5.7 Pseudorandom Functions
5.7.2 Key-Homomorphic PRFs
Following [BPR12], Boneh et al. (hereafter BLMR) [BLMR13] gave the first standard-model constructions of key-homomorphic PRFs (KH-PRFs), using lattices/LWE. (Previously, the only constructions of KH-PRFs were in the random-oracle model [NPR99].) A KH-PRF family is a PRF family $\{F_k\}$ with the additional property that $F_{k_1+k_2}(x) = F_{k_1}(x) + F_{k_2}(x)$ for all keys $k_1, k_2$ and inputs $x$, where both the key space and output range are interpreted as finite additive groups. As shown in [NPR99, BLMR13], KH-PRFs have many useful applications, such as distributing the operation of a key-distribution center, and updatable symmetric-key encryption.
In the BLMR construction, the secret key is just a uniformly random vector $r \in \mathbb{Z}_q^m$ for $m \approx n \log q$, and there are two short (e.g., binary or Gaussian) random square matrices $B_0, B_1 \in \mathbb{Z}^{m \times m}$, which are treated as shared randomness common to all keys. Alternatively, we may see these matrices as $B_b = G^{-1}(A_b)$ for some public uniformly random $A_b \in \mathbb{Z}_q^{n \times m}$, where the decomposition function $G^{-1}(\cdot)$ is as defined in Equation (5.4.1). Like the BPR construction, for input domain $\{0,1\}^\ell$ the BLMR function is defined as the rounded subset-product

$$F_r(x) = \left\lfloor r^t \cdot \prod_{i=1}^{\ell} B_{x_i} \right\rceil_p .$$
It is easy to verify that this construction is “almost” key-homomorphic, in that $F_{r_1}(x) + F_{r_2}(x)$ and $F_{r_1+r_2}(x)$ differ by at most one in each coordinate, due to the different order of rounding in the two cases.
BLMR prove that their construction is a secure PRF under the $n$-dimensional LWE assumption, for error rates $\alpha = n^{-\Omega(\ell)}$, and hence for parameters that are comparable to those of the lowest-depth BPR construction (Equation (5.7.1)). The main idea used in the proof is that LWE with a “large” secret $r \in \mathbb{Z}_q^m$ and short public $B = G^{-1}(A) \in \mathbb{Z}^{m \times m}$ is as hard as LWE in dimension $n \approx m/\log q$. This is because

$$s^t \cdot A = \underbrace{(s^t G)}_{r^t} \cdot G^{-1}(A),$$

so we can efficiently transform regular LWE samples with secret $s$ into those of the form described above. (The same idea has been used in many other works and contexts, such as [BV11b, MP12, BLP+13, GSW13].)

Following [BLMR13], Banerjee and Peikert [BP14] gave key-homomorphic PRFs from substantially weaker LWE assumptions, e.g., error rates of only $\alpha = n^{-\Omega(\log \ell)}$ or even $\alpha = n^{-\omega(1)}$, which yields better key sizes and runtimes. For example, the key sizes were reduced from $\tilde{O}(\lambda^3)$ to $\tilde{O}(\lambda)$ bits, and the shared randomness was reduced from $\tilde{O}(\lambda^6)$ bits to $\tilde{O}(\lambda^2)$ bits, with comparable improvements for ring-based constructions. These improvements come at the expense of slightly worse parallelism, specifically, a logarithmic factor in the depth of the “publicly computable” subset-product part of the function.

The main idea in the construction from [BP14] is that instead of letting the PRF input $x$ define a subset-product of the short matrices $B_b = G^{-1}(A_b)$, we let it define a matrix $A_x \in \mathbb{Z}_q^{n \times m}$ via a predefined scheduling of matrix multiplications and $G^{-1}(\cdot)$ decompositions. In particular, a product of decomposed matrices may itself be decomposed, in a nested fashion. This has the effect of better controlling the expansion of the error terms in the security proof, allowing for the use of smaller parameters. These ideas inherit from recent literature on fully homomorphic and attribute-based encryption [BV14, BGG+14, AP14], as described next in Chapter 6.
Finally, we mention that recent independent works of Banerjee et al. [BFP+15] and Brakerski and Vaikuntanathan [BV15] generalized the construction of [BP14] in different ways to give key-homomorphic constrained PRFs. Constrained PRFs, introduced in the concurrent and independent works [KPTZ13, BW13, BGI14], allow for delegation of secret keys that allow the PRF to be evaluated on inputs satisfying certain predicates, while at the same time preserving the pseudorandomness of the function outputs on all other inputs.
Chapter 6
Advanced Constructions
In this chapter we survey a selection of very powerful cryptographic objects, namely, fully homomorphic encryption and attribute-based encryption for arbitrary circuits. To date, the only known constructions of such objects are based on lattice problems of various kinds. Here we mainly restrict our attention to constructions based on the LWE problem.
6.1 Fully Homomorphic Encryption
In 1978, Rivest, Adleman, and Dertouzos [RAD78] proposed a concept which has come to be known as fully homomorphic encryption, or FHE. (At the time they called it a “privacy homomorphism.”) In brief, an FHE scheme allows computation on encrypted data, or more concisely, homomorphic computation: given a ciphertext that encrypts some data $\mu$, one can compute a ciphertext that encrypts $f(\mu)$ for any desired (efficiently computable) function $f$. We emphasize that this is possible without ever needing to decrypt the data or know the decryption key.
Fully homomorphic encryption was known to have abundant applications in cryptography, but for three decades no plausibly secure scheme was known. This changed in 2009, when Gentry proposed a candidate FHE scheme based on ideal lattices [Gen09b, Gen09a]. Gentry’s seminal work generated tremendous excitement, and was quickly followed by many works (e.g., [vDGHV10, Gen10b, SV11, BV11a, CMNT11, BV11b, BGV12, CNT12, GHS12b, Bra12, GHPS12, CCK+13, GSW13], among others) that offered various improvements in conceptual and technical simplicity, efficiency, security guarantees, etc. In this section we give an overview of the main ideas behind recent LWE-based FHE schemes, building on the tools described in the previous sections. For additional details, see the earlier surveys by Gentry [Gen10a] and Vaikuntanathan [Vai11].