From Non-adaptive to Adaptive Pseudorandom Functions

Abstract: Unlike the standard notion of pseudorandom functions (PRF), a non-adaptive PRF is only required to be indistinguishable from a random function in the eyes of a non-adaptive distinguisher (i.e., one that prepares its oracle calls in advance). A recent line of research has studied the possibility of a direct construction of adaptive PRFs from non-adaptive ones, where direct means that the constructed adaptive PRF uses only few (ideally, constant number of) calls to the underlying non-adaptive PRF. Unfortunately,… Show more

“…We use this paradigm to present a new PRF domain extension method that requires just two calls to the original PRF, can withstand as many queries as the original domain size, and has a distinguishing probability that is exponentially small in the amount of non-cryptographic work. We also obtain a security-preserving reduction from non-adaptive to adaptive PRFs, an improvement upon the recent result of Berman and Haitner [7].…”

“…On the other hand, almost k-wise independent families 6 are only granted to be resistant against non-adaptive distinguishers. 7 Yet, the result presented in Section 3 yields that, in some cases, the adaptive security of the latter families follows from their non-adaptive security.…”

“…For some of our applications, see Sections 4 to 6, we need to apply Lemma 3.5 with efficient k-wise independent function family ensembles mapping strings of length n to the set [t(n)] {0,1} n , where t is an efficiently computable function. It is easy to see (cf., [7]) that such ensembles exist for any efficiently computable t that is a power of two. By considering t (n) = 2 log(t(n)) , we use these ensembles for our applications, while only causing factor of two loss in the resulting security.…”

“…These constructions, however, make (roughly) n calls to the underlying nonadaptive PRF (where n is the input length). Recently, Berman and Haitner [7] showed how to perform this security uplift at a much lower cost: the adaptive PRF makes only a single call to the non-adaptive PRF. Their construction, however, incurs a significant degradation in the security: assuming the underlying function is a non-adaptive t-PRF, then the resulting function is an (adaptive) O(t 1/3 )-PRF.…”

“…This approach was originally suggested in order to achieve "PRF domain extension" (using a short, e.g., fixed, input length PRF to get a variable-length PRF); more recently, it was used to transform non-adaptive PRFs into adaptive ones [7]. Such reductions, however, are vulnerable to the following "birthday attack": after |U| queries to the resulting PRF, where U is the hash function range, a collision (i.e., two distinct inputs having the same hash value) is very likely to occur.…”

Hardness Preserving Reductions via Cuckoo Hashing

“…We use this paradigm to present a new PRF domain extension method that requires just two calls to the original PRF, can withstand as many queries as the original domain size, and has a distinguishing probability that is exponentially small in the amount of non-cryptographic work. We also obtain a security-preserving reduction from non-adaptive to adaptive PRFs, an improvement upon the recent result of Berman and Haitner [7].…”

“…On the other hand, almost k-wise independent families 6 are only granted to be resistant against non-adaptive distinguishers. 7 Yet, the result presented in Section 3 yields that, in some cases, the adaptive security of the latter families follows from their non-adaptive security.…”

“…For some of our applications, see Sections 4 to 6, we need to apply Lemma 3.5 with efficient k-wise independent function family ensembles mapping strings of length n to the set [t(n)] {0,1} n , where t is an efficiently computable function. It is easy to see (cf., [7]) that such ensembles exist for any efficiently computable t that is a power of two. By considering t (n) = 2 log(t(n)) , we use these ensembles for our applications, while only causing factor of two loss in the resulting security.…”

“…These constructions, however, make (roughly) n calls to the underlying nonadaptive PRF (where n is the input length). Recently, Berman and Haitner [7] showed how to perform this security uplift at a much lower cost: the adaptive PRF makes only a single call to the non-adaptive PRF. Their construction, however, incurs a significant degradation in the security: assuming the underlying function is a non-adaptive t-PRF, then the resulting function is an (adaptive) O(t 1/3 )-PRF.…”

“…This approach was originally suggested in order to achieve "PRF domain extension" (using a short, e.g., fixed, input length PRF to get a variable-length PRF); more recently, it was used to transform non-adaptive PRFs into adaptive ones [7]. Such reductions, however, are vulnerable to the following "birthday attack": after |U| queries to the resulting PRF, where U is the hash function range, a collision (i.e., two distinct inputs having the same hash value) is very likely to occur.…”

Hardness Preserving Reductions via Cuckoo Hashing

Short Digital Signatures and ID-KEMs via Truncation Collision Resistance

On the Query Complexity of Constructing PRFs from Non-adaptive PRFs