1 Introduction

A function family is a dual PRF [6] if it is a PRF and also remains so when its key and input are switched. This property was used as an assumption on the compression function in order to prove security of two hash function-based PRFs, namely the widely-used HMAC [8] and the newer AMAC [7]. Dual PRFs are also now being assumed in TLS 1.3 [19, 22] and other Internet security protocols [1, 15, 18, 28, 32].

We have, however, no constructions of dual PRFs under standard assumptions, and thus little idea how strong is the assumption, or if it is even valid. We address this with a foundational treatment of dual PRFs, giving constructions based on standard assumptions. This is the first theoretical evidence that dual PRFs exist, and provides what we call a generic validation of the dual PRF assumption. Tools that we introduce and use for our construction include leakage hardcore functions and symmetric PRFs.

\(\underline{\textsc {PRFs.}}\) Let \({\textsf{F}}{\,{:}\,}{\textsf{F}}.\textsf{Keys}\times {\textsf{F}}.\textsf{Inp} \rightarrow {\textsf{F}}.\textsf{Out}\) be a function family taking a key and an input \(x\in {\textsf{F}}.\textsf{Inp}\) to (deterministically) return the output . We recall that \({\textsf{F}}\) is a PRF [24] if an efficient adversary has negligible advantage in distinguishing whether its oracle is or a random function, where is chosen at random from \({\textsf{F}}.\textsf{Keys}\). This well-known notion has seen an enormous number of applications in both theoretical and applied cryptography.

\(\underline{\textsc {Dual}\,\,\textsc {PRFs.}}\) Let \({\textsf{S}}{\,{:}\,}S_0 \times S_1 \rightarrow {\textsf{S}}.\textsf{Out}\) be a function family. Let \({\textsf{S}}^{\textrm{swap}} {\,{:}\,}S_1 \times S_0 \rightarrow {\textsf{S}}.\textsf{Out}\) be defined by \({\textsf{S}}^{\textrm{swap}}(a_0,a_1) = {\textsf{S}}(a_1,a_0)\). That is, the key for \({\textsf{S}}^{\textrm{swap}}\) is the input for \({\textsf{S}}\) and the input for \({\textsf{S}}^{\textrm{swap}}\) is the key for \({\textsf{S}}\). Both \({\textsf{S}}\) and \({\textsf{S}}^{\textrm{swap}}\) are legitimate function families, and we can ask if they are PRFs. We say that \({\textsf{S}}\) is a dual PRF [6] if both \({\textsf{S}}\) and \({\textsf{S}}^{\textrm{swap}}\) are PRFs. That is (1) an oracle for \({\textsf{S}}(a_0,\cdot )\) is indistinguishable from an oracle for a random function when \(a_0\) is chosen at random and, separately but also, (2) an oracle for \({\textsf{S}}(\cdot ,a_1)\) is indistinguishable from an oracle for a random function when \(a_1\) is chosen at random. The question we consider in this paper is, do dual PRFs exist, and, if so, under what assumptions?

\(\underline{\textsc {Context.}}\) Dual PRFs were introduced by Bellare [6] in the context of HMAC. Recall that HMAC [8] is a cryptographic-hash function-based PRF implemented in TLS and many other places. From the proof perspective, the underlying primitive is the compression function h of the hash function, and this is assumed in [6] to be a dual PRF in order to conclude PRF security of HMAC. (In a little more detail, one starts with a related and simpler design, NMAC [8], that is PRF-secure assuming that h is a PRF [3, 6, 23]. The dual PRF assumption on h arises in stepping from NMAC to HMAC [6].)

AMAC is a hash function-based PRF used in the widely deployed Ed25519 signature scheme [13], and its analysis also assumes the compression function is a dual PRF [7]. And since then, the use of dual PRFs has widened even further. Dual PRFs are now invoked in the design and analysis of many Internet security protocols, including TLS 1.3 [19, 22], hybrid key-exchange [15, 32], post-quantum versions of WireGuard [28] and Noise [1], and Message Layer Security (MLS) [18].

\(\underline{\textsc {Generic}\,\,\textsc {validation.}}\) The assumption that a function h is a dual PRF could fail for two reasons. One is generic, namely that nothing can be a dual PRF. Dual PRFs may simply not exist. The second reason is specific, namely that although some functions may be dual PRFs, the particular h used in some particular application isn’t.

Generic failure can be ruled out by showing that the security goal is achievable under standard assumptions. We call this generic validation. It has value because generic failure is not an idle fear. It has happened for several (attractive) goals, for example virtual blackbox obfuscation [5, 26] and commitment secure against selective opening [10] to name just a few.

Generic validation won’t show that a particular candidate practical construct satisfies the assumption. This needs dedicated validation, meaning either a dedicated proof or cryptanalysis. But generic validation is the first step. In its absence, the goal may be just wishful thinking, and the candidate construct doomed. In its presence, the candidate is at least in principle plausible, and successful dedicated validation is a possibility. Generic validation is thus desirable for the security goal underlying any new assumption.

For (standard) PRFs, we have strong generic validation: Classical foundational results say that PRFs exist assuming only that one-way functions exist. (OWFs imply PRGs [27] which imply PRFs [24].) We also have constructions from many particular assumptions [4, 29, 30]. Dual PRFs, in contrast, have at this point no generic validation. Despite their having been introduced ten years ago [6], and despite their use as an assumption in supporting the security of the widely-used HMAC [6], there has been no construction under any (standard or not) assumption. This is the gap we fill.

\(\underline{\textsc {Negative}\,\,\textsc {results.}}\) One’s first thought may be that every PRF \({\textsf{S}}\) is also a dual PRF. It is easy to see that this is not true. For example, suppose \({\textsf{S}}{\,{:}\,}\{0,1\}^k \times \{0,1\}^k \rightarrow \{0,1\}^k\) is a PRF with the property that \({\textsf{S}}(0^k,a)=a\) for all a. This will not contradict PRF security of \({\textsf{S}}\) because \(0^k\) has negligible probability of being chosen as the key in the PRF game. However, \({\textsf{S}}^{\textrm{swap}}\) is clearly not a PRF because \({\textsf{S}}^{\textrm{swap}}(a,0^k) = {\textsf{S}}(0^k,a) = a\) so an adversary can query its oracle at \(0^k\) and it will get back the key a, using which it can easily violate PRF security.

Thus, we need special constructions. The next natural question is whether known constructions of PRFs are dual PRFs. But they are not. For example, take the classic GGM construction [24] of a PRF from a PRG. We show in Sect. 3 that there is a choice of the PRG under which the constructed PRF is not a dual PRF. Or take the Naor–Reingold PRF. We give in Sect. 3 a direct attack violating dual PRF security. The Dodis–Yampolskiy PRF [21] is promising because the formula adds the key and input, thereby seeming to give them symmetric roles, but security requires that the input comes from a much smaller space than the key, and this precludes being a symmetric PRF as per our definition. See Sect. 3 for more information.

\(\underline{\textsc {Symmetric}\,\,\textsc {PRFs.}}\) Our approach to construct dual PRFs is based on the notion we introduce of a symmetric PRF. Let \({\textsf{S}}{\,{:}\,}S \times S \rightarrow {\textsf{S}}.\textsf{Out}\) be a function family whose keyspace and input space are the same set, call it S. We say that \({\textsf{S}}\) is symmetric if \({\textsf{S}}(a_0,a_1) = {\textsf{S}}(a_1,a_0)\) for all \(a_0,a_1\in S\). That is, \({\textsf{S}}\) is unchanged if the order of its inputs is swapped. Then, we make the following observation. Suppose \({\textsf{S}}\) is (1) A PRF, and (2) is symmetric. Then, it is a dual PRF. This is easy to see because the symmetry implies that \({\textsf{S}}^{\textrm{swap}} = {\textsf{S}}\); namely, \({\textsf{S}}^{\textrm{swap}}\) is in fact identical to \({\textsf{S}}\). So its PRF security follows directly from the fact that \({\textsf{S}}\) is a PRF. We will construct symmetric PRFs.

\(\underline{\textsc {SPRF.}}\) In Sect. 5, we give a general construction of a symmetric (hence dual) PRF \({\textsf{S}}{\,{:}\,}D\times D \rightarrow \{0,1\}^k\). It is defined in terms of three other functions \(E,H,{\textsf{R}}\) as follows:

[Figure a: pseudocode of the SPRF construction \({\textsf{S}}\) in terms of \(E,H,{\textsf{R}}\); not reproduced]

Here, \({\textsf{R}}\) is a PRF with range \(\{0,1\}^k\) and D is some appropriate domain. The functions \(E,H\) can be thought of roughly as “extract” and “hash,” and they will be instantiated in different ways. The idea is that \(r_0,z_0\) depend on the input \(a_0\), while \(r_1,z_1\) depend on the input \(a_1\), and only in the application of \({\textsf{R}}\) are the inputs “mixed.” Two applications of \({\textsf{R}}\) are used, the key being an r-value and the input the opposing z-value. Note that the use of this high-level structure with the xor already guarantees that \({\textsf{S}}\) is symmetric, regardless of the choices of \({\textsf{R}},E,H\).

Now, we need to find choices of \(E,H\) under which \({\textsf{S}}\) is a PRF. Intuitively, a difficulty in using the PRF security of \({\textsf{R}}\) is that the construction does not use a key for \({\textsf{R}}\) in a blackbox way. If we think of \(r_0\) as the key, then \(z_0\) is related information that is needed to simulate an attacker against \({\textsf{S}}\).

Very roughly, we want E to extract hardcore bits, and we want H to provide some kind of collision resistance (CR). In the proof that \({\textsf{S}}\) is a PRF we would first use the security of E to move to a game in which \(r_0\) is random. Then, we would use the PRF security of \({\textsf{R}}\) to replace \({\textsf{R}}(r_0,\cdot )\) with a random function R. Finally, we would use the CR-security of H to say that the \(z_1\) values do not repeat, which means in each xor the first component, and hence the whole, is random.

However, getting this to work requires some care. We strive to make the conditions on \(E,H\) as weak and general as possible so as to allow the maximum flexibility in instantiation and the ability to instantiate under assumptions as weak as possible. In this spirit, one choice we make is to allow both E and H to be keyed. Both the key and the input would be derived from the single input \(a_i\) above. Now, the main difficulty is that no standard notion of hardcore function security suffices for E. Instead, we introduce the notion of E being a leakage hardcore function for H. Roughly—the formal definition is in Sect. 4—this means that E with a target key applied to a hidden \(x_0\) continues to look random even given an oracle that can get the results of H at \(x_0\) under other, different keys of its choice. For H, we ask that it be computationally almost universal (CAU) [6]. This is a weak form of collision resistance in which the adversary must produce its collision without knowing the key. See Sect. 5 for the full construction and Theorem 4 for the formal claim and proof of PRF security.

\(\underline{\textsc {Instantiations.}}\) To obtain constructions of symmetric (and hence dual) PRFs under specific, standard assumptions, we instantiate the primitives in our general SPRF construction under the assumption in question. In Sect. 6, we give two corresponding results, one under one-way permutations (OWPs) and the other under collision-resistant (CR) hash functions, meaning either of these assumptions now yields symmetric and dual PRFs. The OWP instantiation uses the Blum–Micali–Yao (BMY) PRG [16, 33] to instantiate the leakage hardcore function E and an iterated OWP to instantiate H. The CR hash function instantiation uses a CR hash to instantiate H and a strong randomness extractor to instantiate E.

\(\underline{\textsc {Discussion}\,\,\textsc {and}\,\,\textsc {open}\,\,\textsc {questions.}}\) The main open question that evades us is a construction of a symmetric and dual PRF from any one-way function (OWF). The first question is whether one can instantiate our SPRF construction under a OWF. If not, the next question is whether there is some other, different construction.

We note that while our result about SPRF has striven to make as general and weak-as-possible assumptions on the component functions \(E,H\), we have not, in our instantiations, found a way to take full advantage of this. The only way we have found to get a leakage hardcore function E for H is to make H a keyless CR function, in which case Lemma 2 says that E being a standard hardcore function for H suffices. But there may, potentially, exist choices of keyed, CAU functions H for which a leakage hardcore function E exists, and this may then be a direction toward a OWF-based dual PRF.

\(\underline{\textsc {Subsequent}\,\,\textsc {work.}}\) The motivation for our new constructions of dual PRFs was primarily theoretical, namely to give a generic validation for the dual PRF assumption on the compression function used in the proof of PRF security of HMAC [6]. Following the posting of our paper on the Cryptology ePrint Archive [11], however, Aviram, Dowling, Komargodski, Paterson, Ronen and Yogev (ADKPRY) [2] revisit the problem of constructing dual PRFs with a more practical motivation, namely the use of dual PRFs as key combiners in the TLS 1.3 key schedule. They extend our general construction above to apply, at the end, an output function G, meaning their dual PRF returns \(G({\textsf{S}}(a_0,a_1))\) where \({\textsf{S}}(a_0,a_1)\) is defined via \({\textsf{R}},E,H\) as above. They then instantiate \({\textsf{R}},E,H,G\) via HMAC to obtain an efficient dual PRF.

The assumption made in TLS 1.3 [19, 22] and the other above-mentioned Internet security protocols [1, 15, 18, 28, 32] is that HMAC itself is a dual PRF. This assumption has been validated by Backendal, Bellare, Günther and Scarlata (BBGS) [3] via a proof of dual PRF security of HMAC based on certain assumptions on the underlying compression function h. We note that these assumptions include that h is itself a dual PRF.

2 Basic Definitions

Our treatment is concrete rather than asymptotic. For any security goal for a primitive, for example, PRF security of a function family, we define an advantage metric, in this case the PRF advantage of an adversary against the function family, which is a number. There is no explicit security parameter; one way of thinking about it is to consider that the security parameter has been fixed. For a function family to be a PRF typically means, informally, that “efficient” adversaries have “negligible” PRF advantage; in the absence of a security parameter, this is defined in quantitative, rather than asymptotic, terms. Theorems are made formal by giving the concrete security of reductions. Discussion surrounding theorems will clarify what they mean qualitatively. The concrete treatment makes notation somewhat simpler, allows us to see the quantitative security of reductions, and is more in keeping with the motivating setting of HMAC, where there are no asymptotics.

\(\underline{\textsc {Notation}\,\,\textsc {and}\,\,\textsc {conventions.}}\) We let \(\varepsilon \) denote the empty string. If y is a string, then |y| denotes its length and y[i] denotes its i-th coordinate for \(1\le i \le |y|\). If \({X}\) is a finite set, we let denote picking an element of \({X}\) uniformly at random and assigning it to x. Algorithms may be randomized unless otherwise indicated. Running time is worst case. If A is an algorithm, we let \(y \leftarrow A(x_1,\ldots ;r)\) denote running A with random coins r on inputs \(x_1,\ldots \) and assigning the output to y. We let be the result of picking r at random and letting \(y \leftarrow A(x_1,\ldots ;r)\). We let \([A(x_1,\ldots )]\) denote the set of all possible outputs of A when invoked with inputs \(x_1,\ldots \).

We use the code-based game playing framework of [12]. (See Fig. 1 for an example.) By \(\textrm{Pr}[\textrm{G}]\), we denote the event that the execution of game \(\textrm{G}\) results in the game returning \(\textsf{true}\). We adopt the convention that the running time of an adversary refers to the worst-case execution time of the game with the adversary, so that the time for the execution of oracles to compute replies to oracle queries is included. This means that usually in reductions, adversary running time is roughly maintained. In writing a game, we assume Boolean variables (e.g., \(\textsf{bad}\)) are automatically initialized to \(\textsf{false}\).

\(\underline{\textsc {Function}\,\,\textsc {families.}}\) A function family \({\textsf{F}}{\,{:}\,}{\textsf{F}}.\textsf{Keys}\times {\textsf{F}}.\textsf{Inp}\rightarrow {\textsf{F}}.\textsf{Out}\) is a 2-argument function taking a key in the keyspace \({\textsf{F}}.\textsf{Keys}\) and an input x in the input space \({\textsf{F}}.\textsf{Inp}\) to return an output in the output space \({\textsf{F}}.\textsf{Out}\). For , we let be defined by for all \(x\in {\textsf{F}}.\textsf{Inp}\). We say that \({\textsf{F}}\) is a permutation family if \({\textsf{F}}.\textsf{Inp}={\textsf{F}}.\textsf{Out}\) and is a permutation for every . We say that \({\textsf{F}}\) is keyless if \({\textsf{F}}.\textsf{Keys}=\{\varepsilon \}\) consists only of the empty string. (It is tempting in this case to just drop the key in the notation but it makes it harder to pattern-match with the definitions and so, somewhat pedantically, we tend to explicitly write \(\varepsilon \) as the key when dealing with keyless families.) The reason to consider such families is that some notions of security, such as one-wayness, hold just as well for them. (For others, like PRF security, keying is crucial.)

Fig. 1: Games for defining PRF and OWF security of a function family \({\textsf{F}}\), CAU-security of a function family \({\textsf{H}}\) and \(\textsf{HC}\) being a hardcore function family for \({\textsf{H}}\). [figure image not reproduced]

\(\underline{\textsc {Pseudo-random}\,\,\textsc {functions.}}\) The security of function family \({\textsf{F}}\) as a PRF is defined via game \({\textbf{G}}^{\textsf{prf}}_{{\textsf{F}}}(\mathcal{A})\) of Fig. 1 associated with \({\textsf{F}}\) and adversary \(\mathcal{A}\). Table T is assumed initially \(\bot \) everywhere. The PRF advantage of \(\mathcal{A}\) is

$$\begin{aligned} \textbf{Adv}^{\textsf{prf}}_{{\textsf{F}}}(\mathcal{A})&= 2 \textrm{Pr}[{\textbf{G}}^{\textsf{prf}}_{{\textsf{F}}}(\mathcal{A})] - 1 \nonumber \\&= {\textrm{Pr}}[\,{\textbf{G}}^{\textsf{prf}}_{{\textsf{F}}}(\mathcal{A})\,|\,c=1\,] - \left( 1-{\textrm{Pr}}[\,{\textbf{G}}^{\textsf{prf}}_{{\textsf{F}}}(\mathcal{A})\,|\,c=0\,]\right) \;. \end{aligned}$$
(1)

The first equation is the definition, while the second is an alternative representation known to be equal by a standard conditioning argument.

\(\underline{\textsc {One-way}\,\,\textsc {functions.}}\) The security of function family \({\textsf{F}}\) as a OWF is defined via game \({\textbf{G}}^{\textsf{ow}}_{{\textsf{F}}}(\mathcal{A})\) of Fig. 1 associated with \({\textsf{F}}\) and adversary \(\mathcal{A}\). The point \(x'\) returned by the latter is required to be in \({\textsf{F}}.\textsf{Inp}\). The owf advantage of \(\mathcal{A}\) is defined as \(\textbf{Adv}^{\textsf{ow}}_{{\textsf{F}}}(\mathcal{A}) = \textrm{Pr}[{\textbf{G}}^{\textsf{ow}}_{{\textsf{F}}}(\mathcal{A})]\). In this case, \({\textsf{F}}\) may or may not be keyed. A one-way permutation (OWP) is simply a family of permutations that is a OWF.

\(\underline{\textsc {Universal}\,\,\textsc {and} \,\,\text {CAU}\,\,\textsc {functions.}}\) Consider game \({\textbf{G}}^{\textsf{cau}}_{{\textsf{H}}}(\mathcal{A})\) of Fig. 1 associated with \({\textsf{H}}\) and adversary \(\mathcal{A}\). The points \(x_0,x_1\) returned by the latter are required to be in \({\textsf{H}}.\textsf{Inp}\). The CAU-advantage of \(\mathcal{A}\) is defined as \(\textbf{Adv}^{\textsf{cau}}_{{\textsf{H}}}(\mathcal{A}) = \textrm{Pr}[{\textbf{G}}^{\textsf{cau}}_{{\textsf{H}}}(\mathcal{A})]\). We say that \({\textsf{H}}\) is universal if \(\textbf{Adv}^{\textsf{cau}}_{{\textsf{H}}}(\mathcal{A}) = 1 / |{\textsf{H}}.\textsf{Out}|\) for all adversaries \(\mathcal{A}\), regardless of their computing time. Computational almost universal functions, introduced by Bellare [6], are a relaxation of universal functions in which the advantage is treated as a computational metric in the usual way and adversaries may be computationally bounded.

\(\underline{\textsc {CR}\,\,\textsc {functions.}}\) The security of function family \({\textsf{H}}\) as a collision-resistant (CR) function is defined via game \({\textbf{G}}^{\textsf{cr}}_{{\textsf{H}}}(\mathcal{A})\) of Fig. 1 associated with \({\textsf{H}}\) and adversary \(\mathcal{A}\). The points \(x_0,x_1\) returned by the latter are required to be in \({\textsf{H}}.\textsf{Inp}\). The CR advantage of \(\mathcal{A}\) is defined as \(\textbf{Adv}^{\textsf{cr}}_{{\textsf{H}}}(\mathcal{A}) = \textrm{Pr}[{\textbf{G}}^{\textsf{cr}}_{{\textsf{H}}}(\mathcal{A})]\). Practical CR hash functions such as SHA-256 are keyless. A CR function family is CAU, giving an easy way to get the latter.

\(\underline{\textsc {Extractors.}}\) Let \(X,Y\) be random variables. We define \(\textbf{SD}(X,Y)\), the statistical distance between X and Y; \({\textbf{H}}_{\infty }(X)\), the min-entropy of X; and \({\textbf{H}}_{\infty }(X|Y)\), the min-entropy of X given Y, via:

$$\begin{aligned} \textbf{SD}(X,Y)&= \frac{1}{2} \sum _{z} | \textrm{Pr}[X=z] - \textrm{Pr}[Y=z] | \\ 2^{-{\textbf{H}}_{\infty }(X)}&= \max _x \textrm{Pr}[X=x] \\ 2^{-{\textbf{H}}_{\infty }(X|Y)}&= \sum _y \textrm{Pr}[Y=y] \cdot \max _x {\textrm{Pr}}[\,X=x\,|\,Y=y\,] \;. \end{aligned}$$

Recall, paraphrasing the definition above, that a function family \(\textsf{Ext}{\,{:}\,}\{0,1\}^s\times \{0,1\}^n\rightarrow \{0,1\}^m\) is universal if for every distinct \(x_1,x_2\in \{0,1\}^n\) we have where the probability is over . The following is a generalized version of the leftover hash lemma (LHL) [20, 27].

Lemma 1

Let \(\textsf{Ext}{\,{:}\,}\{0,1\}^s\times \{0,1\}^n\rightarrow \{0,1\}^m\) be a function family that is universal. Let X be a random variable over \(\{0,1\}^n\). Let \(U_s,U_m\) be random variables distributed uniformly over \(\{0,1\}^s\) and \(\{0,1\}^m\), respectively, and let Y be a random variable. Assume the three random variables \((X,Y),U_s,U_m\) are independent. Then,

$$\begin{aligned} \textbf{SD}((U_s,\textsf{Ext}(U_s,X),Y),(U_s,U_m,Y))&\le \frac{1}{2} \sqrt{2^{m-{\textbf{H}}_{\infty }(X|Y)}} \;. \end{aligned}$$
(2)
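To make the statistical-distance and min-entropy definitions above and the bound of Lemma 1 concrete, here is an added, self-contained example (not code from the paper) that works over a small universe so that everything can be computed exactly. It instantiates \(\textsf{Ext}\) as a universal family with \(n=8\) and \(m=2\): interpret the seed \(s\) and input \(x\) as elements of \(\textrm{GF}(2^8)\) and output the top \(m\) bits of their product. The choice of this family, of the field polynomial and of the sample distribution for \(X\) (uniform on 16 bytes, so \({\textbf{H}}_{\infty }(X)=4\)) are the example's own assumptions; \(Y\) is taken to be empty, so the conditional min-entropy reduces to \({\textbf{H}}_{\infty }(X)\). The code checks universality exhaustively, computes \(\textbf{SD}((U_s,\textsf{Ext}(U_s,X)),(U_s,U_m))\) exactly, and compares it against the right-hand side of (2).

```python
from fractions import Fraction
import math

N_BITS = 8   # n: seed and input length in bits (elements of GF(2^8))
M_BITS = 2   # m: extractor output length in bits


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (assumed field polynomial)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
    return r


def ext(s: int, x: int) -> int:
    """Ext(s, x): the top m bits of s*x in GF(2^n); a universal hash family."""
    return gf_mul(s, x) >> (N_BITS - M_BITS)


def is_universal() -> bool:
    """Check Pr_s[Ext(s,x1) = Ext(s,x2)] = 2^-m for every x1 != x2.

    Ext is GF(2)-linear in x, so Ext(s,x1) = Ext(s,x2) iff ext(s, x1 ^ x2) == 0;
    hence it suffices to range over every nonzero difference d = x1 ^ x2.
    """
    target = Fraction(1, 2 ** M_BITS)
    for d in range(1, 2 ** N_BITS):
        hits = sum(1 for s in range(2 ** N_BITS) if ext(s, d) == 0)
        if Fraction(hits, 2 ** N_BITS) != target:
            return False
    return True


def min_entropy(dist: dict) -> float:
    """H_inf(X) = -log2 max_x Pr[X = x]."""
    return -math.log2(max(dist.values()))


def statistical_distance(p: dict, q: dict) -> Fraction:
    """SD(P, Q) = 1/2 * sum_z |P(z) - Q(z)|, computed exactly with Fractions."""
    keys = set(p) | set(q)
    return sum(abs(p.get(k, Fraction(0)) - q.get(k, Fraction(0))) for k in keys) / 2


def lhl_check(x_dist: dict) -> dict:
    """Compare the joint law of (U_s, Ext(U_s, X)) with that of (U_s, U_m)
    and return the exact SD next to the leftover-hash-lemma bound (2)."""
    n_seeds = 2 ** N_BITS
    real, ideal = {}, {}
    for s in range(n_seeds):
        for x, px in x_dist.items():
            key = (s, ext(s, x))
            real[key] = real.get(key, Fraction(0)) + px / n_seeds
        for v in range(2 ** M_BITS):
            ideal[(s, v)] = Fraction(1, n_seeds * 2 ** M_BITS)
    h = min_entropy(x_dist)
    return {
        "min_entropy": h,
        "sd": statistical_distance(real, ideal),
        "bound": 0.5 * math.sqrt(2 ** (M_BITS - h)),
    }


def sample_low_nibble_distribution() -> dict:
    """Constructed sample source: X uniform on the 16 bytes whose high nibble is 0."""
    return {x: Fraction(1, 16) for x in range(16)}


if __name__ == "__main__":
    print("universal:", is_universal())
    print(lhl_check(sample_low_nibble_distribution()))
```

With \(m=2\) and \({\textbf{H}}_{\infty }(X)=4\) the bound in (2) evaluates to \(\tfrac{1}{2}\sqrt{2^{-2}}=0.25\); the computed distance stays below it, as the lemma guarantees for any universal family. Raising \(m\) toward the min-entropy makes the bound, and the real gap, grow, which is the quantitative reason extractors must output fewer bits than the source has entropy.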

\(\underline{\textsc {Symmetric}\,\,\textsc {PRFs.}}\) Let \({\textsf{S}}{\,{:}\,}S_0 \times S_1 \rightarrow {\textsf{S}}.\textsf{Out}\) be a function family. Let \({\textsf{S}}^{\textrm{swap}} {\,{:}\,}S_1 \times S_0 \rightarrow {\textsf{S}}.\textsf{Out}\) be defined by \({\textsf{S}}^{\textrm{swap}}(a_0,a_1) = {\textsf{S}}(a_1,a_0)\). We say that \({\textsf{S}}\) is a dual PRF if both \({\textsf{S}}\) and \({\textsf{S}}^{\textrm{swap}}\) are PRFs. We say that \({\textsf{S}}\) is symmetric if \(S_0=S_1\) and \({\textsf{S}}(a_0,a_1) = {\textsf{S}}(a_1,a_0)\) for every \(a_0,a_1\in S_1\). If \({\textsf{S}}\) is symmetric, then \({\textsf{S}}^{\textrm{swap}} = {\textsf{S}}\). Thus, if \({\textsf{S}}\) is symmetric and a PRF, it is automatically a dual PRF. We will accordingly target the stronger notion of a symmetric PRF and obtain a dual PRF as a consequence.

3 Dual PRF Security of Existing PRF Constructions

If we seek dual PRFs, the first and natural question is whether existing constructions of PRFs might happen to already be dual. Here, we look at a few popular ones and show this is not the case.

\(\underline{\textsc {GGM.}}\) Let \({\textsf{F}}_1 {\,{:}\,}\{0,1\}^k \times \{0,1\}\rightarrow \{0,1\}^k\) be a PRF with input space \(\{0,1\}\). The GGM construction [24] builds from it the PRF \(\textsf{GGM}{\,{:}\,}\{0,1\}^k \times \{0,1\}^k \rightarrow \{0,1\}^k\) defined as follows.

[Figure b: pseudocode defining \(\textsf{GGM}\) from \({\textsf{F}}_1\); not reproduced]

Suppose \({\textsf{F}}_1\) has the property that \({\textsf{F}}_1(0^k,0)={\textsf{F}}_1(0^k,1)=0^k\). It could still be a PRF, and in particular, if PRFs exist, we can easily build a PRF \({\textsf{F}}_1\) with this property. But then \(\textsf{GGM}^{\textrm{swap}}(y,0^k) = \textsf{GGM}(0^k,y) = 0^k\) so \(\textsf{GGM}^{\textrm{swap}}\) is certainly not a PRF. Thus, \(\textsf{GGM}\) is not a dual PRF. This shows that the GGM construction does not in general yield a dual PRF.
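The following added example (not code from the paper) makes the two preceding negative results concrete, the generic one from the introduction and the GGM one just above. It builds \({\textsf{F}}_1\) from HMAC-SHA256 truncated to \(k=128\) bits and then patches in the exceptional behaviour \({\textsf{F}}_1(0^k,0)={\textsf{F}}_1(0^k,1)=0^k\), which leaves PRF security intact because \(0^k\) is the key with probability \(2^{-k}\). The standard GGM tree walk is the example's own rendering of the construction; \(\textsf{GGM}^{\textrm{swap}}\) is then shown to be constant on the query \(0^k\), and a one-query distinguisher for the swapped PRF game is run against both the real and the random oracle.

```python
import hashlib
import hmac
import os

K_BYTES = 16            # k = 128 bits: keys and inputs are 16-byte strings
ZERO = bytes(K_BYTES)   # the exceptional key 0^k


def f1(key: bytes, bit: int) -> bytes:
    """F_1: {0,1}^k x {0,1} -> {0,1}^k (HMAC-SHA256 truncated to k bits), with
    the assumed property F_1(0^k, 0) = F_1(0^k, 1) = 0^k patched in."""
    if key == ZERO:
        return ZERO
    return hmac.new(key, bytes([bit]), hashlib.sha256).digest()[:K_BYTES]


def bits(x: bytes):
    """Yield the bits of x, most significant first."""
    for byte in x:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def ggm(key: bytes, x: bytes) -> bytes:
    """GGM(key, x): descend the binary tree one level per input bit."""
    cur = key
    for b in bits(x):
        cur = f1(cur, b)
    return cur


def ggm_swap(a0: bytes, a1: bytes) -> bytes:
    """GGM^swap(a0, a1) = GGM(a1, a0): the key of GGM^swap is GGM's input."""
    return ggm(a1, a0)


def distinguisher(oracle) -> int:
    """One-query PRF adversary against GGM^swap: ask for 0^k and output 1 if the
    reply is 0^k. Against GGM^swap(y, .) this always holds, since the walk from
    key 0^k never leaves 0^k; a random function replies 0^k with prob. 2^-k."""
    return 1 if oracle(ZERO) == ZERO else 0


def run_prf_game(real: bool) -> int:
    """PRF game for GGM^swap with a fresh random key y (real) or a lazily
    sampled random function (ideal); returns the adversary's output bit."""
    y = os.urandom(K_BYTES)
    table = {}

    def oracle(x: bytes) -> bytes:
        if real:
            return ggm_swap(y, x)
        return table.setdefault(x, os.urandom(K_BYTES))

    return distinguisher(oracle)


def attack_succeeds(trials: int = 8) -> bool:
    """The adversary answers 1 in every real game and 0 (w.o.p.) in every ideal
    game, so its PRF advantage against GGM^swap is essentially 1."""
    return all(run_prf_game(True) == 1 and run_prf_game(False) == 0
               for _ in range(trials))


if __name__ == "__main__":
    print("GGM^swap(y, 0^k) == 0^k for random y:",
          ggm_swap(os.urandom(K_BYTES), ZERO) == ZERO)
    print("distinguisher wins:", attack_succeeds())
```

The same one-query distinguisher is what breaks the generic counterexample in the introduction, where \({\textsf{S}}(0^k,a)=a\) hands the swapped key back to the adversary; here the leaked value is the constant \(0^k\) rather than the key, but the advantage is equally close to 1. Nothing about \({\textsf{F}}_1\) being a good PRF in the forward direction protects the swapped direction.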

\(\underline{\textsc {Naor}\,\,\textsc {Reingold.}}\) Let \(\mathbb {G}\) be a prime-order group in which the DDH problem is hard, and let \(g\in \mathbb {G}\) be a generator of \(\mathbb {G}\). Let \(q = |\mathbb {G}|\). The Naor–Reingold PRF [30] \(\textsf{NR}{\,{:}\,}{{{\mathbb {Z}}}}_q^{n+1} \times \{0,1\}^n \rightarrow \mathbb {G}\) is defined by

[Figure c: formula defining \(\textsf{NR}({\textbf{a}},x)\); not reproduced]

Here, the key \({\textbf{a}}\) is an \((n+1)\)-vector over \({{{\mathbb {Z}}}}_q\) and its i-th component is denoted \({\textbf{a}}[i] \in {{{\mathbb {Z}}}}_q\), with the components indexed from 0 to n. Let \(\texttt{1}_{\mathbb {G}}\) denote the identity element of \(\mathbb {G}\), and let \({\textbf{0}} = (0,\ldots ,0) \in {{{\mathbb {Z}}}}_q^{n+1}\) denote the \((n+1)\)-vector all of whose components equal 0. Then, \(\textsf{NR}^{\textrm{swap}}(x,{\textbf{0}}) = \textsf{NR}({\textbf{0}},x) = g^0 = \texttt{1}_{\mathbb {G}}\) for all \(x\in \{0,1\}^n\). Thus, \(\textsf{NR}^{\textrm{swap}}\) cannot be a PRF and \(\textsf{NR}\) is not a dual PRF. This is true for all choices of \(\mathbb {G},g\).

Some variants of \(\textsf{NR}\) [9] restrict the keyspace to \(({{{\mathbb {Z}}}}_q^*)^{n+1}\), which would preclude the above attack on \(\textsf{NR}^{\textrm{swap}}\). However, \(\textsf{NR}^{\textrm{swap}}\) is still subject to attack by setting \({\textbf{a}}\) to all 1s.

\(\underline{\textsc {Dodis}\,\,\textsc {Yampolskiy.}}\) Let \({\textbf{e}}{\,{:}\,}\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\) be a non-degenerate bilinear map, where groups \(\mathbb {G},\mathbb {G}_T\) have prime order p. Let g be a generator of \(\mathbb {G}\) and \(S\subseteq {{{\mathbb {Z}}}}_p\) a set of size N. Then, the Dodis–Yampolskiy PRF [21] \(\textsf{DY}{\,{:}\,}{{{\mathbb {Z}}}}_p\times S\rightarrow \mathbb {G}_T\) is defined by

[Figure d: formula defining \(\textsf{DY}(a,x)\); not reproduced]

This construction is promising because the roles of a and x are symmetric, so we may think we can swap them and have a symmetric PRF. The difficulty is that for security the input x must come from a much smaller space than the key, meaning \(N=|S|\) is much less than p. This is because security is based on the q-BDHI assumption, and as per [21, Theorem 2], security of the PRF requires \(q = N\) and security of q-BDHI for adversaries with running time more than N. In particular, the construction is not shown secure when \(S = {{{\mathbb {Z}}}}_p\). But to meet our definition of a symmetric PRF from Sect. 2, the keyspace and domain must be the same set. This asymmetry in the key and input for \(\textsf{DY}\), and how it precludes some applications, has been pointed out before in several contexts, including in BC [9] for security against related-key attack.

Finally, we note that if \(S={{{\mathbb {Z}}}}_p\), then \(\textsf{DY}\) is symmetric. Hence, if it is a PRF, then it is also a dual PRF. So is it a PRF when \(S={{{\mathbb {Z}}}}_p\)? To the best of our knowledge, this is an open question; we are aware of neither a proof nor an attack.

\(\underline{\textsc {Discussion.}}\) Although this should be obvious, we should nonetheless clarify that the above attacks do not represent any bugs or critiques. These constructions were not designed or claimed to be dual PRFs. But the first question one should ask in seeking dual PRFs is whether existing constructions of PRFs happen to be dual PRFs. The above indicates that this is not the case and one must seek new constructions.

4 Leakage Hardcore Functions

For our construction, we will introduce an extension of the standard notion of a hardcore function. We call it a leakage hardcore function. To understand it, it is useful to begin by recalling the usual notion.

\(\underline{\textsc {Hardcore}\,\,\textsc {functions.}}\) Suppose \({\textsf{H}}\) is a function family. A hardcore function for \({\textsf{H}}\) is a function family \(\textsf{HC}{\,{:}\,}\textsf{HC}.\textsf{Keys} \times ({\textsf{H}}.\textsf{Keys}\times {\textsf{H}}.\textsf{Inp}) \rightarrow \textsf{HC}.\textsf{Out}\), so that an input is a pair consisting of a key for \({\textsf{H}}\) and an input for \({\textsf{H}}\). We say that \(\textsf{HC}\) is a hardcore predicate for \({\textsf{H}}\) if \(\textsf{HC}.\textsf{Out} = \{0,1\}\). (Some hardcore functions are unkeyed; in fact both the RSA and the DL function families have unkeyed hardcore functions. On the other hand, the Goldreich–Levin hardcore predicate has a key that is a randomly chosen string.) Recall that security considers an adversary given a key defining the function , a key for the hardcore function, and the result of evaluating the function at . Now, the adversary gets \(s_c\) for a challenge bit c where is the output of the hardcore function on \(x_0\) and \(s_0\) is a random string of the same length. The adversary should have a hard time figuring out c. Formally, the security of \(\textsf{HC}\) as a hardcore function for \({\textsf{H}}\) is defined via game \({\textbf{G}}^{\textsf{hc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A})\) of Fig. 2 associated with \({\textsf{H}},\textsf{HC}\) and adversary \(\mathcal{A}\). The hcf advantage of \(\mathcal{A}\) is defined as \(\textbf{Adv}^{\textsf{hc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A}) = 2\textrm{Pr}[{\textbf{G}}^{\textsf{hc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A})]-1\).

Fig. 2: Games for defining security of \(\textsf{HC}\) as a standard and leakage hardcore function for \({\textsf{H}}\). [figure image not reproduced]

\(\underline{\textsc {Leakage}\,\,\textsc {hardcore}\,\,\textsc {functions.}}\) A leakage hardcore (LHC) function for \({\textsf{H}}\) is again a function family \(\textsf{HC}{\,{:}\,}\textsf{HC}.\textsf{Keys} \times ({\textsf{H}}.\textsf{Keys}\times {\textsf{H}}.\textsf{Inp}) \rightarrow \textsf{HC}.\textsf{Out}\), so that an input is a pair consisting of a key for \({\textsf{H}}\) and an input for \({\textsf{H}}\). Again we say that \(\textsf{HC}\) is a leakage hardcore predicate for \({\textsf{H}}\) if \(\textsf{HC}.\textsf{Out} = \{0,1\}\). The new element in a leakage hardcore function is that the adversary has an oracle \(\textsc {Lk}\) via which it can obtain “leakage” about \(x_0\). This leakage has a very particular form (although one could define LHC functions more generally, allowing other leakage as well); namely, the adversary can obtain the value of the same function family \({\textsf{H}}\) on \(x_0\) under any key of its choice. Thus, \(\textsc {Lk}\) takes input and returns , the result of evaluating \({\textsf{H}}\) on the given key under the hidden input \(x_0\). The requirement is that figuring out the challenge bit remains hard. The formalization uses game \({\textbf{G}}^{\textsf{lhc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A})\) of Fig. 2 associated with \({\textsf{H}},\textsf{HC}\) and adversary \(\mathcal{A}\). The lhc-advantage of \(\mathcal{A}\) is defined as \(\textbf{Adv}^{\textsf{lhc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A}) = 2\textrm{Pr}[{\textbf{G}}^{\textsf{lhc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A})] - 1\). Since \(\mathcal{A}\) could in particular call its oracle on , we omit giving it as input as in the standard game.

\(\underline{\textsc {Building}\,\,\textsc {leakage}\,\,\textsc {hardcore}\,\,\textsc {functions.}}\) Toward getting a leakage hardcore function for a given function family \({\textsf{H}}\), one simple observation is that if \({\textsf{H}}\) is keyless, then a standard hardcore function is leakage hardcore. This is captured by the following lemma.

Lemma 2

Suppose \({\textsf{H}}\) is a keyless function family and \(\textsf{HC}{\,{:}\,}\textsf{HC}.\textsf{Keys} \times (\{\varepsilon \} \times {\textsf{H}}.\textsf{Inp}) \rightarrow \textsf{HC}.\textsf{Out}\) is a function family. Let \(\mathcal{A}\) be an lhc-adversary. Then, the proof constructs an hc-adversary \(\mathcal{A}_0\) such that

$$\begin{aligned} \textbf{Adv}^{\textsf{lhc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A}) \le \textbf{Adv}^{\textsf{hc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A}_0) . \end{aligned}$$

Adversary \(\mathcal{A}_0\) has about the same running time as adversary \(\mathcal{A}\).

Proof

(of Lemma 2) Adversary \(\mathcal{A}_0\) gets inputs and runs \(\mathcal{A}\) on inputs . Since \({\textsf{H}}.\textsf{Keys} = \{\varepsilon \}\), the \(\textsc {Lk}\) oracle is intuitively useless to \(\mathcal{A}\). Formally, if a query is made by \(\mathcal{A}\) to \(\textsc {Lk}\), then it must be that , and thus, \(\mathcal{A}_0\) can simulate the oracle, returning \(w_0\) as the response. Eventually \(\mathcal{A}\) outputs a bit \(c'\), and \(\mathcal{A}_0\) outputs the same bit. \(\square \)

Our construction of a symmetric PRF will need a CAU function family that has a leakage hardcore function which outputs lots of bits. In Sect. 5, we will assume it. Later we will give various constructions from various assumptions.

5 The SPRF Construction

We provide our general SPRF construction of a symmetric, and hence dual, PRF.

\(\underline{\textsc {Ingredients.}}\) Our construction of a symmetric PRF has the following ingredients:

  • A CAU function family \({\textsf{H}}{\,{:}\,}{\textsf{H}}.\textsf{Keys} \times {\textsf{H}}.\textsf{Inp} \rightarrow {\textsf{H}}.\textsf{Out}\)

  • A leakage hardcore function family \(\textsf{HC}{\,{:}\,}\textsf{HC}.\textsf{Keys} \times ({\textsf{H}}.\textsf{Keys}\times {\textsf{H}}.\textsf{Inp}) \rightarrow \textsf{HC}.\textsf{Out}\) for \({\textsf{H}}\).

  • A PRF \({\textsf{R}}{\,{:}\,}\textsf{HC}.\textsf{Out} \times {\textsf{R}}.\textsf{Inp} \rightarrow {\textsf{R}}.\textsf{Out}\) such that \({\textsf{H}}.\textsf{Out}\times {\textsf{H}}.\textsf{Keys}\times \textsf{HC}.\textsf{Keys} \subseteq {\textsf{R}}.\textsf{Inp}\) and the range \({\textsf{R}}.\textsf{Out}\) is a commutative group whose operation we denote \(*\). Thus, a key for \({\textsf{R}}\) is an output of \(\textsf{HC}\), while a triple consisting of an output of \({\textsf{H}}\), a key for \({\textsf{H}}\), and a key for \(\textsf{HC}\) is a valid input for \({\textsf{R}}\).

We refer to a triple \(({\textsf{H}},\textsf{HC},{\textsf{R}})\) of function families satisfying the above conditions as a suite. The simplest case for the group is that \({\textsf{R}}.\textsf{Out} = \{0,1\}^{{\textsf{R}}.\textsf{ol}}\) is the set of all strings of some length \({\textsf{R}}.\textsf{ol}\), and \(y_1 *y_2 = y_1 {\oplus }y_2\), but the existence of efficient PRFs with algebraic ranges [30] motivates being more general.

Fig. 3

Our SPRF construction

\(\underline{\textsc {SPRF}\,\,\textsc {construction.}}\) Our construction associates with any suite \(({\textsf{H}},\textsf{HC},{\textsf{R}})\) as above the function family \({\textsf{S}}= \textbf{SPRF}[{\textsf{H}},\textsf{HC},{\textsf{R}}]\) defined as follows. It has \({\textsf{S}}.\textsf{Keys} = {\textsf{S}}.\textsf{Inp} = {\textsf{H}}.\textsf{Inp} \times {\textsf{H}}.\textsf{Keys} \times \textsf{HC}.\textsf{Keys}\), meaning a key or input is a triple consisting of a point \(x\in {\textsf{H}}.\textsf{Inp} \), a key for the CAU family \({\textsf{H}}\) and a key for the hardcore function family \(\textsf{HC}\). It has range the group \({\textsf{S}}.\textsf{Out} = {\textsf{R}}.\textsf{Out}\). The function family is then defined as shown in Fig. 3.

Proposition 3

Let \(({\textsf{H}},\textsf{HC},{\textsf{R}})\) be a suite of function families. Let \({\textsf{S}}= \textbf{SPRF}[{\textsf{H}},\textsf{HC}, {\textsf{R}}]\) be the function family associated with them as above. Then, \({\textsf{S}}\) is symmetric.

Proof

(Proposition 3) The first condition, that the keyspace and input space of \({\textsf{S}}\) are the same set, is met by definition. For \(a_0,a_1\) in this common set, we now need to show that \({\textsf{S}}(a_0,a_1)={\textsf{S}}(a_1,a_0)\). This follows from the symmetry in the description of \({\textsf{S}}\) and the assumption that the group \({\textsf{R}}.\textsf{Out}\) is commutative. \(\square \)

\(\underline{\textsc {PRF}\,\,\textsc {security}\,\,\textsc {of}\,\,\textsc {SPRF.}}\) To show \({\textsf{S}}\) is a dual PRF, it suffices by Proposition 3 to show that \({\textsf{S}}\) is a PRF. This is the claim of the following theorem.

Theorem 4

Let \(({\textsf{H}},\textsf{HC},{\textsf{R}})\) be a suite of function families. Let \({\textsf{S}}= \textbf{SPRF}[{\textsf{H}},\textsf{HC}, {\textsf{R}}]\) be the (symmetric) function family associated with them as above. Let \(\mathcal{A}\) be an adversary making at most q queries to its \(\textsc {Fn}\) oracle. Then, the proof constructs adversaries \(\mathcal{A}_{{\textsf{H}}},\mathcal{A}_{\textsf{HC}},\mathcal{A}_{{\textsf{R}}}\) such that

$$\begin{aligned} \textbf{Adv}^{\textsf{prf}}_{{\textsf{S}}}(\mathcal{A})&\le \textbf{Adv}^{\textsf{lhc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A}_{\textsf{HC}}) + \textbf{Adv}^{\textsf{prf}}_{{\textsf{R}}}(\mathcal{A}_{{\textsf{R}}}) + \frac{q(q-1)}{2} \cdot \textbf{Adv}^{\textsf{cau}}_{{\textsf{H}}}(\mathcal{A}_{{\textsf{H}}}) \;. \end{aligned}$$
(3)

The running times of the constructed adversaries are about the same as that of the original.

Fig. 4

Games for proof of Theorem 4

Proof

(Theorem 4) Consider games \(\textrm{G}_0\)–\(\textrm{G}_4\) of Fig. 4. In the code for games \(\textrm{G}_0,\textrm{G}_1\), if a line is followed by the name of a game, then that line is included only in the named game. Unmarked lines are included in both games. Game \(\textrm{G}_2\) includes the boxed code, while game \(\textrm{G}_3\) does not.

We assume wlog that the oracle queries of \(\mathcal{A}\) are always all distinct. This means the “If \(T[x]=\bot \)” test in game \({\textbf{G}}^{\textsf{prf}}_{{\textsf{S}}}(\mathcal{A})\) of Fig. 1 will always return \(\textsf{true}\) and so we can drop it. The \(c=1\) case of \({\textbf{G}}^{\textsf{prf}}_{{\textsf{S}}}(\mathcal{A})\) is thus captured by game \(\textrm{G}_0\). On the other hand, game \(\textrm{G}_4\) captures the \(c=0\) case of game \({\textbf{G}}^{\textsf{prf}}_{{\textsf{S}}}(\mathcal{A})\) except that it returns \(\textsf{true}\) iff the latter returns \(\textsf{false}\). From Equation (1), we thus have

$$\begin{aligned} \textbf{Adv}^{\textsf{prf}}_{{\textsf{S}}}(\mathcal{A})&= {\textrm{Pr}}[\,{\textbf{G}}^{\textsf{prf}}_{{\textsf{S}}}(\mathcal{A})\,|\,c=1\,] - \left( 1-{\textrm{Pr}}[\,{\textbf{G}}^{\textsf{prf}}_{{\textsf{S}}}(\mathcal{A})\,|\,c=0\,]\right) \nonumber \\&= \textrm{Pr}[\textrm{G}_0] - \textrm{Pr}[\textrm{G}_4] \nonumber \\&= p_0 + p_1 + p_2 + p_3 \;, \end{aligned}$$
(4)

where for \(i\in \{0,1,2,3\}\) we have let

$$\begin{aligned} p_i&= \textrm{Pr}[\textrm{G}_i] - \textrm{Pr}[\textrm{G}_{i+1}] \;. \end{aligned}$$

We will build adversaries \(\mathcal{A}_{{\textsf{H}}},\mathcal{A}_{\textsf{HC}},\mathcal{A}_{{\textsf{R}}}\) such that

$$\begin{aligned} p_0&\le \textbf{Adv}^{\textsf{lhc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A}_{\textsf{HC}}) \end{aligned}$$
(5)
$$\begin{aligned} p_1&\le \textbf{Adv}^{\textsf{prf}}_{{\textsf{R}}}(\mathcal{A}_{{\textsf{R}}}) \end{aligned}$$
(6)
$$\begin{aligned} p_2&\le \frac{q(q-1)}{2} \cdot \textbf{Adv}^{\textsf{cau}}_{{\textsf{H}}}(\mathcal{A}_{{\textsf{H}}}) \;. \end{aligned}$$
(7)

We will also observe that

$$\begin{aligned} p_3&= 0 \;. \end{aligned}$$
(8)

Putting together Equations (4), (5), (6), (7) and (8), we get Equation (3). We now justify the above claims.

In game \(\textrm{G}_1\), the key \(r_0\) for the first application of \({\textsf{R}}\) is chosen at random rather than obtained as . Consider adversary \(\mathcal{A}_{\textsf{HC}}\) shown in Fig. 5. It is playing game \({\textbf{G}}^{\textsf{lhc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A}_{\textsf{HC}})\), so it has input . It runs \(\mathcal{A}\), simulating the latter’s \(\textsc {Fn}\) oracle via a procedure \(\textsc {FnSim}\) that is shown in the code. The key point is that \(\mathcal{A}_{\textsf{HC}}\) invokes its \(\textsc {Lk}\) oracle to compute \(w_0\). Letting c be the challenge bit in game \({\textbf{G}}^{\textsf{lhc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A}_{\textsf{HC}})\), we have

$$\begin{aligned}{} & {} \textbf{Adv}^{\textsf{lhc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A}_{\textsf{HC}}) \\{} & {} \quad = {\textrm{Pr}}[\,{\textbf{G}}^{\textsf{lhc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A}_{\textsf{HC}})\,|\,c=1\,]-\left( 1-{\textrm{Pr}}[\,{\textbf{G}}^{\textsf{lhc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A}_{\textsf{HC}})\,|\,c=0\,]\right) \\{} & {} \quad = \textrm{Pr}[\textrm{G}_0] - \textrm{Pr}[\textrm{G}_1] = p_0 \end{aligned}$$

which establishes Equation (5).

Fig. 5

Adversaries for proof of Theorem 4

Game \(\textrm{G}_2\) maintains a table \(R[\cdot ]\) that is initially everywhere \(\bot \). It optimistically picks \(y_0\) at random and sets \(R[z_1]\) to this value. However, in between these two steps, it first checks whether \(R[z_1]\) was already defined, and if so, sets the flag \(\textsf{bad}\) to \(\textsf{true}\). This means that the setting of \(R[z_1]\) to the newly-chosen \(y_0\) was wrong. Accordingly (via the boxed code which is included in game \(\textrm{G}_2\)), a correction is made, resetting \(y_0\) back to \(R[z_1]\), so that in this game, \(R[z_1]\) is the result of a random function on \(z_1\). Now, consider adversary \(\mathcal{A}_{{\textsf{R}}}\) shown in Fig. 5. It has an \(\textsc {Fn}\) oracle and runs \(\mathcal{A}\). In the simulation of \(\mathcal{A}\)’s oracle, it applies \(\textsc {Fn}\) to \(z_1\) to get \(y_0\). With c the challenge bit in game \({\textbf{G}}^{\textsf{prf}}_{{\textsf{R}}}(\mathcal{A}_{{\textsf{R}}})\), we have

$$\begin{aligned} \textbf{Adv}^{\textsf{prf}}_{{\textsf{R}}}(\mathcal{A}_{{\textsf{R}}})= & {} {\textrm{Pr}}[\,{\textbf{G}}^{\textsf{prf}}_{{\textsf{R}}}(\mathcal{A}_{{\textsf{R}}})\,|\,c=1\,]-\left( 1- {\textrm{Pr}}[\,{\textbf{G}}^{\textsf{prf}}_{{\textsf{R}}}(\mathcal{A}_{{\textsf{R}}})\,|\,c=0\,] \right) \\= & {} \textrm{Pr}[\textrm{G}_1] - \textrm{Pr}[\textrm{G}_2] = p_1 \end{aligned}$$

which establishes Equation (6).

In game \(\textrm{G}_3\), we may set \(\textsf{bad}\), but since the boxed code is absent, \(y_0\) is always a fresh, random value. Games \(\textrm{G}_2,\textrm{G}_3\) are identical until \(\textsf{bad}\) (differ only in code following the setting of \(\textsf{bad}\) to \(\textsf{true}\)) so by the Fundamental Lemma of Game Playing [12],

$$\begin{aligned} p_2 = \textrm{Pr}[\textrm{G}_2]-\textrm{Pr}[\textrm{G}_3] \le \textrm{Pr}[\textrm{G}_3 \text{ sets } \textsf{bad}] \;. \end{aligned}$$
(9)

We now design \(\mathcal{A}_{{\textsf{H}}}\) so that

$$\begin{aligned} \textrm{Pr}[\textrm{G}_3 \text{ sets } \textsf{bad}] \le \frac{q(q-1)}{2} \cdot \textbf{Adv}^{\textsf{cau}}_{{\textsf{H}}}(\mathcal{A}_{{\textsf{H}}})\;. \end{aligned}$$
(10)

Adversary \(\mathcal{A}_{{\textsf{H}}}\) is shown in Fig. 5. The integer i is the number of \(\textsc {Fn}\) queries made by \(\mathcal{A}\), and we consider two cases. The first is if \(i\le 1\). Then, the probability that \(\textsf{bad}\) is set in \(\textrm{G}_3\) is zero, so Equation (10) is true no matter what \(\mathcal{A}_{{\textsf{H}}}\) returns. So, as a default, we just have \(\mathcal{A}_{{\textsf{H}}}\) return a pair \((u_1,u_2)\) of random inputs. Now, assume \(i\ge 2\). This permits the choices of \(j_1,j_2\) as shown. Now, we note that for game \(\textrm{G}_3\) to set \(\textsf{bad}\), a \(z_1\) value must repeat across queries. By assumption the queries are distinct, so the only way this could happen is if there were queries \(j_1 < j_2\) such that the values in these queries were the same but the \(x_1\) values were different. This would be a collision for . Now, we have to argue that such a collision can be found by a CAU-adversary \(\mathcal{A}_{{\textsf{H}}}\). This adversary does not know , so how can it simulate \(\mathcal{A}\)? In game \(\textrm{G}_3\), the point \(y_0\) is always random. Since \({\textsf{R}}.\textsf{Out}\) is a group, y is also random. So \(\mathcal{A}_{{\textsf{H}}}\) can simulate \(\mathcal{A}\)’s oracle by just returning random values. It does this, collecting all the \(x_1\) values in the queries. In the end, it picks at random two of these values and returns them. This justifies Equation (10), which, combined with Equation (9), justifies Equation (7).

As we have just said, in game \(\textrm{G}_3\), the point \(y_0\) is always random and independent of anything else. Since \({\textsf{R}}.\textsf{Out}\) is a group, y is also random. This justifies Equation (8) and completes the proof. \(\square \)

6 Instantiations

We instantiate our SPRF construction to get symmetric and dual PRFs under specific assumptions.

6.1 Construction from (keyless) CR hash functions

We give a construction from any keyless collision-resistant hash function. It itself will play the role of \({\textsf{H}}\). The following lemma says that for suitable choices of parameters, an extractor (see Sect. 2 for background) will provide a leakage hardcore function.

Lemma 5

Let \({\textsf{H}}{\,{:}\,}\{\varepsilon \}\times \{0,1\}^n\rightarrow \{0,1\}^r\) be a keyless function family. Let \(\textsf{Ext}{\,{:}\,}\{0,1\}^s\times \{0,1\}^n\rightarrow \{0,1\}^m\) be a function family that is universal. Let \(\textsf{HC}{\,{:}\,}\{0,1\}^s\times (\{\varepsilon \}\times \{0,1\}^n)\rightarrow \{0,1\}^m\) be defined by . Let \(\mathcal{A}\) be an LHC-adversary. Then,

$$\begin{aligned} \textbf{Adv}^{\textsf{lhc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A})&\le 2^{-(n+2-m-r)/2} \;. \end{aligned}$$
(11)

The result is information-theoretic, meaning it is true regardless of the running time of \(\mathcal{A}\).

Proof

(of Lemma 5) Let random variable X be uniformly distributed over \(\{0,1\}^n\). Let \(U_s,U_m\) be random variables distributed uniformly over \(\{0,1\}^s\) and \(\{0,1\}^m\), respectively, and let \(Y = {\textsf{H}}(\varepsilon ,X)\). The following chain of inequalities, which establishes the lemma, is justified below:

$$\begin{aligned} \textbf{Adv}^{\textsf{lhc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A})&\le \textbf{SD}((U_s,\textsf{Ext}(U_s,X),Y),(U_s,U_m,Y)) \end{aligned}$$
(12)
$$\begin{aligned}&\le \frac{1}{2} \sqrt{2^{m-{\textbf{H}}_{\infty }(X|Y)}} \end{aligned}$$
(13)
$$\begin{aligned}&\le 2^{-(n+2-m-r)/2} \;. \end{aligned}$$
(14)

Let X and \(U_s\) represent, respectively, the randomly chosen \(x_0\) and in game \({\textbf{G}}^{\textsf{lhc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A})\) of Fig. 2. Then, \(\textsf{Ext}(U_s,X)\) represents \(s_1\), while \(U_m\) represents \(s_0\). Since \({\textsf{H}}\) is keyless, the only information \(\mathcal{A}\) can get from its \(\textsc {Lk}\) oracle is \(Y = {\textsf{H}}(\varepsilon ,X)\). The statistical distance of Equation (12) then represents the maximum possible advantage that \(\mathcal{A}\) can obtain. The three random variables \((X,Y),U_s, U_m\) are independent so we can apply Lemma 1 to get Equation (13). Since \(|Y|=r\), we have \({\textbf{H}}_{\infty }(X|Y) \ge n-r\), which, together with some simplification, yields Equation (14). \(\square \)

Our symmetric and dual PRF \({\textsf{S}}_{m,r}\) is parameterized by integers m, r. Given these, we proceed as follows:

  • We select n so that \(2^{-(n+2-m-r)/2}\) is negligible. Specifically, set \(n=3(m+r)\), so that \(2^{-(n+2-m-r)/2}=2^{-(m+r+1)}\).

  • Then, we select a function family \(\textsf{Ext}{\,{:}\,}\{0,1\}^s\times \{0,1\}^n\rightarrow \{0,1\}^m\) that is universal.

  • Next we select a keyless, collision-resistant function family \({\textsf{H}}{\,{:}\,}\{\varepsilon \}\times \{0,1\}^n\rightarrow \{0,1\}^r\). Since it is collision resistant, it is certainly CAU.

  • We let \(\textsf{HC}{\,{:}\,}\{0,1\}^s\times (\{\varepsilon \}\times \{0,1\}^n)\rightarrow \{0,1\}^m\) be defined as in Lemma 5 based on \({\textsf{H}},\textsf{Ext}\), namely .

  • Finally, we select a PRF \({\textsf{R}}{\,{:}\,}\{0,1\}^m \times {\textsf{R}}.\textsf{Inp} \rightarrow {\textsf{R}}.\textsf{Out}\) such that \(\{0,1\}^r \times \{\varepsilon \}\times \{0,1\}^s \subseteq {\textsf{R}}.\textsf{Inp}\), and also, \({\textsf{R}}.\textsf{Out}\) is a commutative group, for simplicity \(\{0,1\}^l\) for some l with the group operation being bitwise xor. As we explain below, this can ultimately be built from a CR hash function, making the latter the only assumption.

We now have a suite \(({\textsf{H}},\textsf{HC},{\textsf{R}})\) and can apply our \(\textbf{SPRF}\) transform. The resulting symmetric and dual PRF is \({\textsf{S}}_{m,r}{\,{:}\,}(\{0,1\}^n\times \{\varepsilon \}\times \{0,1\}^s)\times (\{0,1\}^n\times \{\varepsilon \}\times \{0,1\}^s) \rightarrow \{0,1\}^l\), defined as follows:

[Definition of \({\textsf{S}}_{m,r}\), given as a figure in the original and not reproduced here.]
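As an added worked example (not the paper's code), here is the instantiation of this section in Python, with SHA-256 as the keyless CR hash \({\textsf{H}}\), a random GF(2)-linear map as the universal \(\textsf{Ext}\), \(\textsf{HC}(s,(\varepsilon ,x)) = \textsf{Ext}(s,x)\) as in Lemma 5, and HMAC-SHA256 standing in for the PRF \({\textsf{R}}\). Since Fig. 3 and the definition of \({\textsf{S}}_{m,r}\) are not reproduced on this page, the way the two \({\textsf{R}}\) terms are wired is reconstructed from the proof of Theorem 4 and is an assumption, not a transcription of the paper's figure.

```python
"""Added example: an instantiation of the S_{m,r} dual PRF of Sect. 6.1.

Illustration code written for this page, not the paper's own. Assumptions:
  * H   = SHA-256, keyless and assumed collision resistant (r = 256).
  * Ext = a random GF(2)-linear map given by an m x n bit matrix; such maps
    form a universal family. Its key s is the matrix (m*n bits).
  * HC(s, (eps, x)) = Ext(s, x), as in Lemma 5.
  * R   = HMAC-SHA256 keyed by the m-bit HC output, standing in for a PRF
    with R.Out = {0,1}^256 under bitwise xor.
  * Wiring of the two R terms follows the proof of Theorem 4
    (r_0 = HC(s_0,(k_0,x_0)), z_1 = (H(k_0,x_1), k_1, s_1), y = y_0 * y_1);
    Fig. 3 is not reproduced on the page, so this is a reconstruction.
"""
import hashlib
import hmac
import secrets

M = 128                     # hardcore-function output length m (bits)
R_LEN = 256                 # SHA-256 output length r (bits)
N = 3 * (M + R_LEN)         # n = 3(m + r), so 2^{-(n+2-m-r)/2} = 2^{-(m+r+1)}
N_BYTES = N // 8


def H(x: bytes) -> bytes:
    """Keyless CR hash H: {0,1}^n -> {0,1}^r (SHA-256, assumed CR)."""
    assert len(x) == N_BYTES
    return hashlib.sha256(x).digest()


def ext_keygen() -> list:
    """Key for Ext: m random rows of n bits, i.e. a random m x n GF(2) matrix."""
    return [secrets.randbits(N) for _ in range(M)]


def Ext(s: list, x: bytes) -> bytes:
    """Universal hash {0,1}^n -> {0,1}^m: Ext(s, x) = s . x over GF(2).

    For x != x', Pr_s[Ext(s,x) = Ext(s,x')] = 2^{-m}: exactly the
    universality Lemma 5 asks for.
    """
    xi = int.from_bytes(x, "big")
    bits = 0
    for row in s:
        bits = (bits << 1) | (bin(row & xi).count("1") & 1)  # inner product mod 2
    return bits.to_bytes(M // 8, "big")


def HC(s: list, x: bytes) -> bytes:
    """Leakage hardcore function of Lemma 5: HC(s, (eps, x)) = Ext(s, x)."""
    return Ext(s, x)


def R(key: bytes, w: bytes, s: list) -> bytes:
    """PRF R keyed by an m-bit HC output, applied to the triple (w, eps, s).

    HMAC-SHA256 is a stand-in for R; the triple is encoded unambiguously by
    length-prefixing each component (the H key eps is the empty string).
    """
    s_bytes = b"".join(row.to_bytes(N_BYTES, "big") for row in s)
    msg = len(w).to_bytes(4, "big") + w + len(s_bytes).to_bytes(4, "big") + s_bytes
    return hmac.new(key, msg, hashlib.sha256).digest()


def S(a0, a1) -> bytes:
    """S_{m,r}(a0, a1) with a0 = (x0, s0), a1 = (x1, s1); the H key eps is implicit.

    y_0 = R(HC(s0, x0), (H(x1), eps, s1)),  y_1 = R(HC(s1, x1), (H(x0), eps, s0)),
    output y_0 xor y_1. Swapping a0 and a1 swaps y_0 and y_1, so S is symmetric.
    """
    x0, s0 = a0
    x1, s1 = a1
    y0 = R(HC(s0, x0), H(x1), s1)
    y1 = R(HC(s1, x1), H(x0), s0)
    return bytes(b0 ^ b1 for b0, b1 in zip(y0, y1))


def keygen():
    """A random key (equivalently, input) for S: a point x in {0,1}^n and an Ext key."""
    return (secrets.token_bytes(N_BYTES), ext_keygen())


def is_symmetric(a0, a1) -> bool:
    """Check the Proposition 3 property, S(a0,a1) = S(a1,a0), on concrete values."""
    return S(a0, a1) == S(a1, a0)
```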

The following shows that \({\textsf{S}}_{m,r}\) is a PRF. Since it is symmetric, it is thus also a dual PRF.

Theorem 6

Let \(m,r\ge 1\) be integers, and select \(n,\textsf{Ext},{\textsf{H}},\textsf{HC},{\textsf{R}}\) as above to define the (symmetric) function family \({\textsf{S}}_{m,r}\) also as above. Let \(\mathcal{A}\) be an adversary. Then, the proof constructs adversaries \(\mathcal{A}_{{\textsf{H}}}',\mathcal{A}_{{\textsf{R}}}\) such that

$$\begin{aligned} \textbf{Adv}^{\textsf{prf}}_{{\textsf{S}}_{m,r}}(\mathcal{A})&\le 2^{-(m+r+1)} + \textbf{Adv}^{\textsf{prf}}_{{\textsf{R}}}(\mathcal{A}_{{\textsf{R}}}) + \textbf{Adv}^{\textsf{cr}}_{{\textsf{H}}}(\mathcal{A}_{{\textsf{H}}}') \;. \end{aligned}$$
(15)

The running times of the constructed adversaries are about the same as that of the original.

The above theorem assumes that \({\textsf{H}}\) is CR and \({\textsf{R}}\) is a PRF. Our ultimate claim is to rely only on the CR assumption. This is possible because (compressing) CR functions imply OWFs, which in turn imply PRGs [27] which in turn imply PRFs [24]. (A direct construction of a PRG from a CR function is also possible [17] but assumes regularity and exponential hardness of the CR function, which we do not want to assume.) We do not give a formal result encompassing the final claim of a dual PRF from just a CR function because, in our concrete-security framework, the statement would need concrete bounds, and we do not know these bounds for the chain of just-mentioned reductions from prior work. Instead, we leave this final theoretical result (CR hash functions imply dual PRFs) as understood asymptotically.

Proof

(Theorem 6) Theorem 4 yields adversaries \(\mathcal{A}_{{\textsf{H}}},\mathcal{A}_{\textsf{HC}},\mathcal{A}_{{\textsf{R}}}\) such that

$$\begin{aligned} \textbf{Adv}^{\textsf{prf}}_{{\textsf{S}}_{m,r}}(\mathcal{A})&\le \textbf{Adv}^{\textsf{lhc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A}_{\textsf{HC}}) + \textbf{Adv}^{\textsf{prf}}_{{\textsf{R}}}(\mathcal{A}_{{\textsf{R}}}) + \frac{q(q-1)}{2} \cdot \textbf{Adv}^{\textsf{cau}}_{{\textsf{H}}}(\mathcal{A}_{{\textsf{H}}}) \;, \end{aligned}$$

where q is the number of queries \(\mathcal{A}\) makes to its \(\textsc {Fn}\) oracle. Lemma 5 together with the choice of n made above implies that

$$\begin{aligned} \textbf{Adv}^{\textsf{lhc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A}_{\textsf{HC}}) \le 2^{-(n+2-m-r)/2} =2^{-(m+r+1)}\;, \end{aligned}$$

explaining the first term in Equation (15). Now, we perform a small optimization. CAU-adversary \(\mathcal{A}_{{\textsf{H}}}\) in the proof of Theorem 4 guessed a colliding pair of inputs for \({\textsf{H}}\), but our \({\textsf{H}}\) is keyless and we assume CR. A CR-adversary \(\mathcal{A}_{{\textsf{H}}}'\) can instead try all candidate pairs and return one (if any) that works. So we can replace \(q(q-1)/2 \cdot \textbf{Adv}^{\textsf{cau}}_{{\textsf{H}}}(\mathcal{A}_{{\textsf{H}}})\) by \(\textbf{Adv}^{\textsf{cr}}_{{\textsf{H}}}(\mathcal{A}_{{\textsf{H}}}')\). This justifies Equation (15). \(\square \)

Remark 7

While unkeyed hash functions assumed to be CR are a practical reality (SHA-256 is an example), their formal treatment involves some subtleties. In the asymptotic setting, they cannot exist if we allow non-uniform adversaries. (Such an adversary could hardwire a collision for each choice of the security parameter.) If adversaries are assumed uniform, however, this anomaly goes away, and the assumption of the existence of such a family is meaningful. The concrete setting is inherently non-uniform [14] but results (like ours) are still meaningful because they give explicit reductions (adversary constructions). Further elaboration can be found in [31].

6.2 Construction from any OWP

We show that the existence of one-way permutations (OWPs) implies the existence of dual PRFs. We do this by instantiating our SPRF construction using an iterated OWP for \({\textsf{H}}\) and a leakage hardcore function obtained via the BMY PRG [16, 33].

Let \({\textsf{F}}{\,{:}\,}\{\varepsilon \}\times X \rightarrow X\) be a keyless one-way family of permutations with domain and range a set X. (The standard definition of an OWP is indeed keyless.) For \(i \ge 1\), let \({\textsf{F}}^{(i)} {\,{:}\,}\{\varepsilon \}\times X \rightarrow X\) be the i-th iterate of \({\textsf{F}}\), defined inductively by

$$\begin{aligned} {\textsf{F}}^{(0)}(\varepsilon ,x)=x \hspace{10pt} \text{ and } \hspace{10pt} {\textsf{F}}^{(i)}(\varepsilon ,x) = {\textsf{F}}(\varepsilon ,{\textsf{F}}^{(i-1)}(\varepsilon ,x)) \text{ for } i\ge 1 . \end{aligned}$$

Our symmetric and dual PRF \({\textsf{S}}_m\) is parameterized by an integer m. Let \({\textsf{R}}{\,{:}\,}\{0,1\}^m \times {\textsf{R}}.\textsf{Inp} \rightarrow {\textsf{R}}.\textsf{Out}\) be a PRF such that \(X \times \{\varepsilon \}\times \{\varepsilon \} \subseteq {\textsf{R}}.\textsf{Inp}\), and also, \({\textsf{R}}.\textsf{Out}\) is a commutative group, for simplicity \(\{0,1\}^l\) for some l with the group operation being bitwise xor. This is not an extra assumption because OWPs imply PRGs [16, 25, 33] which in turn imply PRFs [24]. Let \({\textsf{H}}= {\textsf{F}}^{(m)}\) be the m-fold iterate of \({\textsf{F}}\). We assume a hardcore predicate \(\textsf{HC}_1{\,{:}\,}\{\varepsilon \}\times (\{\varepsilon \}\times {\textsf{H}}.\textsf{Inp}) \rightarrow \{0,1\}\) for \({\textsf{F}}\). (Any OWP can be modified to one that has a keyless hardcore predicate, making this assumption wlog.) Let \(\textsf{HC}{\,{:}\,}\{\varepsilon \}\times (\{\varepsilon \}\times {\textsf{H}}.\textsf{Inp}) \rightarrow \{0,1\}^m\) be defined by

[Definition of \(\textsf{HC}\), given as a figure in the original and not reproduced here.]

Then, \(\textsf{HC}\) is a hardcore function for \({\textsf{H}}= {\textsf{F}}^{(m)}\) assuming only one-wayness of \({\textsf{F}}\). Now, we have two observations. First, since \({\textsf{F}}\), and hence \({\textsf{H}}\), is keyless, and we know that \(\textsf{HC}\) is a hardcore function for \({\textsf{H}}\), Lemma 2 implies that it is also a leakage hardcore function for \({\textsf{H}}\). Second, \({\textsf{H}}\) is trivially CAU, because it is a permutation family, so there simply do not exist collisions. We can thus apply our \(\textbf{SPRF}\) transform to the suite \(({\textsf{H}},\textsf{HC},{\textsf{R}})\) to get a symmetric function family \({\textsf{S}}_m\) that, by Theorem 4, is a PRF.
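As an added example (not from the paper), the ingredients \({\textsf{H}}={\textsf{F}}^{(m)}\) and \(\textsf{HC}\) of this section on a toy scale: the RSA-style permutation \(x \mapsto x^3 \bmod N\) on \(X=\mathbb{Z}_N^*\) plays \({\textsf{F}}\), its least significant bit plays \(\textsf{HC}_1\), and \(\textsf{HC}\) is the BMY concatenation of \(\textsf{HC}_1\) over the first m iterates. The BMY wiring is an assumption, since the figure defining \(\textsf{HC}\) is not reproduced here, and the tiny modulus is chosen so the permutation property can be checked exhaustively; it is not one-way.

```python
"""Added example for Sect. 6.2: a toy iterated-OWP suite (H, HC) for SPRF.

Not the paper's code. Assumptions: F is the RSA-style permutation
x -> x^3 mod N on X = Z_N^*. It is a genuine permutation because
gcd(3, phi(N)) = 1, but with this tiny N it is NOT one-way; it only
exercises the structure. HC_1 is the least-significant bit and HC follows
the BMY construction: HC(x) = HC_1(x) || HC_1(F(x)) || ... || HC_1(F^{(m-1)}(x)).
"""
from math import gcd

P, Q = 11, 17
N = P * Q                   # 187
PHI = (P - 1) * (Q - 1)     # 160
E = 3
assert gcd(E, PHI) == 1     # x -> x^E mod N is then a permutation of Z_N^*

X = [x for x in range(1, N) if gcd(x, N) == 1]   # the domain X = Z_N^*


def F(x: int) -> int:
    """Keyless permutation F: X -> X (the eps key is left implicit)."""
    return pow(x, E, N)


def F_iter(i: int, x: int) -> int:
    """The i-th iterate F^{(i)}: F^{(0)}(x) = x and F^{(i)}(x) = F(F^{(i-1)}(x))."""
    for _ in range(i):
        x = F(x)
    return x


def HC1(x: int) -> int:
    """Hardcore predicate HC_1 for F: the least significant bit of x (toy choice)."""
    return x & 1


def HC(m: int, x: int) -> str:
    """BMY hardcore function for H = F^{(m)}: the m bits HC_1(F^{(i)}(x)), i < m."""
    return "".join(str(HC1(F_iter(i, x))) for i in range(m))


def H(m: int, x: int) -> int:
    """The family H = F^{(m)} used as the CAU ingredient of the SPRF suite."""
    return F_iter(m, x)


def is_permutation(m: int) -> bool:
    """H = F^{(m)} has no collisions on X at all, so its CAU advantage is 0."""
    images = {H(m, x) for x in X}
    return len(images) == len(X) and images == set(X)


def hc_output_length_ok(m: int) -> bool:
    """HC outputs exactly m bits for every x in X, as the SPRF suite requires."""
    return all(len(HC(m, x)) == m for x in X)
```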

The following says that \({\textsf{S}}_m\) is a PRF. Since it is symmetric, it is also a dual PRF.

Theorem 8

Let \(m\ge 1\) be an integer, and select \({\textsf{F}},{\textsf{H}},\textsf{HC},{\textsf{R}}\) as above to define the (symmetric) function family \({\textsf{S}}_{m}\) also as above. Let \(\mathcal{A}\) be an adversary. Then, the proof constructs adversaries \(\mathcal{A}_{\textsf{HC}},\mathcal{A}_{{\textsf{R}}}\) such that

$$\begin{aligned} \textbf{Adv}^{\textsf{prf}}_{{\textsf{S}}_{m}}(\mathcal{A})&\le \textbf{Adv}^{\textsf{hc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A}_{\textsf{HC}}) + \textbf{Adv}^{\textsf{prf}}_{{\textsf{R}}}(\mathcal{A}_{{\textsf{R}}}) \;. \end{aligned}$$
(16)

The running times of the constructed adversaries are about the same as that of the original.

As with Theorem 6, we stop short of a formal statement encompassing the final theoretical claim that OWPs alone imply dual PRFs, due to the challenges of casting this in a concrete framework. We have, however, already discussed above how it is obtained asymptotically. Briefly, OWPs imply PRFs and, if OWPs exist, so do OWPs with keyless hardcore predicates as assumed above.

Proof

(Theorem 8) Theorem 4 yields adversaries \(\mathcal{A}_{{\textsf{H}}},\mathcal{A}_{\textsf{HC}},\mathcal{A}_{{\textsf{R}}}\) such that

$$\begin{aligned} \textbf{Adv}^{\textsf{prf}}_{{\textsf{S}}_{m}}(\mathcal{A})&\le \textbf{Adv}^{\textsf{lhc}}_{{\textsf{H}},\textsf{HC}}(\mathcal{A}_{\textsf{HC}}) + \textbf{Adv}^{\textsf{prf}}_{{\textsf{R}}}(\mathcal{A}_{{\textsf{R}}}) + \frac{q(q-1)}{2} \cdot \textbf{Adv}^{\textsf{cau}}_{{\textsf{H}}}(\mathcal{A}_{{\textsf{H}}}) \;, \end{aligned}$$

where q is the number of queries \(\mathcal{A}\) makes to its \(\textsc {Fn}\) oracle. However, \(\textbf{Adv}^{\textsf{cau}}_{{\textsf{H}}}(\mathcal{A}_{{\textsf{H}}})=0\) since \({\textsf{H}}\) is a permutation, so this term disappears. Also, since \({\textsf{H}}\) is keyless, the lhc-advantage is the same as the hc-advantage. This justifies Equation (16). \(\square \)

6.3 Ending Remarks

A construction of a dual PRF from any OWF eludes us, and we see this as an interesting open question. Since PRFs are known to exist given an OWF [24, 27], Theorem 4 reduces the task of building a dual PRF from an OWF to the task of building, from an OWF, a CAU function family \({\textsf{H}}\) with a leakage hardcore function \(\textsf{HC}\) with long-enough output. However, at present we do not know a way to do this.

One may ask what is the conclusion for HMAC. As discussed in Sect. 1, our intent was to give a generic validation of the dual PRF assumption made in various places including on HMAC’s compression function h in [6]. We have successfully done this through constructions of dual PRFs under standard assumptions. We could, in principle, plug one of our dual PRFs in as the choice of h for HMAC. Then, the results of [6] combined with ours would imply PRF security of this alternative HMAC, the assumptions being (only) the ones in our results. However, we are not aware of any practical utility, or value, of this alternative HMAC.