Constrained Verifiable Random Functions
43
Georg Fuchsbauer IST Austria SCN 2014, 3 September 2014 (Full version: eprint 2014/537) Constrained Verifiable Random Functions
Transcript of Constrained Verifiable Random Functions
Georg FuchsbauerIST Austria
SCN 2014, 3 September 2014
(Full version: eprint 2014/537)
Constrained Verifiable Random Functions
Overview
Pseudorandom functions(PRF)
Verifiable random functions (VRF)
Constrained PRF
1/16
Constrained VRF
Overview
Pseudorandom functions(PRF)
Verifiable random functions (VRF)
Constrained PRF
● Formal definition
● Constructions
1/16
PRFs
● Pseudorandom function [GGM86]:
– Function
2/16
PRFs
● Pseudorandom function [GGM86]:
– Function
A PRF key is a compact description ofan exponentially long (pseudo) random
string.
2/16
PRFs
● Pseudorandom function [GGM86]:
– Function
● Application:
– Symmetric encryption: Key:
Encryption:
A PRF key is a compact description ofan exponentially long (pseudo) random
string.
2/16
Constrained PRFs
● Constrained PRF [BW13, KPTZ13, BGI14]:
– Function
for set system
– Algorithms:●
●
3/16
Constrained PRFs
● Constrained PRF [BW13, KPTZ13, BGI14]:
– Function
for set system
– Algorithms:●
●
3/16
Security of Constrained PRFs
● Pseudorandomness of constrained PRFs:
– Function should look random where:● we have not seen its value● we cannot evaluate it using a constrained key
4/16
Security of Constrained PRFs
● Pseudorandomness of constrained PRFs:
– Function should look random where:● we have not seen its value● we cannot evaluate it using a constrained key
Challenger
Adver sary
Oracles:
4/16
Instantiations of Constrained PRFs
● Instantiations for set systems :
– prefix-constrained PRF [BW13, KPTZ13, BGI14]:
keys for sets
5/16
Instantiations of Constrained PRFs
● Instantiations for set systems :
– prefix-constrained PRF [BW13, KPTZ13, BGI14]:
keys for sets
– bit-fixing PRF [BW13]:
keys for sets defined by as
5/16
Instantiations of Constrained PRFs
● Instantiations for set systems :
– prefix-constrained PRF [BW13, KPTZ13, BGI14]:
keys for sets
– bit-fixing PRF [BW13]:
keys for sets defined by as
– circuit-constrained PRF [BW13]:
keys defined by circuit C:
5/16
Applications of Constrained PRFs
● Identity-based non-interactive key exchange (ID-NIKE)
from bit-fixing PRF [BW13]
● Broadcast encryption with optimal ciphertext length [BW13]
7/16
Applications of Constrained PRFs
● Identity-based non-interactive key exchange (ID-NIKE)
from bit-fixing PRF [BW13]
● Broadcast encryption with optimal ciphertext length [BW13]
● Punctured PRFs [BW13, KPTZ13, BGI14]:
– constr. keys for domain
– many applications in combination with indistinguishability obfuscation [GGH+13]
7/16
VRFs
● Verifiable random function [MRV99]:
– Function
– Algorithms:●
●
●
8/16
VRFs
● Verifiable random function [MRV99]:
– Function
– Algorithms:●
●
●
● Provability
8/16
Security of VRFs
● Uniqueness:
– For all
9/16
Security of VRFs
● Uniqueness:
– For all
● Pseudorandomness:
– Adv gets oracle
– submits that has not been queried
– receives either or
9/16
Security of VRFs
● Uniqueness:
– For all
● Pseudorandomness:
– Adv gets oracle
– submits that has not been queried
– receives either or
A VRF public key can be seen as a compact commitment to an
exponential number of (pseudo) random bits.
9/16
Application of VRFs
● Micropayments:
– e.g. many payments of 1¢, too expensive to process
● User U pays merchant M with cheque:
● Rate : with , a cheque is “payable”● payable: M receives ¢● else cheque is discarded
“Rivest's lottery”:
10/16
Application of VRFs
● Micropayments:
– e.g. many payments of 1¢, too expensive to process
● User U pays merchant M with cheque:
● Rate : with , a cheque is “payable”● payable: M receives ¢● else cheque is discarded
“Rivest's lottery”:
How do we decide which should be payable (in fair way)?
- M publishes for VRF with
- is payable if
10/16
Constrained Verifiable Random Functions
Constrained VRFs
● Constrained VRF [This work]:
– Function
for set system
– Algorithms:●
●
●
●
11/16
Constrained VRFs
● Constrained VRF [This work]:
– Function
for set system
– Algorithms:●
●
●
●
11/16
Provability
Security of Constrained VRFs
● Uniqueness:
12/16
Security of Constrained VRFs
● Uniqueness:
● Pseudorandomness of constrained PRFs:
Challenger Oracles:
Ad
ver sary
12/16
Security of Constrained VRFs
● Uniqueness:
● Constraint-hiding:
● Pseudorandomness of constrained PRFs:
Challenger Oracles:
Adve
r sary
12/16
Possible Application of Constrained VRF
● Micropayments: “Rivest's lottery”
- M publishes for VRF with
- is payable if
13/16
Possible Application of Constrained VRF
● Micropayments: “Rivest's lottery”
- M publishes for VRF with
- is payable if
Drawback
- need PKI for merchants' keys
13/16
Identity-based solution?
Possible Application of Constrained VRF
● Micropayments: “Rivest's lottery”
- M publishes for VRF with
- is payable if
Drawback
- need PKI for merchants' keys
13/16
constrained VRFs
- every M uses same key
- is payable if
- Merchant M gets constr. key
for set
Constructions
– from PRG [GGM86]
– under DDH [NR97]
PRFs VRFs
14/16
– under q-DDHI [DY05]but: poly-size domain only!
– under q-type assumptions,value in target grouplarge proofs [HW10,ACF13]
Constructions
– from PRG [GGM86]
– under DDH [NR97]
● prefix-fixing:
– from PRG [BW13, KPTZ13, BGI14]
● bit-fixing, circuit-constr:
– from multilin. maps
– under MDDH [BW13]
– under q-DDHI [DY05]but: poly-size domain only!
– under q-type assumptions,value in target grouplarge proofs [HW10,ACF13]
PRFs
constrained PRFs
VRFs
14/16
Constructions
– from PRG [GGM86]
– under DDH [NR97]
● prefix-fixing:
– from PRG [BW13, KPTZ13, BGI14]
● bit-fixing, circuit-constr:
– from multilin. maps
– under MDDH [BW13]
– under q-DDHI [DY05]but: poly-size domain only!
– under q-type assumptions,value in target grouplarge proofs [HW10,ACF13]
● bit-fixing, circuit-constr:
– from multilin. maps
– under MDDH [this work]
PRFs
constrained PRFs
VRFs
constrained VRFs
14/16
14/16
Constructions
– from PRG [GGM86]
– under DDH [NR97]
● prefix-fixing:
– from PRG [BW13, KPTZ13, BGI14]
● bit-fixing, circuit-constr:
– from multilin. maps
– under MDDH [BW13]
– under q-DDHI [DY05]but: poly-size domain only!
– under q-type assumptions,large proofs [HW10,ACF13]
● bit-fixing, circuit-constr:
– from multilin. maps
– under MDDH [this work]
constrained PRFs
VRFs
constrained VRFs
- same function value
- based on sameassumptions
● based on same assumption
● same function values
→ verifiability “for free”
PRFs
Construction of Constrained VRFs
● Multilinear maps:
– Groups , each generated by
– Maps
● MDDH assumption:
given then looks random
15/16
Construction of Constrained VRFs
● Boneh-Waters cPRF:
(bit-fixing)
secure under -MDDH
16/16
Construction of Constrained VRFs
● Boneh-Waters cPRF:
(bit-fixing)
● Observation: Even when and
are public, still pseudorandom
16/16
Construction of Constrained VRFs
● Boneh-Waters cPRF:
(bit-fixing)
● Observation: Even when and
are public, still pseudorandom
● Split , publish and
16/16
Construction of Constrained VRFs
● Boneh-Waters cPRF:
(bit-fixing)
● Observation: Even when and
are public, still pseudorandom
● Split , publish and
● Observation: publicly computable
16/16
Construction of Constrained VRFs
● Boneh-Waters cPRF:
(bit-fixing)
● Observation: Even when and
are public, still pseudorandom
● Split , publish and
● Observation: publicly computable
● Define proof:
16/16
Construction of Constrained VRFs
● Boneh-Waters cPRF:
(bit-fixing)
● Observation: Even when and
are public, still pseudorandom
● Split , publish and
● Observation: publicly computable
● Define proof:
● Verification of : 16/16
Thank you
