Functional Signatures and Pseudorandom Functions

Boyle, Elette; Goldwasser, Shafi; Ivan, Ioana

doi:10.1007/978-3-642-54631-0_29

Cited by 267 publications

(172 citation statements)

References 27 publications

Supporting

Mentioning

167

Contrasting

Order By: Relevance

“…Concurrently with this paper, similar notions to constrained PRFs were recently proposed by Kiayias et al [24] where they were called delegatable PRFs and Boyle et al [9] where they were called functional PRFs. Both papers give constructions for prefix constraints discussed in Section 3.3.…”

Section: Introductionmentioning

confidence: 63%

See 1 more Smart Citation

Constrained Pseudorandom Functions and Their Applications

Boneh

Waters²

2013

Lecture Notes in Computer Science

281

211

View full text Add to dashboard Cite

Abstract. We put forward a new notion of pseudorandom functions (PRFs) we call constrained PRFs. In a standard PRF there is a master key k that enables one to evaluate the function at all points in the domain of the function. In a constrained PRF it is possible to derive constrained keys ks from the master key k. A constrained key ks enables the evaluation of the PRF at a certain subset S of the domain and nowhere else. We present a formal framework for this concept and show that constrained PRFs can be used to construct powerful primitives such as identity-based key exchange and a broadcast encryption system with optimal ciphertext size. We then construct constrained PRFs for several natural set systems needed for these applications. We conclude with several open problems relating to this new concept.

show abstract

Section: Introductionmentioning

confidence: 63%

“…Both papers give constructions for prefix constraints discussed in Section 3.3. A related concept applied to digital signatures was explored by Bellare and Fuchsbauer [1] where it was called policy-based signatures and by Boyle et al [9] where it was called functional signatures.…”

Section: Introductionmentioning

confidence: 99%

Constrained Pseudorandom Functions and Their Applications

Boneh

Waters²

2013

Lecture Notes in Computer Science

281

211

View full text Add to dashboard Cite

show abstract

“…In order to achieve CRIND-security of MI-FE (as defined in Section 2.1), we make use of the following ideas inspired by the construction of fully IND-Secure FE of Boyle et al [14]. We assume a functional signature scheme FS [21]. Namely, our encryption procedure takes as input the first input m 1 and produces an obfuscation of a machine that has embedded m 1 and takes as input a second message m 2 and a functional signature for some function f and (1) verifies the signature and (2) outputs f (m 1 , m 2 ).…”

Section: Constructions Of Crind-secure Mi-fe From Eomentioning

confidence: 99%

Simulation-Based Secure Functional Encryption in the Random Oracle Model

Iovino

Żebroski

2015

Progress in Cryptology -- LATINCRYPT 2015

View full text Add to dashboard Cite

Abstract. One of the main lines of research in functional encryption (FE) has consisted in studying the security notions for FE and their achievability. This study was initiated by where it was first shown that for FE the indistinguishabilitybased (IND) security notion is not sufficient in the sense that there are FE schemes that are provably IND-Secure but concretely insecure. For this reason, researchers investigated the achievability of Simulation-based (SIM) security, a stronger notion of security. Unfortunately, the abovementioned works and others [e.g., Agrawal et al. -CRYPTO'13] have shown strong impossibility results for SIM-Security. One way to overcome these impossibility results was first suggested in the work of Boneh et al. where it was shown how to construct, in the Random Oracle (RO) model, SIM-Secure FE for restricted functionalities and was asked the generalization to more complex functionalities as a challenging problem in the area. Subsequently, proposed a candidate construction of SIM-Secure FE for all circuits in the RO model assuming the existence of an IND-Secure FE scheme for circuits with RO gates. To our knowledge there are no proposed candidate IND-Secure FE schemes for circuits with RO gates and they seem unlikely to exist. We propose the first constructions of SIM-Secure FE schemes in the RO model that overcome the current impossibility results in different settings. We can do that because we resort to the two following models:-In the public-key setting we assume a bound on the number of queries but this bound only affects the running-times of our encryption and decryption procedures. We stress that our FE schemes in this model are SIM-Secure and have ciphertexts and tokens of constantsize, whereas in the standard model, the current SIM-Secure FE schemes for general functionalities [De Caro et al., have ciphertexts and tokens of size growing as the number of queries. -In the symmetric-key setting we assume a timestamp on both ciphertexts and tokens. In this model, we provide FE schemes with short ciphertexts and tokens that are SIM-Secure against adversaries asking an unbounded number of queries. Both results also assume the RO model, but not functionalities with RO gates and rely on extractability obfuscation (and other standard primitives) secure only in the standard model.

show abstract

“…All prior works [BW13,BGI14,KPTZ13] only show selective security of the GGM constrained PRF, and [BW13] also only give a selective-security proof for their bit-fixing constrained PRF. In this paper we investigate the full security of these two constructions.…”

Section: Our Contributionsmentioning

confidence: 99%

“…All three papers [BW13,BGI14,KPTZ13] show that the classical GGM construction [GGM86] of the PRF GGM : {0, 1} λ × {0, 1} N → {0, 1} λ from a length-doubling pseudorandom generator (PRG) G : {0, 1} λ → {0, 1} 2λ directly yields a constrained PRF, where for any key K and input prefix z ∈ {0, 1} ≤N , one can generate a constrained key K z that allows to evaluate GGM(K, x) for any x with prefix z. This simple constrained PRF has found many applications; apart from those discussed in [BW13,BGI14,KPTZ13], it can be used to construct so-called "punctured" PRFs, which are a key ingredient in almost all the recent proofs of indistinguishability obfuscation [SW14,BCPR13,HSW14].…”

Section: Introductionmentioning

confidence: 99%

Adaptive Security of Constrained PRFs

Fuchsbauer

Konstantinov²,

Pietrzak

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Constrained pseudorandom functions have recently been introduced independently by Boneh and Waters (Asiacrypt'13), Kiayias et al. (CCS'13), and Boyle et al. (PKC'14). In a standard pseudorandom function (PRF) a key K is used to evaluate the PRF on all inputs in the domain. Constrained PRFs additionally offer the functionality to delegate "constrained" keys KS which allow to evaluate the PRF only on a subset S of the domain. The three above-mentioned papers all show that the classical GGM construction (J.ACM'86) of a PRF from a pseudorandom generator (PRG) directly yields a constrained PRF where one can compute constrained keys to evaluate the PRF on all inputs with a given prefix. This constrained PRF has already found many interesting applications. Unfortunately, the existing security proofs only show selective security (by a reduction to the security of the underlying PRG). To achieve full security, one has to use complexity leveraging, which loses an exponential factor 2 N in security, where N is the input length. The first contribution of this paper is a new reduction that only loses a quasipolynomial factor q log N , where q is the number of adversarial queries. For this we develop a new proof technique which constructs a distinguisher by interleaving simple guessing steps and hybrid arguments a small number of times. This approach might be of interest also in other contexts where currently the only technique to achieve full security is complexity leveraging. Our second contribution is concerned with another constrained PRF, due to Boneh and Waters, which allows for constrained keys for the more general class of bit-fixing functions. Their security proof also suffers from a 2 N loss, which we show is inherent. We construct a meta-reduction which shows that any "simple" reduction of full security from a non-interactive hardness assumption must incur an exponential security loss.

show abstract

Functional Signatures and Pseudorandom Functions

Cited by 267 publications

References 27 publications

Constrained Pseudorandom Functions and Their Applications

Constrained Pseudorandom Functions and Their Applications

Simulation-Based Secure Functional Encryption in the Random Oracle Model

Adaptive Security of Constrained PRFs

Contact Info

Product

Resources

About