Abstract
A weak pseudorandom function (weak PRF) is one of the most important cryptographic primitives because of its efficiency, although it offers weaker security than a standard PRF.
Recently, Boneh et al. (TCC’18) introduced two types of new weak PRF candidates, called the basic Mod-2/Mod-3 and the alternative Mod-2/Mod-3 weak PRF. Both use a mixture of linear computations over different small moduli to achieve conceptual simplicity, low complexity (depth-2 \(\mathsf{ACC^0}\)) and MPC friendliness. In fact, the new candidates are conjectured to be exponentially secure against any adversary that is given exponentially many samples, and the basic Mod-2/Mod-3 weak PRF is the only candidate that satisfies all of the features above. However, none of the direct attacks on the basic and alternative Mod-2/Mod-3 weak PRFs exploit their own structures.
In this paper, we investigate weak PRFs from two perspectives: attacks and fixes. We first propose direct attacks on the alternative Mod-2/Mod-3 weak PRF and on the basic Mod-2/Mod-3 weak PRF when a circulant matrix is used as the secret key.
For the alternative Mod-2/Mod-3 weak PRF, we prove that the adversary’s advantage is at least \(2^{-0.105n}\), where n is the size of the input space of the weak PRF. Similarly, we show that the advantage of our heuristic attack on the weak PRF with a circulant matrix key is larger than \(2^{-0.21n}\), contrary to the previous expectation that a ‘structured secret key’ does not affect the security of a weak PRF. Thus, for the optimistic parameter choice \(n = 2\lambda \) with security parameter \(\lambda \), the parameters should be increased to preserve \(\lambda \)-bit security when an adversary obtains exponentially many samples.
Next, we suggest a simple method for repairing two weak PRFs affected by our attack while preserving the parameters.
Notes
1. For well-definedness, \(\mathbf{A}\cdot \mathbf{x}\) is interpreted as a binary vector.
2. In the original paper [BIP+18], they used a Toeplitz matrix or a block-circulant matrix as the secret key of the weak PRF for its efficiency. However, in this paper, we only deal with the case that the secret key of the weak PRF is a circulant matrix, which is the same as a block-circulant matrix in the original paper. Indeed, they said that a block-circulant matrix can be represented by a single vector.
3. In the original paper, the authors mentioned that a ‘block-circulant matrix’ can be represented by a single vector. Thus, a block-circulant matrix is the same as a circulant matrix in this paper.
4.
5. We call \(\mathbf{a}\) a base vector.
References
Akavia, A., Bogdanov, A., Guo, S., Kamath, A., Rosen, A.: Candidate weak pseudorandom functions in \(\mathsf{AC}^0 \circ \mathsf{MOD}_2\). In: Proceedings of the 5th Conference on Innovations in Theoretical Computer Science, pp. 251–260 (2014)
Ananth, P., Brakerski, Z., Segev, G., Vaikuntanathan, V.: From selective to adaptive security in functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 657–677. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_32
Applebaum, B.: Bootstrapping obfuscators via fast pseudorandom functions. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 162–172. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_9
Alperin-Sheriff, J., Apon, D.: Weak is better: Tightly secure short signatures from weak PRFs. IACR Cryptol. ePrint Arch. (2017)
Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_1
Bellare, M.: New proofs for NMAC and HMAC: security without collision resistance. J. Cryptol. 28(4), 844–878 (2015)
Ball, M., Holmgren, J., Ishai, Y., Liu, T., Malkin, T.: On the complexity of decomposable randomized encodings, or: how friendly can a garbling-friendly PRF be? In: 11th Innovations in Theoretical Computer Science Conference, ITCS 2020. Schloss Dagstuhl-Leibniz-Zentrum für Informatik (2020)
Boneh, D., Ishai, Y., Passelègue, A., Sahai, A., Wu, D.J.: Exploring crypto dark matter. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 699–729. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_25
Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM (JACM) 50(4), 506–519 (2003)
Bogdanov, A., Rosen, A.: Pseudorandom functions: three decades later. In: Lindell, Y. (ed.) Tutorials on the Foundations of Cryptography. ISC, pp. 79–158. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-57048-8_3
Bogos, S., Tramer, F., Vaudenay, S.: On solving LPN using BKW and variants. Crypt. Commun. 8(3), 331–369 (2016). https://doi.org/10.1007/s12095-015-0149-2
Chen, Y., Hhan, M., Vaikuntanathan, V., Wee, H.: Matrix PRFs: constructions, attacks, and applications to obfuscation. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019, Part I. LNCS, vol. 11891, pp. 55–80. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36030-6_3
Chen, Y., Vaikuntanathan, V., Wee, H.: GGH15 beyond permutation branching programs: proofs, attacks, and candidates. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 577–607. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_20
Dodis, Y., Kiltz, E., Pietrzak, K., Wichs, D.: Message authentication, revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 355–374. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_22
Damgård, I., Nielsen, J.B.: Expanding pseudorandom functions; or: from known-plaintext security to chosen-plaintext security. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 449–464. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_29
Dodis, Y., Steinberger, J.: Message authentication codes from unpredictable block ciphers. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 267–285. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_16
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM (JACM) 33(4), 792–807 (1986)
Goldreich, O.: Two remarks concerning the Goldwasser-Micali-Rivest signature scheme. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 104–110. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_8
Lyubashevsky, V., Masny, D.: Man-in-the-middle secure authentication schemes from LPN and Weak PRFs. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 308–325. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_18
Maurer, U., Sjödin, J.: A fast and key-efficient reduction of chosen-ciphertext to known-plaintext security. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 498–516. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_29
Micciancio, D., Walter, M.: On the bit security of cryptographic primitives. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part I. LNCS, vol. 10820, pp. 3–28. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_1
Pietrzak, K.: A leakage-resilient mode of operation. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 462–482. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_27
Acknowledgments
We thank the anonymous reviewers of PKC 2021 for insightful and helpful comments. In particular, we thank Venkata Koppula for shepherding our paper. Also, we would like to thank Minki Hhan for helpful discussions. The authors of Seoul National University were supported by the Institute for Information & communication Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No. 2016-6-00598, The mathematical structure of functional encryption and its analysis). Jeong Han Kim was partially supported by National Research Foundation of Korea (NRF) Grants funded by the Korean Government (MSIP) (NRF-2012R1A2A2A01018585 & 2017R1E1A1A03070701) and by a KIAS Individual Grant (CG046001) at Korea Institute for Advanced Study. Jiseung Kim was supported by a KIAS Individual Grant (CG078201) at Korea Institute for Advanced Study.
Appendices
A Definitions about Circuit Class
In this section, we recall the definitions of the circuit class used in [BIP+18].
Definition A.1
(in [BIP+18]). For any integer m, the \(\mathsf{MOD}_{m}\) gate outputs 1 if m divides the sum of its inputs, and 0 otherwise.
Definition A.2
(Circuit Class \(\mathsf{ACC}^0\) in [BIP+18]). For integers \(m_1, \cdots , m_k >1\), \(\mathsf{ACC}^0[m_1,\cdots ,m_k]\) is the set of languages \(\mathcal {L}\) decided by some circuit family \(\{C_n\}_{n \in \mathbb {N}}\) of constant depth and polynomial size, consisting of unbounded fan-in AND, OR, NOT and \({\mathsf{MOD}_{m_1},\cdots ,\mathsf{MOD}_{m_k}}\) gates. Moreover, \(\mathsf{ACC}^0\) denotes the class of all languages that lie in \(\mathsf{ACC}^0[m_1,\cdots ,m_k]\) for some \(k\ge 0\) and integers \(m_1, \cdots , m_k >1\).
B Simple Non-adaptive Attack
In this section, we provide a simple non-adaptive attack on the basic Mod-2/Mod-3 weak PRF, which runs in time polynomial in n. The attack is motivated by the rank attack [CVW18, CHVW19].
Assume that the adversary has exponentially many samples \((\mathbf{z}_i,v_i)\). The goal is to determine whether \(v_i\) is sampled uniformly from \({\mathbb Z}_3\) or from a Mod-2/Mod-3 weak PRF.
Let s be an integer \(> \max \{m,n\}\). Then our attack is:
1. Find \(s^2\) pairs of vectors \(\{(\mathbf{x}_i,\mathbf{y}_j)\}_{i,j \in [s]}\) such that \(\mathbf{z}_{i,j} = \mathbf{x}_i+ \mathbf{y}_j\) for some \(\mathbf{z}_{i,j}\) in the list of samples.
2. Construct the matrix \(\mathbf{M}= (v_{i,j})\), where \(v_{i,j}\) is the sample corresponding to the vector \(\mathbf{z}_{i,j}\).
3. Compute the rank of \(\mathbf{M}\).
For the analysis, we borrow the polynomial representation of \(\mathcal {F}_{\mathbf{A}}(\mathbf{x})\) from [BIP+18].
where the matrix \(\mathbf{A}=(a_{i,j}) \in \{0,1\}^{m \times n}\) and the vector \(\mathbf{x}=(x_i) \in \{ {0,1} \}^n\). Note that since each \(a_{i,j}\) is 0 or 1, the following lemma is trivial.
Lemma B.1
The Mod-2/Mod-3 weak PRF can be interpreted as a product of matrices. More precisely, for a key \(\mathbf{A}= (a_{i,j}) \in \{ {0,1} \}^{m \times n}\) and a vector \(\mathbf{x}=(x_i) \in \{ {0,1} \}^n\),
where \(\mathbf{A}_i\) is the i-th column of \(\mathbf{A}\), \(f_i (\mathbf{x}) = \prod _{j=1}^n (1+a_{i,j}x_j)\), and \(\mathsf{diag}(x_i\mathbf{A}_i)\) is the diagonal matrix whose j-th diagonal entry equals the j-th component of the vector \(x_i\mathbf{A}_i\).
Based on the above lemma, we complete the non-adaptive attack. When the \(v_{i,j}\)’s are truly random, the rank of \(\mathbf{M}\) is s with high probability. However, if \(v_{i,j}\) is of the form \(\mathsf{map}([\mathbf{A}\cdot (\mathbf{x}_i+\mathbf{y}_j)]_2)\), then by Lemma B.1 the matrix \(\mathbf{M}\) factors into a product of two matrices.
Hence, the rank of \(\mathbf{M}\) is bounded by \(\min (m,n)\) with high probability. The attack runs in O(n) time and space.
The rank attack only succeeds when the adversary has oracle access to inputs of its choice. In the weak PRF setting, however, inputs are sampled uniformly at random from \(\{ {0,1} \}^n\), so our attack no longer applies.
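The following Python script is an added worked example, not code from the paper or from [BIP+18]. It implements the basic Mod-2/Mod-3 weak PRF as described in footnote 1 and Appendix B, \(\mathcal{F}_{\mathbf{A}}(\mathbf{x}) = \mathsf{map}([\mathbf{A}\cdot\mathbf{x}]_2)\), where \(\mathsf{map}\) sums the binary entries of \([\mathbf{A}\cdot\mathbf{x}]_2\) modulo 3 (an assumption about the definition, stated in the code), and the chosen-input rank distinguisher of Appendix B. The factorization it checks is the elementary identity \(1 + (u \oplus w) \equiv (1+u)(1+w) \pmod 3\) for bits u, w, which is how the matrix \(\mathbf{M}\) becomes a rank-bounded product plus a rank-one all-ones correction; the script asserts the unconditional bound \(\mathrm{rank}(\mathbf{M}) \le m+1\) that follows from that identity, which is far below s for the parameters chosen. Parameters (m = 6, n = 12, s = 16) and the seeded randomness are constructed for the demonstration.

```python
# Added example: basic Mod-2/Mod-3 weak PRF and the chosen-input rank
# distinguisher of Appendix B (not the paper's own code).
import random


def mod2_bits(A, x):
    """[A.x]_2 as a list of m bits (A is an m x n 0/1 matrix, x an n-bit vector)."""
    return [sum(a & xi for a, xi in zip(row, x)) % 2 for row in A]


def mod2_mod3_prf(A, x):
    """F_A(x) = map([A.x]_2): assumed here to be the sum of the binary entries mod 3."""
    return sum(mod2_bits(A, x)) % 3


def factored_value(A, x, y):
    """F_A(x xor y) via the factorization used by the attack.

    Over Z_3, 1 + (u xor w) == (1+u)(1+w) for bits u, w, so
    F_A(x xor y) = sum_r (1+u_r)(1+w_r) - m with u = [A.x]_2, w = [A.y]_2.
    Hence M = U.W - m.J with U an s x m and W an m x s matrix and J all-ones,
    which bounds rank(M) by m + 1 (and by m when 3 divides m).
    """
    m = len(A)
    u, w = mod2_bits(A, x), mod2_bits(A, y)
    return (sum((1 + ur) * (1 + wr) for ur, wr in zip(u, w)) - m) % 3


def rank_mod3(M):
    """Rank of an integer matrix over Z_3 by Gauss-Jordan elimination."""
    M = [[v % 3 for v in row] for row in M]
    rows, cols, rank = len(M), len(M[0]), 0
    for c in range(cols):
        if rank == rows:
            break
        pivot = next((r for r in range(rank, rows) if M[r][c] != 0), None)
        if pivot is None:
            continue
        M[rank], M[pivot] = M[pivot], M[rank]
        inv = M[rank][c]                      # in Z_3, 1^-1 = 1 and 2^-1 = 2
        M[rank] = [(v * inv) % 3 for v in M[rank]]
        for r in range(rows):
            if r != rank and M[r][c] != 0:
                f = M[r][c]
                M[r] = [(a - f * b) % 3 for a, b in zip(M[r], M[rank])]
        rank += 1
    return rank


def rank_attack(oracle, n, s, rng):
    """Steps 1-3 of Appendix B with chosen inputs: query oracle on x_i xor y_j
    for s random x_i and s random y_j, build M = (v_{i,j}) and return its Z_3 rank."""
    xs = [[rng.randrange(2) for _ in range(n)] for _ in range(s)]
    ys = [[rng.randrange(2) for _ in range(n)] for _ in range(s)]
    M = [[oracle([a ^ b for a, b in zip(x, y)]) for y in ys] for x in xs]
    return rank_mod3(M)


def factorization_holds(trials=50, n=12, m=6, seed=7):
    """Check F_A(x xor y) == factored_value(A, x, y) on constructed random inputs."""
    rng = random.Random(seed)
    for _ in range(trials):
        A = [[rng.randrange(2) for _ in range(n)] for _ in range(m)]
        x = [rng.randrange(2) for _ in range(n)]
        y = [rng.randrange(2) for _ in range(n)]
        if mod2_mod3_prf(A, [a ^ b for a, b in zip(x, y)]) != factored_value(A, x, y):
            return False
    return True


def demo(m=6, n=12, s=16, seed=1):
    """Return (rank for the PRF oracle, rank for a uniform Z_3 oracle); s > max(m, n)."""
    rng = random.Random(seed)
    A = [[rng.randrange(2) for _ in range(n)] for _ in range(m)]   # constructed key
    prf_rank = rank_attack(lambda z: mod2_mod3_prf(A, z), n, s, rng)
    rand_rank = rank_attack(lambda z: rng.randrange(3), n, s, rng)  # ignores z
    return prf_rank, rand_rank


if __name__ == "__main__":
    prf_rank, rand_rank = demo()
    print("factorization identity holds:", factorization_holds())
    print("rank with PRF oracle:", prf_rank, "(bounded by m + 1 = 7)")
    print("rank with random oracle:", rand_rank, "(close to s = 16)")
```

The distinguisher's decision rule is simply whether the rank falls at or below the bound m + 1; the gap to s is what makes the test reliable. Note that the attack needs the adversary to choose the inputs x_i xor y_j, which matches the appendix's closing remark: with inputs drawn uniformly at random, such structured pairs are not available.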
Copyright information
© 2021 International Association for Cryptologic Research
About this paper
Cite this paper
Cheon, J.H., Cho, W., Kim, J.H., Kim, J. (2021). Adventures in Crypto Dark Matter: Attacks and Fixes for Weak Pseudorandom Functions. In: Garay, J.A. (ed.) Public-Key Cryptography – PKC 2021. Lecture Notes in Computer Science, vol. 12711. Springer, Cham. https://doi.org/10.1007/978-3-030-75248-4_26
DOI: https://doi.org/10.1007/978-3-030-75248-4_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-75247-7
Online ISBN: 978-3-030-75248-4