The oblivious PRF evaluation functionality $\mathcal{F}_{PRF}$ is defined by $(K, x) \mapsto (-, \mathrm{PRF}_K(x))$. One known protocol that implements $\mathcal{F}_{PRF}$ is the instantiation based on the Naor-Reingold pseudorandom function [NR97] (specified in Section 3.1.2), implemented by the protocol of [FIPR05] (and proven secure in the malicious setting in [HL10a]). That protocol executes an oblivious transfer for every bit of the input $x$. Its major drawback is that it does not enforce the use of the same key across multiple evaluations, which is often required. In this section we first observe that the algebraic closed form efficiency functions of the PRFs $\mathrm{PRF}_1$ and $\mathrm{PRF}_2$ specified in Section 3.1 are PRFs as well. Moreover, the protocols for securely evaluating these functions induce efficient implementations of the committed oblivious PRF evaluation functionality with respect to these new PRFs in the presence of adaptive inputs, because the PRF evaluation protocols are carried out with respect to the same set of key commitments. We formally define this functionality in Figure 1.
More formally, let $\mathrm{PRF}$ be an algebraic PRF from a domain $\{0,1\}^m$ into a group $\mathbb{G}$. Then define the new function $\mathrm{PRF}' : \mathbb{Z}_p \mapsto \mathbb{G}$ by
$$\mathrm{PRF}'_K(x) = \prod_{i=0}^{l} \left[\mathrm{PRF}_K(i)\right]^{x^i}.$$
Note that the domain size of $\mathrm{PRF}'$ must be bounded by $l+1$, since upon observing $l+1$ evaluations of $\mathrm{PRF}'$ it is possible to interpolate the coefficients of the polynomial $\{\mathrm{PRF}_K(i)\}_i$ (in the exponent). On the other hand, it is easy to verify that if $l$ is polynomial in the security parameter then $\mathrm{PRF}'$ is a PRF. Since the domain size is upper bounded by $l+1$, this means that the domain size must be polynomial.
Theorem 5.1 Assume that $\mathrm{PRF} : \{0,1\}^m \mapsto \mathbb{G}$ is a PRF. Then $\mathrm{PRF}'$ is a PRF for $l$ that is polynomial in the security parameter.
Proof: We prove security by a reduction to the pseudorandomness of $\mathrm{PRF}$. Namely, assume by contradiction a distinguisher $D_{F'}$ that distinguishes $\mathrm{PRF}'$ from a truly random function. We construct a distinguisher $D_F$ that distinguishes $\mathrm{PRF}$ from a truly random function. Specifically, $D_F$ queries its oracle on the points $0, \ldots, l$ and, given the responses $f_0, \ldots, f_l$, computes $\prod_{i=0}^{l} f_i^{x^i}$ for any query $x \in \mathbb{Z}_p$ made by $D_{F'}$, as long as the number of distinct queries is bounded by $l+1$. Finally, $D_F$ outputs whatever $D_{F'}$ does. If the oracle is $\mathrm{PRF}$, then $D_{F'}$ sees exactly $\mathrm{PRF}'$. If the oracle is a random function, then the $f_i = g^{a_i}$ have independent uniform exponents, and for at most $l+1$ distinct queries the Vandermonde system in the powers $x^i$ is invertible over $\mathbb{Z}_p$, so the answers $g^{\sum_i a_i x^i}$ are independently uniform as well. Hence, if $D_{F'}$ breaks the security of $\mathrm{PRF}'$ then $D_F$ breaks the security of $\mathrm{PRF}$.
We implement $\mathrm{PRF}'$ using the two PRFs from Section 3.1.1 and obtain two new PRF constructions under the strong-DDH and DDH assumptions. Let $K = (k_0, k_1)$ be the key of the PRF $\mathrm{PRF}_1$ with strong-DDH based security, and recall that the closed form efficiency of this function is defined by
$$\mathrm{PRF}'_K(x) = \mathrm{CFEval}_h(x, K) = g^{\,k_0 \frac{k_1^{d+1} x^{d+1} - 1}{k_1 x - 1}}$$
(the exponent is the geometric sum $k_0 \sum_{i=0}^{d} (k_1 x)^i$ evaluated in $\mathbb{Z}_p$; the quotient form requires $k_1 x \neq 1$). This implies that $\mathrm{PRF}'$ only requires a constant number of modular exponentiations. See Section 3.3 for secure protocols that obliviously evaluate $\mathrm{PRF}'$. Next, let $K = (k_0, \ldots, k_m)$ be the key of the Naor-Reingold PRF, and recall that the closed form efficiency of this function is defined by
$$\mathrm{PRF}'_K(x) = \mathrm{CFEval}_{h,z}(x, K) = g^{\,k_0 (1 + k_1 x)(1 + k_2 x^{2}) \cdots (1 + k_m x^{2^{m-1}})},$$
which requires $O(\log l) = O(m)$ operations, namely a number of operations logarithmic in the domain size, where the underlying PRF takes $m$-bit inputs. This is the same order of overhead as the [FIPR05] implementation, which requires an OT for each input bit. Nevertheless, our construction has the additional advantage that it achieves the committed key property easily, since multiple evaluations can be computed with respect to the same committed PRF key. Plugging our protocol into the protocols for keyword search, OT with adaptive queries [FIPR05] and set-intersection [HL10a] implies security against malicious adversaries fairly immediately. It is further useful for search functionalities, as demonstrated below.
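The following Python script is an added worked example and not code from the paper. It evaluates $\mathrm{PRF}'$ both by the defining product $\prod_{i=0}^{l} \mathrm{PRF}_K(i)^{x^i}$ and by the two closed forms quoted above, checks that they agree, and then carries out the interpolation in the exponent that motivates the domain bound: after $l+1$ evaluations of $\mathrm{PRF}'$ an adversary can compute its value at any further point, while $l$ evaluations do not suffice. Assumptions that are not on the page: a toy group (the order-1019 subgroup of $\mathbb{Z}^*_{2039}$, far too small for real use), that $\mathrm{PRF}_1$ is ${\mathrm{PRF}_1}_K(i) = g^{k_0 k_1^i}$ (the function whose closed form is the geometric sum above), that the Naor-Reingold PRF selects $k_j$ by the $j$-th bit of its input, and that the key values and query points are constructed for illustration.

```python
# Added example (not from the paper): PRF'_K(x) = prod_i PRF_K(i)^{x^i} evaluated
# naively and via the closed forms quoted in Section 5, plus the (l+1)-query
# interpolation in the exponent that bounds the usable domain.
# Group: the order-p subgroup of Z_P^* for a toy safe prime P = 2p + 1.

P_MOD = 2039          # toy modulus P = 2p + 1 (prime); real deployments use ~2048-bit groups
p = 1019              # prime group order; exponents live in Z_p (the paper's p)
g = 4                 # generator of the order-p subgroup of Z_P^* (4 = 2^2 is a quadratic residue)
assert pow(g, p, P_MOD) == 1 and g != 1


def prf1(K, i):
    """Assumed PRF1_K(i) = g^{k0 * k1^i}: the function whose PRF' closed form is the geometric sum."""
    k0, k1 = K
    return pow(g, k0 * pow(k1, i, p) % p, P_MOD)


def prf_nr(K, i):
    """Naor-Reingold PRF_K(i) = g^{k0 * prod_{j : bit j of i set} k_{j+1}}, K = (k0, k1, ..., km)."""
    k0, *ks = K
    e = k0
    for j, kj in enumerate(ks):          # bit j of i (LSB = bit 0) selects k_{j+1}
        if (i >> j) & 1:
            e = e * kj % p
    return pow(g, e, P_MOD)


def prf_prime_naive(prf, K, x, l):
    """PRF'_K(x) = prod_{i=0}^{l} PRF_K(i)^{x^i}, the definition in Section 5 (l+1 exponentiations)."""
    out = 1
    for i in range(l + 1):
        out = out * pow(prf(K, i), pow(x, i, p), P_MOD) % P_MOD
    return out


def prf1_closed_form(K, x, d):
    """CFEval_h(x, K) = g^{k0 (k1^{d+1} x^{d+1} - 1)/(k1 x - 1)}: constant cost, independent of d."""
    k0, k1 = K
    num = (pow(k1, d + 1, p) * pow(x, d + 1, p) - 1) % p
    den = (k1 * x - 1) % p
    if den == 0:                          # k1*x = 1: the geometric sum is just d+1 ones
        e = k0 * (d + 1) % p
    else:
        e = k0 * num * pow(den, -1, p) % p
    return pow(g, e, P_MOD)


def prf_nr_closed_form(K, x):
    """CFEval_{h,z}(x, K) = g^{k0 * prod_{j=1}^{m} (1 + k_j x^{2^{j-1}})}: m = log(l+1) multiplications."""
    k0, *ks = K
    e = k0
    for j, kj in enumerate(ks):
        e = e * (1 + kj * pow(x, 1 << j, p)) % p
    return pow(g, e, P_MOD)


def interpolate_in_exponent(points, x_star):
    """Given (x_j, g^{a(x_j)}) for deg(a)+1 distinct x_j, return g^{a(x_star)} using
    Lagrange coefficients computed in Z_p.  With fewer points it returns the value
    of a lower-degree interpolant, which differs from g^{a(x_star)}."""
    out = 1
    for j, (xj, vj) in enumerate(points):
        lam = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                lam = lam * ((x_star - xm) % p) % p * pow((xj - xm) % p, -1, p) % p
        out = out * pow(vj, lam, P_MOD) % P_MOD
    return out


def demo():
    K1 = (123, 456)                        # constructed PRF1 key (k0, k1)
    d = 4                                  # l = d: domain {0, ..., d}, d+1 coefficients
    x = 777
    closed_ok = prf1_closed_form(K1, x, d) == prf_prime_naive(prf1, K1, x, d)

    Knr = (321, 654, 987, 135)             # constructed NR key (k0, k1, k2, k3): m = 3, l = 2^3 - 1
    m = len(Knr) - 1
    nr_ok = prf_nr_closed_form(Knr, x) == prf_prime_naive(prf_nr, Knr, x, (1 << m) - 1)

    # Domain bound: d+1 adaptive queries let an adversary predict PRF' at any further point.
    queries = [(xq, prf1_closed_form(K1, xq, d)) for xq in range(10, 10 + d + 1)]
    x_star = 999
    forged = interpolate_in_exponent(queries, x_star) == prf1_closed_form(K1, x_star, d)
    # With only d queries the interpolant has degree d-1 and the prediction fails.
    short = interpolate_in_exponent(queries[:d], x_star) == prf1_closed_form(K1, x_star, d)
    return closed_ok, nr_ok, forged, short


if __name__ == "__main__":
    print(demo())
```

The `short` check is deterministic rather than probabilistic: the difference between the true degree-$d$ exponent polynomial and the degree-$(d-1)$ interpolant through $d$ of its points is $k_0 k_1^{d} \prod_j (x^* - x_j)$, which is nonzero in $\mathbb{Z}_p$ whenever $k_0, k_1 \neq 0$ and $x^*$ is a fresh point.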
5.1 The Set-Intersection Protocol
We continue with describing our set-intersection protocol. Informally, $P_0$ generates a PRF key for $\mathrm{PRF}$ and evaluates this function on its set $X$. It then sends the evaluation results to $P_1$, and the parties engage in a committed oblivious PRF protocol that evaluates $\mathrm{PRF}$ on the set $Y$. $P_1$ then concludes the intersection. In order to handle a technicality in the security proof, we require that $P_0$ generate its PRF key independently of its input $X$, since otherwise it may maliciously pick a secret key that induces collisions between elements of $X$ and $Y$, causing the simulation to fail. We ensure key independence by asking the parties to mutually generate the PRF key after $P_0$ has committed to its input. Then, upon choosing the PRF key, the parties invoke two variations of functionality $\mathcal{F}_{CPRF}$, denoted by $\mathcal{F}^0_{CPRF}$ and $\mathcal{F}^1_{CPRF}$, defined below.
Definition 5.2 Let $X$ and $Y$ be subsets of a predetermined arbitrary domain $\{0,1\}^t$ and $m_X$ and $m_Y$ the respective upper bounds on the sizes of $X$ and $Y$. Then we define functionality $\mathcal{F}^0_{CPRF}$ as follows:
$$\big((K, (x_1, \ldots, x_{m_X}), R),\ (c_{KEY}, (c_1, \ldots, c_{m_X}), PK)\big) \mapsto \big(-,\ (\mathrm{PRF}_K(x_1), \ldots, \mathrm{PRF}_K(x_{m_X}))\big)$$
if $c_i$ encrypts $x_i$ for all $i$ and $c_{KEY}$ is a commitment of $K$, where verification is carried out using the randomness $R$.
In the final step of the set-intersection protocol the parties call functionality $\mathcal{F}^1_{CPRF}$ in order to evaluate the PRF on the set $Y$.
Definition 5.3 Let $X$ and $Y$ be subsets of a predetermined arbitrary domain $\{0,1\}^t$ and $m_X$ and $m_Y$ the respective upper bounds on the sizes of $X$ and $Y$. Then we define functionality $\mathcal{F}^1_{CPRF}$ as follows:
$$\big((K, R),\ (c_{KEY}, (y_1, \ldots, y_{m_Y}))\big) \mapsto \big(-,\ (\mathrm{PRF}_K(y_1), \ldots, \mathrm{PRF}_K(y_{m_Y}))\big)$$
if $c_{KEY}$ is a commitment of $K$, where verification is carried out using the randomness $R$.
5.1.1 Realizing $\mathcal{F}^0_{CPRF}$ and $\mathcal{F}^1_{CPRF}$
Implementation-wise, there is not much difference between the protocols for the two functionalities; they mainly differ in the identity of the party that enters the input values to the PRF (the same committed key is used in both protocol executions). We note that the realizations of $\mathcal{F}^0_{CPRF}$ and $\mathcal{F}^1_{CPRF}$ can be carried out securely based on the implementations of the closed form efficiency functions shown in Section 3.3, since our committed PRFs are based on these functions. More concretely, the difference with respect to functionality $\mathcal{F}^0_{CPRF}$ is that now, when $P_0$ is corrupted, the simulator needs to extract the randomness used for committing to the PRF key and to the elements $x_i$, which can be achieved using the proof of knowledge $\pi_{2DL}$ since the parties use the El Gamal PKE. Next, the parties continue with the PRF evaluations, where the ZK proofs are carried out with respect to the same key commitment. Finally, the implementation of $\mathcal{F}^1_{CPRF}$ follows similarly, but without the additional proof added above for $\mathcal{F}^0_{CPRF}$ in order to extract the randomness of $P_0$'s committed input. We next describe a detailed protocol that securely realizes $\mathcal{F}^1_{CPRF}$ for the PRF $\mathrm{PRF}_1$ from Section 3.1.1; it is very similar to Protocol 3 from Section 3.3 and is based on the same building blocks. A protocol realizing $\mathcal{F}^0_{CPRF}$ follows analogously, except that $P_0$ performs the computations based on $(x_1, \ldots, x_{m_X})$ and proves consistency with the commitments that $P_1$ holds.
Protocol 8 (Protocol $\pi^1_{CPRF}$ with malicious security.)
• Input: Party $P_0$ is given a PRF key $K = (k_0, k_1)$ and randomness $R$. Party $P_1$ is given $(c_{KEY}, (y_1, \ldots, y_{m_Y}), PK)$. Both parties are given a security parameter $1^n$ and $(\mathbb{G}, p, g)$ for a group description $\mathbb{G}$ of prime order $p$ and a generator $g$.
• The protocol:
1. Proving the knowledge of $R$. $P_0$ and $P_1$ engage in a pair of parallel executions of $\pi_{2DL}$ in which $P_0$ proves knowledge of the openings of $c_{KEY}$. Note that $c_{KEY}$ is a pair of ciphertexts $(c_{k_0}, c_{k_1})$ that respectively encrypt $(k_0, k_1)$, and that given an El Gamal ciphertext $\langle c_1, c_2 \rangle = \langle g^r, h^r g^m \rangle$, the proven statement is $c_2$, for which $P_0$ proves that it knows $r$ and $m$.
2. Generating additively homomorphic keys. $P_0$ runs $(PK', SK') \leftarrow \mathrm{Gen}'(1^n)$ and sends $PK'$ to $P_1$, as well as an encryption of $k_1$, denoted by $c'_{k_1} = \mathrm{Enc}'_{PK'}(k_1)$. $P_0$ proves consistency with $c_{k_1}$ using $\pi_{Eq\text{-}Exp}$.
Next, the following steps are performed for every element of the set $(y_1, \ldots, y_{m_Y})$ in parallel.
3. Computing an encryption of (masked) $k_1 y_i - 1$. $P_1$ responds with $c' = \mathrm{Enc}'_{PK'}\big((k_1 y_i - 1) \cdot r\big)$ and $c_r = \mathrm{Enc}_{PK}(r)$ for some random mask $r$.
4. Computing an encryption of $(k_1 y_i - 1)^{-1}$. Upon receiving ciphertext $c'$ from $P_1$, $P_0$ decrypts it and re-encrypts it, as well as the inverse of this plaintext modulo $p$, under $PK$, creating ciphertexts $c, c_{INV}$ and proving consistency between $c'$ and $c$ using $\pi_{Eq\text{-}Exp}$, and between $c$ and $(c_{INV}, \mathrm{Enc}_{PK}(g^1))$ using $\pi_{MULT}$, where the latter ciphertext is generated by $P_0$ and proven correct using $\pi_{DDH}$. As a response, $P_1$ removes the mask $r$ from the plaintext within ciphertext $c$ by raising it to the power $r^{-1} \bmod p$, creating ciphertext $c_{r^{-1}}$ and proving consistency with $c_r$ using $\pi_{EQ}$.
5. Computing encryptions of $k_1^{d+1}$ and $y_i^{d+1}$. $P_0$ computes an encryption of $k_1^{d+1}$, denoted by $c_{k_1^{d+1}}$, and proves its consistency with $c_{k_1}$ using $\pi_{EQ}$. Similarly, $P_0$ computes an encryption of $y_i^{d+1}$, denoted by $c_{y_i^{d+1}}$, and proves correctness (where an encryption of $y_i$ can be recovered from the encryption of $k_1 y_i - 1$, denoted above by $c_{r^{-1}}$).
6. Computing encryptions of $k_0 (k_1 y_i - 1)^{-1}$ and $k_0 k_1^{d+1} (k_1 y_i - 1)^{-1}$. Given ciphertexts $c_{INV}$, $c_{k_1^{d+1}}$ and $c_{k_0}$, $P_0$ computes encryptions of $k_0 (k_1 y_i - 1)^{-1}$ and $k_0 k_1^{d+1} (k_1 y_i - 1)^{-1}$ and proves consistency relative to $c_{INV}$, $c_{k_1^{d+1}}$ and $c_{k_0}$ using $\pi_{EQ}$ (where the proof for the latter computation involves running $\pi_{EQ}$ twice). Let $c_0$ and $c'_0$ denote the respective outcomes.
7. Computing an encryption of $k_0 k_1^{d+1} y_i^{d+1} (k_1 y_i - 1)^{-1}$. Given ciphertexts $c_{y_i^{d+1}}$ and $c'_0$, $P_1$ computes an encryption of $k_0 k_1^{d+1} y_i^{d+1} (k_1 y_i - 1)^{-1}$ and proves consistency using $\pi_{EQ}$. Let $c_1$ denote the outcome.
8. Outcome. Finally, the parties decrypt $c_1 / c_0$ for $P_1$ by running $\pi_{DEC}$, which outputs the result; by the closed form above, the decrypted value is $g^{\,k_0 (k_1^{d+1} y_i^{d+1} - 1)/(k_1 y_i - 1)} = \mathrm{PRF}'_K(y_i)$.
Theorem 5.4 Assume $\Pi = (\pi_{KeyGen}, \mathrm{Enc}, \pi_{DEC})$ and $\Pi' = (\mathrm{Gen}', \mathrm{Enc}', \mathrm{Dec}')$ are as in Section 3.3. Then Protocol 8 securely realizes functionality $\mathcal{F}^1_{CPRF}$ with respect to $\mathrm{PRF}_1$ in the presence of malicious adversaries in the $\{\mathcal{F}_{2DL}, \mathcal{F}_{Eq\text{-}Exp}, \mathcal{F}_{MULT}, \pi_{DDH}, \mathcal{F}_{EQ}\}$-hybrid model.
Intuitively, the security proof follows from the ZK proofs that force the parties to behave honestly, and is a direct extension of the security proof of Protocol 3. A protocol based on $\mathrm{PRF}_2$ can be constructed similarly to the idea presented in Section 3.3.
5.1.2 The Complete Protocol
Next, we describe our set-intersection protocol using committed oblivious PRF.
Protocol 9 (Protocol $\pi_\cap$ with malicious security from committed oblivious PRF.)
• Input: Party $P_0$ is given a set $X$ of size $m_X$. Party $P_1$ is given a set $Y$ of size $m_Y$. Both parties are given a security parameter $1^n$.
• The protocol:
1. Distributed key generation. $P_0$ and $P_1$ run protocol $\pi_{KeyGen}(1^n, 1^n)$ in order to generate an additive El Gamal public key $PK = \langle \mathbb{G}, p, g, h \rangle$, where the corresponding shares of the secret key $SK$ are $(SK_0, SK_1)$.
2. Input commitment and PRF key generation. $P_0$ sends encryptions of its input $X$ under $PK$; denote this set of ciphertexts by $C = (c_1, \ldots, c_{m_X})$. $P_0$ invokes $(K, param) \leftarrow \mathrm{KeyGen}(1^n, d = \log(m_X + m_Y))$, where $param$ includes a group description $\mathbb{G}$ of prime order $p$ and a generator $g$, and sends $P_1$ $param$ and a ciphertext $\mathrm{Enc}_{PK}(g^K; R)$. $P_1$ picks a new key $(K', param) \leftarrow \mathrm{KeyGen}(1^n, d = \log(m_X + m_Y))$ and sends it to $P_0$. The parties then compute the encryption $c_{KEY}$ of $g^{\tilde{K}} = g^{K K'}$, relying on the homomorphic property of El Gamal.
3. PRF evaluations on $X$. The parties call functionality $\mathcal{F}^0_{CPRF}$, where $P_0$ enters the set $X$, the key $\tilde{K}$ and the randomness $R$, and $P_1$ enters $C$, $c_{KEY}$ and $PK$. Denote by $\mathrm{PRF}_X = \{\mathrm{PRF}'_{\tilde{K}}(x)\}_{x \in X}$ the output of $P_1$ from this ideal call, which is delivered only if $C$ is a vector of ciphertexts that encrypts $X$ and $c_{KEY}$ is a commitment of $\tilde{K}$, where verification is computed using randomness $R$.
4. Oblivious PRF evaluations on $Y$. The parties call functionality $\mathcal{F}^1_{CPRF}$, where $P_0$ enters the key $\tilde{K}$ and randomness $R$, and $P_1$ enters the commitment $c_{KEY}$ and the set $Y$. Denote by $\mathrm{PRF}_Y = \{f_y\}_{y \in Y}$ the output of $P_1$ from this ideal call, delivered only if $c_{KEY}$ is a commitment of $\tilde{K}$, where verification is computed using randomness $R$.
$P_1$ outputs all $y \in Y$ for which $f_y \in \mathrm{PRF}_X$.
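As an added example (not the paper's code), the following Python script runs Protocol 9 end to end, with $\mathcal{F}^0_{CPRF}$ and $\mathcal{F}^1_{CPRF}$ emulated as ideal functionalities that refuse to answer when the committed values do not match what $P_0$ enters; it also shows a $P_0$ that commits to $X$ and then feeds a different set to $\mathcal{F}^0_{CPRF}$ being rejected, which is the check that forces $P_0$'s input to be fixed before the key is chosen. Stand-ins and assumptions, none of which come from the paper: hash commitments $H(r \| m)$ replace the El Gamal encryptions of $X$ and the key commitment $c_{KEY}$, the PRF is $\mathrm{PRF}'$ for $\mathrm{PRF}_1$ via its closed form, the combined key $\tilde{K} = K K'$ is taken componentwise on $(k_0, k_1)$, the group is a toy order-1019 subgroup of $\mathbb{Z}^*_{2039}$, and the sets, key shares and randomness are fixed constructed values (a real run samples them).

```python
# Added example (not from the paper): Protocol 9 with F^0_CPRF and F^1_CPRF
# emulated as ideal functionalities.  Stand-ins: hash commitments replace the
# El Gamal encryptions/commitments; PRF' for PRF1 is computed via its closed form;
# the combined key K*K' is taken componentwise.  Toy group, constructed inputs.
import hashlib

P_MOD, p, g = 2039, 1019, 4     # toy group: order-p subgroup of Z_P^* with generator g


def commit(value, r):
    """Stand-in commitment H(r || value); the paper uses El Gamal ciphertexts here."""
    return hashlib.sha256(f"{r}|{value}".encode()).hexdigest()


def prf_prime(Ke, x, d):
    """PRF'_Ke(x) = g^{k0 (k1^{d+1} x^{d+1} - 1)/(k1 x - 1)}: PRF1 closed form (assumes k1*x != 1)."""
    k0, k1 = Ke
    r = k1 * x % p
    e = k0 * (pow(r, d + 1, p) - 1) * pow((r - 1) % p, -1, p) % p
    return pow(g, e, P_MOD)


def f0_cprf(p0_in, p1_in, d):
    """F^0_CPRF: P0 enters (K, (x_1..x_mX), R), P1 enters (cKEY, (c_1..c_mX)) (PK omitted).
    P1 receives the PRF values only if every c_i commits to x_i and cKEY commits to K."""
    K, xs, (r_key, rs) = p0_in
    c_key, cs = p1_in
    if c_key != commit(K, r_key) or any(ci != commit(xi, ri) for ci, xi, ri in zip(cs, xs, rs)):
        return None                       # inconsistent inputs: the functionality refuses
    return [prf_prime(K, x, d) for x in xs]


def f1_cprf(p0_in, p1_in, d):
    """F^1_CPRF: P0 enters (K, R), P1 enters (cKEY, (y_1..y_mY)); P1 learns PRF_K(y_j) iff cKEY commits to K."""
    K, (r_key, _) = p0_in
    c_key, ys = p1_in
    if c_key != commit(K, r_key):
        return None
    return [prf_prime(K, y, d) for y in ys]


def set_intersection(X, Y, K, K_prime, R, cheat_with=None):
    """Run Protocol 9 between P0 (set X, share K, randomness R) and P1 (set Y, share K').
    cheat_with: a different set a malicious P0 enters into F^0_CPRF after committing to X."""
    d = (len(X) + len(Y) - 1).bit_length()       # d = ceil(log2(mX + mY))
    r_key, rs = R
    # Step 2: P0 commits to X before the key is fixed; then the shares are combined.
    C = [commit(x, r) for x, r in zip(X, rs)]
    Ke = (K[0] * K_prime[0] % p, K[1] * K_prime[1] % p)   # assumption: componentwise K*K'
    c_key = commit(Ke, r_key)
    # Step 3: PRF on X via F^0_CPRF; the functionality checks C and cKEY against P0's input.
    x_in = cheat_with if cheat_with is not None else X
    prf_x = f0_cprf((Ke, x_in, (r_key, rs)), (c_key, C), d)
    if prf_x is None:
        return None                               # P1 receives no output: P0 changed its input
    # Step 4: oblivious PRF on Y via F^1_CPRF, under the same committed key.
    prf_y = f1_cprf((Ke, (r_key, rs)), (c_key, Y), d)
    prf_x = set(prf_x)
    return {y for y, fy in zip(Y, prf_y) if fy in prf_x}


def demo():
    X = [5, 17, 42, 100]                          # P0's constructed set (elements of Z_p)
    Y = [17, 42, 7, 200]                          # P1's constructed set
    K, K_prime = (6, 7), (510, 437)               # fixed toy shares; combined key Ke = (3, 2) mod p
    R = ("r-key", ["r1", "r2", "r3", "r4"])       # P0's commitment randomness (constructed)
    honest = set_intersection(X, Y, K, K_prime, R)
    cheating = set_intersection(X, Y, K, K_prime, R, cheat_with=[5, 17, 42, 7])
    return honest, cheating


if __name__ == "__main__":
    print(demo())
```

Because $P_1$ only ever sees $\mathrm{PRF}'_{\tilde{K}}$ values, the toy group is what makes the output exact here: in the 1019-element subgroup two distinct elements of $X \cup Y$ could collide in the exponent, which is the negligible-probability event the security proof below conditions on, and which a full-size group rules out in practice.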
Theorem 5.5 Assume $\Pi = (\pi_{KeyGen}, \mathrm{Enc}, \pi_{DEC})$ is as in Section 3.3 and $\mathrm{PRF}'_K(\cdot)$ is a PRF according to Theorem 5.1. Then Protocol 9 securely realizes functionality $\mathcal{F}_\cap$ in the presence of malicious adversaries in the $\{\mathcal{F}^0_{CPRF}, \mathcal{F}^1_{CPRF}\}$-hybrid model.
Proof: We prove security for each corruption case separately. We assume that the simulator is given $m_X$.
$P_0$ is corrupted. Let $\mathcal{A}$ be a PPT adversary corrupting party $P_0$. We design a PPT simulator $\mathcal{S}$ that generates the view of $\mathcal{A}$ as follows.
1. Given $(1^n, X, z)$, $\mathcal{S}$ engages in an execution of $\pi_{KeyGen}(1^n, 1^n)$ with $\mathcal{A}$. Denote the outcome by $PK$.
2. $\mathcal{S}$ receives the encryptions $C = (c_1, \ldots, c_{m_X})$ of $\mathcal{A}$'s input.
3. Upon receiving from $\mathcal{A}$ its commitment to the PRF key $K$, $\mathcal{S}$ picks a new key share $K' \leftarrow \mathrm{KeyGen}(1^n, d = \log(m_X + m_Y))$ and sends it to $\mathcal{A}$.
4. $\mathcal{S}$ extracts the adversary's input $X'$ from its input to the ideal call $\mathcal{F}^0_{CPRF}$ and checks it for consistency with the set $C$. If consistent, $\mathcal{S}$ sends $X'$ to the trusted party and completes the execution as the honest $P_1$ would on an arbitrary set.
5. $\mathcal{S}$ outputs whatever $\mathcal{A}$ does.
Claim 5.1 For any tuple of inputs $(X, Y)$ and auxiliary input $z$,
$$\{\mathrm{IDEAL}_{\mathcal{F}_\cap, \mathcal{S}(z)}(n, (X, Y))\}_{n \in \mathbb{N}} \stackrel{s}{\approx} \{\mathrm{HYBRID}^{\{\mathcal{F}_{DL}, \mathcal{F}^0_{CPRF}, \mathcal{F}^1_{CPRF}\}}_{\pi_\cap, \mathcal{A}(z)}(n, (X, Y))\}_{n \in \mathbb{N}}.$$
It is simple to verify that the adversary's view is identical in both executions, as the adversary does not receive any message from $P_1$ that depends on $Y$. An important observation here is that the probability of the event that there exists $y \in Y$ such that $y \notin X'$ and yet $\mathrm{PRF}_{\tilde{K}}(y) \in \mathrm{PRF}_{X'}$ is negligible, since the key $\tilde{K}$ is picked independently of the set $X'$. This argument follows similarly to the proof in [HL10a] and implies that $P_1$'s output in both executions is identical, conditioned on the above event not occurring.
$P_1$ is corrupted. Let $\mathcal{A}$ be a PPT adversary corrupting party $P_1$. We design a PPT simulator $\mathcal{S}$ that generates the view of $\mathcal{A}$ as follows.
1. Given $(1^n, Y, z)$, $\mathcal{S}$ engages in an execution of $\pi_{KeyGen}(1^n, 1^n)$ with $\mathcal{A}$. Denote the outcome by $PK$.
2. $\mathcal{S}$ picks a set $X_S$ of $m_X$ arbitrary elements from $\mathbb{Z}_p$ and sends the encryptions $C = (c_1, \ldots, c_{m_X})$ of this set to $\mathcal{A}$.
3. $\mathcal{S}$ picks a PRF key share $K \leftarrow \mathrm{KeyGen}(1^n, d = \log(m_X + m_Y))$ and sends its encryption under $PK$ to $\mathcal{A}$. Upon receiving $\mathcal{A}$'s key share $K'$, the simulator sets the combined key to $\tilde{K} = K K'$.
4. $\mathcal{S}$ then emulates the ideal call $\mathcal{F}^0_{CPRF}$ and hands the adversary a random set $U$ of size $m_X$ of proper length.
5. Finally, the simulator extracts the adversary's input $Y'$ to the ideal call $\mathcal{F}^1_{CPRF}$ and sends this set to the trusted party, receiving back $Z = X \cap Y'$. The simulator completes the execution as follows. For each element $y' \in Y' \cap Z$ it programs the ideal answer of $\mathcal{F}^1_{CPRF}$ to be $r \in U$, where $r$ is picked from the elements of $U$ not picked thus far. Otherwise, the simulator returns a fresh random element from $\mathbb{Z}_p$.
6. $\mathcal{S}$ outputs whatever $\mathcal{A}$ does.
Next we prove the following claim.
Claim 5.2 For any tuple of inputs $(X, Y)$ and auxiliary input $z$,
$$\{\mathrm{IDEAL}_{\mathcal{F}_\cap, \mathcal{S}(z)}(n, (X, Y))\}_{n \in \mathbb{N}} \stackrel{c}{\approx} \{\mathrm{HYBRID}^{\{\mathcal{F}_{DL}, \mathcal{F}^0_{CPRF}, \mathcal{F}^1_{CPRF}\}}_{\pi_\cap, \mathcal{A}(z)}(n, (X, Y))\}_{n \in \mathbb{N}}.$$
Proof: The proof follows from the IND-CPA security of the El Gamal PKE and the security of the PRF. That is, the simulated view differs from the hybrid view in the encrypted input of $P_0$ and in the fact that the simulator uses a random function to evaluate the sets $X_S$ and $Y'$. Our proof proceeds by defining hybrid games and proving indistinguishability from both the simulated and the hybrid executions.
Hybrid $\mathrm{Hyb}_1$. Consider a hybrid game $\mathrm{Hyb}_1$ where there is no trusted party and the simulator $\mathcal{S}_{\mathrm{Hyb}_1}$ uses $P_0$'s real input $X$ for the PRF evaluations (namely, it uses $X$ as an input to functionality $\mathcal{F}^0_{CPRF}$) but completes the simulation as in the original simulation (namely, sends encryptions of the fake input $X_S$ and a fake PRF key). More formally, we mark in bold the differences from the simulation.
1. Given $(1^n, \mathbf{X}, Y, z)$, $\mathcal{S}_{\mathrm{Hyb}_1}$ engages in an execution of $\pi_{KeyGen}(1^n, 1^n)$ with $\mathcal{A}$. Denote the outcome by $PK$.
2. $\mathcal{S}$ picks a set $X_S$ of $m_X$ arbitrary elements from $\mathbb{Z}_p$ and sends the encryptions $C = (c_1, \ldots, c_{m_X})$ of this set to $\mathcal{A}$.
3. $\mathcal{S}$ picks a PRF key share $K \leftarrow \mathrm{KeyGen}(1^n, d = \log(m_X + m_Y))$ and sends its encryption under $PK$ to $\mathcal{A}$. Upon receiving $\mathcal{A}$'s key share $K'$, the simulator sets the combined key to $\tilde{K} = K K'$.
4. $\mathcal{S}_{\mathrm{Hyb}_1}$ emulates the ideal call $\mathcal{F}^0_{CPRF}$ \textbf{on the set $X$ and key $K K'$}, and hands the adversary a random set $U$ of size $m_X$ of proper length.
5. Finally, the simulator extracts the adversary's input $Y'$ to the ideal call $\mathcal{F}^1_{CPRF}$ and \textbf{computes $Z = X \cap Y'$}. It then completes the execution as follows. For each element $y' \in Y' \cap Z$ it programs the ideal answer of $\mathcal{F}^1_{CPRF}$ to be $r \in U$, where $r$ is picked from the elements of $U$ not picked thus far. Otherwise, the simulator returns a fresh random element from $\mathbb{Z}_p$.
SubClaim 5.3 For any tuple of inputs $(X, Y)$ and auxiliary input $z$,
$$\{\mathrm{IDEAL}_{\mathcal{F}_\cap, \mathcal{S}(z)}(n, (X, Y))\}_{n \in \mathbb{N}} \equiv \{\mathrm{Hyb}_1{}^{\{\mathcal{F}_{DL}, \mathcal{F}^0_{CPRF}, \mathcal{F}^1_{CPRF}\}}_{\pi_\cap, \mathcal{A}(z)}(n, (X, Y))\}_{n \in \mathbb{N}}.$$
Proof: It is easy to verify that the distributions are identical, as in both executions the simulator uses a random function whose outputs are independent of the inputs to the function.
Hybrid $\mathrm{Hyb}_2$. Next, consider a hybrid game $\mathrm{Hyb}_2$ where the simulator $\mathcal{S}_{\mathrm{Hyb}_2}$ uses a PRF instead of a random function when emulating functionalities $\mathcal{F}^0_{CPRF}$ and $\mathcal{F}$