Multilinear and Aggregate Pseudorandom Functions: New Constructions and Improved Security
Abstract
Since its introduction, pseudorandom functions (PRFs) have become one of the main building blocks of cryptographic protocols. In this work, we revisit two recent extensions of standard PRFs, namely multilinear and aggregate PRFs, and provide several new results for these primitives. In the case of aggregate PRFs, one of our main results is a proof of security for the NaorReingold PRF with respect to readonce boolean aggregate queries under the standard Decision DiffieHellman problem, which was an open problem. In the case of multilinear PRFs, one of our main contributions is the construction of new multilinear PRFs achieving indistinguishability from random symmetric and skewsymmetric multilinear functions, which was also left as an open problem. In order to achieve these results, our main technical tool is a simple and natural generalization of the recent linear independent polynomial framework for PRFs proposed by Abdalla, Benhamouda, and Passelègue in Crypto 2015, that can handle larger classes of PRF constructions. In addition to simplifying and unifying proofs for multilinear and aggregate PRFs, our new framework also yields new constructions which are secure under weaker assumptions, such as the decisional klinear assumption.
Keywords
Pseudorandom functions Multilinear PRFs Aggregate PRFs1 Introduction
Pseudorandom functions (PRFs) are one of the most fundamental primitives in cryptography. One of the features that makes PRFs so useful is the fact that they behave as truly random functions with respect to computationally bounded adversaries. Since being introduced by Goldreich, Goldwasser, and Micali [15], PRFs have been used in many cryptographic applications, varying from symmetric encryption and authentication schemes to key exchange. In particular, they are very useful for modeling the security of concrete block ciphers, such as AES [4].
Given the large applicability of pseudorandom functions, several extensions have been proposed in the literature over the years, with the goal of providing additional functionalities to these functions. One concrete example of such an extension are constrained PRFs [9, 11, 17], which provides the owner of the secret key with the capability of delegating the computation of the pseudorandom function for different subsets of the input domain, without compromising the pseudorandomness property for the other points of the input domain. In this paper, we focus on two recent extensions of pseudorandom functions, namely multilinear PRFs [13], and aggregate PRFs [12], and solve several open problems related to the construction of these primitives.
Aggregate Pseudorandom Functions. Aggregate pseudorandom functions were introduced by Cohen, Goldwasser, and Vaikuntanathan in [12]. The main interest of an aggregate PRF is to provide the user with the possibility of aggregating the values of the function over superpolynomially many PRF values with only a polynomialtime computation, without enabling a polynomialtime adversary to distinguish the function from a truly random function. For instance, one such example of an aggregate query could be to compute the product of all the output values of the PRF corresponding to a given exponentiallysized interval of the input domain.
In addition to proposing the notion of aggregate PRFs, Cohen, Goldwasser, and Vaikuntanathan [12] also proposed new constructions for several different classes of aggregate queries, such as decision trees, hypercubes, and readonce boolean formulas, achieving different levels of expressiveness. Unfortunately, for most of the constructions proposed in [12], the proofs of security suffer from an exponential (in the input length) overhead in their running time and have to rely on the subexponential hardness of the Decisional DiffieHellman (DDH) problem.
Indeed, to prove the security of their constructions, the authors use a generic result which is simply saying the following: given an adversary \(\mathscr {A}\) against the \(\mathrm {AGG}\text {}\mathrm {PRF}\) security of a PRF F, one can build an adversary \(\mathscr {B}\) against the standard PRF security of F. \(\mathscr {B}\) simply queries all the values required to compute the aggregate values (or the PRF values), and computes the aggregate values itself before sending them to \(\mathscr {A}\).
Clearly, this reduction proves that any secure PRF is actually also a secure aggregate PRF. However, this reduction is not efficient, since to answer to just one aggregate query, the adversary \(\mathscr {B}\) may have to query an exponential number of values to its oracle. Hence, as soon as we can aggregate in one query a superpolynomial number of PRF values, this generic reduction does not run in polynomial time.
Multilinear Pseudorandom Functions. In order to overcome the shortcomings of the work of Cohen, Goldwasser, and Vaikuntanathan [12], Cohen and Holmgren introduced the concept of multilinear pseudorandom functions in [13]. Informally speaking, a multilinear pseudorandom function is a variant of the standard notion of pseudorandom functions, which works with vector spaces and which guarantees indistinguishability from random multilinear functions with the same domain and range. As shown in [13], multilinear pseudorandom functions can be used to prove the \(\mathrm {AGG}\text {}\mathrm {PRF}\) security of the NaorReingold (\({\mathsf {NR}} \)) PRF [18] with a polynomial time reduction for the case of hypercubes and decision trees aggregations. Unfortunately, their technique does not extend to the more general case of readonce formulas aggregation, which is the most expressive form of aggregation in [12].
Our Techniques. In this work, we provide an alternative way of overcoming the limitations of the work of Cohen, Goldwasser, and Vaikuntanathan [12], based on a natural extension of the recent algebraic framework for pseudorandom functions proposed by Abdalla, Benhamouda, and Passelègue in [1], known as the linear independent polynomial (LIP) framework.
Unfortunately, the LIP framework is not enough to prove the security of multilinear PRFs or aggregate PRFs, as the outputs of the function (and the corresponding polynomials) may not be independent. To overcome these limitations, we provide a natural extension of the LIP framework, which we call polynomial linear pseudorandomness security (PLP), that can handle such dependences. Despite being a simple extension, the new PLP framework yields significant improvements over previous works on multilinear and aggregate PRFs. In particular, the multilinear constructions in [13] can be seen as a special case of our new PLP framework.
Main Results. Using our new PLP framework for pseudorandom functions, we obtain the following results.
First, we prove the security of the aggregate PRF for readonce formulas proposed in [12], under the \({\mathrm {DDH}}\) assumption and with a polynomialtime reduction. This in turn implies the security of all the other aggregate PRFs in [12], as the latter are particular cases of the aggregate PRFs for readonce formulas. The proof is very simple and based on linear algebra. Up to now, the only known reduction incurred an exponential blowup in the length n of the input.
Second, we show that our PLP framework enables to very easily prove the security of the multilinear pseudorandom function construction in [13]. More importantly, it enables us to directly show the security of the symmetric variant of this construction, under the \(d\text{ }{\mathrm {DDHI}}\) assumption, which was left as an open problem in [13].
Third, we extend all the above constructions to weaker assumptions, as the \(k\textsf {}{\mathrm {Lin}}\) assumption, which can hold in symmetric klinear groups, contrary to \({\mathrm {DDH}}\) or \(d\text{ }{\mathrm {DDHI}}\). Again, these extensions are straightforward to prove thanks to our PLP framework.
Additionally, we solve two other open problems respectively in [12, end of Sects. 1 and 2.2] and in [13]: We show that unless NP=BPP, there cannot exist aggregate PRFs for DNF formulas, although satisfiability of DNF formulas can be tested in polynomial time; and we propose the first skewsymmetric multilinear PRF.
Additional Contributions. As a side contribution, we prove the hardness of \(\mathcal {E}_{k,d}\textsf {}{\mathrm {MDDH}}\) (defined in [1] and recalled in Sect. 2) in the generic (symmetric) klinear group model, which was left as an open problem in [1] for \(k > 2\) and \(d > 1\). This result directly implies that all the results stated in [1] under the \(\mathcal {E}_{2,d}\textsf {}{\mathrm {MDDH}} \) now holds also for \(\mathcal {E}_{k,d}\textsf {}{\mathrm {MDDH}} \), for any \(k \ge 2\), which is also an interesting side contribution. To prove this result, we essentially need to prove there are no nontrivial polynomial relations of degree k between the elements of the assumptions (these elements being themselves polynomials), as in [8, 10, 14]. The proof is by induction over k: for the base case \(k=1\), the proof is straightforward as all the elements we consider are linearly independent; for the inductive case \(k=2\), we basically set some indeterminates to some carefully chosen values (for the polynomials defining the elements we consider) to come down to previous cases.
Paper Organization. The rest of the paper is composed of the following sections. In Sect. 2 and the full version [3], we give necessary background and notations. We introduce our general PLP security notion and explain our main result, termed PLP theorem (Theorem 1), in Sect. 3. We then present our new constructions and improved security bounds for aggregate and multilinear pseudorandom functions in Sect. 4 as well as some side results. The proofs of these results are detailed in the full version [3]. Finally, in the full version [3], we prove the hardness of our main assumption (the \(\mathcal {E}_{k,d}\textsf {}{\mathrm {MDDH}}\) assumption) in the generic klinear group model.
2 Definitions
Notations and Conventions. We denote by \(\kappa \) the security parameter. Let \(F {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be a function that takes a key \(K \in \mathcal {K}\) and an input \(x \in \mathcal {D}\) and returns an output \(F(K,x) \in \mathcal {R}\). The set of all functions \(F {:\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) is denoted by \(\mathsf {Fun}(\mathcal {K}, \mathcal {D},\mathcal {R})\). Likewise, \(\mathsf {Fun}(\mathcal {D},\mathcal {R})\) denotes the set of all functions mapping \(\mathcal {D}\) to \(\mathcal {R}\). Also, if \(\mathcal {D}\) and \(\mathcal {R}\) are vector spaces, we denote by \(\mathsf {L}(\mathcal {D},\mathcal {R})\) the vector space of linear functions from \(\mathcal {D}\) to \(\mathcal {R}\). In addition, if \(\mathcal {D}_1,\dots ,\mathcal {D}_n\) are \(n\) vector spaces, then \(\mathsf {L}(\mathcal {D}_1 \otimes \cdots \otimes \mathcal {D}_n,\mathcal {R})\) is the vector space of \(n\)linear functions from \(\mathcal {D}_1 \times \cdots \times \mathcal {D}_n\) to \(\mathcal {R}\).
If S is a set, then \(\vert S \vert \) denotes its size. We denote by \(s \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}S\) the operation of picking at random s in S. If Open image in new window is a vector then we denote by Open image in new window its length, so Open image in new window . For a binary string x, we denote its length by \(\vert x \vert \) so \(x \in \{0,1\}^{\vert x \vert }\), \(x_i\) its ith bit, so \(x = x_1 {\,\Vert \,}\ldots {\,\Vert \,}x_{\vert x \vert }\). For a matrix \({\varvec{A}}\) of size \(k \times m\), we denote by \(a_{i,j}\) the coefficient of \({\varvec{A}}\) in the ith row and the jth column. We denote by \({{\mathbb Z}}_p[T_1,\ldots ,T_{n}]\) the subspace of multivariate polynomials in indeterminates \(T_1,\ldots ,T_{n}\), and by \({{\mathbb Z}}_p[T_1,\ldots ,T_{n}]_{\le d}\) the subring of polynomials of degree at most d in each indeterminate. For a polynomial \(P \in {{\mathbb Z}}_p[T_1,\ldots ,T_{n}]\), we denote by Open image in new window the polynomial \(P(T_1,\ldots ,T_{n})\) and by Open image in new window its evaluation by setting Open image in new window to Open image in new window , meaning that we set \(T_1 = a_1,\ldots ,T_n = a_n\).
We often implicitly consider a multiplicative group \(\mathbb {G}= \langle g \rangle \) with public generator g of order p and we denote by Open image in new window the element \(g^a\), for any \(a \in {{\mathbb Z}}_p\). Similarly, if \({\varvec{A}}\) is a matrix in \({{\mathbb Z}}_p^{k \times m}\), Open image in new window is a matrix \({\varvec{U}} \in \mathbb {G}^{k \times m}\), such that Open image in new window for \(i=1,\dots ,k\) and \(j=1,\dots ,m\). All vector spaces are implicitly supposed to be \({{\mathbb Z}}_p\)vector spaces.
Games [5]. Most of our definitions and proofs use the codebased gameplaying framework, in which a game has an \(\mathbf{Initialize } \) procedure, procedures to respond to adversary oracle queries, and a \({\mathbf{Finalize }}\) procedure. In the case where the \({\mathbf{Finalize }}\) procedure is not explicitly defined, it is implicitly defined as the procedure that simply outputs its input. To execute a game \( G \) with an adversary \(\mathscr {A}\), we proceed as follows. First, \(\mathbf{Initialize } \) is executed and its outputs become the input of \(\mathscr {A}\). When \(\mathscr {A}\) executes, its oracle queries are answered by the corresponding procedures of \( G \). When \(\mathscr {A}\) terminates, its outputs become the input of \({\mathbf{Finalize }}\). The output of the latter, denoted \( G ^\mathscr {A}\) is called the output of the game, and we let “\( G ^\mathscr {A}\Rightarrow 1\)” denote the event that this game output takes the value 1. The running time of an adversary by convention is the worst case time for the execution of the adversary with any of the games defining its security, so that the time of the called game procedures is included.

a collection \(\mathscr {S}\) of subsets S of the domain \(\mathcal {D}\);

an aggregation function \(\mathrm {\Gamma }{:\;\;}\mathcal {R}^* \rightarrow \mathcal {V}\) that takes as input a tuple of values from the range \(\mathcal {R}\) of F and aggregates them to produce a value in an output set \(\mathcal {V}\).
In addition, we require the set ensemble \(\mathscr {S}\) to be efficiently recognizable, meaning that for any \(S \in \mathscr {S}\), there exists a polynomial time procedure to check if \(x \in S\), for any \(x \in \mathcal {D}\). Also, we require the aggregation function \(\mathrm {\Gamma }\) to be polynomial time and the output of the function not to depend on the order of the elements provided as inputs. Finally, we require all sets S to have a representation of size polynomial in the security parameter \(\kappa \).
Given an aggregation function \((\mathscr {S},\mathrm {\Gamma })\), we define the aggregate function \(\mathrm {AGG}= \mathrm {AGG}_{f,\mathscr {S},\mathrm {\Gamma }}\) as the function that takes as input a set \(S \in \mathscr {S}\) and outputs the aggregation of all values f(x) for all \(x \in S\). That is, \(\mathrm {AGG}(S)\) outputs \(\mathrm {\Gamma }(f(x_1),\ldots ,f(x_{\vert S \vert }))\), where \(S = \{x_1,\ldots ,x_{\vert S \vert }\}\). We will require the computation of \(\mathrm {AGG}\) to be polynomial time (even if the input set S is exponentially large) if the function f provided is the pseudorandom function \(F(K,\cdot )\) we consider, where K is some key.
Security of \(\mathcal {E}_{k,d}\textsf {}{\mathrm {MDDH}}\)
\(k=1\)  \(k=2\)  \(k \ge 3\)  

\(d=1\)  \(=\mathbf {Adv}^{\mathsf {ddh}}_{\mathbb {G}}{}\)  \(\lesssim 2 \cdot \mathbf {Adv}^{\mathcal {U}_{2}\textsf {}\mathsf {mddh}}_{\mathbb {G}}{}\)  \(\lesssim k \cdot \mathbf {Adv}^{\mathcal {U}_{k}\textsf {}\mathsf {mddh}}_{\mathbb {G}}{}\) 
\(d \ge 2\)  \({\lesssim d \cdot {\mathbf{{Adv}}^{d\mathsf {ddhi}}_{\mathbb {G}}}^{a}}\)  Generic bilinear group\(^{b}\)  Generic klinear group\(^{c}\) 
3 Polynomial Linear Pseudorandomness Security
As we already mentioned in the introduction, while the LIP theorem from [1] is quite powerful to prove the security of numerous constructions of pseudorandom functions (and relatedkey secure pseudorandom functions), it falls short when we need to prove the security of multilinear pseudorandom functions or aggregate pseudorandom functions. Indeed, the LIP theorem requires that there is no linear dependence between the outputs of the function. Thus, for the latter primitives, it is clear that one cannot use the LIP theorem, since the main point of these primitives is precisely that outputs can be related.
In order to deal with these primitives, we introduce a new security notion, termed polynomial linear pseudorandomness security (PLP), which encompasses the LIP security notion, but allows to handle multilinear pseudorandom functions and aggregate pseudorandom functions.
3.1 Intuition
When \(P_1,\dots ,P_q\) are linearly independent, Open image in new window are independent random group elements in \(\mathbb {G}\). In that sense, the polynomial linear pseudorandomness security notion is a generalization of the LIP security notion.
We remark that, in the generic group model, the polynomial linear pseudorandomness security notion holds trivially, by definition. The difficulty of the work is to prove it under classical assumptions such as the \(\mathcal {E}_{1,d}\textsf {}{\mathrm {MDDH}}\) assumption.
PolynomialTime Games. When we want to formally define the polynomial linear pseudorandomness security notion, we quickly face a problem: how to compute Open image in new window for a random linear map \(U \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathsf {L}({{\mathbb Z}}_p[T_1,\ldots ,T_{n}]_{\le d},{{\mathbb Z}}_p)\)? Such a map can be represented by a (random) vector with \((d+1)^n\) entries. But doing so would make the game in the security notion exponential time. The idea is to define or draw U lazily: each time we need to evaluate it on a polynomial \(P_i\) linearly independent of all the previous polynomials \(P_j\) (with \(j<i\)), we define \(U(P_i) \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}{{\mathbb Z}}_p\); otherwise, we compute \(U(P_i)\) as a linear combination of \(U(P_j)\). More precisely, if \(P_i = \sum _{j=1}^{i1} \lambda _j \cdot P_j\), \(U(P_i) = \sum _{j=1}^{i1} \lambda _j \cdot U(P_j)\). As explained in Sect. 2, no deterministic polynomialtime algorithm for checking linear dependency between polynomials in \({{\mathbb Z}}_p[T_1,\ldots ,T_{n}]\) is known. But we can use one which is correct which overwhelming probability. We recall that we denote by \(\mathbf{TestLin } \) such an algorithm.
On the Representation of the Polynomials. A second challenge is to define how the polynomials are represented. We cannot say they have to be given in their expanded form, because it would restrict us to polynomials with a polynomial number of monomials and forbid polynomials such as \(\prod _{i=1}^n (a_i + 1)\).
Instead, we only suppose that polynomials can be (partially) evaluated, in polynomial time (in n and d, the maximum degree in each indeterminate). This encompasses polynomials defined by an expression (with \(+\) and \(\cdot \) operations, indeterminates, and scalars) of polynomial size (in n and d). Details are given in the full version [3].
Extension to Weaker Assumptions. Before, showing the formal definition and theorem, let us show an extension of our polynomial linear pseudorandomness security notion to handle weaker assumptions, namely \(\mathcal {E}_{k,d}\textsf {}{\mathrm {MDDH}} \), with \(k \ge 2\). In that case, we need to evaluate polynomials on matrices: Open image in new window , with \({\varvec{A}} \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}{{\mathbb Z}}_p^{k \times k}\) and \({\varvec{B}}\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}{{\mathbb Z}}_p^{k \times m}\) (with \(m \ge 1\) being a positive integer). As multiplication of matrices is not commutative, we need to be very careful. We therefore consider that \(T_n\) appears before \(T_{n1}\) (in products), \(T_{n1}\) before \(T_{n2}\), ...(or any other fixed ordering).
More formally, we suppose that polynomials are represented by an expression (similar to the case \(k=1\)), such that in any subexpression \(Q \cdot R\), if Q contains \(T_i\) (formally as an expression and not just when the expression is expanded), then R contains no monomial \(T_j\) with \(j > i\). Details are given in the full version [3].
3.2 Formal Security Notion and Theorem
Theorem 1
(PLP). Let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p. Let \(\mathscr {A}\) be an adversary against the \((n,d,k{,m})\)PLP security of \(\mathbb {G}\) that makes q oracle queries \(P_1,\dots ,P_{q}\). Then we can design an adversary \(\mathscr {B}\) against the \(\mathcal {E}_{k,d}\textsf {}{\mathrm {MDDH}}\) problem in \(\mathbb {G}\), such that \(\mathbf {Adv}^{(n,d,k{,m})\textsf {}\mathsf {plp}}_{\mathbb {G}}(\mathscr {A}) \le n \cdot d \cdot \mathbf {Adv}^{\mathcal {E}_{k,d}\textsf {}\mathsf {mddh}}_{\mathbb {G}}{(\mathscr {B})} + O(n d q N/p)\), where N is an integer polynomial in the size of the representations of the polynomials and \(N=1\) when \(k=1\) (see the full version [3] for details). The running time of \(\mathscr {B}\) is that of \(\mathscr {A}\) plus the time to perform a polynomial number (in q, n, and d) of operations in \({{\mathbb Z}}_p\) and \(\mathbb {G}\).
The proof of Theorem 1 is detailed in the full version [3]. It is similar to the proof of the LIP theorem (in the matrix case) in [1]. More precisely, we show a series of indistinguishable games where the first game corresponds to the \((n,d,k{,m})\)PLP security game when \(b=0\), and the last game corresponds to this security game when \(b=1\). Basically, all the games except for the last two games are the same as in the proof of the LIP theorem. The two last games differ, as follows: for the LIP theorem, all polynomials are supposed to be linearly independent, and so in the last two games, all the returned values are drawn uniformly and independently, while for the PLP theorem, the returned values still have linear dependencies.
4 Applications
In this section, we describe how PLP theorem (Theorem 1) can be used to prove the security of aggregate pseudorandom functions as well as multilinear pseudorandom functions. In particular, we obtain polynomialtime reduction for all previous constructions of aggregatepseudorandom, even for aggregate where only exponentialtime reduction were known (readonce formulas). We also obtain a very simple proof of the multilinear pseudorandom function designed in [13]. Finally, we briefly explain how these results can be extended to build constructions based on weaker assumptions in an almost straightforward manner, by simply changing the key space. The proofs of security remain almost the same and consist in reducing the security to the adequate PLP security game.
4.1 Aggregate Pseudorandom Functions
In this subsection, we show that for all constructions proposed in [12], one can prove the \(\mathrm {AGG}\text {}\mathrm {PRF}\) security with a polynomial time reduction, while proofs proposed in this seminal paper suffered from an exponential (in the input size) overhead in the running time of the reduction. Moreover, our reductions are almost straightforward via the PLP theorem.
A first attempt to solve the issue of the exponential time of the original reductions was done in [13]. By introducing multilinear pseudorandom functions and giving a particular instantiation, Cohen and Holmgren showed that one can prove the \(\mathrm {AGG}\text {}\mathrm {PRF}\) security of \({\mathsf {NR}} \) with a polynomial time reduction for hypercubes and decision trees aggregation. However, their technique does not extend to the more general case of readonce formulas aggregation. Also, as we will show it the next subsection, their construction can be seen as a particular case of our main theorem, and then can be proven secure very easily using our result.
Here, we provide a polynomial time reduction for the general case of readonce formulas. This implies in particular the previous results on hypercubes and decision trees which are particular cases of readonce formulas.
Intuitively, if we consider the PLP security for \(k = 1\) and aggregation with the NaorReingold PRF, our PLP theorem (Theorem 1) implicitly says that as long as the aggregate values can be computed as a group element whose discrete logarithm is the evaluation of a multivariate polynomial on the key, then, if the corresponding polynomials have a small representation, the PLP theorem guarantees the security (with a polynomial time reduction), even if the number of points aggregated is superpolynomial. Please notice that if these polynomials do not have any small representation (e.g. the smallest representation is exponential in the input size), then there is no point of considering such aggregation, since the whole point of aggregate pseudorandom function lies in the possibility of aggregating superpolynomially many PRF values with a very efficient computation.
ReadOnce Formulas. A readonce formula is a circuit on \(x = (x_1,\dots ,x_n) \in \{0,1\}^n\) composed of only \({{\mathrm{\mathrm {AND}}}}\), \({{\mathrm{\mathrm {OR}}}}\) and \({{\mathrm{\mathrm {NOT}}}}\) gates with fanout 1, so that each input literal is fed into at most one gate and each gate output is fed into at most one other gate. We denote by \(\mathrm {ROF}_{n}\) the family of all readonce boolean formulas over \(x_1,\dots ,x_n\) variables. In order to ease the reading, we restrict these circuits to be in a standard form, so that they are composed of fanin 2 and fanout 1 \({{\mathrm{\mathrm {AND}}}}\) and \({{\mathrm{\mathrm {OR}}}}\) gates, and \({{\mathrm{\mathrm {NOT}}}}\) gates occurring only at the inputs. This common restriction can be done without loss of generality. Hence, one can see such a circuit as a binary tree where each leaf is labeled by a variable \(x_i\) or its negation \(\bar{x}_i\) and where each internal node has a label C and has two children with labels \(C_L\) and \(C_R\) and represents either an \({{\mathrm{\mathrm {AND}}}}\) or an \({{\mathrm{\mathrm {OR}}}}\) gate (with fanin 2). We identify a formula (and the set it represents) with the label of its root \(C_{\phi }\).
Aggregation for ReadOnce Formulas. We recall the definition of readonce formula aggregation used in [12]. For the sake of simplicity, we only consider the case of the NaorReingold PRF, defined as Open image in new window , where \(a_0,\dots ,a_n \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}{{\mathbb Z}}_p\) and \(x \in \{0,1\}^n\). We define the aggregation function for readonce formulas of length n as follows.
The collection \(\mathscr {S}_{\mathsf {rof}} \subseteq \{0,1\}^n\) corresponds to all the subsets of \(S \subseteq \{0,1\}^n\) such that there exists a readonce formula \(C_{\phi } \in \mathrm {ROF}_{n}\) such that \(S = \{x \in \{0,1\}^n \mid C_{\phi }(x) = 1\}\).

If C is a literal for variable \(x_i\), then \(A_{C,1} = T_i\) and \(A_{C,0} = 1\) if \(C = x_i\); and \(A_{C,1} = 1\) and \(A_{C,0} = T_i\) if \(C = \bar{x_i}\);

If C is an \({{\mathrm{\mathrm {AND}}}}\) gate with \(C_L\) and \(C_R\) its two children, then we have:
\(A_{C,1} = A_{C_L,1} \cdot A_{C_R,1}\)
\(A_{C,0} = A_{C_L,0} \cdot A_{C_R,0} + A_{C_L,1} \cdot A_{C_R,0} + A_{C_L,0} \cdot A_{C_R,1}\);

If C is an \({{\mathrm{\mathrm {OR}}}}\) gate with \(C_L\) and \(C_R\) its two children, then we have:
\(A_{C,1} = A_{C_L,1} \cdot A_{C_R,1} + A_{C_L,1} \cdot A_{C_R,0} + A_{C_L,0} \cdot A_{C_R,1}\)
\(A_{C,0} = A_{C_L,0} \cdot A_{C_R,0}\).
Now we have introduced everything, we can prove that \({\mathsf {NR}} \) (or more general constructions) is an \((\mathscr {S}_{\mathsf {rof}},\mathrm {\Gamma }_{\mathsf {rof}})\)\(\mathrm {AGG}\text {}\mathrm {PRF}\) under the standard \({\mathrm {DDH}}\) assumption, as stated in the lemma below.
Lemma 2
Let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p and \({\mathsf {NR}} \) be the NaorReingold PRF defined as Open image in new window , where the key is \((a_0,\dots ,a_n) \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}{{\mathbb Z}}_p^{n+1}\) and the input is \(x \in \{0,1\}^n\). Then one can reduce the \((\mathscr {S}_{\mathsf {rof}},\mathrm {\Gamma }_{\mathsf {rof}})\)\(\mathrm {AGG}\text {}\mathrm {PRF}\) security of \({\mathsf {NR}} \) to the hardness of the \({\mathrm {DDH}}\) problem in \(\mathbb {G}\), with a loss of a factor n. Moreover, the time overhead is polynomial in n and in the number of queries made by the adversary.
The proof is straightforward using the PLP theorem: all queries in the security game for the aggregate PRF can be seen as a queries of the form \(\mathbf{Pl }(P)\) for some polynomial P with a small representation: \(\mathbf{Fn } (x)\) returns \(\mathbf{Pl }(T_0 \prod _{i=1}^n T_i^{x_i})\) and \(\mathrm {AGG}(C_\phi )\) returns Open image in new window . Details can be found in the full version [3].
Extensions. One can easily extend this result for \(k\textsf {}{\mathrm {Lin}} \)based PRFs similar to \({\mathsf {NR}} \) using our main theorem. Also, one can easily use our PLP theorem (Theorem 1) to prove the security for any aggregate (for instance with \({\mathsf {NR}} \)) as soon as the aggregate values can be represented as group elements whose discrete logarithms are the evaluation of a (multivariate) polynomial on the key (and that this polynomial is efficiently computable).
The case of DNF formulas (or more generally of any class for which satisfiability is tractable) was left as an important open problem in [12]. Here, we show that unless NP=BPP, there also does not exist an \((\mathscr {S},\mathrm {\Gamma })\)aggregate pseudorandom function as above, when \(\mathscr {S}\) contains \(S_\phi \) for any DNF (instead of CNF) formula \(\phi \) with nbit input. For that, we first remark that the formula \(\top \), always true, is a DNF formula (it is the disjunction of all the possible literals), and that the negation \(\bar{\phi }\) of a CNF formula \(\phi \) is a DNF formula. Then, given a SAT instance, a CNF formula \(\phi \), we compute \(\mathrm {AGG}(\bar{\phi })\) and \(\mathrm {AGG}(\top )\). If \(\phi \) is not satisfiable, \(\bar{\phi }\) is always true and \(\mathrm {AGG}(\bar{\phi })=\mathrm {AGG}(\top )\), while otherwise, \( \mathrm {AGG}(\bar{\phi }) = \mathrm {AGG}(\top ) / \prod _{x \in \{0,1\}^n, \; \phi (x) = 1} F(K,x)\). This latter value is not \(\mathrm {AGG}(\top )\) with high probability, otherwise we would get a nonuniform distinguisher against aggregate pseudorandomness.
4.2 Multilinear Pseudorandom Functions
Here, we explain how our main theorem can be used to prove directly the security of the multilinear pseudorandom function built in [13]. We first recall their construction before explaining how to prove its security.
In [13], Cohen and Holmgren prove that this construction is a secure multilinear pseudorandom function under the standard \({\mathrm {DDH}}\) assumption. One of their main contributions is to achieve a polynomial time reduction. Their technique can be seen as a special case of ours. In particular, using our main theorem, one can easily obtain the following lemma.
Lemma 3
Let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p and \(\mathsf {CH} {:\;\;}({{\mathbb Z}}_p^{l_1} \times \dots \times {{\mathbb Z}}_p^{l_n}) \times ({{\mathbb Z}}_p^{l_1} \times \dots \times {{\mathbb Z}}_p^{l_n}) \rightarrow \mathbb {G}\) denote the above multilinear pseudorandom function. Then we can reduce the multilinear PRF security of \(\mathsf {CH} \) to the hardness of the \({\mathrm {DDH}}\) problem in \(\mathbb {G}\), with a loss of a factor \(l = \sum _{i = 1}^n l_i\). Moreover, the time overhead is polynomial in l and in the number of queries made by the adversary.
A detailed proof can be found in the full version [3], but we give an intuition of the proof in what follows.
Proof
Symmetric Multilinear Pseudorandom Function. In [12], constructing symmetric multilinear pseudorandom functions was left as an open problem. The definition of this notion is the same as the notion of multilinear pseudorandom function, except that we only require the function to be indistinguishable from a random symmetric multilinear function. In that case, we suppose that \(l_1=\dots =l_n=l\), i.e., all the vectors Open image in new window have the same size l. The authors wrote in [12] that the natural modification of the \(\mathsf {CH}\) construction to obtain a symmetric construction consisting in setting Open image in new window (simply denoted Open image in new window in what follows) leads to a symmetric multilinear pseudorandom function whose security is less clear, but claimed that it holds under the \(\mathcal {E}_{1,n}\textsf {}{\mathrm {MDDH}} \) assumption (which is exactly the nStrong DDH assumption), when Open image in new window . We show that this construction is actually secure under the same assumption for any Open image in new window as stated in the following lemma, whose proof is detailed in the full version [3] and is almost the same as the proof of Lemma 3.
Lemma 4
Let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p and \(\mathsf {CH} _{\mathsf {sym}} {:\;\;}{{\mathbb Z}}_p^{l} \times {({{\mathbb Z}}_p^{l})}^n \rightarrow \mathbb {G}\) that takes as input a key Open image in new window and an input Open image in new window and outputs Open image in new window . Then we can reduce the symmetric multilinear PRF security of \(\mathsf {CH} _{\mathsf {sym}}\) to the hardness of the \(n\text{ }{\mathrm {DDHI}}\) problem in \(\mathbb {G}\), with a loss of a factor l. Moreover, the time overhead is polynomial in l and in the number of queries made by the adversary.
SkewSymmetric Multilinear Pseudorandom Function. In [12], the author left as an open problem the construction of a skewsymmetric multilinear pseudorandom function. The definition of this notion is the same as the notion of multilinear pseudorandom function, except that we only require the function to be indistinguishable from a random skewsymmetric multilinear function. We assume that \(l_1=\dots =l_n=l=n\), i.e., all the vectors Open image in new window have the same size \(l=n\). We need \(l = n\) because there is no skewsymmetric nmultilinear map from \(\left( {{\mathbb Z}}_p^l\right) ^n\) to \({{\mathbb Z}}_p\), when \(l < n\).
Footnotes
References
 1.Abdalla, M., Benhamouda, F., Passelègue, A.: An algebraic framework for pseudorandom functions and applications to relatedkey security. In: Gennaro, R., Robshaw, M.J.B. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 388–409. Springer, Heidelberg (2015)Google Scholar
 2.Abdalla, M., Benhamouda, F., Passelègue, A., Paterson, K.G.: Relatedkey security for pseudorandom functions beyond the linear barrier. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 77–94. Springer, Heidelberg (2014) CrossRefGoogle Scholar
 3.Abdalla, M., Benhamouda, F., Passelgue, A.: Multilinear and aggregate pseudorandom functions: new constructions and improved security, full version of this paper available at Cryptology ePrint Archive. http://eprint.iacr.org
 4.Advanced Encryption Standard (AES). National Institute of Standards and Technology (NIST), FIPS PUB 197, U.S. Department of Commerce, November 2001Google Scholar
 5.Bellare, M., Rogaway, P.: The security of triple encryption and a framework for codebased gameplaying proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006) CrossRefGoogle Scholar
 6.Bogdanov, A., Wee, H.M.: A stateful implementation of a random function supporting parity queries over hypercubes. In: Jansen, K., Khanna, S., Rolim, J.D.P., Ron, D. (eds.) RANDOM 2004 and APPROX 2004. LNCS, vol. 3122, pp. 298–309. Springer, Heidelberg (2004) CrossRefGoogle Scholar
 7.Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004) CrossRefGoogle Scholar
 8.Boneh, D., Boyen, X., Goh, E.J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005) CrossRefGoogle Scholar
 9.Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 10.Boyen, X.: The uberassumption family. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 39–56. Springer, Heidelberg (2008) CrossRefGoogle Scholar
 11.Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014) CrossRefGoogle Scholar
 12.Cohen, A., Goldwasser, S., Vaikuntanathan, V.: Aggregate pseudorandom functions and connections to learning. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 61–89. Springer, Heidelberg (2015) CrossRefGoogle Scholar
 13.Cohen, A., Holmgren, J.: Multilinear Pseudorandom Functions. In: Halldórsson, M.M., Iwama, K., Kobayashi, N., Speckmann, B. (eds.) ICALP 2015. LNCS, vol. 9134, pp. 331–342. Springer, Heidelberg (2015) Google Scholar
 14.Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for DiffieHellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 15.Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)MathSciNetCrossRefzbMATHGoogle Scholar
 16.Hofheinz, D., Kiltz, E.: Secure hybrid encryption from weakened key encapsulation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 553–571. Springer, Heidelberg (2007) CrossRefGoogle Scholar
 17.Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: Sadeghi, A.R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, pp. 669–684, ACM Press, November 2013Google Scholar
 18.Naor, M., Reingold, O.: Numbertheoretic constructions of efficient pseudorandom functions. In: 38th FOCS, pp. 458–467, IEEE Computer Society Press, October 1997Google Scholar
 19.Shacham, H.: A cramershoup encryption scheme from the linear assumption and from progressively weaker linear variants. Cryptology ePrint Archive, Report 2007/074 (2007). http://eprint.iacr.org/2007/074