In distributed pseudorandom functions (DPRFs), a PRF secret key SK is secret shared among N servers so that each server can locally compute a partial evaluation of the PRF on some input X. A combiner that collects t partial evaluations can then reconstruct the evaluation F(SK, X) of the PRF under the initial secret key. So far, all non-interactive constructions in the standard model are based on lattice assumptions. One caveat is that they are only known to be secure in the static corruption setting, where the adversary chooses the servers to corrupt at the very beginning of the game, before any evaluation query. In this work, we construct the first fully non-interactive adaptively secure DPRF in the standard model. Our construction is proved secure under the \(\textsf {LWE}\) assumption against adversaries that may adaptively decide which servers they want to corrupt. We also extend our construction in order to achieve robustness against malicious adversaries.
We note that this use of lossy trapdoor functions is somewhat unusual since their injective mode is usually used to handle adversarial queries while the lossy mode comes into play in the challenge phase.
We use a “find-then-guess” security game where the adversary obtains correct evaluation for inputs of its choice before trying to distinguish a real function evaluation from a random element of the range.
Except in some cases in which all players always correctly provide their contribution to the computation.
Note that a threshold-t function can be obtained from the majority function by fixing the desired number of input bits, so that we need a majority function of size \(\le 2N\) to construct a threshold function \(T_{t,N}\).
Note that conditioned on \((L_{{\mathcal {C}}^\star } , L_{{\mathcal {C}}^\star } \cdot {\varvec{\varGamma }})\), the rows of \({\varvec{\varGamma }}^\top \) are Gaussian on affine lines, but a column of \({\varvec{\varGamma }}^\top \) is an inner product of unit vector with all these rows.
The proof of Yamada’s IBE [68] requires to have \(P_\textsf {T}'(x^\star )=0\) in the challenge phase and \(P_\textsf {T}'(x)=1\) in all adversarial queries while we need the opposite. This is not a problem here since we can just evaluate the logical NOT of his partitioning function \(P_\textsf {T}'\).
Without this assumption, an adaptive adversary could distinguish the two games by corrupting a server after having obtained a partial evaluation from it.
We thank Javier Herranz for his suggestion to use linear integer secret sharing schemes. Part of this research was funded by the French ANR ALAMBIC project (ANR-16-CE39-0006) and by BPI-France in the context of the national project RISQ (P141580). This work was also supported in part by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701). The second author was supported by ERC Starting Grant ERC-2013-StG-335086-LATTAC.
This is the full version of a paper published in the proceedings of TCC 2018. It contains all the proofs that were omitted from the proceedings version.
