Constrained Verifiable Random Functions
Georg Fuchsbauer, IST Austria
SCN 2014, 3 September 2014 (full version: eprint 2014/537)

Overview (1/16)
● Pseudorandom functions (PRF)
● Verifiable random functions (VRF)
● Constrained PRF
● Constrained VRF
  – Formal definition
  – Constructions

PRFs (2/16)
● Pseudorandom function [GGM86]:
  – Function
  – A PRF key is a compact description of an exponentially long (pseudo)random string.
● Application:
  – Symmetric encryption: key, encryption

Constrained PRFs (3/16)
● Constrained PRF [BW13, KPTZ13, BGI14]:
  – Function for a set system
  – Algorithms:

Security of Constrained PRFs (4/16)
● Pseudorandomness of constrained PRFs:
  – The function should look random where:
    ● we have not seen its value
    ● we cannot evaluate it using a constrained key
  – Security game: Challenger (providing oracles) vs. Adversary

Instantiations of Constrained PRFs (5/16)
● Instantiations for set systems:
  – prefix-constrained PRF [BW13, KPTZ13, BGI14]: keys for prefix sets
  – bit-fixing PRF [BW13]: keys for sets defined by a bit-fixing pattern
  – circuit-constrained PRF [BW13]: keys for sets defined by a circuit C

Applications of Constrained PRFs (7/16)
● Identity-based non-interactive key exchange (ID-NIKE) from bit-fixing PRF [BW13]
● Broadcast encryption with optimal ciphertext length [BW13]
● Punctured PRFs [BW13, KPTZ13, BGI14]:
  – constrained keys for the domain minus a punctured point
  – many applications in combination with indistinguishability obfuscation [GGH+13]

VRFs (8/16)
● Verifiable random function [MRV99]:
  – Function
  – Algorithms:
  – Provability

Security of VRFs (9/16)
● Uniqueness:
  – For all
● Pseudorandomness:
  – Adv gets an evaluation oracle
  – submits an input that has not been queried
  – receives either the real function value or a random value
● A VRF public key can be seen as a compact commitment to an exponential number of (pseudo)random bits.

Application of VRFs (10/16)
● Micropayments:
  – e.g. many payments of 1¢, too expensive to process
  – How do we decide which should be payable (in a fair way)?
● “Rivest's lottery”:
  – User U pays merchant M with a cheque
  – Rate: a cheque is “payable” with the given rate
  – payable: M receives the payout in ¢
  – else the cheque is discarded
  – M publishes a key for a VRF; a cheque is payable if its VRF value meets the condition

Constrained Verifiable Random Functions

Constrained VRFs (11/16)
● Constrained VRF [this work]:
  – Function for a set system
  – Algorithms:
  – Provability

Security of Constrained VRFs (12/16)
● Uniqueness
● Constraint-hiding
● Pseudorandomness, as for constrained PRFs: Challenger (providing oracles) vs. Adversary

Possible Application of Constrained VRF (13/16)
● Micropayments, “Rivest's lottery”:
  – M publishes a key for a VRF; a cheque is payable if its VRF value meets the condition
  – Drawback: need a PKI for merchants' keys. Identity-based solution?
  – With constrained VRFs: every M uses the same key; a cheque is payable if its VRF value meets the condition; merchant M gets a constrained key for its set

Constructions (14/16)
● PRFs:
  – from PRG [GGM86]
  – under DDH [NR97]
● VRFs:
  – under q-DDHI [DY05], but poly-size domain only!
  – under q-type assumptions, value in target group, large proofs [HW10, ACF13]
● Constrained PRFs:
  – prefix-fixing: from PRG [BW13, KPTZ13, BGI14]
  – bit-fixing, circuit-constrained: from multilinear maps, under MDDH [BW13]
● Constrained VRFs:
  – bit-fixing, circuit-constrained: from multilinear maps, under MDDH [this work]
  – based on the same assumption and with the same function values as the constrained PRFs → verifiability “for free”

Construction of Constrained VRFs (15/16)
● Multilinear maps:
  – Groups, each generated by a generator; multilinear maps between them
  – MDDH assumption: given the instance, the challenge element looks random

Construction of Constrained VRFs (16/16)
● Boneh-Waters cPRF (bit-fixing), secure under MDDH
● Observation: even when part of the key is public, the function values are still pseudorandom
● Split the key; publish one part, keep the other secret
● Observation: the published part makes a value publicly computable
● Define proof:
● Verification of the proof:

Thank you
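Slide 14 lists prefix-fixing constrained PRFs built from a PRG [BW13, KPTZ13, BGI14]. The following is an added example, not code from the slides or the paper: the GGM tree [GGM86] instantiated with HMAC-SHA256 as the length-doubling PRG (an assumed instantiation), where the constrained key for a prefix set is simply the subtree root at that prefix, so it yields the same function value as the full key inside the set and nothing outside it.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Assumed instantiation: a 32-byte seed, one SHA-256 output per tree node.
SEED_LEN = 32


def prg(seed: bytes) -> Tuple[bytes, bytes]:
    """Length-doubling PRG G(s) = (G0(s), G1(s)) built from HMAC-SHA256 (assumption)."""
    g0 = hmac.new(seed, b"\x00", hashlib.sha256).digest()
    g1 = hmac.new(seed, b"\x01", hashlib.sha256).digest()
    return g0, g1


def walk(node: bytes, bits: str) -> bytes:
    """Descend the GGM tree from `node` following `bits` (0 = left half, 1 = right half)."""
    for b in bits:
        g0, g1 = prg(node)
        node = g0 if b == "0" else g1
    return node


def prf(key: bytes, x: str, n: int) -> bytes:
    """Full PRF F(key, x) for an n-bit input x given as a '0'/'1' string: the leaf at path x."""
    if len(x) != n or set(x) - {"0", "1"}:
        raise ValueError("x must be an n-bit string of '0'/'1'")
    return walk(key, x)


def constrain(key: bytes, prefix: str) -> Tuple[str, bytes]:
    """Constrained key for S = {x : x starts with prefix}: the subtree root at `prefix`."""
    return prefix, walk(key, prefix)


def constrained_eval(ckey: Tuple[str, bytes], x: str) -> Optional[bytes]:
    """Evaluate with a constrained key; returns None for inputs outside the constrained set."""
    prefix, node = ckey
    if not x.startswith(prefix):
        return None  # the subtree root gives no information about other prefixes
    return walk(node, x[len(prefix):])


if __name__ == "__main__":
    master = b"\x42" * SEED_LEN  # constructed sample key
    ck = constrain(master, "0110")
    print(constrained_eval(ck, "01101010") == prf(master, "01101010", 8))  # True
    print(constrained_eval(ck, "11101010"))  # None: outside the prefix set
```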