Robust Distributed Pseudorandom Functions for mNP Access Structures

Abstract

Distributed pseudorandom functions (DPRFs) formally defined by Naor et al. (EUROCRYPT’99) provide the properties of regular PRFs as well as the ability to distribute the evaluation of the PRF function; rendering them useful against single point of failures in multiple settings (e.g., key distribution centres). To avoid the corruption of the partial PRF values computed by distributed servers, Naor et al. proposed the notion of robust distributed PRFs, which not only allows the evaluation of the PRF value by a set of distributed servers, but also allows to verify if the partial evaluation values are computed correctly.

In this paper, we investigate different approaches to build non-interactive robust distributed PRFs for a general class of access structures, going beyond the existing threshold and monotone span programs (MSP). More precisely, our contributions are two fold: (i) we first adapt the notion of single round robust distributed PRFs for threshold access structures to one for any mNP access structure (monotone functions in NP), and (ii) we provide a provably secure general construction of robust distributed PRFs by employing puncturable PRFs, a non-interactive witness indistinguishable proof (NIWI) and indistinguishable obfuscation. We compare our robust DPRF with existing DPRFs in terms of security guarantees, underlying assumptions and required primitives.

A Appendix

1.1 A.1 Preliminaries

Definition 5

(Indistinguishability obfuscation [11]). A probabilistic polynomial time (PPT) algorithm \(i\mathcal {O}\) is said to be an indistinguishability obfuscator for a circuit class \(\{\mathcal {C}_{\lambda }\}\), if the following conditions are satisfied:

• For all security parameters \(\lambda \in \mathbb {N}\), for all \(C\in C_{\lambda }\), for all inputs x, we have that

  $$\begin{aligned} \mathrm {Pr}[C'(x)=C(x): C'\leftarrow i\mathcal {O}(\lambda , C)]=1. \end{aligned}$$

• For any (not necessarily uniform) PPT adversaries \((\textsf {Samp}, D)\), there exists a negligible function \(negl(\cdot )\) such that the following holds: if \(\mathrm {Pr}[\forall x, C_0(x)=C_1(x):(C_0,C_1,\sigma )\leftarrow \textsf {Samp}(1^{\lambda })]>1-negl(\lambda )\), then we have:

  $$\begin{aligned} \begin{aligned} \big |&\mathrm {Pr}[D(\sigma ,i\mathcal {O}(\lambda ,C_{0}))=1:(C_0,C_1,\sigma )\leftarrow \textsf {Samp}(1^{\lambda })] \\&-\mathrm {Pr}[D(\sigma ,i\mathcal {O}(\lambda ,C_{1}))=1:(C_0,C_1,\sigma )\leftarrow \textsf {Samp}(1^{\lambda })]\big |\le negl(\lambda ). \end{aligned} \end{aligned}$$

Definition 6

(Puncturable PRFs [29]). A puncturable family of PRFs F mapping is given by a triple of Turing Machines \((\textsf {Setup}_{F}\), \(\textsf {Puncture}_{F}\), and \(\textsf {Eval}_{F})\), and a pair of computable functions \(\tau _{1}(\cdot )\) and \(\tau _{2}(\cdot )\), satisfying the following conditions:

• (Functionality preserved under puncturing) For every PPT adversary \(\mathcal {A}\) such that \(\mathcal {A}(1^{\lambda })\) outputs a set \(S\subseteq \{0, 1\}^{\tau _{1}(\lambda )}\), then for all \(x\in \{0, 1\}^{\tau _{1}(\lambda )}\) where \(x\notin S\), we have that:

  $$\begin{aligned} \mathrm {Pr}[\textsf {Eval}_{F}(K, x)=\textsf {Eval}_{F}(K_{S}, x):&K\leftarrow \textsf {Setup}_{F}(1^{\lambda }),\\&K_{S}= \textsf {Puncture}_{F}(K, S)]= 1. \end{aligned}$$

• (Pseudorandom at punctured points) For every PPT adversary \((\mathcal {A}_{1},\mathcal {A}_{2})\) such that \(\mathcal {A}_{1}(1^{\lambda })\) outputs a set \(S\subseteq \{0, 1\}^{\tau _{1}(\lambda )}\) and state \(\sigma \), consider an experiment where \(K\leftarrow \textsf {Setup}_{F}(1^{\lambda })\) and \(K_{S}=\textsf {Puncture}_{F}(K, S)\). Then, we have:

  $$\begin{aligned} \big |\mathrm {Pr}[\mathcal {A}_{2}(\sigma ,K_{S}, S, \textsf {Eval}_{F}(K, S))&= 1] \\&-\mathrm {Pr}[\mathcal {A}_{2}(\sigma ,K_{S}, S, U_{\tau _{2}(\lambda )\cdot |S|})= 1]\big |= negl(\lambda ), \end{aligned}$$

where \(\textsf {Eval}_{F}(K, S)\) denotes the concatenation of \(\textsf {Eval}_{F}(K, x_1),\ldots ,\textsf {Eval}_{F}(K, x_k)\) where \(S= \{x_1,\ldots , x_k\}\) is the enumeration of the elements of S in lexicographic order, \(negl(\cdot )\) is a negligible function, and \(U_{\tau _{2}(\lambda )\cdot |S|}\) denotes the uniform distribution over \(\tau _{2}(\lambda )\cdot |S|\) bits.

Theorem 2

[29] If one-way functions exist, then for all efficiently computable functions \(\tau _{1}(\lambda )\) and \(\tau _{2}(\lambda )\), there exists a family of puncturable PRFs that maps \(\tau _{1}(\lambda )\) bits to \(\tau _{2}(\lambda )\) bits.