Delegatable pseudorandom functions and applications

We put forth the problem of delegating the evaluation of a pseudorandom function (PRF) to an untrusted proxy and introduce a novel cryptographic primitive called delegatable pseudorandom functions, or DPRFs for short: A DPRF enables a proxy to evaluate a pseudorandom function on a strict subset of its domain using a trapdoor derived from the DPRF secret key. The trapdoor is constructed with respect to a certain policy predicate that determines the subset of input values which the proxy is allowed to compute. The main challenge in constructing DPRFs is to achieve bandwidth efficiency (which mandates that the trapdoor is smaller than the precomputed sequence of the PRF values conforming to the predicate), while maintaining the pseudorandomness of unknown values against an attacker that adaptively controls the proxy. A DPRF may be optionally equipped with an additional property we call policy privacy, where any two delegation predicates remain indistinguishable in the view of a DPRF-querying proxy: achieving this raises new design challenges as policy privacy and bandwidth efficiency are seemingly conflicting goals. For the important class of policy predicates described as (1-dimensional) ranges, we devise two DPRF constructions and rigorously prove their security. Built upon the well-known tree-based GGM PRF family, our constructions are generic and feature only logarithmic delegation size in the number of values conforming to the policy predicate. At only a constant-factor efficiency reduction, we show that our second construction is also policy private. Finally, we describe that their new security and efficiency properties render our DPRF schemes particularly useful in numerous security applications, including RFID, symmetric searchable encryption, and broadcast encryption.

[1]  Kenneth G. Paterson,et al.  Anonymous Broadcast Encryption: Adaptive Security and Efficient Constructions in the Standard Model , 2012, Public Key Cryptography.

[2]  Matthew Green,et al.  Identity-Based Proxy Re-encryption , 2007, ACNS.

[3]  Charalampos Papamanthou,et al.  Dynamic searchable symmetric encryption , 2012, IACR Cryptol. ePrint Arch..

[4]  Matt Blaze,et al.  Divertible Protocols and Atomic Proxy Cryptography , 1998, EUROCRYPT.

[5]  Vinod Vaikuntanathan,et al.  How to Delegate and Verify in Public: Verifiable Computation from Attribute-based Encryption , 2012, IACR Cryptol. ePrint Arch..

[6]  Benny Pinkas,et al.  Keyword Search and Oblivious Pseudorandom Functions , 2005, TCC.

[7]  Yevgeniy Dodis,et al.  Proxy Cryptography Revisited , 2003, NDSS.

[8]  Nelly Fazio,et al.  Outsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts , 2012, Public Key Cryptography.

[9]  Anna Lysyanskaya,et al.  Unique Signatures and Verifiable Random Functions from the DH-DDH Separation , 2002, CRYPTO.

[10]  Amos Fiat,et al.  Broadcast Encryption , 1993, CRYPTO.

[11]  Yevgeniy Vahlis,et al.  Verifiable Delegation of Computation over Large Datasets , 2011, IACR Cryptol. ePrint Arch..

[12]  Moni Naor,et al.  Revocation and Tracing Schemes for Stateless Receivers , 2001, CRYPTO.

[13]  Brent Waters,et al.  Privacy in Encrypted Content Distribution Using Private Broadcast Encryption , 2006, Financial Cryptography.

[14]  Brent Waters,et al.  Constrained Pseudorandom Functions and Their Applications , 2013, ASIACRYPT.

[15]  Hossein Bidgoli Handbook of Information Security , 2005 .

[16]  Matthew Green,et al.  Improved proxy re-encryption schemes with applications to secure distributed storage , 2006, TSEC.

[17]  Moni Naor,et al.  Efficient trace and revoke schemes , 2000, International Journal of Information Security.

[18]  Yevgeniy Dodis,et al.  A Verifiable Random Function with Short Proofs and Keys , 2005, Public Key Cryptography.

[19]  Corporate,et al.  The handbook of information security , 1991 .

[20]  Anna Lysyanskaya,et al.  How to Securely Outsource Cryptographic Computations , 2005, TCC.

[21]  Xiaomin Liu,et al.  Efficient Oblivious Pseudorandom Function with Applications to Adaptive OT and Secure Computation of Set Intersection , 2009, TCC.

[22]  Ran Canetti,et al.  Practical delegation of computation using multiple servers , 2011, CCS '11.

[23]  Yael Tauman Kalai,et al.  Improved Delegation of Computation using Fully Homomorphic Encryption , 2010, IACR Cryptol. ePrint Arch..

[24]  Rafail Ostrovsky,et al.  Searchable symmetric encryption: improved definitions and efficient constructions , 2006, CCS '06.

[25]  David A. Wagner,et al.  A Scalable, Delegatable Pseudonym Protocol Enabling Ownership Transfer of RFID Tags , 2005, IACR Cryptol. ePrint Arch..

[26]  Bogdan Warinschi,et al.  Secure Proxy Signature Schemes for Delegation of Signing Rights , 2010, Journal of Cryptology.

[27]  Shafi Goldwasser,et al.  Functional Signatures and Pseudorandom Functions , 2014, Public Key Cryptography.

[28]  Silvio Micali,et al.  How to construct random functions , 1986, JACM.

[29]  Mikhail J. Atallah,et al.  Securely outsourcing linear algebra computations , 2010, ASIACCS '10.

[30]  Jessica Staddon,et al.  Combinatorial Bounds for Broadcast Encryption , 1998, EUROCRYPT.

[31]  Rosario Gennaro,et al.  Publicly verifiable delegation of large polynomials and matrix computations, with applications , 2012, IACR Cryptol. ePrint Arch..

[32]  Silvio Micali,et al.  Verifiable random functions , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[33]  Yevgeniy Dodis,et al.  Proxy cryptography revisted , 2003 .

[34]  Eiji Okamoto,et al.  Proxy signatures for delegating signing operation , 1996, CCS '96.

[35]  Yael Tauman Kalai,et al.  Delegating computation: interactive proofs for muggles , 2008, STOC.