1 / 19

Constructing Verifiable Random Functions for Large Input Spaces

Constructing Verifiable Random Functions for Large Input Spaces. Susan Hohenberger. Brent Waters. Pseudo Random Functions [GGM84]. K. ?. F K ( ¢ ). Applications: Sym Key Enc Removing State…. Constructions: OWF -- GGM/HILL DDH –NR97. 2. Verifiable Random Functions [MRV99]. K.

kylar
Download Presentation

Constructing Verifiable Random Functions for Large Input Spaces

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Constructing Verifiable Random Functions for Large Input Spaces Susan Hohenberger Brent Waters

  2. Pseudo Random Functions [GGM84] K ? FK(¢) • Applications: • Sym Key Enc • Removing State… • Constructions: • OWF -- GGM/HILL • DDH –NR97 2

  3. Verifiable Random Functions [MRV99] K PK FK(¢) FK(x), ¼x FK(x’), ¼x’ … 3

  4. VRFs Deterministic • Setup(1¸) ! K, PK • Evaluate(K, x 2 {0,1}n) ! FK(x) • Prove(K, x 2 {0,1}n) !¼x • Verify(PK, (x,y,¼) ) = {T,F} Non-Interactive!

  5. Security: Pseudorandomness K PK ? FK(x1) x1 FK(x2) x2 FK(x3) x3 b FK(x*) or R x* b’ AdvA = Pr[b’=b]-1/2 5

  6. Security: Uniqueness K PK • Impossible: • Exists (x,y1, y2, ¼1,¼2) • y1 y2 • Ver(PK,x,y1,¼1) = T Ver(PK,x,y2,¼2) = T 6

  7. The Technical Challenge • No Interaction • No Common Ref. String • No Randomness (in output)

  8. Proof by Partitioning x1 x2 … xQ x*(challenge input) Attacker Input Space = {0,1}n Simulator Query Space Challenge Space

  9. “All-But-One” Proofs Input Space = {0,1}n Simulator Guess x* ~ (1/2)n Security Loss Short Input Spaces MRV99, DY05 (2n Time-blowup), ACF09 L02 Interactive Assumption – (Partition Changes) Extend Input: CRHF H:{0,1}*! {0,1}n (Complexity Leveraging)

  10. Goal: Large Input Space (& Poly Reductions) Input bits =n, Queries = Q Similar to IBE BB04 =>W05 ~1/Q fraction

  11. Bilinear Map Overview G : multiplicative of prime order p. Bilinear mape: GG GT • e(ga, gb) = e(g,g)ab a,bZp, gG

  12. Construction (Similar to L02, ACF09) • Setup(1¸) ! K= (u’,u0,u1,…,un) PK = (g,h, U’=gu’ , U0= gu0,…, Un=gun ) • FK(x)= e( gt, h ) t = u’u_0 j=1,…,n ujxj • Prove(K, x 2 {0,1}n) ¼=(¼0,…,¼n) ¼i=gu’zi zi = u’ u0j=1,…,i ujxj • Verify(PK, (x,y,¼) ) “Stepping Stone” w/ PK, ¼i * Changed from Conference Proceedings

  13. Proof Overview: Hidden Programming Input bits =n, Queries = Q k DDHE Assumption: Given: g,h,ga, ga2,…, gak-1, , gak+1, …, ga2k Distinguish: e(g,h)ak from R “Hole” ~1/Q fraction Use k=4Q(n+1)

  14. Partitioning and Aborts ID Space Query Space Challenge Space Abort and try again Simulator Attacker x1 x2… … xQ x*(challenge ID) 

  15. Proof Sketch (leaving out randomization) k=4Q(n+1) DDHE Assumption: Given: g,h,ga, ga2,…, gak-1, , gak+1, …, ga2k Choose: r0,…,rn2 Zp , t 2 [0,n] C(x) = 4Q(1+t)+r0+j 2 X rj Setup: PK = (g,h, U’=gak , U0= ga4Q(t)+r0, Uj=garj ) FK(x) = e(gaC(x),h) Query: C(x)  0 mod 4Q Challenge: C(x) = k

  16. Other Details & Improvements • Precise Analysis (Similar to W05) • “Artificial Abort” • HK08 Slightly tighter proofs • BR09  Worse Assumption Here

  17. Comparisons * DY05, MRV99 : Short Proofs

  18. Summary & Future • Large Input Spaces • Hidden Compression • Useful: Look for high level similarities • Open: Static Assumptions • New: Hierarchical VRF • Why? • Are we stuck with exponential loss?

  19. Thank you

More Related