
Adaptively Secure Distributed PRFs from LWE

Journal of Cryptology

Abstract

In distributed pseudorandom functions (DPRFs), a PRF secret key SK is secret-shared among N servers so that each server can locally compute a partial evaluation of the PRF on some input X. A combiner that collects t partial evaluations can then reconstruct the evaluation F(SK, X) of the PRF under the initial secret key. So far, all non-interactive constructions in the standard model are based on lattice assumptions. One caveat is that they are only known to be secure in the static corruption setting, where the adversary chooses the servers to corrupt at the very beginning of the game, before any evaluation query. In this work, we construct the first fully non-interactive adaptively secure DPRF in the standard model. Our construction is proved secure under the LWE assumption against adversaries that may adaptively decide which servers they want to corrupt. We also extend our construction in order to achieve robustness against malicious adversaries.
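
To make the DPRF syntax of the abstract concrete (share a key, evaluate locally and non-interactively, combine any t of the N partials), here is an added example that is not code from this paper, whose own construction is lattice-based. It implements the classic Naor–Pinkas–Reingold [55] t-out-of-N DPRF F(SK, X) = H(X)^SK in a prime-order group, with SK Shamir-shared over Z_q and the Lagrange coefficients applied in the exponent. Note that it hashes into the group, i.e. it is a random-oracle-model scheme, which is exactly what the standard-model lattice constructions discussed above avoid. The 64-bit safe prime found at run time, the seeded RNG, the server count N = 5, threshold t = 3 and the input bytes are toy choices made here for the demonstration and provide no security.

```python
"""Naor-Pinkas-Reingold style t-out-of-N distributed PRF (added example).

F(SK, X) = H(X)^SK in the order-q subgroup of Z_p^*, p = 2q + 1 a safe prime.
Toy parameters: a 64-bit safe prime found at run time -- illustration only.
"""
from __future__ import annotations

import hashlib
import random


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; the bases 2..37 are exact for n < 3.3e24."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in small:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int, seed: int = 0) -> tuple[int, int]:
    """Return (p, q) with p = 2q + 1 both prime; deterministic for a given seed."""
    q = (seed % (1 << (bits - 2))) | (1 << (bits - 2)) | 1  # odd, (bits-1)-bit start
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


def hash_to_group(p: int, x: bytes) -> int:
    """H(x): hash to a quadratic residue mod p (order q), modelled as a random oracle."""
    ctr = 0
    while True:
        h = hashlib.sha256(ctr.to_bytes(4, "big") + x).digest()
        g = pow(int.from_bytes(h, "big") % p, 2, p)
        if g not in (0, 1):  # skip the two degenerate residues
            return g
        ctr += 1


def share_key(q: int, sk: int, n: int, t: int, rng: random.Random) -> dict[int, int]:
    """Shamir-share sk over Z_q: server i in 1..n gets f(i), deg f = t - 1, f(0) = sk."""
    coeffs = [sk % q] + [rng.randrange(q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, q) for k, c in enumerate(coeffs)) % q
            for i in range(1, n + 1)}


def partial_eval(p: int, share_i: int, x: bytes) -> int:
    """Server i's local contribution H(x)^{sk_i}; no interaction with other servers."""
    return pow(hash_to_group(p, x), share_i, p)


def combine(p: int, q: int, t: int, partials: dict[int, int]) -> int:
    """Reconstruct H(x)^sk from any >= t partials (Lagrange interpolation at 0 in the exponent)."""
    if len(partials) < t:
        raise ValueError(f"need at least {t} partial evaluations, got {len(partials)}")
    ids = sorted(partials)[:t]  # any t distinct server indices suffice
    out = 1
    for i in ids:
        lam = 1
        for j in ids:
            if j != i:
                lam = lam * j * pow((j - i) % q, -1, q) % q
        out = out * pow(partials[i], lam, p) % p
    return out


def evaluate(p: int, sk: int, x: bytes) -> int:
    """Centralised F(SK, X) = H(X)^SK, used only to check the distributed result."""
    return pow(hash_to_group(p, x), sk, p)


def demo(n: int = 5, t: int = 3, seed: int = 7) -> tuple[int, int, int]:
    """Share a key among n servers and combine two different t-subsets of partials."""
    p, q = safe_prime(64, seed)
    rng = random.Random(seed)  # seeded for reproducibility; use `secrets` in practice
    sk = rng.randrange(1, q)
    shares = share_key(q, sk, n, t, rng)
    x = b"constructed input X"  # constructed sample input
    partials = {i: partial_eval(p, shares[i], x) for i in shares}
    y_direct = evaluate(p, sk, x)
    y_a = combine(p, q, t, {i: partials[i] for i in (1, 2, 3)})
    y_b = combine(p, q, t, {i: partials[i] for i in (2, 4, 5)})
    return y_direct, y_a, y_b


if __name__ == "__main__":
    y_direct, y_a, y_b = demo()
    print("servers {1,2,3} and {2,4,5} agree with the centralised PRF:", y_direct == y_a == y_b)
```

Every partial is computed from the server's own share alone, which is what "non-interactive" means here; the combiner only needs to know which t indices it holds, since the Lagrange coefficients depend on the index set and not on the shares. Fewer than t partials are rejected rather than interpolated, because a degree t-1 polynomial is not determined by t-1 points.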


Notes

  1. We note that this use of lossy trapdoor functions is somewhat unusual since their injective mode is usually used to handle adversarial queries while the lossy mode comes into play in the challenge phase.

  2. We use a “find-then-guess” security game where the adversary obtains correct evaluation for inputs of its choice before trying to distinguish a real function evaluation from a random element of the range.

  3. Except in some cases in which all players always correctly provide their contribution to the computation.

  4. Note that a threshold-t function can be obtained from the majority function by fixing the desired number of input bits, so that we need a majority function of size \(\le 2N\) to construct a threshold function \(T_{t,N}\).

  5. Note that conditioned on \((L_{\mathcal{C}^\star}, L_{\mathcal{C}^\star} \cdot \mathbf{\Gamma})\), the rows of \(\mathbf{\Gamma}^\top\) are Gaussian on affine lines, whereas a column of \(\mathbf{\Gamma}^\top\) is the inner product of a unit vector with all of these rows.

  6. The proof of Yamada’s IBE [68] requires \(P_\textsf{T}'(x^\star)=0\) in the challenge phase and \(P_\textsf{T}'(x)=1\) in all adversarial queries, while we need the opposite. This is not a problem here since we can simply evaluate the logical NOT of his partitioning function \(P_\textsf{T}'\).

  7. Without this assumption, an adaptive adversary could distinguish the two games by corrupting a server after having obtained a partial evaluation from it.
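
As an added illustration of note 4 (not code from the paper), the following block hard-wires constant inputs to a majority gate so that it computes the threshold function \(T_{t,N}\) on at most 2N wires, and verifies the identity exhaustively for small N. The padding rule (derived in the docstring) and the majority convention (strictly more ones than zeros; the padded width is always odd, so no tie rule is needed) are choices made here.

```python
"""Threshold function T_{t,N} from a majority gate by fixing input bits (added example)."""
from __future__ import annotations

from itertools import product


def majority(bits) -> int:
    """MAJ_M over M wires: 1 iff strictly more ones than zeros."""
    bits = list(bits)
    return int(2 * sum(bits) > len(bits))


def threshold_padding(t: int, n: int) -> tuple[int, int]:
    """Numbers (ones, zeros) of constant wires to append to the n live inputs.

    With s live ones, MAJ outputs 1 iff 2(s + ones) > n + ones + zeros,
    i.e. 2s > n - ones + zeros.  Choosing n - ones + zeros = 2t - 1 makes this
    equivalent to s >= t.  The padded width is 2n - 2t + 1 or 2t - 1, which is
    odd and never exceeds 2n, matching the size bound of note 4.
    """
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    d = n - 2 * t + 1
    ones, zeros = (d, 0) if d >= 0 else (0, -d)
    assert n + ones + zeros <= 2 * n
    return ones, zeros


def threshold_via_majority(t: int, n: int, x) -> int:
    """T_{t,n}(x) computed by a single majority gate on the padded wires."""
    x = list(x)
    if len(x) != n:
        raise ValueError(f"expected {n} input bits, got {len(x)}")
    ones, zeros = threshold_padding(t, n)
    return majority(x + [1] * ones + [0] * zeros)


def threshold(t: int, n: int, x) -> int:
    """Reference T_{t,n}: 1 iff at least t of the n bits are set."""
    x = list(x)
    if len(x) != n:
        raise ValueError(f"expected {n} input bits, got {len(x)}")
    return int(sum(x) >= t)


def check_all(n: int) -> bool:
    """Exhaustively compare the two definitions for every t and every n-bit input."""
    for t in range(1, n + 1):
        for x in product((0, 1), repeat=n):
            if threshold_via_majority(t, n, x) != threshold(t, n, x):
                return False
    return True


if __name__ == "__main__":
    for n in range(1, 9):
        print(f"N={n}: {'ok' if check_all(n) else 'MISMATCH'}")
```

In the DPRF setting the live wires are the indicator bits "server i contributed", so the same padded majority gate decides whether a combiner holds at least t partial evaluations; the bound of at most 2N wires is what keeps the monotone formula for majority usable at the threshold.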

References

  1. M. Abe, S. Fehr, Adaptively secure Feldman VSS and applications to universally-composable threshold cryptography, in Crypto (2004)

  2. S. Agrawal, D. Boneh, X. Boyen, Efficient lattice (H)IBE in the standard model, in Eurocrypt (2010)

  3. S. Agrawal, X. Boyen, V. Vaikuntanathan, P. Voulgaris, H. Wee, Functional encryption for threshold functions (or fuzzy IBE) from lattices, in PKC (2012)

  4. S. Agrawal, B. Libert, D. Stehlé, Fully secure functional encryption for inner products from standard assumptions, in Crypto (2016)

  5. S. Agrawal, P. Mohassel, P. Mukherjee, P. Rindal, DiSE: distributed symmetric-key encryption, in ACM-CCS (2018)

  6. I. Almansa, I. Damgård, J.-B. Nielsen, Simplified threshold RSA with adaptive and proactive security, in Eurocrypt (2006)

  7. J. Alwen, S. Krenn, K. Pietrzak, D. Wichs, Learning with rounding, revisited—new reduction, properties and applications, in Crypto (2013)

  8. A. Banerjee, C. Peikert, New and improved key-homomorphic pseudo-random functions, in Crypto (2014)

  9. A. Banerjee, C. Peikert, A. Rosen, Pseudorandom functions and lattices, in Eurocrypt (2012)

  10. M. Bellare, E. Kiltz, C. Peikert, B. Waters, Identity-based (lossy) trapdoor functions and applications, in Eurocrypt (2012)

  11. J. Benaloh, J. Leichter, Generalized secret sharing and monotone functions, in Crypto (1988)

  12. R. Bendlin, I. Damgård, Threshold decryption and zero-knowledge proofs for lattice-based cryptosystems, in TCC (2010)

  13. R. Bendlin, S. Krehbiel, C. Peikert, How to share a lattice trapdoor: threshold protocols for signatures and (H)IBE, in ACNS (2013)

  14. D. Boneh, X. Boyen, Secure identity based encryption without random oracles, in Crypto (2004)

  15. D. Boneh, R. Gennaro, S. Goldfeder, A. Jain, S. Kim, P. Rasmussen, A. Sahai, Threshold cryptosystems from threshold fully homomorphic encryption, in Crypto (2018)

  16. D. Boneh, R. Gennaro, S. Goldfeder, S. Kim, A lattice-based universal thresholdizer for cryptographic systems. Cryptology ePrint Archive: Report 2017/251, September (2017)

  17. D. Boneh, K. Lewi, H. Montgomery, A. Raghunathan, Key-homomorphic PRFs and their applications, in Crypto (2013)

  18. D. Boneh, H. Montgomery, A. Raghunathan, Algebraic pseudorandom functions with improved efficiency from the augmented cascade, in ACM-CCS (2010)

  19. C. Cachin, K. Kursawe, V. Shoup, Random oracles in Constantinople: practical asynchronous Byzantine agreement using cryptography, in PODC (2000)

  20. R. Canetti, R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, Adaptive security for threshold cryptosystems, in Crypto (1999)

  21. R. Canetti, S. Goldwasser, An efficient threshold public key cryptosystem secure against adaptive chosen-ciphertext attacks, in Eurocrypt (1999)

  22. M. Chase, S. Meiklejohn, Déjà Q: using dual systems to revisit q-type assumptions, in Eurocrypt (2014)

  23. J. Chotard, E. Dufour Sans, R. Gay, D.-H. Phan, D. Pointcheval, Decentralized multi-client functional encryption for inner product, in Asiacrypt (2018)

  24. R. Cramer, I. Damgård, S. Dziembowski, M. Hirt, T. Rabin, Efficient multi-party computations secure against an adaptive adversary, in Eurocrypt (1999)

  25. R. Cramer, S. Fehr, Optimal black-box secret sharing over arbitrary abelian groups, in Crypto (2002)

  26. I. Damgård, R. Thorbek, Linear integer secret sharing and distributed exponentiation, in PKC (2006)

  27. Y. Desmedt, Y. Frankel, Threshold cryptosystems, in Crypto (1989)

  28. Y. Dodis, Exposure-resilient cryptography. PhD thesis, MIT (2000)

  29. Y. Dodis, Efficient construction of (distributed) verifiable random functions, in PKC (2003)

  30. Y. Dodis, A. Yampolskiy, A verifiable random function with short proofs and keys, in PKC (2005)

  31. Y. Dodis, A. Yampolskiy, M. Yung, Threshold and proactive pseudo-random permutations, in TCC (2006)

  32. Y. Frankel, P. MacKenzie, M. Yung, Adaptively-secure distributed public-key systems, in ESA (1999)

  33. E. Freire, D. Hofheinz, K. Paterson, C. Striecks, Programmable hash functions in the multilinear setting, in Crypto (2013)

  34. C. Gentry, C. Peikert, V. Vaikuntanathan, Trapdoors for hard lattices and new cryptographic constructions, in STOC (2008)

  35. C. Gentry, A. Sahai, B. Waters, Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based, in Crypto (2013)


  36. O. Goldreich, Valiant’s polynomial-size monotone formula for majority (2014)

  37. O. Goldreich, S. Goldwasser, S. Micali, How to construct random functions. J. ACM 33, 792–807 (1986)


  38. S. Goldwasser, S. Gordon, V. Goyal, A. Jain, J. Katz, F.-H. Liu, A. Sahai, E. Shi, H.-S. Zhou, Multi-input functional encryption, in Eurocrypt (2014)

  39. S. Goldwasser, Y. Kalai, C. Peikert, V. Vaikuntanathan, Robustness of the Learning with Errors assumption, in ICS (2010)

  40. S. Gorbunov, V. Vaikuntanathan, D. Wichs, Leveled fully homomorphic signatures from standard lattices, in STOC (2015)

  41. R. Goyal, S. Hohenberger, V. Koppula, B. Waters, A generic approach to constructing and proving verifiable random functions, in TCC (2017)

  42. J. Håstad, R. Impagliazzo, L. Levin, M. Luby, A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)


  43. D. Hofheinz, E. Kiltz, Programmable hash functions and their applications, in Crypto (2008)

  44. S. Hoory, A. Magen, T. Pitassi, Monotone circuits for the majority function, in APPROX-RANDOM (2006)

  45. T. Jager, Verifiable random functions from weaker assumptions, in TCC (2015)

  46. S. Jarecki, A. Lysyanskaya, Adaptively secure threshold cryptography: introducing concurrency, removing erasures, in Eurocrypt (2000)

  47. S. Katsumata, S. Yamada, Partitioning via non-linear polynomial functions: more compact IBEs from ideal lattices and bilinear maps, in Asiacrypt (2016)

  48. A. Lewko, B. Waters, Efficient pseudorandom functions from the decisional linear assumption and weaker variants, in ACM-CCS (2009)

  49. B. Libert, M. Joye, M. Yung, Born and raised distributively: Fully distributed non-interactive adaptively secure threshold signatures with short shares, in PODC (2014)

  50. B. Libert, R. Titiu, Multi-client functional encryption for linear functions in the standard model from LWE, in Asiacrypt (2019)

  51. A. Lysyanskaya, C. Peikert, Adaptive security in the threshold setting: from cryptosystems to signature schemes, in Asiacrypt (2001)

  52. S. Micali, R. Sidney, A simple method for generating and sharing pseudo-random functions, in Crypto (1995)

  53. D. Micciancio, C. Peikert, Trapdoors for lattices: simpler, tighter, faster, smaller, in Eurocrypt (2012)

  54. D. Micciancio, O. Regev, Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)


  55. M. Naor, B. Pinkas, O. Reingold, Distributed pseudo-random functions and KDCs, in Eurocrypt (1999)

  56. M. Naor, O. Reingold, Number-theoretic constructions of efficient pseudo-random functions, in FOCS (1997)

  57. M. Naor, O. Reingold, A. Rosen, Pseudo-random functions and factoring, in STOC (2000)

  58. J.-B. Nielsen, A threshold pseudorandom function construction and its applications, in Crypto (2002)

  59. C. Peikert, B. Waters, Lossy trapdoor functions and their applications, in STOC (2008)

  60. A. Raghunathan, G. Segev, S. Vadhan, Deterministic public-key encryption for adaptively chosen plaintext distributions, in Eurocrypt (2013)

  61. A. Razborov, S. Rudich, Natural proofs. J. Comput. Syst. Sci. 55(1), 24–35 (1997)


  62. O. Regev, On lattices, learning with errors, random linear codes, and cryptography, in STOC (2005)

  63. R. Thorbek, Linear integer secret sharing. PhD thesis, Department of Computer Science, University of Aarhus (2009)

  64. L. Trevisan, S. Vadhan, Extracting randomness from samplable distributions, in FOCS (2000)

  65. L. Valiant, Short monotone formulae for the majority function. J. Algorithms 5(3), 363–366 (1984)


  66. L. Valiant, A theory of the learnable. Commun. ACM 27(11), 1134–1142 (1984)


  67. B. Waters, Efficient identity-based encryption without random oracles, in Eurocrypt (2005)

  68. S. Yamada, Asymptotically compact adaptively secure lattice IBEs and verifiable random functions via generalized partitioning techniques, in Crypto (2017)


Acknowledgements

We thank Javier Herranz for his suggestion to use linear integer secret sharing schemes. Part of this research was funded by the French ANR ALAMBIC project (ANR-16-CE39-0006) and by BPI-France in the context of the national project RISQ (P141580). This work was also supported in part by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701). The second author was supported by ERC Starting Grant ERC-2013-StG-335086-LATTAC.

Corresponding author: Benoît Libert.

Communicated by Frederik Vercauteren.

This is the full version of a paper published in the proceedings of TCC 2018. It contains all the proofs that were omitted from the proceedings version.


Cite this article

Libert, B., Stehlé, D. & Titiu, R. Adaptively Secure Distributed PRFs from LWE. J Cryptol 34, 29 (2021). https://doi.org/10.1007/s00145-021-09393-0
