Adaptively Secure Puncturable Pseudorandom Functions via Puncturable Identity-Based KEMs

Abstract

In this paper, we are interested in constructing Puncturable Pseudorandom Functions (PPRFs), a special class of constrained PRFs. While selectively secure PPRFs can be constructed from GGM tree-based PRFs, the adaptive counterpart is tricky to deal with. Inspired by previous works, we investigate on the possibility of directly obtaining adaptively-secure PPRF from Puncturable Identity-based Key Encapsulation Mechanism (PIB-KEM). Our contributions can be summarized as follows: (i) we show that one could derive adaptively-secure PPRFs very naturally originating from PIB-KEM satisfying two necessary conditions. (ii) we define t-puncturable IB-KEM (t-PIBKEM) and show its existence by an efficient conversion basing on Hierarchical IB-KEM (HIB-KEM). Furthermore, we demonstrate its application to constructing t-puncturable PRFs, a generalized notion of PPRFs.

Appendices

A Pseudorandom decapsulation of t-PIB-KEM (Fig. 4)

Fig. 4.

The pseudorandom decapsulation property of a t-PIB-KEM scheme. The oracle \(\mathsf {KeyDer}(\mathsf {msk},\mathsf {id})\) returns \(\mathsf {sk}_\mathsf {id}\) with the restriction that \(\mathcal {A}\) is not allowed to query \(\mathsf {KeyDer}(\mathsf {msk},\cdot )\) for identity \(\overline{\mathsf {id}}\). Meanwhile, the oracle \(\mathsf {Puncture}(\mathsf {msk},S)\) returns a punctured key \(\mathsf {msk}(S)\) where S is a set with size at most t and \(\mathcal {A}\) is only allowed to query \(\mathsf {Puncture}(\mathsf {msk},\cdot )\) for any set that contains the target identity \(\overline{\mathsf {id}}\).

B Proof of Theorem 2

Proof

The property of unique derivation obviously ensures it to be PRF.

Suppose there exists an adversary \(\mathcal {A}\) that breaks the adaptive pseudorandomness of t-puncturable \(\mathsf {PRF}\) with probability \(\frac{1}{2}+\epsilon (\lambda )\), where \(\epsilon (\lambda )\) is non-negligible, we build an algorithm \(\mathcal {B}\) which has advantage \(\epsilon (\lambda )\) in the t-PIB-KEM-RDECAP game.

\(\mathcal {B}\) gets as input \((\mathsf {mpk},C^*,\mathsf {id}^*)\) and simulates the adaptive pseudorandomness game with \(\mathcal {A}\). On receiving an evaluation query \(x\in \mathcal {ID}\) from \(\mathcal {A}\), \(\mathcal {B}\) queries its own \(\mathsf {KeyDer}(\cdot )\) oracle and obtains \(\mathsf {sk}_x\). Then it uses \(\mathsf {sk}_x\) to compute \(\mathsf {Decap}(C^*,\mathsf {sk}_x)\). That is, \(F(k,x)=\mathsf {Decap}(C^*,\mathsf {KeyDer}(\mathsf {msk},x))\). When \(\mathcal {A}\) issues a key query of a set S, \(\mathcal {B}\) submits this set to oracle \(\mathsf {Puncture}(\mathsf {msk},\cdot )\) and gets back \(\mathsf {Puncture}(\mathsf {msk},S)\). Then it returns \(k_S:=(\mathsf {msk}(S),C^*)\) to \(\mathcal {A}\). When \(\mathcal {A}\) sends the challenge point \(x^*\in \bigcap _{i=1}^q S_i\), \(\mathcal {B}\) sends the same point to its challenger and gets back \(K_b\) where \(K_b=\mathsf {Decap}(C^*,\mathsf {sk}_{x^*})\) or \(K_b\leftarrow \mathcal {K}\). It returns this \(K_b\) to \(\mathcal {A}\). Eventually, \(\mathcal {B}\) outputs whatever \(\mathcal {A}\) outputs to its challenger as \(b'\).

Since \(\mathcal {B}\) simulates perfectly the adaptive pseudorandomness game to \(\mathcal {A}\), the advantage of \(\mathcal {B}\) is the same as \(\mathcal {A}\), namely \(\epsilon (\lambda )\).    \(\square \)