Adaptively Secure Constrained Pseudorandom Functions

Abstract

A constrained pseudo random function (PRF) behaves like a standard PRF, but with the added feature that the (master) secret key holder, having secret key K, can produce a constrained key, \(K_f\), that allows for the evaluation of the PRF on a subset of the domain as determined by a predicate function f within some family \(\mathcal {F}\). While previous constructions gave constrained PRFs for poly-sized circuits, all reductions for such functionality were based in the selective model of security where an attacker declares which point he is attacking before seeing any constrained keys.

In this paper we give new constrained PRF constructions for arbitrary circuits in the random oracle model based on indistinguishability obfuscation. Our solution is constructed from two recently emerged primitives: an adaptively secure Attribute-Based Encryption (ABE) for circuits and a Universal Sampler Scheme as introduced by Hofheinz et al. Both primitives are constructible from indistinguishability obfuscation (\(i\mathcal {O}\)) (and injective pseudorandom generators) with only polynomial loss.

Supported by NSF CNS-0952692, CNS-1228599 and CNS-1414082. DARPA through the U.S. Office of Naval Research under Contract N00014-11-1-0382, Google Faculty Research award, the Alfred P. Sloan Fellowship, Microsoft Faculty Fellowship, and Packard Foundation Fellowship.

A Preliminaries Continued

1.1 A.1 Universal Samplers

In a recent work, Hofheinz et al. [19] introduced the notion of universal samplers. Intuitively, a universal sampler scheme provides a concise way to sample pseudorandomly from arbitrary distributions. More formally, a universal sampler scheme \(\mathcal {U}\), parameterized by polynomials \(\ell _{\mathrm {ckt}}, \ell _{\mathrm {inp}}\) and \(\ell _{\mathrm {out}}\), consists of algorithms \(\mathsf {US.setup}\) and \(\mathsf {US.sample}\) defined below.

• \(\mathsf {US.setup}({1^{\lambda }})\) takes as input the security parameter \(\lambda \) and outputs the sampler parameters U.

• \(\mathsf {US.sample}(U, d)\) is a deterministic algorithm that takes as input the sampler parameters U and a circuit d of size at most \(\ell _{\mathrm {ckt}}\) bits. The circuit d takes as input \(\ell _{\mathrm {inp}}\) bits and outputs \(\ell _{\mathrm {out}}\) bits. The output of \(\mathsf {US.sample}\) also consists of \(\ell _{\mathrm {out}}\) bits.

Intuitively, \(\mathsf {US.sample}\) is supposed to sample from \(d\), in the sense that it outputs a value \(d(z)\) for pseudorandom and hidden random coins \(z\). However, it is nontrivial to define what it means that the random coins \(z\) are hidden, and that even multiple outputs (for adversarially and possibly even adaptively chosen circuits \(d\)) look pseudorandom.

Hofheinz et al. [19] formalize security by mandating that \(\mathsf {US.sample}\) is programmable in the random oracle model. In particular, there should be an efficient way to simulate \(U\) and the random oracle, such that \(\mathsf {US.sample}\) outputs an externally given value that is honestly sampled from \(d\). This programming should work even for arbitrarily many \(\mathsf {US.sample}\) outputs for adversarially chosen inputs \(d\) simultaneously, and it should be indistinguishable from a real execution of \(\mathsf {US.setup}\) and \(\mathsf {US.sample}\).

In this work, we will be using a universal sampler scheme that is even adaptively secure. In order to formally define adaptive security for universal samplers, let us first define the notion of an admissible adversary \(\mathcal {A}\).

An admissible adversary \(\mathcal {A}\) is defined to be an efficient interactive Turing Machine that outputs one bit, with the following input/output behavior:

• \(\mathcal {A}\) takes as input security parameter \(\lambda \) and sampler parameters U.

• \(\mathcal {A}\) can send a random oracle query \((\mathsf {RO}, x)\), and receives the output of the random oracle on input x.

• \(\mathcal {A}\) can send a message of the form \((\mathsf {params}, d)\) where \(d \in \mathcal {C}[\ell _{\mathrm {ckt}}, \ell _{\mathrm {inp}}, \ell _{\mathrm {out}}]\). Upon sending this message, \(\mathcal {A}\) is required to honestly compute \(p_d = \mathsf {US.sample}(U,d)\), making use of any additional random oracle queries, and \(\mathcal {A}\) appends \((d, p_d)\) to an auxiliary tape (this is required to check for Honest Sample Violation in the Ideal experiment).

Let \(\mathsf {SimUGen}\) and \(\mathsf {SimRO}\) be PPT algorithms. Consider the following two experiments:

\(\mathsf {Real}^{\mathcal {A}}({1^{\lambda }})\):

1. 1.

   The random oracle \(\mathsf {RO}\) is implemented by assigning random outputs to each unique query made to \(\mathsf {RO}\).

2. 2.

   \(U \leftarrow \mathsf {US.setup}^{\mathsf {RO}}({1^{\lambda }})\).

3. 3.

   \(\mathcal {A}({1^{\lambda }},U)\) is executed, where every random oracle query, represented by a message of the form \((\mathsf {RO},x)\), receives the response \(\mathsf {RO}(x)\).

4. 4.

   Upon termination of \(\mathcal {A}\), the output of the experiment is the final output of the execution of \(\mathcal {A}\).

\(\mathsf {Ideal}^{\mathcal {A}}_{\mathsf {SimUGen}, \mathsf {SimRO}}({1^{\lambda }})\):

1. 1.

   A truly random function F that maps \(\ell _{\mathrm {ckt}}\) bits to \(\ell _{\mathrm {inp}}\) bits is implemented by assigning random \(\ell _{\mathrm {inp}}\)-bit outputs to each unique query made to F. Throughout this experiment, a Samples Oracle O is implemented as follows: On input d, where \(d \in \mathcal {C}[\ell _{\mathrm {ckt}}, \ell _{\mathrm {inp}}, \ell _{\mathrm {out}}]\), O outputs d(F(d)).

2. 2.

   \((U,\tau ) \leftarrow \mathsf {SimUGen}({1^{\lambda }})\). Here, \(\mathsf {SimUGen}\) can make arbitrary queries to the Samples Oracle O.

3. 3.

   \(\mathcal {A}({1^{\lambda }},U)\) and \(\mathsf {SimRO}(\tau )\) begin simultaneous execution.

   • Whenever \(\mathcal {A}\) sends a message of the form \((\mathsf {RO}, x)\), this is forwarded to \(\mathsf {SimRO}\), which produces a response to be sent back to \(\mathcal {A}\).

   • \(\mathsf {SimRO}\) can make any number of queries to the Samples Oracle O.

   • Finally, after \(\mathcal {A}\) sends any message of the form \((\mathsf {params},d)\), the auxiliary tape of \(\mathcal {A}\) is examined until an entry of the form \((d,p_d)\) is added to it. At this point, if \(p_d\) is not equal to d(F(d)), then experiment aborts, resulting in an Honest Sample Violation.

4. 4.

   Upon termination of \(\mathcal {A}\), the output of the experiment is the final output of the execution of \(\mathcal {A}\).

Definition 2

A universal sampler scheme , parameterized by polynomials \(\ell _{\mathrm {ckt}}, \ell _{\mathrm {inp}}\) and \(\ell _{\mathrm {out}}\), is said to be adaptively secure in the random oracle model if there exist PPT algorithms \(\mathsf {SimUGen}\) and \(\mathsf {SimRO}\) such that for all admissible PPT adversaries \(\mathcal {A}\), the following hold:⁸

$$\Pr [\mathsf {Ideal}^{\mathcal {A}}_{\mathsf {SimUGen}, \mathsf {SimRO}}({1^{\lambda }}) \text { aborts }] = 0,$$

and

$$\left| \Pr [\mathsf {Real}^{\mathcal {A}}({1^{\lambda }}) = 1] - \Pr [\mathsf {Ideal}^{\mathcal {A}}_{\mathsf {SimUGen}, \mathsf {SimRO}}({1^{\lambda }}) = 1] \right| \le \textit{negl}(\lambda ) $$

Hofheinz et al. [19] construct a universal sampler scheme that is adaptively secure in the random oracle model, assuming a secure indistinguishability obfuscator, a selectively secure puncturable PRF and an injective pseudorandom generator.

1.2 A.2 Attribute Based Encryption

An attribute based encryption scheme \(\mathsf {ABE}\) for a circuit family \(\mathcal {F}\) with message space \(\mathcal {M}\) and attribute space \(\mathcal {X}\) consists of algorithms \(\mathsf {ABE.setup}\), \(\mathsf {ABE.keygen}\), \(\mathsf {ABE.enc}\) and \(\mathsf {ABE.dec}\) defined below.

• \(\mathsf {ABE.setup}({1^{\lambda }})\) is a PPT algorithm that takes as input the security parameter and outputs the public key \(\mathsf {pk}_{\mathsf {ABE}}\) and the master secret key \(\mathsf {msk}_{\mathsf {ABE}}\).

• \(\mathsf {ABE.keygen}(\mathsf {msk}_{\mathsf {ABE}}, C)\) is a PPT algorithm that takes as input the master secret key \(\mathsf {msk}_{\mathsf {ABE}}\), a circuit \(C \in \mathcal {F}\) and outputs a secret key \(\mathsf {sk}_{C}\) for circuit C.

• \(\mathsf {ABE.enc}(\mathsf {pk}_{\mathsf {ABE}}, m, x)\) takes as input a public key \(\mathsf {pk}_{\mathsf {ABE}}\), message \(m \in \mathcal {M}\), an attribute \(x\in \mathcal {X}\) and outputs a ciphertext \(c\). We will assume the encryption algorithm takes \(\ell _{\mathrm {rnd}}\) bits of randomness⁹. The notation \(\mathsf {ABE.enc}(\mathsf {pk}_{\mathsf {ABE}}, m, x; r)\) is used to represent the randomness r used by \(\mathsf {ABE.enc}\).

• \(\mathsf {ABE.dec}(\mathsf {sk}_C, c)\) takes as input secret key \(\mathsf {sk}_C\), ciphertext \(c\) and outputs \(y \in \mathcal {M}\cup \{\perp \}\).

Correctness. For any circuit \(C\in \mathcal {F}\), \((\mathsf {pk}_{\mathsf {ABE}}, \mathsf {msk}_{\mathsf {ABE}}) \leftarrow \mathsf {ABE.setup}({1^{\lambda }})\), message \(m \in \mathcal {M}\), attribute \(x\in \mathcal {X}\) such that \(C(x) = 1\), we require the following:

$$\mathsf {ABE.dec}(\mathsf {ABE.keygen}(\mathsf {msk}_{\mathsf {ABE}}, C), \mathsf {ABE.enc}(\mathsf {pk}_{\mathsf {ABE}}, m, x)) = m.$$

For simplicity of notation, we will assume \(\mathsf {ABE.dec}\)(\(\mathsf {msk}_{\mathsf {ABE}}\), \(\mathsf {ABE.enc}(\mathsf {pk}_{\mathsf {ABE}}\), m, x)) = m for all messages m, attributes x¹⁰.

Security. Security for an ABE scheme is defined via the following adaptive security game between a challenger and adversary \(\mathsf {Att}\).

1. 1.

   Setup Phase. The challenger chooses \((\mathsf {pk}_{\mathsf {ABE}}, \mathsf {msk}_{\mathsf {ABE}}) \leftarrow \mathsf {ABE.setup}({1^{\lambda }})\) and sends \(\mathsf {pk}_{\mathsf {ABE}}\) to \(\mathsf {Att}\).

2. 2.

   Pre-Challenge Phase. The challenger receives multiple secret key queries. For each \(C \in \mathcal {F}\) queried, it computes \(\mathsf {sk}_C \leftarrow \mathsf {ABE.keygen}(\mathsf {msk}_{\mathsf {ABE}}, C)\) and sends \(\mathsf {sk}_C\) to \(\mathsf {Att}\).

3. 3.

   Challenge. \(\mathsf {Att}\) sends messages \(m_0, m_1 \in \mathcal {M}\) and attribute \(x \in \mathcal {X}\) such that \(C(x) = 0\) for all circuits queried during the Pre-Challenge phase. The challenger chooses \(b\leftarrow \{0,1\}\), computes \(c\) \(\leftarrow \) \(\mathsf {ABE.enc}(\mathsf {pk}_{\mathsf {ABE}}\), \(m_b\), x) and sends \(c\) to \(\mathsf {Att}\).

4. 4.

   Post-Challenge Phase. \(\mathsf {Att}\) sends multiple secret key queries \(C \in \mathcal {F}\) as in the Pre-Challenge phase, but with the added restriction that \(C(x)=0\). It receives \(\mathsf {sk}_{C}\) \(\leftarrow \mathsf {ABE.keygen}(\mathsf {msk}_{\mathsf {ABE}}\), C).

5. 5.

   Guess. Finally, \(\mathsf {Att}\) outputs its guess \(b'\).

\(\mathsf {Att}\) wins the ABE security game for scheme \(\mathsf {ABE}\) if \(b=b'\). Let \(\mathsf {Adv}_{\mathsf {Att}}^{\mathsf {ABE}} = \Big | \Pr [\mathsf {Att}\text { wins}] - 1/2 ~ \Big |\).

Definition 3

An ABE scheme \(\mathsf {ABE}= (\mathsf {ABE.setup}\), \(\mathsf {ABE.keygen}\), \(\mathsf {ABE.enc}\), \(\mathsf {ABE.dec})\) is said to be adaptively secure if for all PPT adversaries \(\mathsf {Att}\), \(\mathsf {Adv}_{\mathsf {Att}}^{\mathsf {ABE}} \le \textit{negl}(\lambda )\).

In a recent work, Waters [30] showed a construction for an adaptively secure functional encryption scheme, using indistinguishability obfuscation. An adaptively secure functional encryption scheme implies an adaptively secure attribute based encryption scheme. Garg, Gentry, Halevi and Zhandry [15] showed a direct construction based on multilinear encodings. Ananth, Brakerski, Segev and Vaikuntanathan [2] showed how to transform any selectively secure FE scheme to achieve adaptive security.