Efficient Pseudorandom Functions from the Decisional Linear Assumption and Weaker Variants

Transcription

1 Efficient Pseudorandom Functions from the Decisiona Linear Assumption and Weaker Variants ABSTRACT Aison B Lewko University of Texas at Austin 1 University Station Austin, TX abishop@mathutexasedu In this paper, we generaize Naor and Reingod s construction of pseudorandom functions under the DDH Assumption [22] to yied a construction of pseudorandom functions under the decisiona k-linear Assumption, for each k 1 The decisiona Linear Assumption was first introduced by Boneh, Boyen, and Shacham in [5] as an aternative assumption for settings where the DDH probem is easy, such as biinear groups Shacham [25] and Hofheinz and Kitz [16] independenty introduced the generaized decisiona k- Linear Assumptions and showed that the decisiona (k + 1)- Linear probem is hard for generic groups even when the decisiona k-linear probem is easy It is thus desirabe to have constructions of cryptographic primitives based on the decisiona k-linear Assumption instead of DDH Not surprisingy, one must pay a sma price for added security: as k increases, our constructed functions become sighty ess efficient to compute and the key size increases (quadraticay in k) Categories and Subject Descriptors G3 [Probabiity and Statistics]: Random number generation Genera Terms Agorithms, Security, Theory 1 INTRODUCTION Pseudorandom functions were first defined by Godreich, Godwasser, and Micai [14] Informay, a pseudorandom Supported by Nationa Defense Science and Engineering Graduate Feowship Supported by NSF CNS , Air Force Office of Scientific Research (AFO SR) under the MURI award for Coaborative poicies and assured information sharing (Project PRESIDIO) Permission to make digita or hard copies of a or part of this work for persona or cassroom use is granted without fee provided that copies are not made or distributed for profit or commercia advantage and that copies bear this notice and the fu citation on the first page To copy otherwise, to repubish, to post on servers or to redistribute to ists, requires prior specific permission and/or a fee CCS 09, November 9 13, 2009, Chicago, Iinois, USA Copyright 2009 ACM /09/11 $1000 Brent Waters University of Texas at Austin 1 University Station Austin, TX bwaters@csutexasedu function ensembe is a coection of functions that can be efficienty samped and computed, but cannot be distinguished from random functions by a poynomia time adversary with ony back-box access We wi give a forma definition in the next section These cryptographic primitives have many appications (eg [3, 7, 12, 13, 19, 24, 27]) For exampe, a pseudorandom function is often substituted for a truy random function in an appication where true randomness woud be unacceptaby inefficient In private-key cryptography, a reativey short description of a pseudorandom function can be used as a private key, aowing parties who share this private key to send encrypted messages or verify each other s knowedge of the shared secret without needing to revea the secret itsef For appications of pseudorandom functions in private-key cryptography, see eg [7, 13, 19] Pseudorandom functions are aso used in pubic-key cryptography (eg [3, 12]), earning theory (eg [27]), and compexity theory (eg [24]) Motivation These numerous appications make it desirabe to have constructions of pseudorandom functions which are both efficient enough to be impemented in practice and based on we-estabished assumptions Godreich, Godwasser, and Micai gave the first construction of a pseudorandom function ensembe, known as the GGM-Construction [14] This construction reied ony on pseudorandom generators, which can be buit from any one-way function (as shown in [15]) In [22], Noar and Reingod gave two constructions of pseudorandom functions which are much more efficient to compute than the GGM functions One construction was based on the Decisiona Diffie-Heman Assumption (DDH) and the other was based on the assumption that factoring Bum integers is hard (See section 2 for the definition of the DDH Assumption) The DDH Assumption is a commony used assumption with severa attractive quaities Its appications incude the Diffie-Heman key-exchange protoco (the context in which DDH was introduced) [10], EGama encryption [11], Cramer-Shoup CCA-secure pubic key encryption [8], undeniabe signatures [6], verifiabe secret sharing [26], and many others Naor and Reingod gave a reduction between the worst-case and the average-case DDH probem, showing that it is either hard on average or easy even in the worst case 112

2 Though such a reduction gives credence to the beief that the DDH Assumption hods in groups where it is not known to be easy on average, there are groups where the DDH Assumption fais Most notaby, the DDH probem is easy in biinear groups In [20], Menezes, Okamoto, and Vanstone showed that there are subexponentia attacks on the discrete og probem in certain eiptic curve groups (supersinguar curves) which had been previousy been suggested for use in cryptographic systems This exampe shows that even we-estabished assumptions can be found to have surprising weaknesses in certain impementations Deveoping cryptographic primitives and systems based on progressivey weaker assumptions is therefore advantageous because it provides some protection against future advances in cryptanaysis There is evidence that groups exist in which the DDH probem is easy but the CDH probem (Computationa Diffie- Heman) is hard [17] In such groups, we might sti rey on the difficuty of computing discrete ogarithms, but we must avoid the DDH Assumption One aternative is the decisiona Linear Assumption, introduced by Boneh, Boyen, and Shacham [5] This assumption was generaized by Shacham [25] and Hofheinz and Kitz [16] to yied the decisiona k- Linear Assumptions, which we wi refer to simpy as the k-linear Assumptions for brevity The 1-Linear Assumption is DDH, and the 2-Linear Assumption is the Linear Assumption from [5] Both [16, 25] note that the (k+1)-linear Assumption hods in a generic group even when the k-linear probem is easy and give constructions of chosen-ciphertext secure cryptosystems based on the k-linear Assumption for any positive integer k Our Contribution We generaize the construction of Naor and Reingod to yied pseudorandom function ensembes based on the Linear and k-linear Assumptions We thus achieve added security, and we do so with reativey itte cost in efficiency It is not too difficut to see that a change to the Naor-Reingod construction is necessary if the DDH probem is easy The Naor- Reingod construction maps an n-bit string x =(x 1,,x n) into a cycic group G of prime order p generated by g A pseudorandom function f is specified by the group G, g, p, and n + 1 vaues in Z p denoted by a 0,a 1,,a n Naor and Reingod define: f G,p,g,a0,,a n (x) =(g a 0 x ) i =1 a i (1) If we have access to an agorithm A that soves the DDH probem with non-negigibe advantage, then we can distinguish such an f from a truy random function with nonnegigibe advantage as foows We query f on four inputs and obtain responses: f(1, 1,,1, 1) = B 1, f(1, 1,,1, 0) = B 2, f(0, 0,,0, 1) = B 3, f(0, 0,,0, 0) = B 4 If f is a Naor-Reingod pseudorandom function with key {G, p, g, a 0,,a n}, thenb 1 = g a 0a 1 a n, B 2 = g a 0a 1 a n 1, B 3 = g a 0a n,andb 4 = g a 0 We set g = B 4, g a = B 3, g b = B 2, and T = B 1 If f is pseudorandom, then g = g a 0, a = a n, b = a 1 a n 1, andt = g ab If f is truy random, then T is uniformy random Hence, when g, g a, g b, T are given to A as input, the output of A canbeusedto distinguish whether f is pseudorandomortruy randomwith non-negigibe advantage Our generaized construction and the proof of its security differ from the Naor-Reingod version in two primary ways First, the additiona compexity required to accommodate the weaker assumptions means that our functions can no onger be described by cosed-form formuas ike (1) Nonetheess, the additiona cost in computationa efficiency is rather sma Second, the Linear Assumption cannot be embedded into our construction as directy as the DDH Assumption is embedded in Naor-Reingod, so we must use two separate instantiations of the hybrid technique to prove the pseudorandomness of our construction instead of just one More specificay, the Naor-Reingod construction reies on a pseudorandom generator that doubes its input and arises very naturay from the DDH Assumption Obtaining a suitabe pseudorandom generator that doubes its input from the Linear Assumption is more difficut, and requires use of the hybrid technique We discuss this issue in more detai in section 3 Other Reated Work In practice, ad hoc designs of cryptographic primitives are often substituted for constructions which are proven to be secure under standard assumptions This may yied greater efficiency, but it has been shown to be very dangerous The potentia for compromising vunerabiities in ad hoc designs further motivates our search for efficient constructions of cryptographic primitives with accompanying proofs of security under weak assumptions Coision attacks against commony used hash functions ike MD5, SHA-0, and SHA-1 have recenty been demonstrated [4, 28] There is aso an ad hoc design of pseudorandom functions, known as TLS, that uses both SHA-1 and MD5 [9] This design is intended to be secure if both SHA-1 and MD5 are secure, but this is not rigorousy proven and it may be that both of these hash functions are vunerabe Beare, Canetti, and Krawczyk give two constructions, NMAC and HMAC, which are proven to be secure under the assumption that the underying hash function is suitaby secure [2], but it may sti be the case that an ad hoc hash function chosen for a practica impementation has previousy unknown weaknesses To impement our construction in practice, one must baance efficiency with security in the choice of the group where the k-linear Assumption wi be reied upon One usuay chooses the security parameters based on the best known attacks In particuar, if one chooses two arge primes p and q such that p divides q 1, we can work in a subgroup of order p in Z q The known attacks on the discrete ogarithm probem in this case incude Shanks baby-step giant-step agorithm [18] and Poard s rho method [23], both of which take O( p) time There is aso ( the index cacuus ) agorithm [1], which runs in time O 2 O( og q og og q) This is a subexponentia attack, but sti not poynomia time These known attacks mean that if we want roughy 80 bits of security in this group, we need to set the size of p to at east 160 bits and the size of q to at east 1024 bits Naor and Reingod additionay show that the agebraic simpicity of their construction impies that interactive zeroknowedge proofs can be given for statements of the form y = f s(x) and y f s(x) once the party computing the pseudorandom function f s has committed to the key s [22] 113

3 Micai, Rabin, and Vadhan define and construct verifiabe random functions [21], which have an even stronger property: the proofs of statements y = f s(x) do not require interaction or a trusted shared random string We wi not be concerned with such properties for our construction, as our primary goas are computationa efficiency and heightened security Organization In the next section, we formay define pseudorandom functions and the k-linear Assumptions We aso estabish a basic property shared by these assumptions that wi be usefu to us In section 3, we give our construction based on the Linear Assumption (the case k = 2) and prove it is pseudorandom In section 4, we generaize our construction to hod under the k-linear Assumption for each positive integer k and summarize the generaized proof In section 5, we summarize the important properties of our pseudorandom functions and anayze their performance In section 6, we briefy concude 2 BACKGROUND 21 Forma Definition of Pseudorandom Functions We give the definition that is provided in [22]: Definition 1 (efficienty computabe pseudorandom function ensembe) Let {A n,b n} be a sequence of domains and ranges and et F = {F n} n N be a function ensembe where each F n is a random variabe taking vaues in the set of functions from A n to B n Then F is an efficienty computabe pseudorandom function ensembe if it satisfies the foowing two conditions: 1 for every probabiistic poynomia time orace machine M, everyconstantc>0, and a but finitey many n s, Pr[M Fn (1 n )=1] Pr[M Rn (1 n )=1] < 1 n, c where R n is uniformy distributed over the set of a functions from A n to B n, 2 there exist probabiistic poynomia time agorithms I and V and a mapping φ from strings to functions such that φ(i(1 n )) and F n are identicay distributed (so F n can be efficienty samped) and V(i, x) =(φ(i))(x) (the samped function can be efficienty computed) We note that orace machine M in requirement 1 can know the description of the pseudorandom function ensembe, just not the key of the particuar function it is querying 22 The Decisiona k-linear Assumptions We define the Linear probem in a cycic group G of prime order p: giveng 0,g 1,g 2,g r 1 2,gr 0 0 G, distinguish whether r 0 = r 1+r 2 or is random The assumption is that no poynomia time agorithm can distinguish between these two cases of r 0 with non-negigibe advantage More formay, Definition 2 Linear probem in G: given g 0, g 1, g 2, g r 1 1, g r 2 2, gr 0 0 G, output yes if r0 = r1 +r2 and no otherwise The advantage of an agorithm A in deciding the Linear probem is defined to be: Adv A = Pr[A(g0,g1,g2,gr 1 2,gr 1+r 2 0 )=yes] Pr[A(g 0,g 1,g 2,g r 1 2,gr 0 0 )=yes], where g 0, g 1, g 2 are chosen uniformy randomy from G and r 1, r 2, r 0 are chosen uniformy randomy from Z p Definition 3 Linear Assumption in G: no poynomia time agorithm can achieve non-negigibe advantage in deciding the Linear probem in G We now define a generaization of the Linear probem For k 1, the k-linear probem in G is: Definition 4 k-linear probem in G: giveng 1, g 2,,g k, g 0, g r 1 1, gr 2 2,,gr k k, gr 0 0 G, output yes if r 0 = k i=1 ri and no otherwise Definition 5 k-linear Assumption in G: no poynomia time agorithm can achieve non-negigibe advantage in deciding the k-linear probem in G (The advantage of an agorithm A in deciding the k-linear probem is defined anaogousy to the Linear case above) We note that the 1-Linear probem is the Decisiona Diffie- Heman (DDH) probem and the 2-Linear probem is the Linear probem The DDH probem is usuay defined with different (though equivaent) notation: Definition 6 DDH probem: given g,g a,g b,t, output yes if T = g ab and no otherwise These generaized assumptions are usefu because they get weaker as k increases, in generic groups at east (this was proved in [16, 25]) In particuar, some k-linear Assumption might hod in a biinear group G where the DDH Probem is easy The k-linear probem aso has a hepfu property that we wi use ater: given a singe instance of the probem, one can randomy generate new instances (This was proved for the DDH probem in [22]) Lemma 1 Given g 1,,g k,g 0,g r 1 1,,gr k k,gr 0 0 G, one can generate g r 1 1,,gr k k,gr 0 0 such that r 1,,r k are uniformy random in Z p and r 0 = k i=1 r i if r 0 = k i=1 ri and is uniformy random otherwise Proof We pick e 0,e 1,,e k Z p uniformy randomy We then define r i = e 0r i + e i for i from 1 to k and r 0 = e 0r 0 + e e k We can aso write this as: r r e 0 r 1 e 1 r 2 r k 0 0 = 0 1 e k 1 r k r e k r If r 0 = k i=1 ri, then r 0 = k i=1 r i and r 1,,r k are uniformy random If r 0 k i=1 ri, then the square matrix on the eft of the above expression has a non-zero determinant and is invertibe over Z p (One can easiy show by induction on k that the determinant of this matrix is ( 1) k (r 0 r 1 r k )) Thus, any (k + 1)-tupe of vaues r 1,,r k,r 0 Z p can be uniquey formed by one setting of the vaues of e 0,e 1,,e k So r 1,,r k,r 0 are uniformy random Iterative appication of this emma aows us to generate any number of random instances of the k-linear probem from a singe instance As was noted for the DDH case in [22], we can use this emma and standard ampification techniques to show that the k-linear probem is either hard on average or easy even in the worst case 114

4 3 OUR CORE CONSTRUCTION Intuition The key observation behind the Naor-Reingod construction is that the DDH Assumption impies the existence of a pseudorandom generator that doubes its input We use the phrase pseudorandom generator somewhat oosey here, since their generator is not efficienty computabe without knowedge of secret parameters Specificay, a group eement g a is fixed, and this gives a generator G g,g a which takes in one random group eement, g b, and outputs two pseudorandom group eements: G g a(g b )=(g b,g ab ) (To compute this pseudorandom generator efficienty, one needs to know either a or b, but this does not pose a probem for their construction) This generator is then used aong with the GGM construction (which nests n copies of the generator for an n-bit input) to yied the Naor-Reingod construction More formay, the GGM construction takes a pseudorandom generator G that doubes its input and writes its output G(x) as(g 0 (x),g 1 (x)) A pseudorandom function f s : {0, 1} n {0, 1} n is then defined from a key s (which is a uniformy chosen n-bit string) by: f s(x) =G xn ( (G x 2 (G x 1 (s))) ) Naor and Reingod modify this sighty by using a different g a for the generator at each step: xn f a0,,a n (x) = G g an ( ( G x 1 g a 1 (g a 0 )) )=(g a 0 x ) i =1 a i We might hope to obtain a pseudorandom generator G from the Linear Assumption that doubes its input by defining G g0,g 1,g 2,g r 1 (gr 2 2 )=(gr 2 2,gr 1+r 2 0 ), but this does not work 1 because fixing r 1 makes this generator fai if DDH fais For exampe, suppose we receive four output pairs from this generator: (A, A ), (B,B ), (C, C ), (D, D ) We can set g = A/B, g b = C/D, g a = A /B, and T = C /D If these pairs were uniformy random in G 2,thenT woud be uniformy random Since these pairs come from our generator, we must have A = g r1 2 2,A = g r 1+r2 1 0,B = g r2 2 2,B = g r 1+r2 2 0,C = g r3 2 2,C = g r 1+r2 3 0,D = g r4 2 2,D = g r 1+r2 4 0 for some vaues r 1,r2,,r In this case, g = g r1 2 r2 2 2, b = r3 2 r4 2, a r2 1 r2 2 satisfies g2 a = g 0,andT = g ab This is a DDH tupe, so this generator is no more secure than DDH Instead, we can get a generator G from the Linear Assumption which takes in two random group eements, g r 1 2, and outputs 3 pseudorandom group eements: G g 0,g 1,g 2 (g r 1 2 )=(gr 1 2,gr 1+r 2 0 ) Pseudorandomness for this generator under the Linear Assumption foows from Lemma 7 Since this generator does not doube its input, we cannot simpy pug it into the GGM construction in the way that the Naor-Reingod construction is obtained There is a standard technique for taking a pseudorandom generator that ony sighty stretches its input size and obtaining a new pseudorandom generator that (eg) doubes its input size, but the proof that this generic approach maintains pseudorandomness assumes that the pseudorandom generator is efficienty computabe, whichoursisnot (Oneneedstoknowr 1 and r 2 in order to compute it, and if one knows r 1 and r 2, it is no onger pseudorandom) To overcome this difficuty, we proceed as foows We can rename g r 1 1 as A, g r 2 2 as B, and note that there exist c, d Z p such that g1 c = g 0 and g2 d = g 0 We rename g 1 as g c and g 2 as g d to refect this reationship (ie g c is defined to be g0 c 1 ) In this notation, our pseudorandom generator G, can be written as: ( G g 0,g c,g d (A, B) = A, B, A c B d) To modify this so that it doubes its input, we can simpy fix additiona vaues e, f Z p and define: ( ) G g0,g c,g d,g e,g f (A, B) = A, B, A c B d,a e B f One needs to know c, d, e, f in order to compute this generator, but this wi not pose a probem for our construction Perhaps more worrisome is that the Linear Assumption is no onger directy embedded in the generator Nonetheess, we can use a hybrid argument to show that sampes of outputs from this generator G are indistinguishabe from random under the Linear Assumption (This is accompished by Lemma 10 in the proof of security for our pseudorandom function ensembe beow) We wi use this pseudorandom generator aong with the GGM construction (modifying it ike Naor-Reingod) to obtain our construction 31 Construction We now construct our function ensembe F = {F n} n N and prove it is pseudorandom under the Linear Assumption Each F n is a set of functions from n-bit strings to a group G, where G is a cycic group of prime order p generated by g A function f F n is associated with a unique key consisting of G, g, p and 4n + 2 eements of Z p More formay, we give a Setup agorithm that constructs one of our pseudorandom functions and an Evauation agorithm that computes its vaue on a specified input string Setup(λ) SK Our Setup agorithm takes in a security parameter λ and chooses a group G of prime order p which is arge enough with respect to λ It then chooses a generator g of G and 4n + 2 uniformy random eements of Z p, denoted by y 0, z 0, y 1, z 1, w 1, v 1,,y n, z n, w n, v n It outputs: SK = {G, p, g, y 0,z 0,y 1,z 1,w 1,v 1,,y n,z n,w n,v n} We describe the Evauation agorithm for the function f associated with SK as foows We et x = x 1x 2 x n denote the input bit string Evauation(x, SK) f(x) Initiaize variabes a and b in Z p as a = y 0,b= z 0 For i from 1 to n do: If x i =0,seta = a and b = b If x i =1,seta = ay i + bz i and b = aw i + bv i Output f(x) =g a For the step when x i = 1, the new vaues of a and b are both defined in terms of the od vaues of a and b, ie we do not first update a and then use the updated vaue of a in updating b Technicay, our pseudorandom functions deviate sighty from definition 1, since different functions in F n wi have different groups as their ranges As Naor and Reingod note, this does not pose a probem in many 115

5 appications Aternativey, one can get a of the functions in F n to have the same range by using suitabe famiies of hash functions [22] We note that our Evauation agorithm is very efficient: it performs at most 4n mutipications in Z p,2n additions in Z p, and one exponentiation in G This construction is a generaization of the construction in [22], which was proven to be pseudorandom under the DDH Assumption In the next section, we wi further generaize the construction to be pseudorandom under the k-linear Assumption for each k 1 But first, we give a proof for this specia case of k =2 32 Security Theorem 2 Under the Linear Assumption, this function ensembe is pseudorandom Proof We first note that f can be equivaenty defined by the foowing (ess efficient) agorithm: Inefficient Evauation(x, SK) f(x) Initiaize variabes A and B in G as A = g y 0,B = g z 0 For i from 1 to n do: If x i =0,setA = A and B = B If x i =1,setA = A y i B z i and B = A w i B v i Output f(x) =A We note that one woud not actuay compute f this way in practice, but using this agorithm yieds the same function vaues as the more efficient agorithm we gave above (To see this, note that A has repaced g a and B has repaced g b We are simpy performing exponentiations now as we go aong instead of waiting unti the end) We describe f in this aternative way because it is more convenient for our proof, and it aso reveas the reationship between our construction and the GGM construction We reca that we defined our pseudorandom generator G as: ( ) G g0,g c,g d,g e,g f (A, B) = A, B, A c B d,a e B f We can now see that our construction is formed by using G in the GGM construction, where at each eve we use a new c, d, e, f Wecanwritef(x) equivaentyas: G xn g,g yn,g zn,g wn,g vn ( (G x 1 g,g y1,g z1,g w1,g vn (g y 0,g z 0 )) ) We prove this is a pseudorandom function famiy using the hybrid technique We begin by defining a sequence of games: Game 0, Game 1,, Game n Each game consists of a chaenger and an attacker The attacker can query the chaenger for vaues of a function on inputs x = x 1 x n that it chooses Game j The chaenger fixes random vaues y j+1,z j+1,w j+1,v j+1,,y n,z n,w n,v n Z p The chaenger answers queries for input x s by setting A and B to be random functions of the first j bits of the input and then foowing the iterative procedure above for i from j +1to n It then outputs the fina vaue of A as the answer to the query The attacker must output either 0 or 1 We note that in Game 0, the chaenger is impementing a function from our function famiy and in Game n, the chaenger is impementing a truy random function Thus, our function famiy is pseudorandom if and ony if Game 0 cannot be distinguished from Game n (with non-negigibe advantage) by any poynomia time attacker So if our functions are not pseudorandom, then there exists a probabiistic agorithm D which can distinguish Game 0fromGamen In other words, we suppose Pr[D =1 Game n] Pr[D =1 Game 0] = ɛ, where ɛ>0 is non-negigibe We then observe: n 1 ɛ = Pr[D =1 Game j +1] Pr[D =1 Game j] j=0 By the triange inequaity, this impies that there exists j such that: Pr[D =1 Game j +1] Pr[D =1 Game j] ɛ n ɛ Since ɛ is non-negigibe, is non-negigibe So we can assume that D aso distinguishes some pair of adjacent games n j and j +1 The heart of our construction is the pseudorandom generator which takes input A, B and expands it to 4 eements: A, B, A y i B z i,a w i B v i We wi first show that if our construction is not pseudorandom, then this generator is not pseudorandom either More precisey, we wi show that if there is a probabiistic agorithm D abe to distinguish Game j from Game j +1 for some j, then there is another probabiistic agorithm M which can distinguish sampes of the form (A, B, A y i B z i,a w i B v i ) from uniformy random 4- tupes To state this formay, we define two additiona games We ca them Game 1 and Game 3 because they wi ater appear as parts of a three game hybrid Game 1 An attacker queries the chaenger for 4-tupes in G Each time the chaenger responds by sending a new 4-tupe (A, B, C, D) uniformy chosen in G 4 Game 3 An attacker queries the chaenger for 4-tupes in G The chaenger chooses eements y,z, w, v uniformy from Z p and keeps these fixed For each query, the chaenger chooses eements A, B uniformy from G and responds with (A, B, A y B z, A w B v ) Lemma 3 Suppose there is an agorithm D such that Pr[D =1 Game j +1] Pr[D =1 Game j] ɛ Then there exists an agorithm M such that Pr[M =1 Game 1] Pr[M =1 Game 3] ɛ Proof Suppose that M receives t 4-tupes (A 1,B 1,C 1,D 1),,(A t,b t,c t,d t), where t is an upper bound on the number of queries that D makes These 4-tupes are either a uniformy random in G G G G, or A i,b i are uniformy random and C i = A y i Bz i,d i = A w i Bi v for a i (Note that y,z, w, v are fixed and do not change with i) It is M s task to distinguish 116

6 between these two cases M wi accompish this task by simuating the chaenger in Game j or Game j + 1and caing on D M starts the simuation by choosing y j+2, z j+2, w j+2, v j+2,,y n, z n, w n, v n Z p randomy When D queries M with input x = x 1 x n, M defines (x) :{0, 1} j [t] to be an injective function of the first j bits of x Ifx j+1 =0, M sets A = A (x) and B = B (x) (these vaues are taken from the 4-tupes M has been given) If x j+1 =1,M sets A = C (x) and B = D (x) M then foows the iterative procedure from our construction for steps j +2 to n and outputs the fina vaue of A We note that if the 4-tupes M has received are uniformy random, then M has simuated game j +1 Ifinstead C i = A y i Bz i,d i = A w i Bi v for a i, thenm has simuated game j with y j+1 = y, z j+1 = z, w j+1 = w, andv j+1 = v SoifM outputs 1 when D outputs 1, we have: Pr[M =1 Game 1] Pr[M =1 Game 3] = Pr[D =1 Game j +1] Pr[D =1 Game j] = ɛ To compete our proof of Theorem 8, we show that the existence of such an M vioates the Linear Assumption To do this, we once again use the hybrid technique This time, we ony need 3 games Games 1 and 3 are defined as before, but we incude them beow for competeness Game 1 M is given sampes of the form (A, B, C, D) whichare uniformy random in G 4 Game 2 M is given sampes of the form (A, B, A y B z, D), where A, B, D are uniformy random in G and y, z are fixed Game 3 M is given sampes of the form (A, B, A y B z, A w B v ) where A, B are uniformy random in G and y,z, w, v are fixed We suppose that Pr[M =1 Game 1] Pr[M =1 Game 3] = ɛ This means that at east one of the foowing must hod: (1) Pr[M =1 Game 1] Pr[M =1 Game 2] ɛ 2, (2) Pr[M =1 Game 2] Pr[M =1 Game 3] ɛ 2 Lemma 4 If either (1) or (2) hods, then there exists an agorithm N with Adv N ɛ in deciding the Linear probem 2 Proof We suppose that (1) hods (ie M can distinguish between Game 1 and Game 2) We wi show how to define the agorithm N to break the Linear Assumption The Linear chaenger gives N an instance g 0,g 1,g 2,g r 1 2,gr 0 0 G of the Linear probem N cas M EachtimeM requests a 4-tupe, N uses Lemma 1 to generate a new instance of its Linear probem From this instance, g 0,g 1,g 2,g r 1 1,gr 2 2,gr 0 0 G, N creates a 4-tupe (A, B, C, D) by setting A = g r 1 1, B = g r 2 2, C = gr 0 0, and setting D randomy If the origina r 0 is uniformy random, then the Linear attacker has simuated Game 1 If r 0 = r 1 + r 2, then the Linear attacker has simuated Game 2 with y and z such that g y 1 = g0 and g2 z = g 0 (Note that these vaues of y and z are uniformy random in Z p because g 0,g 1,g 2 were chosen uniformy randomy from G) Hence, if N outputs yes when M outputs 1, we wi have: Pr[N = yes r R 0 Z p] Pr[N = yes r 0 = r 1 + r 2] = Pr[M =1 Game 1] Pr[M =1 Game 2] ɛ 2 Simiary, if (2) hods (ie M can distinguish between Game 2 and Game 3), then N sets y and z randomy and generates 4-tupes (A, B, C, D) by setting A = g r 1 1,B = g r 2 2,C = Ay B z,d = g r 0 0 If r0 is random, this is Game 2 If r 0 = r 1 + r 2, this is Game 3 In both cases, we have shown that we obtain an N such that Pr[N = yes r R 0 Z p] Pr[N = yes r 0 = r 1 + r 2] ɛ 2 Putting it a together, we have shown that if our function ensembe is not pseudorandom, then there exists a probabiistic agorithm N which has non-negigibe advantage in deciding the Linear probem Hence, if the Linear Assumption hods, our function ensembe is pseudorandom This competes our proof of Theorem 8 4 OUR GENERALIZED CONSTRUCTION 41 Construction We now generaize the construction of the previous section to create a function ensembe which is pseudorandom under the k-linear Assumption, for each k 1 We note that for k = 1, this is precisey the construction of [22] which was proven under the DDH Assumption (aka the 1-Linear Assumption) We wi denote our function ensembe by F k = {F n} Each function in F n is a function from {0, 1} n to a group G of prime order p generated by g Thekeyspecifying a function f F n consists of G, p, g and k 2 n + k eements of Z p: Setup(λ) SK Our Setup agorithm takes in a security parameter λ and chooses a group G of prime order p which is arge with respect to λ It then chooses a generator g of G and k 2 n + k uniformy random eements of Z p, denoted by c m,b i m, where 1 m, k, and1 i n It outputs: SK = {G, p, g, c m,b i m, : i [n], (m, ) [k] [k]} Here, [n] denotes the set {1, 2,,n} and [k] denotes the set {1, 2,,k} (The i s are superscripts, and do not denote exponentiations) To define and compute f(x) forthe function f corresponding to SK, we use the foowing Evauation agorithm: 117

7 Evauation(x, SK) f(x) Initiaize variabes a 1 = c 1,,a k = c k in Z p For i from 1 to n do: If x i =0,seta m = a m for each m [k] If x i =1,seta m = k =1 a b i m, for each m [k] Output f(x) =g a 1 We note that the output is aways one group eement whie the key size grows quadraticay in k To compute the a vaue f(x), we ony need to do one exponentiation in G, perform k 2 n mutipications in Z p,and (k 1)kn additions in Z p 42 Security Theorem 5 For each k 1, if the k-linear Assumption hods, then F k is a pseudorandom function ensembe Proof The proof is essentiay the same as the proof of Theorem 8 Again, we first give an equivaent definition of f using a ess efficient agorithm This woud not be used in practice, but is more convenient for use in the proof Inefficient Evauation(x, SK) f(x) Initiaize variabes A 1 = g c 1,,A k = g c k in G For i from 1 to n do: If x i =0,setA m = A m for each m [k] If x i =1,setA m = k =1 Abi m, for each m [k] Output f(x) =A 1 We define a sequence of games, Game 0 through Game n Each game has a chaenger and an attacker who makes function queries Game j The chaenger fixes vaues b i m, Z p for (m, ) [k] [k] and i from j +1 to n To respond to a query, the chaenger sets A 1,,A k as a random function of the first j bits of the input and then foows the iterative procedure above for bits j +1ton If our function famiy F n is not pseudorandom, this impies there exists an attacker D who can distinguish between two consecutive games j and j + 1 with non-negigibe advantage Using the same argument as in the proof of Theorem 8, we note that D canbeusedtodefineanattackerm who receives 2k-tupes of the form (A 1,,A k,b 1,,B k ), where either these tupes are uniformy chosen from G 2k or (A 1,,A k ) is uniformy chosen from G k and each B m = k =1 Ab m, for fixed vaues b m, M wi distinguish between these two cases with non-negigibe advantage We wi show that such an M can be used to break the k-linear Assumption using a hybrid argument We define new Games 0 through k Game j M is given input tupes of the form (A 1,,A k, B 1,, B j,b j+1,,b k ), Computation time 1 exponentiation in G + k 2 n mutipications in Z p Private key storage k 2 n + k eements of Z p + G, g, p Computationa storage 2k eements of Z p + og p eements of G Tabe 1: Properties of our construction where A m s and B m s are chosen uniformy randomy from G and B m is equa to k =1 Ab m, for some fixed vaues b m, Since M distinguishes between Game 0 and Game k, it must distinguish between some Game j and Game j +1 with non-negigibe advantage (assuming k is poynomia in the security parameter) A k-linear attacker can then use M as foows First, upon receiving one instance of the k-linear Probem from the k-linear chaenger, g 0,g 1,,g k,g r 1 1,,gr k k,gr 0 0, the k-linear attacker generates t instances with the same g 0,,g k but different r 0,,r k vaues using Lemma 2 repeatedy The i th instance is then used to generate the i th tupe to send to M In the tupe, A m = g r m m for m from 1 to k Then b m, are chosen randomy from Z p for from 1 to k and m from 1 to j Form from 1 to j, Bm = k =1 Ab m, The j + 1 eement of the tupe is set to g r 0 0 Eements B j+2,,b k are then chosen randomy from G If r 0 = r r k, then the j + 1 eement of the tupe is B j+1 = k =1 Ab j+1,,whereb j+1, satisfies g b j+1, = g 0 If r 0 is random, then the j + 1 eement of the tupe is a random eement B j+1 Hence, when M correcty distinguishes between Game j and Game j + 1, it wi aow the k-linear attacker to distinguish r 0 = r 1+ +r k from random Thus, our function ensembe is pseudorandom under the k-linear Assumption 5 DISCUSSION AND PERFORMANCE The primary advantage of our construction is an increase in security with ony a sma cost in efficiency We summarize the reevant properties of our construction in Tabe 1 (with domain {0, 1} n under the k-linear Assumption) The 2k eements of Z p in the computationa storage come from the fact that we must retain a of the od vaues of the a i s in our efficient agorithm whie we are computing the updated ones The og p eements of Z q come from preprocessing: we compute and store the vaues of g 2i mod q for i from0toogp andusethesetosavetimeincomputing the fina exponentiation We do not incude the private key in our computationa storage because we have isted it separatey We impemented our construction in a subgroup <g>of order p in Z q,whereq is a 1024-bit prime and p is a 160- bit prime dividing q 1 We used 160-bit inputs (ie n = 160) We chose a random key and computed our function on randomy chosen inputs Tabe 2 shows our running times as a function of the parameter k If we approximate these times with a quadratic poynomia using a east squares fit, we get the poynomia k +3957k 2 Tabe 2 aso demonstrates how cosey our times mimic this function 118

8 k microseconds k +3957k Tabe 2: Running times for n = 160 and 1 function evauation Our impementation was programmed in C using the GNU Mutipe-Precision Library (GMP) It was run on an Inte Core GHz PC running the Ubuntu (Linux-based) operating system and compied with gcc 424 The efficient Evauation agorithm given above is essentiay pseudocode for our impementation (we aso pre-computed the vaues of g 2i for i from0toogp to speed up the fina exponentiation) These actua times are ess important than the genera behavior they demonstrate: for sma vaues of k, thequadratic growth in the computation time is rather muted by the constant factor, so the increase in running time caused by increasing k is very mid In particuar, one can increase k from 1 to 2 to rey on the Linear Assumption instead of DDH, and the running time is ony increased by a factor of roughy 1255 We note that the output of our construction (based on the k-linear Assumption) coud be expanded to k eements, A 1 = g a 1,,A k = g a k Pseudorandomness sti hods for this arger output by the same proof There is a cost in efficiency: computing the arger output takes k exponentiations in G instead of just one However, if one needs to generate more pseudorandom output eements, then it is more efficient to use the version with k outputs instead of computing the version with one output on k different inputs This is because the computations in Z p are then done ony once instead of k times 6 CONCLUSION We have constructed reativey efficient pseudorandom functions and proven their security under the progressivey weaker k-linear Assumptions Our proof reies on a nove appication of two hybrid arguments to accomodate the weaker assumptions An increase in the vaue of k eads to an increase in security (for generic groups at east) and ony a mid quadratic increase in running time and private key size Thus, we have made progress towards the important goa of providing provaby secure aternatives to ad hoc constructions without sacrificing too much efficiency 7 ACKNOWLEDGEMENTS We thank Drake Dowsett for hep with programming our impementation and the anonymous reviewers for their hepfu comments 8 REFERENCES [1] L Ademan A subexponentia agorithm for the discrete ogarithm probem with appications to cryptography In Proceedings of the 20th IEEE Foundations of Computer Science Symposium, voume 2656, 1979 [2] MBeare,RCanetti,andHKrawczykKeyinghash functions for message authentication In Advances in Cryptoogy - CRYPTO 96, voume 1109 of LNCS, pages 1 16 Springer, 1996 [3] M Beare and S Godwasser New paradigms for digita signatures and message authentication based on non-interactive zero knowedge proofs In Advances in Cryptoogy - CRYPTO 89, voume 435 of LNCS, pages Springer, 1990 [4] E Biham, R Chen, A Joux, P Carribaut, C Lemuet, and W Jaby Coisions of sha-0 and reduced sha-1 In Advances in Cryptoogy - EUROCRYPT 2005, LNCS [5] D Boneh, X Boyen, and H Shacham Short group signatures In Advances in Cryptoogy - CRYPTO 2004, voume 3152 of LNCS, pages Springer, 2004 [6] S Brands An efficient off-ine eectronic cash system based on the representation probem 1993 [7] G Brassard Modern cryptoogy voume 325 of LNCS Springer, 1988 [8] R Cramer and V Shoup A practica pubic key cryptosystem provaby secure against adaptive chosen ciphertext attack In Advances in Cryptoogy - CRYPTO 98, voume 1462 of LNCS, pages Springer, 1998 [9] T Dierks and C Aen The ts protoco version 10 rfc 2246 January 1999 [10] W Diffie and M Heman New directions in cryptography In IEEE Transactions in Information Theory, voume 22, pages , 1976 [11] T EGama A pubic-key cryptosystem and a signature scheme based on discrete ogarithms In Advances in Cryptoogy - CRYPTO 84, voume 196 of LNCS, pages Springer, 1985 [12] O Godreich Two remarks concerning the godwasser-micai-rivest signature scheme In Advances in Cryptoogy - CRYPTO 84, voume 263 of LNCS, pages Springer, 1987 [13] O Godreich, S Godwasser, and S Micai On the cryptographic appications of random functions In Advances in Cryptoogy - CRYPTO 84, voume 196 of LNCS, pages Springer, 1985 [14] O Godriech, S Godwasser, and S Micai How to construct random functions In Journa of the ACM, voume 33, pages , 1986 [15] J Hastad, R Impagiazzo, L A Levin, and M Luby Construction of a pseudo-random generator from any one-way function In SIAM Journa on Computing, voume 28, pages , 1999 [16] D Hofheinz and E Kitz Secure hybrid encryption from weakened key encapsuation In Advances in Cryptoogy - CRYPTO 2007, voume 4622 of LNCS, pages Springer, 2007 [17] A Joux and K Nguyen Separating decision diffie-heman from computationa diffie-heman in cryptographic groups In Journa of Cryptoogy, voume 16, pages , September 2003 [18] D E Knuth In The Art of Computer Programming, voume 3, pages ,

9 [19] M Luby In Pseudo-randomness and appications Princeton University Press, 1996 [20] A Menezes, T Okamoto, and S Vanstone Reducing eiptic curve ogarithms to ogarithms in a finite fied In IEEE Transactions on Information Theory, voume 39, pages , 1993 [21] S Micai, M Rabin, and S Vadhan Verifiabe random functions In Proceedings of 40th Annua Symposium on Foundations of Computer Science, pages , 1999 [22] M Naor and O Reingod Number-theoretic constructions of efficient pseudo-random functions In 38th Annua Symposium on Foundations of Computer Science, pages , 1997 [23] J Poard Monte caro methods for index computations ( mod p) In Mathematics of Computation, voume 32, pages , 1978 [24] A Razborov and S Rudich Natura proofs In Journa of Computer and System Sciences, voume 55, pages 24 35, 1997 [25] H Shacham A cramer-shoup encryption scheme from the inear assumption and from progressivey weaker inear variants 2007 [26] M Stader Pubicy verifiabe secret sharing In Advances in Cryptoogy - EUROCRYPT 96, voume 1070 of LNCS, pages Springer, 1996 [27] L Vaiant A theory of the earnabe In Communications of the ACM, voume 27, pages , 1984 [28] X Wang and H Yu How to break md5 and other hash functions In Advances in Cryptoogy - EUROCRYPT 2005, voume 3494 of LNCS, pages Springer,