Constructing Verifiable Random Functions for Large Input Spaces
Constructing Verifiable Random Functions for Large Input Spaces
Susan Hohenberger, Brent Waters
Pseudo Random Functions [GGM84]
$F_K(\cdot)$: a keyed function. The holder of $K$ can evaluate it; to anyone without $K$ the outputs are indistinguishable from random.
Applications: symmetric-key encryption, removing state, ...
Constructions: from OWFs (GGM, HILL), from DDH (NR97)
Verifiable Random Functions [MRV99]
(Figure: the key holder has $K$ and a public key $PK$; on inputs $x, x', \ldots$ it publishes $F_K(x), \pi_x$ and $F_K(x'), \pi_{x'}$, which anyone holding $PK$ can check.)
VRFs
Setup($1^\lambda$) $\to (K, PK)$
Evaluate($K$, $x \in \{0,1\}^n$) $\to F_K(x)$
Prove($K$, $x \in \{0,1\}^n$) $\to \pi_x$
Verify($PK$, $(x, y, \pi)$) $\to \{T, F\}$
Non-interactive! Deterministic.
Security: Pseudorandomness
(Figure: the challenger holds $K$, the attacker gets $PK$. The attacker adaptively queries $x_1, x_2, x_3, \ldots$ and receives $F_K(x_1), F_K(x_2), F_K(x_3), \ldots$; on the challenge input $x^*$ it receives either $F_K(x^*)$ or a random $R$, depending on the bit $b$, and outputs a guess $b'$.)
$\mathrm{Adv}_A = \Pr[b' = b] - 1/2$
Security: Uniqueness
(Figure: $K$ and $PK$ as above.)
Impossible: there exist $(x, y_1, y_2, \pi_1, \pi_2)$ with
1) $y_1 \neq y_2$
2) Ver($PK, x, y_1, \pi_1$) = T and Ver($PK, x, y_2, \pi_2$) = T
The Technical Challenge
• No interaction
• No common reference string
• No randomness (in the output)
Proof by Partitioning
(Figure: the simulator partitions the input space $\{0,1\}^n$ into a query space and a challenge space; the attacker's queries $x_1, x_2, \ldots, x_Q$ must land in the query space and the challenge input $x^*$ in the challenge space.)
"All-But-One" Proofs
(Figure: the simulator's input space $\{0,1\}^n$ with a single guessed challenge point.)
Guess $x^*$: $\sim (1/2)^n$ security loss, so only short input spaces.
MRV99, DY05 ($2^n$ time blow-up), ACF09. L02: interactive assumption (the partition changes).
Extend the input: CRHF $H: \{0,1\}^* \to \{0,1\}^n$ (complexity leveraging).
Goal: large input space (and polynomial reductions). Input bits $= n$, queries $= Q$.
$\sim 1/Q$ fraction of the inputs in the challenge space.
Similar to IBE: BB04 $\Rightarrow$ W05.
Bilinear Map Overview
$\mathbb{G}$: multiplicative group of prime order $p$.
Bilinear map $e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ with $e(g^a, g^b) = e(g,g)^{ab}$ for all $a, b \in \mathbb{Z}_p$, $g \in \mathbb{G}$.
Construction (Similar to L02, ACF09)
Setup($1^\lambda$) $\to$ $K = (u', u_0, u_1, \ldots, u_n)$, $PK = (g, h, U' = g^{u'}, U_0 = g^{u_0}, \ldots, U_n = g^{u_n})$
$F_K(x) = e(g^t, h)$ where $t = u' u_0 \prod_{j=1}^{n} u_j^{x_j}$
Prove($K$, $x \in \{0,1\}^n$): $\pi = (\pi_0, \ldots, \pi_n)$ with $\pi_i = g^{z_i}$, $z_i = u' u_0 \prod_{j=1}^{i} u_j^{x_j}$ (so $\pi_n = g^t$)
Verify($PK$, $(x, y, \pi)$): "stepping stone" checks using $PK$ and the $\pi_i$: $e(\pi_0, g) = e(U', U_0)$; for $i = 1, \ldots, n$, $e(\pi_i, g) = e(\pi_{i-1}, U_i)$ if $x_i = 1$ and $\pi_i = \pi_{i-1}$ if $x_i = 0$; finally $y = e(\pi_n, h)$.
* Changed from the conference proceedings
Proof Overview: Hidden Programming
Input bits $= n$, queries $= Q$; $\sim 1/Q$ fraction of the inputs in the challenge space.
$k$-DDHE assumption. Given: $g, h, g^{a}, g^{a^2}, \ldots, g^{a^{k-1}}, g^{a^{k+1}}, \ldots, g^{a^{2k}}$
Distinguish: $e(g,h)^{a^k}$ from random $R$.
The missing power $g^{a^k}$ is the "hole".
Use $k = 4Q(n+1)$.
Partitioning and Aborts
(Figure: the simulator partitions the ID space into a query space and a challenge space; the queries $x_1, x_2, \ldots, x_Q$ must land in the query space and the challenge ID $x^*$ in the challenge space. If they do not, abort and try again.)
Proof Sketch (leaving out randomization)
$k = 4Q(n+1)$. DDHE assumption, given: $g, h, g^{a}, g^{a^2}, \ldots, g^{a^{k-1}}, g^{a^{k+1}}, \ldots, g^{a^{2k}}$
Choose: $r_0, \ldots, r_n \in \mathbb{Z}_p$, $t \in [0, n]$. Define $C(x) = 4Q(1+t) + r_0 + \sum_{j \in X} r_j$, where $X = \{j : x_j = 1\}$.
Setup: $PK = (g, h, U' = g^{a^{4Q}}, U_0 = g^{a^{4Qt + r_0}}, U_j = g^{a^{r_j}})$, so that $u' u_0 \prod_j u_j^{x_j} = a^{C(x)}$ and $F_K(x) = e(g^{a^{C(x)}}, h)$.
Query: answerable iff $C(x) \not\equiv 0 \pmod{4Q}$ (then $C(x) \neq k$, so $g^{a^{C(x)}}$ is one of the given powers). Challenge: need $C(x^*) = k$, so that $F_K(x^*) = e(g,h)^{a^k}$ is exactly the DDHE challenge.
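The simulator's coins in the sketch above, enumerated exhaustively for small parameters as an added example (not from the paper or the talk). It draws each $r_j$ from $[0, 4Q)$, as in the Waters 2005 partitioning analysis; that range is an assumption of this example, since the slide only writes $r_j \in \mathbb{Z}_p$. It computes the exact probability over $(r_0, \ldots, r_n, t)$ that every query lands in the query space ($C(x) \not\equiv 0 \bmod 4Q$) while the challenge lands on the hole ($C(x^*) = k$), i.e. that the simulator need not abort, and checks that every exponent it has to program is one of the given powers ($C(x) \le 2k$, $C(x) \neq k$). All function names are this example's own.

```python
from fractions import Fraction
from itertools import product
from typing import Sequence

Bits = Sequence[int]  # an input x in {0,1}^n


def C(x: Bits, r: Sequence[int], t: int, Q: int) -> int:
    """Programmed exponent C(x) = 4Q(1+t) + r_0 + sum_{j in X} r_j with X = {j : x_j = 1}."""
    return 4 * Q * (1 + t) + r[0] + sum(r[j] for j, bit in enumerate(x, start=1) if bit)


def hole(n: int, Q: int) -> int:
    """k = 4Q(n+1): the power a^k that is missing from the DDHE instance."""
    return 4 * Q * (n + 1)


def programmable(c: int, n: int, Q: int) -> bool:
    """g^{a^c} is available to the simulator iff 0 <= c <= 2k and c is not the hole."""
    k = hole(n, Q)
    return 0 <= c <= 2 * k and c != k


def simulator_succeeds(queries, challenge: Bits, r, t: int, n: int, Q: int) -> bool:
    """No abort: the challenge hits the hole exactly and no query is 0 mod 4Q."""
    k = hole(n, Q)
    if C(challenge, r, t, Q) != k:
        return False
    for x in queries:
        c = C(x, r, t, Q)
        if c % (4 * Q) == 0:
            return False
        if not programmable(c, n, Q):  # sanity: the answer must be computable
            raise RuntimeError(f"exponent {c} is not among the given powers")
    return True


def no_abort_probability(queries, challenge: Bits, n: int, Q: int) -> Fraction:
    """Exact Pr[no abort] over r_0..r_n in [0, 4Q) (assumed range) and t in [0, n]."""
    good = total = 0
    for t in range(n + 1):
        for r in product(range(4 * Q), repeat=n + 1):
            total += 1
            if simulator_succeeds(queries, challenge, r, t, n, Q):
                good += 1
    return Fraction(good, total)


def max_exponent(n: int, Q: int) -> int:
    """Largest C(x) any input can reach with r_j < 4Q; it stays below 2k."""
    return 4 * Q * (1 + n) + (n + 1) * (4 * Q - 1)


if __name__ == "__main__":
    # Constructed attacker transcript: two queries and a challenge, n = 3, Q = 2.
    n, Q = 3, 2
    queries = [[0, 1, 0], [1, 1, 0]]
    challenge = [1, 0, 1]
    print(no_abort_probability(queries, challenge, n, Q))
    print(max_exponent(n, Q), "<", 2 * hole(n, Q))
```

Two things to read off the output: the probability is a polynomial fraction rather than the $2^{-n}$ of an all-but-one guess, and it is exactly 0 when the "challenge" is also queried, because $C(x^*) = k \equiv 0 \pmod{4Q}$ can never satisfy the query condition.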
Other Details & Improvements
• Precise analysis (similar to W05)
• "Artificial abort"
• HK08: slightly tighter proofs
• BR09: a worse assumption here
Comparisons
System | Assumption | Sec. loss | Time
MRV99 | RSA | $2^{-n}$ | $\sim A + 2^n$
DY05 | $2^n$-DBHI | $2^{-n}$ | $\sim A + 2^n$
ACF09 | $n$-DBHI | $2^{-n}$ | $\sim A$
HW10 | $4Qn$-DDHE | $\sim 1/(Qn)$ | $\sim A$
* DY05, MRV99: short proofs
Summary & Future
Large input spaces. Hidden compression. Useful: look for high-level similarities.
Open: static assumptions.
New: hierarchical VRF. Why? Are we stuck with exponential loss?
Thank you