Efficient Pseudorandom Functions via On-the-Fly Adaptation
Abstract
Pseudorandom functions (PRFs) are one of the most fundamental building blocks in cryptography with numerous applications such as message authentication codes and private-key encryption. In this work, we propose a new framework to construct PRFs with the overall goal to build efficient PRFs from standard assumptions with an almost tight proof of security. The main idea of our framework is to start from a PRF for any small domain (i.e. poly-sized domain) and turn it into an \(\ell \)-bounded pseudorandom function, i.e., into a PRF whose outputs are pseudorandom for the first \(\ell \) distinct queries to F. In the second step, we apply a novel technique which we call on-the-fly adaptation that turns any bounded PRF into a fully-fledged (large domain) PRF. Both steps of our framework have a tight security reduction, meaning that any successful attacker can be turned into an efficient algorithm for the underlying hard computational problem without any significant increase in the running time or loss of success probability.
Instantiating our framework with specific number theoretic assumptions, we construct a PRF based on k-LIN (and thus DDH) that is faster than all known constructions, which reduces almost tightly to the underlying problem, and which has shorter keys. Instantiating our framework with general assumptions, we construct a PRF with very flat circuits whose security tightly reduces to the security of some small domain PRF.
Keywords
Pseudorandom functions; Efficient reductions; DDH; k-LIN; LWE
1 Introduction
The first step in our framework is to extend the domain of a small-domain PRF into a bounded pseudorandom function (bPRF). A function F is an \(\ell \)-bounded pseudorandom function (for an \(\ell \le \mathsf {poly}(\lambda )\)), if the outputs of F are pseudorandom for the first \(\ell \) distinct queries to F and if F can be computed “super efficiently” (i.e., in time \(\mathsf {poly}(\lambda , \log (\ell ))\)). In some sense, this primitive can be seen as the computational analogue to \(\ell \)-wise independent functions.
The second step in our framework is a reduction technique we call on-the-fly adaptation. The goal of this technique is to construct a PRF F in which we can dynamically embed an \(\ell \)-bounded PRF \(F_\ell \) for every \(\ell \) that grows at most polynomially. Now assume we have a PPT distinguisher \(\mathcal {D}\) that distinguishes F from a truly random function. Since \(\mathcal {D}\) is efficient, it sends at most \(q = \mathsf {poly}(\lambda )\) queries to its oracle (for an a priori unknown q). On-the-fly adaptation allows us to turn this distinguisher against F into a distinguisher \(\mathcal {D}'\) against a bounded PRF \(F_q\) that has the same advantage.
We will now discuss domain extension for arbitrary PRFs and provide a simple domain extension technique that uses only linear functions to pre- and post-process a small domain PRF. This, together with the generic on-the-fly adaptation technique described above, yields a PRF construction from any small domain PRF. We will discuss an instantiation of this general construction based on LWE.
Domain Extension for Arbitrary PRFs. The problem of domain extension for pseudorandom functions was first considered by Levin [20]. Levin showed that if the domain of a certain PRF is already sufficiently large, then it can be extended by using a universal hash function to hash larger inputs into the domain of this PRF. However, this technique is vulnerable to a “birthday attack”, which means that after a certain number of queries there is a high probability of finding a collision in the hash function. Levin’s technique also fails for small domain PRFs, i.e., PRFs with domains of polynomial size. Jain, Pietrzak, and Tentes [19] provided a domain extension technique which also works for small domains, but has an unfavorable security loss in this case. Moreover, as mentioned by the authors, their technique does not seem to be directly applicable to efficient PRFs such as the ones based on DDH [19]. The work of Jain et al. [19] was refined by Chandran and Garg [8]. Berman et al. [5] also showed how to bypass the birthday barrier via Cuckoo hashing.
1.1 A General Transformation
Above we described our on-the-fly adaptation technique that works for any bounded PRF. Combining this technique with a general domain extension technique, we obtain a large domain pseudorandom function with almost tight security (i.e., only a logarithmic loss) from any suitable small domain PRF. In a nutshell, a small domain PRF is suitable for this technique if its security loss only depends on the size of its input domain, but not (polynomially) on the number of queries a distinguisher sends^{1}. The computational problems from which PRFs with such a small security loss can be constructed usually have one feature in common: they support a statistical random self-reduction. Candidate PRFs with this property are PRFs based on the LWE [28, 30] problem, such as the PRF of Banerjee, Peikert, and Rosen [1]. Using the BPR PRF as small domain PRF in our general construction, we obtain a large domain PRF which is secure under a weaker assumption, which has a tighter proof of security, and a shallower evaluation circuit than instantiating the BPR scheme with a large domain directly.
In the remaining part of this section, we discuss more efficient instantiations based on DDH and k-LIN. Here, we exploit specific number theoretic properties in order to improve the efficiency and security of the resulting PRF.
1.2 Efficient PRFs Based on DDH and k-LIN
One appealing property of our framework is that it yields several new constructions of PRFs based on weak standard assumptions, such as k-LIN (and thus DDH), with an almost tight proof of security. A tight reduction means that a successful attacker can be turned into an efficient algorithm for the hard computational problem without any significant increase in the running time or significant loss of success probability^{2}. We will provide a specific on-the-fly adaptation technique that exploits algebraic properties of the underlying number theoretic assumptions. We can thus avoid the blow-up of the general on-the-fly adaptation technique described in the last paragraph and obtain PRFs that improve upon known constructions in terms of efficiency, security, and key size.
The observation that functions of the form as \(F_\ell \) in (3) can be computed in time \(\log \ell \) via a closed form as (1) was previously made by Benabbas, Gennaro, and Vahlis for the Naor-Reingold PRF [3] and by Fiore and Gennaro for the Lewko-Waters PRF [12]. The fact that \(F_\ell \) is a bounded PRF was independently observed by Hazay [15].
Comparison to Naor-Reingold [25]. Our fully fledged PRF with input domain \(\mathbb {Z}_p\) improves upon the Naor-Reingold PRF (NR-PRF) in terms of tightness of the security reduction and compactness. In contrast to the NR-PRF, the loss of our security reduction is only a factor of \(\log (q)\) (where \(q = \mathsf {poly}(\lambda )\) is the number of queries required by the distinguisher \(\mathcal {D}\)), compared to a factor n for the NR-PRF. Our PRF is very compact as it only requires \(\omega (\log (\lambda ))\) \(\mathbb {Z}_p\) elements for its key, whereas the Naor-Reingold PRF needs n \(\mathbb {Z}_p\) elements. Since the exponentiation is the dominating factor in the computation of both PRFs, the cost to evaluate both functions is roughly the same.
Comparison to Lewko-Waters [21]. Our PRF improves upon the Lewko-Waters PRF (LW-PRF) in terms of efficiency, tightness of the security reduction, and compactness. A single evaluation of the LW-PRF involves n matrix multiplications and a single exponentiation. In our case, the computation requires only \(t = \omega (\log (\lambda ))\) matrix multiplications and a single exponentiation. For larger k, the cost of the matrix multiplications dominates the cost of the exponentiation, so in this case our construction is more efficient. The security reduction of Lewko and Waters loses a factor of \(k \cdot n\) while our reduction only loses a factor of \(k \log q\). The keys of the LW-PRF consist of n \(k \times k\) matrices over \(\mathbb {Z}_p\), while ours consist merely of \(t = \omega (\log \lambda )\) such matrices.
1.3 Other Related Work
Many number-theoretic PRF constructions follow the GGM paradigm [13], such as [1, 21, 25]. Naor and Reingold introduced pseudorandom synthesizers (PRSs), which can be used to construct parallel-computable pseudorandom functions [1, 24]. A PRF construction that is based on neither the GGM nor the synthesizer paradigm is the PRF of Dodis-Yampolskiy, which is in fact a direct construction, but whose security is closely related to its underlying bilinear q-type assumption [10]. Recently, Chase and Meiklejohn showed that this q-type assumption can be reduced to the subgroup hiding assumption in composite order groups [9]. The PRF of Naor, Reingold, and Rosen is a clever variant of the Naor-Reingold PRF that is secure under the factoring assumption [27]. The work of Boneh, Montgomery, and Raghunathan combines a generalization of the GGM tree with the Dodis-Yampolskiy PRF to get a large-domain (simulatable) verifiable random function [7].
2 Preliminaries
Throughout this paper, we will use \(\lambda \) to denote the security parameter. We will denote the concatenation of two bit strings x and y by \(x \Vert y\). We will generally assume that logarithms are rounded to the next biggest integer, i.e., when we write \(\log (\ell )\) we actually mean \(\lceil \log (\ell ) \rceil \). To avoid confusion, we will sometimes still write \(\lceil \log (\ell ) \rceil \), e.g. when we write \(2^{\lceil \log (\ell ) \rceil }\) to indicate that this can be different from \(\ell \).
Definition 1
We will usually omit the \(\lambda \) subscript in the definition of \(\mathcal {K}\), \(\mathcal {X}\) and \(\mathcal {Y}\). Moreover, we will henceforth implicitly assume that the distinguisher gets \(1^\lambda \) as an additional input without explicitly stating this.
As mentioned in the outline, bounded pseudorandom functions can be seen as a computational analogue of limited-wise independent functions. Basically, the difference between true PRFs and bounded PRFs manifests itself in their security guarantee. While a distinguisher against a true PRF can query the PRF an a priori unbounded number of times, a distinguisher against an \(\ell \)-bounded PRF can query the PRF with at most \(\ell \) distinct queries.
Definition 2
Notice that in the definition of bounded PRFs we allow the keyspace to depend on \(\ell \), but \(\mathcal {X}\) and \(\mathcal {Y}\) are independent of \(\ell \). Moreover, as we require that \(F_\ell \) is computable in time \(\mathsf {poly}(\lambda ,\log (\ell ))\), we implicitly also require that \(|\mathcal {K}_\ell | \le \mathsf {poly}(\lambda ,\log (\ell ))\). Requiring that \(F_\ell \) can be computed in time \(\mathsf {poly}(\lambda ,\log (\ell ))\) allows us to evaluate \(F_\ell \) for superpolynomial \(\ell \), while we only require security for \(\ell ^*\) which are at most polynomial.
The following lemma states that if a function F outputs uniformly random outputs under benign inputs, then the statistical distance from F to a uniformly random function \(F'\) can be bounded by the probability that a non-adaptive sequence of inputs is not benign. Intuitively, an adaptive distinguisher \(\mathcal {D}\) learns nothing about the set of bad inputs unless it finds such an input by chance, as otherwise the function F reveals no information about the set of bad inputs. This lemma is a simplified version of a more general statement due to Maurer [23].
Lemma 1
A proof of Lemma 1 can be found in the full version.
3 A Generic Construction
In this section, we will first provide an efficient construction of an \(\ell \)-bounded pseudorandom function from any small domain PRF with input space of (polynomial) size \(n \cdot \ell \). Security of the \(\ell \)-bounded PRF follows tightly from the underlying small domain PRF. Second, we will provide a general construction of a PRF from \(\ell \)-bounded PRFs, where security also follows tightly.
3.1 Bounded PRFs via Domain Extension of Small Domain PRFs
We will need universal hash functions for our domain extension technique.
Definition 3
(Universal Hash Functions). Let \(\mathcal {X}\) and \(\mathcal {Y}\) be finite sets. We say that a family \(\mathcal {H}\) of functions from \(\mathcal {X}\) to \(\mathcal {Y}\) is a family of universal hash functions, if it holds for all \(x \ne x' \in \mathcal {X}\) that \(\Pr [H(x) = H(x')] \le 1/ |\mathcal {Y}| \), where the probability is taken over the random choice of \(H \leftarrow _{{\$}}\mathcal {H}\).
Universal hash functions can be constructed very efficiently, see e.g., [18].
Construction 1
The following theorem states that \(F_\ell \) is an \(\ell \)-bounded pseudorandom function if \(\mathsf {PRF}_\ell \) is a pseudorandom function.
Theorem 1
Let \(\mathsf {PRF}_\ell \) and \(F_\ell \) be as in Construction 1. If \(\mathsf {PRF}_\ell \) is a pseudorandom function, then \(F_\ell \) is an \(\ell \)-bounded pseudorandom function. More specifically, assume there exists an \(\ell ^*\le \mathsf {poly}(\lambda )\) and an \(\ell ^*\)-query PPT distinguisher \(\mathcal {D}\) that distinguishes \(F_{\ell ^*}\) from a truly random function with advantage \(\epsilon \); then there exists a PPT distinguisher \(\mathcal {D}'\) with essentially the same runtime as \(\mathcal {D}\) that distinguishes \(\mathsf {PRF}_{\ell ^*}\) from a truly random function with advantage at least \(\epsilon - \ell ^*\cdot 2^{-\lambda }\).
The proof of Theorem 1 will be given in the full version.
3.2 PRFs via On-the-Fly Adaptation of Bounded PRFs
In this section we provide a generic on-the-fly adaptation technique which converts a bounded PRF into a standard PRF.
Construction 2
We will now show that F is in fact a pseudorandom function.
Theorem 2
Let \(F_\ell \) and F be as in Construction 2. Assume that \(F_\ell \) is an \(\ell \)-bounded PRF for every efficiently computable \(\ell = \ell (\lambda )\). Then F is a pseudorandom function. Specifically, if \(\mathcal {D}\) is a PPT distinguisher against F with advantage \(\epsilon \) that makes at most \(q = \mathsf {poly}(\lambda )\) distinct queries, then there exists a PPT distinguisher \(\mathcal {D}'\) (with essentially the same runtime as \(\mathcal {D}\)) with advantage \(\epsilon \) against \(F_{\ell ^*}\), where \(\ell ^*= 2^{\lceil \log (q) \rceil } \le 2q = \mathsf {poly}(\lambda )\).
Proof
Let \(\mathcal {D}\) be a PPT distinguisher against F with advantage \(\epsilon \) that makes at most q distinct queries. Note that since \(q = \mathsf {poly}(\lambda )\) and \(t = \omega (\log (\lambda ))\), it holds that \(\log (q) \le t\) (for a sufficiently large \(\lambda \)). We will now construct an \(\ell ^*\)-query distinguisher \(\mathcal {D}'\) against \(F_{\ell ^*}\), which is given in Fig. 2.
3.3 Instantiations
Combining Theorems 1 and 2 yields the following theorem.
Theorem 3
If \(\mathsf {PRF}_\ell \) is a PRF for every \(\ell = \mathsf {poly}(\lambda )\), then F is a PRF. More specifically, if there exists a distinguisher \(\mathcal {D}\) that makes at most \(q = \mathsf {poly}(\lambda )\) queries and distinguishes F with advantage \(\epsilon \), then there exists a distinguisher \(\mathcal {D}'\) with essentially the same runtime as \(\mathcal {D}\) that distinguishes \(\mathsf {PRF}_{2^{\lceil q \rceil }}\) with advantage \(\epsilon - q \cdot 2^{-\lambda }\).
We will briefly discuss efficiency aspects of the construction provided in Theorem 3. First of all, notice that the transformation preserves the parallel complexity of the underlying small domain PRF. Moreover, the pre- and post-processing steps are entirely linear, i.e. the computation of universal hash functions and XORing the results.
We will now discuss an instantiation of this PRF using a small domain PRF based on lattice problems. As already mentioned in the introduction, the main purpose of our constructions is obtaining PRFs from standard assumptions that are as tight as possible. Since the construction in the last section allows reducing the security of the constructed large domain PRF to the security of an adversary-specific small domain PRF, we need a family of small domain PRFs with security as tight as possible. The Naor-Reingold PRF with domain \(\{0,1\}^n\) allows for a security loss of a factor of n, while the security loss of a comparable GGM PRF is \(q \cdot n\). This holds because the DDH problem possesses a statistical random self-reduction which allows one to compute an arbitrary number of DDH samples from a given sample. The learning with errors (LWE) problem enjoys a similar property, which is stated explicitly in the assumption.
Definition 4
(Decisional LWE [28, 30]). Let \(p = p(\lambda )\) be a modulus, \(k = k(\lambda ) = \mathsf {poly}(\lambda )\) be a positive integer and \(\chi _r = D_{\mathbf {Z},r}\) be a Gaussian distribution with noise parameter r. Let \(\mathbf {s} \leftarrow _{{\$}}\mathbb {Z}_p^k\) be chosen uniformly at random. The goal of the \(\mathsf {LWE}(p,k,\chi _r)\) problem is to distinguish an arbitrary number of samples \((\mathbf {a},\langle \mathbf {a},\mathbf {s} \rangle + e)\) where \(\mathbf {a} \leftarrow _{{\$}}\mathbb {Z}_p^k\) and \(e \leftarrow _{{\$}}\chi _r \) from samples \((\mathbf {a},u)\) where \(u \leftarrow _{{\$}}\mathbb {Z}_p\) is chosen uniformly at random.
Banerjee, Peikert and Rosen [1] constructed a PRF based on the LWE problem. The PRF has a structure which is similar to the Lewko-Waters PRF but uses a rounding operation instead of exponentiation. Let \(p_1 \gg p_2\). For an \(x \in \mathbb {Z}_{p_1}\) define \(\lfloor x \rceil _{p_2} = \lceil (p_2 / p_1) \cdot x \rfloor \mod p_2\). For vectors \(\mathbf {x} \in \mathbb {Z}_{p_1}^k\) define \(\lfloor \cdot \rceil _{p_2}\) component-wise. We can now state the BPR PRF.
Theorem 4
Assume that \(\mathsf {LWE}(p_1,k,\chi _r)\) is hard. Then \(\mathsf {BPR}_n\) is a pseudorandom function. Specifically, if there exists a distinguisher \(\mathcal {D}\) that distinguishes \(\mathsf {BPR}_n\) with advantage \(\epsilon \) from a random function, then there exists a distinguisher \(\mathcal {D}'\) with essentially the same runtime as \(\mathcal {D}\) that distinguishes \(\mathsf {LWE}(p_1,k,\chi _r)\) with advantage \(\epsilon / (k \cdot n)\).
Observe that in Theorem 4 the underlying hardness assumption changes when we increase the input length n. More specifically, the smaller the term \(p_1 / r\) is, the harder the underlying LWE problem \(\mathsf {LWE}(p_1,k,\chi _r)\) becomes. The term \(p_1 / r\) is dominated by \((C r \sqrt{k})^n\), thus we aim towards minimizing n. Observe that we can fix a modulus \(p_2\) for the whole family \(\mathsf {BPR}_n\), therefore all functions in this family have the same output domain. Plugging \(\mathsf {BPR}_n\) as small domain PRF into the construction of Theorem 3 yields that n never becomes larger than \(\log (q)\) for some \(q = \mathsf {poly}(n)\). Thus we can base the security of the PRF in Theorem 3 on \(\mathsf {LWE}(p_1,k,\chi _r)\) with \(p_1 = p_2 \cdot n \cdot (C r \sqrt{k} )^{\log (2\lambda q)} \cdot k^{\omega (1)}\), which is slightly superpolynomial (instead of subexponential). Moreover, since \(\mathsf {BPR}_n\) loses only a factor \(k \cdot n\) in its security reduction to LWE, the resulting PRF from Theorem 3 loses only a factor of \(k \cdot \log (2 \lambda q)\). We remark that using the more efficient and tighter Ring-LWE based PRF of [1], the security reduction to Ring-LWE loses only a factor of \(\log (2 \lambda q)\).
While the construction from Theorem 3 preserves the parallel complexity of the small domain PRF, the overall complexity of evaluating the PRF may actually increase. We consider it an interesting problem to find a PRF construction which enjoys similar properties as the k-LIN based construction in Sect. 4, i.e. one that improves the underlying small domain PRF in all aspects, in particular key size and evaluation complexity.
4 A Direct Construction from the k-LIN Problem
In this section, we will provide our efficient constructions of number-theoretic PRFs. As discussed above, we will first develop a specialized domain extension technique and then construct a large domain PRF using a tailor-made on-the-fly adaptation strategy.
4.1 Preliminaries
In this section, we will generally index vectors of length n with indices \(0,\dots ,n-1\). We will denote the identity matrix in \(\mathbb {Z}_p^{k \times k}\) by \(\mathbf {I}\). For vectors \(\mathbf {a} \in \mathbb {Z}_p^k\) we define exponentiation component-wise, i.e. \(g^{\mathbf {a}} = (g^{a_0},\dots ,g^{a_{k-1}})\). The decisional k-linear assumption (k-LIN) [17, 31] generalizes the decisional DDH problem. The decisional k-Linear assumption becomes (generically) weaker when the parameter k grows, where the instance \(k=1\) corresponds to DDH and \(k=2\) to the linear assumption [6]. The main motivation for these assumptions is that groups are known in which the DDH problem is easy, but the computational Diffie-Hellman problem is supposedly hard [16].
Definition 5
We will use the PRF construction of Lewko and Waters [21] as the underlying small domain PRF in our construction.
Theorem 5
The Lewko-Waters PRF \(\mathsf {LW}\) as described in the construction in Theorem 5 outputs k group elements and therefore requires k exponentiations. We can truncate the output of the LW PRF to a single group element, thereby only requiring a single exponentiation.
4.2 A Bounded PRF From k-LIN
We will now provide an efficient construction of a bounded PRF from k-LIN. The security of this bounded PRF tightly reduces to the security of a small domain \(\mathsf {LW}\) PRF and therefore to k-LIN with only a logarithmic loss.
Construction 3
For a bit \(b \in \{0,1\}\) let \(\lnot b = 1 - b\) denote the negation of b. For a bit vector \(\mathbf {c} \in \{0,1\}^m\) let \(\lnot \mathbf {c}\) denote the bitwise negation of \(\mathbf {c}\). We will need the following technical lemma.
Lemma 2
The proof of Lemma 2 works by inductively expanding the left side of the equation and can be found in the full version of this paper. We will now show that the function \(F_\ell \) given in Construction 3 is a bounded PRF.
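The following is an added example, not code from the paper. It assumes that the exponent of the k-LIN bounded PRF is the matrix product that appears in Hybrid \(\mathfrak {H}_2\) of the proof of Theorem 7, with the lower limit of the product at j = 0 (Construction 3 itself is not reproduced on this page, so that shape is an assumption); the modulus and matrix sizes are constructed for the demo. It computes the product in \(\log (\ell )\) matrix multiplications (the "closed form" mentioned in the introduction) and checks it against the expansion behind Lemma 2: a polynomial of degree \(\ell - 1\) in x whose coefficient of \(x^i\) is the ordered product of those \(\mathbf {S}_j\) with bit j of i equal to 0, i.e. a Lewko-Waters style subset product.

```python
"""Closed-form vs. expanded evaluation of prod_{j=0}^{m-1} (S_j + x^{2^j} I) over Z_p.

Added example (not from the paper). Assumption: the exponent of the bounded PRF
has exactly this product shape with m = log(ell) factors, as in Hybrid H_2 of the
proof of Theorem 7. The modulus P and the matrix dimension k are constructed
values for the demo, not parameters from the paper.
"""
import random

P = 1_000_003  # constructed small prime modulus for the demo


def mat_mul(A, B, p=P):
    k = len(A)
    return [[sum(A[i][r] * B[r][j] for r in range(k)) % p for j in range(k)]
            for i in range(k)]


def mat_add(A, B, p=P):
    return [[(a + b) % p for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def mat_scale(A, c, p=P):
    return [[(a * c) % p for a in row] for row in A]


def identity(k):
    return [[int(i == j) for j in range(k)] for i in range(k)]


def zeros(k):
    return [[0] * k for _ in range(k)]


def random_matrix(k, rng, p=P):
    return [[rng.randrange(p) for _ in range(k)] for _ in range(k)]


def product_form(S, x, p=P):
    """M(x) = prod_{j=0}^{m-1} (S_j + x^{2^j} I), multiplied left to right.

    Costs m = log(ell) matrix multiplications; x^{2^j} is obtained by
    repeated squaring, so no x^i with i up to ell - 1 is ever formed.
    """
    k = len(S[0])
    acc = identity(k)
    xpow = x % p                  # x^{2^0}
    for S_j in S:
        factor = mat_add(S_j, mat_scale(identity(k), xpow, p), p)
        acc = mat_mul(acc, factor, p)
        xpow = (xpow * xpow) % p  # x^{2^{j+1}}
    return acc


def expanded_coefficients(S, p=P):
    """Coefficient M_i of x^i for i in [0, ell), ell = 2^m.

    Expanding the product chooses, per factor j, either S_j or x^{2^j} I.
    Choosing x^{2^j} I exactly for the set bits of i contributes x^i, so
    M_i is the ordered product of the S_j over the j where bit j of i is 0
    (the Lewko-Waters style product on the negated bit vector of i).
    """
    m = len(S)
    k = len(S[0])
    coeffs = []
    for i in range(1 << m):
        M_i = identity(k)
        for j in range(m):
            if not (i >> j) & 1:
                M_i = mat_mul(M_i, S[j], p)
        coeffs.append(M_i)
    return coeffs


def polynomial_form(coeffs, x, p=P):
    """sum_i x^i M_i, the expanded evaluation costing ell = 2^m terms."""
    k = len(coeffs[0])
    acc = zeros(k)
    xpow = 1
    for M_i in coeffs:
        acc = mat_add(acc, mat_scale(M_i, xpow, p), p)
        xpow = (xpow * x) % p
    return acc


def forms_agree(k=2, m=3, seed=1, trials=5):
    """Check that the log(ell)-step product equals the degree-(ell-1) polynomial
    on random S_0..S_{m-1} and random evaluation points x."""
    rng = random.Random(seed)
    S = [random_matrix(k, rng) for _ in range(m)]
    coeffs = expanded_coefficients(S)
    return all(product_form(S, x) == polynomial_form(coeffs, x)
               for x in (rng.randrange(P) for _ in range(trials)))
```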
Theorem 6
Assume that the k-LIN problem is hard in \(\mathbb {G}\). Then the function \(F_{\ell }\) defined in Construction 3 is a bounded PRF. More specifically, let \(\ell ^*\le \mathsf {poly}(\lambda )\) and assume that \(\mathcal {D}\) is an \(\ell ^*\)-query PPT distinguisher with advantage \(\epsilon \) against the pseudorandomness of \(F_{\ell ^*}\). Then there exists a distinguisher \(\mathcal {D}'\) (with essentially the same runtime as \(\mathcal {D}\)) with advantage \(\frac{\epsilon }{k \cdot \log (\ell ^*)}\) against k-LIN.
Proof
4.3 In-Place On-the-Fly Adaptation
While the general on-the-fly adaptation strategy we provided in Sect. 3.2 needs to replicate the underlying bounded PRF t times, we will now provide a specific on-the-fly adaptation technique for the bounded PRF \(F_\ell \) provided in the last paragraph that involves no expansion whatsoever. Due to the special algebraic structure of \(F_\ell \), this on-the-fly adaptation can be done in-place. To obtain an unbounded PRF from the bounded PRF of Construction 3, we will raise the upper limit of the product in the exponent from \(\log (\ell )\) to some \(t = \omega (\log (\lambda ))\). We thereby ensure that t is large enough that we can embed \(F_{\ell ^*}\) in this PRF for any \(\ell ^*\le \mathsf {poly}(\lambda )\).
Construction 4
We still need the following auxiliary lemma which states that a randomly chosen matrix from \(\mathbb {Z}_p^{k \times k}\) has full rank, except with small probability.
Lemma 3
The proof of Lemma 3 is standard.
Theorem 7
Assume that the k-LIN problem is hard in \(\mathbb {G}\). Then the function F defined in Construction 4 is a PRF. More specifically, assume that \(\mathcal {D}\) is a PPT distinguisher that makes at most \(q = \mathsf {poly}(\lambda )\) queries and distinguishes F with advantage \(\epsilon \) from a uniformly random function. Then there exists a PPT distinguisher \(\mathcal {D}^*\) (with essentially the same runtime as \(\mathcal {D}\)) with advantage \(\frac{1}{k \cdot \log (q)} \cdot \left( \epsilon - \frac{qt}{(p-1)} \right) \) against k-LIN in \(\mathbb {G}\).
Proof
Let \(\mathcal {D}\) be a distinguisher with advantage \(\epsilon \) against the pseudorandomness of F which makes at most \(q = \mathsf {poly}(\lambda )\) queries. Note that since \(q = \mathsf {poly}(\lambda )\) and \(t = \omega (\log (\lambda ))\), it holds that \(\log (q) \le t-1\) (for a sufficiently large \(\lambda \)). We will define 3 hybrid experiments. In hybrid i, \(\mathcal {D}\) is given access to a function \(F^{(i)}:\mathbb {Z}_p \rightarrow \mathbb {G}^k\).
Hybrid \(\mathfrak {H}_1\): In this experiment \(\mathcal {D}\) is given oracle access to the function \(F^{(1)}\) given by \(F^{(1)}(x) = F(K,x)\) for a randomly chosen \(K \leftarrow _{{\$}}\mathcal {K}\).
Hybrid \(\mathfrak {H}_2\): In this experiment \(\mathcal {D}\) is given oracle access to the function \(F^{(2)}\) defined by
$$ F^{(2)}(x) = g^{\mathbf {r}(x)^\top \cdot \prod _{j = \log (q) }^{t-1} (\mathbf {S}_j + x^{2^j}\mathbf {I})}, $$
where \(\mathbf {r}: \mathbb {Z}_p \rightarrow \mathbb {Z}_p^k\) is a uniformly random function and \(\mathbf {S}_{\log (q)},\dots ,\mathbf {S}_{t-1} \leftarrow _{{\$}}\mathbb {Z}_p^{k \times k}\).
Hybrid \(\mathfrak {H}_3\): In this experiment \(\mathcal {D}\) is given oracle access to a uniformly random function \(F^{(3)}\).
PRF with Shorter Keys. Escala et al. [11] suggested a framework that generalizes Diffie-Hellman like decisional assumptions and proposed a variant of the Lewko-Waters PRF with short keys based on the so-called Matrix-DDH (MDDH) assumption. The proof of Theorem 6 immediately generalizes to this setting. Theorem 7 also holds in this setting, given that the distribution of aggregated transformation matrices \(\mathbf {T}\) corresponding to the matrix distribution \(\mathcal {D}_{\ell ,k}\) (cf. [11], Sect. 5.3) used in the MDDH problem satisfies \(\Pr [\mathsf {rank}(\mathbf {T} + x \cdot \mathbf {I}) < k] \le \mathsf {negl}\) for all \(x \in \mathbb {Z}_p\).
Footnotes
 1.
The Naor-Reingold PRF would be such a suitable PRF as its security reduction only loses a factor of n. However, as discussed above, we provide a much more efficient direct construction based on the NR PRF.
 2.
Usually even a polynomially-bounded increase/loss is considered as significant, if the polynomial may be large. An increase/loss by a small constant factor is not considered as significant.
Acknowledgements
We thank Max Rabkin and the reviewers of CRYPTO 2015 for their helpful comments and feedback.
References
1. Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012)
2. Bellare, M., Goldwasser, S.: New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 194–211. Springer, Heidelberg (1990)
3. Benabbas, S., Gennaro, R., Vahlis, Y.: Verifiable delegation of computation over large datasets. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 111–131. Springer, Heidelberg (2011)
4. Berman, I., Haitner, I.: From non-adaptive to adaptive pseudorandom functions. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 357–368. Springer, Heidelberg (2012)
5. Berman, I., Haitner, I., Komargodski, I., Naor, M.: Hardness preserving reductions via cuckoo hashing. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 40–59. Springer, Heidelberg (2013)
6. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)
7. Boneh, D., Montgomery, H.W., Raghunathan, A.: Algebraic pseudorandom functions with improved efficiency from the augmented cascade. In: Al-Shaer, E., Keromytis, A.D., Shmatikov, V. (eds.) ACM CCS 10, pp. 131–140. ACM Press, Chicago (2010)
8. Chandran, N., Garg, S.: Balancing output length and query bound in hardness preserving constructions of pseudorandom functions. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 89–103. Springer, Berlin (2014)
9. Chase, M., Meiklejohn, S.: Déjà Q: Using dual systems to revisit q-type assumptions. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 622–639. Springer, Heidelberg (2014)
10. Dodis, Y., Yampolskiy, A.: A verifiable random function with short proofs and keys. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 416–431. Springer, Heidelberg (2005)
11. Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for Diffie-Hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013)
12. Fiore, D., Gennaro, R.: Publicly verifiable delegation of large polynomials and matrix computations, with applications. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) ACM CCS 12, pp. 501–512. ACM Press, Raleigh (2012)
13. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: 25th FOCS, 24–26 October 1984, pp. 464–479. IEEE Computer Society Press, Singer Island (1984)
14. Goldreich, O., Goldwasser, S., Micali, S.: On the cryptographic applications of random functions. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 276–288. Springer, Heidelberg (1985)
15. Hazay, C.: Oblivious polynomial evaluation and secure set-intersection from algebraic PRFs. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 90–120. Springer, Heidelberg (2015)
16. Herranz, J., Hofheinz, D., Kiltz, E.: The Kurosawa-Desmedt key encapsulation is not chosen-ciphertext secure. Cryptology ePrint Archive, Report 2006/207 (2006). http://eprint.iacr.org/
17. Hofheinz, D., Kiltz, E.: Secure hybrid encryption from weakened key encapsulation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 553–571. Springer, Heidelberg (2007)
18. Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Cryptography with constant computational overhead. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 433–442. ACM Press, Canada (2008)
19. Jain, A., Pietrzak, K., Tentes, A.: Hardness preserving constructions of pseudorandom functions. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 369–382. Springer, Heidelberg (2012)
20. Levin, L.: One way functions and pseudorandom generators. Combinatorica 7(4), 357–363 (1987)
21. Lewko, A.B., Waters, B.: Efficient pseudorandom functions from the decisional linear assumption and weaker variants. In: Al-Shaer, E., Jha, S., Keromytis, A.D. (eds.) ACM CCS 09, pp. 112–120. ACM Press, Chicago (2009)
22. Luby, M.: Pseudorandomness and Cryptographic Applications. Princeton University Press, Princeton, NJ, USA (1994)
23. Maurer, U.M.: Indistinguishability of random systems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 110–132. Springer, Heidelberg (2002)
24. Naor, M., Reingold, O.: Synthesizers and their application to the parallel construction of pseudorandom functions. In: 36th FOCS, 23–25 October 1995, pp. 170–181. IEEE Computer Society Press, Milwaukee (1995)
25. Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudorandom functions. In: 38th FOCS, 19–22 October 1997, pp. 458–467. IEEE Computer Society Press, Miami Beach (1997)
26. Naor, M., Reingold, O.: On the construction of pseudorandom permutations: Luby-Rackoff revisited (extended abstract). In: 29th ACM STOC, 4–6 May 1997, pp. 189–199. ACM Press, El Paso (1997)
27. Naor, M., Reingold, O., Rosen, A.: Pseudorandom functions and factoring (extended abstract). In: 32nd ACM STOC, 21–23 May 2000, pp. 11–20. ACM Press, Portland (2000)
28. Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, 31 May - 2 June 2009, pp. 333–342 (2009)
29. Razborov, A.A., Rudich, S.: Natural proofs. In: 26th ACM STOC, 23–25 May 1994, pp. 204–213. ACM Press, Montréal (1994)
30. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, 22–24 May 2005, pp. 84–93 (2005)
31. Shacham, H.: A Cramer-Shoup encryption scheme from the linear assumption and from progressively weaker linear variants. Cryptology ePrint Archive, Report 2007/074 (2007). http://eprint.iacr.org/
32. Valiant, L.G.: A theory of the learnable. Commun. ACM 27(11), 1134–1142 (1984). http://doi.acm.org/10.1145/1968.1972