ← iO
(Pk,C(x) :=
{PFk(x) if C(x) = 1⊥ otherwise
)
M?
Circuit! • cannot run TM⇒ use SNARK proving M(x) = 1
A CPRF for Unbounded Inputs
• Fk(x) := PFk(x)
• Constr(k,C):
kC ← iO
(Pk,C(x) :=
{PFk(x) if C(x) = 1⊥ otherwise
)
Circuit! • cannot run TM⇒ use SNARK proving M(x) = 1
• does not accept x ∈ {0, 1}∗⇒ hash x
unbounded!
A CPRF for Unbounded Inputs
• Fk(x) := PFk(H(x)) with H : {0, 1}∗ → {0, 1}n
A CPRF for Unbounded Inputs
• Fk(x) := PFk(H(x))
• Constr(k,M):
Pk,M (h, π)=
{PFk(h) if π proves ∃x : H(x) = h
∧ M(x) = 1⊥ otherwise
A CPRF for Unbounded Inputs
• Fk(x) := PFk(H(x))
• Constr(k,M):
kM←diO
(Pk,M (h, π)=
{PFk(h) if π proves ∃x : H(x) = h
∧ M(x) = 1⊥ otherwise
)
A CPRF for Unbounded Inputs
• Fk(x) := PFk(H(x))
• Constr(k,M):
kM←diO
(Pk,M (h, π)=
{PFk(h) if π proves ∃x : H(x) = h
∧ M(x) = 1⊥ otherwise
)
Why diO?
• consider M with M(x∗) = 0
M(x′) = 1H(x∗) = H(x′)
⇒ Pk,M 6≡ Pkx∗ ,M
A CPRF for Unbounded Inputs with Short Keys
• Fk(x) := PFk(H(x))
• Constr(k,M): signature σ on M
A CPRF for Unbounded Inputs with Short Keys
• Fk(x) := PFk(H(x))
• Constr(k,M): signature σ on M
• public:
diO
(Pk,vk(M,h, π, σ)=
PFk(h) if π proves ∃x : H(x) = h
∧ M(x) = 1and Verify(vk,M, σ)
⊥ otherwise
)
A CPRF for Unbounded Inputs with Short Keys
• Fk(x) := PFk(H(x))
• Constr(k,M): signature σ on M
• public:
diO
(Pk,vk(M,h, π, σ)=
PFk(h) if π proves ∃x : H(x) = h
∧ M(x) = 1and Verify(vk,M, σ)
⊥ otherwise
)
Security:
• diO(Pk,vk) ≈ diO(Pkx∗,vk)
A CPRF for Unbounded Inputs with Short Keys
• Fk(x) := PFk(H(x))
• Constr(k,M): signature σ on M
• public:
diO
(Pk,vk(M,h, π, σ)=
PFk(h) if π proves ∃x : H(x) = h
∧ M(x) = 1and Verify(vk,M, σ)
⊥ otherwise
)
Security:
• diO(Pk,vk) ≈ diO(Pkx∗,vk)
• Differing inputs? Yes: σ on M with M(x∗) = 1
A CPRF for Unbounded Inputs with Short Keys
• Fk(x) := PFk(H(x))
• Constr(k,M): signature σ on M
• public:
diO
(Pk,vk(M,h, π, σ)=
PFk(h) if π proves ∃x : H(x) = h
∧ M(x) = 1and Verify(vk,M, σ)
⊥ otherwise
)
Security:
• diO(Pk,vk) ≈ diO(Pkx∗,vk)
• Differing inputs? Yes: σ on M with M(x∗) = 1
• Hard to find when given coins? No! can reconstructsigning key
Functional Signatures w/ Obliv. Samplable Keys
Signature scheme with sampling algorithm
(vk∗, skx∗)← OSmp(x∗; r)
Functional Signatures w/ Obliv. Samplable Keys
Signature scheme with sampling algorithm
(vk∗, skx∗)← OSmp(x∗; r)
such that:
• vk∗ ≈ vk
Functional Signatures w/ Obliv. Samplable Keys
Signature scheme with sampling algorithm
(vk∗, skx∗)← OSmp(x∗; r)
such that:
• vk∗ ≈ vk
• skx∗ allows signing M ’s with M(x∗) = 0
Functional Signatures w/ Obliv. Samplable Keys
Signature scheme with sampling algorithm
(vk∗, skx∗)← OSmp(x∗; r)
such that:
• vk∗ ≈ vk
• skx∗ allows signing M ’s with M(x∗) = 0
• given r, hard to forge σ on M with M(x∗) = 1
Functional Signatures w/ Obliv. Samplable Keys
Signature scheme with sampling algorithm
(vk∗, skx∗)← OSmp(x∗; r)
such that:
• vk∗ ≈ vk Reduction can answer Constr queries
• skx∗ allows signing M ’s with M(x∗) = 0
• given r, hard to forge σ on M with M(x∗) = 1
Functional Signatures w/ Obliv. Samplable Keys
Signature scheme with sampling algorithm
(vk∗, skx∗)← OSmp(x∗; r)
such that:
• vk∗ ≈ vk
• skx∗ allows signing M ’s with M(x∗) = 0
• given r, hard to forge σ on M with M(x∗) = 1
− hard to find differing input
− apply diO
Functional Signatures w/ Obliv. Samplable Keys
Signature scheme with sampling algorithm
(vk∗, skx∗)← OSmp(x∗; r)
such that:
• vk∗ ≈ vk
• skx∗ allows signing M ’s with M(x∗) = 0
• given r, hard to forge σ on M with M(x∗) = 1
Construction from: commitment, PRF, SNARK
Functional Signatures w/ Obliv. Samplable Keys
Signature scheme with sampling algorithm
(vk∗, skx∗)← OSmp(x∗; r)
such that:
• vk∗ ≈ vk
• skx∗ allows signing M ’s with M(x∗) = 0
• given r, hard to forge σ on M with M(x∗) = 1
Construction from: commitment, PRF, SNARK
Thank you!
(and thanks to Hamza Abusalah for letting me reuse his slides)