## Constrained Pseudorandom Functions and Their Applications

Citations: 69 - 11 self

### Citations

1642 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context ... w , p (R) w : w ∈ X } Constructing left/right constrained PRFs. We next show that secure PRFs that are constrained with respect to $P_{LR}$ can be constructed straightforwardly in the random oracle model [3]. Constructing left/right constrained PRFs without random oracles is a far more challenging problem. We do so, and more, in the next section. To construct a left/right constrained PRF in the random or...

747 | How to Construct Random Functions
- Goldreich, Goldwasser, et al.
- 1986
Citation Context ...nstruct constrained PRFs for several natural set systems needed for these applications. We conclude with several open problems relating to this new concept. 1 Introduction Pseudorandom functions (PRF) [19] are a fundamental concept in modern cryptography. A PRF is a function F : K × X → Y that can be computed by a deterministic polynomial time algorithm: on input (k, x) ∈ K × X the algorithm outputs F ...

522 | Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data
- Goyal, Pandey, et al.
- 2006
Citation Context ...the key $k_p$ will be indistinguishable from random. This $k_p$ can then be used for secure communication among the group members. This functionality is related to the concept of Attribute-Based Encryption [28, 21]. We implement policy-based key agreement using a constrained PRF $F : K \times \{0, 1\}^m \to Y$ for circuit predicates. To do so, let U(·, ·) denote a universal circuit that takes two inputs: an identity id ∈ ...

377 | Fuzzy Identity-Based Encryption
- Sahai, Waters
- 2005
Citation Context ...the key $k_p$ will be indistinguishable from random. This $k_p$ can then be used for secure communication among the group members. This functionality is related to the concept of Attribute-Based Encryption [28, 21]. We implement policy-based key agreement using a constrained PRF $F : K \times \{0, 1\}^m \to Y$ for circuit predicates. To do so, let U(·, ·) denote a universal circuit that takes two inputs: an identity id ∈ ...

363 | On lattices, learning with errors, random linear codes, and cryptography
- Regev
- 2005
Citation Context ...ers require κ-linear maps [7, 16, 10] for κ > 2. It would be quite interesting and useful to develop constructions for these constrained PRFs from other assumptions such as Learning With Errors (LWE) [27]. This will give new key exchange and broadcast encryption systems from the LWE problem. In defining security for a constrained PRF in Section 3 we allow the adversary to adaptively request constraine...

331 | Broadcast encryption
- Fiat, Naor
- 1994
Citation Context ...constrained key $k_s$ that enables the evaluation of $F(k_0, x)$ at x ∈ S and nowhere else. We show that such a constrained PRF can be used to construct an optimal secret-key¹ broadcast encryption system [14]. In particular, the length of the private key and the broadcast ciphertext are all independent of the number of users. We compare these constructions to existing broadcast systems in Section 6.1. • C...

257 | Hierarchical ID-Based Cryptography
- Gentry, Silverberg
- 2002
Citation Context ...trained key $k_s$ for some set S ⊂ X. That key $k_s$ can be used in turn to derive a further constrained key $k'_s$ for some subset $S' \subset S$, and so on. This concept is in similar spirit to Hierarchical IBE [22, 18, 9] or delegation in ABE [21]. For the GGM prefix system, this is straightforward. Some of our constructions, such as the bit fixing PRF, extend naturally to support more than one level of delegation whi...

251 | A forward-secure public-key encryption scheme
- Canetti, Halevi, et al.
- 2003
Citation Context ...trained key $k_s$ for some set S ⊂ X. That key $k_s$ can be used in turn to derive a further constrained key $k'_s$ for some subset $S' \subset S$, and so on. This concept is in similar spirit to Hierarchical IBE [22, 18, 9] or delegation in ABE [21]. For the GGM prefix system, this is straightforward. Some of our constructions, such as the bit fixing PRF, extend naturally to support more than one level of delegation whi...

250 | Revocation and tracing schemes for stateless receivers
- Naor, Naor, et al.
- 2001
Citation Context ...rly this key enables the evaluation of $F(k, v \| x)$ for any $x \in \{0, 1\}^{n-|v|}$. A similar construction, in a very different context, was used by Fiat and Naor [14] and later by Naor, Naor, and Lotspiech [24] to construct combinatorial broadcast encryption systems. The security proof for this GGM-based prefix constrained PRF is straightforward if the adversary commits to his challenge point ahead of time...

235 | Cryptosystems based on pairing
- Sakai, Ohgishi, et al.
- 2000
Citation Context ...f points {(x, w) : x ∈ X} (i.e. at all points where the right side is w). We show that such a constrained PRF can be used to construct an identity-based non-interactive key exchange (ID-NIKE) system [30, 13, 26, 15]. • Bit-fixing PRFs: Let $X = \{0, 1\}^n$ be the domain of the PRF. For a vector $v \in \{0, 1, ?\}^n$ let $S_v \subseteq X$ be the set of n-bit strings that match v at all the coordinates where v is not ’?’. We say tha...

221 | Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles. In: Cachin
- Boneh, Boyen
- 2004

197 | Collusion resistant broadcast encryption with short ciphertexts and private keys
- Boneh, Gentry, et al.
- 2005
Citation Context ... encryption. The length efficiency of a broadcast encryption system is measured in the length of the header hdr. The shorter the header the more efficient the system. Remarkably, some systems such as [6, 12, 11, 7, 29] achieve a fixed size header that depends only on the security parameter and is independent of the size of the recipient set S. As usual, we require that the system be correct, namely that for all sub...

180 | Number-theoretic constructions of efficient pseudo-random functions
- Naor, Reingold
- 1997
Citation Context ...We will present our construction in terms of three algorithms which include a setup algorithm F.setup in addition to F.constrain and F.eval. Our construction builds on the Naor-Reingold DDH-based PRF [25]. 4.1 Construction F.setup($1^\lambda$, $1^n$): The setup algorithm takes as input the security parameter λ and the bit length, n, of PRF inputs. The algorithm runs $G(1^\lambda, \kappa = n + 1)$ and outputs a sequence o...

156 | Candidate multilinear maps from ideal lattices
- Garg, Gentry, et al.
- 2013
Citation Context ... In the coming sections we present constructions for all the constrained PRFs discussed above as well as several others. Some of our constructions use bilinear maps while others require κ-linear maps [7, 16, 10] for κ > 2. It would be quite interesting and useful to develop constructions for these constrained PRFs from other assumptions such as Learning With Errors (LWE) [27]. This will give new key exchange...

141 | Toward Hierarchical Identity-Based Encryption
- Horwitz, Lynn
- 2002

103 | Applications of multilinear forms to cryptography
- Boneh, Silverberg
Citation Context ... In the coming sections we present constructions for all the constrained PRFs discussed above as well as several others. Some of our constructions use bilinear maps while others require κ-linear maps [7, 16, 10] for κ > 2. It would be quite interesting and useful to develop constructions for these constrained PRFs from other assumptions such as Learning With Errors (LWE) [27]. This will give new key exchange...

69 | Functional signatures and pseudorandom functions.
- Boyle, Goldwasser, et al.
- 2014
Citation Context ... time reduction. Related work. Concurrently with this paper, similar notions to constrained PRFs were recently proposed by Kiayias et al. [23] where they were called delegatable PRFs and Boyle et al. [8] where they were called functional PRFs. Both papers give constructions for prefix constraints discussed in Section 3.3. A related concept applied to digital signatures was explored by Bellare and Fuc...

56 | Practical multilinear maps over the integers
- Coron, Lepoint, et al.
Citation Context ... In the coming sections we present constructions for all the constrained PRFs discussed above as well as several others. Some of our constructions use bilinear maps while others require κ-linear maps [7, 16, 10] for κ > 2. It would be quite interesting and useful to develop constructions for these constrained PRFs from other assumptions such as Learning With Errors (LWE) [27]. This will give new key exchange...

56 | Attribute-based encryption for circuits from multilinear maps
- Garg, Gentry, et al.
Citation Context ... set for a key can be described by a polynomial size circuit. Our construction utilizes the structure used in a recent Attribute-Based Encryption scheme due to Garg, Gentry, Halevi, Sahai, and Waters [17]. We present our circuit construction for constrained PRFs in terms of three algorithms which include a setup algorithm F.setup in addition to F.constrain and F.eval. The setup algorithm will take an ...

55 | Delegatable pseudorandom functions and applications.
- Kiayias, Papadopoulos, et al.
- 2013
Citation Context ...constrained PRFs that are adaptively secure under a polynomial time reduction. Related work. Concurrently with this paper, similar notions to constrained PRFs were recently proposed by Kiayias et al. [23] where they were called delegatable PRFs and Boyle et al. [8] where they were called functional PRFs. Both papers give constructions for prefix constraints discussed in Section 3.3. A related concept ...

50 | Foundations of garbled circuits
- Bellare, Hoang, et al.
- 2012

48 | Fully Collusion Secure Dynamic Broadcast Encryption with Constant-Size Ciphertexts or Decryption Keys
- Delerablee, Paillier, et al.
- 2007
Citation Context ... encryption. The length efficiency of a broadcast encryption system is measured in the length of the header hdr. The shorter the header the more efficient the system. Remarkably, some systems such as [6, 12, 11, 7, 29] achieve a fixed size header that depends only on the security parameter and is independent of the size of the recipient set S. As usual, we require that the system be correct, namely that for all sub...

36 | Identity-based broadcast encryption with constant size ciphertexts and private keys
- Delerablee
- 2007
Citation Context ... encryption. The length efficiency of a broadcast encryption system is measured in the length of the header hdr. The shorter the header the more efficient the system. Remarkably, some systems such as [6, 12, 11, 7, 29] achieve a fixed size header that depends only on the security parameter and is independent of the size of the recipient set S. As usual, we require that the system be correct, namely that for all sub...

24 | Provably secure non-interactive key distribution based on pairings
- Dupont, Enge
- 2006
Citation Context ...f points {(x, w) : x ∈ X} (i.e. at all points where the right side is w). We show that such a constrained PRF can be used to construct an identity-based non-interactive key exchange (ID-NIKE) system [30, 13, 26, 15]. • Bit-fixing PRFs: Let $X = \{0, 1\}^n$ be the domain of the PRF. For a vector $v \in \{0, 1, ?\}^n$ let $S_v \subseteq X$ be the set of n-bit strings that match v at all the coordinates where v is not ’?’. We say tha...

18 | On the relations between noninteractive key distribution, identity-based encryption and trapdoor discrete log groups
- Paterson, Srinivasan
- 2009
Citation Context ...f points {(x, w) : x ∈ X} (i.e. at all points where the right side is w). We show that such a constrained PRF can be used to construct an identity-based non-interactive key exchange (ID-NIKE) system [30, 13, 26, 15]. • Bit-fixing PRFs: Let $X = \{0, 1\}^n$ be the domain of the PRF. For a vector $v \in \{0, 1, ?\}^n$ let $S_v \subseteq X$ be the set of n-bit strings that match v at all the coordinates where v is not ’?’. We say tha...

17 | Programmable hash functions in the multilinear setting
- Freire, Hofheinz, et al.

8 | Identity-based broadcast encryption, Cryptology ePrint Archive
- Sakai, Furukawa
- 2007

3 | Attribute-based authenticated key exchange
- Gorantla, Boyd, et al.
Citation Context ...lex policy (encoded as a circuit) can non-interactively set up a secret group key that they can then use for secure communications among group members. A related concept was studied by Gorantla et al. [20], but the schemes presented are interactive, analyzed in the generic group model, and only apply to policies represented as polynomial size formulas. In the coming sections we present constructions fo...

2 | Policy-based signatures, Cryptology ePrint Archive
- Bellare, Fuchsbauer
- 2013
Citation Context ...hey were called functional PRFs. Both papers give constructions for prefix constraints discussed in Section 3.3. A related concept applied to digital signatures was explored by Bellare and Fuchsbauer [1] where it was called policy-based signatures and by Boyle et al. [8] where it was called functional signatures. ¹ Secret-key broadcast encryption refers to the fact that the broadcaster’s key is known...