
1 Introduction

Pseudorandom functions (PRFs), originally defined by Goldreich, Goldwasser, and Micali [19], are one of the most fundamental primitives in cryptography. Informally speaking, a function is said to be pseudorandom if its outputs are indistinguishable from that of a random function with respect to a computationally bounded adversary which only has black-box access to it. Hence, even if the adversary can control the inputs on which the function is computed and see the corresponding outputs, he or she should still not be able to distinguish this function from a perfectly random one.

Due to their simplicity and security properties, pseudorandom functions have been used in numerous applications, including symmetric encryption, authentication, and key exchange. In particular, since pseudorandom functions can be used to model real-world block-ciphers, such as AES [3], they are also extremely useful for the security analysis of protocols that rely on these primitives.

Number-Theoretic Constructions. Despite its elegance, the original construction of pseudorandom functions by Goldreich, Goldwasser, and Micali based on pseudorandom generators was not very efficient. In order to improve its efficiency while still being able to prove its security under reasonable complexity assumptions, Naor and Reingold [27] proposed a new construction based on the Decisional Diffie-Hellman assumption (\(\mathrm {DDH}\)) [27]. Let \(\vec {a} = (a_0,\ldots ,a_n) \in {{\mathbb Z}}_p^{n+1}\) be the key and \(x = x_1{\,\Vert \,}\ldots {\,\Vert \,}x_n \in \{0,1\}^n\) be the input of the PRF. Let g be a fixed public generator of a group \(\mathbb {G}\) of prime order p. The Naor-Reingold PRF is then defined as

$$\begin{aligned} \mathsf NR (\vec {a},x) = \left[ a_0 \prod _{i=1}^{n} a_{i}^{x_i}\right] \end{aligned}$$

where for any \(a \in {{\mathbb Z}}_p\), \(\left[ {a}\right] \) stands for \(g^a\), as defined in [18].

As mentioned in [17], the algebraic nature of the Naor-Reingold PRF has led to many applications, such as verifiable random functions [2, 22], distributed PRFs [27], and related-key-secure PRFs [8], which are hard to obtain from generic PRFs. Hence, due to its importance, several other extensions of the Naor-Reingold PRF have been proposed [17, 26] based on different assumptions, such as the Decision Linear assumption (\(\mathrm {DLin}\)) [15] and the d-DDHI assumption [17, 20].

In this work, our main contribution is to further extend the above line of work by providing a generic algebraic framework for building pseudorandom functions. In particular, all of the algebraic constructions mentioned above can be seen as particular instantiations of our framework. In addition, our framework is general enough that it captures and extends other constructions such as the related-key-secure PRF constructions by Bellare and Cash [8] (BC) and by Abdalla et al. [1] (ABPP).

Linearly Independent Polynomial Security. To obtain our results, our first contribution is to introduce a new notion of linearly independent polynomial (\(\mathrm {LIP}\)) security. Informally, it states that the values \((\left[ {{P_1(\vec {a})}}\right] , \ldots , \left[ {{P_q(\vec {a})}}\right] )\) are indistinguishable from a random tuple of the same size, when \(P_1, \ldots , P_q\) are linearly independent multivariate polynomials of degree at most d in any indeterminate and \(\vec {a}\) is the PRF secret key vector. The new notion is based on a new \(\mathrm {MDDH}\) assumption [18] over the underlying group \(\mathbb {G}\), denoted \(\mathcal {E}_{1,d}\mathsf - \mathrm {MDDH}\), which can be (tightly) reduced to either \(\mathrm {DDH}\) or DDHI depending on the value of d.

In order to illustrate the usefulness of the new notion, we show in Sect. 4 how to use it to provide alternative security proofs for the Naor-Reingold PRF [27] and the PRF by Boneh, Montgomery, and Raghunathan (\({\mathsf {BMR}} \)) in [17] as well as generalizations of both these PRFs, that we call weighted \(\mathsf{NR } \) and weighted \({\mathsf {BMR}} \). Intuitively, all these PRFs are defined over a prime order group \(\mathbb {G}= \langle g \rangle \) as a function F that takes a key \(\vec {a}\) and an input x and outputs an element in \(\mathbb {G}\) of the shape \(F(\vec {a},x) = \left[ {{P_x(\vec {a})}}\right] \) where the polynomial \(P_x\) depends on x. Hence, to prove the security of such constructions, we just need to prove that all polynomials \(P_x\), for any entries x, are linearly independent.

We would like to remark that the actual formulation of the \(\mathrm {LIP}\) security in Sect. 3 includes a value \(a' \in {{\mathbb Z}}_p\) multiplying each \(P_i(\vec {a})\) term, which allows for the use of different generators in the PRF constructions. While we could dispense with \(a'\) in the case where \(a'\) and the \(a_i\) values in \(\vec {a}\) are scalars, we opted to use it to be consistent with the case in which these values are matrices, as in Sect. 6.

Applications to Related-Key Security. Related-key attacks (RKAs) were first introduced by Biham and Knudsen [11, 24] and consider the setting in which an adversary could force a given cryptographic primitive to execute under a different but related key. Over the years, such attacks became more predominant and several related-key attacks have been proposed against existing block-ciphers (e.g., [12, 13, 23]). Since these attacks are quite powerful and hard to defend against, Bellare and Kohno [9] introduced a formal treatment of these attacks in the context of PRFs and pseudorandom permutations (PRPs) to better understand if and how one could achieve security in the presence of related-key attacks. One of their main observations is that certain classes of related-key attacks are impossible to protect against and, hence, their goal was to identify the set of classes \(\mathrm {\Phi } \) for which one could design secure RKA-PRFs and RKA-PRPs.

Let \(F{{:}\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be a family of functions for a security parameter \(\kappa \), and let \(\mathrm {\Phi } = \{\phi {{:}\;\;}\mathcal {K}\rightarrow \mathcal {K}\}\) be a set of related-key deriving (RKD) functions on the key space \(\mathcal {K}\). Let \(G {{:}\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be a random function and let \(K \in \mathcal {K}\) be a random target key. Informally, in the RKA security model of [9], F is said to be a \(\mathrm {\Phi } \)-RKA-PRF if no polynomial-time adversary can distinguish the output of \(F(\phi (K),x)\) from the output of \(G(\phi (K),x)\), for pairs \((\phi , x)\) of its choice, with non-negligible probability.

Our second contribution is to show that the new \(\mathrm {LIP}\) security notion can be used to prove directly the related-key security of certain constructions. In particular, we show that a particular case of our weighted \({\mathsf {BMR}} {}\) PRF construction is secure against permutations of the secret key. In these attacks, the attacker can obtain the output of the PRF with respect to any key that is a permutation of the original one.

To understand why RKA security can follow from the \(\mathrm {LIP}\) security notion, let F be a PRF defined over a prime-order group \(\mathbb {G}= \langle g \rangle \) that takes a key \(\vec {a}\) and an input x and outputs \(F(\vec {a},x) = \left[ {{P_x(\vec {a})}}\right] \). Let \(\mathrm {\Phi } \) be a class of RKD functions, where functions \(\vec {\phi }=(\phi _1,\dots ,\phi _n) \in \mathrm {\Phi } \) are such that \(\phi _i\) are multivariate polynomials in \({{\mathbb Z}}_p[T_1,\ldots ,T_{n}]\). Then, for a RKD function \(\vec {\phi }\) and an input x, the PRF outputs \(F(\vec {\phi }(\vec {a}),x) = \left[ {{P_{\vec {\phi },x}(\vec {a})}}\right] \), where the polynomial \(P_{\vec {\phi },x}(\vec {T}) = P_x(\vec {\phi }(\vec {T})) = P_x(\phi _1(\vec {T}),\dots ,\phi _n(\vec {T}))\) depends on \(\vec {\phi }\) and x, with \(\vec {T}= (T_1,\ldots ,T_{n})\). Hence, when all polynomials \(P_{\vec {\phi },x}\) are linearly independent, the \(\mathrm {LIP}\) security notion directly shows that F is \(\mathrm {\Phi } \)-RKA-secure.

Related-Key Security with Respect to Unique-Input Adversaries. Unfortunately, the case in which the polynomials \(P_{\vec {\phi },x}\) are all linearly independent is not so easy to instantiate as we would like, and we have only been able to directly obtain RKA security for very restricted classes. Hence, to overcome these restrictions, our third contribution is to further extend our results in Sect. 5.2 to deal with the case where polynomials are only linearly independent when all the inputs x are distinct. This scenario is similar to the one considered in [1]. In particular, our new algebraic framework extends the one from [1] and provides constructions for new and larger classes of RKD functions. More precisely, we build in Sect. 5.2 RKA-PRFs against classes of permutations of univariate polynomials. Furthermore, in the full version, we also consider classes of univariate polynomials and multivariate affine RKD functions.

For simplicity, the results in Sect. 5.2 only hold with respect to PRFs of the form \(\left[ {P_x(\vec {a})}\right] \) where \(P_x\) is a polynomial that depends on x. However, a more general framework which does not make this assumption is described in the full version.

An Algebraic Framework for Non-commutative Structures. Finally, our last contribution is to extend the \(\mathrm {LIP}\) security notion to work under weaker assumptions than \(\mathrm {DDH}\), such as \(\mathrm {DLin}\). As we point out in Sect. 6, the main difficulty in this case is that the key values \(a_i\) may be matrices, which do not necessarily commute. To address this issue, we introduce natural conditions on the order of indeterminates which make non-commutative and commutative polynomials behave in a similar manner. Through the new generalization, we not only deal with cases already covered by the \(\mathrm {LIP}\) security notion, but we also capture PRFs based on the \(\mathrm {DLin} \) and \(\mathrm {MDDH} \) assumptions [18].

Further Discussions. In addition to the foundational work of Goldreich, Goldwasser, and Micali [19], several other frameworks for constructing PRFs have appeared in the literature, including [7, 17, 28] to name a few.

In [28], Naor and Reingold proposed the notion of pseudorandom synthesizers and provided several instantiations for it based on different complexity assumptions. Informally speaking, a pseudorandom synthesizer is a two-variable function, \(S(\cdot ,\cdot )\), so that, for polynomially many random and independent input assignments \((x_1, \ldots , x_m)\) and \((y_1, \ldots , y_m)\), the set of values \(\{S(x_i,y_j)\}\) are computationally indistinguishable from uniform for i and j in \(\{1,\ldots ,m\}\).

In [7], Bellare, Canetti, and Krawczyk provide a framework for building variable-length input PRFs from fixed-length input ones, known as the cascade construction. In their framework, one obtains a larger-domain PRF \(F'\) simply by partitioning the input x into a number n of small blocks \(x_1, \ldots , x_n\) matching the domain of the underlying PRF F and using the output of F on key \(k_i\) and input \(x_i\) as the secret key \(k_{i+1}\) for the next stage. Since their framework requires the output of the underlying PRF to be at least as long as the secret key, it cannot be applied to PRFs with very small domains.

To circumvent the restrictions of the cascade construction, Boneh, Montgomery, and Raghunathan proposed an extension in [17], known as the augmented cascade construction, in which supplemental secret information is provided in every iteration. Unlike the cascade construction, its security does not follow from the standard security of the underlying PRF, requiring it to meet a new notion called parallel security.

While these frameworks are more general than ours and capable of handling different complexity assumptions (e.g., [6]), they are more combinatorial in nature and do not fully exploit the algebraic nature of the underlying PRFs. In particular, it is not clear how to extend them to the RKA setting, which is one of the main applications of our new algebraic framework. Moreover, even in the standard PRF setting, our framework seems to possess complementary features compared to the existing ones. Notably, it only requires the verification of an algebraic condition (such as testing the linear independence of the polynomials) for each instantiation, which is generally easier to prove.

Other Related Work. It is worth mentioning that in the context of related-key security, Lewi, Montgomery and Raghunathan [25] designed RKA-PRFs for similar classes of polynomial RKD functions. However, unlike their constructions, ours do not require multilinear maps. Also, our constructions are proven fully RKA-secure while theirs are only proven unique-input RKA-secure.

2 Definitions

Notations and Conventions. We denote by \(\kappa \) the security parameter. Let \(F {{:}\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be a function that takes a key \(K \in \mathcal {K}\) and an input \(x \in \mathcal {D}\) and returns an output \(F(K,x) \in \mathcal {R}\). The set of all functions \(F {{:}\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) is then denoted by \(\mathsf {Fun}(\mathcal {K}, \mathcal {D},\mathcal {R})\). Likewise, \(\mathsf {Fun}(\mathcal {D},\mathcal {R})\) denotes the set of all functions mapping \(\mathcal {D}\) to \(\mathcal {R}\). If S is a set, then \(\vert S \vert \) denotes its size. We denote by \(s \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}S\) the operation of picking at random s in S. If \(\vec {x}\) is a vector then we denote by \(\vert \vec {x} \vert \) its length, so \(\vec {x} = ({x}_1,\ldots ,{x}_{\vert \vec {x} \vert })\). For a binary string x, we denote its length by \(\vert x \vert \) so \(x \in \{0,1\}^{\vert x \vert }\), \(x_i\) its i-th bit, so \(x = x_1 {\,\Vert \,}\ldots {\,\Vert \,}x_n\). We extend these notations to any d-ary string x, for \(d \ge 2\). For a matrix \({{\varvec{A}}}\) of size \(k \times m\), we denote by \(a_{i,j}\) the coefficient of \({{\varvec{A}}}\) in the i-th row and the j-th column. For a vector \(\vec {\phi }=(\phi _1,\dots ,\phi _n)\) of n functions from \(S_1\) to \(S_2\) with \(\vert \vec {\phi } \vert = n\) and \(\vec {a} \in S_1\), we denote by \(\vec {\phi }(\vec {a})\) the vector \((\phi _1(\vec {a}),\ldots ,\phi _n(\vec {a})) \in S_2^n\). We denote by \({{\mathbb Z}}_p[T_1,\ldots ,T_{n}]\) the ring of multivariate polynomials in indeterminates \(T_1,\ldots ,T_{n}\). For a polynomial \(P \in {{\mathbb Z}}_p[T_1,\ldots ,T_{n}]\), we denote \(P(T_1,\ldots ,T_{n})\) by \(P(\vec {T})\) and by \(P(\vec {a})\) the evaluation of P by setting \(\vec {T}\) to \(\vec {a}\), meaning that we set \(T_1 = a_1,\ldots ,T_n = a_n\). 
For \(F {{:}\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) and for a vector \(\vec {x}\) over \(\mathcal {D}\), we denote by \(F(K,\vec {x})\) the vector \((F(K,{x}_1),\ldots ,F(K,{x}_{\vert \vec {x} \vert }))\). We denote by \(\mathfrak {S}_{n}\) the set of all permutations of \(\{1,\ldots ,n\}\).

Finally, we often implicitly consider a multiplicative group \(\mathbb {G}= \langle g \rangle \) with public generator g of order p and we denote by \(\left[ {a}\right] _{g}\), or simply \(\left[ {a}\right] \) if there is no ambiguity about the generator, the element \(g^a\), for any \(a \in {{\mathbb Z}}_p\). Similarly, if \({{\varvec{A}}}\) is a matrix in \({{\mathbb Z}}_p^{k \times m}\), \(\left[ {{{\varvec{A}}}}\right] \) is a matrix \({\varvec{U}} \in \mathbb {G}^{k \times m}\), such that \(u_{i,j} = \left[ {a_{i,j}}\right] \) for \(i=1,\dots ,k\) and \(j=1,\dots ,m\).

Games [10]. Most of our definitions and proofs use the code-based game-playing framework, in which a game has an \(\mathbf{Initialize }\) procedure, procedures to respond to adversary oracle queries, and a \(\mathbf{Finalize }\) procedure. To execute a game \(\text {G}\) with an adversary \(\mathscr {A}\), we proceed as follows. First, \(\mathbf{Initialize }\) is executed and its outputs become the input of \(\mathscr {A}\). When \(\mathscr {A}\) executes, its oracle queries are answered by the corresponding procedures of \(\text {G}\). When \(\mathscr {A}\) terminates, its outputs become the input of \(\mathbf{Finalize }\). The output of the latter, denoted \(\text {G}^\mathscr {A}\) is called the output of the game, and we let “\(\text {G}^\mathscr {A}\Rightarrow 1\)” denote the event that this game output takes the value 1. The running time of an adversary by convention is the worst case time for the execution of the adversary with any of the games defining its security, so that the time of the called game procedures is included.

PRFs [8, 19]. The advantage of an adversary \(\mathscr {A}\) in attacking the standard PRF security of a function \(F {{:}\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) is defined via

$$\begin{aligned} {\mathbf {Adv}^{\mathsf {prf}}_{F}}({\mathscr {A}}) = {\Pr \left[ \,{\mathrm {PRFReal}_F^\mathscr {A}\Rightarrow 1}\,\right] } - {\Pr \left[ \,{\mathrm {PRFRand}_F^\mathscr {A}\Rightarrow 1}\,\right] }. \end{aligned}$$

Game \(\mathrm {PRFReal}_F\) first picks \(K \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathcal {K}\) and responds to oracle query \(\mathbf Fn (x)\) via \(F(K,x)\). Game \(\mathrm {PRFRand}_F\) first picks \(f \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathsf {Fun}(\mathcal {D}, \mathcal {R})\) and responds to oracle query \(\mathbf Fn (x)\) via \(f(x)\).

RKA-PRFs [8, 9]. Let \(F {{:}\;\;}\mathcal {K}\times \mathcal {D}\rightarrow \mathcal {R}\) be a function and \(\mathrm {\Phi } \subseteq \mathsf {Fun}({\mathcal {K}}, {\mathcal {K}})\). The members of \(\mathrm {\Phi } \) are called \(\mathrm {RKD}\) (Related-Key Deriving) functions. An adversary is said to be \(\mathrm {\Phi } \)-restricted if its oracle queries \((\phi ,x)\) satisfy \(\phi \in \mathrm {\Phi } \). The advantage of a \(\mathrm {\Phi } \)-restricted adversary \(\mathscr {A}\) in attacking the RKA-PRF security of F is defined via

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}\text{- }\mathsf {rka}}_{\mathrm {\Phi },F}{(\mathscr {A})} = {\Pr \left[ \,{\mathrm {RKPRFReal}_F^\mathscr {A}\Rightarrow 1}\,\right] } - {\Pr \left[ \,{\mathrm {RKPRFRand}_F^\mathscr {A}\Rightarrow 1}\,\right] }. \end{aligned}$$

Game \(\mathrm {RKPRFReal}_F\) first picks \(K \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathcal {K}\) and responds to oracle query \(\mathbf{RKFn } (\phi ,x)\) via \(F(\phi (K),x)\). Game \(\mathrm {RKPRFRand}_F\) first picks \(K \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathcal {K}\) and \(G \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathsf {Fun}(\mathcal {K}, \mathcal {D}, \mathcal {R})\) and responds to oracle query \(\mathbf{RKFn } (\phi ,x)\) via \(G(\phi (K),x)\). We say that F is a \(\mathrm {\Phi } \)-RKA-secure PRF if for any \(\mathrm {\Phi } \)-restricted adversary, its advantage in attacking the RKA-PRF security is negligible.

Group Generators. All our PRFs and RKA-PRFs use a cyclic group of prime order p. The generator(s) used in their construction are assumed to be public. In particular, RKD functions cannot modify the generator(s). Our security proofs will therefore start by giving the generators to the adversary.

Hardness Assumptions. To get a simpler and unified framework, we introduce a particular \(\mathrm {MDDH}\) assumption [18]: the \(\mathcal {E}_{k,d}\mathsf - \mathrm {MDDH}\) assumption, defined by the matrix distribution \(\mathcal {E}_{k,d}\) which samples matrices \(\varvec{\varGamma }\) as follows

$$\begin{aligned} \varvec{\varGamma }= \begin{pmatrix} {{\varvec{A}}}_1^0 \cdot {{\varvec{A}}}_0 \\ {{\varvec{A}}}_1^1 \cdot {{\varvec{A}}}_0 \\ \vdots \\ {{\varvec{A}}}_1^d \cdot {{\varvec{A}}}_0 \end{pmatrix} \in {{\mathbb Z}}_p^{k(d+1) \times k} \quad \text {with } {{\varvec{A}}}_0, {\varvec{A}}_1 \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}{{\mathbb Z}}_p^{k \times k}. \end{aligned}$$
(1)

The advantage of an adversary \(\mathscr {D}\) against the \(\mathcal {E}_{k,d}\mathsf - \mathrm {MDDH}\) assumption is

$$\begin{aligned} \mathbf {Adv}^{\mathcal {E}_{k,d}\mathsf - \mathsf {mddh}}_{\mathbb {G}}{(\mathscr {D})} = {\Pr \left[ \,{\mathscr {D}(g,\left[ {\varvec{\varGamma }}\right] , \left[ {\varvec{\varGamma }\cdot {{\varvec{W}}}}\right] )}\,\right] } - {\Pr \left[ \,{\mathscr {D}(g,\left[ {\varvec{\varGamma }}\right] , \left[ {{\varvec{U}}}\right] )}\,\right] }, \end{aligned}$$

where \(\varvec{\varGamma }\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathcal {E}_{k,d}\), \({{\varvec{W}}}\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}{{\mathbb Z}}_p^{k \times 1}\), \({\varvec{U}}\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}{{\mathbb Z}}_p^{k(d+1) \times 1}\). Like any \(\mathrm {MDDH}\) assumption, and as recalled in the full version, this assumption is random self-reducible, which enables us to give relatively tight proofs.

Table 1. Security of \(\mathcal {E}_{k,d}\mathsf - \mathrm {MDDH}\)

In Table 1, we summarize security results for \(\mathcal {E}_{k,d}\mathsf - \mathrm {MDDH}\). For \(k=1\) or \(d=1\), the \(\mathcal {E}_{k,d}\mathsf - \mathrm {MDDH}\) assumption is implied by standard assumptions (\(\mathrm {DDH}\), DDHI, or \(k\mathsf - \mathrm {Lin} \), recalled in the full version). \(\mathcal {E}_{1,1}\mathsf - \mathrm {MDDH} \) is actually exactly \(\mathrm {DDH}\).

For our RKA framework, we also make use of the d-Strong Discrete Logarithm (SDL) problem given in [20] and recalled in the full version.

3 Linearly Independent Polynomial Security

In this section, we define a new security notion, termed linearly independent polynomial (\(\mathrm {LIP}\)) security. Given a cyclic group \(\mathbb {G}=\langle g \rangle \) of prime order p, it captures the hardness of distinguishing a tuple \((y_1,\dots ,y_q)=(\left[ {{P_1(\vec {a})} \cdot a'}\right] ,\dots ,\left[ {{P_q(\vec {a})} \cdot a'}\right] ) \in \mathbb {G}^q\) from a random tuple \((y_1,\dots ,y_q) \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\mathbb {G}^q\), where \(\vec {a}\) is a secret random vector in \({{\mathbb Z}}_p^n\), \(a'\) is a secret random scalar in \({{\mathbb Z}}_p\), and the \(P_j\) are linearly independent multivariate polynomials. Our \(\mathrm {LIP}\) theorem (Theorem 1) shows that distinguishing these two tuples is harder than the \(\mathcal {E}_{1,d}\mathsf - \mathrm {MDDH}\) problem in \(\mathbb {G}\), where d is the maximum degree in one indeterminate in the polynomials \(P_1,\dots ,P_q\). We point out that, on the one hand, if there were a linear relation between the polynomials, i.e., if there exists \((\lambda _1,\dots ,\lambda _q) \in {{\mathbb Z}}_p^q \backslash \{(0,\dots ,0)\}\) such that \(\sum _{j=1}^q \lambda _j P_j = 0\), then it would be straightforward to break the \(\mathrm {LIP}\) security by checking whether \(\prod _{j=1}^q {y_j}^{\lambda _j} = 1\) (real case) or not (random case). So the linear independence of the \(P_j\)’s is required.

On the other hand, if the polynomials \(P_j\) are linearly independent, then distinguishing the two tuples is hard in the generic group model, since in this model the adversary can only compute linear combinations of the group elements it is given (and check for equality). The \(\mathrm {LIP}\) security is therefore not surprising. What is surprising is that it is possible to prove it under classical assumptions such as \(\mathcal {E}_{1,d}\mathsf - \mathrm {MDDH}\), without an exponential blow-up.

In the following, we first consider a particular case of the \(\mathrm {LIP}\) theorem in which the polynomials are given in their expanded form. This section not only serves as a warm-up for the sequel, but it also helps better grasp the challenges of the proof of the full theorem and gives a nice overview. Next, we formally state the \(\mathrm {LIP}\) theorem.

3.1 Warm-Up: Expanded Multilinear Polynomials

As a warm-up, let us first suppose the polynomials \(P_j\) are multilinear and given in their expanded form: \(P_j \in {{\mathbb Z}}_p[T_1,\ldots ,T_{n}]\) and

$$\begin{aligned} P_j(\vec {T}) = \sum _{i \in \{0,1\}^n} \alpha _{j,i} T_1^{i_1} \cdots T_n^{i_n}. \end{aligned}$$

There are \(2^n\) monomials \(T_1^{i_1} \cdots T_n^{i_n}\), even in that restricted case. So we need to suppose that either n is logarithmic in the security parameter, or, more generally, only a polynomial (in the security parameter) number of \(\alpha _{j,i}\) are non-zero.

Let us now prove the \(\mathrm {LIP}\) security of these polynomials. In the real case, we have:

$$\begin{aligned} y_j = \left[ {{P_j(\vec {a})} a'}\right] = \left[ {{\sum _{i \in \{0,1\}^n} \alpha _{j,i} a_1^{i_1} \cdots a_n^{i_n}} a'}\right] = \prod _{i \in \{0,1\}^n} \mathsf{NR } ((a',\vec {a}),i)^{\alpha _{j,i}}, \end{aligned}$$
(2)

where \(\mathsf{NR } ((a',\vec {a}),i) = \left[ {a' \prod _{k=1}^n a_k^{i_k}}\right] \) (for \(i \in \{0,1\}^n\)). \(\mathsf{NR } \) is a secure PRF under the \(\mathrm {DDH}\) assumption, meaning that the values \(\mathsf{NR } ((a',\vec {a}),i)\) for all \(i \in \{0,1\}^n\) look independent and uniformly random. Let \(\vec {U}\) be the column vector, with rows indexed by \(i \in \{0,1\}^n\), containing the discrete logarithms of these values, i.e., \(u_i = a' \prod _{k=1}^n a_k^{i_k}\). Let \({{\varvec{M}}}\) be the \(q \times 2^n\) matrix, with columns indexed by \(i \in \{0,1\}^n\), defined by \(m_{j,i} = \alpha _{j,i}\). Then we can rewrite (2) as:

$$\begin{aligned} \begin{pmatrix} y_1&\ldots&y_q \end{pmatrix}^\intercal = \left[ { {{\varvec{M}}} \cdot \vec {U}}\right] . \end{aligned}$$

Since the polynomials \(P_j\) are linearly independent, the rows of \({{\varvec{M}}}\) are linearly independent. Therefore, as \(\left[ {\vec {U}}\right] \) looks uniformly random in \(\mathbb {G}^{2^n}\), \((y_1,\dots ,y_q)\) looks like a uniformly random tuple in \(\mathbb {G}^q\). This proves the result of the \(\mathrm {LIP}\) theorem in the multilinear case with expanded polynomials. Extending this result to non-multilinear polynomials would only require a slight change of assumption, as long as the polynomials are given in their expanded form.
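As an added example (not code from the paper), the Naor-Reingold PRF of Sect. 1 and the rewriting of equation (2), computing \(y_j = [P_j(\vec{a}) a']\) both directly and as a product of \(\mathsf{NR}\) values. The group parameters \(P = 2039\), \(p = 1019\), \(g = 4\) are a constructed toy group standing in for a cryptographic-size one, and all function names are the example's own.

```python
import random
from itertools import product

# Constructed toy group (not from the paper): P = 2039 is a safe prime, the
# subgroup order is p = 1019 = (P-1)/2, and g = 4 = 2^2 generates it.
P, p, g = 2039, 1019, 4

def bracket(a):
    """[a] = g^a in G for a in Z_p, the paper's bracket notation."""
    return pow(g, a % p, P)

def nr(key, x):
    """Naor-Reingold PRF NR((a_0, ..., a_n), x) = [a_0 * prod_i a_i^{x_i}]
    for an n-bit input x given as a tuple of 0/1 values."""
    a0, *a = key
    e = a0
    for ai, xi in zip(a, x):
        if xi:
            e = e * ai % p
    return bracket(e)

def eval_expanded(alpha, a):
    """Evaluate an expanded multilinear polynomial sum_i alpha_i T_1^{i_1}...T_n^{i_n}
    at a in Z_p^n; alpha maps exponent tuples i in {0,1}^n to coefficients."""
    total = 0
    for i, coef in alpha.items():
        mono = 1
        for ai, ii in zip(a, i):
            if ii:
                mono = mono * ai % p
        total = (total + coef * mono) % p
    return total

def y_direct(alpha, a_prime, a):
    """Real-case LIP value y_j = [P_j(a) * a'] computed directly."""
    return bracket(eval_expanded(alpha, a) * a_prime)

def y_via_nr(alpha, a_prime, a):
    """The same value as in equation (2): prod_i NR((a', a), i)^{alpha_{j,i}},
    i.e. a known linear combination (in the exponent) of NR outputs."""
    y = 1
    for i, coef in alpha.items():
        y = y * pow(nr((a_prime, *a), i), coef % p, P) % P
    return y

def expand_product_plus_one(n):
    """Expanded form of (T_1 + 1) ... (T_n + 1): all 2^n monomials, coefficient 1.
    This is the polynomial the text uses to illustrate the exponential blow-up."""
    return {i: 1 for i in product((0, 1), repeat=n)}

def demo(n=3, seed=1):
    """Return (direct value, value via NR, number of monomials) for a random key."""
    rng = random.Random(seed)
    a = [rng.randrange(1, p) for _ in range(n)]
    a_prime = rng.randrange(1, p)
    alpha = expand_product_plus_one(n)
    return y_direct(alpha, a_prime, a), y_via_nr(alpha, a_prime, a), len(alpha)

if __name__ == "__main__":
    print(demo())
```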

This result is already very useful. We will see in Sect. 4 that it enables us to prove the security of the Naor-Reingold PRF and variants thereof.

Challenges for its Extension. Unfortunately, for certain settings such as those considered in the context of related-key security, or even for the Boneh-Montgomery-Raghunathan PRF [17], we cannot have polynomials in an expanded form, but only as a polynomial-size (in the number n of indeterminates and the maximum degree d in each indeterminate) formula (given by an abstract tree). The problem is that the expanded version of these polynomials may be exponentially large. For example, \((T_1 + 1) \cdots (T_n + 1)\) has \(2^n\) monomials.

Therefore, the main challenge is to prove the theorem without expanding the polynomials. This requires a much more subtle proof, which we sketch here. The first idea is the following: instead of replacing all monomials by independent random values at once, we first fix all values \(T_2,\dots ,T_n\) to randomly chosen \(a_2,\dots ,a_n\), and get polynomials in \(T_1\) only. These polynomials can be expanded without an exponential blow-up, and each monomial \(T_1,T_1^2,\dots \) can be replaced by an independent random value (instead of \(a_1,a_1^2, \dots \) for some value \(a_1\)). Then, we fix only \(T_3,\dots ,T_n\) to randomly chosen \(a_3,\dots ,a_n\), get polynomials in \(T_1\) and \(T_2\), and replace all distinct monomials (\(T_1,T_1^2,T_1T_2,T_2^2,\dots \)) by independent random values. We continue in this way until all monomials are replaced.

Obviously, if we do that so naively, we get back to the original problem: we have an exponential number of monomials. The second idea is to remark that we actually do not need to expand polynomials to replace all distinct monomials by random values and get the result, at each step of the previous idea. We could just assign random values to all polynomials (after fixing \(T_{i+1},\dots ,T_n\) to \(a_{i+1},\dots ,a_n\)), if they are all linearly independent: this is exactly what we showed in the previous proof for expanded polynomials. And if they are not all linearly independent, we just need to take care of linear combinations, and compute the resulting value accordingly.

More precisely, for any polynomial P, let us write \(Q_P \in {{\mathbb Z}}_p[T_1,\ldots ,T_{i}]\) for the polynomial obtained after fixing \(T_{i+1},\dots ,T_n\) to \(a_{i+1},\dots ,a_n\). To answer the j-th query \(P_j\), we check whether \(Q_{P_j}\) is linearly independent of \((Q_{P_l})_{l=1,\dots ,j-1}\). If so, we answer with an independent random value \(y_j\). Otherwise, we find a linear combination between \(Q_{P_j}\) and \((Q_{P_l})_{l=1,\dots ,j-1}\), write \(Q_{P_j} = \sum _{l=1}^{j-1} \lambda _l Q_{P_l}\), and output \(\prod _{l=1}^{j-1} y_l^{\lambda _l}\), where \(y_l\) is the output given for \(P_l\).

The last difficulty is that this proof requires a test of linear dependence of multivariate polynomials. One way to do so would be to expand them, which is exactly what we are trying to avoid. So, instead, we use a statistical test based on the Schwartz-Zippel lemma, which essentially consists of evaluating the polynomials at enough random points and looking for linear combinations among the vectors of these evaluations.
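The Schwartz-Zippel dependence test and the query-answering strategy sketched above, together with the \(\prod_j y_j^{\lambda_j} = 1\) check from the start of this section, as an added Python example that is not the paper's code. Polynomials are black-box callables kept in formula form; the group \(P = 2039\), \(p = 1019\), \(g = 4\) and the queries \(Q_1,\dots,Q_4\) are constructed for the example.

```python
import random

# Constructed toy group (not from the paper): P = 2039 is a safe prime, the
# subgroup order is p = 1019 = (P-1)/2, and g = 4 generates it.
P, p, g = 2039, 1019, 4

def solve_mod_p(rows, rhs):
    """Solve A * lam = rhs over Z_p by Gauss-Jordan elimination on [A | rhs].
    Returns the unique solution, or None when the system is inconsistent
    (rhs outside the column span) or A is rank-deficient."""
    m = [list(r) + [b] for r, b in zip(rows, rhs)]
    ncols = len(rows[0])
    r = 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(m)) if m[i][c] % p), None)
        if piv is None:
            return None
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], p - 2, p)
        m[r] = [v * inv % p for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c] % p:
                f = m[i][c]
                m[i] = [(vi - f * vr) % p for vi, vr in zip(m[i], m[r])]
        r += 1
    if any(v % p for i in range(r, len(m)) for v in m[i]):
        return None                      # leftover non-zero row: inconsistent
    return [m[i][ncols] for i in range(ncols)]

def find_dependence(prev, new, n, rng, extra=4):
    """Schwartz-Zippel style test: is `new` in the Z_p-span of `prev`?
    Polynomials are black-box callables Z_p^n -> Z_p in formula form (never
    expanded). All are evaluated at len(prev)+extra random points and we solve
    new = sum_l lam_l * prev_l on those points. `prev` is assumed linearly
    independent (the simulator below keeps it so), so the evaluation matrix
    has full column rank except with probability about (deg/p)^extra.
    Returns lam, or None when `new` is independent with high probability."""
    if not prev:
        return None
    pts = [[rng.randrange(p) for _ in range(n)] for _ in range(len(prev) + extra)]
    rows = [[q(pt) % p for q in prev] for pt in pts]
    return solve_mod_p(rows, [new(pt) % p for pt in pts])

class RealOracle:
    """Real case of the LIP game: y = [P(a) * a'] for secret a in Z_p^n, a' in Z_p."""
    def __init__(self, n, rng):
        self.a = [rng.randrange(1, p) for _ in range(n)]
        self.a_prime = rng.randrange(1, p)
    def query(self, poly):
        return pow(g, poly(self.a) * self.a_prime % p, P)

class LipSimulator:
    """The answering strategy from the proof sketch: a fresh random group element
    for a query independent of the earlier ones, otherwise prod_l y_l^{lam_l}
    for the relation P_j = sum_l lam_l P_l found by find_dependence."""
    def __init__(self, n, rng):
        self.n, self.rng, self.polys, self.ys = n, rng, [], []
    def query(self, poly):
        lam = find_dependence(self.polys, poly, self.n, self.rng)
        if lam is None:
            y = pow(g, self.rng.randrange(1, p), P)
            self.polys.append(poly)
            self.ys.append(y)
            return y
        y = 1
        for yl, ll in zip(self.ys, lam):
            y = y * pow(yl, ll, P) % P
        return y

# Constructed queries over Z_p[T_1, T_2] in formula form: Q3 = 2*Q1 + 3*Q2 is a
# deliberate linear dependence, while Q4 = T_1*T_2 is independent of Q1, Q2.
Q1 = lambda t: (t[0] + 1) % p
Q2 = lambda t: t[1] % p
Q3 = lambda t: (2 * (t[0] + 1) + 3 * t[1]) % p
Q4 = lambda t: t[0] * t[1] % p

def relation_holds(oracle):
    """With Q3 - 2*Q1 - 3*Q2 = 0 the real tuple satisfies y3 = y1^2 * y2^3
    (the check from the start of Sect. 3); the simulator reproduces it."""
    y1, y2, y3 = oracle.query(Q1), oracle.query(Q2), oracle.query(Q3)
    return y3 == pow(y1, 2, P) * pow(y2, 3, P) % P

def demo(seed=1):
    """Returns (lam for Q3, result for Q4, real-oracle check, simulator check)."""
    rng = random.Random(seed)
    return (find_dependence([Q1, Q2], Q3, 2, rng),
            find_dependence([Q1, Q2], Q4, 2, rng),
            relation_holds(RealOracle(2, rng)),
            relation_holds(LipSimulator(2, rng)))

if __name__ == "__main__":
    print(demo())
```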

Fig. 1. Game defining the \((n,d)\)-\(\mathrm {LIP}\) security for a group \(\mathbb {G}\)

3.2 Main Theorem: LIP Security

LIP Security. Let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p. We define the advantage of an adversary \(\mathscr {A}\) against the \((n,d)\)-\(\mathrm {LIP}\) security of \(\mathbb {G}\), denoted \(\mathbf {Adv}^{(n,d)\mathsf - \mathsf {lip}}_{\mathbb {G}}(\mathscr {A})\) as the probability of success in the game defined in Fig. 1, with \(\mathscr {A}\) being restricted to make queries \(P \in {{\mathbb Z}}_p[T_1,\ldots ,T_{n}]\) such that for any query P, the maximum degree in one indeterminate in P is at most d, and for any sequence \((P_1,\dots ,P_q)\) of queries, the polynomials \((P_1,\dots ,P_q)\) are always linearly independent over \({{\mathbb Z}}_p\). Another way to look at the security definition is to consider that when \(b=0\), \(\mathbf{Pl } (P)\) outputs \(\left[ {P(\vec {a})}\right] _{h} = \left[ {P(\vec {a}) \cdot a'}\right] _{g}\), where the generator is \(h = \left[ {a'}\right] _{g}\), which is not public (but can be obtained by querying the polynomial 1), and g is a public generator.

Theorem 1

(\(\mathrm {LIP}\)). Let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p. Let \(\mathscr {A}\) be an adversary against the \((n,d)\)-\(\mathrm {LIP}\) security of \(\mathbb {G}\) that makes q oracle queries \(P_1,\dots ,P_q\). Then we can design an adversary \(\mathscr {B}\) against the \(\mathcal {E}_{1,d}\mathsf - \mathrm {MDDH}\) problem in \(\mathbb {G}\), such that \( \mathbf {Adv}^{(n,d)\mathsf - \mathsf {lip}}_{\mathbb {G}}(\mathscr {A}) \le n \cdot d \cdot \mathbf {Adv}^{\mathcal {E}_{1,d}\mathsf - \mathsf {mddh}}_{\mathbb {G}}{(\mathscr {B})} + O(ndq/p) \). The running time of \(\mathscr {B}\) is that of \(\mathscr {A}\) plus the time to perform a polynomial number (in q, n, and d) of operations in \({{\mathbb Z}}_p\) and \(\mathbb {G}\).

The proof is detailed in the full version.

4 Recovering and Extending Existing Number-Theoretic PRFs

In Table 2, we recall known number-theoretic PRFs, namely the Naor-Reingold (\(\mathsf{NR } \)) PRF [27], its variant \({\mathsf {NR}^*} \) defined in [8], and the algebraic PRF by Boneh, Montgomery, and Raghunathan (\({\mathsf {BMR}} \)) in [17]. We also introduce weighted (extended) versions of these PRFs, namely weighted \(\mathsf{NR } \) (\(\mathsf {WNR}^{}\)) and weighted \({\mathsf {BMR}} \) (\(\mathsf {WBMR}^{}\)), in order to construct RKA-secure PRFs for new classes of RKD functions (Sect. 5). These weighted PRFs are obtained by applying particular permutations to the key space. Then, as PRFs, it is straightforward that the security of NR and \(\mathsf {BMR}\) implies the security of their weighted versions. However, as detailed in Sect. 5, in the RKA setting, we can prove that some of these weighted PRFs are secure against certain classes of RKD functions while both NR and \(\mathsf {BMR}\) are not, even if we apply the BC/ABPP frameworks.

Using the \(\mathrm {LIP}\) theorem and changing the generators used (to get PRFs of the form \(F(\vec {a},x) = \left[ {P_x(\vec {a}) \cdot a'}\right] \)), the security proof of \(\mathsf {WNR}^{}\) and \(\mathsf {WBMR}^{}\) is straightforward, and so is the security proof of \(\mathsf{NR } \), \({\mathsf {NR}^*} \), and \({\mathsf {BMR}} \), as particular cases of \(\mathsf {WNR}^{}\) and \(\mathsf {WBMR}^{}\). Concretely, for \(\mathsf {WBMR}^{\vec {w}}\), we start by revealing the generator h to the adversary where

$$\begin{aligned} h = \left[ {\left( \prod _{i = 1}^n \prod _{k \in \{0,\dots ,d\}} (a_i + w_i + k) \right) \cdot a'}\right] _{g} = \left[ {P(\vec {a}) \cdot a'}\right] _{g} \end{aligned}$$

which is a generator with overwhelming probability. Then, when the adversary makes a query x, it is clear that

$$\begin{aligned} \left[ {\prod _{i = 1}^n \frac{1}{a_i + w_i + x_i}}\right] _{h} = \left[ { \left( \prod _{i = 1}^n \prod _{k \in \{0,\dots ,d\} \setminus \{x_i\}} (a_i + w_i + k) \right) \cdot a' }\right] _{g} = \left[ {P_x(\vec {a}) \cdot a' }\right] _{g} \end{aligned}$$

As each polynomial \(P_x\) is null on every input \(-x'\) for \(x' \in \{0,\ldots ,d\}^n\), seen as a vector of \({{\mathbb Z}}_p^n\), except when \(x'=x\), and as P is null on all \(-x'\), P and \({(P_x)}_x\) are linearly independent. Then, we conclude the security proof of \(\mathsf {WBMR}^{\vec {w}}\) by applying the \(\mathrm {LIP}\) theorem. Formal proofs are provided in the full version.

Table 2. Existing number-theoretic PRFs and their weighted extensions

5 Application to Related-Key Security

In this section, we show how our theorem can be used to build RKA-secure PRFs from a PRF F defined over a prime order group \(\mathbb {G}= \langle g \rangle \) that takes a key \(\vec {a}\) and an input x and outputs a group element \(F(\vec {a},x) = \left[ {P_x(\vec {a})}\right] \). Let \(\mathrm {\Phi } \) be a class of RKD functions, where functions \(\vec {\phi }=(\phi _1,\dots ,\phi _n) \in \mathrm {\Phi } \) are such that \(\phi _i\) are multivariate polynomials in \({{\mathbb Z}}_p[T_1,\ldots ,T_{n}]\). Then, for an RKD function \(\vec {\phi }\) and an input x, the PRF outputs \(F(\vec {\phi }(\vec {a}),x) = \left[ {P_{\vec {\phi },x}(\vec {a})}\right] \), where the polynomial \(P_{\vec {\phi },x}(\vec {T}) = P_x(\vec {\phi }(\vec {T})) = P_x(\phi _1(\vec {T}),\dots ,\phi _n(\vec {T}))\) depends on \(\vec {\phi }\) and x. In particular, \(P_{\mathsf {id},x} = P_x\) for all x, where \(\mathsf {id}\) is the identity function.

When all polynomials \(P_{\vec {\phi },x}\) and the constant polynomial 1 are linearly independent, the \(\mathrm {LIP}\) theorem directly shows that F is \(\mathrm {\Phi } \)-RKA-secure. To illustrate this, we construct in Sect. 5.1 a PRF that is secure against permutations of the secret key using this method.

However, to assume that all polynomials \(P_{\vec {\phi },x}\) are linearly independent is a very strong property and, in general, this is not the case for all x and \(\vec {\phi }\). Hence, in Sect. 5.2, we consider the less restrictive case where the polynomials \(P_{\vec {\phi }_1,x_1},\dots ,P_{\vec {\phi }_q,x_q}\) are linearly independent as long as the inputs \(x_1,\dots ,x_q\) are distinct (in which case the adversary is said to be unique-input). More precisely, we first design a new algebraic framework that extends the one from [1], when the PRF F is of the form \(\left[ {P_x(\vec {a})}\right] \) and the RKD functions are multivariate polynomials, and then use it to construct RKA-secure PRFs from F for new and larger classes of RKD functions.

5.1 Direct Constructions of RKA-Secure PRFs

In this section, we show how the \(\mathrm {LIP}\) theorem can be used to prove the \(\mathrm {\Phi } \)-\(\mathrm {RKA}\text {-}\mathrm {PRF}\) security in the particular case where all polynomials \(P_{\vec {\phi },x}\) are linearly independent, for any \(\vec {\phi } \in \mathrm {\Phi } \) and any input x.

Specifically, we consider the class \(\mathrm {\Phi } _{\mathfrak {S}_{n}}\) of functions defined as \(\{\sigma \, \mid \,\sigma \in \mathfrak {S}_{n}\}\) such that, applying a function \(\sigma \in \mathrm {\Phi } _{\mathfrak {S}_{n}}\) to a key \(\vec {a} = (a_1,\dots ,a_n) \in {{\mathbb Z}}_p^n\) leads to the key \(\sigma (\vec {a}) = (a_{\sigma ^{-1}(1)},\dots ,a_{\sigma ^{-1}(n)})\), so the i-th component of \(\vec {a}\) becomes the \(\sigma (i)\)-th component of the key \(\sigma (\vec {a})\).

It is clear that \(\mathsf {BMR}\) is not \(\mathrm {\Phi } _{\mathfrak {S}_{n}}\)-RKA-secure, since we can distinguish \(\mathsf {BMR}\) from a random function with only 2 queries. Indeed, let \(\mathsf {id}\) be the identity function and (12) be the permutation which switches the first two components of the key. Then, one can just first query \((\mathsf {id},100\dots 0)\) and \(((12),010\dots 0)\) and check whether the outputs of these queries are the same, which is the case in the real case while they are independent in the random case. However, we show in what follows that a particular case of \(\mathsf {WBMR}^{}\), defined below, is a \(\mathrm {\Phi } _{\mathfrak {S}_{n}}\)-RKA-secure PRF.

Linear \(\mathsf {WBMR}^{}\) PRF. We define \(\mathsf {WBMR}^{\mathsf {lin}}\) as the particular case of \(\mathsf {WBMR}^{}\), where \(w_i = (i-1)(d+1)\), for \(i = 1,\dots ,n\). Please refer to Table 2 for details.

Theorem 2

Let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p and let \(\mathsf {WBMR}^{\mathsf {lin}}\) be the function defined above. Then we can reduce the \(\mathrm {\Phi } _{\mathfrak {S}_{n}}\)-\(\mathrm {RKA}\text {-}\mathrm {PRF}\) security of \(\mathsf {WBMR}^{\mathsf {lin}}\) to the hardness of the \({{(n(d+1)-1)} \text{- }}\mathrm {DDHI} \) problem in \(\mathbb {G}\), with a loss of a factor \(n(n(d+1)-1)\). Moreover, the time overhead of this reduction is polynomial in nd and in the number of queries made by the adversary.

The proof is given in the full version and is very similar to the proof of security of \(\mathsf {WBMR}^{}\) sketched in Sect. 4. The construction can actually be extended to also tolerate small additive factors in addition to permutations (see the full version).

5.2 Constructions via Unique-Input RKA-Secure PRFs

In this section, we address the less restrictive case where the polynomials \(P_{\vec {\phi }_1,x_1},\dots ,P_{\vec {\phi }_q,x_q}\) are linearly independent for any \(\vec {\phi }_1,\dots ,\vec {\phi }_q\) only when the inputs \(x_1,\dots ,x_q\) are all distinct. Please notice that this is the case for all the classes considered in [1, 8]. We now denote by M the “original” PRF: \(M(\vec {a},x) = \left[ {P_{x}(\vec {a})}\right] \).

In order to build RKA-secure PRFs from such PRFs, we would like to apply the ABPP generic framework [1], which allows one to transform a PRF M which is RKA-secure with respect to unique-input adversaries (\(\mathrm {UI}\text {-}\mathrm {RKA}\)-secure) into an RKA-secure PRF F, when M is key-collision and statistical-key-collision secure. The latter means that it is hard to find two functions \({\phi }_{1},{\phi }_{2} \in \mathrm {\Phi } \) such that \({\phi }_{1}(K) = {\phi }_{2}(K)\), even with access to an oracle \(({\phi },x) \mapsto f({\phi }(K),x)\), when \(f=M\) (key-collision security), and when f is a random function (statistical key-collision security). The framework consists in transforming this \(\mathrm {UI}\text {-}\mathrm {RKA}\)-secure PRF M into an RKA-secure PRF F, as follows:

$$\begin{aligned} F(K,x) = M(K,H(x,M(K,\vec \omega ))), \end{aligned}$$

where H is a compatible collision-resistant hash function, and the vector \(\vec \omega \) is a strong key fingerprint, meaning that it is a vector of inputs such that the vector of outputs \(M(K,\vec \omega )\) completely defines K (recall that \(M(K,\vec {\omega }) = (M(K,\omega _1),\dots ,M(K,\omega _{\vert \vec {\omega } \vert })\)). As defined in [8], a hash function is said to be compatible if it guarantees that the inner calls to M in the construction above will never collide with the outer calls to M even under related keys.

Unfortunately, if we consider the PRF \(\mathsf {WNR}^{\vec {w}}\) with some \(w_i > 1\), then it is not clear how to find a strong key fingerprint, which is needed to apply the ABPP framework. Furthermore, this ABPP framework requires proving several non-algebraic properties (statistical or computational), namely key-collision, statistical-key-collision, and \(\mathrm {UI}\text {-}\mathrm {RKA}\) security.

For this reason, we design a new algebraic framework, that generalizes the ABPP framework in the particular case of PRFs of the shape \(M(\vec {a},x) = \left[ {P_x({\vec {a}})}\right] \) and of RKD functions which are multivariate polynomials. For completeness, a more general framework, which does not make any assumptions about the shape of a PRF, is also given in the full version. Afterwards, we use our algebraic framework to design new RKA-secure PRFs based on \(\mathsf {WNR}^{}\) for larger classes for which previous constructions from [1, 8] are not secure.

An Algebraic Framework for Related-Key Security. Here, we describe a new framework that transforms any PRF satisfying that \(P_{\vec {\phi }_1,x_1},\dots ,P_{\vec {\phi }_q,x_q}\) are linearly independent, for any \(\vec {\phi }_1,\dots ,\vec {\phi }_q\) as long as \(x_1,\dots ,x_q\) are all distinct inputs, into an RKA-secure PRF. To do so, we first introduce three new notions, termed algebraic fingerprint, helper information, and expansion function, defined as follows.

Group Generator. In this framework and its applications, we assume for simplicity that the generator used in the PRF construction, that is revealed to the adversary, is \(\left[ {a'}\right] \).

Algebraic Fingerprint. In order to overcome the possible lack of a strong key fingerprint, we introduce the algebraic fingerprint, which will be used to replace \(M(K,\vec \omega )\) in the construction in [1], where \(\vec \omega \) is a strong fingerprint. An algebraic fingerprint is simply an injective function \(\vec {\varOmega }{{:}\;\;}{{\mathbb Z}}_p^n \rightarrow \mathbb {G}^m\) such that the image \(\vec {\varOmega }(\vec {a})\) is a vector of group elements \((\left[ {{\varOmega _1}(\vec {a})a'}\right] ,\dots ,\left[ {{\varOmega _m}(\vec {a})a'}\right] )\) with \({\varOmega _1},\dots ,{\varOmega _m}\) being polynomials in \({{\mathbb Z}}_p[T_1,\ldots ,T_{n}]\) and \(a' \in {{\mathbb Z}}_p\). In our applications, we will simply have \(\vec {\varOmega }(\vec {a}) = (\left[ {a_1 a'}\right] ,\dots ,\left[ {a_n a'}\right] )\), so \(m = n\) and \(\varOmega _i(\vec {T}) = T_i\) for \(i = 1,\dots ,n\).

Helper Information. In order to prove the security of our framework, we need to be able to compute the image of the algebraic fingerprint, \(\vec {\varOmega }(\vec {\phi }(\vec {a}))=((\varOmega _1\circ \vec {\phi })(\vec {a}),\dots ,(\varOmega _m\circ \vec {\phi })(\vec {a}))\), for any related key \(\vec {\phi }(\vec {a}) \in {{\mathbb Z}}_p^n\), with \(\vec {\phi } \in \mathrm {\Phi } \), from some information which can somehow be made public without hurting security. We call this information a helper information, write it \(\mathsf {Help}_{\mathrm {\Phi }}(\vec {a})\), and call \(\mathsf {Help}_{\mathrm {\Phi }}\) the helper function. We suppose that \(\mathsf {Help}_{\mathrm {\Phi }}(\vec {a}) = (\left[ {\mathsf {help}_1(\vec {a}) a'}\right] ,\dots ,\left[ {\mathsf {help}_l(\vec {a}) a'}\right] )\), with \(\mathsf {help}_1,\dots ,\mathsf {help}_l\) linearly independent polynomials which generate a vector subspace of \({{\mathbb Z}}_p[T_1,\ldots ,T_{n}]\) containing the polynomials \({\varOmega _i \circ \vec {\phi }}\) for \(i = 1,\dots ,m\), and \(\vec {\phi } \in \mathrm {\Phi } \).

Hash Function and Expansion Function. Let \(\overline{{\mathcal {D}}} = {\mathcal {D}} \times \mathbb {G}^m\) where \(\mathcal {D}\) is the domain of the PRF M, and let h be a collision-resistant hash function \(h {{:}\;\;}\overline{{\mathcal {D}}} \rightarrow \mathsf {hSp}\) (definition recalled in the full version), where \(\mathsf {hSp}\) is a large enough space. The last thing we need to define is an expansion function, which is simply an injective function \(\mathsf {E}{{:}\;\;}\mathsf {hSp}\rightarrow \mathcal {S}\subseteq \mathcal {D}\) such that for any sequence \((\vec {\phi }_1,x_1),\dots ,(\vec {\phi }_q,x_q)\) where \(x_1,\dots ,x_q\) are distinct inputs in \(\mathcal {S}\) and \(\vec {\phi }_1,\dots ,\vec {\phi }_q\) are RKD functions, polynomials \(\mathsf {help}_1,\dots ,\mathsf {help}_l\) and polynomials \(P_{\vec {\phi }_1,x_1},\dots ,P_{\vec {\phi }_q,x_q}\) and 1 (which needs to be queried to define the generator \(\left[ {a'}\right] \)) are linearly independent over \({{\mathbb Z}}_p\) (in particular, \(\mathsf {E}\) has to be injective).

Using these new tools, we obtain the following framework.

Theorem 3

Let \(\mathbb {G}\) be a group of prime order p. We use the above definitions, with \(M {{:}\;\;}{{\mathbb Z}}_p^n \times \mathcal {D}\rightarrow \mathbb {G}\) defined by \(M(\vec {a},x) = \left[ {P_x(\vec {a})}\right] \). Let d be an upper bound for the maximum degree in any indeterminate of polynomials in \(\{\mathsf {help}_{1},\dots ,\mathsf {help}_l\} \cup \{P_{\vec {\phi },x} \, \mid \,x \in \mathcal {S}, \vec {\phi } \in \mathrm {\Phi } \}\). Define \(F {{:}\;\;}{{\mathbb Z}}_p^n \times \mathcal {D}\rightarrow \mathbb {G}\) by

$$\begin{aligned} F(\vec {a},x) = M(\vec {a},\mathsf {E}(h(x,\vec {\varOmega }(\vec {a})))) \end{aligned}$$

for all \(\vec {a} \in {{\mathbb Z}}_p^n\) and \(x \in \mathcal {D}\). Then, we can reduce the \(\mathrm {\Phi } \)-\(\mathrm {RKA}\text {-}\mathrm {PRF}\) security of F to the \((n,d)\)-\(\mathrm {LIP}\) security and the collision-resistance security of h without any loss, and to the \({{d} \text{- }}\mathrm {SDL}\) assumption with a loss of a factor 2n. The running time overhead of this reduction is polynomial in nd and q.

Proof Overview. The proof of the above theorem is detailed in the full version and relies on the sequence of 10 games (games \(\text {G}_0-\text {G}_{9}\)). We first prove an intermediate statement whose proof is very similar to the proof of Theorem 3.1 from [1], under a notion termed extended key-collision security (that states the hardness of finding key collisions given access to PRF values and helper information) which is defined in the appendix. Afterwards, we reduce this notion to the hardness of the SDL in \(\mathbb {G}\). Here we provide a brief overview of the proof of the intermediate statement.

We start by giving the generator used for the PRF by querying polynomial 1. Hence, the generator is simply \(\left[ {a'}\right] \). Since we may have key collisions (i.e., two RKD functions \(\phi _1 \ne \phi _2\), such that \(\phi _1(\vec {a}) = \phi _2(\vec {a})\)), we start by dealing with possible collisions on the related keys in the RKAPRFReal case, using the extended key-collision notion (games \(\text {G}_0-\text {G}_2\)). These claws can be detected by looking for collisions on images of \(\vec {\varOmega }\) for different RKD functions.

Then, in games \(\text {G}_3-\text {G}_4\), we deal with possible collisions on hash values in order to ensure that the inputs \(t = \mathsf {E}(h(x,\vec {\varOmega }(\vec {a})))\) used to compute the output y are distinct (recall that \(\mathsf {E}\) is injective).

Then, we use the \((n,d)\)-\(\mathrm {LIP}\) security notion to show that it is hard to distinguish the output of F and the helper information from uniformly random values (games \(\text {G}_5-\text {G}_6\)).

Finally, we use once again the extended-key-collision security notion to deal with possible key collisions in the RKAPRFRand case (games \(\text {G}_7-\text {G}_{9}\)) so that \(\text {G}_{9}\) matches the description of the RKAPRFRand game. These key collisions can still be detected in these games by making crucial use of the helper information.

RKA-PRFs for Permutations of Univariate Polynomial Functions. We now apply our framework to a particular case of \(\mathsf {WNR}^{}\) and build the first RKA-secure PRF secure against permutations of univariate polynomials. We chose to set \(w_0\) to 0 in our construction in order to ease readability, so that the key space of the PRF stays \({{\mathbb Z}}_p^{n}\), but similar results can be proven with \(w_0 = 1\) or \(w_0\) set to a prime number \(p_0 > d\) (distinct from \(p_1,\ldots ,p_n\) defined below).

For \(d \ge 1\), let \(\mathrm {\Phi } _{d}\) be the class of degree at most d non-constant univariate polynomials defined as \(\mathrm {\Phi } _{d} = \{\vec {\phi } {{:}\;\;}{{{\mathbb Z}}_p^{n}} \rightarrow {{{\mathbb Z}}_p^{n}} \, \mid \,{\phi }_i : \vec {T}\mapsto \sum _{j=0}^{d} \alpha _{i,j} T_i^j, (\alpha _{i,1},\dots ,\alpha _{i,d}) \ne 0^d, \forall i = 1,\dots ,n\}\). Then we consider the class \(\mathrm {\Phi } _{\mathfrak {S}_{n},d}\) of permutations of degree at most d non-constant univariate polynomials, defined as follows:

$$\begin{aligned} \mathrm {\Phi } _{\mathfrak {S}_{n},d} = \{\sigma \circ \vec {\phi } \, \mid \,(\sigma ,\vec {\phi }) \in \mathfrak {S}_{n} \times \mathrm {\Phi } _{d} \} \; . \end{aligned}$$

For a key \(\vec {a} = (a_1,\dots ,a_n) \in {{\mathbb Z}}_p^{n}\), applying an RKD function \(\sigma \circ \vec {\phi } \in \mathrm {\Phi } _{\mathfrak {S}_{n},d}\), where \(\vec {\phi } = (\phi _1,\dots ,\phi _n) \) leads to the key \((\phi _{\sigma ^{-1}(1)}(\vec {a}),\dots ,\phi _{\sigma ^{-1}(n)}(\vec {a})) \in {{\mathbb Z}}_p^{n}\), so the i-th component \(a_i\) of the key is changed into \(\phi _i(\vec {a})\) and becomes the \(\sigma (i)\)-th component of the related key.

Before explaining our construction, we would like to point out that, even if we just consider the simple class of permutations \(\mathrm {\Phi } _{\mathfrak {S}_{n}} \subset \mathrm {\Phi } _{\mathfrak {S}_{n},1}\) introduced in Sect. 5.1, we can already show that \(\mathsf{NR } \) and \({\mathsf {NR}^*} \) are not \(\mathrm {\Phi } _{\mathfrak {S}_{n}}\)-RKA secure, even with respect to unique-input adversaries.

Indeed, let us consider \({\mathsf {NR}^*} \): let \(\mathsf {id}\) be the identity function and (12) be the permutation which switches the first two components of the key. Then, the output of the queries \((\mathsf {id},100\dots 0)\) and \(((12),010\dots 0)\) will be the same in the real case and independent in the random case.

In fact, we can generalize the attack above to show that there even exists a compatible collision-resistant hash function h such that the PRF that one obtains when applying the Bellare-Cash (or ABPP) transform to \({\mathsf {NR}^*} \) would not be RKA-secure with respect to the class of permutations. Indeed, let \(h'\) be a collision-resistant hash function. The counter-example for h could be as follows (where \(x_{1}\) and \(x_{2}\) are two arbitrary distinct inputs):

$$\begin{aligned} h(x,\left[ {a_1}\right] ,\dots ,\left[ {a_n}\right] ) = \left\{ \begin{array}{ll} 1110{\,\Vert \,}h'(x_{1},\left[ {a_1}\right] ,\dots ,\left[ {a_n}\right] ) &{} \text{ if } x = x_{1} \\ 1101{\,\Vert \,}h'(x_{1},\left[ {a_2}\right] ,\left[ {a_1}\right] ,\left[ {a_3}\right] ,\dots ,\left[ {a_n}\right] ) &{} \text{ if } x = x_{2} \\ 1111{\,\Vert \,}h'(x,\left[ {a_1}\right] ,\dots ,\left[ {a_n}\right] ) &{} \text{ otherwise. } \\ \end{array} \right. \end{aligned}$$

Note that h is a compatible collision-resistant hash function. It is easy to see that the output of the queries \((\mathsf {id},x_{1})\) and \(((12),x_{2})\) will be the same in the real case and independent in the random case. The same kind of attack can be mounted against \(\mathsf{NR } \).

However, while \(\mathsf{NR } \) and \({\mathsf {NR}^*} \) are not RKA-secure against permutations attacks, we show in what follows that a particular case of \(\mathsf {WNR}^{}\), defined below, yields a \(\mathrm {\Phi } _{\mathfrak {S}_{n},d}\)-RKA-secure PRF.

\(d\)-Linear Weighted NR PRF. Let \(d \ge 1\). Let \(p_1 < p_2 < \dots < p_n\) be distinct prime numbers such that \(p_1 > d\). We define \(\mathsf {WNR}^{{d}\mathsf - \mathsf {lin}}\) as the particular case of \(\mathsf {WNR}^{}\), where \(w_0 = 0\) and \(w_i = p_i\). Please refer to Table 2 for details. Using standard inequalities over prime numbers, it is easy to see that we can find \(p_1,\dots ,p_n\) such that \(p_n = \tilde{O}(d + n)\).

In order to apply the framework from Theorem 3 to \(\mathsf {WNR}^{{d}\mathsf - \mathsf {lin}}\) and \(\mathrm {\Phi } _{\mathfrak {S}_{n},d}\), we define:

  • \(\left[ {a'}\right] \in \mathbb {G}\) is the generator used for the PRF construction

  • \(\vec {\varOmega }{{:}\;\;}\vec {a} \in {{\mathbb Z}}_p^n \mapsto (\left[ {a_1 a'}\right] ,\dots ,\left[ {a_n a'}\right] ) \in \mathbb {G}^n\)

  • \(\mathsf {Help}_{\mathrm {\Phi } _{\mathfrak {S}_{n},d}} {{:}\;\;}\vec {a} \in {{\mathbb Z}}_p^n \mapsto (\left[ {a'}\right] ,\left[ {a_1 a'}\right] ,\dots ,\left[ {a_1^d a'}\right] ,\dots ,\left[ {a_n a'}\right] ,\dots ,\left[ {a_n^d a'}\right] ) \in \mathbb {G}^{nd + 1}\)

  • h can be any collision-resistant hash function \(h {{:}\;\;}\{0,1\}^n \times \mathbb {G}^n \rightarrow \{0,1\}^{n-2}\)

  • \(\mathsf {E}{{:}\;\;}z \in \{0,1\}^{n-2} \mapsto 11{\,\Vert \,}z \in \{0,1\}^n\).

We just need to prove that \(\mathsf {E}\) satisfies the linear independence property required to apply the framework, which is done in the full version, and sketched here. We order monomials of multivariate polynomials, with any order respecting the total degree of polynomials (e.g., the graded lexicographic order). The leading monomial (i.e., the first monomial for that order) of the polynomial \(P_{\vec \phi ,x}\) is \(T_1^{x_{\sigma (1)} p_{\sigma (1)} d_1} \cdots T_n^{x_{\sigma (n)} p_{\sigma (n)} d_{n}}\), with \(d_i > 0\) the degree of \(\phi _i\). The polynomials for the helper information (\(\mathsf {help}_k\)) are \(T_i^j\). Therefore, the leading monomials of \(\mathsf {help}_1,\dots ,\mathsf {help}_l,P_{\vec {\phi _1},x_1}, \dots , P_{\vec {\phi _q},x_q},1\) are all distinct, when \(x_1,\dots ,x_q\) are distinct inputs. This means that the matrix whose columns correspond to monomials (ordered as specified above) and whose rows correspond to the polynomials \(\mathsf {help}_1,\ldots ,\mathsf {help}_l,P_{\vec {\phi _1},x_1}, \dots , P_{\vec {\phi _q},x_q}, 1\) (ordered according to their leading monomial) is in echelon form. Hence, the latter polynomials are linearly independent. Finally, by combining Theorem 3 and the \(\mathrm {LIP}\) theorem, we obtain the following theorem.
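To make the leading-monomial argument concrete, here is an added Python example (not code from the paper) that builds the polynomials \(P_{\sigma \circ \vec {\phi },x}\) for a toy instance of \(\mathsf {WNR}^{{d}\mathsf - \mathsf {lin}}\) over a small constructed prime field, checks that their leading monomials in graded lexicographic order are distinct from each other and from the helper polynomials \(T_i^j\) and 1, and confirms full rank by Gaussian elimination; it also reproduces the \({\mathsf {NR}^*} \) failure discussed above, where the queries \((\mathsf {id},100)\) and \(((12),010)\) yield the same polynomial. The field prime 10007, the weight primes (3, 5, 7) and the sample RKD functions are constructed choices.

```python
# Added example (not from the paper): checks the leading-monomial argument for a
# toy WNR^{d-lin} instance and reproduces the NR* permutation collision.
FIELD_P = 10007  # constructed toy prime standing in for the group order p

# A polynomial in Z_p[T_1..T_n] is a dict {exponent tuple: coefficient mod p}.
def poly_mul(f, g):
    h = {}
    for m1, c1 in f.items():
        for m2, c2 in g.items():
            m = tuple(e1 + e2 for e1, e2 in zip(m1, m2))
            h[m] = (h.get(m, 0) + c1 * c2) % FIELD_P
    return {m: c for m, c in h.items() if c}

def poly_pow(f, e, n):
    r = {(0,) * n: 1}
    for _ in range(e):
        r = poly_mul(r, f)
    return r

def univariate(i, coeffs, n):
    """phi_i: T -> sum_j coeffs[j] * T_i^j, as a polynomial in n indeterminates (i is 0-based)."""
    f = {}
    for j, c in enumerate(coeffs):
        if c % FIELD_P:
            m = [0] * n
            m[i] = j
            f[tuple(m)] = c % FIELD_P
    return f

def related_key_poly(weights, sigma, phis, x):
    """P_{sigma o phi, x}(T) = prod_i phi_{sigma^{-1}(i)}(T)^{w_i x_i} for WNR with w_0 = 0.
    sigma[i] = sigma(i) (0-based), phis[i] = coefficient list of phi_i, x = bit string."""
    n = len(weights)
    inv = [0] * n                      # inv[sigma(i)] = i
    for i, s in enumerate(sigma):
        inv[s] = i
    r = {(0,) * n: 1}
    for i, bit in enumerate(int(b) for b in x):
        if bit:                        # component i of the related key is phi_{inv[i]}(a)
            r = poly_mul(r, poly_pow(univariate(inv[i], phis[inv[i]], n), weights[i], n))
    return r

def leading_monomial(f):
    """Largest exponent tuple in graded lexicographic order (total degree first)."""
    return max(f, key=lambda m: (sum(m), m))

def rank_mod_p(polys):
    """Rank over Z_p of the matrix with one row per polynomial and one column per monomial."""
    monos = sorted({m for f in polys for m in f}, key=lambda m: (sum(m), m), reverse=True)
    rows = [[f.get(m, 0) for m in monos] for f in polys]
    rank, col = 0, 0
    while rank < len(rows) and col < len(monos):
        piv = next((r for r in range(rank, len(rows)) if rows[r][col]), None)
        if piv is None:
            col += 1
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][col], -1, FIELD_P)
        rows[rank] = [c * inv % FIELD_P for c in rows[rank]]
        for r in range(len(rows)):
            if r != rank and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * b) % FIELD_P for a, b in zip(rows[r], rows[rank])]
        rank, col = rank + 1, col + 1
    return rank

def helper_polys(n, d):
    """Polynomials behind Help_Phi: 1 (the generator [a']) and T_i^j for j = 1..d."""
    return [{(0,) * n: 1}] + [univariate(i, [0] * j + [1], n)
                             for i in range(n) for j in range(1, d + 1)]

def nr_star_permutation_collision():
    """NR* (all weights 1): queries (id, 100) and ((12), 010) give the same polynomial T_1."""
    p1 = related_key_poly((1, 1, 1), (0, 1, 2), [[0, 1]] * 3, "100")
    p2 = related_key_poly((1, 1, 1), (1, 0, 2), [[0, 1]] * 3, "010")
    return p1 == p2 and rank_mod_p([p1, p2]) == 1

def wnr_dlin_unique_input_independence():
    """WNR^{2-lin} with n = 3, weights (3, 5, 7) > d = 2, three unique-input related-key
    queries (constructed). Returns (leading monomials all distinct, full rank)."""
    weights, d = (3, 5, 7), 2
    queries = [((0, 1, 2), [[1, 1, 0], [0, 2, 1], [0, 0, 1]], "101"),  # id; 1+T1, 2T2+T2^2, T3^2
               ((1, 0, 2), [[0, 1, 0]] * 3, "110"),                    # (12) with identity phis
               ((1, 2, 0), [[0, 1, 1], [0, 3, 0], [0, 0, 1]], "011")]  # cyclic shift with phis
    polys = helper_polys(3, d) + [related_key_poly(weights, s, ph, x) for s, ph, x in queries]
    lms = [leading_monomial(f) for f in polys]
    return len(set(lms)) == len(lms), rank_mod_p(polys) == len(polys)
```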

Theorem 4

Let \(\vec {\varOmega }\), h and \(\mathsf {E}\) be defined as above. Define \(F {{:}\;\;}{{\mathbb Z}}_p^{n} \times \{0,1\}^n \rightarrow \mathbb {G}\) by \( F(\vec {a},x) = \mathsf {WNR}^{{d}\mathsf - \mathsf {lin}}(\vec {a}, \mathsf {E}(h(x,\vec {\varOmega }(\vec {a})))) \), for all \(\vec {a} \in {{\mathbb Z}}_p^{n}\) and \(x \in \{0,1\}^n\). Then we can reduce the \(\mathrm {\Phi } _{\mathfrak {S}_{n},d}\)-\(\mathrm {RKA}\text {-}\mathrm {PRF}\) security of F to the hardness of the \({{p_n d} \text{- }}\mathrm {DDHI}\) problem in \(\mathbb {G}\) and the \({{p_n d} \text{- }}\mathrm {SDL}\) problem in \(\mathbb {G}\), respectively with a loss of a factor \(n p_n d\) and of a factor n, and to the \(\mathrm {CR}\) security of h. Moreover, the time overhead of this reduction is polynomial in \(n,d,p_n\) and in the number of queries made by the adversary attacking the \(\mathrm {\Phi } _{\mathfrak {S}_{n},d}\)-\(\mathrm {RKA}\text {-}\mathrm {PRF}\) security of F.

6 Extension to PRFs in Symmetric Bilinear Groups

6.1 High-Level Overview of Existing Constructions and Challenges

All the previous constructions (of classical PRF and RKA-secure PRF) require at least \(\mathrm {DDH}\) to hold. In particular, they are insecure if there exists a symmetric pairing \(e: \mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\). In this section, we investigate how to adapt our linearly independent polynomials framework and the corresponding \(\mathrm {LIP}\) theorem to handle constructions of PRFs under weaker assumptions, which may hold in symmetric bilinear groups.

The first algebraic PRF based on \(\mathrm {DLin}\) is the Lewko-Waters PRF [26], which is defined as follows:

$$\begin{aligned} \mathsf {LW} (\vec {{{\varvec{A}}}},x) = \left[ { \prod _{i=1}^n {{\varvec{A}}}_i^{x_i} \cdot {{\varvec{A}}}' }\right] , \end{aligned}$$

with \(\vec {{{\varvec{A}}}}= ({{\varvec{A}}}_1,\dots ,{{\varvec{A}}}_n)\) being a vector of n uniformly random matrices in \({{\mathbb Z}}_p^{2 \times 2}\) and \({{\varvec{A}}}'\) a uniformly random matrix in \({{\mathbb Z}}_p^{2 \times m}\), for some \(m \ge 1\). \({{\varvec{A}}}'\) was actually in \({{\mathbb Z}}_p^{2 \times 1}\) (i.e., \(m=1\)) in [26] (with only the first group element being returned). This PRF is secure under \(\mathrm {DLin}\), and even under a weaker assumption, namely the \(\mathcal {U}_{2}\mathsf - \mathrm {MDDH} \)-assumption of Escala et al. [18]. In the latter paper, this PRF is extended to any \(\mathrm {MDDH}\)-assumption, which particularly encompasses \(\mathrm {DDH}\) and \(\mathrm {DLin}\). These instantiations differ by the size of the matrices and their distribution. Except for constructions using multilinear maps and lattices [5, 16] or trivial variants, we are not aware of any other construction.

Commutation Challenge. From a high level point of view, these PRFs are very similar to the one considered in our algebraic framework in Sect. 3, except elements of keys are now matrices. Unfortunately, matrices do not commute in general, and this lack of commutativity makes everything more complex.

One naive solution would be to extend the \(\mathrm {LIP}\) theorem by considering non-commutative polynomials, or in other words elements of the free algebra \({{\mathbb Z}}_p \langle T_1,\ldots ,T_{n}\rangle \). In this algebra, for example, \(T_1 T_2\) and \(T_2 T_1\) are distinct and linearly independent elements. The problem is that, as proven by Amitsur and Levitzki [4], for any matrices \({{\varvec{A}}}_1,\dots ,{{\varvec{A}}}_{4} \in {{\mathbb Z}}_p^{2\times 2}\), \( \sum _{\sigma \in \mathfrak {S}_{4}} \text {sgn}(\sigma ) \cdot {{\varvec{A}}}_{\sigma (1)} \cdot {{\varvec{A}}}_{\sigma (2)} \cdot {{\varvec{A}}}_{\sigma (3)} \cdot {{\varvec{A}}}_{\sigma (4)} = 0\), with \(\text {sgn}(\sigma )\) being the parity of the permutation \(\sigma \). Thus, while the family of non-commutative polynomials \((P_\sigma = T_{\sigma (1)} T_{\sigma (2)} T_{\sigma (3)} T_{\sigma (4)})_{\sigma \in \mathfrak {S}_{4}}\) is linearly independent in the free algebra, the PRF with domain \(\mathcal {D}= \mathfrak {S}_{4}\) defined by \(F(\vec {{{\varvec{A}}}},\sigma ) = \left[ {{{\varvec{A}}}_{\sigma (1)} {{\varvec{A}}}_{\sigma (2)} {{\varvec{A}}}_{\sigma (3)} {{\varvec{A}}}_{\sigma (4)} {{\varvec{A}}}'}\right] \) would clearly be insecure.
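As an added numerical check (not code from the paper) of the Amitsur-Levitzki identity invoked above, the Python below draws random \(2 \times 2\) matrices over a small constructed prime field, evaluates the alternating sum over \(\mathfrak {S}_{4}\) of the 24 products \({{\varvec{A}}}_{\sigma (1)} \cdots {{\varvec{A}}}_{\sigma (4)}\), and verifies that it vanishes even though the individual words (and already \({{\varvec{A}}}_1 {{\varvec{A}}}_2\) versus \({{\varvec{A}}}_2 {{\varvec{A}}}_1\)) differ. The field prime 10007 and the random seeds are constructed.

```python
# Added example (not from the paper): numerically checks the Amitsur-Levitzki identity
# over Z_p for 2x2 matrices, which is why linear independence in the free algebra is
# not enough for matrix-keyed PRFs.
from itertools import permutations
import random

FIELD_P = 10007  # constructed toy prime standing in for the group order p
ZERO = [[0, 0], [0, 0]]

def mat_mul(a, b):
    """Product of two 2x2 matrices over Z_p, given as lists of rows."""
    return [[sum(a[i][k] * b[k][j] for k in range(2)) % FIELD_P for j in range(2)]
            for i in range(2)]

def mat_add(a, b, scale=1):
    """a + scale * b over Z_p."""
    return [[(a[i][j] + scale * b[i][j]) % FIELD_P for j in range(2)] for i in range(2)]

def sign(perm):
    """Parity of a permutation (0-based tuple): +1 if even, -1 if odd."""
    inversions = sum(1 for i in range(len(perm))
                     for j in range(i + 1, len(perm)) if perm[i] > perm[j])
    return -1 if inversions % 2 else 1

def word(mats, perm):
    """A_{sigma(1)} A_{sigma(2)} ... A_{sigma(n)}: the non-commutative monomial P_sigma at the key."""
    r = [[1, 0], [0, 1]]
    for i in perm:
        r = mat_mul(r, mats[i])
    return r

def standard_identity(mats):
    """sum over sigma in S_n of sgn(sigma) * A_{sigma(1)} ... A_{sigma(n)}, n = len(mats)."""
    total = ZERO
    for perm in permutations(range(len(mats))):
        total = mat_add(total, word(mats, perm), sign(perm))
    return total

def random_matrices(count, seed):
    """`count` uniformly random 2x2 matrices over Z_p from a fixed seed (constructed input)."""
    rng = random.Random(seed)
    return [[[rng.randrange(FIELD_P) for _ in range(2)] for _ in range(2)] for _ in range(count)]

def amitsur_levitzki_holds(seed=1, trials=5):
    """True if the alternating sum over S_4 vanishes for `trials` random keys (A_1, ..., A_4)."""
    return all(standard_identity(random_matrices(4, seed + t)) == ZERO for t in range(trials))

def commutator_is_nonzero(seed=1):
    """T_1 T_2 - T_2 T_1 at random 2x2 matrices is (generically) nonzero: the two words are
    distinct as functions, yet the 24 degree-4 words above satisfy a fixed linear relation."""
    a1, a2 = random_matrices(2, seed)
    return mat_add(mat_mul(a1, a2), mat_mul(a2, a1), -1) != ZERO
```

Because the relation holds for every key, the 24 outputs of \(F(\vec {{{\varvec{A}}}},\sigma )\) are linearly dependent in the exponent for every key, whereas 24 independent random group elements satisfy no such relation except with negligible probability.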

Assumption Challenge and Generic Symmetric Bilinear Group. The second challenge is to prove the hardness of the \(\mathcal {E}_{2,d}\mathsf - \mathrm {MDDH}\) assumption in the generic bilinear group, which is done in the full version, using a non-trivial technical lemma. Notably, contrary to the cyclic group case, it is not straightforward to check whether a PRF defined by \(F(\vec {{{\varvec{A}}}},x) = \left[ {P_x(\vec {{{\varvec{A}}}}) \cdot {{\varvec{A}}}'}\right] \) is secure in the generic bilinear group model, where \((P_x)_{x \in \mathcal {D}}\) is a family of non-commutative polynomials, \(\vec {{{\varvec{A}}}}\) is a vector of matrices from \({{\mathbb Z}}_p^{2 \times 2}\), and \({{\varvec{A}}}'\) is a matrix from \({{\mathbb Z}}_p^{2 \times m}\), for some \(m \ge 1\).

6.2 Generalized Polynomial Framework

Let us show how we address these challenges.

Generalized Polynomial ( \(\mathrm{GP}\) ) Security. Let us introduce the \((k,n,d)\)-\(\mathrm{GP}\) security of a cyclic group \(\mathbb {G}= \langle g \rangle \) as a generalization of the \((n,d)\)-\(\mathrm {LIP}\) security in Sect. 3.2, where the secret scalar \(a' \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}{{\mathbb Z}}_p\) and the secret vector of scalars \(\vec {a} \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}{{\mathbb Z}}_p^n\) are replaced by a secret matrix \({{\varvec{A}}}' \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}{{\mathbb Z}}_p^{k \times m}\) (for some \(m \ge 1\); for the sake of simplicity, in the sequel, we choose \(k = m\)) and a secret vector of matrices \(\vec {{{\varvec{A}}}}\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}{({{\mathbb Z}}_p^{k \times k})}^n\), respectively.

Result under \(\mathcal {E}_{2,d}\mathsf - \mathrm {MDDH}\). To extend Theorem 1 to symmetric bilinear groups and avoid the commutativity problem, we suppose that all indeterminates appear “in the same order when multiplied together” in each subexpression of the representation of the non-commutative polynomials \(P_j\) (e.g., \(P_1 = T_1 T_3 + T_3 T_2\) and \(P_2 = T_3 + T_1 T_2\), where \(T_1\) appears before \(T_3\) which appears before \(T_2\)). The condition is quite natural and is formally defined in the full version. It makes these non-commutative polynomials behave very similarly to commutative polynomials, and we get the following theorem.

Theorem 5

Let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p. Let \(\mathscr {A}\) be an adversary against the \((2,n,d)\)-\(\mathrm{GP}\) security of \(\mathbb {G}\) that makes q oracle queries \(P_1,\ldots ,P_{q}\). We suppose that all indeterminates appear in the same order in each monomial of each non-commutative polynomial \(P_j\). Then we can build an adversary \(\mathscr {B}\) against the \(\mathcal {E}_{2,d}\mathsf - \mathrm {MDDH}\) problem in \(\mathbb {G}\), such that \( \mathbf {Adv}^{(2,n,d)\mathsf - \mathsf {gp}}_{\mathbb {G}}(\mathscr {A}) \le n \cdot d \cdot \mathbf {Adv}^{\mathcal {E}_{2,d}\mathsf - \mathsf {mddh}}_{\mathbb {G}}{(\mathscr {B})} + O(ndq/p)\). The running time of \(\mathscr {B}\) is that of \(\mathscr {A}\) plus the time to perform a polynomial number (in q, n, and d) of operations in \({{\mathbb Z}}_p\) and \(\mathbb {G}\).

The proof is similar to the proof of the \(\mathrm {LIP}\) theorem (with some additional care when partially evaluating polynomials to avoid having polynomials with matrix coefficients) and is given in the full version. Actually, this theorem can trivially be extended to the \((k,n,d)\)-\(\mathrm{GP}\) security and the \(\mathcal {E}_{k,d}\mathsf - \mathrm {MDDH}\) assumption. But for \(k \ge 3\) and \(n \ge 2\), it is not known if the latter assumption is secure in the generic k-linear group model.

Results in the Generic Bilinear Group Model. We may wonder whether the \((2,n,d)\)-\(\mathrm{GP}\) security still holds in the generic bilinear group model, when indeterminates do not necessarily appear in the same order in each polynomial \(P_j\). As seen before, it is not sufficient to suppose that \({(P_j)}_{j=1,\dots ,q}\) is a linearly independent family. But we show here that under a relatively natural condition, the DLM (distinct leading monomial) condition, the \((2,n,d)\)-\(\mathrm{GP}\) security still holds.

Table 3. Summary of our results related to generalized polynomial security

To formally state our result, we need to introduce some notions, which are formally defined in the full version and which are informally described here. We consider a monomial order for \({{\mathbb Z}}_p[T_1,\ldots ,T_{n}]\), which is a total order on monomials \(T_1^{i_1} \cdots T_n^{i_n}\) compatible with multiplication and where 1 is the smallest monomial. We then define the commutative leading monomials of a non-commutative polynomial as the monomials which are the highest for our monomial order, when considered as commutative monomials. There may be many commutative leading monomials for a given polynomial (for example \(T_1 T_2^2 + 5 T_2 T_1 T_2\) has two commutative leading monomials: \(T_1 T_2^2\) and \(T_2 T_1 T_2\)). We say a polynomial has a unique commutative leading monomial if there is only one such monomial.

Finally, we say that a family of polynomials \({(P_j)}_j\) satisfies the DLM condition, if there exists a monomial order and an invertible matrix \({{\varvec{M}}} \in {{\mathbb Z}}_p^{q \times q}\) such that \({{\varvec{M}}} \cdot {(P_j)}_j\) is a vector of non-commutative polynomials with unique and distinct commutative leading monomials, where \({(P_j)}_j\) is the column vector of polynomials \(P_j\).

Theorem 6

Let \(\mathbb {G}= \langle g \rangle \) be a group of prime order p. Let \(\mathscr {A}\) be an adversary against the \((2,n,d)\)-\(\mathrm{GP}\) security of \(\mathbb {G}\) that makes q oracle queries \(P_1,\ldots ,P_{q}\). We suppose that \({(P_j)}_j\) satisfies the DLM condition. Then, the advantage \(\mathbf {Adv}^{(2,n,d)\mathsf - \mathsf {gp}}_{\mathbb {G}}(\mathscr {A})\) is negligible in the generic bilinear group model.

The proof of Theorem 6 is given in the full version. We remark that, in the case of commutative polynomials (i.e., \(\mathrm {LIP}\) theorem), the DLM condition is exactly the same as saying that the polynomials \(P_j\) are linearly independent (using the Gauss reduction). However, this is not the case with non-commutative polynomials (e.g., consider \(P_1 = T_1 T_2\) and \(P_2 = T_2 T_1\) which are linearly independent but which have the same leading monomial).
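To make the two hypotheses concrete, here is an added example (not code from the paper or its full version) that represents non-commutative polynomials over \({{\mathbb Z}}_p\) as dictionaries from words (tuples of variable indices) to coefficients and implements three checks: the commutative leading monomials of a polynomial under the graded lexicographic order, a sufficient test for the DLM condition that takes the matrix \({{\varvec{M}}}\) to be the identity (unique and pairwise distinct commutative leading monomials, so it may reject families that satisfy DLM only after a change of basis), and our reading of the "same order of indeterminates" hypothesis of Theorem 5 as the existence of one total order on \(T_1,\ldots,T_n\) respected by every word. The prime, the function names and the graph-based order test are our own assumptions; the three example families are the ones quoted in the text.

```python
"""Checks on non-commutative polynomials over Z_p (added example, not the
paper's code): commutative leading monomials under graded lexicographic
order, a sufficient DLM test with M = identity, and a test for the
"indeterminates appear in the same order" hypothesis of Theorem 5.

A non-commutative polynomial in T_1..T_n is a dict mapping a word (tuple of
0-based variable indices, so T_1 is index 0) to its coefficient mod p.
"""
from collections import defaultdict

PRIME = 1000003  # constructed small prime standing in for the group order p


def normalize(poly, p=PRIME):
    """Reduce coefficients mod p and drop terms that vanish."""
    return {w: c % p for w, c in poly.items() if c % p != 0}


def comm_monomial(word, n):
    """Exponent vector of the commutative image of a word, e.g. T2 T1 T2 -> (1, 2)."""
    exps = [0] * n
    for v in word:
        exps[v] += 1
    return tuple(exps)


def grlex_key(exps):
    """Graded lex order: total degree first, then lexicographic on exponents.
    1 (all zeros) is the smallest monomial and the order is compatible with
    multiplication, so it is a monomial order in the sense of the text."""
    return (sum(exps), exps)


def commutative_leading_monomials(poly, n, p=PRIME):
    """Words of poly whose commutative image is maximal under grlex."""
    poly = normalize(poly, p)
    if not poly:
        return set()
    top = max(grlex_key(comm_monomial(w, n)) for w in poly)
    return {w for w in poly if grlex_key(comm_monomial(w, n)) == top}


def has_unique_leading_monomial(poly, n, p=PRIME):
    """True if exactly one word attains the leading commutative monomial."""
    return len(commutative_leading_monomials(poly, n, p)) == 1


def dlm_with_identity(polys, n, p=PRIME):
    """Sufficient check for the DLM condition with M = identity: every
    polynomial has a unique commutative leading monomial and these leading
    monomials are pairwise distinct as commutative monomials."""
    leading = []
    for poly in polys:
        lms = commutative_leading_monomials(poly, n, p)
        if len(lms) != 1:
            return False
        leading.append(comm_monomial(next(iter(lms)), n))
    return len(set(leading)) == len(leading)


def same_variable_order(polys, n):
    """True if one total order on T_1..T_n is respected by every word of every
    polynomial (our reading of the Theorem 5 hypothesis). Consecutive distinct
    variables in a word give a precedence edge; such an order exists iff the
    precedence graph is acyclic, which Kahn's algorithm decides."""
    succ = defaultdict(set)
    for poly in polys:
        for word in poly:
            for a, b in zip(word, word[1:]):
                if a != b:
                    succ[a].add(b)
    indeg = {v: 0 for v in range(n)}
    for a in list(succ):
        for b in succ[a]:
            indeg[b] += 1
    ready = [v for v in range(n) if indeg[v] == 0]
    seen = 0
    while ready:
        v = ready.pop()
        seen += 1
        for b in succ[v]:
            indeg[b] -= 1
            if indeg[b] == 0:
                ready.append(b)
    return seen == n


if __name__ == "__main__":
    T1, T2, T3 = 0, 1, 2
    # Example of the text: P1 = T1 T3 + T3 T2, P2 = T3 + T1 T2 (order T1, T3, T2).
    P1 = {(T1, T3): 1, (T3, T2): 1}
    P2 = {(T3,): 1, (T1, T2): 1}
    print("same order:", same_variable_order([P1, P2], 3))       # True
    print("DLM (M = I):", dlm_with_identity([P1, P2], 3))        # True
    # T1 T2^2 + 5 T2 T1 T2 has two commutative leading monomials.
    Q = {(T1, T2, T2): 1, (T2, T1, T2): 5}
    print("leading words of Q:", commutative_leading_monomials(Q, 3))
    # T1 T2 and T2 T1: linearly independent, same leading monomial.
    R1, R2 = {(T1, T2): 1}, {(T2, T1): 1}
    print("DLM (M = I) for R:", dlm_with_identity([R1, R2], 2))  # False
```

Running the script reproduces the three situations discussed above: the family \((P_1, P_2)\) passes both tests, \(T_1 T_2^2 + 5 T_2 T_1 T_2\) has two commutative leading monomials, and \((T_1 T_2, T_2 T_1)\) fails the distinctness test although the two polynomials are linearly independent.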

Summary. Table 3 provides a summary of all our results about \(\mathrm{GP}\) security.

6.3 Applications

RKA-PRFs in Generic Bilinear Groups. The RKA-PRF for permutation of univariate polynomial functions based on \(\mathsf {WNR}^{}\) (Sect. 5.2) can easily be transformed into an RKA-secure PRF for symmetric bilinear groups for the same set of RKD functions. It is sufficient to change keys from \(\vec {a} \mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}{{\mathbb Z}}_p^{n}\) to \(\vec {{{\varvec{A}}}}\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}{({{\mathbb Z}}_p^{2 \times 2})}^{n}\). Indeed, the RKA framework extends to this case easily, and the family of polynomials we considered satisfies the DLM condition as non-commutative polynomials. Actually, our proof of their linear independence can be seen as exhibiting a monomial order (namely the graded lexicographic order) for which these polynomials have distinct leading monomials. In addition, their leading monomials are always unique even as non-commutative polynomials.

RKA-PRFs under \(\mathcal {E}_{2,d}\mathsf - \mathrm {MDDH}\). Unfortunately, Theorem 5 does not apply to RKA-PRFs for permutation, as permutations change the order of the indeterminates. However, it still easily enables us to construct the first RKA-PRF for univariate polynomial functions secure in symmetric bilinear groups, using the construction of Sect. 5.2 (or a slightly more efficient variant thereof in the full version). Again, the construction is straightforward and so is the proof.