Score:2

Questions regarding the pseudorandom function construction of Banerjee, Peikert, and Rosen

sy flag

I am trying to understand the following pseudorandom function constructed by Banerjee, Peikert, and Rosen in this paper, assuming the hardness of LWE. Consider the following LWE/LWR based pseudorandom function:

$$F_{A, S_1,\dots, S_k}(x_1,\dots,x_k) = \left\lfloor A\prod_{i =1}^k S_i^{x_i}\right\rceil_p,$$

where $A \in \mathbb{Z}_q^{m\times n}$ and each $S_i \in \mathbb{Z}_q^{n\times n}$.

I had some questions about this construction.

  1. What is the relation between $k$, $n$ and $m$? How large does $p$ and $q$ have to be?
  2. How would the time taken by the best known algorithm to break the security of this function scale with $k$, $n$, and $m$?
  3. In the linked paper, on page 22, it is mentioned that,

To avoid an efficient attack (as outlined in the introduction), the distribution $\psi$ should be chosen such that the product of many $S_i \rightarrow \psi$ does not significantly reduce the entropy of \begin{equation} A\prod_{i =1}^k S_i. \end{equation}

The output of $F$ is a matrix. What does entropy of a matrix mean? And, does this statement indicate that $F$ is a one to one function?

Score:3
ng flag

First, there has been followup work to BPR, including a practical PRF and PRG. Here "practical" means extremely fast --- ~5 cycles per byte, (and as small as ~3 for the PRG iirc). This is well within a factor 10 of AES using AES-NI. There are a few caveats to this though:

  1. The keys are very large
  2. I believe AVX instructions are used, so some hardware acceleration is used
  3. Very small parameters are chosen.

These small parameters are such that the LWR/LWE equivalence is no longer known to hold [1], and moreover there's not really any meaningful reduction to a hard lattice problem. Therefore, security/parameters are chosen concretely by analyzing a handful of known attacks. This sounds like it would be of interest to you.

  1. What is the relation between k, n and m? How large does p and q have to be?

It depends on if you want it to be provably secure or heuristically secure. For provable security, theorem 5.2 of the paper you link seems to give you precisely the relationship that you want. For heuristic security (using smaller parameters), the relevant things to look at are:

  • section 4 of the PRF paper, and
  • section 3 of the PRG paper.

but they don't give nice inequalities that you might want, because such inequalities aren't known. Instead, they evaluate a handful of known attacks for particular choices of parameters.

  1. How would the time taken by the best known algorithm to break the security of this function scale with k, n, and m?

See section 4 of the PRF paper, and section 3 of the PRG paper, where several relevant computations are done.

3.a The output of F is a matrix. What does entropy of a matrix mean?

Strictly speaking, nothing. Entropy is a property of a probability distribution, so the claim would only make sense if one views $F$ not as a matrix, but as a distribution over matrices. To get some idea of what the authors mean, let $q = p_0 p_1$ be a semiprime. Then, if $A, S_1,\dots S_k$ are distributed such that (with probability 1):

  1. $A\bmod p_0 \equiv 0$, and
  2. $S_i\bmod p_1\equiv 0$ for all $i$,

then $F(A, S_1,\dots, S_k) \equiv 0\bmod q$ constantly, so the PRF will be predictable. The restriction to $A, S_i$ being invertible $\bmod q$ stops this particular (potential) issue (and perhaps more).

3.b And, does this statement indicate that F is a one to one function?

No, but it isn't expected to be. We want $F$ to be indistinguishable from a random function. Note that random functions are not 1-1 (you can quantify this via a technique called "PRP-PRF switching", but this isn't particularly relevant).


[1] Note that for most "practical" lattice-based primitives, this is already the case --- for example SABER bases itself on the concrete security of small-moduli MLWR, although its moduli of $2^{13}\approx 8k$ is much larger than the moduli of $q = 257$ that these PRF/PRGs use. This is somewhat relevant, as it has been recently discussed that small-moduli LWR has not been cryptanalyzed particularly well. See this NIST PQC google group thread. Since this thread in ~December people have run some experiments (and not found anything unexpected), but from the thread it seems like people hadn't tried directly cryptanalyzing small-moduli LWR until a month or two ago.

There are some sitautions one can use practical LWR-based primitives and get provably security based on lattice problems, but the only "standard" one I know of this is Sam Kim's (Key Homomorphic) Lattice-based PRF. Hart Montgomery also has a Non-standard version of LWR he can prove security for.

BlackHat18 avatar
sy flag
How much is the entropy of the function $F$ then, if not maximal? Do you have any intuition?
Mark avatar
ng flag
@BlackHat18 The intuition is that it should be high, if suitably restricted (such as $S_i$'s being invertible). If there were some "natural" distribution over $S_i$ such that the entropy were unexpectedly low, it would lead to an attack. This of course isn't impossible, but it isn't currently known how to do, and would be worth writing up.
Chris Peikert avatar
in flag
Excellent answer! Some nits: the “LWE/LWE” connection isn’t an “equivalence” because it doesn’t go both ways, at least not without a major loss in parameters in the round-trip. And “reduction *to* a hard lattice problem” should be *from*. We do of course have a reduction to a lattice problem, in that we can break the PRF/PRG using a (very strong) lattice-solving oracle.
Chris Peikert avatar
in flag
Typo: *LWR*/LWE equivalence.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.