Privately Constraining and Programming PRFs, the LWE Way

Transcription

1 Privately Constraining and Programming PRFs, the LWE Way Chris Peikert Sina Shiehian January 10, 2018 Abstrat Constrained pseudorandom funtions allow for delegating onstrained seret keys that let one ompute the funtion at ertain authorized inputs as speified by a onstraining prediate while keeping the funtion value at unauthorized inputs pseudorandom. In the onstraint-hiding variant, the onstrained key hides the prediate. On top of this, programmable variants allow the delegator to expliitly set the output values yielded by the delegated key for a partiular set of unauthorized inputs. Reent years have seen rapid progress on appliations and onstrutions of these objets for progressively riher onstraint lasses, resulting most reently in onstraint-hiding onstrained PRFs for arbitrary polynomial-time onstraints from Learning With Errors (LWE) [Brakerski, Tsabary, Vaikuntanathan, and Wee, TCC 17], and privately programmable PRFs from indistinguishability obfusation (io) [Boneh, Lewi, and Wu, PKC 17]. In this work we give a unified approah for onstruting both of the above kinds of PRFs from LWE with subexponential exp(n ε ) approximation fators. Our onstrutions follow straightforwardly from a new notion we all a shift-hiding shiftable funtion, whih allows for deriving a key for the sum of the original funtion and any desired hidden shift funtion. In partiular, we obtain the first privately programmable PRFs from non-io assumptions. Computer Siene and Engineering, University of Mihigan. peikert@umih.edu. This material is based upon work supported by the National Siene Foundation under CAREER Award CCF and CNS The views expressed are those of the authors and do not neessarily reflet the offiial poliy or position of the National Siene Foundation or the Sloan Foundation. Computer Siene and Engineering, University of Mihigan. shiayan@umih.edu. 1

2 1 Introdution Sine the introdution of pseudorandom funtions (PRFs) more than thirty years ago by Goldreih, Goldwasser, and Miali [GGM84], many variants of this fundamental primitive have been proposed. For example, onstrained PRFs (also known as delegatable or funtional PRFs) [KPTZ13, BW13, BGI14] allow issuing onstrained keys whih an be used to evaluate the PRF on an authorized subset of the domain, while preserving the pseudorandomness of the PRF values on the remaining unauthorized inputs. Assuming the existene of one-way funtions, onstrained PRFs were first onstruted for the lass of prefix-fixing onstraints, i.e., the onstrained key allows evaluating the PRF on inputs whih start with a speified bit string [KPTZ13, BW13, BGI14]. Subsequently, by building on a sequene of works [BPR12, BLMR13, BP14] that gave PRFs from the Learning With Errors (LWE) problem [Reg05], Brakerski and Vaikuntanathan [BV15] onstruted onstrained PRFs where the set of authorized inputs an be speified by an arbitrary polynomial-time prediate, although for a weaker seurity notion that allows the attaker to obtain only a single onstrained key and funtion value. In the original notion of onstrained PRF, the onstrained key may reveal the onstraint itself. Boneh, Lewi, and Wu [BLW17] proposed a stronger variant in whih the onstraint is hidden, alling them privately onstrained PRFs also known as onstraint-hiding onstrained PRFs (CHC-PRFs) and gave several ompelling appliations, like searhable symmetri enryption, watermarking PRFs, and funtion seret sharing [BGI15]. They also onstruted CHC-PRFs for arbitrary polynomial-time onstraining funtions under the strong assumption that indistinguishability obfusation (io) exists [BGI + 01, GGH + 13]. Soon after, CHC-PRFs for various onstraint lasses were onstruted from more standard LWE assumptions: Boneh, Kim, and Montgomery [BKM17] onstruted them for the lass of point-funtion onstraints (i.e., all but one input is authorized). Thorough a different approah, Canetti and Chen [CC17] onstruted them for onstraints in NC 1, i.e., polynomial-size formulas. Most reently, Brakerski, Tsabary, Vaikuntanathan, and Wee [BTVW17] improved on the onstrution from [BKM17] to support arbitrary polynomial-size onstraints. All these onstrutions have a somewhat weaker seurity guarantee ompared to the io-based onstrution of [BLW17], namely, the adversary gets just one onstrained key (but an unbounded number of funtion values), whereas in [BLW17] it an get unboundedly many onstrained keys. Indeed, this restrition reflets a fundamental barrier: CHC-PRFs that are seure for even two onstrained keys (for arbitrary onstraining funtions) imply io [CC17]. Boneh et al. [BLW17] also defined and onstruted what they all privately programmable PRFs (PP- PRFs), whih are CHC-PRFs for the lass of point funtions along with an additional programmability property: when deriving a onstrained key, one an speify the outputs the key yields at the unauthorized points. They showed how to use PP-PRFs to build watermarking PRFs, a notion defined in [CHN + 16]. While the PP-PRF and resulting watermarking PRF from [BLW17] were based on indistinguishability obfusation, Kim and Wu [KW17] later onstruted watermarking PRFs from LWE, but via a different route that does not require PP-PRFs. To date, it has remained an open question whether PP-PRFs exist based on more standard (non-io) assumptions. 1.1 Our Results Our main ontribution is a unified approah for onstruting both onstraint-hiding onstrained PRFs for arbitrary polynomial-time onstraints, and privately programmable PRFs, from LWE with subexponen- 2

3 tial exp(n ε ) approximation fators (i.e., inverse error rates), for any onstant ε > 0. Both objets follow straightforwardly from a single LWE-based onstrution that we all a shift-hiding shiftable funtion (SHSF). Essentially, an SHSF allows for deriving a shifted key for a desired shift funtion, whih remains hidden. The shifted key allows one to evaluate the sum of the original funtion and the shift funtion. We onstrut CHC-PRFs and PP-PRFs very simply by using an appropriate shift funtion, whih is zero at authorized inputs, and either pseudorandom or programmed at unauthorized inputs. CHC-PRFs. In omparison with [BTVW17], while we ahieve the same ultimate result of CHC-PRFs for arbitrary onstraints (with essentially the same effiieny metris), our onstrution is more modular and arguably a good deal simpler. 1 Speifially, our SHSF onstrution uses just a few well-worn tehniques from the literature on LWE-based fully homomorphi and attribute-based ryptography [GSW13, BGG + 14, GVW15b, GVW15a], and we get a CHC-PRF by invoking our SHSF with an arbitrary PRF as the shift funtion. By ontrast, the onstrution from [BTVW17] melds the FHE/ABE tehniques with a speifi LWEbased PRF [BP14], and involves a handful of ad-ho tehniques to deal with various tehnial ompliations that arise. PP-PRFs. Our approah also yields the first privately programmable PRFs from LWE, or indeed, any nonio assumption. In fat, our PP-PRF allows for programming any polynomial number of inputs. Previously, the only potential approah for onstruting PP-PRFs without io [KW17] was from CHC-PRFs having ertain extra properties (whih onstrutions prior to our work did not possess), and was limited to programming only a logarithmi number of inputs. 1.2 Tehniques As mentioned above, the main ingredient in our onstrutions is what we all a shift-hiding shiftable funtion (SHSF). We briefly desribe its properties. We have a keyed funtion Eval : K X Y, where Y is some finite additive group, and an algorithm Shift(, ) to derive shifted keys. Given a seret key msk K and a funtion H : X Y, we an derive a shifted key sk H Shift(msk, H). This key has the following two main properties: sk H hides the shifting funtion H, and given sk H we an ompute an approximation of Eval(msk, ) + H( ) at any input, i.e, there exists a shifted evaluation algorithm SEval suh that for every x X, SEval(sk H, x) Eval(msk, x) + H(x). (1.1) We emphasize that the SHSF itself does not have any pseudorandomness property; this will ome from rounding the funtion in our PRF onstrutions, desribed next. CHC-PRFs and PP-PRFs. We first briefly outline how we use SHSFs to onstrut CHC-PRFs and PP- PRFs. To onstrut a CHC-PRF we instantiate the SHSF with range Y = Z m q for an appropriately hosen q. The CHC-PRF key is just a SHSF master key msk. 1 Our onstrution was atually developed independently of [BTVW17], though not onurrently; we were unaware of its earlier non-publi versions. 3

4 To evaluate on an input x X using msk we output Eval(msk, x) p, where p denotes (oordinatewise) rounding from Z q to Z p for some appropriate p q. To generate a onstrained key for a onstraint iruit C : X {0, 1}, we sample a key k for an ordinary PRF F, define the shift funtion H C,k (x) := C(x) F k (x), and output the shifted key sk C Shift(msk, H C,k ). Sine Shift hides the iruit H C,k, it follows that sk C hides C. To evaluate on an input x using the onstrained key sk C, we output SEval(sk C, x) p. Observe that for authorized inputs x (where C(x) = 0), we have H C,k (x) = 0, so SEval(sk C, x) Eval(msk, x) and therefore their rounded ounterparts are equal with high probability. (This relies on the additional property that Eval(msk, x) is not to lose to a rounding border. ) For unauthorized points x (where C(x) = 1), to see that the CHC-PRF output is pseudorandom given sk C, notie that by Equation (1.1), the output is (with high probability) Eval(msk, x) p = SEval(sk C, x) H(x) p. (1.2) Beause F is a pseudorandom funtion, H(x) = F k (x) ompletely randomizes the right-hand side above. Turning now to PP-PRFs, for simpliity onsider the ase where we want to program the onstrained key at a single input x (generalizing to polynomially many inputs is straightforward). A first idea is to use the same algorithms as in the above CHC-PRF, exept that to program a key to output y at input x we define the shift funtion { y Eval(msk, x ) if x = x, H x,y(x) = 0 otherwise, where y Z m q is hosen uniformly onditioned on y p = y. As before, the programmed key is just the shifted key sk x,y Shift(msk, H x,y). By Equation (1.1), evaluating on the unauthorized input x using sk x,y indeed yields y p = y. However, it is unlear whether the true (non-programmed) value of the funtion at the unauthorized input x = x is pseudorandom given sk x,y: in partiular, beause y is hosen by the adversary, y Z m q may not be uniformly random. To address this issue, we observe that the above onstrution satisfies a weaker pseudorandomness guarantee: if the adversary does not speify y but instead y is uniformly random, then by Equation (1.2) the PP-PRF is pseudorandom at x. This observation leads us to our atual PP-PRF onstrution: we instantiate two of the above weak PP-PRFs with keys msk 1 and msk 2. To generate a programmed key for input x and output y, we first generate random additive shares y 1, y 2 suh that y = y 1 + y 2, and output the programmed key sk x,y := (sk x,y 1, sk x,y 2 ) where sk x,y i Shift(msk i, H x,y i ) for i = 1, 2. Eah evaluation algorithm (ordinary and programmed) is then defined simply as the sum of the orresponding evaluation algorithm from the weak onstrution using the two omponent keys. Beause both programmed keys are generated for random target outputs y i, we an prove pseudorandomness of the real funtion value. Construting SHSFs. We now give an overview of our onstrution of shift-hiding shifted funtions. For simpliity, suppose the range of the funtions is Y = Z q ; extending this to Z m q (as in our atual onstrutions) is straightforward. As in [KW17, BKM17] our main tools are the gadget-matrix homomorphisms developed in the literature on fully homomorphi and attribute-based ryptography [GSW13, BGG + 14, GVW15b, GVW15a]. 4

5 At a high level, our SHSF works as follows. The master seret key is just an LWE seret s whose first oordinate is 1. A shifted key for a shift funtion H : X Z q onsists of LWE vetors (using seret s) relative to some publi matries that have been shifted by multiples of the gadget matrix G [MP12]; more speifially, the multiples are the bits of FHE iphertexts enrypting H, and the Z q -entries of the FHE seret key sk. To ompute the shifted funtion on an input x, we do the following: 1. Using the gadget homomorphisms for boolean gates [GSW13, BGG + 14] on the LWE vetors orresponding to the FHE enryption of H, we ompute LWE vetors relative to some publily omputable matries, shifted by multiples of G orresponding to the bits of an FHE iphertext enrypting H(x). 2. Then, using the gadget homomorphisms for hidden linear funtions [GVW15a] with the LWE vetors orresponding to the FHE seret key, we ompute LWE vetors relative to some publily omputable matrix B x, but shifted by (H(x) + e)g where H(x) + e H(x) Z q is the noisy plaintext arising as the inner produt of the FHE iphertext and seret key. Taking just the first olumn, we therefore have an LWE sample relative to some vetor b x + (H(x) + e)u 1, where u 1 is the first standard basis (olumn) vetor. 3. Finally, beause the first oordinate of the LWE seret s is 1, the above LWE sample is simply s, b x + H(x) + e s, b x + H(x) Z q. With the above in mind, we then define the (unshifted) funtion itself on an input x to simply ompute b x from the publi parameters as above, and output s, b x. This yields Equation (1.1). 2 Preliminaries We denote row vetors by lower-ase bold letters, e.g., a. We denote matries by upper-ase bold letters, e.g., A. The Kroneker produt A B of two matries (or vetors) A and B is obtained by replaing eah entry a i,j of A with the blok a i,j B. The Kroneker produt obeys the mixed-produt property: (A B)(C D) = (AC) (BD) for any matries A, B, C, D with ompatible dimensions. 2.1 Gadgets and Homomorphisms Here we reall gadgets [MP12] over Z q and several of their homomorphi properties, some of whih were impliit in [GSW13], and whih were developed and exploited further in [BGG + 14, GVW15b, GVW15a]. For an integer modulus q, the gadget (or powers-of-two) vetor over Z q is defined as g = (1, 2, 4,..., 2 lg q 1 lg q ) Zq. For every u Z q, there is an (effiiently omputable) binary vetor x {0, 1} lg q suh that g, x = g x t = u (mod q). Phrased differently, (x g) r t = u (mod q) (2.1) for a ertain binary r {0, 1} lg q 2, namely, the one that selets all the produts of the orresponding entries of x and g. The gadget matrix is defined as G n = I n g Z n m q, 5

6 where m = n lg q. We often drop the subsript n when it is lear from ontext. We use algorithms BoolEval and LinEval, whih have the following properties. BoolEval(C, x, A), given a boolean iruit C : {0, 1} l {0, 1} k of depth d, an x {0, 1} l, and some A Z n (l+1)m q, outputs an integral matrix R C,x Z (l+1)m km with m O(d) -bounded entries for whih (A + (1, x) G) R C,x = A C + C(x) G, (2.2) where A C Z n m q depends only on A and C (and not on x). 2 LinEval(x, C), given an x {0, 1} l and a matrix C Z n lm q, outputs an integral matrix R x Z 2lm m with poly(m, l)-bounded entries suh that, for all A, C Z n lm q and k Z l q, [A + x G C + k G] R x = B + x, k G, (2.3) where B Z n m q depends only on A and C (and not on x or k). 3 More generally, for x {0, 1} kl by applying the above to the l-bit hunks of x, in Equation (2.3) we replae x, k G = (x k t ) G with (x (I k k t )) G, and now R x Z (k+1)lm km, A Z n klm q, and B Z n km q. 2.2 Fully Homomorphi Enryption We use the GSW (leveled) fully homomorphi enryption sheme [GSW13] (KG, En, Eval), whose relevant properties for our needs are summarized as follows (we use only a symmetri-key version, whih is suffiient for our purposes): KG(1 λ, q), given a seurity parameter λ and a requested modulus q, outputs a seret key k Z τ q (for some τ = poly(λ, log q)). En(k, m), given a seret key k and a message m {0, 1}, outputs a iphertext t, whih is a binary string. Eval(C, t 1,..., t l ), given a boolean iruit C : {0, 1} l {0, 1} and iphertexts t 1, t 2,..., t l, outputs a iphertext t {0, 1} τ lg q. Notie that in the above definition there is no expliit deryption algorithm. Instead we express the essential noisy linear relation between the result of homomorphi evaluation and the seret key: for any k KG(1 λ, q), any boolean iruit C : {0, 1} l {0, 1} of depth at most d, any messages m j {0, 1} and iphertexts t j En(k, m j ) for j = 1,..., l, we have Eval(C, t 1,..., t l ) (I lg q k t ) = C(m 1,..., m l ) g + e (mod q) (2.4) for some integral error vetor e [ B, B] lg q, where B = λ O(d). In other words, multiplying (the τ-bit hunks of) the result of homomorphi evaluation with the seret key yields a noisy version of a robust enoding of the result (where the enoding is via the powers of two). While the robust enoding allows the noise to be removed, we will not need to do so expliitly. More generally, if the iruit C has k-bit output, then Eval outputs a iphertext in {0, 1} τk lg q and Equation (2.4) holds with I lg q replaed by I k lg q. 2 This property is obtained by omposing homomorphi addition and multipliation of G-multiples; the extra 1 attahed to x is needed to support NOT gates. 3 We stress that LinEval does not need to know k, whih we view as representing a seret linear funtion that is hidden by C. 6

7 2.3 Learning With Errors For a positive integer dimension n and modulus q, and an error distribution χ over Z, the LWE distribution and deision problem are defined as follows. For an s Z n, the LWE distribution A s,χ is sampled by hoosing a uniformly random a Z n q and an error term e χ, and outputting (a, b = s, a + e) Z n+1 q. Definition 2.1. The deision-lwe n,q,χ problem is to distinguish, with non-negligible advantage, between any desired (but polynomially bounded) number of independent samples drawn from A s,χ for a single s Z n q, and the same number of uniformly random and independent samples over Z n+1 q. In this work we use a form of LWE where the first oordinate of the seret vetor s is 1, i.e. s = (1, s) where s Z n 1 q. It is easy to see that this is equivalent to LWE with an (n 1)-dimensional seret: the transformation mapping (a, b) Z n 1 q Z q to ((r, a), b + r) for a uniformly random r Z q (hosen freshly for eah sample) maps samples from A s,χ to samples from A s,χ, and maps uniform samples to uniform samples. A standard instantiation of LWE is to let χ be a disrete Gaussian distribution (over Z) with parameter r = 2 n. A sample drawn from this distribution has magnitude bounded by, say, r n = Θ(n) exept with probability at most 2 n. For this parameterization, it is known that LWE is at least as hard as quantumly approximating ertain short vetor problems on n-dimensional latties, in the worst ase, to within Õ(q n) fators [Reg05, PRS17]. Classial redutions are also known for different parameterizations [Pei09, BLP + 13]. 2.4 One Dimensional Rounded Short Integer Solution As in [BV15, BKM17, KW17] we make use of a speial one-dimensional, rounded variant of the short integer solution problem (SIS). For the parameters we will use, this problem is atually no easier to solve than LWE is, but it is onvenient to define it separately. Definition 2.2 (1D-R-SIS [BV15, BKM17]). Let p N and let p 1 < p 2 < < p k be pairwise oprime and oprime with p. Let q = p k i=1 p i. Then for positive numbers m N and B, the 1D-R-SIS m,p,q,b problem is as follows: given a uniformly random vetor v Z m q, find z Z m suh that z B and v, z q p (Z ) + [ B, B]. For suffiiently large p 1 B poly(k, log q), solving 1D-R-SIS is at least as hard as approximating ertain short vetor problems on k-dimensional latties, in the worst ase, to within ertain B poly(k) fators [Ajt96, MR04, BV15, BKM17]. 3 Shift-Hiding Shiftable Funtions Here we present our onstrution of what we all shift-hiding shiftable funtions (SHSFs), whih we use in our subsequent onstrutions of CHC-PRFs and PP-PRFs. Beause there are several parameters and we need some speifi algebrai properties, we do not give an abstrat definition of SHSF, but instead just give a onstrution (Setion 3.2) and show the requisite properties (Setion 3.3). 7

8 3.1 Notation Let GSW = (KG, En, Eval) denote the GSW fully homomorphi enryption sheme (Setion 2.2), where the seret key is in Z τ q for some τ = τ(λ). Reall that homomorphi evaluation of a funtion with k output bits produes a τk lg q -bit iphertext. Our onstrution represents shift funtions H : {0, 1} l Z m q by (bounded-size) boolean iruits. Speifially, we let H : {0, 1} l {0, 1} k for k = m lg q be a boolean iruit where H (x) is the binary deomposition of H(x), so that, following Equation (2.1), (H (x) g) (I m r t ) = H(x) Z m q. (3.1) Let U(H, x) = H (x) denote a universal iruit for boolean iruits H : {0, 1} l {0, 1} k of size σ, and let U x ( ) = U(, x). Its homomorphi analogue is as follows: letting z be the total length of fresh GSW iphertexts enrypting a iruit of size σ, for any x {0, 1} l define U x : {0, 1} z τk lg q {0, 1} U x (t) = GSW.Eval(U x, t). Observe that U x an be implemented as a boolean iruit of size (and hene depth) poly(λ, σ). 3.2 Constrution Here we give the tuple of algorithms (Setup, KeyGen, Eval, Shift, SEval, S) that make up our SHSF. For seurity parameter λ and onstraint iruit size σ the algorithms are parameterized by some n = poly(λ, σ) and q = 2 poly(λ,σ), with m = n lg q = poly(λ, σ); we instantiate these more preisely in Setion 3.4 below. Constrution 3.1. Let X = {0, 1} l and Y = Z m q. Define: Setup(1 λ, 1 σ ): Sample uniformly random and independent matries A Zq n (z+1)m and output pp = (A, C). and C Z n τm q, (The n-by-m hunks of A will orrespond to the z bits of a GSW enryption of the shift funtion; similarly, the hunks of C will orrespond to the GSW seret key in Z τ q.) KeyGen(pp): Sample s Z n 1 q and set s = (1, s ). Output the master seret key msk = s. Eval(pp, msk, x {0, 1} l ): ompute R 0 = BoolEval(U x, 0 z (z+1)m τk lg q m, A) Z and let A x = (A + (1, 0 z ) G) R 0 U x (0 z n τk lg q m ) G Zq. (Observe that by Equation (2.2), A x = A C for the iruit C = U x, and does not depend on the dummy iphertext 0 z, whih stands in for a GSW enryption of a shift funtion.) Next, ompute R 0 = LinEval(U x (0 z τ(k lg q +1)m k lg q m ), C) Z 8

9 and let B x = [A x + U x (0 z ) G C] R n k lg q m 0 Zq. (Observe that this orresponds to taking k = 0 in Equation (2.3), so B x does not depend on the dummy iphertext 0 z ; it depends only on A x, hene A and x, and C.) Finally, output s B x (I m r t u t 1) Z m q, where r {0, 1} lg q 2 is as in Equation (3.1) and u 1 Z m is the first standard basis vetor. Shift(pp, msk, H): for a shift funtion H : {0, 1} l Z m q whose binary deomposition H : {0, 1} l {0, 1} k an be implemented by a iruit of size σ, sample a GSW enryption key k GSW.KG(1 λ, q), then enrypt H bit-by-bit under this key to obtain a iphertext t GSW.En k (H ). Next, let a = s(a + (1, t) G) + e = s(c + k G) + e where e and e are error vetors whose entries are sampled independently from χ. Output sk H = (t, a, ). (Reall that A = A + (1, t) G and C = C + k G support homomorphi operations on t and k via right-multipliation by short matries, using the gadget homomorphisms. Shifted evaluation, defined next, performs suh right-multipliations on a sa, sc.) SEval(pp, sk H, x): On input sk H = (t, a, ) and x {0, 1} l, ompute R t = BoolEval(U x, t, A) a x = a R t. (By Equation (2.2), we have a x s(a x + U x (t) G), where reall that U x (t) is a GSW enryption of H (x), omputed homomorphially.) Next, ompute R t = LinEval(U x (t), C) b x = [a x ] R t. (By Equations (2.3) for LinEval and (2.4) for GSW deryption, we have b x s(b x +h G), where h is a noisy version of the robust enoding H (x) g.) Finally, output where r, u 1 are as in Eval above. b x (I m r t u t 1) Z m q, (Here the I m r t term reonstruts a noisy version of H(x) Z m q from h as in Equation (3.1), and the u t 1 Zm term selets the first olumn of G, whose inner produt with s is 1.) S(1 λ, 1 σ ): Sample a GSW seret key k GSW.KG(1 λ, q) and ompute (by enrypting bit-by-bit) t GSW.En k (C), where C is some arbitrary size-σ boolean iruit. Sample uniformly random and independent A Z n (z+1)m q, a Z q (z+1)m, C Z n τm q, Z τm q. Output pp = (A, C) and sk = (t, a, ). 9

10 3.3 Properties Here we prove the three main properties of our SHSF that we will use in subsequent setions. proedure RealKey A (1 λ, 1 ρ ) H A(1 λ, 1 σ ) pp Setup(1 λ, 1 ρ ) msk KeyGen(pp) sk Shift(pp, msk, H) (pp, sk) A (a) The real shifted key generation experiment proedure IdealKey A (1 λ, 1 σ ) H A(1 λ, 1 σ ) (pp, sk) S(1 λ, 1 σ ) (pp, sk) A (b) The random key generation experiment Figure 1: The real and random shifted key generation experiments. Lemma 3.2 (Shift Hiding). Assuming the hardness of LWE n 1,q,χ and CPA seurity of the GSW enryption sheme, for any PPT A and any σ = σ(λ) = poly(λ), {RealKey A (1 λ, 1 σ )} λ N {IdealKeyA (1 λ, 1 σ )} λ N, (3.2) where RealKey and IdealKey are the respetive views of A in the experiments defined in Figure 1. Proof. Let A be any polynomial-time adversary. To show that Equation (3.2) holds we define a sequene of hybrid experiments and show that they are indistinguishable. Hybrid H 0 : This is the experiment RealKey. Hybrid H 1 : This is the same as H 0, exept that we modify how the A and C are onstruted as follows: after we generate t and k we hoose uniformly random A and C and set A = A (1, t) G C = C k G. Hybrid H 2 : This is the same as H 1, exept that we sample the a i and j uniformly at random from Z m q. Hybrid H 3 : This is the same as H 2, exept that we again diretly hoose A, C uniformly at random (without hoosing A, C ). Hybrid H 4 : This is the same as H 2, exept that t enrypts the (arbitrary) size-σ iruit C (as in S) instead of H, i.e., we set t GSW.En k (C). Observe that this is exatly the experiment IdealKey. Claim 3.3. H 0 and H 1 are idential. Proof. This is beause A and C are uniformly random and independent of t and k. Claim 3.4. Assuming the hardness of LWE n 1,q,χ, we have H 1 H2. Proof. We use any adversary A that attempts to distinguish H 1 from H 2 to build an adversary A that solves LWE n 1,q,χ with the same advantage. First, A reeives samples (A, a) Z n (z+1)m q Z q (z+1)m and 10

11 (C, ) Z n τm q Z τm q, then proeeds exatly as in H 1 to interat with A, and outputs what A outputs. If, then the samples are LWE samples from A s,χ where s = (1, s ) for s Z n 1 q a = s A + e = s(a + (1, t) G) + e = s C + e = s(c + k G) + e for error vetors e, e whose entries are drawn from χ, therefore A s view is idential to its view in H 1. If the samples are uniformly random, then A s view is idential to its view in H 2. This proves the laim. Claim 3.5. H 2 and H 3 are idential. Proof. This is beause A, C are uniformly random and independent of t and k. Claim 3.6. If GSW is CPA-seure then H 3 H4. Proof. This follows immediately from the fat that the GSW seret key k GSW.KG(1 λ, q) is used only to enrypt H (yielding t) or the arbitrary iruit C, respetively, in H 3 and H 4. This ompletes the proof of Lemma 3.2. Lemma 3.7 (Border Avoiding). For any PPT A, i [m], λ N and σ = poly(λ), assuming the hardness of 1D-R-SIS (z+τ+1)m,p,q,b for some large enough B = m poly(λ,σ) = λ poly(λ), we have ] Pr [Eval(pp, sk, x) i q (pp,sk) S(1 λ,1 σ p (Z ) + [ B, +B] negl(λ). ) x A(pp,sk) Proof. We show how to use an adversary whih finds an x X suh that SEval(pp, sk, x) i q p (Z ) + [ B, +B] (3.3) for some i [m] to solve 1D-R-SIS. Given a (uniformly random) 1D-R-SIS (z+τ+1)m,p,q,b hallenge v = (a, ) Z (z+1)m q Z τm q, we put a, in the sk given to A, and generate pp in the same way as in the S algorithm. Let x be a query output by A, and onsider the response y x = SEval(pp, (t, a, ), x) = b x U [ ] Rt = [a ] R t U, I τm }{{} T where R t, R t are m poly(λ,σ) -bounded matries as omputed by SEval, and U is a binary matrix. Now if Equation (3.3) holds for some i [m], then (y x ) i q p (Z ) + [ B, B], whih means that the ith olumn of T is a valid 1D-R-SIS (z+τ+1)m,p,q,b solution to the hallenge v = (a, ), as desired. 11

12 Lemma 3.8 (Approximate Shift Corretness). For any shift funtion H : {0, 1} l Z m q whose binary deomposition H : {0, 1} l {0, 1} k an be represented by a boolean iruit of size σ, and any x {0, 1} l, pp Setup(1 λ, 1 ρ ), msk KeyGen(pp) and sk H Shift(pp, msk, H), we have SEval(pp, sk H, x) Eval(pp, msk, x) + H(x) where the approximation hides some λ poly(λ) -bounded error vetor. Proof. Let a, a x, b x,, A x and B x be as defined in algorithms SEval, Eval and Shift. First, observe that by definition of a s(a + (1, t) G), a x = a R t, and Equation (2.2), we have a x s(a + (1, t) G) R t = s(a x + U x (t) G), where the approximation hides an error vetor with entries bounded by m poly(λ,σ) = λ poly(λ). Similarly, by definition of b x, the generalized Equation (2.3), and the generalized Equation (2.4) we have b x = [a x ] R t s[a x + U x (t) G C + k G] R t = s(b x + (U x (t) (I k lg q k t )) G) = s(b x + (H (x) g + e x ) G) where the approximation hides some λ poly(λ) -bounded error, and e x is also λ poly(λ) -bounded. Therefore, by Equation (3.1), the mixed-produt property, and beause G u t 1 = ut 1 Zn q, and the first oordinate of s is 1, the output of SEval(pp, sk H, x) is b x (I m r t u t 1) sb x (I m r t u t 1) + s((h (x) g + e x ) G) (I m r t u t 1) = Eval(pp, msk, x) + s((h(x) + e x (I m r t )) u t 1) = Eval(pp, msk, x) + H(x) + e x (I m r t ) Eval(pp, msk, x) + H(x), where again the approximations hide λ poly(λ) -bounded error vetors, as laimed. The following is an immediate onsequene of Lemma 3.8. Corollary 3.9. Fix the same notation as in Lemma 3.8. If for all i [m] we have (SEval(pp, sk, x) H(x)) i / q p (Z ) + [ B, +B], then SEval(pp, sk, x) H(x) p = Eval(pp, msk, x) p. 12

13 3.4 Parameter Instantiation We now instantiate the LWE parameters n, q and the 1D-R-SIS parameter k to orrespond with subexponential exp(n ε ) and exp(k ε ) approximation fators for the underlying worst-ase lattie problems, for an arbitrary desired onstant ε > 0. Let B = λ poly(λ) be the bound from Corollary 3.9. For 1D-R-SIS we need to hoose k suffiiently large primes p i = B poly(λ) = λ poly(λ) to get an approximation fator of B poly(λ) = λ poly(λ) for k-dimensional latties. Therefore, we an hoose a suffiiently large k = poly(λ) to make this fator exp(k ε ). We then set k q = p p i = p λ k poly(λ) = λ poly(λ), i=1 whih orresponds to some λ poly(λ) approximation fator for n-dimensional latties. Again, we an hoose a suffiiently large n = poly(λ) to make this fator exp(n ε ). 4 Constraint-Hiding Constrained PRF In this setion we formally define onstraint-hiding onstrained PRFs (CHC-PRFs) and give a onstrution based on our shiftable PRF from Setion Definition Here we give the definition of CHC-PRFs, speializing the simulation-based definition of [CC17] to the ase of a single onstrained-key query. Definition 4.1. A onstrained funtion is a tuple of effiient algorithms (Setup, KeyGen, Eval, Constrain, CEval) having the following interfaes (where the domain X and range Y may depend on the seurity parameter): Setup(1 λ, 1 σ ), given the seurity parameter λ and an upper bound σ on the size of the onstraining iruit, outputs publi parameters pp. KeyGen(pp), given the publi parameters pp, outputs a master seret key msk. Eval(pp, msk, x), given the master seret key and an input x X, outputs some y Y. Constrain(pp, msk, C), given the master seret key and a iruit C of size at most σ, outputs a onstrained key sk C. CEval(pp, sk C, x), given a onstrained key sk C and an input x X, outputs some y Y. Definition 4.2. A onstrained funtion is a onstraint-hiding onstrained PRF (CHC-PRF) if there is a PPT simulator S suh that, for any PPT adversary A (that without loss of generality never repeats a query) and any σ = σ(λ) = poly(λ), {Real A (1 λ, 1 σ )} λ N {IdealA,S (1 λ, 1 σ )} λ N, where Real and Ideal are the respetive views of A in the experiments defined in Figure 2. 13

14 The above simulation-based definition simultaneously aptures privay of the onstraining funtion, pseudorandomness on unauthorized inputs, and orretness of onstrained evaluation on authorized inputs. The first two properties (privay and pseudorandomness) follow beause in the ideal experiment, the simulator must generate a onstrained key without knowing the onstraining funtion, and the adversary gets orale aess to a funtion that is uniformly random on unauthorized inputs. For orretness, we laim that the real experiment is omputationally indistinguishable from a modified one where eah query x is answered as CEval(pp, sk C, x) if x is authorized (i.e., C(x) = 0), and as Eval(pp, msk, x) otherwise. In partiular, this implies that Eval(pp, msk, x) = CEval(pp, sk C, x) with all but negligible probability for all the adversary s authorized queries x. Indistinguishability of the real and modified experiments follows by a routine hybrid argument, with the ideal experiment as the intermediate one. In partiular, the redution that links the ideal and modified real experiments itself answers authorized queries x using CEval, and handles unauthorized queries by passing them to its orale. proedure Real A (1 λ, 1 σ ) C A(1 λ, 1 σ ) pp Setup(1 λ ) msk KeyGen(pp) sk C Constrain(pp, msk, C) (pp, sk C ) A repeat x A Eval(pp, msk, x) A until A halts (a) The real experiment proedure Ideal A,S (1 λ, 1 σ ) C A(1 λ, 1 σ ) (pp, sk) S(1 λ, 1 σ ) (pp, sk) A repeat x A if C(x) = 0 then CEval(pp, sk, x) A else y Y; y A until A halts (b) The ideal experiment Figure 2: The real and ideal experiments. 4.2 Constrution We now desribe our onstrution of a CHC-PRF for domain X = {0, 1} l and range Y = Z m p, whih handles onstraining iruits of size σ. It uses the following omponents: as A pseudorandom funtion PRF = (PRF.KG, PRF.Eval) having domain {0, 1} l and range Z m q, with key spae {0, 1} κ. The shift hiding shiftable funtion SHSF = (Setup, KeyGen, Eval, Shift, SEval, Sim) from Setion 3, whih has parameters q, B that appear in the analysis below. For a boolean iruit C of size at most σ and some k {0, 1} κ define the funtion H C,k : {0, 1} l Z m q { PRF.Eval(k, x) if U(C, x) = 1 H C,k (x) = C(x) PRF.Eval(k, x) = 0 otherwise. Notie that the size of (the binary deomposition of) H C,k is upper bounded by σ = σ + s + poly(n, log q), (4.1) 14

15 where s is the iruit size of (the binary deomposition of) PRF.Eval(k, ). Constrution 4.3. Our CHC-PRF with domain X = {0, 1} l and range Y = Z m p is defined as follows: Setup(1 λ, 1 σ ): output pp SHSF.Setup(1 λ, 1 σ ) where σ is defined as in Equation (4.1). KeyGen(pp): output msk SHSF.KeyGen(pp). Eval(pp, msk, x {0, 1} l ): ompute y x = SHSF.Eval(pp, msk, x) and output y x p. Constrain(pp, msk, C): on input a iruit C of size at most σ, sample a PRF key k PRF.KG(1 λ ) and output sk C SHSF.Shift(pp, msk, H C,k ). CEval(pp, sk C, x): on input a onstrained key sk C and x {0, 1} l, output SHSF.SEval(pp, sk C, x) p. 4.3 Seurity Proof Theorem 4.4. Constrution 4.3 is a onstraint-hiding onstrained PRF assuming the hardness of LWE n 1,q,χ and 1D-R-SIS (zσ +τ+1)m,p,q,b (where z, τ are respetively the lengths of fresh GSW iphertexts and seret keys as used in SHSF), the CPA seurity of the GSW enryption sheme, and that PRF is a pseudorandom funtion. Proof. Our simulator S(1 λ, 1 σ ) for Constrution 4.3 simply outputs SHSF.S(1 λ, 1 σ ). Now let A be any polynomial-time adversary. To show that S satisfies Definition 4.2 we define a sequene of hybrid experiments and show that they are indistinguishable. Before defining the experiments in detail, we first define a partiular bad event in all but one of them. Definition 4.5. In eah of the following hybrid experiments exept H 0, eah query x is answered as y x p for some y x that is omputed in a ertain way. Define Borderline to be the event that at least one suh y x has some oordinate in q p (Z ) + [ B, B]. Hybrid H 0 : This is the ideal experiment Ideal A,S. Hybrid H 1 : This is the same as H 0, exept that on every unauthorized query x (i.e., where C(x) = 1), instead of returning a uniformly random value from Z m p, we hoose y x Z m q and output y x p. Hybrid H 2 : This is the same as H 1, exept that we abort the experiment if Borderline happens. Hybrid H 3 : This is the same as H 2, exept that we initially hoose a PRF key k PRF.KG(1 λ ) and hange how unauthorized queries x (i.e., where C(x) = 1) are handled, answering all queries aording to a slightly modified CEval. Speifially, for any query x we answer y x p where y x = SHSF.SEval(pp, sk, x) C(x) PRF.Eval(k, x). Hybrid H 4 : This is the same as H 3, exept that (pp, sk) are generated as in the real experiment. More formally we instantiate pp SHSF.Setup(1 λ, 1 σ ), msk SHSF.KeyGen(pp) and ompute sk SHSF.Shift(pp, msk, H C,k ). Hybrid H 5 : This is the same as H 4, exept that we answer all evaluation queries as in the Eval algorithm, i.e., we output y x p where y x = SHSF.Eval(pp, msk, x). 15

16 Hybrid H 6 : This is the same as H 5, exept that we no longer abort when Borderline happens. Observe that this is exatly the real experiment Real A. We now prove that adjaent pairs of hybrid experiments are indistinguishable. Claim 4.6. Experiments H 0 and H 1 are idential. Proof. This follows diretly from the fat that p divides q. Claim 4.7. Assuming that 1D-R-SIS (zσ +τ+1)m,p,q,b is hard, we have H 1 event Borderline happens with negligible probability. H2. In partiular, in H 1 the Proof. Let A be an adversary attempting to distinguish H 1 and H 2. We want to show that in H 1 event Borderline happens with negligible probability. Let x be a query made by A. If C(x) = 1 then y x is uniformly random in Z m q, so for any i [m] we have Pr[(y x ) i q p (Z ) + [ B, B]] 2 B p/q = negl(λ). If C(x) = 0, the laim follows immediately by the border-avoiding property of SHSF (Lemma 3.7). Claim 4.8. If PRF is a pseudorandom funtion then H 2 H3. Proof. We use any adversary A that attempts to distinguish H 2 from H 3 to build an adversary A having the same advantage against the pseudorandomness of PRF. Here A is given aess to an orale O whih is either PRF.Eval(k, ) for k PRF.KG(1 λ ), or a uniformly random funtion f : {0, 1} l Z m q. We define A to proeed as in H 2 to simulate the view of A, exept that on eah query x it sets y x = SHSF.SEval(pp, sk, x) C(x) O(x) and answers y x p. Finally, A outputs whatever A outputs. Clearly, if O is PRF.Eval(k, ) then the view of A is idential to H 3, whereas if the orale is f( ) then the view of A is idential to its view in H 2. This proves the laim. Claim 4.9. Assuming the hardness of LWE n 1,q,χ and CPA-seurity of GSW, H 3 H4. Proof. This follows immediately from the shift hiding property of SHSF, i.e., Lemma 3.2. Claim H 4 and H 5 are idential. Proof. This follows by Corollary 3.9 and notiing that both experiments abort if Borderline happens. Claim Under the hypotheses of Theorem 4.4, we have H 5 H6. Proof. This follows by ombining all the previous laims and realling that we have proved that Borderline happens with negligible probability in H 1. This ompletes the proof of Theorem

17 5 Privately Programmable PRF In this setion we formally define privately programmable PRFs (PP-PRFs) and give a onstrution based on our shiftable PRF from Setion Definitions We start by giving a variety of definitions related to programmable funtions and privately programmable PRFs. In partiular, we give a simulation-based definition that is adapted from [BLW17]. Definition 5.1. A programmable funtion is a tuple (Setup, KeyGen, Eval, Program, PEval) of effiient algorithms having the following interfaes (where the domain X and range Y may depend on the seurity parameter): Setup(1 λ, 1 k ), given the seurity parameter λ and a number k of programmable inputs, outputs publi parameters pp. KeyGen(pp), given the publi parameters pp, outputs a master seret key msk. Eval(pp, msk, x), given the master seret key and an input x X, outputs some y Y. Program(pp, msk, P = {(x i, y i )}), given the master seret key msk and k pairs (x i, y i ) X Y for distint x i, outputs a programmed key sk P. PEval(pp, sk P, x), given a programmed key sk P and an input x X, outputs some y Y. We now give several definitions that apture various funtionality and seurity properties for programmable funtions. We start with the following orretness property for programmed inputs. Definition 5.2. A programmable funtion is statistially programmable if for all λ, k = poly(λ) N, all sets of k pairs P = {(x i, y i )} X Y (with distint x i ), and all i [k] we have Pr [PEval(pp, sk P, x i ) y i ] = negl(λ). pp Setup(1 λ,1 k ) msk KeyGen(pp) sk P Program(pp,msk,P) We now define a notion of weak simulation seurity, in whih the adversary names the inputs at whih the funtion is programmed, but the outputs are hosen at random (and not revealed to the adversary). As before, we always assume without loss of generality that the adversary never queries the same input x more than one in the various experiments we define. Definition 5.3. A programmable funtion is weakly simulation seure if there is a PPT simulator S suh that for any PPT adversary A and any polynomial k = k(λ), {RealWeakPPRF A (1 λ, 1 k )} λ N {IdealWeakPPRFA,S (1 λ, 1 k )} λ N, where RealWeakPPRF and IdealWeakPPRF are the respetive views of A in the proedures defined in Figure 3. Similarly to Definition 4.2, the above definition simultaneously aptures privay of the programmed inputs given the programmed key, pseudorandomness on those inputs, and orretness of PEval on non-programmed inputs. 17

18 proedure RealWeakPPRF A (1 λ, 1 k ) {x i } i [k] A(1 λ, 1 k ) {y i } i [k] Y pp Setup(1 λ, 1 k ) msk KeyGen(pp) sk Program(pp, msk, {(x i, y i )}) (pp, sk) A repeat x A Eval(pp, msk, x) A until A halts (a) The real experiment proedure IdealWeakPPRF A,S (1 λ, 1 k ) {x i } i [k] A(1 λ, 1 k ) (pp, sk) S(1 λ, 1 k ) (pp, sk) A repeat x A if x / {x i } then PEval(pp, sk, x) A else y Y; y A until A halts (b) The ideal experiment Figure 3: The (weak) real and ideal experiments. Definition 5.4. A programmable funtion is a weak privately programmable PRF if it is statistially programmable (Definition 5.2) and weakly simulation seure (Definition 5.3). We now define a notion of (non-weak) simulation seurity for programmable funtions. This differs from the weak notion in that the adversary speifies the programmed inputs and orresponding outputs, and the simulator in the ideal game is also given these input-output pairs. The simulator needs this information beause otherwise the adversary ould trivially distinguish the real and ideal experiments by heking whether PEval(pp, sk P, x i ) = y i for one of the programmed input-output pairs (x i, y i ). Simulation seurity itself therefore does not guarantee any privay of the programmed inputs; below we give a separate simulation-based definition whih does. proedure RealPPRF A (1 λ, 1 k ) P = {(x i, y i )} A(1 λ, 1 k ) pp Setup(1 λ, 1 k ) msk KeyGen(pp) sk P Program(pp, msk, P) (pp, sk P ) A repeat x A Eval(pp, msk, x) A until A halts (a) The real experiment proedure IdealPPRF A,S (1 λ, 1 k ) P = {(x i, y i )} A(1 λ, 1 k ) (pp, sk P ) S(1 λ, P) (pp, sk P ) A repeat x A if x / {x i } then PEval(pp, sk P, x) A else y Y; y A until A halt (b) The ideal experiment Figure 4: The real and ideal experiments Definition 5.5. A programmable funtion is simulation seure if there is a PPT simulator S suh that for any PPT adversary A and any polynomial k = k(λ), {RealPPRF A (1 λ, 1 k )} λ N {IdealPPRFA,S (1 λ, 1 k )} λ N, 18

19 where Real and Ideal are the respetive views of A in the proedures defined in Figure 4. We mention that a straightforward hybrid argument similar to one from [BKM17] shows that simulation seurity implies that (KeyGen, Eval) is a pseudorandom funtion. Finally, we define a notion of privay for the programmed inputs. This says that a key programmed on adversarially hosen inputs and random orresponding outputs (that are not revealed to the adversary) does not reveal anything about the programmed inputs. proedure RealPPRFPrivay A (1 λ, 1 k ) {x i } i [k] A(1 λ, 1 k ) {y i } i [k] Y pp Setup(1 λ, 1 k ) msk KeyGen(pp) sk Program(pp, msk, {(x i, y i )}) (pp, sk) A proedure IdealPPRFPrivay A,S (1 λ, 1 k ) {x i } i [k] A(1 λ, 1 k ) (pp, sk) S(1 λ, 1 k ) (pp, sk) A (b) The ideal experiment (a) The real experiment Figure 5: The real and ideal privay experiments Definition 5.6. A programmable funtion is privately programmable if there is a PPT simulator S suh that for any PPT adversary A and any polynomial k = k(λ), {RealPPRFPrivay A (1 λ, 1 k )} λ N {IdealPPRFPrivayA (1 λ, 1 k )} λ N, where RealPPRFPrivay and IdealPPRFPrivay are the respetive views of A in the proedures defined in Figure 5. We now give our main seurity definition for PP-PRFs. Definition 5.7. A programmable funtion is a privately programmable PRF if it is statistially programmable, simulation seure, and privately programmable. 5.2 From Weak PP-PRFs to PP-PRFs In this setion we desribe a general onstrution of a privately programmable PRF from any weak privately programmable PRF. Let Π = (Setup, KeyGen, Eval, Program, PEval) be a programmable funtion with domain X and range Y, where we assume that Y is a finite additive group. The basi idea behind the onstrution is simple: define the funtion as the sum of two parallel opies of Π, and program it by programming the opies aording to additive seret-sharings of the desired outputs. Eah omponent is therefore programmed to uniformly random outputs, as required by weak simulation seurity. Constrution 5.8. We onstrut a programmable funtion Π as follows: Π.Setup(1 λ, 1 k ): generate pp i Π.Setup(1 λ, 1 k ) for i = 1, 2 and output pp = (pp 1, pp 2 ). Π.KeyGen(pp): on input pp = (pp 1, pp 2 ) generate msk i Π.KeyGen(pp i ) for i = 1, 2, and output msk = (msk 1, msk 2 ). 19

20 Π.Eval(pp, msk, x): on input pp = (pp 1, pp 2 ), msk = (msk 1, msk 2 ), and x X output Π.Eval(pp 1, msk 1, x) + Π.Eval(pp 2, msk 2, x). Π.Program(pp, msk, P): on input pp = (pp 1, pp 2 ), msk = (msk 1, msk 2 ), k pairs (x i, y i ) X Y, first sample uniformly random r i Y for i [k], then output sk P = (sk 1, sk 2 ) where sk 1 Π.Program(pp 1, msk 1, P 1 = {(x i, r i )}) sk 2 Π.Program(pp 2, msk 2, P 2 = {(x i, y i r i )}). Π.PEval(pp, sk P, x): on input pp = (pp 1, pp 2 ), sk P = (sk 1, sk 2 ), and x X output Π.PEval(pp 1, sk 1, x) + Π.PEval(pp 2, sk 2, x). Theorem 5.9. If Π is a weak privately programmable PRF then Constrution 5.8 is a privately programmable PRF. Proof. This follows diretly from Theorem 5.10 and Theorem 5.15, whih respetively prove the simulation seurity and private programmability of Constrution 5.8, and from the statistial programmability of Π, whih obviously implies the statistial programmability of Constrution 5.8. Theorem If Π is a weak privately programmable PRF then Π is simulation seure. Proof. Let S be the simulator algorithm for the weak simulation seurity of Π (Definition 5.3). Our simulator S(1 λ, P = {(x i, y i )}) for the simulation seurity of Π (Definition 5.5) works as follows: 1. Compute (pp 2, sk 2 ) S (1 λ, 1 k ) where k = P. 2. Compute pp 1 Π.Setup(1 λ, 1 k ), msk 1 Π.KeyGen(pp 1 ), and sk 1 Π.Program(pp 1, msk 1, {(x i, y i Π.PEval(pp 2, sk 2, x i ))}). 3. Output (pp = (pp 1, pp 2 ), sk = (sk 1, sk 2 )). We now define the following hybrids and show that they are indistinguishable. Hybrid H 0 : This is the real experiment RealPPRF A from Figure 4, up to negligible statistial distane. Speifially: the adversary A first outputs {(x i, y i )}. We then generate pp i Π.Setup(1 λ, 1 k ) and msk i Π.KeyGen(pp i ) for i = 1, 2. We hoose uniformly random r i Y for i [k], and let sk 1 Π.Program(pp 1, msk 1, {(x i, r i )}) sk 2 Π.Program(pp 2, msk 2, {(x i, y i Π.PEval(pp 1, sk 1, x i ))}). (Note that in y i r i we have replaed r i with a all to Π.PEval; these are equivalent up to negligible statistial distane by statistial programmability.) We give (pp = (pp 1, pp 2 ), sk = (sk 1, sk 2 )) to A. Then A is given query aess to Π.Eval(pp 1, msk 1, ) + Π.Eval(pp 2, msk 2, ). 20

21 Hybrid H 1 : This is the same as the previous experiment, exept we hange how pp 1 and sk 1 are generated, and how queries are answered. We generate (pp 1, sk 1 ) S (1 λ, 1 k ), and no longer generate msk 1. To answer eah query x, if x / {x i } then we output Π.PEval(pp 1, sk 1, x) + Π.Eval(pp 2, msk 2, x); otherwise, we output a uniformly random value from Y. Hybrid H 2 : This is the same as the (real) experiment H 0, exept that for queries x / {x i }, just as in H 1 we output Π.PEval(pp 1, sk 1, x) + Π.Eval(pp 2, msk 2, x). Hybrid H 3 : This is the same as the previous experiment, exept we replae y i Π.PEval(pp 1, sk 1, x i ) with y i r i, then we swap the roles of r i and y i r i (using r i when omputing sk 2 and y i r i when omputing sk 1 ), then replae y i r i with y i Π.PEval(pp 2, sk 2, x i ). Hybrid H 4 : This is the same as the previous experiment, exept we hange how pp 2 and sk 2 are generated and how queries are answered. We generate (pp 2, sk 2 ) S (1 λ, 1 k ), and no longer generate msk 2. To answer a query x, if x / {x i } then we respond with Π.PEval(pp 1, sk 1, x)+π.peval(pp 2, sk 2, x); otherwise, we respond with a uniformly random value from Y. Observe that this hybrid is idential to the ideal experiment IdealPPRF A,S from Figure 4. We now show that adjaent hybrid experiments are indistinguishable. Claim We have H 0 H1. Proof. Let A be an adversary attempting to distinguish H 0 from H 1. We build an adversary A against the weak simulation seurity of Π that runs A internally and works as follows: When A outputs {(x i, y i )}, A outputs {x i } and reeives some (pp 1, sk 1 ). A omputes pp 2 Π.Setup(1 λ, 1 k ), msk 2 Π.KeyGen(pp 2 ), and sk 2 Π.Program(pp 2, msk 2, {(x i, y i Π.PEval(pp 1, sk 1, x i ))}), and gives (pp = (pp 1, pp 2 ), sk = (sk 1, sk 2 )) to A. When A queries some x, A queries x and reeives a response y, and returns y +Π.Eval(pp 2, msk 2, x) as the answer to A. Beause the r i are uniformly random in H 0, it is straightforward to verify that if A is in the RealWeakPPRF (respetively, IdealWeakPRF) experiment, then the view of A is idential to its view in H 0 (resp., H 1 ). So by weak simulation seurity of Π, we have H 0 H1. Claim We have H 1 H2. Proof. Let A be an adversary attempting to distinguish H 1 from H 2. We build an adversary A against the weak simulation seurity of Π that works exatly like the A from the proof of Claim 5.11, exept for how it handles queries x: if x / {x i }, then A responds with Π.PEval(pp 1, sk 1, x) + Π.Eval(pp 2, msk 2, x); otherwise, A queries x and reeives a response y, then responds with y + Π.Eval(pp 2, msk 2, x). It is straightforward to verify that if A is in experiment IdealWeakPPRF (respetively, IdealRealPPRF), then the view of A is idential to its view in H 1 (resp., H 2 ). So by weak simulation seurity of Π, we have H 0 H1. 21