privately constraining and programming prfs the lwe way
play

Privately Constraining and Programming PRFs, the LWE Way Chris - PowerPoint PPT Presentation

Privately Constraining and Programming PRFs, the LWE Way Chris Peikert Sina Shiehian PKC 2018 1 / 15 Constrained Pseudorandom Functions [KPTZ13,BW13,BGI14] 1 Ordinary evaluation algorithm Eval ( msk, x ) . 2 / 15 Constrained


  1. Privately Constraining and Programming PRFs, the LWE Way Chris Peikert Sina Shiehian PKC 2018 1 / 15

  2. Constrained Pseudorandom Functions [KPTZ’13,BW’13,BGI’14] 1 Ordinary evaluation algorithm Eval ( msk, x ) . 2 / 15

  3. Constrained Pseudorandom Functions [KPTZ’13,BW’13,BGI’14] 1 Ordinary evaluation algorithm Eval ( msk, x ) . 2 For any constraint C ∈ C , can generate a constrained key sk C (using msk ). 2 / 15

  4. Constrained Pseudorandom Functions [KPTZ’13,BW’13,BGI’14] 1 Ordinary evaluation algorithm Eval ( msk, x ) . 2 For any constraint C ∈ C , can generate a constrained key sk C (using msk ). 3 Constrained evaluation algorithm CEval ( sk C , x ) . 2 / 15

  5. Constrained Pseudorandom Functions [KPTZ’13,BW’13,BGI’14] 1 Ordinary evaluation algorithm Eval ( msk, x ) . 2 For any constraint C ∈ C , can generate a constrained key sk C (using msk ). 3 Constrained evaluation algorithm CEval ( sk C , x ) . Correctness ◮ If C ( x ) = 0 (“authorized”) then CEval ( sk C , x ) = Eval ( msk, x ) . 2 / 15

  6. Constrained Pseudorandom Functions [KPTZ’13,BW’13,BGI’14] 1 Ordinary evaluation algorithm Eval ( msk, x ) . 2 For any constraint C ∈ C , can generate a constrained key sk C (using msk ). 3 Constrained evaluation algorithm CEval ( sk C , x ) . Correctness ◮ If C ( x ) = 0 (“authorized”) then CEval ( sk C , x ) = Eval ( msk, x ) . Security c ◮ If C ( x ) = 1 (“unauth”) then Eval ( msk, x ) ≈ random (even w/ sk C ). 2 / 15

  7. Constrained Pseudorandom Functions [KPTZ’13,BW’13,BGI’14] 1 Ordinary evaluation algorithm Eval ( msk, x ) . 2 For any constraint C ∈ C , can generate a constrained key sk C (using msk ). 3 Constrained evaluation algorithm CEval ( sk C , x ) . Correctness ◮ If C ( x ) = 0 (“authorized”) then CEval ( sk C , x ) = Eval ( msk, x ) . Security c ◮ If C ( x ) = 1 (“unauth”) then Eval ( msk, x ) ≈ random (even w/ sk C ). ◮ Applications: uses of iO [SW’14] , ID-based key exchange, broadcast encryption, . . . 2 / 15

  8. Privacy and Programmability [BonehLewiWu’17] ◮ Ordinarily, a constrained key sk C may reveal C . (It hides only the PRF output at unauthorized x .) 3 / 15

  9. Privacy and Programmability [BonehLewiWu’17] ◮ Ordinarily, a constrained key sk C may reveal C . (It hides only the PRF output at unauthorized x .) Privacy (a.k.a. Constraint Hiding) ◮ Constrained key sk C reveals nothing about C . In particular, it hides whether x is (un)authorized. 3 / 15

  10. Privacy and Programmability [BonehLewiWu’17] ◮ Ordinarily, a constrained key sk C may reveal C . (It hides only the PRF output at unauthorized x .) Privacy (a.k.a. Constraint Hiding) ◮ Constrained key sk C reveals nothing about C . In particular, it hides whether x is (un)authorized. ◮ Applications: searchable encryption, function secret sharing [BGI’15] . 3 / 15

  11. Privacy and Programmability [BonehLewiWu’17] ◮ Ordinarily, a constrained key sk C may reveal C . (It hides only the PRF output at unauthorized x .) Privacy (a.k.a. Constraint Hiding) ◮ Constrained key sk C reveals nothing about C . In particular, it hides whether x is (un)authorized. ◮ Applications: searchable encryption, function secret sharing [BGI’15] . Programmability ◮ Can program sk C to produce a desired value at some unauthorized x ∗ . (Nontrivial only if unauthorized x are hidden.) 3 / 15

  12. Privacy and Programmability [BonehLewiWu’17] ◮ Ordinarily, a constrained key sk C may reveal C . (It hides only the PRF output at unauthorized x .) Privacy (a.k.a. Constraint Hiding) ◮ Constrained key sk C reveals nothing about C . In particular, it hides whether x is (un)authorized. ◮ Applications: searchable encryption, function secret sharing [BGI’15] . Programmability ◮ Can program sk C to produce a desired value at some unauthorized x ∗ . (Nontrivial only if unauthorized x are hidden.) ◮ Applications: watermarking PRFs, ???. 3 / 15

  13. Prior Results BLW’17 Private constrained PRFs for all functions, & programmable PRFs, from iO . 4 / 15

  14. Prior Results BLW’17 Private constrained PRFs for all functions, & programmable PRFs, from iO . BKM’17 Private constrained PRFs for point functions, from LWE. 4 / 15

  15. Prior Results BLW’17 Private constrained PRFs for all functions, & programmable PRFs, from iO . BKM’17 Private constrained PRFs for point functions, from LWE. CC’17 Private constrained PRFs for NC 1 circuits, from LWE. 4 / 15

  16. Prior Results BLW’17 Private constrained PRFs for all functions, & programmable PRFs, from iO . BKM’17 Private constrained PRFs for point functions, from LWE. CC’17 Private constrained PRFs for NC 1 circuits, from LWE. BTVW’17 Private constrained PRFs for all circuits, from LWE. 4 / 15

  17. Prior Results BLW’17 Private constrained PRFs for all functions, & programmable PRFs, from iO . BKM’17 Private constrained PRFs for point functions, from LWE. CC’17 Private constrained PRFs for NC 1 circuits, from LWE. BTVW’17 Private constrained PRFs for all circuits, from LWE. Caveat! Limited to one constrained key. Two keys for arbitrary circuits ⇒ iO [CC’17] 4 / 15

  18. Prior Results BLW’17 Private constrained PRFs for all functions, & programmable PRFs, from iO . BKM’17 Private constrained PRFs for point functions, from LWE. CC’17 Private constrained PRFs for NC 1 circuits, from LWE. BTVW’17 Private constrained PRFs for all circuits, from LWE. Caveat! Limited to one constrained key. Two keys for arbitrary circuits ⇒ iO [CC’17] Open Programmable PRFs from a non- iO assumption. 4 / 15

  19. Our Results Main Message ◮ A unified approach to private constrained and programmable PRFs from LWE: shift-hiding functions. ◮ Simple, modular constructions via the ‘right’ choice of shift function. 5 / 15

  20. Our Results Main Message ◮ A unified approach to private constrained and programmable PRFs from LWE: shift-hiding functions. ◮ Simple, modular constructions via the ‘right’ choice of shift function. Constructions 1 Shift-hiding functions from LWE by standard FHE/ABE/PE tech [GSW’13,BGG+’14,GVW’15] 5 / 15

  21. Our Results Main Message ◮ A unified approach to private constrained and programmable PRFs from LWE: shift-hiding functions. ◮ Simple, modular constructions via the ‘right’ choice of shift function. Constructions 1 Shift-hiding functions from LWE by standard FHE/ABE/PE tech [GSW’13,BGG+’14,GVW’15] 2 Private constrained & programmable PRFs, simply by letting shift = constraint × (pseudo)random function 5 / 15

  22. Our Results Main Message ◮ A unified approach to private constrained and programmable PRFs from LWE: shift-hiding functions. ◮ Simple, modular constructions via the ‘right’ choice of shift function. Constructions 1 Shift-hiding functions from LWE by standard FHE/ABE/PE tech [GSW’13,BGG+’14,GVW’15] 2 Private constrained & programmable PRFs, simply by letting shift = constraint × (pseudo)random function In particular, the first programmable PRFs from non- iO assumptions. 5 / 15

  23. Our Results Main Message ◮ A unified approach to private constrained and programmable PRFs from LWE: shift-hiding functions. ◮ Simple, modular constructions via the ‘right’ choice of shift function. Constructions 1 Shift-hiding functions from LWE by standard FHE/ABE/PE tech [GSW’13,BGG+’14,GVW’15] 2 Private constrained & programmable PRFs, simply by letting shift = constraint × (pseudo)random function In particular, the first programmable PRFs from non- iO assumptions. Selectively simulation-secure, for a priori bounded-size functions. 5 / 15

  24. Shift-Hiding Functions ⇓ Private/Programmable PRFs 6 / 15

  25. Main Tool: Shift-Hiding Functions 1 Ordinary evaluation algorithm Eval ( msk, · ): X → Z q . 7 / 15

  26. Main Tool: Shift-Hiding Functions 1 Ordinary evaluation algorithm Eval ( msk, · ): X → Z q . 2 Shifting algorithm sk H ← Shift ( msk, H ) for shift fct H : X → Z q . 7 / 15

  27. Main Tool: Shift-Hiding Functions 1 Ordinary evaluation algorithm Eval ( msk, · ): X → Z q . 2 Shifting algorithm sk H ← Shift ( msk, H ) for shift fct H : X → Z q . 3 Shifted evaluation algorithm SEval ( sk H , · ): X → Z q . 7 / 15

  28. Main Tool: Shift-Hiding Functions 1 Ordinary evaluation algorithm Eval ( msk, · ): X → Z q . 2 Shifting algorithm sk H ← Shift ( msk, H ) for shift fct H : X → Z q . 3 Shifted evaluation algorithm SEval ( sk H , · ): X → Z q . Shifting ◮ For every shift function H and every x ∈ X : SEval ( sk H , x ) ≈ Eval ( msk, x ) + H ( x ) (mod q ) 7 / 15

  29. Main Tool: Shift-Hiding Functions 1 Ordinary evaluation algorithm Eval ( msk, · ): X → Z q . 2 Shifting algorithm sk H ← Shift ( msk, H ) for shift fct H : X → Z q . 3 Shifted evaluation algorithm SEval ( sk H , · ): X → Z q . Shifting ◮ For every shift function H and every x ∈ X : SEval ( sk H , x ) ≈ Eval ( msk, x ) + H ( x ) (mod q ) Hiding ◮ sk H reveals nothing about H . 7 / 15

  30. Shift-Hiding Functions ⇒ Private Constrained PRFs ◮ F ( msk, x ) := ⌊ Eval ( msk, x ) ⌉ , where ⌊·⌉ : Z q → Z 2 “rounds off.” 8 / 15

  31. Shift-Hiding Functions ⇒ Private Constrained PRFs ◮ F ( msk, x ) := ⌊ Eval ( msk, x ) ⌉ , where ⌊·⌉ : Z q → Z 2 “rounds off.” ◮ To generate a constrained key for circuit C , define shift function H ( x ) = C ( x ) · PRF k ( x ) and output sk C ← Shift ( msk, H ) . This hides H , hence C (and k ). 8 / 15

Recommend


More recommend