Pairing-Based Verifiable Random Functions Yevgeniy Dodis New York University.


2 Pairing-Based Verifiable Random Functions Yevgeniy Dodis New York University

3 Random Oracle Model [BeRo92]
(Figure: Laura sends x to the Oracle and receives H(x).)
Laura: "I trust you, Oracle. Thank you for sending the correct, truly random value H(x)."

4 Random Oracle Model (cont.)
Idealized model of computation
Assumes a truly random function H: {0,1}* -> {0,1}^k
– H is publicly available / verifiable / transferable / random
Has found a gigantic number of applications, including many where no standard solution is known
Problem: random oracles do not exist (disclaimer: not counting SHA1/MD5 and the like)
– The danger can be formalized [CGH98, …]
Challenge: can we provably eliminate the RO? (to the maximum extent possible)

5 Alternatives
Verifiable Random Functions (VRFs) [MRV99, Lys02, Dod03, DY05]
Distributed PRFs (DPRFs) [MiSi95, NPR99, Nie02]
Distributed VRFs (DVRFs) [Dod03, DY05]
Pseudorandom Functions (PRFs) [GGM86, NaRe97]
This talk

6 Pseudorandom Functions (PRF)
(Figure: Laura sends x to a TTT holding the secret SK and receives F_SK(x).)
Oded is just an efficient and indistinguishable implementation of Phil
– F is not (pseudo)random to Oded
– Laura can't check its correctness or convince outside parties
Laura: "Your value F_SK(x) looks random to me. But I'm not sure it's correct, and can't convince anybody else."

7 Current PRFs
Based on block ciphers (CBC-MAC, HMAC, …)
– Very fast and useful in symmetric-key crypto
– Ad-hoc security
– Not applicable for protocols
– Not applicable for distributed computation
Based on number theory (Naor-Reingold, …)
– Nicer assumptions, more elegant
– Applicable for protocols
– Can be distributed
– Slow and inefficient: uses one exponentiation and one secret key per input bit

8 Naor-Reingold PRF
Say G is a group of prime order q.
NR_{g,a[1],…,a[k]}(x[1],…,x[k]) = g^{∏ a[i] over all i such that x[i]=1}
– x = path on a binary tree
– Root is g
– Going left = do nothing
– Going right = raise to a[i]
– Here g ∈ G and a[i] ∈ Z_q are random (and secret)
– Theorem [NR97]: NR is a PRF under DDH in G.
– Under DDH, all nodes look random and independent…
Toy example: k = 6, x = 011011. The path is g, g, g^{a[2]}, g^{a[2]a[3]}, g^{a[2]a[3]}, g^{a[2]a[3]a[5]}, g^{a[2]a[3]a[5]a[6]}.

9 Question 1
Can we build a number-theoretic PRF which does not process the input bit-by-bit?
– Stay tuned…

10 PRFs Give No Verifiability
(Figure: Laura sends x to the TTT and gets back F_SK(x)+5.)
George W is trusted not only to keep SK secret, but also to give the correct function value. To check the correctness of F(x), Laura needs to ask George again (and again).
"There's a huge trust. I see it all the time when people come up to me and say, 'I don't want you to let me down again.'" (Boston, Massachusetts, October 3, 2000)
"I think if you know what you believe, it makes it a lot easier to answer questions. I can't answer your question." (Reynoldsburg, Ohio, October 4, 2000)

11 Non-interactive lottery [MR02]
Lottery organizer has a secret function F_SK(·)
Each participant chooses a lottery ticket x and sends it to the organizer
(Figure: tickets x_1 = 3, x_2 = 8, x_3 = 5 are sent to the organizer holding F_SK(·).)

12 Non-interactive lottery (cont.)
Organizer computes y = F_SK(x) for each x he receives
The value y somehow determines if the user wins; e.g., the user wins $100 if his y is prime
(Figure: F_SK(3) = 10, F_SK(8) = 11, F_SK(5) = 15.)

13 Non-interactive lottery (cont.)
This scheme almost works, except…
Problem 1: we must ensure that users cannot bias the lottery; i.e., F_SK(x) should look random and unpredictable
– A regular PRF is enough
Problem 2: what stops the organizer from lying about the true F_SK(x) value?
– Need verifiability (and uniqueness!)
– Leads to VRFs!

14 Verifiable Random Functions (VRF)
(Figure: Laura sends x to a Semi-TTT holding the secret SK and the public PK, and receives F_SK(x), π_SK(x).)
Michael is just an efficient and indistinguishable implementation of Phil
– F is not (pseudo)random to Michael
– However, Laura can check its correctness and convince outside parties
Laura: "Using PK and the proof π_SK(x), I can see that F_SK(x) is correct. Without the proof, it would look random."

15 Verifiable Random Functions [MRV99]
PRFs with a special property:
– in addition to the secret key SK, there is also a public key PK
– the holder of the VRF's SK can produce a proof π_SK(x) that y = F_SK(x), for a unique y
– security (figure): Adv gets PK, queries x_1, x_2, … and receives F_SK(x_i), π_SK(x_i); it outputs a challenge z and receives y := y_b, where y_0 := F_SK(z), y_1 := random and b is a random bit; it may keep querying x_i and finally outputs b'. Secure VRF if Pr[b' = b] ≈ ½.

16 Applications
VRFs are unique signatures
– intuitively, VRF = PRF + signature
Lottery application [MR02]
Verifiable KDC, long-term encryption [NPR99]
A tool in protocol design:
– Three-round resettable ZK [MR01]
– Verifiable Transaction Escrow [JS04]
– Efficient E-Cash [CHL05] (needs a PRF with special properties, such as having efficient ZK proofs)

17 Compact e-cash [CHL05]
Offline anonymous e-cash scheme.
– A user can withdraw a wallet of 2^l coins from the bank and later spend them.
In the best known schemes, withdraw and spend operations take O(2^l · k) time (k = security parameter).
At EuroCrypt 05, [CHL05] used the [DY05] VRF to construct a scheme whose withdraw/spend operations take O(l + k) time.
– Also have an O(l · k) scheme using the VRF variant of [Dod03] (more convenient for ZK)
A PRF sufficed, but needed a nice algebraic structure to do efficient ZK proofs!

18 Constructing VRFs
Comparison (columns: MRV99 | Lys02 | Dod03 | DY05)
Pairing-based? | no | yes | yes | yes
Short proofs/keys | no | no (bit-by-bit) | no (bit-by-bit) | yes
Mapping of inputs | yes (primes) | yes (codes) | yes (codes) | no
Expensive VUF->VRF | yes | yes | no | no
Distributed | no | no | yes | yes
Good for protocols? | no / maybe / yes, left to right (two adjacent columns share a cell on the slide)
Practical? | no / hmm… / yes, left to right (two adjacent columns share a cell on the slide)

19 Constructing VRFs
(Same comparison table as slide 18, shown again. The "Short proofs/keys" row, where only DY05 avoids bit-by-bit processing, resolves Question 1.)

20 VUF to VRF Transformation
First, get a nice and elegant VUF construction
– A verifiable unpredictable function is just like a VRF, except that it is only hard to compute any new value
Expensive generic VUF -> VRF transform:
(a) Goldreich-Levin to get a VRF: (log n) -> 1 bit. Also a terrible exact security loss…
(b) Several such (a)s to get |input| |output|
(c) Another tree-based construction on (a)+(b) to get a large input and a small output
(d) Several such (a)+(b)+(c)s to get a large output
Results in a very bulky and inelegant VRF
– Stay tuned for better efficiency with pairings!

21 Constructing VRFs
(Same comparison table as slide 18, now including the "Distributed", "Good for protocols?" and "Practical?" rows.)

22 Roadmap for Constructions
Work in groups where DDH is easy
– VUF under a CDH-like assumption [Lys02]
– Full power of pairings not needed yet…
Two ways of avoiding Goldreich-Levin:
– Encoding + decisional assumption [Dod03]
– Use pairings explicitly! (with a new assumption): set VRF_SK(x) = e(VUF_SK(x), g)
Direct construction with pairings [DY05]
– Simple and efficient VUF based on [BB04]
– Still set VRF_SK(x) = e(VUF_SK(x), g), but for a more efficient VUF!

23 Using DDH-easy Groups
Recall NR_{g,a[1],…,a[k]}(x[1],…,x[k]) = g^{∏ a[i] over all i such that x[i]=1}
Problem: nobody can verify
(Figure: for x = 011011 the path g, g, g^{a[2]}, g^{a[2]a[3]}, g^{a[2]a[3]}, g^{a[2]a[3]a[5]}, g^{a[2]a[3]a[5]a[6]} = NR(011011), with the public values h^{a[1]}, …, h^{a[6]} next to the tree levels.)
But assume DDH is easy!
– Publish PK = (g, h, h^{a[1]}, …, h^{a[k]})
– π(x) = all children of NR(x)
– Use DDH and the public key to test all consecutive children
Get verifiability, but what about pseudorandomness?
– No! Say, NR(0^k) = g, or [NR(x0), NR(x1), NR(z0), NR(z1)] form a DDH tuple for any x, z
– What do we do?

24 Option 1: settle for a VUF [Lys02]
NR(x) still seems to be hard to compute, even if DDH is easy (modulo the triviality: append 1 to each input)
Need a CDH-like assumption in DDH-easy groups (called generalized CDH)
Notation:
– Given x, let 1_x = {i | x[i] = 1}
– Given g, a[1], …, a[L] and a set I ⊆ {1…L}, let Exp(I) = g^{∏ a[i] over all i ∈ I}
– E.g., NR(x) = Exp(1_x) (we'll use Exp(1_{x1}))

25 Generalized CDH of order L
G satisfies gCDH of order L if: Adv is given oracle access to Exp(I) for I ⊆ {1..L}; it queries I_1, I_2, … and receives Exp(I_1), Exp(I_2), …; it finally outputs (J, v) with J ∉ {I_1, …, I_m}, and Pr[v = Exp(J)] = negl.

26 VUF under gCDH [Lys02]
Tautological if we set the order L = k+1
– Note: [NR] needed gDDH. Luckily, DDH implies gDDH [STW]
Most work in [Lys02]:
– Reduce the order to O(log k) (note: L = 2 gives CDH)
– Force Adv to forge J = {1..L} (the full set)
– Reason: allows making the assumption non-interactive
Clever use of an encoding C: {0,1}^k -> {0,1}^L
– Set NR^C_{g,a[1],…,a[L]}(x[1],…,x[k]) = Exp(1_{C(x)})
– Choose a special C to make this work for L = O(k)
– Turns out we need an error-correcting code
Instead, we'll use the encoding for a different reason:
– to get a direct VRF, without going through a VUF! [Dod03]

27 Option 2: Use Encoding [Dod03]
As before, use an encoding C: {0,1}^k -> {0,1}^L and NR^C_{g,a[1],…,a[L]}(x[1],…,x[k]) = Exp(1_{C(x)})
Reasoning: almost as efficient as C = identity when L is close to k, but a lot of freedom…
– For example, [NR^C(x0), NR^C(x1), NR^C(z0), NR^C(z1)] do not have to form a DDH tuple for a lot of C, x, z…
– In fact, if there are no DDH tuples among {Exp(1_{C(x)})}, for all we know NR^C might be a PRF despite DDH being false!
– And if there are no DDH tuples including a leaf even when we add the proofs (root-leaf paths for different leaves), then we might get a VRF…
Leads to sum-free DDH [Dod03]

28 Sum-Free DDH of order L
G satisfies sf-DDH of order L if: Adv is given oracle access to Exp(I) for I ⊆ {1..L}; it queries I_1, I_2, … and receives Exp(I_1), Exp(I_2), …; it outputs a challenge J and receives y := y_b, where y_0 := Exp(J), y_1 := random and b is a random bit; it may keep querying I_i (receiving Exp(I_i)) and finally outputs b'. Requirement: Pr[b' = b] ≈ ½ whenever no J_1, J_2, J_3 ∈ {I_1, …, I_m} exist making [Exp(J), Exp(J_1), Exp(J_2), Exp(J_3)] form a DDH tuple.

29 Using sf-DDH [Dod03]
Intuitively, says that everything is random unless a DDH tuple is found
Challenge: build encodings C forcing the VRF attacker to respect the sum-free restriction
Theorem [Dod03] (view a k-bit x as an element of GF(2^k)):
– If C(x) = x^3 ∘ x, then NR^C is a PRF under the sf-DDH assumption of order 2k (no need for DDH to be easy yet)
– If C(x) = x^3 ∘ x ∘ 1 ∘ x ∘ 1 and DDH is easy, then NR^C is a VRF under the sf-DDH assumption of order 3k+3
– Both orders can be reduced to O(log k) using ECCs: allows getting a non-interactive assumption this way…
So far no need to use pairings explicitly…

30 Building a PRF from sf-DDH
Lemma: if C is such that C(x_1) + C(x_2) ≠ C(x_3) + C(x_4), then NR^C is a PRF under sf-DDH of order L
Suffices to construct a 4-wise independent C:
– For no x_1, x_2, x_3, x_4 do we have C(x_1) ⊕ C(x_2) ⊕ C(x_3) ⊕ C(x_4) = 0
– Such constructions are well known from coding theory (parity-check matrix of BCH codes of distance 5) and derandomization
Example: view {0,1}^k as GF(2^k). Let L = 2k and C(x) = x^3 ∘ x.
– Very simple and efficient encoding
Theorem: If C(x) = x^3 ∘ x, then NR^C is a PRF under the sf-DDH assumption of order 2k
Problem: order 2k is too large. Can we get O(log k)?
– Yes, put an outer linear error-correcting code E: C'(x) = E(C(x))
– Similar to [Lys02] for constructing a VUF
Punchline: a simple PRF under sf-DDH of order O(log k) (note: don't need DDH to be false yet…)
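Added example, not code from the slides: the Naor-Reingold tree walk of slide 8 together with the [Dod03] encoding C(x) = x^3 ∘ x over GF(2^k), plus a brute-force check of the 4-wise independence the lemma above needs, contrasted with the identity encoding. GF(2^4), its irreducible polynomial, the order-11 subgroup of Z_23^* and the secret exponents are constructed toy values.

```python
# Added example, not code from the talk: Naor-Reingold evaluation as a walk
# down the binary tree, plus the [Dod03]-style encoding C(x) = x^3 o x over
# GF(2^k) and a brute-force check of the 4-wise independence the lemma needs.
# All parameters are constructed toy values; real use needs a large group.
from itertools import combinations

K = 4                 # input length k in bits; GF(2^4) is small enough to enumerate
IRRED = 0b10011       # x^4 + x + 1, irreducible over GF(2) (constructed choice)

def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^K) elements held as K-bit integers (carry-less, reduced)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> K:           # degree reached K: reduce by the irreducible polynomial
            a ^= IRRED
    return r

def encode_cube(x: int) -> int:
    """C(x) = x^3 o x as a 2K-bit integer (x^3 in the high K bits); L = 2K."""
    x3 = gf_mul(gf_mul(x, x), x)
    return (x3 << K) | x

def encode_identity(x: int) -> int:
    """C = identity (plain Naor-Reingold on the raw input bits); L = K."""
    return x

def four_wise_independent(encode) -> bool:
    """True iff no four distinct inputs have codewords XOR-ing to zero."""
    return all(encode(a) ^ encode(b) ^ encode(c) ^ encode(d) != 0
               for a, b, c, d in combinations(range(1 << K), 4))

# Toy prime-order group: the subgroup of order Q = 11 in Z_23^* generated by 4.
Q, P, G = 11, 23, 4

def naor_reingold(g: int, a: list, bits: list) -> tuple:
    """NR_{g,a}(x) = g^{prod a[i] : x[i] = 1}; returns (leaf, root-to-leaf path)."""
    node, path = g, [g]
    for a_i, bit in zip(a, bits):
        if bit:                      # going right: raise the current node to a[i]
            node = pow(node, a_i, P)
        path.append(node)            # going left leaves the node unchanged
    return node, path

def nr_encoded(g: int, a: list, x: int, encode, L: int) -> int:
    """NR^C(x) = Exp(1_{C(x)}): Naor-Reingold evaluated on the L-bit codeword C(x)."""
    cw = encode(x)
    bits = [(cw >> (L - 1 - i)) & 1 for i in range(L)]     # MSB first, like x[1..L]
    return naor_reingold(g, a, bits)[0]

if __name__ == "__main__":
    # the slide's toy walk: k = 6, x = 011011 touches a[2], a[3], a[5], a[6]
    a6 = [2, 3, 5, 7, 9, 10]                               # secret a[i] in Z_11
    leaf, path = naor_reingold(G, a6, [0, 1, 1, 0, 1, 1])
    print("path:", path, "leaf:", leaf)
    print("x^3 o x is 4-wise independent:", four_wise_independent(encode_cube))
    print("identity is 4-wise independent:", four_wise_independent(encode_identity))
```

The identity encoding fails because, e.g., 1 ⊕ 2 ⊕ 4 ⊕ 7 = 0, which is exactly the kind of DDH-tuple relation among leaves that slide 23 warns about.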

31 From PRF to VRF
Now, assume DDH is false and sf-DDH is true.
Publish PK = (g, h, h^{a[1]}, …, h^{a[k]})
Let the proof π(x) = all children of NR^C(x)
Use DDH and the public key to verify all neighbors.
Problem: with each Exp(1_{C(x)}), Adv also learns the values Exp(I) for all prefixes I of 1_{C(x)}.
– Need C such that for no x_1, x_2, x_3, x_4 and prefixes I_2 of C(x_2), I_3 of C(x_3), I_4 of C(x_4) do we have C(x_1) ⊕ I_2 ⊕ I_3 ⊕ I_4 = 0
– Call it 4-wise prefix independence.
Lemma: If C(x) is 4-wise independent, then C'(x) = C(x) ∘ 1 ∘ x ∘ 1 is 4-wise prefix independent.
Theorem: If C(x) = x^3 ∘ x ∘ 1 ∘ x ∘ 1 and DDH is false, then NR^C is a VRF under the sf-DDH assumption of order 3k+3.
As with PRFs, can reduce the order to O(log k) using ECCs.

32 Option 3: Use Bloody Pairings!
Formula for a general VUF -> VRF conversion:
– π'_SK(x) = (π_SK(x), F_SK(x))
– F'_SK(x) = H(F_SK(x)), for a good H
But which H?
– If H is a RO, then it trivially works, but this is useless
– Standard H are difficult in general (Goldreich-Levin)
Idea: so far we have F_SK(x) = g^{something} and use pairings only to solve DDH in G (to verify π_SK(x))
– Why not use H(y) = e(g, y)?!?
Hope that if y is hard to compute, then it is reasonable to assume e(g, y) is pseudorandom!

33 Option 3: Using Pairings
Given a VUF (F, π) with values in G and a bilinear map e: G × G → G_T, define
– π'_SK(x) = (π_SK(x), F_SK(x))
– F'_SK(x) = e(g, F_SK(x)) (now in G_T)
Can apply to the VUF of [Lys02] and get …
– PRF (under a reasonable decisional assumption)
– VRF? No, the proofs spoil everything (DDH easy)
– Still long proofs/keys + bit-by-bit processing
Instead, [DY05] follows this option with a new, more efficient VUF where it all works!

34 Simple VUF [DY05, BB04]
Start from the Boneh-Boyen signature [BB04]:
Algorithm Gen(1^k): Pick s ∈_R Z_p^*. The secret key is SK = s. The public key is PK = g^s.
Algorithm Sign_SK(x): To sign x, compute y = g^{1/(x+SK)}.
Algorithm Ver_PK(x, y): Check that e(y, g^x · PK) = e(g, g).

35 Our VUF (cont.)
The Boneh-Boyen signature is secure against non-adaptive queries (and uses the q-SDH assumption)
A VUF must be secure against adaptive queries
(Figure: non-adaptive game: the challenger generates (PK, SK) and sends PK; the adversary sends x_1, x_2, …, x_k all at once and receives y_1, y_2, …, y_k. Adaptive game: the adversary sends each x_i and receives y_i before choosing the next query.)

36 Our VUF (cont.)
Solution 1: assume [BB04] is a secure VUF
– Leads to a tautological interactive assumption
– Although we believe it is reasonable…
Solution 2: restrict the input size to be small, a(k) = O(log s(k)), where s(k) will be the (super-poly) security that we assume
– Allows us to enumerate all possible queries in less than s(k) time and give answers adaptively
– Can make the more standard q-DHI assumption (which is weaker than the q-SDH of [BB04])
– Still get decent and practical parameters

37 Our VUF (cont.)
Then the Boneh-Boyen signature becomes a VUF for small inputs
Can use GL to convert a VUF into a VRF, but this is very inefficient
Instead, use the pairing-based transformation suggested earlier: VRF_SK(x) = e(VUF_SK(x), g)
– get a direct VRF for small inputs (stay tuned)
– use the stronger, but already studied, q-DBDHI assumption [BB04]

38 Our VRF
Instead, we construct a VRF directly:
Algorithm Gen(1^k): Pick s ∈_R Z_p^*. The secret key is SK = s. The public key is PK = g^s.
Algorithm Prove_SK(x): Compute (F_SK(x), π_SK(x)) = (e(g,g)^{1/(x+SK)}, g^{1/(x+SK)}) (π_SK(x) is our VUF).
Algorithm Ver_PK(x, y, π): Verify that e(g^x · PK, π) = e(g,g) and y = e(g, π).
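The Gen / Prove / Ver algorithms above as runnable Python, an added example rather than the authors' implementation. The bilinear group is simulated by storing every element as its discrete log base g, so multiplication adds exponents and the pairing multiplies them; this reproduces the verification algebra but gives no security. The group order, the key and the inputs are constructed values.

```python
# Added example, not the authors' code: the [DY05] VRF algorithms Gen, Prove and
# Ver. To stay runnable offline the bilinear group is SIMULATED: each element of
# G is stored as its discrete log base g, so g^a * g^b is a+b, (g^a)^k is a*k and
# e(g^a, g^b) = e(g,g)^{ab} is a*b, all mod q. That reproduces the verification
# algebra exactly but has no security; a real deployment uses a pairing library.
import secrets

Q = 1000003                  # prime order of G and G_T (constructed toy value)
GEN = 1                      # the generator g, i.e. g^1
E_GG = 1                     # e(g, g), i.e. e(g,g)^1

def g_mul(a, b):             # g^a * g^b = g^{a+b}
    return (a + b) % Q

def g_exp(a, k):             # (g^a)^k = g^{ak}
    return (a * k) % Q

def pair(a, b):              # e(g^a, g^b) = e(g,g)^{ab}
    return (a * b) % Q

def gen():
    """Gen(1^k): pick s in Z_q^* at random; SK = s, PK = g^s."""
    s = 1 + secrets.randbelow(Q - 1)
    return s, g_exp(GEN, s)

def prove(sk, x):
    """Prove_SK(x) -> (F_SK(x), pi_SK(x)) = (e(g,g)^{1/(x+SK)}, g^{1/(x+SK)})."""
    if (x + sk) % Q == 0:
        raise ValueError("x + SK = 0 mod q: no inverse (negligible-probability event)")
    inv = pow((x + sk) % Q, -1, Q)      # 1/(x+SK) in Z_q
    pi = g_exp(GEN, inv)                # the [DY05, BB04] VUF value g^{1/(x+SK)}
    return pair(GEN, pi), pi            # F_SK(x) = e(g, pi)

def verify(pk, x, y, pi):
    """Ver_PK(x, y, pi): e(g^x * PK, pi) == e(g,g) and y == e(g, pi)."""
    return pair(g_mul(g_exp(GEN, x), pk), pi) == E_GG and y == pair(GEN, pi)

def uniqueness_check(pk, x, y, pi):
    """Uniqueness: the proof pi pins down y, so a different claimed value must fail."""
    return verify(pk, x, y, pi) and not verify(pk, x, (y + 1) % Q, pi)

if __name__ == "__main__":
    sk, pk = gen()
    y, pi = prove(sk, 12345)
    print("verifies:", verify(pk, 12345, y, pi))
    print("proof for 12345 rejected for 12346:", not verify(pk, 12346, y, pi))
    print("unique value:", uniqueness_check(pk, 12345, y, pi))
```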

39 Complexity Assumptions
We make two assumptions:
– q-DHI assumption: given (g, g^x, …, g^{(x^q)}), it is hard to compute g^{1/x} [MSK02]. Used for the security of the [BB04] VUF.
– q-DBDHI assumption: given (g, g^x, …, g^{(x^q)}), it is hard to distinguish e(g,g)^{1/x} from random [BB04]. Used for the security of the [DY05] VRF.
Hard = an adversary running for s(k) steps is unlikely to succeed.
– s(k) is super-polynomial in k and s(k) = o(2^k).

40 Security Statement
Our VRF/VUF is provably secure for inputs of small size, a(k) = O(log s(k)).
If there is an algorithm A that breaks the VRF/VUF in time t with probability ε, then there is an algorithm B that solves the q-DBDHI/q-DHI problem (q = 2^{a(k)}) in time ≈ t/(2^{a(k)} · poly(k)) with probability ε/2^{a(k)}.
Big security loss, but
– We believe it is an artifact of the assumption/analysis
– Using a CRHF suffices to support a(k) < 200
– Results in pretty good concrete parameters…

41 Proof of Security: big picture
Construct a reduction algorithm B that plays the VRF game with A, answers A's queries, and then uses A's answers to solve the q-DBDHI instance (g, g^α, …, g^{(α^q)}, Γ) received from the challenger: is Γ = e(g,g)^{1/α}?

42 Proof of Security: sketch
Idea:
1. Want to know if Γ = e(g,g)^{1/α}.
2. Guess that A can distinguish the VRF value of x* from random.
3. Prepare keys (PK, SK) such that SK = α − x* is unknown, yet we can correctly compute ⟨F_SK(x), π_SK(x)⟩ for any x ≠ x*.
4. Construct Γ* from Γ such that F_SK(x*) = Γ* if Γ = e(g,g)^{1/α}, and F_SK(x*) = $ (random) if Γ = $.

43 Efficiency
Suppose a(k) = 160 bits (the length of SHA-1 digests). We then have:
Scheme | Length of proofs and keys | Group size
[DY05] | 125 bytes | 1,000 bits, elliptic group
[MRV99] | 280,000 bytes | 14,383 bits, Z_n^*
[Dod03], [Lys02] | >3,200 bytes | >160 bits, elliptic group

44 Practical Application: Compact e-cash [CHL05]
Offline anonymous e-cash scheme.
– A user can withdraw a wallet of 2^l coins from the bank and later spend them.
In the best known schemes, withdraw and spend operations take O(2^l · k) time (k = security parameter).
At EuroCrypt 05, [CHL05] used the [DY05] VRF to construct a scheme whose withdraw/spend operations take O(l + k) time.
– Also have an O(l · k) scheme using the VRF variant of [Dod03] (more convenient for ZK)
A PRF sufficed, but needed a nice algebraic structure to do efficient ZK proofs!

45 Conclusion
Pairings seem very useful for VRF design
– Simple and efficient VRF constructions
– Can be instantiated with elliptic groups of reasonable size
– Can be made distributed and proactive
– Can use the algebra for efficient protocols: obtain the VRF value on committed values; ZK proof of knowledge of the VRF value
[DY05]: proofs and keys consist of only one group element regardless of the input size
Open: get an efficient (full-blown) VRF under more established assumptions

48 Generalized DDH relative to some R
Fix L and let R(J, I_1, …) be some relation. Adv is given oracle access to Exp(I).
G satisfies gDDH of order L relative to R if: Adv queries I_1, I_2, … and receives Exp(I_1), Exp(I_2), …; it outputs a challenge J and receives y := y_b, where y_0 := Exp(J), y_1 := random and b is a random bit; it may keep querying I_i (receiving Exp(I_i)) and finally outputs b'. Requirement: Pr[b' = b] ≈ ½ whenever R(J, I_1, …, I_m) = 1.

49 Some Observations about gDDH
Lemma: if R and C are such that R(C(z), C(x_1), …) = 1, then NR^C is a PRF under gDDH of order L relative to R
– Proof: trivial, compare the definitions
Example 1: R is true iff J ∉ {I_1, …, I_m}
– the usual gDDH assumption
– Known [NR97, STW96]: DDH implies gDDH (due to random self-reducibility)
– Immediately gives that NR_identity is a PRF under DDH
Example 2: R is true iff there are no J_1, J_2, J_3 ∈ {I_1, …, I_m} such that [Exp(J), Exp(J_1), Exp(J_2), Exp(J_3)] form a DDH tuple
– Intuitively, one can only distinguish if a DDH tuple is found
– Mathematically, J + J_3 = J_1 + J_2 (bitwise, over the integers)
– Say, = =
– Call the resulting assumption sum-free DDH of order L

50 Step 4: From PRF to VRF
Now, assume DDH is false but sf-DDH holds.
More hacking needed due to prefixes…
End result: if C(x) = x^3 ∘ x ∘ 1 ∘ x ∘ 1 and DDH is false, then NR^C is a VRF under the sf-DDH assumption of order 3k+3.
As with PRFs, can reduce the order to O(log k) using ECCs.

51 Distributing Trust
Moti: "Yvo, why should we let a single party know all the secrets and be a single point of failure?"
Yvo: "Not a bad thought, Moti. After I finish my wine, I promise to vigorously attack this problem…"

52 Distributing Trust
We have to move towards a group-oriented society: threshold cryptography!

53 Distributed PRFs (DPRF)
No verifiability yet, only PRF functionality
The secret key SK is shared among n servers
No coalition of up to t servers can compute the PRF or distinguish it from a random function
Any (t+1) servers can evaluate the PRF
Two flavors:
– Non-interactive [MiSi95, NPR99]: servers do not know about each other and only talk to Laura

54 (Figure: non-interactive DPRF. Laura sends x to three servers holding secrets SK_1, SK_2, SK_3, receives the partial values y_1, y_2, y_3, and combines them into F_SK(x).)

55 Distributed PRFs (DPRF)
No verifiability yet, only PRF functionality
The secret key SK is shared among n servers
No coalition of up to t servers can compute the PRF or distinguish it from a random function
Any (t+1) servers can evaluate the PRF
Two flavors:
– Non-interactive [MiSi95, NPR99]: servers do not know about each other and only talk to Laura
– Interactive [NaRe97, Nie02]: much less attractive for the purposes of eliminating the random oracle…

56 (Figure: interactive DPRF. Laura sends x to a well-known group of servers holding secrets SK_1, …, SK_9, which interact among themselves and return F_SK(x).)
Laura: "Same experience as a PRF, but let many men argue before giving me the answer I can't check."

57 Applications and Constructions
Applications: distributed KDCs, threshold Cramer-Shoup, metering on the web, Byzantine agreement, …
[MiSi95]: only for small n and t (complexity ~ n^t)
[NPR99]: several constructions
– weak PRF under DDH: W_{g,a}(x) = x^a (secure only for random x)
– Trivial to distribute (non-interactive, 1 round)
– Using a random oracle, get a regular PRF F_{g,a}(x) = W_{g,a}(H(x)) = H(x)^a
[Nie02, NR97]: can distribute the Naor-Reingold PRF
– Highly interactive
– Needs concurrent ZKs
– Many rounds (= |input|)
– Needs an honest majority to give the result to Laura
No non-interactive regular DPRF was known

58 Distributed VRFs (DVRF)
Distributed computation of (F_SK(x), π_SK(x)).
Most attractive replacement for the RO:
– Distribution of trust
– High availability (especially non-interactive)
– No bottlenecks
– Can check the correctness of F(x) using the proof
– Can transfer the proof to a third party without further interaction
– By themselves give a threshold signature scheme
– Already have, and will find more, applications
Not studied prior to this work…

59 My Results (Part II)
First (and very simple!) DVRF construction
Non-interactive (albeit multi-round)
More efficient than the regular DPRF of [Nie02]
– no interaction, no ZKs, fewer rounds
– but also verifiable
Tolerates any threshold (including an honest minority)

60 Step 5: From VRF to DVRF
Not hard at all, since our VRF is so simple!
Standard Shamir secret sharing and Lagrange interpolation tricks
– except we can do it non-interactively
Punchline: DDH being easy makes it possible to do this very standard computation non-interactively

61 Step 5: From VRF to DVRF
Need to compute Exp(1_{C(x)}) and all its prefixes Exp(I_i)
Distribute a[i] to n servers via Shamir:
– server j gets the share a[ij] and publishes y[ij] = h^{a[ij]}
Proceed in |1_{C(x)}| rounds between Laura and the servers:
– In each round i where C(x)[i] = 1, we have the value s_i = Exp(I_i) and need to compute s_{i+1} = s_i^{a[i]} using h and h^{a[i]}. Trivial with DDH…
– Each server j sends s_i^{a[ij]}, and Laura checks DDH(s_i, s_i^{a[ij]}, h, y[ij])
– After (t+1) correct answers, interpolate the (necessarily) correct s_{i+1} and send it to each server, which checks it using DDH(s_i, s_{i+1}, h, y[i])
Punchline: DDH being easy makes it possible to do this very standard computation non-interactively
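One round of the Shamir-based protocol above, as an added example that is not the talk's code: the group is again simulated by storing elements as their discrete logs (so the pairing-based DDH test is exact but nothing is actually hidden), and n, t, a[i], h, s_i and the misbehaving server are constructed values.

```python
# Added example, not code from the talk: one round of the non-interactive DVRF
# evaluation sketched on slide 61. Each a[i] is Shamir-shared among n servers;
# to go from s_i to s_{i+1} = s_i^{a[i]}, server j returns s_i^{a[ij]}, Laura
# keeps it only if DDH(s_i, s_i^{a[ij]}, h, h^{a[ij]}) holds, and interpolates
# s_{i+1} in the exponent from any t+1 accepted answers. DDH is decided with the
# pairing; the group is SIMULATED by discrete logs (element g^a is stored as a,
# e(g^a, g^b) = a*b mod q), which keeps the arithmetic exact but hides nothing.
import secrets

Q = 1000003                  # prime group order (constructed toy value)

def g_mul(a, b):             # g^a * g^b
    return (a + b) % Q

def g_exp(a, k):             # (g^a)^k
    return (a * k) % Q

def ddh(u, u_a, v, v_a):
    """DDH(u, u^a, v, v^a) decided by the pairing: e(u^a, v) == e(u, v^a)."""
    return (u_a * v - u * v_a) % Q == 0

def shamir_share(secret, n, t):
    """Shares f(1..n) of a random degree-t polynomial with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t)]
    return {j: sum(c * pow(j, e, Q) for e, c in enumerate(coeffs)) % Q
            for j in range(1, n + 1)}

def lagrange_at_zero(js):
    """Coefficients lambda_j with sum_j lambda_j * f(j) = f(0) for the index set js."""
    lam = {}
    for j in js:
        num = den = 1
        for m in js:
            if m != j:
                num = num * (-m) % Q
                den = den * (j - m) % Q
        lam[j] = num * pow(den, -1, Q) % Q
    return lam

def server_response(s_i, share):
    """Honest server j: raise the current node s_i to its share a[ij]."""
    return g_exp(s_i, share)

def laura_round(s_i, h, pub_y, t, responses):
    """Laura's side of round i. pub_y[j] = h^{a[ij]} is server j's published value.
    Returns (s_{i+1}, servers used) or raises if fewer than t+1 answers verify."""
    accepted = {j: r for j, r in responses.items() if ddh(s_i, r, h, pub_y[j])}
    if len(accepted) < t + 1:
        raise ValueError("fewer than t+1 correct shares")
    js = sorted(accepted)[: t + 1]
    lam = lagrange_at_zero(js)
    s_next = 0                                  # identity element g^0
    for j in js:                                # prod_j (s_i^{a[ij]})^{lambda_j}
        s_next = g_mul(s_next, g_exp(accepted[j], lam[j]))
    return s_next, js

def run_round(a_i, s_i, h, n=5, t=2, corrupt=3):
    """Full round with one corrupt server; returns (s_{i+1}, servers used, servers' check)."""
    shares = shamir_share(a_i, n, t)
    pub_y = {j: g_exp(h, shares[j]) for j in shares}        # y[ij] = h^{a[ij]}
    responses = {j: server_response(s_i, shares[j]) for j in shares}
    responses[corrupt] = g_mul(responses[corrupt], 1)       # corrupt server answers s*g
    s_next, used = laura_round(s_i, h, pub_y, t, responses)
    # each server checks Laura's s_{i+1} against the public y[i] = h^{a[i]}
    ok = ddh(s_i, s_next, h, g_exp(h, a_i))
    return s_next, used, ok
```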

62 Step 6: Do We Believe in sf-DDH?
Recently, groups where DDH is easy have received a lot of attention:
– applications to ID-based [BF01], hierarchical [GS02] and other kinds of encryption, short signatures [BLS01], credential systems [V01], …
– Candidates proposed [SOK00, JN01] based on certain bilinear (Weil, Tate) pairings on elliptic curves
– No multilinear variant is known or likely to exist [BoSi02]
– For all we know, g^{abc} still looks random given g, g^a, g^b, g^c
– The sf-DDH assumption takes this belief one step further: the only way to distinguish g^{some power} from random is to get a DDH tuple for doing so.
Most ambitious assumption conceivable when DDH is false. Why settle for it and not for something less ambitious?
– To get the simplest possible construction + a target for breaking
– Even if false, the techniques of this paper seem to generalize…

63 Conclusions, Open Problems
Constructed the first simple, efficient and direct VRF and non-interactive DPRF/DVRF
Motivated the study of the new sf-DDH assumption
– Can we reduce the assumption?
– Relate it to known ones?
– Break it?
One-round DPRFs/DVRFs? Adaptively secure DPRFs/DVRFs? More efficient constructions? More applications?
Practical implementation?
– Well, let's not get carried away…

