Basing PRFs on Constant-Query Weak PRFs: Minimizing Assumptions for Efficient Symmetric Cryptography

Although it is well known that all basic private-key cryptographic primitives can be built from one-way functions, finding weak assumptions from which practical implementations of such primitives exist remains a challenging task. Towards this goal, this paper introduces the notion of a constant-query weak PRF , a function with a secret key which is computationally indistinguishable from a truly random function when evaluated at a constant number s of known random inputs, where s can be as small as two. We provide iterated constructions of (arbitrary-input-length) PRFs from constant-query weak PRFs that even improve the efficiency of previous constructions based on the stronger assumption of a weak PRF (where polynomially many evaluations are allowed). One of our constructions directly provides a new mode of operation using a constant-query weak PRF for IND-CPA symmetric encryption which is essentially as efficient as conventional PRF-based counter-mode encryption. Furthermore, our constructions yield efficient modes of operation for keying hash functions (such as MD5 and SHA-1) to obtain iterated PRFs (and hence MACs) which rely solely on the assumption that the underlying compression function is a constant-query weak PRF, which is the weakest assumption ever considered in this context.

[1]  Silvio Micali,et al.  How to construct random functions , 1986, JACM.

[2]  Shoichi Hirose,et al.  A Simple Variant of the Merkle–Damgård Scheme with a Permutation , 2007, Journal of Cryptology.

[3]  Larry Carter,et al.  Universal Classes of Hash Functions , 1979, J. Comput. Syst. Sci..

[4]  Tal Malkin Topics in Cryptology - CT-RSA 2008, The Cryptographers' Track at the RSA Conference 2008, San Francisco, CA, USA, April 8-11, 2008. Proceedings , 2008, CT-RSA.

[5]  Jonathan Katz,et al.  Complete characterization of security notions for probabilistic private-key encryption , 2000, STOC '00.

[6]  Kan Yasuda,et al.  Boosting Merkle-Damgård Hashing for Message Authentication , 2007, ASIACRYPT.

[7]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[8]  Moti Yung,et al.  Advances in Cryptology — CRYPTO 2002 , 2002, Lecture Notes in Computer Science.

[9]  Tatsuaki Okamoto,et al.  Advances in Cryptology — ASIACRYPT 2000 , 2000, Lecture Notes in Computer Science.

[10]  Hugo Krawczyk,et al.  Pseudorandom functions revisited: the cascade construction and its concrete security , 1996, Proceedings of 37th Conference on Foundations of Computer Science.

[11]  Hugo Krawczyk,et al.  UMAC: Fast and Secure Message Authentication , 1999, CRYPTO.

[12]  Hugo Krawczyk,et al.  Keying Hash Functions for Message Authentication , 1996, CRYPTO.

[13]  S. Micali,et al.  How To Construct Randolli Functions , 1984, FOCS 1984.

[14]  Ralph C. Merkle,et al.  A Certified Digital Signature , 1989, CRYPTO.

[15]  Moni Naor,et al.  Synthesizers and Their Application to the Parallel Construction of Pseudo-Random Functions , 1999, J. Comput. Syst. Sci..

[16]  Marc Fischlin,et al.  Security of NMACand HMACBased on Non-malleability , 2008, CT-RSA.

[17]  Neal Koblitz,et al.  Advances in Cryptology — CRYPTO ’96 , 2001, Lecture Notes in Computer Science.

[18]  Moni Naor Advances in Cryptology - EUROCRYPT 2007, 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, Spain, May 20-24, 2007, Proceedings , 2007, EUROCRYPT.

[19]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[20]  Kaoru Kurosawa,et al.  Advances in Cryptology - ASIACRYPT 2007, 13th International Conference on the Theory and Application of Cryptology and Information Security, Kuching, Malaysia, December 2-6, 2007, Proceedings , 2007, International Conference on the Theory and Application of Cryptology and Information Security.

[21]  Mihir Bellare,et al.  The Security of the Cipher Block Chaining Message Authentication Code , 2000, J. Comput. Syst. Sci..

[22]  Douglas R. Stinson,et al.  Universal hashing and authentication codes , 1991, Des. Codes Cryptogr..

[23]  Ivan Damgård,et al.  Expanding Pseudorandom Functions; or: From Known-Plaintext Security to Chosen-Plaintext Security , 2002, CRYPTO.

[24]  Joan Feigenbaum,et al.  Advances in Cryptology-Crypto 91 , 1992 .

[25]  Ivan Damgård,et al.  A Design Principle for Hash Functions , 1989, CRYPTO.

[26]  Mihir Bellare,et al.  A concrete security treatment of symmetric encryption , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[27]  Cynthia Dwork,et al.  Advances in Cryptology – CRYPTO 2020: 40th Annual International Cryptology Conference, CRYPTO 2020, Santa Barbara, CA, USA, August 17–21, 2020, Proceedings, Part III , 2020, Annual International Cryptology Conference.

[28]  Johan Sjödin,et al.  Range Extension for Weak PRFs; The Good, the Bad, and the Ugly , 2007, EUROCRYPT.

[29]  Silvio Micali,et al.  How to Construct Random Functions (Extended Abstract) , 1984, FOCS.

[30]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.

[31]  Leonid A. Levin,et al.  A Pseudorandom Generator from any One-way Function , 1999, SIAM J. Comput..

[32]  Ueli Maurer,et al.  A Fast and Key-Efficient Reduction of Chosen-Ciphertext to Known-Plaintext Security , 2007, EUROCRYPT.

[33]  Mihir Bellare,et al.  Hash Function Balance and Its Impact on Birthday Attacks , 2004, EUROCRYPT.