We would like to prove a similar statement for the weighted NR and BMR PRFs. However, given ~
fingerprint for WNR_{\vec w}. Also, for any weight, it is not clear that there exists a strong key-fingerprint for WBMR. Hence, in general, one cannot apply the above framework to WNR or WBMR.
For this reason, in this section we design a new framework that generalizes the framework given in [ABPP14] and that can be applied, in particular, to both WNR and WBMR. This generic framework encompasses, in particular, the framework we propose in Section 5.2. However, the framework in the main body of this paper is significantly easier to use, which is why we chose to present it first and to give this generic framework only as an appendix, for completeness.
We introduce new notions, defined as follows, that extend the notions introduced in Section 5.2.
Perfectly Binding Key-Commitment. In order to overcome the lack of a strong key fingerprint, we introduce perfectly binding key-commitments. A perfectly binding key-commitment is a (deterministic) algorithm Com: K → ComSp that takes a key K ∈ K as input and outputs a value Com(K) such that for any K, K' in K, we have Com(K) = Com(K') if and only if K = K' (perfectly binding). As we will see later, we also want that for K ∈ K, Com(K) hides the value of K. However, we do not need a special requirement for this in the present definition, since it is implied by the extended definitions of the key-collision and UI-PRF-RKA security notions given below.
Helper Information. In order to prove the security of our framework, we need to be able to compute commitments of any related key from some (public) information. We therefore give the adversary access to some helper information help_Φ = Help_Φ(K) ∈ HelpSp about the secret key K, where Help_Φ is a function from K to HelpSp. The helper function Help_Φ depends on the class Φ of RKD functions we are interested in. We assume that Com(φ(K)) can be computed from φ and Help_Φ(K) alone, without knowing K.
We then use the extended versions of the key-collision and unique-input-prf-rka security games depicted in Figure 8 and Figure 9, where Initialize also leaks help_Φ to the adversary. We remark that UI-PRF-RKA security implies that help_Φ hides K, since otherwise the extended UI-PRF-RKA security would be trivial to break. This directly implies that the commitment of K is hiding, since it can be computed from help_Φ.
Remark G.1. We do not need a statistical-key-collision security property, because it is implied by the extended key-collision security property. The compatibility requirement on the hash function is also simplified: we just require that it is a collision-resistant hash function and that its range S is such that the extended (S,Φ)-unique-input-prf-rka security problem is hard.
  proc Initialize
    K ←$ K
    help_Φ ← Help_Φ(K)
    Return help_Φ

  proc RKFn(φ, x)
    y ← M(φ(K), x)
    Return y

  proc Finalize(φ1, φ2)
    Return (φ1 ≠ φ2 and φ1(K) = φ2(K))

Figure 8: Game defining the extended Φ-key-collision security of a PRF M and helper function Help.
  proc Initialize
    K ←$ K ; b ←$ {0,1}
    help_Φ ← Help_Φ(K)
    Return help_Φ

  proc RKFn(φ, x)
    If x ∈ S then
      If b = 0 then y ← M(φ(K), x)
      Else y ←$ R
    Else y ← ⊥
    Return y

  proc Finalize(b')
    Return b' = b

Figure 9: Game defining the extended (S,Φ)-unique-input-prf-rka security of a PRF M and helper function Help.
Using these new tools, we obtain the following framework, which generalizes [ABPP14, Theorem 3.1] as well as Theorem 5.2 from Section 5.2.
Theorem G.2. Let M: K × D → R be a function and Φ be a class of RKD functions. Let Com: K → ComSp be a perfectly binding key-commitment. Let Help_Φ: K → HelpSp be the helper function associated to Com and Φ. Let $\overline{D} = D \times \mathrm{ComSp}$ and let $H\colon \overline{D} \to S$ be a compatible collision-resistant hash function, with $S \subseteq D$. Define $F\colon K \times \overline{D} \to R$ by
$$F(K, x) = M\big(K,\, H(x, \mathrm{Com}(K))\big)$$
for all $K \in K$ and $x \in \overline{D}$. Let A be a Φ-restricted adversary against the PRF-RKA security of F that makes q ≤ |S| oracle queries. Then we can construct an adversary B against the extended (S,Φ)-unique-input-prf-rka security of M, an adversary C against the collision-resistance (cr) security of H, and an adversary D against the extended Φ-kc security of M such that
$$\mathbf{Adv}^{\mathrm{prf\text{-}rka}}_{\Phi,F}(A) \;\le\; \mathbf{Adv}^{\mathrm{ext\text{-}ui\text{-}prf\text{-}rka}}_{\Phi,S,M}(B) \;+\; \mathbf{Adv}^{\mathrm{cr}}_{H}(C) \;+\; 2\cdot \mathbf{Adv}^{\mathrm{ext\text{-}kc}}_{\Phi,M}(D).$$
Adversary C has the same running time as A. Adversaries B and D have the same running time as A plus the time to compute q key-commitments using their helper information.
Proof Overview. The proof of the above theorem is detailed in Appendix G.3 and relies on the sequence of 10 games (games G0–G9) described in Figure 10. It is very similar to the proof of Theorem 3.1 from [ABPP14]. Here we provide a brief overview. Since the RKD functions that we consider in our case may have claws, we start by dealing with possible collisions on the related keys in the RKAPRFReal case, using the extended key-collision notion (games G0–G2). These claws can be detected by looking for collisions of perfectly binding key-commitments for different RKD functions. Then, in games G3–G4, we deal with possible collisions on hash values in order to ensure that the hash values h = H(x, Com(K)) used to compute the output y are distinct. Then, we use the new extended (S,Φ)-unique-input-prf-rka security notion to show that it is hard to distinguish the output of F from a uniformly random output (games G5–G6). Finally, we use the extended key-collision security notion once again to deal with possible key collisions in the RKAPRFRand case (games G7–G9), so that G9 matches the description of the RKAPRFRand game. These key collisions can still be detected in these games by making crucial use of the helper function.
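To make the three ingredients concrete (the perfectly binding commitment Com, the helper information Help_Φ from which Com(φ(K)) is computable without K, and the construction F(K, x) = M(K, H(x, Com(K))) of Theorem G.2), here is an added toy instantiation in Python. It is not code from the paper and none of its choices are the paper's: the commitment is assumed to be Com(K) = g^K in a prime-order subgroup, the RKD class is assumed to be affine maps φ(K) = aK + b mod q, the helper is assumed to be Help_Φ(K) = g^K (so that g^{aK+b} = (g^K)^a · g^b), the base PRF M is stood in by HMAC-SHA256 and the compatible hash H by SHA-256. The group parameters are deliberately tiny so the example runs instantly; a real instantiation needs a cryptographic group. The last function shows the claw-detection step used in the proof overview: two distinct RKD functions collide on K exactly when their commitments, computed from the helper alone, coincide.

```python
"""Toy instantiation of F(K, x) = M(K, H(x, Com(K))) with helper information.

Assumptions (not the paper's): Com(K) = g^K in an order-q subgroup, affine RKD
functions phi(K) = a*K + b mod q, Help(K) = g^K, M = HMAC-SHA256, H = SHA-256.
"""
import hashlib
import hmac

# Constructed toy group: p = 2q + 1 is a safe prime and g = 4 generates the
# order-q subgroup of Z_p^*. The key space is Z_q.
P, Q, G = 2039, 1019, 4


def com(k: int) -> int:
    """Perfectly binding commitment: k -> g^k is injective on Z_q since g has order q."""
    return pow(G, k % Q, P)


def help_affine(k: int) -> int:
    """Helper information for the affine class: Help(K) = g^K (assumption)."""
    return com(k)


def apply_rkd(phi: tuple[int, int], k: int) -> int:
    """Evaluate the affine RKD function phi = (a, b) on the key k."""
    a, b = phi
    return (a * k + b) % Q


def com_of_related(helper: int, phi: tuple[int, int]) -> int:
    """Compute Com(phi(K)) from the helper only, without K:
    g^(aK + b) = (g^K)^a * g^b mod p."""
    a, b = phi
    return (pow(helper, a % Q, P) * pow(G, b % Q, P)) % P


def hash_h(x: bytes, commitment: int) -> bytes:
    """Stand-in for the compatible collision-resistant hash H: D x ComSp -> S.
    The length prefix keeps the encoding of (x, Com(K)) unambiguous."""
    return hashlib.sha256(
        len(x).to_bytes(4, "big") + x + commitment.to_bytes(2, "big")
    ).digest()


def base_prf(k: int, h: bytes) -> bytes:
    """Stand-in for the underlying PRF M(K, .)."""
    return hmac.new((k % Q).to_bytes(2, "big"), h, hashlib.sha256).digest()


def prf_f(k: int, x: bytes) -> bytes:
    """The framework's F(K, x) = M(K, H(x, Com(K)))."""
    return base_prf(k, hash_h(x, com(k)))


def claw_detected(helper: int, phi1: tuple[int, int], phi2: tuple[int, int]) -> bool:
    """Reduction-side check from the proof: distinct phi1, phi2 with
    phi1(K) == phi2(K) are exposed by a collision of their commitments,
    which the reduction computes from the helper without knowing K."""
    return phi1 != phi2 and com_of_related(helper, phi1) == com_of_related(helper, phi2)


if __name__ == "__main__":
    key = 5
    helper = help_affine(key)
    # The reduction reproduces the commitment of a related key from the helper.
    assert com_of_related(helper, (3, 7)) == com(apply_rkd((3, 7), key))
    # phi2(K) = 2*5 + (q - 5) = 5 = phi1(K): a claw, visible through the helper.
    print("claw detected:", claw_detected(helper, (1, 0), (2, Q - 5)))
    print("F(K, x) =", prf_f(key, b"some input").hex())
```

The check `com_of_related(helper, phi) == com(apply_rkd(phi, key))` is exactly what lets adversaries B and D in Theorem G.2 pay only q extra commitment computations: they never see K, yet they obtain Com(φ(K)) for every queried φ from help_Φ.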