On the Query Complexity of Constructing PRFs from Non-adaptive PRFs

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12238)

Abstract

This paper studies constructions of pseudorandom functions (PRFs) from non-adaptive PRFs (naPRFs), i.e., PRFs which are secure only against distinguishers issuing all of their queries at once.

Berman and Haitner (Journal of Cryptology, ’15) gave a one-call construction which, however, is not hardness preserving – to obtain a secure PRF (against polynomial-time distinguishers), they need to rely on a naPRF secure against superpolynomial-time distinguishers; in contrast, all known hardness-preserving constructions require \(\omega (1)\) calls. This leaves open the question of whether a stronger superpolynomial-time assumption is necessary for one-call (or constant-call) approaches. Here, we show that a large class of one-call constructions (which in particular includes the one of Berman and Haitner) cannot be proved to be a secure PRF under a black-box reduction to the (polynomial-time) naPRF security of the underlying function.

Our result complements existing impossibility results (Myers, EUROCRYPT ’04; Pietrzak, CRYPTO ’05) ruling out natural specific approaches, such as parallel and sequential composition. Furthermore, we show that our techniques extend to rule out a natural class of constructions making an arbitrary number of parallel calls, which in particular includes parallel composition and the two-call, cuckoo-hashing-based construction of Berman et al. (Journal of Cryptology, ’19).
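The abstract's distinction between a naPRF (secure only against batch queries) and a full PRF (secure against adaptive queries) is illustrated below with an added toy example; it is not code from the paper and does not implement any of the constructions it analyses. The base PRF `f` is modelled by HMAC-SHA256 (an assumption), and `g` is a constructed function that agrees with `f` everywhere except at one key-dependent point where it leaks the key, so a two-round adaptive distinguisher breaks it while the same attack cannot be expressed with queries fixed in advance.

```python
import hashlib
import hmac
import os

N = 16           # key and output length in bytes (toy parameter)
ZERO = bytes(N)  # fixed first query of the adaptive attack


def f(key: bytes, x: bytes) -> bytes:
    """Base PRF, modelled by HMAC-SHA256 truncated to N bytes (an assumption)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N]


def g(key: bytes, x: bytes) -> bytes:
    """Constructed function equal to f(key, .) at every point except the single
    point f(key, ZERO), where it returns the key itself.  A distinguisher that
    fixes all queries up front hits that point only by guessing an N-byte value;
    an adaptive one simply asks for it after learning f(key, ZERO)."""
    return key if x == f(key, ZERO) else f(key, x)


class RandomFunction:
    """Lazily sampled random function: the ideal object a PRF is compared to."""

    def __init__(self):
        self.table = {}

    def __call__(self, x: bytes) -> bytes:
        return self.table.setdefault(x, os.urandom(N))


def adaptive_distinguisher(oracle) -> bool:
    """The second query depends on the first answer.  Returns True when the
    value found at f(key, ZERO) verifies as the key on an independent probe."""
    y = oracle(ZERO)                 # equals f(key, ZERO) if the oracle is g
    k = oracle(y)                    # g leaks the key at this point
    probe = b"\x01" + bytes(N - 1)
    return oracle(probe) == f(k, probe)


def non_adaptive_distinguisher(oracle) -> bool:
    """Same key-verification idea, but every query is chosen before any answer
    is seen.  No query can be aimed at f(key, ZERO) without the key, so no
    answer verifies as the key and the batch attack fails on both g and random."""
    queries = [ZERO] + [bytes([i]) + bytes(N - 1) for i in (1, 2, 3)]
    answers = [oracle(q) for q in queries]   # one round, no feedback used
    for i, cand in enumerate(answers):       # treat each answer as a key guess
        others = [(q, a) for j, (q, a) in enumerate(zip(queries, answers)) if j != i]
        if all(f(cand, q) == a for q, a in others):
            return True
    return False
```

Running both distinguishers against `g` under a random key and against `RandomFunction()` shows only the adaptive one separating the two, which is exactly the gap the abstract's question about one-call constructions concerns.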

Keywords

Pseudorandom functions, Black-box separations, Foundations

Acknowledgements

This work was partially supported by NSF grants CNS-1553758 (CAREER), CNS-1719146 and by a Sloan Research Fellowship. The first author was additionally supported by NSF grants CNS-1528178, CNS-1929901, CNS-1936825 (CAREER), the Defense Advanced Research Projects Agency (DARPA) and Army Research Office (ARO) under Contract No. W911NF-15-C-0236, and a subcontract No. 2017-002 through Galois. The views and conclusions contained in this document are those of the authors and should not be interpreted as the official policies, either expressed or implied, of the Defense Advanced Research Projects Agency or the US Government.

References

  1. Applebaum, B., Raykov, P.: Fast pseudorandom functions based on expander graphs. In: Hirt, M., Smith, A. (eds.) TCC 2016-B, Part I. LNCS, vol. 9985, pp. 27–56. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53641-4_2
  2. Barak, B., Mahmoody-Ghidary, M.: Lower bounds on signatures from symmetric primitives. In: 48th FOCS, pp. 680–688. IEEE Computer Society Press, October 2007
  3. Bellare, M., Canetti, R., Krawczyk, H.: Pseudorandom functions revisited: the cascade construction and its concrete security. In: 37th FOCS, pp. 514–523. IEEE Computer Society Press, October 1996
  4. Berman, I., Haitner, I.: From non-adaptive to adaptive pseudorandom functions. J. Cryptol. 28(2), 297–311 (2013). https://doi.org/10.1007/s00145-013-9169-2
  5. Berman, I., Haitner, I., Komargodski, I., Naor, M.: Hardness-preserving reductions via cuckoo hashing. J. Cryptol. 32(2), 361–392 (2019). https://doi.org/10.1007/s00145-018-9293-0
  6. Bronson, J., Juma, A., Papakonstantinou, P.A.: Limits on the stretch of non-adaptive constructions of pseudo-random generators. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 504–521. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_30
  7. Buldas, A., Laur, S., Niitsoo, M.: Oracle separation in the non-uniform model. In: Pieprzyk, J., Zhang, F. (eds.) ProvSec 2009. LNCS, vol. 5848, pp. 230–244. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04642-1_19
  8. Cho, C., Lee, C.-K., Ostrovsky, R.: Equivalence of uniform key agreement and composition insecurity. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 447–464. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_24
  9. Gennaro, R., Gertner, Y., Katz, J.: Lower bounds on the efficiency of encryption and digital signature schemes. In: 35th ACM STOC, pp. 417–425. ACM Press, June 2003
  10. Gennaro, R., Trevisan, L.: Lower bounds on the efficiency of generic cryptographic constructions. In: 41st FOCS, pp. 305–313. IEEE Computer Society Press, November 2000
  11. Gertner, Y., Malkin, T., Reingold, O.: On the impossibility of basing trapdoor functions on trapdoor predicates. In: 42nd FOCS, pp. 126–135. IEEE Computer Society Press, October 2001
  12. Holenstein, T., Sinha, M.: Constructing a pseudorandom generator requires an almost linear number of calls. In: 53rd FOCS, pp. 698–707. IEEE Computer Society Press, October 2012
  13. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 8–26. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_2
  14. Maurer, U., Pietrzak, K.: Composition of random systems: when two weak make one strong. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 410–427. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_23
  15. Maurer, U., Pietrzak, K., Renner, R.: Indistinguishability amplification. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 130–149. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_8
  16. Miles, E., Viola, E.: On the complexity of non-adaptively increasing the stretch of pseudorandom generators. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 522–539. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_31
  17. Myers, S.: Black-box composition does not imply adaptive security. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 189–206. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_12
  18. Pietrzak, K.: Composition does not imply adaptive security. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 55–65. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_4
  19. Pietrzak, K.: Composition implies adaptive security in minicrypt. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 328–338. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_20
  20. Reingold, O., Trevisan, L., Vadhan, S.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_1
  21. Stinson, D.R.: Universal hashing and authentication codes. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 74–85. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_5
  22. Vaudenay, S.: Decorrelation: a theory for block cipher security. J. Cryptol. 16(4), 249–286 (2003)
  23. Viola, E.: On constructing parallel pseudorandom generators from one-way functions. Cryptology ePrint Archive, Report 2005/159 (2005). http://eprint.iacr.org/2005/159
  24. Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22, 265–279 (1981)

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. University of California, Santa Barbara, USA
  2. Paul G. Allen School of Computer Science & Engineering, University of Washington, Seattle, USA