
    More Efficient Lattice PRFs from Keyed Pseudorandom Synthesizers

    We develop new constructions of lattice-based PRFs using keyed pseudorandom synthesizers. We generalize all of the known 'basic' parallel lattice-based PRFs, those of [BPR12], [BLMR13], and [BP14], to build highly parallel lattice-based PRFs with smaller modulus (and thus better reductions from worst-case lattice problems) while still maintaining computational efficiency asymptotically equal to the fastest known lattice-based PRFs, at only the cost of larger key sizes. In particular, we build several parallel (in $NC^{2}$) lattice-based PRFs with modulus independent of the number of PRF input bits, based on both standard LWE and ring LWE. Our modulus for these PRFs is just $O\left(m^{f(m)}\right)$ for lattice dimension $m$ and any function $f(m) \in \omega(1)$. The only known parallel construction of a lattice-based PRF with such a small modulus is a construction from Banerjee's thesis, and some of our parallel PRFs with equivalently small modulus have smaller key sizes and are very slightly faster (when using FFT multiplication). These PRFs also asymptotically match the computational efficiency of the most efficient PRFs built from any LWE- or ring LWE-based assumptions known (potentially excluding some concurrent work), respectively, and concretely require less computation per output than any known parallel lattice-based PRFs (again when using FFT multiplication). We additionally use our techniques to build other efficient PRFs with very low circuit complexity (but higher modulus) which improve known results on highly parallel lattice PRFs. For instance, for input length $\lambda$, we show that there exists a ring LWE-based PRF in $NC^{1}$ with modulus proportional to $m^{\lambda^{c}}$ for any $c \in (0, 1)$. Constructions from lattices with this circuit depth were only previously known from larger moduli.

    Symmetric Primitives with Structured Secrets

    Securely managing encrypted data on an untrusted party is a challenging problem that has motivated the study of a variety of cryptographic primitives. A special class of such primitives allows an untrusted party to transform a ciphertext encrypted under one key to a ciphertext under another key, using some auxiliary information that does not leak the underlying data. Prominent examples of such primitives in the symmetric-key setting are key-homomorphic PRFs, updatable encryption, and proxy re-encryption. Although these primitives differ significantly in terms of their constructions and security requirements, they share two important properties: (a) they have secrets with structure or extra functionality, and (b) all known constructions of these primitives satisfying reasonably strong definitions of security are based on concrete public-key assumptions, e.g., DDH and LWE. This raises the question of whether these objects inherently belong to the world of public-key primitives, or whether they can potentially be built from simple symmetric-key objects such as pseudorandom functions. In this work, we show that the latter possibility is unlikely. More specifically, we show that:
    • Any (bounded) key-homomorphic weak PRF with an abelian output group implies a (bounded) input-homomorphic weak PRF, which has recently been shown to imply not only public-key encryption (PKE), but also a variety of primitives such as PIR, lossy TDFs, and even IBE.
    • Any ciphertext-independent updatable encryption scheme that is forward and post-compromise secure implies PKE. Moreover, any symmetric-key proxy re-encryption scheme with reasonably strong security guarantees implies a forward and post-compromise secure ciphertext-independent updatable encryption, and hence PKE.
    In addition, we show that unbounded (or exact) key-homomorphic weak PRFs over abelian groups are impossible in the quantum world. In other words, over abelian groups, bounded key-homomorphism is the best that we can hope for in terms of post-quantum security. Our attack also works over other structured primitives with abelian groups and exact homomorphisms, including homomorphic one-way functions and input-homomorphic weak PRFs.
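    The distinction between bounded and exact key-homomorphism that the abstract above draws is easy to see on the rounding-based (LWR) weak PRF of [BPR12]/[BLMR13], F_k(a) = round_p(<a, k> mod q) for a uniformly random input a. The following is an added illustration, not code from any of the papers on this page: it evaluates that weak PRF with deliberately tiny, insecure toy parameters (Q, P, N and every function name here are assumptions of this example) and measures how far F_{k1+k2}(a) is from F_{k1}(a) + F_{k2}(a). The rounding step forces the difference into {-1, 0, 1}, and the experiment shows that nonzero differences really occur, so the homomorphism is bounded but not exact.

```python
"""Toy bounded key-homomorphic weak PRF from learning with rounding (LWR).

Added illustration, not code from the cited papers. Parameters are toy-sized
and provide no security; they only make the bounded-homomorphism effect visible.
"""
import random

Q = 2 ** 16   # assumed toy 'large' modulus q
P = 2 ** 8    # assumed toy rounding modulus p, with p | q
N = 16        # assumed toy secret dimension


def round_q_to_p(x: int, q: int = Q, p: int = P) -> int:
    """Nearest-integer rounding Z_q -> Z_p: floor(x * p / q + 1/2) mod p.

    Written in integer arithmetic so it is exact: (x*p + q/2) // q.
    """
    return (((x % q) * p + q // 2) // q) % p


def inner(a, k, q: int = Q) -> int:
    """Inner product <a, k> over Z_q."""
    return sum(ai * ki for ai, ki in zip(a, k)) % q


def keygen(rng: random.Random):
    """Secret key k uniform in Z_q^N."""
    return [rng.randrange(Q) for _ in range(N)]


def sample_input(rng: random.Random):
    """Weak-PRF input: uniform a in Z_q^N (the adversary does not choose it)."""
    return [rng.randrange(Q) for _ in range(N)]


def F(k, a) -> int:
    """LWR-style weak PRF: F_k(a) = round_p(<a, k> mod q)."""
    return round_q_to_p(inner(a, k))


def add_keys(k1, k2):
    """Key addition in the abelian group Z_q^N."""
    return [(x + y) % Q for x, y in zip(k1, k2)]


def homomorphism_error(k1, k2, a) -> int:
    """Return e with F(k1+k2, a) = F(k1, a) + F(k2, a) + e (mod p), centred in (-p/2, p/2]."""
    e = (F(add_keys(k1, k2), a) - F(k1, a) - F(k2, a)) % P
    return e - P if e > P // 2 else e


def error_profile(trials: int = 2000, seed: int = 1) -> dict:
    """Histogram of the homomorphism error over random keys and inputs.

    Because rounding of a sum differs from the sum of roundings by at most one
    unit, every observed error is in {-1, 0, 1}; the nonzero buckets show that
    the homomorphism is bounded (1-almost), not exact.
    """
    rng = random.Random(seed)
    counts: dict = {}
    for _ in range(trials):
        k1, k2, a = keygen(rng), keygen(rng), sample_input(rng)
        e = homomorphism_error(k1, k2, a)
        counts[e] = counts.get(e, 0) + 1
    return counts


if __name__ == "__main__":
    prof = error_profile()
    print("error histogram:", dict(sorted(prof.items())))
    print("max |error| observed:", max(abs(e) for e in prof))
```

    The bound follows from the rounding alone: writing u = <a,k1>·p/q and v = <a,k2>·p/q, floor(u+v+1/2) and floor(u+1/2)+floor(v+1/2) differ by at most 1, and the wrap-around modulo q disappears modulo p because p divides q. Replacing the random input a by a hash H(x) turns this weak PRF into the 1-almost key-homomorphic PRF of [BLMR13] in the random-oracle model; the bounded error is exactly what downstream uses such as updatable encryption must tolerate, and it is the best one can get over an abelian group once the abstract's quantum attack on exact homomorphisms is taken into account.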

    CAPYBARA and TSUBAKI: Verifiable Random Functions from Group Actions and Isogenies

    In this work, we propose two post-quantum verifiable random function (VRF) constructions based on group actions and isogenies, one of which is based on the standard DDH assumption. A VRF is a cryptographic tool that enables a user to generate a pseudorandom output along with a publicly verifiable proof. The residual pseudorandomness of a VRF ensures the pseudorandomness of outputs on unrevealed inputs, even if an arbitrary number of outputs and proofs are revealed. Furthermore, it is infeasible to generate proofs that validate distinct values as outputs for the same input. In practical applications, VRFs have a wide range of uses, including in DNSSEC protocols, blockchains and cryptocurrency. Currently, most VRF constructions rely on elliptic curve cryptography (ECC), pairings, or Decisional Diffie-Hellman (DDH) type assumptions. These assumptions, however, cannot thwart the threats from quantum adversaries. In light of this, there is a growing need for post-quantum VRFs, which are currently less widely developed in the literature. We contribute to the study by presenting two VRF proposals from group actions and isogenies. Our constructions are fairly simple and derived from number-theoretic pseudorandom functions. We present a proof system that allows us to prove the factorization of group actions and set elements, providing a proof for our VRFs. The first one is based on the standard DDH problem. For the proof we introduce a new problem, the master decisional Diffie-Hellman problem over group actions, which we prove to be equivalent to the standard DDH problem. Furthermore, we present a new use of quadratic twists to reduce costs by expanding the input size and relaxing the assumption to the square DDH problem. Additionally, we employ advanced techniques from the isogeny literature to optimize the proof size to 39 KB and 34 KB using CSIDH-512 without compromising VRF notions. To the best of our knowledge, they are the first two provably secure VRF constructions based on isogenies.

    Key-Homomorphic Pseudorandom Functions from LWE with a Small Modulus

    Pseudorandom functions (PRFs) are fundamental objects in cryptography that play a central role in symmetric-key cryptography. Although PRFs can be constructed from one-way functions generically, these black-box constructions are usually inefficient and require deep circuits to evaluate compared to direct PRF constructions that rely on specific algebraic assumptions. From lattices, one can directly construct PRFs from the Learning with Errors (LWE) assumption (or its ring variant) using the result of Banerjee, Peikert, and Rosen (Eurocrypt 2012) and its subsequent works. However, all existing PRFs in this line of work rely on the hardness of the LWE problem where the associated modulus is super-polynomial in the security parameter. In this work, we provide two new PRF constructions from the LWE problem, each of which focuses on either minimizing the depth of its evaluation circuit or providing key-homomorphism, while relying on the hardness of the LWE problem with either a polynomial or a nearly polynomial modulus. Along the way, we introduce a new variant of the LWE problem called the Learning with Rounding and Errors (LWRE) problem. We show that for certain settings of parameters, the LWRE problem is as hard as the LWE problem. We then show that the hardness of the LWRE problem naturally induces a pseudorandom synthesizer that can be used to construct a low-depth PRF. The techniques that we introduce to study the LWRE problem can then be used to derive variants of existing key-homomorphic PRFs whose security can be reduced from the hardness of the LWE problem with a much smaller modulus.

    Algebraic Frameworks for Cryptographic Primitives

    A fundamental goal in theoretical cryptography is to identify the conceptually simplest abstractions that generically imply a collection of other cryptographic primitives. For symmetric-key primitives, this goal has been accomplished by showing that one-way functions are necessary and sufficient to realize primitives ranging from symmetric-key encryption to digital signatures. By contrast, for asymmetric primitives, we have no (known) unifying simple abstraction even for a few of its most basic objects. Moreover, even for public-key encryption (PKE) alone, we have no unifying abstraction that all known constructions follow. The fact that almost all known PKE constructions exploit some algebraic structure suggests considering abstractions that have some basic algebraic properties, irrespective of their concrete instantiation. We make progress on the aforementioned fundamental goal by identifying simple and useful cryptographic abstractions and showing that they imply a variety of asymmetric primitives. Our general approach is to augment symmetric abstractions with algebraic structure that turns out to be sufficient for PKE and much more, thus yielding a "bridge" between symmetric and asymmetric primitives. We introduce two algebraic frameworks that capture almost all concrete instantiations of (asymmetric) cryptographic primitives, and we also demonstrate their applicability by showing their cryptographic implications. Therefore, rather than manually building different cryptosystems from a new assumption, one only needs to build one (or more) of our simple structured primitives, and a whole host of cryptosystems immediately follows.
    PhD, Computer Science & Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies
    http://deepblue.lib.umich.edu/bitstream/2027.42/166137/1/alamati_1.pd