Constructing Verifiable Random Functions for Large Input Spaces Brent Waters Susan Hohenberger

2 Pseudo Random Functions [GGM84] FK(¢)FK(¢) K ? Applications: Sym Key Enc Removing State… Constructions: OWF -- GGM/HILL DDH –NR97

3 Verifiable Random Functions [MRV99] FK(¢)FK(¢) KPK F K (x), ¼ x F K (x’), ¼ x’ …

VRFs  Setup(1 ¸ ) ! K, PK  Evaluate(K, x 2 {0,1} n ) ! F K (x)  Prove(K, x 2 {0,1} n ) ! ¼ x  Verify(PK, (x,y, ¼ ) ) = {T,F} Non-Interactive! Deterministic

5 Security: Pseudorandomness F K (x 1 ) K ? PK x1x1 F K (x 2 )x2x2 F K (x 3 )x3x3 AdvA = Pr[b’=b]-1/2 F K (x * ) or Rx*x* b b’

6 Security: Uniqueness K PK Impossible: Exists (x,y 1, y 2, ¼ 1, ¼ 2 ) 1)y 1  y 2 2)Ver(PK,x,y 1, ¼ 1 ) = T Ver(PK,x,y 2, ¼ 2 ) = T

The Technical Challenge No Interaction No Common Ref. String No Randomness (in output)

Proof by Partitioning Simulator Input Space = {0,1} n Query Space Challenge Space x 1 x 2 … x Q x * (challenge input) Attacker

“All-But-One” Proofs Simulator Input Space = {0,1} n Guess x * ~ (1/2) n Security Loss Short Input Spaces MRV99, DY05 (2 n Time-blowup), ACF09 L02 Interactive Assumption – (Partition Changes) Extend Input: CRHF H:{0,1} * ! {0,1} n (Complexity Leveraging)

Goal: Large Input Space (& Poly Reductions) Input bits =n, Queries = Q ~1/Q fraction Similar to IBE BB04 =>W05

Bilinear Map Overview G : multiplicative of prime order p. Bilinear map e: GG  G T e(g a, g b ) = e(g,g) ab a,bZ p, gG

Construction (Similar to L02, ACF09)  Setup(1 ¸ ) ! K= (u’,u 0,u 1,…,u n ) PK = (g,h, U’=g u’, U 0 = g u 0,…, U n =g u n )  F K (x)= e( g t, h ) t = u’u_0  j=1,…,n u j x j  Prove(K, x 2 {0,1} n ) ¼ =( ¼ 0,…, ¼ n ) ¼ i =g u’z i z i = u’ u 0  j=1,…,i u j x j  Verify(PK, (x,y, ¼ ) ) “Stepping Stone” w/ PK, ¼ i * Changed from Conference Proceedings

Proof Overview: Hidden Programming Input bits =n, Queries = Q ~1/Q fraction k DDHE Assumption: Given: g,h,g a, g a 2,…, g a k-1,, g a k+1, …, g a 2k Distinguish: e(g,h) a k from R “Hole” Use k=4Q(n+1)

Partitioning and Aborts Simulator ID Space Query Space Challenge Space x 1 x 2 … … x Q x * (challenge ID)  Attacker Abort and try again

Proof Sketch (leaving out randomization) Setup: PK = (g,h, U’=g a k, U 0 = g a 4Q(t)+r 0, U j =g a r j ) k=4Q(n+1) DDHE Assumption: Given: g,h,g a, g a 2,…, g a k-1,, g a k+1, …, g a 2k Choose: r 0,…,r n 2 Z p, t 2 [0,n] C(x) = 4Q(1+t)+r 0 + j 2 X r j F K (x) = e(g a C(x),h) Query: C(x)  0 mod 4Q Challenge: C(x) = k

Other Details & Improvements Precise Analysis (Similar to W05) “Artificial Abort” HK08 Slightly tighter proofs BR09  Worse Assumption Here

Comparisons SystemAssumptionSec. LossTime MRV99RSA2 -n ~A+2 N DY052 n DBHI2 -n ~A+2 N ACF09n DBHI2 -n ~A HW104Qn DDHE~(1/Qn)~A * DY05, MRV99 : Short Proofs

Summary & Future  Large Input Spaces  Hidden Compression  Useful: Look for high level similarities  Open: Static Assumptions  New: Hierarchical VRF  Why?  Are we stuck with exponential loss?

19 Thank you