Security of Our CPRF - Adaptively Single-Key Secure Constrained PRFs for NC1

We present the proof of Theorem4.1in this section.

Proof. We prove the theorem by following steps. We denote the master secret key of the scheme bymsk0

for notational convenience. LetAbe a PPT adversary that breaks adaptive single-key security of the scheme. In addition, let=(λ)andQ=Q(λ)be its advantage and the upper bound on the number of

evaluation queries, respectively. By assumption,Q(λ)is polynomially bounded and there exists a noticeable

function0(λ)such that(λ) ≥0(λ)holds for infinitely manyλ. By the property of the balanced AHF

(Definition2.4, Item1),Pr[u←R AdmSample(1λ, Q(λ), 0(λ)) :u∈ {0,1}m] = 1for all sufficiently large

λ. Therefore, in the following, we assume that this condition always holds. We show the security of the

scheme via the following sequence of games.

Game0: This is the real single-key security experimentExptcprf_CPRF_,F,A(λ)against an admissible adversary

A= (A1,A2). Namely, coin← {R 0,1} pp←R Setup(1λ) msk0 R ←KeyGen(pp) X∗← RR (f,stA) R ← AOChal(·),Eval(msk0,·) 1 (pp) skf R ←iO(ConstrainedKey[msk, f]) d

coin← AR OChal(·),Eval(msk0,·)

2 (skf,stA)

Return(coind

? =coin)

where the challenge oracle O_Chal(·) is described

below.

O_Chal(x∗): Givenx∗∈ {0,1}n_{as input, it returns}

Eval(msk0, x∗)ifcoin= 1andX∗ifcoin= 0.

We recall that O_Chal(·) is queried at most once

during the game.

Game1: In this game, we changeGame0so that the game performs the following additional step at the

end of the experiment. First, the game samplesu←R AdmSample(1λ, Q, 0)and checks whether the

following condition holds:

Pu(h(x1)) =· · ·=Pu(h(xQ)) = 1 ∧ Pu(h(x∗)) = 0, (3)

wherex1, . . . , xQ are inputs to the PRF for whichAcalled the evaluation oracleEval(msk0,·). If

it does not hold, the game ignores the outputcoind of A, and replace it with a fresh random coin d

coin← {R 0,1}. In this case, we say that the game aborts.

Game2: In this game, we change the way skf is generated and the oracles return answers. At the

beginning of the game, we samplemsk0

← KeyGen(pp) andmsk1

← KeyGen(pp), and compute k[msk0,msk1,⊥m]

← Merge[msk0,msk1,⊥m]. We then set C := MEval(k[msk0,msk1,⊥m],·).

Furthermore,skf given toA2is generated asskf

←iO(ConstrainedKeyAlt[C, f])instead ofskf

R ←

iO(ConstrainedKey[msk, f]), where the circuitConstrainedKeyAlt[C, f]is depicted in Figure8. We

also replace the evaluation oracleEval(msk0,·)and the challenge oracleOe_Chal(·)with the following oracles.

Eval(C,·): Givenx∈ {0,1}n_{as input, it returns}_C₍_x₎_.

ConstrainedKeyAlt[C, f] Input: x∈ {0,1}n Constants: pp,C, andf Iff(x) = 0 OutputC(x) Else Output⊥

Figure 8: Description of ProgramConstrainedKeyAlt[C, f]

e C[sk0,g,msk1, f, u] Input: x∈ {0,1}n Constants: pp,sk0,g,msk1,f,u Iff(x) = 0 ∧ Pu(h(x)) = 0 OutputCEval(sk0,g, x) Iff(x) = 0 ∧ Pu(h(x)) = 1 OutputEval(msk1, x) Else Output⊥

Figure 9: Description of ProgramCe[sk₀_,g,msk₁, f, u]

Game3: Recall that inGame2, it is checked whether the abort condition Eq. (3) holds or not at the end of

the game. In this game, we change the game so that it samplesuat the beginning of the game and

aborts and outputs a random bit as soon as the abort condition becomes true.

Game4: In this game, we further change the wayCis generated. At the beginning of the game, the game

samples k[msk0,msk1, u]

← Merge[msk0,msk1, u]and then set C := MEval(k[msk0,msk1, u],·)

instead ofC:=MEval(k[msk0,msk1,⊥m],·).

Game5: In this game, we replaceEval(g C,·)andOe_Chal(C,·)with the following oracles.

Eval(msk1,·): Givenx∈ {0,1}nas input, it returnsEval(msk1, x). ¯

O_Chal(msk0,·): Givenx∗∈ {0,1}nas input, it returnsEval(msk0, x∗)ifcoin= 1andX∗ifcoin= 0. Game6: In this game, we change the wayskf is generated whenA1makes the call toOChal(namely, the

challenge query is made beforef is chosen byA). Letx∗be the challenge query made byA₁. We set the functiongx∗ : {0,1}n → {0,1} asg_x∗(x) = (x =? x∗). To generatesk_f, we first sample sk0,gx∗

←Constrain(msk0, gx∗)and setsk_f ←R iO(Ce[sk₀_,g

x∗,msk1, f, u]), whereCe[sk0,g,msk1, f, u] is depicted in Figure9. Note that ifA1does not make the challenge query, we do not change the way skf is generated.

Game7: In this game, we change the way skf is generated when A1 stops without making challenge

query (namely, the challenge query will be made afterAchoosesf). In such a case, we first sample sk0,f

←Constrain(msk0, f)and setskf

←iO(Ce[sk₀_,f,msk₁, f, u]).

Lemma 4.3.Ifhis a balanced AHF and|Pr[T0]−1/2|is non-negligible, so is|Pr[T1]−1/2|.

Proof. We apply Lemma2.6to evaluate|Pr[T1]−1/2|. To apply the lemma, we set the input toDandD0

to becoinused in the game, the output ofD(coin)to be(X= (x∗, x1, . . . , xQ),coin)d inGame0, the output ofD0_(coin)_{to be that in}_Game₁_{, and}_γ₍_X₎_{to be the probability that Eq. (}₃_{) holds for}_X_{= (}_x∗_{, x}

1, . . . , xQ)

when randomness is taken over the choice ofu←R AdmSample(1λ, Q, 0). Then,

Pr[T1]− 1 2 ≥γmin− γmax−γmin 2 ≥γmin0− γmax−γmin 2 | {z } :=τ

holds for infinitely manyλby the lemma, whereγmin = minXγ(X)andγmax := maxXγ(X). By the

property of the balanced AHFh(Definition2.4, Item2), we have thatτ is a noticeable function. This implies

that|Pr[T1]−1/2|is noticeable for infinitely manyλ, and thus the term is non-negligible. Lemma 4.4.IfiOis a secure indistinguishability obfuscator, then|Pr[T2]−Pr[T1]|= negl(λ).

Proof. We first observe thatC(x) =MEval(k[msk0,msk1,⊥m], x) =Eval(msk0, x)sinceP⊥m(h(x)) = 0 for allx∈ {0,1}n_{. Therefore, the change for the evaluation and the challenge oracles is only conceptual. Fur-}

thermore,ConstrainedKey[msk0, f]andConstrainedKeyAlt[C, f]withC =MEval(k[msk0,msk1,⊥m],·)

have identical functionalities. Therefore|Pr[T2]−Pr[T1]|is negligible by the security ofiO. Lemma 4.5.We havePr[T3] = Pr[T2].

Proof. Since the change is only conceptual, the lemma trivially follows.

Lemma 4.6.IfPCPRFis partition-hiding with respect toh, we have|Pr[T4]−Pr[T3]|= negl(λ). Proof. For the sake of the contradiction, let us assume that|Pr[T4]−Pr[T3]|is non-negligible. We then

construct an adversaryB= (B1,B2)that breaks the partitioning hiding ofPCPRFusingA= (A1,A2). In

the following, we differentiate two random variablescoinandcoin0. The former denotes the random variable

thatAtries to guess in the adaptive single key security game, while the latter denotes the random variable thatBtries to guess in the partition-hiding game.

B1(pp): Givenpp,B1first samplesu

←AdmSample(1λ, Q, 0),coin

← {0,1}, andX∗ ←R _G. It then sets

stB = (pp, u, X∗,coin)and outputs(u,stB).

B₂(k,stB): Given k, B2 first parses stB → (pp, u, X∗,coin) and sets C := MEval(k,·). Here, k

R ←

iO[msk0,msk1,⊥m]ifcoin0 = 0andk

←iO[msk0,msk1, u]ifcoin0 = 1. It then runsA1 on input pp. WhenA1 makes the query forOe_Chal(C,·)on inputx∗,B₂ first checks whetherP_u(h(x∗)) = 0 holds. If it holds,B2 returnsC(x)ifcoin= 1andX∗ otherwise. If it does not hold,B2 stops the

experiment and outputs a random coin as its guess. WhenA₁makes a query forEval(g C,·)on input

x,B2 first checks whetherPu(h(x)) = 1holds. If it holds, it returnsC(x). Otherwise,B2stops the

experiment and outputs a random coin as its guess. At some point, A1 outputs (f,stA). B2 then

computesskf

←iO(ConstrainedKeyAlt[C, f])and gives(skf,stA)toA2. The oracle queries made

byA₂are handled similarly to the case ofA₁. At last,A₂outputscoind as its guess forcoin. Then,B₂ outputs(coind

=coin)as its guess.

It can easily be seen that B simulates Game4 if coin0 = 1 and Game3 otherwise. The lemma readily

Lemma 4.7.We havePr[T5] = Pr[T4].

Proof. We observe that for anyx∈ {0,1}n_{, we have}_C₍_x_{) =}_MEval(k[msk

0,msk1, u], x) =Eval(mskb, x)

forb=Pu(h(x)). By the change made inGame3, the experiment stops and outputs a random bit as soon

asAmakes an evaluation query forxsuch thatPu(h(x)) = 0. Therefore, from the view point ofA, the

response ofEval(g C,·)andEval(msk₁,·)are completely the same. Similarly, since the experiment aborts as soon asAmakes the challenge query forx∗ such thatPu(h(x∗)) = 1, the response ofOe_Chal(C,·)and

O_Chal(msk0,·)are completely the same. Therefore, the change made inGame5is only conceptual and the

lemma follows.

Lemma 4.8.IfiOis a secure indistinguishability obfuscator, then|Pr[T6]−Pr[T5]|= negl(λ).

Proof. We first observe thatskfis sampled asskf

←iO(ConstrainedKeyAlt[C, f])forC=MEval(k[msk0, msk1, u],·)inGame5, whereas it is sampled asskf

←iO(Ce[sk₀_,g

x∗,msk1, f, u])inGame6ifA1 makes the challenge query. We prove that the programsConstrainedKeyAlt[C, f]andCe[sk₀_,g

x∗,msk1, f, u]are functionally equivalent. First, it is easy to see that both circuits output⊥for an inputxsuch thatf(x) = 1.

Forxsuch thatf(x) = 0andPu(h(x)) = 1, it is also easy to see that both circuits outputEval(msk1, x).

In the case of f(x) = 0 and Pu(h(x)) = 0, ConstrainedKeyAlt[C, f] outputs Eval(msk0, x) whereas

C[sk0,gx∗,msk1, f, u]outputsCEval(sk0,gx∗, x). Sincef(x

∗_{) = 1}_{, we have}_x₆₌_x∗_{and thus}_g

x∗(x) = 0. By

the correctness ofPCPRF, this impliesCEval(sk0,gx∗, x) =Eval(msk0, x). Therefore,|Pr[T6]−Pr[T5]|is negligible by the security ofiO.

Lemma 4.9.IfiOis a secure indistinguishability obfuscator, then|Pr[T7]−Pr[T6]|= negl(λ).

Proof. We first observe thatskfis sampled asskf

←iO(ConstrainedKeyAlt[C, f])forC=k[msk0,msk1, u]

inGame 6, whereas it is sampled asskf

← iO(Ce[sk₀_,f,msk₁, f, u]) inGame6 ifA₁ has not made the challenge query. We prove thatConstrainedKeyAlt[C, f]andCe[sk₀_,f,msk₁, f, u]are functionally equivalent. First, it is easy to see that both circuits output ⊥for an input x such that f(x) = 1. Forx such that f(x) = 0andPu(h(x)) = 1, it is also easy to see that both outputEval(msk1, x). In the case off(x) = 0

andPu(h(x)) = 0, ConstrainedKeyAlt[C, f]outputsEval(msk0, x) whereasCe[sk₀_,f,msk₁, f, u]outputs

CEval(sk0,f, x). Sincef(x) = 0, we haveCEval(sk0,f, x) =Eval(msk0, x)by the correctness ofPCPRF.

Therefore,|Pr[T7]−Pr[T6]|is negligible by the security ofiO.

Lemma 4.10.IfPCPRFis selective-constraint no-evaluation secure,|Pr[T7]−1/2|= negl(λ).

Proof. For the sake of the contradiction, let us assume that|Pr[T7]−1/2| is non-negligible. We then

construct an adversaryB= (B1,B2)that breaks the selective-constraint no-evaluation security ofPCPRF

usingA= (A₁,A₂). In the following, we denote the random coin thatBshould guess bycoin. Looking

ahead, the random coin thatAhas to guess in the simulation ofGame7will be set as the same bit.

B1(pp): Givenpp,B1first samplesu

←AdmSample(1λ, Q, 0),msk1

←KeyGen(pp). It then runsA1on

inputpp. WhenA1 makes the evaluation query forEval(msk1,·)on inputx,B1first checks whether

Pu(h(x)) = 1holds. If it holds, it returnsEval(msk1, x). Otherwise,B1setsstB =abortand outputs

(g=1,stB), whereg=1is the constant function that always outputs1. IfA1makes the challenge query for

x∗,B1first checks whetherPu(h(x∗)) = 0holds. If it holds,B1setsstB:= (postchal,msk1, u, x∗)

and outputs(gx∗,st_B). Otherwise, it setsst_B =abortand outputs(g₌₁,st_B). IfA₁stops and outputs (f,stA)without having made the challenge query,B1setsstB:= (prechal,msk1, u,stA)and outputs

Given the output fromB₁, the selective-constraint no-evaluation security game forBrunsmsk0

←KeyGen(pp)

andsk←R Constrain(msk0, g)wheregis eitherforg=1orgx∗. Then,skis given toB2.

B2(sk,stB): It is given a constrained key sk for some function and the statestB as input. By the way

we definedB1, these should be in the form of (sk = skg=1,stB = abort) or(sk = sk0,f,stB :=

(prechal,msk1, u,stA))or(sk=sk0,gx∗,stB := (postchal,msk1, u, x

∗₎₎_.

- In the case of(sk=skg=1,stB =abort),B2immediately aborts and outputs a random bit. - In the case of(sk=sk0,gx∗,stB := (postchal,msk1, u, x

∗₎₎_,_B

2 first makes the challenge query

for its own challenge oracle on inputx∗and is given the challenge term, which isX∗ifcoin= 0and Eval(msk0, x∗)ifcoin= 1. It then gives the challenge term toA1. WhenA1makes an evaluation

query on inputx,B₂first checks whetherPu(h(x)) = 1holds. If it holds, it returnsEval(msk1, x).

Otherwise,B2aborts and outputs a random bit. At some point,A1outputs(f,stA). B2 then sets skf

←iO(Ce[sk₀_,g

x∗,msk1, f, u])and runsA2(skf,stA). The evaluation queries thatA2makes are handled as above. Eventually,A2outputs its guesscoind. Then,B₂outputscoind as its guess. - In the case of(sk =sk0,f,stB := (prechal,msk1, u,stA)),B2first computesskf

←iO(Ce[sk₀_,f,

msk1, f, u])and runsA2 on input(skf,stA). WhenA2 makes an evaluation query forx,B2first

checks whetherPu(h(x)) = 1holds. If it holds, it returnsEval(msk1, x). Otherwise,B1aborts and

outputs a random bit. WhenA₂makes the challenge query forO_Chal(msk0,·)on inputx∗, it first

checks whetherPu(h(x∗)) = 0and aborts and outputs a random bit if it does not hold. On the other

hand, ifPu(h(x∗)) = 0holds, it then makes the challenge query for its own challenge oracle on input

x∗and is given the challenge term, which isX∗orEval(msk0)depending on the value ofcoin. Then

it gives the challenge term toA₂. Eventually,A₂outputs its guesscoind. Then,B₂outputscoind as its guess.

It can be seen thatBdefined above perfectly simulatesGame7forA, wherecoinin the game is set as the

same bit as the random coin thatBhas to guess. Therefore, the lemma readily follows.

From Lemma4.3, we have that|Pr[T1]−1/2|is non-negligible. Then, by Lemma4.4,4.5,4.6,4.7,4.8,

and4.9, we have that|Pr[T7]−1/2|is non-negligible as well. However, this contradicts Lemma4.10. This

concludes the proof of the theorem.

Remark 4.11. As one may notice, in the hybrids, we obfuscate a program that contains a merged key k[msk0,msk1, u]that itself is also an obfuscation of some program in our construction. Therefore when

generating a constrained key,ConstrainedKey[msk, f]should be padded to the maximum size of an obfuscated

program that appears in the hybrids, and thus the size ofskf is the size of an obfuscation of an obfuscation.

Actually, this “obfuscation of obfuscation” blowup could be avoided if we directly construct an adaptively secure CPRF based oniOand the subgroup hiding assumption. However, we believe that the abstraction of

PCPRF makes it easier to understand our security proof, and there should be further applications of it.

Acknowledgments

We would like to thank Yilei Chen for the valuable discussion about adaptive security of the LWE-based constraint-hiding CPRFs. The first, second, and fourth authors were supported by JST CREST Grant Number JPMJCR1688, Japan.

References

[ABB10] Shweta Agrawal, Dan Boneh, and Xavier Boyen. Efficient lattice (H)IBE in the standard model. In Henri Gilbert, editor,EUROCRYPT 2010, volume 6110 ofLNCS, pages 553–572. Springer,

Heidelberg, May / June 2010. (Cited on page10.)

[AFP16] Hamza Abusalah, Georg Fuchsbauer, and Krzysztof Pietrzak. Constrained PRFs for unbounded inputs. In Kazue Sako, editor,CT-RSA 2016, volume 9610 ofLNCS, pages 413–428. Springer,

Heidelberg, February / March 2016. (Cited on page1,2.)

[AMN+_{18] Nuttapong Attrapadung, Takahiro Matsuda, Ryo Nishimaki, Shota Yamada, and Takashi}

Yamakawa. Constrained PRFs forNC1in traditional groups. In Hovav Shacham and Alexandra

Boldyreva, editors,CRYPTO 2018, Part II, volume 10992 ofLNCS, pages 543–574. Springer,

Heidelberg, August 2018. (Cited on page1,4,6,10,11,14,16,17.)

[BB04] Dan Boneh and Xavier Boyen. Secure identity based encryption without random oracles. In Matthew Franklin, editor, CRYPTO 2004, volume 3152 ofLNCS, pages 443–459. Springer,

Heidelberg, August 2004. (Cited on page2,9.)

[BFP+_{15] Abhishek Banerjee, Georg Fuchsbauer, Chris Peikert, Krzysztof Pietrzak, and Sophie Stevens.}

Key-homomorphic constrained pseudorandom functions. In Yevgeniy Dodis and Jesper Buus Nielsen, editors,TCC 2015, Part II, volume 9015 ofLNCS, pages 31–60. Springer, Heidelberg,

March 2015. (Cited on page1.)

[BGI+_{12] Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil P. Vadhan,}

and Ke Yang. On the (im)possibility of obfuscating programs. J. ACM, 59(2):6:1–6:48, 2012.

(Cited on page1,12.)

[BGI14] Elette Boyle, Shafi Goldwasser, and Ioana Ivan. Functional signatures and pseudorandom functions. In Hugo Krawczyk, editor, PKC 2014, volume 8383 of LNCS, pages 501–519.

Springer, Heidelberg, March 2014. (Cited on page1.)

[Bit17] Nir Bitansky. Verifiable random functions from non-interactive witness-indistinguishable proofs. In Yael Kalai and Leonid Reyzin, editors,TCC 2017, Part II, volume 10678 ofLNCS, pages

567–594. Springer, Heidelberg, November 2017. (Cited on page1.)

[BKM17] Dan Boneh, Sam Kim, and Hart William Montgomery. Private puncturable PRFs from standard lattice assumptions. In Jean-Sébastien Coron and Jesper Buus Nielsen, editors,

EUROCRYPT 2017, Part I, volume 10210 of LNCS, pages 415–445. Springer, Heidelberg,

April / May 2017. (Cited on page1.)

[BLW17] Dan Boneh, Kevin Lewi, and David J. Wu. Constraining pseudorandom functions privately. In Serge Fehr, editor,PKC 2017, Part II, volume 10175 ofLNCS, pages 494–524. Springer,

Heidelberg, March 2017. (Cited on page1,2,7.)

[BR09] Mihir Bellare and Thomas Ristenpart. Simulation without the artificial abort: Simplified proof and improved concrete security for Waters’ IBE scheme. In Antoine Joux, editor,

EUROCRYPT 2009, volume 5479 ofLNCS, pages 407–424. Springer, Heidelberg, April 2009.

[BTVW17] Zvika Brakerski, Rotem Tsabary, Vinod Vaikuntanathan, and Hoeteck Wee. Private constrained PRFs (and more) from LWE. In Yael Kalai and Leonid Reyzin, editors, TCC 2017, Part I,

volume 10677 ofLNCS, pages 264–302. Springer, Heidelberg, November 2017. (Cited on

page1,6.)

[BV15] Zvika Brakerski and Vinod Vaikuntanathan. Constrained key-homomorphic PRFs from standard lattice assumptions - or: How to secretly embed a circuit in your PRF. In Yevgeniy Dodis and Jesper Buus Nielsen, editors,TCC 2015, Part II, volume 9015 ofLNCS, pages 1–30. Springer,

Heidelberg, March 2015. (Cited on page1,6.)

[BW13] Dan Boneh and Brent Waters. Constrained pseudorandom functions and their applications. In Kazue Sako and Palash Sarkar, editors,ASIACRYPT 2013, Part II, volume 8270 ofLNCS, pages

280–300. Springer, Heidelberg, December 2013. (Cited on page1,11,12.)

[BZ14] Dan Boneh and Mark Zhandry. Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. In Juan A. Garay and Rosario Gennaro, editors,CRYPTO 2014, Part I, volume 8616 ofLNCS, pages 480–499. Springer, Heidelberg, August 2014. (Cited on

page1,2,3,4,6.)

[CC17a] Ran Canetti and Yilei Chen. Constraint-hiding constrained PRFs for NC1 from LWE. Cryptology ePrint Archive, Report 2017/143, 2017. http://eprint.iacr.org/2017/143. (Cited on

page7.)

[CC17b] Ran Canetti and Yilei Chen. Constraint-hiding constrained PRFs for NC1 _{from LWE. In}

Jean-Sébastien Coron and Jesper Buus Nielsen, editors,EUROCRYPT 2017, Part I, volume

10210 ofLNCS, pages 446–476. Springer, Heidelberg, April / May 2017. (Cited on page1,7.)

[CGH04] Ran Canetti, Oded Goldreich, and Shai Halevi. The random oracle methodology, revisited. J. ACM, 51(4):557–594, 2004. (Cited on page1.)

[CH85] Stephen A. Cook and H. James Hoover. A depth-universal circuit. SIAM J. Comput., 14(4):833–

839, 1985. (Cited on page14.)

[CHKP12] David Cash, Dennis Hofheinz, Eike Kiltz, and Chris Peikert. Bonsai trees, or how to delegate a lattice basis. Journal of Cryptology, 25(4):601–639, October 2012. (Cited on page2,9.)

[CLTV15] Ran Canetti, Huijia Lin, Stefano Tessaro, and Vinod Vaikuntanathan. Obfuscation of probabilistic circuits and applications. In Yevgeniy Dodis and Jesper Buus Nielsen, editors,TCC 2015, Part II,

volume 9015 ofLNCS, pages 468–497. Springer, Heidelberg, March 2015. (Cited on page19.)

[DDM17] Pratish Datta, Ratna Dutta, and Sourav Mukhopadhyay. Constrained pseudorandom functions for unconstrained inputs revisited: Achieving verifiability and key delegation. In Serge Fehr, editor,PKC 2017, Part II, volume 10175 ofLNCS, pages 463–493. Springer, Heidelberg, March

2017. (Cited on page2.)

[DKNY18] Alex Davidson, Shuichi Katsumata, Ryo Nishimaki, and Shota Yamada. Constrained prfs for bit-fixing from owfs with constant collusion resistance. IACR Cryptology ePrint Archive,

[DKW16] Apoorvaa Deshpande, Venkata Koppula, and Brent Waters. Constrained pseudorandom functions for unconstrained inputs. In Marc Fischlin and Jean-Sébastien Coron, editors,EUROCRYPT 2016, Part II, volume 9666 ofLNCS, pages 124–153. Springer, Heidelberg, May 2016. (Cited on

page1,2.)

[FHPS13] Eduarda S. V. Freire, Dennis Hofheinz, Kenneth G. Paterson, and Christoph Striecks. Pro- grammable hash functions in the multilinear setting. In Ran Canetti and Juan A. Garay, editors,

CRYPTO 2013, Part I, volume 8042 ofLNCS, pages 513–530. Springer, Heidelberg, August

2013. (Cited on page10.)

[FKPR14] Georg Fuchsbauer, Momchil Konstantinov, Krzysztof Pietrzak, and Vanishree Rao. Adaptive security of constrained PRFs. In Palash Sarkar and Tetsu Iwata, editors,ASIACRYPT 2014, Part II, volume 8874 ofLNCS, pages 82–101. Springer, Heidelberg, December 2014. (Cited on

page7.)

[Fre10] David Mandell Freeman. Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In Henri Gilbert, editor,EUROCRYPT 2010, volume 6110 ofLNCS,

pages 44–61. Springer, Heidelberg, May / June 2010. (Cited on page6.)

[GGH+_{16] Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sahai, and Brent Waters.}

Candidate indistinguishability obfuscation and functional encryption for all circuits. SIAM J.

In document Adaptively Single-Key Secure Constrained PRFs for NC1 (Page 30-39)