Verifiable Random Functions from Weaker Assumptions

Verifiable Random Functions from

Weaker Assumptions

Tibor Jager

Horst G¨ortz Institute for IT Security Ruhr-University Bochum [email protected]

Abstract. The construction of a verifiable random function (VRF) with large in-put space and full adaptive security from a static, non-interactive complexity as-sumption, like decisional Diffie-Hellman, has proven to be a challenging task. To date it is not even clear that such a VRF exists. Most known constructions either allow only a small input space of polynomially-bounded size, or do not achieve full adaptive security under a static, non-interactive complexity assumption. The only known constructions without these restrictions are based on non-static, so-called “q-type” assumptions, which are parametrized by an integerq. Since q-type assumptions get stronger with largerq, it is desirable to haveqas small as possible. In current constructions,qis either a polynomial (e.g., Hohenberger and Waters, Eurocrypt 2010) or at least linear (e.g., Bonehet al., CCS 2010) in the security parameter.

We show that it is possible to construct relatively simple and efficient verifiable random functions with full adaptive security and large input space from non-interactiveq-type assumptions, whereqis onlylogarithmicin the security pa-rameter. Interestingly, our VRF is essentially identical to the verifiable unpre-dictablefunction (VUF) by Lysyanskaya (Crypto 2002), but very different from Lysyanskaya’s VRF from the same paper. Thus, our result can also be viewed as a new, direct VRF-security proof for Lysyanskaya’s VUF. As a technical tool, we introduce and constructbalancedadmissible hash functions.

1

Introduction

Verifiable random functions. Verifiable random functions (VRFs) can be seen as the public-key equivalent of pseudorandom functions. Each functionVskis associated with a secret keysk and a corresponding public verification keyvk. Given sk, an element X from the domain ofVsk, andY =Vsk(X), it is possible to create anon-interactive, publicly verifiableproof πthat Y was computed correctly. For security,unique prov-abilityis required. This means that for eachX only one unique valueY such that the statement “Y = Vsk(X)” can be proven may exist. Note that unique provability is a very strong requirement: not even the party that createssk(possibly maliciously) may

?_{cIACR 2015. This article is the final version of a TCC 2015 paper, submitted by the author}

be able to create fake proofs. These additional features should not affect the pseudo-randomness of the function on other inputs. Verifiable random functions are strongly related to verifiable unpredictablefunctions (VUFs), where the weaker notion of un-predictabilityinstead of pseudorandomness is required.

Their strong properties make VRFs useful for applications like resettable zero-knowledge proofs [30], lottery systems [31], transaction escrow schemes [26], updat-able zero-knowledge databases [27], or e-cash [3,4]. VRFs can also be seen as verifiably unique digital signatures (calledinvariant signaturesin [23]), their uniqueness makes themstrongly unforgeable[10,35].

The difficulty of constructing VRFs. In particular theunique provabilityrequirement makes it very difficult to construct verifiable random functions. For instance, the natural attempt of combining a pseudorandom function with a non-interactive zero-knowledge proof system fails, since zero-knowledge proofs are inherently simulatable, which con-tradicts uniqueness. More generally, any reduction which attempts to prove pseudoran-domness of a candidate construction faces the following problem.

– On the one hand, the reductionmustbe able to compute the unique function value Y := Vsk(X)for preimagesX selected by the attacker, along with a proof of correctnessπ. Due to the unique provability, there exists only one unique valueY such that the statement “Y =Vsk(X)” can be proven, thus the reduction is not able to “lie” by outputting false valuesY˜.

Note that this stands in contrast to typical reductions for pseudorandom functions, like the Naor-Reingold construction [33] for instance, where due to the absence of proofs the reduction is be able to output incorrect values.

– On the other hand, the reductionmust notbe able to computeY∗ =Vsk(X∗)for a particularX∗, as it must be able to use an attacker that distinguishesY∗ from random to break a complexity assumption.

Most previous works [29,28,16,17,1] constructed VRFs with only small input spaces of polynomially-bounded size.1 _{The only two exceptions are due to Hohenberger and} Waters [25] and Bonehet al.[9], who constructed verifiable random functions with full adaptive security that allow an input space of exponential size.

VRFs with large input spaces from non-interactive assumptions. Hohenberger and Wa-ters [25] provided the first fully-secure VRF with exponential-size input space whose security is based on a non-interactive complexity assumption. The security proof relies on aq-type assumption, where an algorithm receives as input a list of group elements

(g, h, gx, . . . , gxq−1, gxq+1, . . . , gx2q, T)∈G2q+1×GT

wheree:G×G→GT is a bilinear map. The assumption is that no efficient algorithm

is able to distinguish T = e(g, h)xq _{from a random group element with probability}

significantly better than1/2. The proof given in [25] requires thatq=Θ(Q·k), where 1

kis the security parameter andQis the number of function evaluationsVsk(X)queried by the attacker in the security experiment. Note that in particularQcan be very large, as it is only bounded by a polynomial in the security parameter.

The construction of Bonehet al.[9] is based on the assumption where the algorithm receives as input a list of group elements

(g, h, gx, . . . , gxq, T)∈Gq+2×GT

and the algorithm has to distinguish T = e(g, h)1/x _{from random. The proof in [9]}

requiresq=Θ(k).Is it possible to construct VRFs with large input and full adaptive security from weakerq-type assumptions?

Our contribution. We construct verifiable random functions with exponential-size input space, full adaptive security, and based on aq-type assumption withvery smallq. More precisely,q = O(logk)depends onlylogarithmicallyon the security parameter. The VRF construction essentially corresponds to the verifiable unpredictable function of Lysyanskaya [28], which inspired many very similar VRF constructions with either weaker security or based on stronger assumptions [25,1,16].

As a technical tool, we introduce the notion ofbalancedadmissible hash functions (balanced AHFs), which are standard admissible hash functions [8] with an extra prop-erty (cf. the explanations below and in Section 4), and may be useful for applications beyond VRFs. We show how to construct balanced AHFs from codes with suitable minimal distance.

VRF construction. LetG,GT be groups with bilinear mape: G×G→GT, and let

C :{0,1}k _{→ {0,1}}n _{be a hash function. We construct a VRF with domain{0,1}}k

and rangeGT. The verification key of our VRF consists ofCalong with2n+ 2random

elements of_G

vk= g, h,(gi,j)(i,j)∈[n]×{0,1}

The secret key consists of the discrete logarithmsαi,jsuch thatgαi,j =gi,jfor(i, j)∈

[n]× {0,1}.

The function is evaluated on inputX ∈ {0,1}k_{by first computing}

(C1, . . . , Cn) :=C(X) and αX:= n

Y

i=1 αi,Ci

and finally

Vsk(X) :=e(g, h)αX

A proof thatVsk(X) =e(g, h)αX consists of group elements(π1, . . . , πn)where

πi:=π α_i,Ci i−1

Similarity to Lysyanskaya’s VUF. We note that our VRF construction is nearly identical to a VUF (resp. unique signature) construction of Lysyanskaya [28], but very different from the VRF construction of [28]. To explain this in more detail, recall that Lysyan-skaya [28] followed a much more complex approach:

1. Construct a VUF based on a “computational” complexity assumption (in contrast to a “decisional” complexity assumption)

2. Turn this VUF into a VRF with single-bit output, by using a Goldreich-Levin hard-core predicate [22]. This step is not as simple as it may appear, because Micali et al. [29] show in their initial VRF paper that this only yields a VRF withpolynomially-boundedinput space (due to the fact that the randomness of the Goldreich-Levin hard-core predicate must be public to allow verifiability, which in turn leads to the problems discussed in [34]).

3. Turn this single-bit-VRF into a VRF with many-bit output (still with poly-bounded input space), by applying a generic construction from [29]. Note that this generic construction requires many evaluations of the underlying single-bit VRF.

4. In order to extend the VRF to a larger input space, apply another generic tree-based construction of [29]. Note that again this requires many evaluations of the underlying VRF.

In contrast, our direct VRF security proof of (essentially) the VUF-construction of Lysyanskaya yields directly a – in comparison much more simple and efficient – VRF with exponential-sized input space, adaptive security, and many-bit output. We rely on the new notion ofbalancedadmissible hash functions in our security analysis.

Our security analysis and the need for balanced AHFs. We prove security under the qDDH-assumption, which states that given

(g, h, gx, . . . , gxq, T)

it is hard to distinguishT =e(g, h)xq+1_{from random.}

AqDDH-challenge is embedded into the view of the attacker by setting gi,j :=gx+αi,j

whereαi,j

$

←Z|G|is a random blinding term, butonly forO(logk)carefully selected

indices(i, j). This careful embedding essentiallypartitionsthe domain{0,1}k _{of the}

VRF into two setsX0,X1, such that – For all valuesX ∈ X1we have

Vsk(X) =e(gQiq=0γixi_{, h) and π}

j =g

Qq

i=0γj,ixi _{∀1≤j ≤n (1)}

where theγiandγj,iare integers inZ|G|which are known to the reduction. Note

that the polynomials in the exponent of Equations (1) have degree at mostq, thus Vsk(X)andπ1, . . . , πn can be computed, given the values(g, gx, . . . , gx

q

– For all valuesX∗∈ X0the reduction is able to compute integersγisuch that

Y∗=e(gQqi=0γixi_{, h)·T}γq+1

such that ifT =e(g, h)xq+1 then it holds thatY∗ =Vsk(X∗). Note that ifT is random, then so isY∗.

Let{X(1)_{, . . . , X}(Q)_{}denote the set of inputs on which the VRF-attacker queries the} evaluation of the VRF with corresponding proof, and letX∗_{denote the element such} that the attacker attempts to distinguishVsk(X∗)from random. The reduction will suc-ceed, if it holds that{X(1)_{, . . . , X}(Q)_{} ⊆ X1andX}∗_{∈ X0.}

InstantiatingCwith an admissible hash function ensures that with non-negligible probability it simultaneously holds that{X(1)_{, . . . , X}(Q)_{} ⊆ X1andX}∗ _{∈ X0.} How-ever, unfortunately this is not yet sufficient to make the analysis of the success proba-bility of our reduction go through, due to the incompatiproba-bility of partitioning proofs with “decisional” complexity assumptions, likeqDDH. Intuitively, the problem stems from the fact that two different sequences of queries made by the attacker may cause the simulator to abort with different probabilities. This issue was explained in great detail in [37,5,14].

Therefore we introduce the stronger notion ofbalancedAHFs. Essentially, a bal-anced AHF ensures that the upper boundγmaxand the lower boundγminon the proba-bility in

γmax≥Pr[{X(1)_{, . . . , X}(Q)_{} ⊆ X1 ∧ X}∗_{∈ X0]≥γmin}

are reasonably close. This is a typical requirement for partitioning proofs based on deci-sional complexity assumptions, it occurs both in reductions with and without the “artifi-cial abort” [37,5]. This suggests that the notion of balanced AHFs may find applications beyond the construction of VRFs.

We stress that we achieve a reduction from aq-type assumption withq=O(logk)

only if we instantiate the VRF construction with aspecificAHF, essentially the code-based AHF of [19,28]. The reason is that this is the only construction we are aware of which allows us to embed the givenqDDH-challenge into at mostO(logk)carefully selected public-key elementsgi,jin the way described above. We still have to prove that

their AHF is also abalancedAHF.

Abdalla et al. gave generic constructions of VRFs from so-called VRF-suitable identity-based KEMs[1,2]. While the conference version of this paper [1] considered only selective security, the full version [2] contains proofs that the construction from [1] achieves full security, under either under the complexity assumption from [25] with polynomially-boundedq, or, alternatively, under aq-type assumption withq = O(k)

when combined with an admissible hash function.

Brakerskiet al.[11] introduced the relaxed notion ofweakVRFs, along with sim-ple and efficient constructions, and proofs that neither VRFs, nor weak VRFs can be constructed (in a black-box way) from one-way permutations. Fiore and Schr¨oder [18] proved that verifiable random functions are not even implied (in a black-box sense) by trapdoor permutations. Several works introduced related primitives, like simulatable VRFs [12] and constrained VRFs [21].

At Eurocrypt 2006, Cheon [15] described an algorithm, which computes the discrete logarithmxon input(g, gx_{, . . . , g}xq

). This algorithm is faster by a factor of√qthan generic algorithms for the standard discrete logarithm problem where only (g, gx_)is

given. This shows thatq-type assumptions are particularly problematic whenqis large. The security loss must be compensated with larger group parameters, at the cost of efficiency. We stress that Cheon’s algorithm is only much faster than generic algorithms for the standard discrete logarithm problem ifqis very large (say,q= 240_{). However,} Cheon’s algorithm gives no apparent reason to criticiseq-type assumptions for smallq, likeq≤40.

On avoidingq-Type assumptions altogether. Chase and Meiklejohn [13] present a con-version that allows to replaceq-type assumption in certain applications with a static

(that is, notq-type) subgroup hiding assumption, by leveraging thedual-systems tech-niques of Waters [36]. It is natural to ask whether these techtech-niques can be used to construct verifiable random functions from static assumptions. Unfortunately, the con-version of [13] requires to addrandomization. Thus, when applying it to known VRF constructions like [17], then this contradicts the unique provability requirement. Ac-cordingly, Chase and Meiklejohn were able to prove that the VRF of Dodis and Yam-polski [17] forms a secure pseudorandom function under a static assumption, but not that it is a secure verifiable random function.

We leave the construction of a verifiable random function with large input space and full adaptive security from a static assumption, like Decisional Diffie-Hellman, as an open problem.

2

Preliminaries

For a vectorK ∈ {0,1}n _{we writeK}

i to denote thei-th component ofK. IfAis a

2.1 Verifiable Unpredictable/Random Functions

Let(Gen,Eval,Vfy)be the following algorithms.

– Algorithm(vk,sk)←$ Gen(1k_{)takes as input a security parameterkand outputs a}

key pair(vk,sk). We say thatsk is thesecret keyandvk is theverification key. – Algorithm(Y, π) ←$ Eval(sk, X)takes as input secret keysk andX ∈ {0,1}k_,

and outputs a function valueY ∈ Y, where Y is a finite set, and a proofπ. We writeVsk(X)to denote the function valueY computed byEvalon input(sk, X). – Algorithm Vfy(vk, X, Y, π) ∈ {0,1} takes as input verification key vk, X ∈

{0,1}k_{,Y ∈ Y, and proofπ, and outputs a bit.}

Initialize:

b← {0$ ,1}

(vk,sk)←$ Gen(1k)

Returnvk

Evaluate(X) : (Y, π)←$ Eval(sk, X)

Return(Y, π)

Challenge(X∗) : (Y0, π)

$

←Eval(sk, X∗)

Y1

$ ← Y

ReturnYb

FinalizeVUF_(X∗

, Y∗) : (Y, π)←$ Eval(sk, X∗)

IfY∗=Y then Return1

Else Return0

FinalizeVRF_(b0

) :

Ifb0=bthen Return1

Else Return0

Fig. 1.Procedures defining the security experiments for VUFs and VRFs.

Definition 1. We say that(Gen,Eval,Vfy)is averifiable random function(VRF) if all the following properties hold.

Correctness. Algorithms Gen,Eval,Vfyare polynomial-time algorithms, and for all (vk,sk) ←$ Gen(1k_{)and all X ∈ {0,1}}k _{holds: if(Y, π)} $

← Eval(sk, X), then

Vfy(vk, X, Y, π) = 1.

Unique provability. For all strings(vk,sk)(not necessarily generated byGen) and allX ∈ {0,1}k_{, there does notexistany tuple(Y0, π0, Y1, π1)such thatY06=Y1}

andVfy(vk, X, Y0, π0) =Vfy(vk, X, Y1, π1) = 1.

Pseudorandomness. Consider an attackerAwith access (via oracle queries) to the procedures defined in Figure 1. LetGA_VRF denote the game whereAfirst queries Initialize, thenChallenge, thenFinalizeVRF, where the output ofFinalizeVRF is the output of the game. Moreover,Amay arbitrarily issueEvaluate-queries, but only after queryingInitializeand before queryingFinalizeVRF. We say thatAis

legitimate, ifAnever queriesEvaluate(X)andChallenge(X∗)withX =X∗

We define the advantage ofAin breaking the pseudorandomness as

AdvVRF_A (k) := 2·Pr[GA_VUF= 1]−1

Definition 2. We say that(Gen,Eval,Vfy)is averifiable unpredictable function(VUF) if thecorrectnessandunique provabilityproperties from Definition 1 hold, and we have:

Unpredictability. Consider an attackerAwith access (via oracle queries) to the pro-cedures defined in Figure 1. Let GA_VUF denote the game where A first queries Initialize, then an arbitrary number of Evaluate-queries, thenFinalizeVUF, and the output ofFinalizeVUF is the output of the game. We say that Ais le-gitimate, ifAnever queriesEvaluate(X)andChallenge(X∗)withX =X∗

throughout the game.

We define the advantage ofAin breaking the unpredictability as

AdvVUF_A (k) := Pr[GA_VUF= 1]

2.2 q-Diffie-Hellman Assumptions

In the sequel let_G,_GT begroups of prime order, with bilinear mape:G×G→GT.

InitializeqCDH:

g, h←$ G;x←$ Z|G|

Return(g, gx, . . . , gxq, h)

FinalizeqCDH(T) :

IfT =e(gxq+1, h)then Return1

Else Return0

InitializeqDDH :

g, h←$ G;x←$ Z|G|;b $ ← {0,1}

T0:=e(g, h)x

q+1

, T1

$ ←GT

Return(g, gx, . . . , gxq, h, Tb)

FinalizeqDDH(b0) :

Ifb0=bthen Return1

Else Return0

Fig. 2.Procedures defining theq-Diffie Hellman assumptions.

Definition 3. LetGq_BDDHbe the game withBand the procedures defined in Figure 2, whereBcallsInitializeqDDH, thenFinalizeqDDH, and the output ofFinalizeqDDH is the output of the game. We denote with

Advq_BDDH(k) := 2·PrhGq_BDDH= 1i−1

theadvantageofAin breaking theqDDH-assumption in(_G,_GT).

Definition 4. LetGq_BCDHbe the game withBand the procedures defined in Figure 2, whereBcallsInitializeqCDH, thenFinalizeqCDH, and the output ofFinalizeqCDHis the output of the game. We denote with

Advq_BCDH(k) := PrhGq_BCDH= 1i

3

Main Construction

LetG,GT be groups of prime order with bilinear mape:G×G→GT, such that each

group element has a unique representation, and that group membership can be tested efficiently.

LetVF = (Gen,Eval,Vfy)be the following construction.

Generation. AlgorithmGen(1k_{)chooses an admissible hash functionC :{0,1}}k _→

{0,1}n _{and two random generatorsg, h} $

← G. Then it computes gi,j := gαi,j,

whereαi,j

$

←Z|G|and for(i, j)∈[n]× {0,1}. The keys are defined as

vk := C, g, h,(gi,j)(i,j)∈[n]×{0,1}

and sk := (αi,j)(i,j)∈[n]×{0,1} Evaluation. On inputX ∈ {0,1}k_{, algorithmEval(sk, X)first computesC(X). For}

i ∈ [n] let C(X)i denote the i-th bit of C(X) ∈ {0,1}n. Then the algorithm

determines the function value by computingaX :=Q n

i=1αi,C(X)iand setting

Y :=e(g, h)aX_.

The corresponding proofπ= (π1, . . . , πn)is computed recursively by first

defin-ingπ0:=gand then setting πi:=π

αi,C(X)i

i−1 for all i∈[n] The algorithm outputs(Y, π).

Verification. AlgorithmVfy(vk, X, Y, π)checks the consistency ofπusing the bilin-ear map. It first tests ifX andπcontain only valid group elements. Then it com-putesC(X) = (C(X)1, . . . , C(X)n)∈ {0,1}n, definesπ0:=g, and outputs1if and only if all the following equations are satisfied.

e(πi, g) =e(πi−1, gi,C(X)i) for all i∈[n]

Y =e(πn, h)

It is straightforward to verify that the above construction iscorrectin the sense of Definitions 1 and 2. Furthermore, the unique provability follows from the group structure and the fact that even an unbounded attacker is not able to devise a proofπfor a different group element. It remains to provepseudorandomness.

4

Balanced Admissible Hash Functions

Standard admissible hash functions (AHFs) were introduced by Boneh and Boyen [8], a simplified definition was given by Freire et al. [19]. For our application, we will need AHFs with stronger properties, therefore we have to extend the notion of AHFs tobalancedAHFs. The essential difference between balanced AHFs and the standard definition (e.g. [20, Definition 3]) is that previous works required only a reasonable

Definition 5. Let k ∈ _Nand n = n(k) be a polynomial, and let C : {0,1}k _→

{0,1}n(k)_{be an efficiently computable function. LetF}

K:{0,1}k → {0,1}be defined

as

FK(X) :=

(

0, if∀i:C(X)i=Ki ∨ Ki=⊥

1, else. (2)

We say thatC is a balanced admissible hash function(balanced AHF), if there exists an efficient algorithmAdmSmp(1k_{, Q, δ), which takes as input(Q, δ)whereQ=}

Q(k) ∈ Nis polynomially bounded and δ = δ(k) ∈ (0,1] is non-negligible, and

outputsK ∈ {0,1,⊥}n _{such that for all X}(1)_{, . . . , X}(Q)_{, X}∗ _{∈ {0,1}}k _withX∗ _6∈ {X(1)_{, . . . , X}(Q)_{}holds that}

γmax(k)≥Pr[FK(X(1)) =· · ·=FK(X(Q)) = 1 ∧ FK(X∗) = 0]≥γmin(k) (3)

whereγmax(k)andγmin(k)satisfy that the functionτ(k)defined as

τ(k) := 2·γmin(k)·δ(k)−γmax(k) +γmin(k) (4)

is non-negligible. The probability is taken over the choice ofK.

Remark 1. The definition ofτessentially condenses two requirements, namely (1) that γmin is non-negligible, and (2) that the differenceγmax−γmin is “reasonably” small, where “reasonably” depends onγmin andδ. The definition of functionτ may appear very specific, however, such a term appears typically in security analyses that follow the approach of Bellare and Ristenpart [5]. Therefore we think this is exactly what is needed for typical applications of balanced AHFs. See Lemma 1, for instance.

Instantiating balanced admissible hash functions. Efficientstandardadmissible hash functions are known to exist [28,8,19]. For instance, there is a simple construction from codes with suitable minimal distance [28,19]. In this section we will show that such codes also yield abalancedAHF. In contrast to [28,19], we have to show both upper and lower bounds, and choose certain parameters more carefully to ensure that (4) is a non-negligible function.

Theorem 1. Let (Ck)k∈N withCk : {0,1}k → {0,1}n be a family of codes with

minimal distancencfor a constantc. Then(Ck)k∈Nis a family of balanced admissible hash functions. Moreover,AdmSmp(1k_{, Q, δ)outputs K ∈ {0,1,⊥}}n _{with exactly}

d=jln(2_−ln((1−Q+Q/δ_c)))kcomponents not equal to⊥.

Proof. Consider the algorithmAdmSmpwhich sets d:=

_ln(2Q+Q/δ)

−ln((1−c))

and choosesKuniformly random from({0,1} ∪ {⊥})nwith exactlydcomponents not equal to⊥.2

FixX(1), . . . , X(Q), X∗ ∈ {0,1}k _withX∗ _{6∈ {X}(1)_{, . . . , X}(Q)_{}for the analysis} of this algorithm.

2

Upper bound. Note that we havePr[FK(X∗) = 0] = 2−d, and thus

γmax:= 2−d= Pr[FK(X∗) = 0]

≥Pr[FK(X∗) = 0]·Pr[FK(X(1)) =· · ·=FK(X(Q)) = 1|FK(X∗)]

= Pr[FK(X∗) = 0∧FK(X(1)) =· · ·=FK(X(Q)) = 1].

Lower bound. We first observe that for any two stringsX, X∗∈ {0,1}k_{withX 6=X}∗ holds that

Pr[FK(X) = 0|FK(X∗) = 0]≤(1−c)d.

To see this, consider an experiment where two code wordsC(X)andC(X∗)are given, with X, X∗ ∈ {0,1}k _{andX 6= X}∗_{, and we sample d pairwise distinct positions} i1, . . . , id

$

←[n]. SinceC(X)andC(X∗)differ in at leastncpositions, the probability thatC(X)i1 =C(X

∗₎

i1is at most(n−nc)/n= 1−c. The probability thatC(X)ij =

C(X∗)ij for allj∈[d]is thus at most(1−c)

d_.

A union bound yields that

Pr[FK(X(1)) = 0∨ · · · ∨FK(X(Q)) = 0|FK(X∗) = 0]≤Q(1−c)d

which implies

Pr[FK(X(1)) = 1∧ · · · ∧FK(X(Q)) = 1|FK(X∗) = 0]≥1−Q(1−c)d

This yields the lower bound γmin:=(1−Q(1−c)d)·2−d

≤Pr[FK(X(1)) = 1∧ · · · ∧FK(X(Q)) = 1|FK(X∗) = 0]·Pr[FK(X∗) = 0]

= Pr[FK(X(1)) =· · ·=FK(X(Q)) = 1∧FK(X∗) = 0]

Balancedness of bounds. Finally, it remains to show that for polynomialQand non-negligibleδthe functionτfrom (4) is non-negligible. We first compute (omitting the parameterkfrom functions to simplify notation):

τ:=2·δ·γmin−γmax+γmin

=2·δ·(1−Q(1−c)d)·2−d−2−d+ (1−Q(1−c)d)·2−d

=2−d· 2δ−(2δ+ 1)·Q(1−c)d

Now we will show that ifdis chosen as above, then both2−d_{and2δ−(2δ+1)·Q(1−c)}d

are non-negligible. Thus, their product is non-negligible as well. We have

2−d= 2−b

ln(2Q+Q/δ) −ln((1−c))c ≥₂

ln(2Q+Q/δ) ln((1−c))

and

2δ−(2δ+ 1)·Q(1−c)d= 2δ−(2δ+ 1)·Q(1−c)bln(2−ln((1Q+Q/δ−c)))c

≥2δ−(2δ+ 1)·Q(2Q+Q/δ)−1

= 2δ−(2δQ+Q)(2Q+Q/δ)−1

which both are non-negligible sincec is a constant,Q ∈ _N, and δ ∈ (0,1]is non-negligible.

5

VF

is a Verifiable Random Function

Theorem 2. If VF is instantiated with the balanced admissible hash function from Theorem 1, then for any legitimate attacker Athat breaks thepseudorandomnessof

VF in timetAwith advantageAdvVRFA by making at mostQEval-queries, there exists

an algorithmBthat breaks theq-DDH assumption withq=jln(2_−ln((1−Q+Q/δ_c)))k−1in time

tB≈tAand with advantage

Advq_BDDH(k)≥τ(k)

where2·δis a non-negligible lower bound onAdvVRF_A (k), andτ(k)is a non-negligible function.

Initialize:

bad:= 0

K←$ AdmSmp(1k, Q, δ)

For(i, j)∈[n]× {0,1}do αi,j

$ ←Z|G|

IfKi=jthengi,j:=gx+αi,j

Elsegi,j:=gαi,j

vk:= C, g, h,(gi,j)(i,j)

Returnvk

Evaluate(X) : (Y, π) :=⊥

IfFK(X)6= 1then bad:= 1;

Else

Y :=e(gPK,n,X(x)_{, h)}

Forj∈[n]do πj:=gPK,j,X(x)

π:= (π1, . . . , πn) Return(Y, π)

Challenge(X∗) :

Y∗:=⊥

IfFK(X) = 1then bad:= 1

Else

Computeγ0, . . . , γq+1s.t. PK,n,X∗(x) =Pq+1

i=0γix

i

Y∗:=Tγq+1_·Qq i=1e((g

xi )γi_{, h)}

ReturnY∗

FinalizeVRF(b0) :

Ifbad= 1thenc0← {0$ ,1}

Elsec0:=b0 Returnc0

Fig. 3.Procedures for the simulation of the VRF pseudorandomness experiment byB.

Proof. AlgorithmBreceives as input(g, gx_{, . . . , g}xq_{, h, T)and runs algorithmAas a}

Initialization. The values(g, h, gx_{)inInitializeare from theqDDH-challenge. Recall}

that2·δis a non-negligible lower bound onAdvVRF_A (k), andQis the upper bound on the number ofEvaluate-queries.

Note thatBcomputes thegi,j-values exactly as in the originalGen-algorithm, by

choosingαi,j

$

←Z|G|and settinggi,j :=gαi,j, but with the exception that

gi,Ki :=g

x+α_i,Ki.

for all(i, j) ∈ [n]× {0,1} withKi = j. Due to our choice of an admissible hash

function according to Theorem 1, there areexactlyq+ 1componentsKiofKwhich

are not equal to⊥.

Finally, note that allgi,Ki-values are distributed correctly, and that this set-up

de-fines the secret key implicitly as sk := (log_ggi,j)(i,j)∈[n]×{0,1}. Thus, the function Vsk(X)is well-defined for allX (butBwill not be able to evaluateVsk on all inputs X, as explained below).

Helping definitions. In order to explain howBresponds toEvaluateandChallenge

queries made byA, let us define two setsIK,w,X andJK,w,X, which depend on an

AHF keyK, a VRF inputX∈ {0,1}k_{, and integerw∈}

Nwith1≤w≤n, as IK,w,X:={i∈[w] :Ki=C(X)i} and JK,w,X:= [w]\IK,w,X

Note thatIK,w,X denotes the set of all indicesi ∈[w]⊆[n]such thatKi =C(X)i,

andJK,w,X denotes the set of all indices in [w]which are not contained inIK,w,X.

Based on these sets, we define polynomialsPK,w,X(x)

PK,w,X(x) =

Y

i∈IK,w,X

(x+αi,Ki)· Y

i∈JK,w,X

αi,Ki∈Z|G|[x]

Now we can make the following observations:

1. For allX withFK(X) = 1, the setIK,w,Xcontains at mostqelements, and thus

the polynomialPK,w,X(x)has degree at mostq.

This implies that ifFK(X) = 1, thenBcan efficiently computegPK,w,X(x)for all

w∈[n]. To this end,Bfirst computes the coefficientsγ0, . . . , γqof the polynomial

PK,w,X(x) =P q

i=0γixiwith degree at mostq, and then

gPK,w,X(x)_:=gPqi=0γixi ₌

q

Y

i=0

(gxi)γi

using the terms(g, gx, . . . , gxq)from theq-DDH challenge.

2. IfFK(X) = 0, thenPK,n,X(x)has degreeq+ 1. We do not know howBcan

efficiently computegPK,n,X(x)_{in this case.}

Responding to Evaluate-queries. IfFK(X) = 1, then procedureEvaluate

com-putes the group elementsgPK,w,X(x)_{as explained above. Note that in this case the}

re-sponse to theEvaluate(X)-query ofAis correct. However, ifFK(X) = 0, then the

Responding to the Challenge-query. IfFK(X∗) = 0, then procedureChallenge

computes

Y∗:=Tγq+1_·

q

Y

i=1

e((gxi)γi_{, h) =T}γq+1_·e(gPqi=1γixi_{, h)}

whereγ0, . . . , γq+1are the coefficients of the degree-(q+1)-polynomialPK,n,X∗(x) = Pq+1

i=0γixi. Note that ifT =e(g, h)x

q+1

, then it holds thatY∗=Vsk(X∗). Moreover, ifT is uniformly random, then so isY∗.

Analysis of B’s running time. The running timetB of B consists essentially of the running timetAofAplus a minor number of additional operations, thus we havetB≈ tA.

Analysis of B’s success probability. The simulation of the challenger by B is per-fect, unless bad := 1 is set. This happens only if A queries Evaluate(X) with FK(X) 6= 1, or Challenge(X∗) with FK(X∗) = 1. Since the AHF key K is

information-theoretically hidden invk, the termsγmaxandγminfrom Equation (3) are upper and lower bounds on the probability thatbad:= 1 is never set throughout the experiment.

Lemma 1.

Advq_BCDH(k)≥2·γmin·δ−γmax+γmin

The proof of Lemma 1 follows the approach of Bellare and Ristenpart [5] very closely, therefore it is deferred to Appendix A. This approach allows us to provide an analysis without the “artificial abort” of Waters [37]. The latter has also been used to analyze the VRF of Hohenberger and Waters [24], but leads to a less tight reduction.

Remark 2. Note that the lower bound onAdvq_BCDH(k)in Lemma 1 is only useful, ifδ andγminare non-negligible andγmax andγminare sufficiently close. This is where we need the balancedness of admissible hash functionC.

Observe that since we instantiateCwith a balanced AHF andδis a non-negligible lower bound onAdvVRF_A (k)/2, the function

τ(k) := 2·γmin·δ−γmax+γmin

is non-negligible. This concludes the proof of Theorem 2.

6

VF

is a Verifiable Unpredictable Function

In this section we prove that construction VF also is a secure VUF. Note that this construction is essentially identical to the VUF of Lysyanskaya [28], only the proof is based on a different complexity assumption.

6.1 Admissible Hash Functions

In order to prove thatVF is a VUF, it will suffice to instantiateVF with a standard (that is, not necessarily balanced) admissible hash functionC. We recall the standard definition of admissible hash functions (AHFs) from Freire et al. [19].

Definition 6 ([19]).Letk∈_Nandn=n(k)be a polynomial, and letC:{0,1}k _→

{0,1}n(k)_{be an efficiently computable function. LetF}

K:{0,1}k → {0,1}be defined

as in Equation (2). We say thatCis anadmissible hash function(AHF), if there exists an efficient algorithmAdmSmp(1k_{, Q), which takes as input polynomialQ=Q(k)∈}

N,

and computesK ∈({0,1} ∪ {⊥})n such that for allX(1), . . . , X(Q), X∗ ∈ {0,1}k

withX∗6∈ {X(1)_{, . . . , X}(Q)_{}holds that}

Pr[FK(X(1)) =· · ·=FK(X(Q)) = 1 ∧ FK(X∗) = 0]≥γmin(k) (5)

such thatγmin(k)non-negligible. The probability is taken over the choice ofK.

Instantiating Admissible Hash Functions. A simple and efficient construction of AHFs can be found in [19] (based on [28]), we capture their existence in the following lemma. Lemma 2 ([28,19]).LetSbe a set and(Ck)k∈NwithCk :{0,1}k →Snbe a family

of codes, with minimal distancenc for a constantc and such that|S|is bounded by a polynomial ink. Then(Ck)k∈Nis an admissible hash function, whereAdmSmp(Q) outputsK∈S∪ {⊥}n_{withexactlyd:=b(ln 2Q)/cccomponents not equal to⊥and}

γmin≥(1−Q(1−c)d)·2−d.

Remark 3. Note that even though the last two statements of the above theorem were not made explicit in previous works, they are implicitly contained in the proof of [20, Theorem 2].

6.2 Security Analysis

Theorem 3. If VF is instantiated with the admissible hash function from Lemma 2, then for any legitimate attackerAthat breaks theunpredictabilityofVF in timetA

with advantageAdvVUF_A by making at mostQEval-queries, there exists an algorithmB

that breaks theqCDHassumption withq=b(ln 2Q)/cc −1in timetB≈tAand with

advantage

Advq_BCDH(k)≥AdvVUF_A (k)·(1−Q(1−c)d)·2−d

whered:=b(ln 2Q)/cc=q+ 1.

The proof of this theorem is nearly identical to the proof of Theorem 2, but the analysis of the success probability ofBis much simpler, because we consider unpre-dictabilityinstead ofpseudorandomness. Therefore we only sketch the proof.

Proof. AlgorithmB receives as input(g, gx_{, . . . , g}xq_{, h, T)and runs algorithmAas}

Initialize(X) :

bad:= 0

K←$ AdmSmp(1k_{, Q, δ)}

For(i, j)∈[n]× {0,1}do αi,j

$ ←Z|G|

IfKi=jthenhi,j:=gx+αi,j

Elsehi,j:=gαi,j

vk:= C, g, h,(hi,j)(i,j)

Returnvk

Evaluate(X) : (Y, π) :=⊥

IfFK(X)6= 1then bad:= 1;

Else

Y :=e(gPK,n,X(x)_{, h)}

Forj∈[n]do πj:=gPK,j,X(x)

π:= (π1, . . . , πn) Return(Y, π)

FinalizeVUF_(X∗

, Y∗) :

IfFK(X∗) = 0then

bad:= 1

Ifbad= 1then Return⊥

Computeγ0, . . . , γq+1 s.t.PK,n,X∗_{(x) =}Pq+1

i=0γix

i

T :=Y∗/e(gPqi=1γixi_{, h)}1/γq+1

ReturnT

Fig. 4.Procedures for the simulation of the VUF unpredictability experiment byB.

The running timetBof Bconsists essentially of the running timetAof Aplus a minor number of additional operations, thus we havetB ≈tA. Note thatBsimulates the original VUF security experiment perfectly, ifbad= 0throughout the game. Note also that

Y∗=e(g, h)Pqi=0+1γixi _{=⇒ T =e(g, h)}xq+1

The choice ofKis information-theoretically hidden invk. Thus, Advq_BCDH(k)≥AdvVUF_A (k)·Pr[bad= 0]

≥AdvVUF_A (k)·γmin(k) =AdvVUF_A (k)·(1−Q(1−c)d)·2−d

Acknowledgements. We thank the anonymous reviewers of TCC 2015 for their helpful comments.

References

1. Michel Abdalla, Dario Catalano, and Dario Fiore. Verifiable random functions from identity-based key encapsulation. In Antoine Joux, editor, EUROCRYPT 2009, volume 5479 of LNCS, pages 554–571, Cologne, Germany, April 26–30, 2009. Springer, Berlin, Germany. 2. Michel Abdalla, Dario Catalano, and Dario Fiore. Verifiable random functions: Relations to

3. Man Ho Au, Willy Susilo, and Yi Mu. Practical compact e-cash. In Josef Pieprzyk, Hos-sein Ghodosi, and Ed Dawson, editors,ACISP 07, volume 4586 ofLNCS, pages 431–445, Townsville, Australia, July 2–4, 2007. Springer, Berlin, Germany.

4. Mira Belenkiy, Melissa Chase, Markulf Kohlweiss, and Anna Lysyanskaya. Compact e-cash and simulatable VRFs revisited. In Hovav Shacham and Brent Waters, editors,PAIRING 2009, volume 5671 ofLNCS, pages 114–131, Palo Alto, CA, USA, August 12–14, 2009. Springer, Berlin, Germany.

5. Mihir Bellare and Thomas Ristenpart. Simulation without the artificial abort: Simplified proof and improved concrete security for Waters’ IBE scheme. In Antoine Joux, editor, EUROCRYPT 2009, volume 5479 ofLNCS, pages 407–424, Cologne, Germany, April 26– 30, 2009. Springer, Berlin, Germany.

6. Mihir Bellare and Thomas Ristenpart. Simulation without the artificial abort: Simplified proof and improved concrete security for Waters’ IBE scheme. Cryptology ePrint Archive, Report 2009/084, 2009.http://eprint.iacr.org/.

7. Mihir Bellare and Phillip Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In Serge Vaudenay, editor,EUROCRYPT 2006, volume 4004 ofLNCS, pages 409–426, St. Petersburg, Russia, May 28 – June 1, 2006. Springer, Berlin, Germany.

8. Dan Boneh and Xavier Boyen. Secure identity based encryption without random oracles. In Matthew Franklin, editor,CRYPTO 2004, volume 3152 ofLNCS, pages 443–459, Santa Barbara, CA, USA, August 15–19, 2004. Springer, Berlin, Germany.

9. Dan Boneh, Hart William Montgomery, and Ananth Raghunathan. Algebraic pseudorandom functions with improved efficiency from the augmented cascade. In Ehab Al-Shaer, Ange-los D. Keromytis, and Vitaly Shmatikov, editors,ACM CCS 10, pages 131–140, Chicago, Illinois, USA, October 4–8, 2010. ACM Press.

10. Dan Boneh, Emily Shen, and Brent Waters. Strongly unforgeable signatures based on com-putational Diffie-Hellman. In Moti Yung, Yevgeniy Dodis, Aggelos Kiayias, and Tal Malkin, editors,PKC 2006, volume 3958 ofLNCS, pages 229–240, New York, NY, USA, April 24– 26, 2006. Springer, Berlin, Germany.

11. Zvika Brakerski, Shafi Goldwasser, Guy N. Rothblum, and Vinod Vaikuntanathan. Weak verifiable random functions. In Omer Reingold, editor,TCC 2009, volume 5444 ofLNCS, pages 558–576. Springer, Berlin, Germany, March 15–17, 2009.

12. Melissa Chase and Anna Lysyanskaya. Simulatable VRFs with applications to multi-theorem NIZK. In Alfred Menezes, editor,CRYPTO 2007, volume 4622 ofLNCS, pages 303–322, Santa Barbara, CA, USA, August 19–23, 2007. Springer, Berlin, Germany.

13. Melissa Chase and Sarah Meiklejohn. D´ej`a Q: Using dual systems to revisit q-type assump-tions. In Phong Q. Nguyen and Elisabeth Oswald, editors,EUROCRYPT 2014, volume 8441 ofLNCS, pages 622–639, Copenhagen, Denmark, May 11–15, 2014. Springer, Berlin, Ger-many.

14. Sanjit Chatterjee and Palash Sarkar. HIBE with short public parameters without random oracle. In Xuejia Lai and Kefei Chen, editors,ASIACRYPT 2006, volume 4284 ofLNCS, pages 145–160, Shanghai, China, December 3–7, 2006. Springer, Berlin, Germany. 15. Jung Hee Cheon. Security analysis of the strong Diffie-Hellman problem. In Serge

Vaude-nay, editor,EUROCRYPT 2006, volume 4004 ofLNCS, pages 1–11, St. Petersburg, Russia, May 28 – June 1, 2006. Springer, Berlin, Germany.

16. Yevgeniy Dodis. Efficient construction of (distributed) verifiable random functions. In Yvo Desmedt, editor,PKC 2003, volume 2567 ofLNCS, pages 1–17, Miami, USA, January 6–8, 2003. Springer, Berlin, Germany.

18. Dario Fiore and Dominique Schr¨oder. Uniqueness is a different story: Impossibility of ver-ifiable random functions from trapdoor permutations. In Ronald Cramer, editor,TCC 2012, volume 7194 ofLNCS, pages 636–653, Taormina, Sicily, Italy, March 19–21, 2012. Springer, Berlin, Germany.

19. Eduarda S. V. Freire, Dennis Hofheinz, Kenneth G. Paterson, and Christoph Striecks. Pro-grammable hash functions in the multilinear setting. In Ran Canetti and Juan A. Garay, editors,CRYPTO 2013, Part I, volume 8042 ofLNCS, pages 513–530, Santa Barbara, CA, USA, August 18–22, 2013. Springer, Berlin, Germany.

20. Eduarda S.V. Freire, Dennis Hofheinz, Kenneth G. Paterson, and Christoph Striecks. Pro-grammable hash functions in the multilinear setting. Cryptology ePrint Archive, Report 2013/354, 2013.http://eprint.iacr.org/.

21. Georg Fuchsbauer. Constrained verifiable random functions. In Michel Abdalla and Roberto De Prisco, editors,Security and Cryptography for Networks - 9th International Con-ference, SCN 2014, Amalfi, Italy, September 3-5, 2014. Proceedings, volume 8642 ofLecture Notes in Computer Science, pages 95–114. Springer, 2014.

22. Oded Goldreich and Leonid A. Levin. A hard-core predicate for all one-way functions. In 21st ACM STOC, pages 25–32, Seattle, Washington, USA, May 15–17, 1989. ACM Press. 23. Shafi Goldwasser and Rafail Ostrovsky. Invariant signatures and non-interactive

zero-knowledge proofs are equivalent (extended abstract). In Ernest F. Brickell, editor, CRYPTO’92, volume 740 ofLNCS, pages 228–245, Santa Barbara, CA, USA, August 16–20, 1992. Springer, Berlin, Germany.

24. Susan Hohenberger and Brent Waters. Realizing hash-and-sign signatures under standard assumptions. In Antoine Joux, editor,EUROCRYPT 2009, volume 5479 ofLNCS, pages 333–350, Cologne, Germany, April 26–30, 2009. Springer, Berlin, Germany.

25. Susan Hohenberger and Brent Waters. Constructing verifiable random functions with large input spaces. In Henri Gilbert, editor,EUROCRYPT 2010, volume 6110 ofLNCS, pages 656–672, French Riviera, May 30 – June 3, 2010. Springer, Berlin, Germany.

26. Stanislaw Jarecki and Vitaly Shmatikov. Handcuffing big brother: an abuse-resilient trans-action escrow scheme. In Christian Cachin and Jan Camenisch, editors,EUROCRYPT 2004, volume 3027 ofLNCS, pages 590–608, Interlaken, Switzerland, May 2–6, 2004. Springer, Berlin, Germany.

27. Moses Liskov. Updatable zero-knowledge databases. In Bimal K. Roy, editor, ASI-ACRYPT 2005, volume 3788 ofLNCS, pages 174–198, Chennai, India, December 4–8, 2005. Springer, Berlin, Germany.

28. Anna Lysyanskaya. Unique signatures and verifiable random functions from the DH-DDH separation. In Moti Yung, editor,CRYPTO 2002, volume 2442 ofLNCS, pages 597–612, Santa Barbara, CA, USA, August 18–22, 2002. Springer, Berlin, Germany.

29. Silvio Micali, Michael O. Rabin, and Salil P. Vadhan. Verifiable random functions. In40th FOCS, pages 120–130, New York, New York, USA, October 17–19, 1999. IEEE Computer Society Press.

30. Silvio Micali and Leonid Reyzin. Soundness in the public-key model. In Joe Kilian, edi-tor,CRYPTO 2001, volume 2139 ofLNCS, pages 542–565, Santa Barbara, CA, USA, Au-gust 19–23, 2001. Springer, Berlin, Germany.

31. Silvio Micali and Ronald L. Rivest. Micropayments revisited. In Bart Preneel, editor, CT-RSA 2002, volume 2271 ofLNCS, pages 149–163, San Jose, CA, USA, February 18–22, 2002. Springer, Berlin, Germany.

33. Moni Naor and Omer Reingold. Number-theoretic constructions of efficient pseudo-random functions. In38th FOCS, pages 458–467, Miami Beach, Florida, October 19–22, 1997. IEEE Computer Society Press.

34. Moni Naor and Omer Reingold. From unpredictability to indistinguishability: A simple con-struction of pseudo-random functions from MACs (extended abstract). In Hugo Krawczyk, editor,CRYPTO’98, volume 1462 ofLNCS, pages 267–282, Santa Barbara, CA, USA, Au-gust 23–27, 1998. Springer, Berlin, Germany.

35. Ron Steinfeld, Josef Pieprzyk, and Huaxiong Wang. How to strengthen any weakly un-forgeable signature into a strongly unun-forgeable signature. In Masayuki Abe, editor, CT-RSA 2007, volume 4377 ofLNCS, pages 357–371, San Francisco, CA, USA, February 5–9, 2007. Springer, Berlin, Germany.

36. Brent Waters. Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions. In Shai Halevi, editor,CRYPTO 2009, volume 5677 ofLNCS, pages 619–636, Santa Barbara, CA, USA, August 16–20, 2009. Springer, Berlin, Germany.

37. Brent R. Waters. Efficient identity-based encryption without random oracles. In Ronald Cramer, editor,EUROCRYPT 2005, volume 3494 ofLNCS, pages 114–127, Aarhus, Den-mark, May 22–26, 2005. Springer, Berlin, Germany.

A

Proof of Lemma 1

LetGq_B(A)DDHdenote theqDDHsecurity experiment withBrunningAas a subroutine as described above. Letgooddenote the event that variablebadis never set to1. Then, sinceBoutputs a random bit ifbad:= 1is set, it holds that

Pr[Gq_B(A)DDH= 1] = Pr[Gq_B(A)DDH= 1∧good] + Pr[¬good]·Pr[Gq_B(A)DDH= 1| ¬good]

= Pr[Gq_B(A)DDH= 1∧good] + Pr[¬good]·1/2

and therefore

Advq_BDDH(k) = 2·Pr[Gq_B(A)DDH= 1]−1

= 2·Pr[Gq_B(A)DDH= 1∧good]−Pr[good] (6) Thus, it remains to derive suitable bounds onPr[Gq_B(A)DDH= 1∧good]andPr[good]. We will need the following lemma from [5,7].

Lemma 3 ([5,7]).LetGiandGjbe two games which proceed identical untilbad= 1.

Then

– Pr[Gisetsbad= 1] = Pr[Gjsetsbad= 1]

– Pr[Gi =b∧Gidoes not setbad= 1] = Pr[Gj =b∧Gjdoes not setbad= 1]

for anyb.

Procedures for GameG1: Evaluate1(X) :

(Y, π) :=⊥

IfFK(X)6= 1then bad:= 1

Else

(Y, π)←$ Eval(sk, X)

Return(Y, π)

Challenge₁(X∗) :

Y∗:=⊥

IfFK(X) = 1then

bad:= 1

Else

Ifb= 1then

(Y∗, π)←$ Eval(sk, X)

ElseY∗←$ GT

ReturnY∗

Finalize1(b0) :

Ifbad= 1thenc0← {0$ ,1}

Elsec0:=b0

Ifc0=bthen Return1

Else Return0

Initialize1(X) : bad:= 0

(vk,sk)←$ GenC(1k)

b← {0$ ,1}

K←$ AdmSmp(1k, Q, δ)

Returnvk

Procedures for GameG2(new instructions are highlighted in boxes): Evaluate2(X) :

(Y, π) :=⊥

IfFK(X)6= 1then bad:= 1

(Y, π)←$ Eval(sk, X)

Else

(Y, π)←$ Eval(sk, X)

Return(Y, π)

Challenge2(X

∗

) :

Y∗:=⊥

IfFK(X) = 1then

bad:= 1

Ifb= 1then

(Y∗, π)←$ Eval(sk, X)

ElseY∗←$ GT

Else

Ifb= 1then

(Y∗, π)←$ Eval(sk, X)

ElseY∗←$ GT

ReturnY∗

Finalize2(b0) :

Ifbad= 1then c0:=b0 Elsec0:=b0

Ifc0=bthen Return1

Else Return0

Procedures for GameG3(new instructions are highlighted in boxes): Evaluate3(X) :

X:=X∪ {X} (Y, π)←$ Eval(sk, X)

Return(Y, π)

Challenge₃(X∗) :

Ifb= 1then

(Y∗, π)←$ Eval(sk, X)

ElseY∗←$ GT

ReturnY∗

Initialize3(X) : bad:= 0

(vk,sk)←$ GenC(1k)

b← {0$ ,1}

X:=∅

Returnvk

Finalize3(b0) :

K←$ AdmSmp(1k, Q, δ)

ForX∈Xdo

IfFK(X)6= 1thenbad:= 1

IfFK(X∗) = 1thenbad:= 1

c0:=b0

Ifc0=bthen Return1

Else Return0

Game 0. We defineG0:=G

qDDH

B(A), which implies

Pr[Gq_B(A)DDH= 1∧good] = Pr[G0= 1∧good₀] and Pr[good] = Pr[good₀]

Game 1. In this game the procedures Initialize1, Evaluate1, Challenge1, and

Finalize1described in Figure 5 are used. Note thatInitialize1 generates a normal VRF key pair (vk,sk), and Evaluate1 andChallenge1 use the secret key sk to evaluate the VRF and to create the challenge.

However, note thatsk is only used inEvaluate1(X)-queries withFK(X) = 1,

andChallenge1(X∗)-queries withFK(X∗) = 0. This mimics the simulation ofB

perfecty, in particular all outputs computed by these procedures are distributedexactly

like in Game 0. This implies that

Pr[G1= 1∧good₁] = Pr[G0= 1∧good₀] and Pr[good₁] = Pr[good₀]

Game 2. In this game we setInitialize2 := Initialize1, and define Finalize2,

Evaluate2, andChallenge2 as depicted in Figure 5. Note that GamesG2 andG1 proceed identical untilbadis set, thus by Lemma 3 we have

Pr[G2= 1∧good2] = Pr[G1= 1∧good1] and Pr[good2] = Pr[good1]

Game 3. Note that the outputs of proceduresEvaluate2 andChallenge2are inde-pendent ofK, onlyFinalize2depends onK. Therefore we can simplify our descrip-tion of the game, by choosingKonly at the end of the game, and checking only then if badneeds to be set tobad:= 1.

Formally, in GameG3the proceduresInitialize3,Evaluate3,Challenge3, and

Finalize3described in Figure 5 are used. All changes are purely conceptual, thus we have

Pr[G3= 1∧good₃] = Pr[G2= 1∧good₂] and Pr[good₃] = Pr[good₂]

Note also that nowKis chosen onlyafterAasksFinalize3.

Analysis of Game G3. It remains to derive bounds on Pr[G3 = 1∧ good₃] and

Pr[good₃]. LetXdenote the set

X :={(X(1), . . . , X(Q), X∗) :X∗6=X(i),1≤i≤Q}

of all sequences of queries a legitimate attackerAmay ask, and letX∗_{∈ X. Letγ(X}∗₎ denote the probability ofgood₃(over the choice ofK), if the particular sequenceX∗

Lemma 4. For anyX∗as defined above holds that

Pr[G3= 1∧good₃∧Q(X∗)] =γ(X∗)·Pr[G3= 1∧Q(X∗)] Pr[good₃∧Q(X∗)] =γ(X∗)·Pr[Q(X∗)]

The proof of Lemma 4 is nearly identical to the proof of [6, Lemma 3.4], and therefore deferred to Appendix B.

Now we can compute

Adv_BqDDH(k) = 2·Pr[G_B(A)qDDH= 1∧good]−Pr[good] (7)

= 2·Pr[G3= 1∧good₃]−Pr[good₃] (8)

= 2· X

X∗_∈X

Pr[G3= 1∧good₃∧Q(X∗)]− X

X∗_∈X

Pr[good₃∧Q(X∗)]

(9)

= 2· X

X∗_∈X

γ(X∗)·Pr[G3= 1∧Q(X∗)]− X

X∗_∈X

γ(X∗)·Pr[Q(X∗)]

(10) ≥2·γmin·

X

X∗_∈X

Pr[G3= 1∧Q(X∗)]−γmax·

X

X∗_∈X

Pr[Q(X∗)]

= 2·γmin·Pr[G3= 1]−γmax (11)

= 2·γmin·(AdvAVF(k) + 1)/2−γmax

=γmin·AdvVFA (k)−γmax+γmin

≥2·γmin·δ−γmax+γmin (12)

Here, (7) is due to Equation (6), (8) follows from the sequence of games described above, (9) and (11) follow from the fact that we sum over mutually exclusive events Q(X∗)withP

X∗_∈XPr[Q(X∗)] = 1, (10) is by Lemma 4, and (12) by the definition

ofδ≤AdvVF_A (k)/2.

B

Proof of Lemma 4

The execution ofAdmSmpin Game3uses random coins which are independent of the rest of the game. Therefore, the set of random coins underlying Game3can be seen as a cross productΩ=Ω0×RK, where each member is a pair(ω0, rK)∈Ωsuch thatrK

denotes the random coins used by algorithmAdmSmp, andω0 denotes all other coins of the experiment and the attacker.

Note that that any particular choiceX∗of a sequence of queries made byAdepends only on ω0, because in Game 3 algorithm AdmSmp is executed in the Finalize3 -procedure, when the sequence of queries X∗ issued by the attacker is already fixed. Thus, for allX∗∈ X letΩ0(X∗)denote the set of allω0∈Ω0that produce the partic-ular sequence of queriesX∗. Similarly, note that the probability that Game3outputs1

LetΩ₁0 ⊆Ω0denote the set of allω0 ∈Ω0such that the experiment outputs1. Let Rgood(X∗) ⊆RK denote the set of all coins leading to an AHF keyKsuch that for

X∗= (X(1)_{, . . . , X}(Q)_{, X}∗_{)holds that}

FK(X(1)) =· · ·=FK(X(Q)) = 1 ∧ FK(X∗) = 0

Then the set of coins such thatG3 = 1isΩ₁0 ×RK, and the set of coins leading to

good₃∧Q(X∗)isΩ0(X∗)×Rgood(X∗). Now we can compute

Pr[G3= 1∧good₃∧Q(X∗)] =|(Ω

0

1×RK)∩(Ω0(X∗)×Rgood(X∗))| |Ω0_×R

K|

=|(Ω

0

1∩Ω0(X∗))×Rgood(X∗)| |Ω0_×R

K|

=|Ω

0

1∩Ω0(X∗)| · |Rgood(X∗)| |Ω0_{| · |R}

K|

=|Ω

0

1∩Ω0(X∗)| · |RK|

|Ω0_{| · |R}

K|

· |Rgood(X ∗_)|

|RK|

=|(Ω

0

1∩Ω0(X∗))×RK|

|Ω0_×R

K|

· |Rgood(X ∗_)|

|RK|

= Pr[G3= 1∧Q(X∗)]·γ(X∗)

and

Pr[good₃∧Q(X∗)] =|Ω

0_(X∗_)×Rgood(X∗_)|

|Ω0_×R

K|

=|Ω

0_(X∗_{)| · |R}

good(X∗)| |Ω0_{| · |R}

K|

=|Ω

0_(X∗_{)| · |R}

K|

|Ω0_{| · |R}

K|

·|Rgood(X ∗_)|

|RK|

=|Ω

0_(X∗_)×R

K|

|Ω0_×R

K|

·|Rgood(X ∗_)|

|RK|