Constructing Verifiable Random Functions for Large Input Spaces

Brent WatersSusan Hohenberger

2

Pseudo Random Functions [GGM84]

FK(¢)

K?

Applications:• Sym Key Enc• Removing State…

Constructions:• OWF -- GGM/HILL • DDH –NR97

3

Verifiable Random Functions [MRV99]

FK(¢)

K PK

FK(x), ¼x

FK(x’), ¼x’

…

VRFsSetup(1¸) ! K, PK

Evaluate(K, x 2 {0,1}n) ! FK(x)

Prove(K, x 2 {0,1}n) ! ¼x

Verify(PK, (x,y,¼) ) = {T,F}

Non-Interactive!

Deterministic

5

Security: Pseudorandomness

FK(x1)

K

?PK

x1

FK(x2) x2

FK(x3) x3

AdvA = Pr[b’=b]-1/2

FK(x*) or R x*b b’

6

Security: Uniqueness

K

PK

Impossible:Exists (x,y1, y2, ¼1,¼2)1) y1 y2

2) Ver(PK,x,y1,¼1) = T Ver(PK,x,y2,¼2) = T

The Technical Challenge

• No Interaction• No Common Ref. String• No Randomness (in output)

Proof by Partitioning

SimulatorInput Space = {0,1}n

Query SpaceChallenge Space

x1

x2

… xQ

x* (challenge input)

Attacker

“All-But-One” Proofs

SimulatorInput Space = {0,1}n

Guess x* ~ (1/2)n Security LossShort Input Spaces

MRV99, DY05 (2n Time-blowup), ACF09L02 Interactive Assumption – (Partition Changes)

Extend Input: CRHF H:{0,1}* ! {0,1}n (Complexity Leveraging)

Goal: Large Input Space (& Poly Reductions) Input bits =n, Queries = Q

~1/Q fraction

Similar to IBE BB04 =>W05

Bilinear Map OverviewG : multiplicative of prime order p.

Bilinear map e: GG GT e(ga, gb) = e(g,g)ab a,bZp, gG

Construction (Similar to L02, ACF09)

Setup(1¸) ! K= (u’,u0,u1,…,un)PK = (g,h, U’=gu’ , U0= gu0,…, Un=gun )

FK(x)= e( gt, h ) t = u’u_0 j=1,…,n uj xj

Prove(K, x 2 {0,1}n) ¼=(¼0,…,¼n) ¼i=gu’zi zi = u’ u0 j=1,…,i ujxj

Verify(PK, (x,y,¼) ) “Stepping Stone” w/ PK, ¼i

* Changed from Conference Proceedings

Proof Overview: Hidden Programming Input bits =n, Queries = Q

~1/Q fraction

k DDHE Assumption: Given: g,h,ga, ga2,…, gak-1, , gak+1, …, ga2k

Distinguish: e(g,h)ak from R

“Hole”

Use k=4Q(n+1)

Partitioning and Aborts

Simulator ID Space

Query SpaceChallenge Space

x1

x2……xQ

x* (challenge ID)Attacker

Abort andtry again

Proof Sketch (leaving out randomization)

Setup: PK = (g,h, U’=gak , U0= ga4Q(t)+r0, Uj=garj )

k=4Q(n+1) DDHE Assumption: Given: g,h,ga, ga2,…, gak-1, , gak+1, …, ga2k

Choose: r0,…,rn 2 Zp , t 2 [0,n]C(x) = 4Q(1+t)+r0+ j 2 X rj

FK(x) = e(gaC(x),h)

Query: C(x) 0 mod 4QChallenge: C(x) = k

Other Details & Improvements

• Precise Analysis (Similar to W05)• “Artificial Abort”• HK08 Slightly tighter proofs• BR09 Worse Assumption Here

Comparisons

System Assumption Sec. Loss TimeMRV99 RSA 2-n ~A+2N

DY05 2n DBHI 2-n ~A+2N

ACF09 n DBHI 2-n ~AHW10 4Qn DDHE ~(1/Qn) ~A

* DY05, MRV99 : Short Proofs

Summary & FutureLarge Input SpacesHidden CompressionUseful: Look for high level similarities

Open: Static Assumptions

New: Hierarchical VRFWhy?Are we stuck with exponential loss?

19

Thank you