Adventures in Crypto Dark Matter: Attacks and Fixes for Weak Pseudorandom Functions

Abstract

A weak pseudorandom function (weak PRF) is one of the most important cryptographic primitives for its efficiency although it has lower security than a standard PRF.

Recently, Boneh et al. (TCC’18) introduced two types of new weak PRF candidates, which are called a basic Mod-2/Mod-3 and alternative Mod-2/Mod-3 weak PRF. Both use the mixture of linear computations defined on different small moduli to satisfy conceptual simplicity, low complexity (depth-2 \(\mathsf{ACC^0}\)) and MPC friendliness. In fact, the new candidates are conjectured to be exponentially secure against any adversary that allows exponentially many samples, and a basic Mod-2/Mod-3 weak PRF is the only candidate that satisfies all features above. However, none of the direct attacks which focus on basic and alternative Mod-2/Mod-3 weak PRFs use their own structures.

In this paper, we investigate weak PRFs from two perspectives; attacks, fixes. We first propose direct attacks for an alternative Mod-2/Mod-3 weak PRF and a basic Mod-2/Mod-3 weak PRF when a circulant matrix is used as a secret key.

For an alternative Mod-2/Mod-3 weak PRF, we prove that the adversary’s advantage is at least \(2^{-0.105n}\), where n is the size of the input space of the weak PRF. Similarly, we show that the advantage of our heuristic attack to the weak PRF with a circulant matrix key is larger than \(2^{-0.21n}\), which is contrary to the previous expectation that ‘structured secret key’ does not affect the security of a weak PRF. Thus, for an optimistic parameter choice \(n = 2\lambda \) for the security parameter \(\lambda \), parameters should be increased to preserve \(\lambda \)-bit security when an adversary obtains exponentially many samples.

Next, we suggest a simple method for repairing two weak PRFs affected by our attack while preserving the parameters.

Appendices

A Definitions about Circuit Class

In this section, we deal with definitions about the circuit class in [BIP+18].

Definition A.1

(in [BIP+18]). For any integer m, the \(\mathsf{MOD}_{m}\) gate outputs 1 if m divides the sum of its inputs, and 0 otherwise.

Definition A.2

(Circuit Class \(\mathsf{ACC}^0\) in [BIP+18]). For integers \(m_1, \cdots , m_k >1\), \(\mathsf{ACC}^0[m_1,\cdots ,m_k]\) is the set of languages \(\mathcal {L}\) decided by some circuit family \(\{C_n\}_{n \in \mathbb {N}}\) with constant depth, polynomial size, and consisting of unbounded fan-in AND, OR, NOT and \({\mathsf{MOD}_{m_1},\cdots ,\mathsf{MOD}_{m_k}}\) gates. Moreover, \(\mathsf{ACC}^0\) is denoted by the class of all languages that is in \(\mathsf{ACC}^0[m_1,\cdots ,m_k]\) for some \(k\ge 0\) and integers \(m_1, \cdots , m_k >1\).

B Simple Non-adaptive Attack

In this section, we provide a simple non-adaptive attack of a basic Mod-2/Mod-3 weak PRF, which runs in polynomial time n. The attack is motivated by rank attack [CVW18, CHVW19].

Assume that adversary has exponentially many samples \((\mathbf{z}_i,v_i)\). The goal is to determine whether \(v_i\) is uniformly sampled from \({\mathbb Z}_3\) or sampled from a Mod-2/Mod-3weak PRF.

Let s be an integer \(> \max \{m,n\}\). Then, our attack is:

1. 1.

   Find \(s^2\) pairs of vectors \(\{(\mathbf{x}_i,\mathbf{y}_j)\}_{i,j \in [s]}\) such that \(\mathbf{z}_{i,j} = \mathbf{x}_i+ \mathbf{y}_j\) for some \(\mathbf{z}_{i,j}\) in a list of samples.

2. 2.

   Construct a matrix \(\mathbf{M}= (v_{i,j})\), where \(v_{i,j}\) is a sample corresponding to a vector \(\mathbf{z}_{i,j}\).

3. 3.

   Compute a rank of \(\mathbf{M}\).

For an analysis, we borrow a polynomial representation of \(\mathcal {F}_{\mathbf{A}}(\mathbf{x})\) in [BIP+18].

$$ \mathcal {F}_{\mathbf{A}}(\mathbf{x}) = \sum _{i=1}^m \left( \prod _{j=1}^n (1+x_j)^{a_{i,j}} - 1\right) , $$

where a matrix \(\mathbf{A}=(a_{i,j}) \in \{0.1\}^{m \times n}\) and a vector \(\mathbf{x}=(x_i) \in \{ {0,1} \}^n\). Note that since \(a_{i,j}\) is 0 or 1, the following lemma is trivial.

Lemma B.1

Mod-2/Mod-3 weak PRF is interpreted as a product of matrices. More precisely, for a key \(\mathbf{A}= (a_{i,j}) \in \{ {0,1} \}^{m \times n}\) and a vector \(\mathbf{x}=(x_i) \in \{ {0,1} \}^n\),

$$ \mathcal {F}_{\mathbf{A}}(\mathbf{x}) +n = \sum _{i=1}^n f_i(\mathbf{x}) = \mathbf{1}^T \cdot \prod _{i=1}^n (\mathbf{I}+ \mathsf{diag}(x_i\mathbf{A}_i)) \cdot \mathbf{1}$$

where \(\mathbf{A}_i\) is the i-th column of \(\mathbf{A}\), and \(f_i (\mathbf{x}) = \prod _{j=1}^n (1+a_{i,j}x_j)\), and \(\mathsf{diag}(x_i\mathbf{A}_i)\) is a diagonal matrix whose j-th diagonal entry is the same as j-th component of a vector \(x_i\mathbf{A}_i\).

Based on the above lemma, we complete the non-adaptive attack. When \(v_{i,j}\)’s are truly random, a rank of \(\mathbf{M}\) is s with high probability. However, if it is of the form \(\mathsf{map}(\mathbf{A}\cdot ([\mathbf{x}_i+\mathbf{y}_j)]_2)\), then a matrix \(\mathbf{M}\) is divided into a product of two matrices using Lemma B.1.

$$ \mathbf{M}= \begin{pmatrix} \mathbf{1}^T\cdot \mathbf{H}(\mathbf{x}_1) \\ \mathbf{1}^T\cdot \mathbf{H}(\mathbf{x}_2) \\ \mathbf{1}^T\cdot \mathbf{H}(\mathbf{x}_3) \\ \vdots \\ \mathbf{1}^T\cdot \mathbf{H}(\mathbf{x}_\rho ) \end{pmatrix} \cdot \begin{pmatrix} \mathbf{H}(\mathbf{y}_1)\cdot \mathbf{1},&\mathbf{H}(\mathbf{y}_2)\cdot \mathbf{1},&\mathbf{H}(\mathbf{y}_3)\cdot \mathbf{1},&\cdots ,&\mathbf{H}(\mathbf{y}_{\rho })\cdot \mathbf{1}\end{pmatrix} $$

Hence, a rank of \(\mathbf{M}\) is bounded by \(\min (m,n)\) with high probability. The attack runs in O(n) time and space.

The rank attack only succeeds when an adversary is possible to use an oracle access to input queries. However, in the setting of weak PRF, inputs are selected randomly from \(\{ {0,1} \}^n\), our attack does not work anymore.