Dan Boneh, Yuval Ishai, Alain Passelègue, Amit Sahai, and David J. Wu

Exploring Crypto Dark Matter: New Simple PRF Candidates and Their Applications
Dan Boneh, Yuval Ishai, Alain Passelègue, Amit Sahai, and David J. Wu

The landscape of cryptography (figure, not drawn to scale and non-exhaustive)
Theory-driven: lattices (LWE, SIS, ...), LPN, factoring (RSA, QR, ...), discrete log (DDH, DLin, ...).
Practice-oriented: block ciphers (DES, AES, LowMC, RASTA), hash functions (SHA, Keccak, Blake), stream ciphers (Salsa20, ChaCha, FLIP).
Between the two: "crypto dark matter".

Exploring crypto dark matter
Objectives: study the simplest unexplored areas of cryptography, i.e. new simple assumptions such that:
- Validity ⇒ efficient, simple constructions suitable for advanced cryptographic applications (MPC, FHE, ...)
- Invalidity ⇒ positive results in other domains
- Either way, a better understanding of the boundaries of cryptographic hardness
Examples: Goldreich's PRG [Gol01]; candidate low-complexity PRFs [MV12, ABGKR14].

Our focus: (weak) pseudorandom functions
- Deterministic keyed function $F_k : X \to Y$ (e.g., $X = \{0,1\}^n$), efficiently computable
- Indistinguishable from a truly random function $f : X \to Y$ as long as the key is secret: given oracle access, $F_k(\cdot) \approx_c f(\cdot)$
- Weak PRF: security is only guaranteed when the inputs $x$ are uniformly random, i.e. $(x, F_k(x)) \approx_c (x, f(x))$ for random $x$
- PRFs are widely used as a building block for symmetric encryption, authentication, ...
Symmetric encryption from a weak PRF:
- $\mathrm{Enc}(k, m)$: sample $r \xleftarrow{\$} X$, set $c \leftarrow m + F_k(r)$, output $(r, c)$
- $\mathrm{Dec}(k, (r, c))$: $m \leftarrow c - F_k(r)$

Existing PRF candidates
Theory-driven:
- [GGM84]: one-way functions ⇒ length-doubling PRG $G : \{0,1\}^n \to \{0,1\}^{2n}$ ⇒ PRF. Illustrated for $F_k : \{0,1\}^2 \to \{0,1\}^n$: write $G(k) = s_0 \| s_1$, $G(s_0) = s_{00} \| s_{01}$, $G(s_1) = s_{10} \| s_{11}$; the leaves $s_{00}, s_{01}, s_{10}, s_{11}$ are the outputs $F_k(00), F_k(01), F_k(10), F_k(11)$
- [NR97]: $F_{g, k_1, k_2, \dots, k_n}(x) := g^{\prod_{i \in [n]} k_i^{x_i}}$
Practice-oriented: DES (1975), AES (1998).

Starting point: hardness from modulus mixing
Define the function $\mathrm{map} : \{0,1\}^n \to \mathbb{Z}_3$, $\mathrm{map}(x) := \sum_{i \in [n]} x_i \pmod 3$ ("mod-3 sum of a binary vector").
$\mathrm{map}$ cannot be approximated by a low-degree polynomial over $\mathbb{Z}_2$ [Raz87, Smo87]. Could this be a source of hardness?

Our weak PRF candidate
$F_{\mathbf{A}}(x) := \mathrm{map}(\mathbf{A} x)$, with PRF key $\mathbf{A} \in \mathbb{Z}_2^{n \times n}$ and input $x \in \mathbb{Z}_2^n$: "secret matrix-vector product over $\mathbb{Z}_2$, sum the resulting values mod 3".
Why 2 and 3 and not some other pair of moduli, and in this order: it gives the best concrete efficiency, and some applications depend on this specific choice.

Extensions and variants
- mod-$p$/mod-$q$ instead of mod-2/mod-3: $x \mapsto \mathbf{A} x \bmod p$, then sum the entries mod $q$
- multiple output symbols: replace the all-ones vector $(1, 1, \dots, 1)$ that computes the mod-$q$ sum by a matrix $\mathbf{B}$ over $\mathbb{Z}_q$
- compact keys: use structured matrices (e.g., circulant or Toeplitz matrix)

This talk
Focus on the basic mod-2/mod-3 candidate $F_{\mathbf{A}}(x) := \mathrm{map}(\mathbf{A} x)$: "secret matrix-vector product over $\mathbb{Z}_2$, sum the resulting values mod 3".
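
As an added, runnable illustration of the basic candidate and of the weak-PRF encryption scheme from the earlier slide (example code written for this page, not code from the paper's authors), the following Python implements $\mathrm{map}$, $F_{\mathbf{A}}$ and the per-symbol Enc/Dec over $\mathbb{Z}_3$. The parameter $n$, the random key matrix and the sample message are constructed here; the code makes no claim about concrete security parameters.

```python
import secrets

def keygen(n):
    """Uniform key matrix A in Z_2^{n x n}, stored as a list of row bit-vectors."""
    return [[secrets.randbelow(2) for _ in range(n)] for _ in range(n)]

def map3(bits):
    """map(x) = sum_i x_i mod 3: the mod-3 sum of a binary vector."""
    return sum(bits) % 3

def prf(A, x):
    """F_A(x) = map(A x): matrix-vector product over Z_2, then the mod-3 sum."""
    Ax = [sum(a * b for a, b in zip(row, x)) % 2 for row in A]
    return map3(Ax)

def random_input(n):
    """A weak PRF is only assumed secure on uniformly random inputs, so every
    evaluation below is on a fresh random x, never on attacker-chosen inputs."""
    return [secrets.randbelow(2) for _ in range(n)]

def encrypt(A, message):
    """Enc(k, m): for each symbol m_j in Z_3, sample r_j at random and output
    (r_j, m_j + F_A(r_j) mod 3).  This is the slide's construction applied
    symbol by symbol, since the basic candidate outputs one element of Z_3."""
    n = len(A)
    ct = []
    for m in message:
        r = random_input(n)
        ct.append((r, (m + prf(A, r)) % 3))
    return ct

def decrypt(A, ct):
    """Dec(k, (r, c)): m = c - F_A(r) mod 3."""
    return [(c - prf(A, r)) % 3 for r, c in ct]

def roundtrip(n=16, message=(0, 1, 2, 2, 1, 0)):
    """Constructed sample: encrypt a short ternary message and decrypt it again."""
    A = keygen(n)
    return decrypt(A, encrypt(A, list(message))) == list(message)

if __name__ == "__main__":
    A = keygen(8)
    x = random_input(8)
    print("F_A(x) =", prf(A, x))
    print("round-trip ok:", roundtrip())
```

Each ciphertext symbol carries its own fresh $r$, which is exactly what the weak-PRF security notion requires; reusing $r$ across symbols, or letting the sender choose $r$, would step outside the weak-PRF guarantee.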

Conjectures
$F_{\mathbf{A}}(x) := \mathrm{map}(\mathbf{A} x)$ where $\mathbf{A} \in \mathbb{Z}_2^{n \times n}$: "secret matrix-vector product over $\mathbb{Z}_2$, sum the resulting values mod 3".
Conjecture (informal): the above function family is a weak PRF family.
- Basic conjecture: the advantage of any $\mathrm{poly}(\lambda)$-time adversary is $\mathrm{negl}(\lambda)$ when $n = \mathrm{poly}(\lambda)$
- Stronger conjecture (exponential hardness): the advantage of $2^{\lambda}$-time distinguishers is $2^{-\Omega(\lambda)}$ when $n = O(\lambda)$

Rationales for security 1/2
$F_{\mathbf{A}}(x) := \mathrm{map}(\mathbf{A} x)$ where $\mathbf{A} \in \mathbb{Z}_2^{n \times n}$: "secret matrix-vector product over $\mathbb{Z}_2$, sum the resulting values mod 3".
- Cannot be approximated by low-degree polynomials: the mod-2 computation has high degree over $\mathbb{Z}_3$, and the mod-3 computation has high degree over $\mathbb{Z}_2$ ⇒ high degree over both $\mathbb{Z}_2$ and $\mathbb{Z}_3$
- BKW-type attacks on LPN rely on constructing new samples by taking linear combinations of existing samples; the $\mathrm{map}$ function is highly non-linear, so linear combinations of samples do not seem to give new samples

PRFs and hardness of learning
Learning algorithm for a class $\mathcal{C}$: black-box access to an unknown function $f \in \mathcal{C}$; objective: predict values of $f$ from known values.
- Learning phase: collect samples $(x, f(x))$
- Prediction phase: given a new $x$, predict/approximate $f(x)$
Theorem: $\mathcal{C}$ is learnable ⇒ there is no PRF in $\mathcal{C}$.
Proof: run the learning algorithm for $\mathcal{C}$ against the oracle; $F_k(\cdot)$ can be predicted from samples $(x, F_k(x))$, whereas a random function cannot, which distinguishes the two.

Rationales for security 2/2
$F_{\mathbf{A}}(x) := \mathrm{map}(\mathbf{A} x)$ where $\mathbf{A} \in \mathbb{Z}_2^{n \times n}$: "secret matrix-vector product over $\mathbb{Z}_2$, sum the resulting values mod 3".
We rule out statistical learning attacks (attacks that find a good approximation of the function in a fixed family by testing a statistical property, e.g., Linial et al. [LMN89]): we prove that the above function family is only negligibly correlated with any fixed function family of size $2^{n/2}$.
We invite further cryptanalysis!

In what ways is it simple?
$F_{\mathbf{A}}(x) := \mathrm{map}(\mathbf{A} x)$ where $\mathbf{A} \in \mathbb{Z}_2^{n \times n}$: "secret matrix-vector product over $\mathbb{Z}_2$, sum the resulting values mod 3".
- Conceptually simple: no mention of groups, S-boxes, ...
- Low-complexity: computable by depth-2 ACC circuits, with $\mathrm{MOD}_p(x) = 1$ if $\sum_i x_i = 0 \bmod p$ and $0$ otherwise: a bottom layer of $\mathrm{MOD}_2$ gates over the inputs $x_1, x_2, x_3, \dots, x_n$ (one per row of $\mathbf{A}$) feeding a single $\mathrm{MOD}_3$ gate
- Computable by width-3 branching programs [Bar85] (specifically for the 2-3 candidate)
How much simpler could it be?

Theoretical implications 1/2
Known results on PRFs in $\mathrm{AC}^0$, $\mathrm{ACC}^0[p]$ and $\mathrm{ACC}^0[m]$, by depth:
- Depth 2: no strong PRFs for broad classes of depth-2 circuits [BV96]; this work: weak PRF (exponential security)
- Depth 3: weak PRF [AR16] (quasi-polynomial security); weak PRF [ABGKR14] (quasi-polynomial security); this work: strong PRF (exponential security)
- Depth > 3: weak PRF [Kha93] (quasi-polynomial security); strong PRF [Vio13] (quasi-polynomial security)
- Attacks: quasi-polynomial attack against weak PRFs in $\mathrm{AC}^0$ [LMN89]; quasi-polynomial attack against strong PRFs in $\mathrm{ACC}^0[p]$ [CIKK16]
Under our conjectures:
- Depth-2 ACC is not PAC-learnable in sub-exponential time under the uniform distribution
- Width-3 BPs are not PAC-learnable in sub-exponential time under the uniform distribution

Connection with sparse polynomial interpolation
$F_{\mathbf{A}}(x) := \mathrm{map}(\mathbf{A} x)$ where $\mathbf{A} \in \mathbb{Z}_2^{n \times n}$: "secret matrix-vector product over $\mathbb{Z}_2$, sum the resulting values mod 3".
Consider the change of variables $y_i := 1 + x_i \pmod 3$, i.e. $0 \mapsto 1$ and $1 \mapsto -1$. Then the $i$-th inner product becomes a monomial:
$\langle \mathbf{A}_i, x \rangle \bmod 2 \;\mapsto\; \prod_{j \in [n]} y_j^{A_{i,j}}$
(the product equals $(-1)^{\langle \mathbf{A}_i, x \rangle}$, and $(-1)^b \equiv 1 + b \pmod 3$ for $b \in \{0,1\}$), so
$F_{\mathbf{A}}(y) := \sum_{i \in [n]} \prod_{j \in [n]} y_j^{A_{i,j}} \pmod 3$
agrees with $\mathrm{map}(\mathbf{A} x)$ up to the public additive constant $n$. This is a sparse multilinear polynomial of degree $n$ over $\mathbb{Z}_3$ with only $n$ non-zero coefficients.

Theoretical implications 2/2
Under our conjectures:
- Sparse multivariate polynomials over $\mathbb{Z}_3$ are hard to interpolate in sub-exponential time given evaluations at random points in $\{-1, 1\}^n$
- It is even hard to test, in sub-exponential time, whether a function can be represented as a sparse multivariate polynomial (property testing)
Known results on interpolation or property testing require making queries over the full domain; not much is known from queries over a subset of the domain only...
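
To make the change of variables of the previous two slides concrete, here is an added Python check (written for this page, not taken from the paper) that evaluates the sparse monomial sum over $\mathbb{Z}_3$ at $y = 1 + x \pmod 3$ and compares it with $\mathrm{map}(\mathbf{A} x)$ plus the constant $n$ on random keys and inputs, which are sampled here.

```python
import secrets

def map_ax(A, x):
    """The candidate weak PRF: map(A x) = (sum over rows of <A_i, x> mod 2) mod 3."""
    return sum(sum(a * b for a, b in zip(row, x)) % 2 for row in A) % 3

def change_of_variables(x):
    """y_i := 1 + x_i mod 3, i.e. 0 -> 1 and 1 -> 2 = -1 in Z_3."""
    return [(1 + xi) % 3 for xi in x]

def sparse_poly(A, y):
    """sum_i prod_j y_j^{A_ij} mod 3: one monomial per row of A, hence only n terms."""
    total = 0
    for row in A:
        mono = 1
        for a, yj in zip(row, y):
            if a:  # A_ij in {0,1}, so y_j^{A_ij} is either y_j or 1
                mono = (mono * yj) % 3
        total = (total + mono) % 3
    return total

def identity_holds(A, x):
    """sparse_poly(A, y) == n + map(A x) (mod 3) for y = change_of_variables(x):
    each monomial is (-1)^{<A_i,x>} = 1 + (<A_i,x> mod 2) in Z_3, and summing the
    constant 1 over the n rows contributes the public offset n."""
    n = len(A)
    return sparse_poly(A, change_of_variables(x)) == (n + map_ax(A, x)) % 3

def random_trial(n=12, trials=200):
    """Sample random keys and inputs; True iff the identity held in every trial."""
    for _ in range(trials):
        A = [[secrets.randbelow(2) for _ in range(n)] for _ in range(n)]
        x = [secrets.randbelow(2) for _ in range(n)]
        if not identity_holds(A, x):
            return False
    return True

if __name__ == "__main__":
    print("identity holds on random trials:", random_trial())
```

The point of the check is the attack surface it exposes: a learner that could interpolate an $n$-sparse polynomial over $\mathbb{Z}_3$ from evaluations at random points of $\{-1, 1\}^n$ would recover every monomial, i.e. every row of $\mathbf{A}$, which is why the weak-PRF conjecture implies the interpolation hardness stated above.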

Application to MPC: distributed evaluation
Distributed symmetric searchable encryption (SSE): the secret key is secret-shared across multiple parties.
- Encrypted public database (e.g., movies): "Movie" is encrypted with the key $F_{\mathbf{A}}(H(\text{"Movie"}))$
- The PRF key is shared among three servers: $\mathbf{A} = \mathbf{A}_1 + \mathbf{A}_2 + \mathbf{A}_3 \pmod m$
- The client splits its query $x = x_1 + x_2 + x_3 \pmod m$, sends $x_i$ to server $i$, and receives $y_i$ such that $F_{\mathbf{A}}(x) = y_1 + y_2 + y_3 \pmod m$
- The client can pay the servers to get a movie; client and servers learn nothing about $\mathbf{A}$; the servers do not learn which movie the client wants
In typical MPC protocols, costs (e.g., communication or round complexity) scale with the number of non-linear operations.

3-party secret-sharing based MPC [AFLNO16]
Additive sharings $a = a_1 + a_2 + a_3$ and $x = x_1 + x_2 + x_3$; server $i$ holds $(a_i, x_i)$.
- Servers want shares of $\lambda \cdot a + \mu \cdot x$ ⇒ easy, no interaction needed
- Servers want shares of $a x$? $a x = (a_1 + a_2 + a_3)(x_1 + x_2 + x_3)$, but server $i$ can only compute $a_i x_i$: all the cross-terms are missing. Need interaction?
- Idea: give 2 shares to each server (server $i$ also holds $a_{i+1}, x_{i+1}$). Each server can then produce 4 out of the 9 terms ⇒ 1 multiplication without interaction. Interaction is needed before a second multiplication, since each server must again obtain 2-out-of-3 shares of the product.
Overall cost:
- Linear operations are free
- 1 round of interaction per multiplication
- Communication per multiplication = |output|
For $F_{\mathbf{A}}(x) := \mathrm{map}(\mathbf{A} x)$ with $\mathbf{A} \in \mathbb{Z}_2^{n \times n}$, only the modulus switching is non-linear, and it can be implemented with only 2 multiplications!
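
An added Python simulation (written for this page; not the paper's protocol or code) of the 2-out-of-3 replicated sharing sketched above, used to evaluate $F_{\mathbf{A}}(x)$ on secret-shared $\mathbf{A}$ and $x$. Assumptions specific to this example: a dealer samples the zero-sharings that [AFLNO16] derive from pairwise-shared PRF keys; the mod-2 to mod-3 switch uses the identity $u \oplus v = u + v + uv \pmod 3$ for bits $u, v$ (two sequential multiplications per output bit, all bits in parallel); and the simulation counts its own rounds, which need not match the optimized protocol behind the table on the next slide.

```python
import secrets

def zero_sharing(mod):
    """(alpha_0, alpha_1, alpha_2) with alpha_0 + alpha_1 + alpha_2 = 0 mod `mod`.
    Assumption of the simulation: a dealer samples these correlated values."""
    a0, a1 = secrets.randbelow(mod), secrets.randbelow(mod)
    return [a0, a1, (-a0 - a1) % mod]

def share(v, mod):
    """Replicated 2-out-of-3 sharing of v: shares s with sum v; party i holds (s_i, s_{i+1})."""
    s = zero_sharing(mod)
    s[0] = (s[0] + v) % mod
    return [(s[i], s[(i + 1) % 3]) for i in range(3)]

def reconstruct(rep, mod):
    """Sum the three distinct shares (the first component held by each party)."""
    return sum(p[0] for p in rep) % mod

def add(r1, r2, mod):
    """Linear operations are free: every party adds its own two shares locally."""
    return [((a0 + b0) % mod, (a1 + b1) % mod) for (a0, a1), (b0, b1) in zip(r1, r2)]

def local_products(r1, r2, mod):
    """Party i sees a_i, a_{i+1}, x_i, x_{i+1}; it could form 4 products but keeps
    a_i x_i + a_i x_{i+1} + a_{i+1} x_i so that the three parties together cover the
    9 terms of (a_1+a_2+a_3)(x_1+x_2+x_3) exactly once: a plain additive sharing of a*x."""
    return [(a0 * b0 + a0 * b1 + a1 * b0) % mod for (a0, a1), (b0, b1) in zip(r1, r2)]

def reshare(t, mod):
    """The one round of interaction per multiplication: party i masks its additive
    share t_i with a zero-share and sends the result to party i-1, after which every
    party again holds two of the three shares.  One element per party = |output|."""
    alpha = zero_sharing(mod)
    s = [(t[i] + alpha[i]) % mod for i in range(3)]
    return [(s[i], s[(i + 1) % 3]) for i in range(3)]

def lift_share(rep2, k):
    """Z_3 replicated sharing of the single Z_2 share s_k (a bit), with no interaction:
    s_k is already known to exactly the two parties (k and k-1) that must hold it."""
    s = [0, 0, 0]
    s[k] = rep2[k][0]
    return [(s[i], s[(i + 1) % 3]) for i in range(3)]

def xor_mod3(u, v):
    """For bits u, v: u XOR v = u + v - 2uv = u + v + uv over Z_3 (one multiplication)."""
    return add(add(u, v, 3), reshare(local_products(u, v, 3), 3), 3)

def distributed_prf(A_sh, x_sh, n):
    """Evaluate F_A(x) = map(A x) on shared A (entries A_sh[i][j]) and x (x_sh[j]).
    Returns (replicated Z_3 sharing of the output, number of interaction rounds)."""
    rounds = 0
    # Round 1: every row <A_i, x> over Z_2; products are summed locally, one reshare per row.
    b = []
    for i in range(n):
        t = [0, 0, 0]
        for j in range(n):
            pj = local_products(A_sh[i][j], x_sh[j], 2)
            t = [(t[p] + pj[p]) % 2 for p in range(3)]
        b.append(reshare(t, 2))
    rounds += 1
    # Rounds 2-3: switch each shared bit from Z_2 to Z_3 via b = s_0 XOR s_1 XOR s_2.
    u = [xor_mod3(lift_share(r, 0), lift_share(r, 1)) for r in b]
    rounds += 1
    bits3 = [xor_mod3(u[i], lift_share(b[i], 2)) for i in range(n)]
    rounds += 1
    # map: the mod-3 sum of the n bits is linear and therefore free.
    out = share(0, 3)
    for r in bits3:
        out = add(out, r, 3)
    return out, rounds

def prf_direct(A, x):
    """Reference evaluation in the clear, for comparison."""
    return sum(sum(a * b for a, b in zip(row, x)) % 2 for row in A) % 3

def simulate(n=6, trials=10):
    """Constructed sample runs: random key and input, shared and evaluated jointly;
    True iff the reconstructed result matches the direct evaluation every time."""
    for _ in range(trials):
        A = [[secrets.randbelow(2) for _ in range(n)] for _ in range(n)]
        x = [secrets.randbelow(2) for _ in range(n)]
        A_sh = [[share(A[i][j], 2) for j in range(n)] for i in range(n)]
        x_sh = [share(xj, 2) for xj in x]
        out, _ = distributed_prf(A_sh, x_sh, n)
        if reconstruct(out, 3) != prf_direct(A, x):
            return False
    return True
```

The only places any party sends anything are the `reshare` calls, one element per party each, which is the "communication per multiplication = |output|" figure; everything else, including the final mod-3 sum, is local arithmetic on the two shares each party holds.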

Distributed evaluation in the 3-server setting (complexity for output size 128)
Scheme              Round complexity   Communication complexity (in kb)
AES                 40                 16
LowMC (min-depth)   14                 7.9
LowMC (min-gates)   252                2.3
Rasta (min-depth)   2                  2.6 · 10^7
Rasta (min-gates)   6                  6.3
Our candidate       2                  3.8

2-server protocol in the preprocessing model
We propose a 2-server protocol for distributed evaluation in the preprocessing model:
- The 2 servers share common randomness
- Non-interactive, input-independent preprocessing
Our protocol is based on oblivious transfer (OT) and oblivious affine function evaluation (OAFE) in the preprocessing model.

Distributed evaluation in the 2-server setting (complexity for output size 128)
Scheme          Round complexity   Online communication (in kb)   Preprocessing size (in kb)
Yao + AES       2                  65.8                           1491.2
Yao + LowMC     2                  65.8                           292.1
Our candidate   4                  2.6                            3.5

From weak PRF to strong PRF
$F_{\mathbf{A}}(x) := \mathrm{map}(\mathbf{A} x)$ where $\mathbf{A} \in \mathbb{Z}_2^{n \times n}$ is not a strong PRF! (At least) 2 attacks against strong PRF security:
- Non-adaptive attack based on the representation as a sparse $n$-variate polynomial
- Adaptive attack based on the representation as a finite automaton with multiplicity [BV94]
Known attacks require close inputs (in Hamming distance)... Idea: require inputs to be pairwise far.

Encoded-input PRFs
A pair $(E, F)$ such that $F' = F \circ E$ is a strong PRF, i.e. $F'_k(x) = F_k(E(x))$, where $E$ is a public keyless encoding and $F$ is a strong PRF only on the fixed sparse subset $E(X)$ of its domain (it need not be a strong PRF on the whole domain $X$).
"Pushing the complexity of the PRF back into the public encoding $E$, while leaving security in the simple evaluation of $F$."

Applications of EI-PRFs
$(E, F)$ such that $F' = F \circ E$ is a strong PRF, $F'_k(x) = F_k(E(x))$.
For applications, we can provide $E(x)$ directly together with a proof that it is a valid encoding... This is easy to verify with a depth-2 circuit ⇒ only the complexity of $F$ really matters.
Symmetric encryption from an EI-PRF (compare the weak-PRF scheme, where $r \xleftarrow{\$} X$):
- $\mathrm{Enc}(k, m)$: sample $x \leftarrow X$, set $r \leftarrow E(x)$ and $c \leftarrow m + F_k(r)$, output $(r, c)$
- $\mathrm{Dec}(k, (r, c))$: $m \leftarrow c - F_k(r)$
Assuming $F$ has low depth, we obtain:
- Symmetric encryption with low-depth decryption
- MAC with low-depth verification
- CCA-secure symmetric encryption with low-depth decryption

EI-PRFs from our candidate
Take $\mathbf{G}$ to be a linear code over $\mathbb{Z}_3$. An input $z \in \{0,1\}^n$ is encoded as $\mathrm{Bin}(\mathbf{G} z) \in \{0,1\}^m$, so that distinct inputs give pairwise far encodings, and the weak PRF $\mathrm{map}(\mathbf{A} x)$ is applied to $x = \mathrm{Bin}(\mathbf{G} z)$.
We are just mixing moduli again: a mod-3/mod-2/mod-3 computation.

Depth-3 ACC strong PRF candidate
$F_{\mathbf{A}}(x) := \mathrm{map}(\mathbf{A} \cdot \mathrm{BinDec}(\mathbf{G} x))$ with secret linear mapping $\mathbf{A} \in \mathbb{Z}_2^{m \times m}$ and public encoding procedure $\mathbf{G} \in \mathbb{Z}_3^{m \times n}$.
Conjecture: this is a strong PRF (with plausible exponential security).
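
An added Python implementation of this encode-then-evaluate composition (example code for this page, not the paper's), together with two checks that motivate its shape: encodings of distinct inputs are far apart in Hamming distance, and replacing the $\mathbb{Z}_3$ code by a $\mathbb{Z}_2$ code collapses the whole thing back into the weak-PRF form $\mathrm{map}((\mathbf{A}\mathbf{G}) z)$. The example decomposes each $\mathbb{Z}_3$ symbol into two bits, so its $\mathbf{A}$ has $2m$ columns; the slide writes $\mathbf{A}$ as $m \times m$ and does not spell out the decomposition, so that dimension, and the use of a random $\mathbf{G}$ rather than a specific good code, are assumptions of the example.

```python
import secrets
from itertools import product

def rand_matrix(rows, cols, mod):
    return [[secrets.randbelow(mod) for _ in range(cols)] for _ in range(rows)]

def matvec(M, v, mod):
    return [sum(a * b for a, b in zip(row, v)) % mod for row in M]

def map3(bits):
    return sum(bits) % 3

def bin_dec(trits):
    """BinDec: each Z_3 symbol t becomes the two bits of its value (0->00, 1->01, 2->10)."""
    out = []
    for t in trits:
        out.extend([t >> 1, t & 1])
    return out

def encode(G, z):
    """Public keyless encoding E(z) = BinDec(G z) with G over Z_3; the output has 2m bits."""
    return bin_dec(matvec(G, z, 3))

def strong_prf(A, G, z):
    """F_A(z) = map(A . BinDec(G z)): mod-3 encoding, mod-2 secret linear map, mod-3 sum."""
    return map3(matvec(A, encode(G, z), 2))

def hamming(u, v):
    return sum(a != b for a, b in zip(u, v))

def min_encoding_distance(G, n):
    """Exhaustively compare the encodings of all 2^n inputs (n is small here).
    A good Z_3 code keeps distinct encodings pairwise far, denying the attacks on the
    plain weak PRF the close inputs they need."""
    codes = [encode(G, list(z)) for z in product((0, 1), repeat=n)]
    return min(hamming(codes[i], codes[j])
               for i in range(len(codes)) for j in range(i + 1, len(codes)))

def collapses_over_z2(A, G2, z):
    """With a code over Z_2 instead, A (G2 z) = (A G2) z over Z_2, so the encoded PRF
    is just the plain candidate with key A G2; return whether the two agree."""
    AG = [[sum(A[i][k] * G2[k][j] for k in range(len(G2))) % 2
           for j in range(len(G2[0]))] for i in range(len(A))]
    return map3(matvec(A, matvec(G2, z, 2), 2)) == map3(matvec(AG, z, 2))

def demo(n=6, m=8):
    """Constructed sample: random public G over Z_3, random secret A over Z_2."""
    G = rand_matrix(m, n, 3)
    A = rand_matrix(m, 2 * m, 2)
    z = [secrets.randbelow(2) for _ in range(n)]
    G2 = rand_matrix(m, n, 2)
    A2 = rand_matrix(m, m, 2)
    return strong_prf(A, G, z), min_encoding_distance(G, n), collapses_over_z2(A2, G2, z)
```

The `collapses_over_z2` check is the backup slide's point in executable form: a $\mathbb{Z}_2$ code commutes with the secret matrix, while the $\mathbb{Z}_3$ code followed by binary decomposition is not linear over $\mathbb{Z}_2$, so nothing comparable can be folded into $\mathbf{A}$.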

Asymptotically-optimal strong PRFs
Do there exist strong PRFs with exponential security that can be computed by a linear-size circuit?
Take $F_{\mathbf{A}}(x) := \mathrm{map}(\mathbf{A} \cdot \mathrm{BinDec}(\mathbf{G} x))$ with $\mathbf{A}$ and $\mathbf{G}$ generator matrices of linear-time encodable codes (over $\mathbb{Z}_2$ and $\mathbb{Z}_3$ respectively) [IKOS08, DI14] ⇒ the resulting construction is linear-time computable.

An alternative candidate weak PRF
For $\mathbf{k}, \mathbf{x} \in \{0,1\}^n$:
$F_{\mathbf{k}}(\mathbf{x}) = \big( (\langle \mathbf{k}, \mathbf{x} \rangle \bmod 2) + (\langle \mathbf{k}, \mathbf{x} \rangle \bmod 3) \big) \bmod 2 = 1$ if $\langle \mathbf{k}, \mathbf{x} \rangle \bmod 6 \in \{3, 4, 5\}$, and $0$ otherwise.
This is almost Learning With Rounding (LWR). Surprisingly, known efficient attacks against LWR with constant prime moduli seem to fail with a composite modulus... Need further cryptanalysis!

Conclusion
Modulus mixing is a relatively unexplored source of hardness:
- Enables simple cryptographic primitives: first candidate depth-2 weak PRF and depth-3 strong PRF
- Useful for efficient MPC
- Natural connections to complexity theory, learning theory, mathematics, ...
Much more to explore:
- Further cryptanalysis
- Other primitives: MPC-friendly primitives give natural candidates for post-quantum signatures [IKOS07]
- More crypto dark matter

Thank you!


How do we design cryptographic primitives?
Theory-driven: introduce hardness assumptions (e.g., RSA, discrete log, LWE, factoring, ...) and reduce the security of constructions to breaking them.
+ Easy to analyze: "$n$ primitives ↔ 1 assumption"
- Concrete efficiency is often limited by the structure of the assumption (e.g., algebraic PRFs vs. AES), and the algebraic structure can be exploited in attacks; non-trivial attacks often exist (e.g., sub-exponential attacks, quantum attacks)
Practice-oriented: build efficient specific primitives (e.g., block ciphers, hash functions, ...) with a focus on concrete efficiency; security rests on heuristics, experience and cryptanalysis.
+ Efficient
- Designs are often complex and hard to analyze: "$n$ primitives ↔ $n$ assumptions"; typically tailored to one type of application


Not a strong PRF
$F_{\mathbf{A}}(x) := \mathrm{map}(\mathbf{A} x)$ where $\mathbf{A} \in \mathbb{Z}_2^{n \times n}$: "secret matrix-vector product over $\mathbb{Z}_2$, sum the resulting values mod 3".
Conjecture (informal): the above function family is a weak PRF family.
It is not a strong PRF: a non-adaptive attack (non-adaptive = fixed set of queries) can be mounted by representing the computation as the evaluation of a sparse polynomial.

Rationales for security 1/2
$F_{\mathbf{A}}(x) := \mathrm{map}(\mathbf{A} x)$ where $\mathbf{A} \in \mathbb{Z}_2^{n \times n}$: "secret matrix-vector product over $\mathbb{Z}_2$, sum the resulting values mod 3".
- $F_{\mathbf{A}}$ is hard to approximate: it cannot be approximated by a low-degree polynomial [Raz87, Smo87]
- Conjecture: $F_{\mathbf{A}}$ cannot be approximated by a low-degree rational function either

Rationales for security 2/2
- $F_{\mathbf{A}}$ is hard to learn: it is only negligibly correlated with any fixed function family of size $2^{n/2}$ ⇒ rules out LMN-style algorithms
- $F_{\mathbf{A}}$ is highly non-linear: it seems hard to create new samples by taking linear combinations of existing samples ⇒ BKW-style attacks seem irrelevant
We invite further cryptanalysis!

Encoded-input PRFs
Encoded-input PRF: a function whose behaviour is pseudorandom on a sparse subset of its domain. $(F, E)$ is an encoded-input PRF if $F'(k, x) := F(k, E(x))$ is a strong PRF.
- Advantage: checking that an input is properly encoded is simple (depth-2 circuit); this is useful for many applications
- Implication: if $F$ can be computed by a low-depth circuit, then checking that an input is properly encoded plus computing $F$ is also low-depth (even if $E$ is complex!)
- Given an EI-PRF with low-depth $F$: symmetric encryption with low-depth decryption; MACs with low-depth verification; CCA-secure symmetric encryption with low-depth decryption
- A way to bypass impossibility results for weak/strong PRFs (e.g., one can have an EI-PRF in a complexity class where weak/strong PRFs do not exist)
Concrete proposal: take the encoding function to be the encoding algorithm of a linear error-correcting code. For $x \in \mathbb{Z}_2^n$, the encoding is done using a linear ECC over $\mathbb{Z}_3$ followed by binary decomposition, giving $x' = E(x) \in \mathbb{Z}_2^{n'}$, and the output is $\mathrm{map}(\mathbf{A} x')$.
It is important to take the ECC over $\mathbb{Z}_3$ and not $\mathbb{Z}_2$: otherwise the encoding and the multiplication by the secret key $\mathbf{A}$ could be combined into a single linear map (this again relies on modulus mixing!).

Encoded-input PRFs and strong PRFs
$F_{\mathbf{A}}(x) := \mathrm{map}(\mathbf{A} \cdot \mathrm{BinaryDec}(\mathbf{G} x))$ for $x \in \{0,1\}^n$, with secret linear mapping $\mathbf{A} \in \mathbb{Z}_2^{m \times m}$ and public encoding procedure $\mathbf{G} \in \mathbb{Z}_3^{m \times n}$.
Conjecture: $F_{\mathbf{A}}$ is a strong PRF (when considering the composition of the encoding with the weak PRF).
First candidate strong PRF in depth-3 $\mathrm{ACC}^0$ (and it even has plausible exponential security).

Asymptotically-optimal strong PRFs
Do there exist strong PRFs with exponential security that can be computed by linear-size circuits?
- Instantiate $\mathbf{A}$ and $\mathbf{G}$ with linear-time encodable codes (e.g., the IKOS / Druk-Ishai family)
- The resulting construction can be implemented by a linear-size $\mathrm{ACC}^0$ circuit
- Gives a new natural-proof barrier (Razborov-Rudich style) against proving super-linear circuit lower bounds