Theory of Cryptography Conference

TCC 2015: Theory of Cryptography pp 1-30

Constrained Key-Homomorphic PRFs from Standard Lattice Assumptions

Or: How to Secretly Embed a Circuit in Your PRF
  • Zvika Brakerski
  • Vinod Vaikuntanathan
Conference paper

DOI: 10.1007/978-3-662-46497-7_1

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9015)
Cite this paper as:
Brakerski Z., Vaikuntanathan V. (2015) Constrained Key-Homomorphic PRFs from Standard Lattice Assumptions. In: Dodis Y., Nielsen J.B. (eds) Theory of Cryptography. TCC 2015. Lecture Notes in Computer Science, vol 9015. Springer, Berlin, Heidelberg


Boneh et al. (Crypto 13) and Banerjee and Peikert (Crypto 14) constructed pseudorandom functions (PRFs) from the Learning with Errors (LWE) assumption by embedding combinatorial objects, a path and a tree respectively, in instances of the LWE problem. In this work, we show how to generalize this approach to embed circuits, inspired by recent progress in the study of Attribute Based Encryption.

Embedding a universal circuit for some class of functions allows us to produce constrained keys for functions in this class, which gives us the first standard-lattice-assumption-based constrained PRF (CPRF) for general bounded-description bounded-depth functions, for arbitrary polynomial bounds on the description size and the depth. (A constrained key w.r.t a circuit C enables one to evaluate the PRF on all x for which C(x) = 1, but reveals nothing on the PRF values at other points.) We rely on the LWE assumption and on the one-dimensional SIS (Short Integer Solution) assumption, which are both related to the worst case hardness of general lattice problems. Previous constructions for similar function classes relied on such exotic assumptions as the existence of multilinear maps or secure program obfuscation. The main drawback of our construction is that it does not allow collusion (i.e. to provide more than a single constrained key to an adversary). Similarly to the aforementioned previous works, our PRF family is also key homomorphic.

Interestingly, our constrained keys are very short. Their length does not depend directly either on the size of the constraint circuit or on the input length. We are not aware of any prior construction achieving this property, even relying on strong assumptions such as indistinguishability obfuscation.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Zvika Brakerski
    • 1
  • Vinod Vaikuntanathan
    • 2
  1. 1.Weizmann Institute of ScienceRehovotIsrael
  2. 2.Massachusetts Institute of TechnologyCambridgeUSA

Personalised recommendations