 Sam will give the talk, yeah. All right, so hi everyone, I'm Sam, and I'll be talking about private puncturable PRFs today. So there's a joint work with Dan Bonet and Harp Montgomery. Okay, so let me start off the talk by recalling the notion of pseudo-random functions. So pseudo-random functions or PRFs are very basic building blocks in cryptography. So it's just a key function with some associated domain and range such that the following two distributions are indistinguishable. Okay, so in the first distribution, an adversary makes a number of adaptive evaluation queries to the challenger, and the challenger answers the adversary by evaluating the real of PRF function f to each of the adversary's queries. In the second distribution, an adversary makes a number of adaptive evaluation queries, and this time the challenger evaluates a truly random function to each of the adversary's queries. Okay, and PRF security states that these two distributions are indistinguishable. All right, so recently, three independent works, Bonet Waters 13, Boilat et al. 13, and Kayes et al. 13, introduced this notion of constrained PRFs. So constrained PRFs are just like regular PRFs, but they have an additional functionality. They have an additional algorithm called the constraint algorithm. And so what is this constraint algorithm? It basically takes in a regular PRF key k and also a constraint function or a constraint predicate f and generates another PRF key that we know the case of f and we call a constraint key. And this constraint key can be used to evaluate the PRF at all points x in the domain where f of x equals to one. Okay, so it's basically taking a regular PRF key k that can be used to evaluate the PRF at all points in the domain and it's generating a more restricted key that can only evaluate the PRF at only a subset of the domain. All right, so for correctness, we require that the PRF evaluation using the constraint key at points x where f of x equals to one, this should yield the correct PRF, the real PRF evaluation at x. And for security, we require that the PRF evaluation at points x where f of x equals to zero. So this should look indistinguishable for random to an adversary who is given the constraint key. Right, so constrained PRFs are very useful on ocean syncryptography. It has many applications. So for instance, it can be used to construct the identity-based key exchange. It gives rise to optimal broadcast encryption schemes and so on. So for this talk, I'll be talking about a special family of constrained PRFs called puncturable PRFs. And in particular, these family of constrained PRFs have been used quite widely in the punctured programming paradigm of the high-end waters for constructing schemes from indistinguishability obfuscation. All right, so since I'll be talking about puncturable PRFs, let's find these a little bit more specifically. So these are just constrained PRFs where we restrict family of constrained functions to just be point functions or complement of point functions. So a constrained function is defined with respect to a single point in the domain, C in this case. So the constrained function on input x evaluates to one on inputs that are not equal to C and evaluates to zero on inputs that are equal to C. So all this is basically saying is with the puncture key, you can evaluate the PRF at all points except for at the puncture point, except for at the single point. So it turns out that puncturable PRFs can be constructed from standard GGM tree-based construction in a pretty straightforward way. But one thing to note about this construction is that the puncture key must necessarily contain information about the actual puncture point C. Okay, so a natural question that we can actually ask is can we construct a puncturable PRF where the puncture key does not leak any information about the underlying puncture point C? And so more generally, this is, we can ask the question of can we build a constrained PRF where the constrained key does not leak any information about the associated constrained function F? And this is the question that Bonnet et al asked recently. And so how do we actually formalize this notion? So it's pretty simple, right? So we can define it in terms of security game where an adversary first commits to a pair of functions, F0 and F1. These are constrained functions. And in the first game, the challenger generates a constrained key with respect to the function F0. And in the second game, the challenger generates a constrained key with respect to the function F1. Okay, and privacy requirement states that these two distributions should be in this emotional, all right? So for this talk, I'll be focusing mainly on private puncturable PRFs. For in the next talk, you'll hear from Yolei about more general privately constrained PRFs for more general circuit constraints. All right, so okay, so for this talk, we'll be focusing on private puncturing. So this is basically puncturable PRF that satisfies these three properties. So for correctness, we require that if you evaluate the PRF using the punctured key, then this should yield the correct PRF output at all points, X that's not equal to function point C. And it should satisfy sort of randomness. So the PRF evaluation at punctured point should be, can everybody hear me? Sorry about that. Okay, so for sort of randomness, we require that PRF evaluation at the punctured point should look indistinguishable for random to an adversary who is given the punctured key. Yeah, so for privacy, we require that the punctured key to not leak any information about the punctured point C. So what does this privacy give us? So why is this an interesting notion? So there are a number of applications. So many of them are highlighted in the original paper, the BLW paper that introduced the notion. So for this talk, I'll just talk about one particular application. And this is for, this is application to private keyword search in distributed database. So one way of viewing private puncturable PRFs is as an advanced form of distributed point functions. Okay, so distributed point functions or DPFs is a notion that was introduced by Gilbo and Asha in 2014. And the idea is the following, right? So you start off with a point function, P sub C, okay? And we basically secret share this function into two distributed point functions, F zero and F one. So let me put a tilde there just to distinguish it from the PRF. And these two functions have the property that if you evaluate each of these functions separately on an input X and basically sum up the result together, then you should basically get a point function, okay? So on input X that is equal to C. If you sum them up, then you should get a non-zero value. And if you, for inputs that are not equal to C, if you sum them up, then you should basically get zero, right? So you can actually instantiate distributed point functions using private puncturing by defining the first function to just be the regular PRF evaluation function using the regular PRF key K. And you just define the second function to be the PRF evaluation using the puncture key. Okay, and by PRF by correctness of our construction, if you evaluate the first and the second functions separately and just, and I guess in this case, subtract the result, then you should get a non-zero value for inputs X that are equal to C and you should get zero for inputs that are not equal to C. Oh, and I forgot to mention the private security requirement that the security requirement for distributed point functions is that for an adversary who is given only one of the two functions, then the adversary should not learn any information about the underlying point C, right? So one difference between a DPF and a private puncturable PRF is the following, right? So for distributed point function as set up, or once the point function is set, you come up with these two functions, F0 and F1 simultaneously. So you have to generate them together. But for private puncturable PRF, you have this sort of adaptive property where even before, in the offline phase, even before you commit to the point function C, to the point C, you can actually just instantiate the first function by generating just a regular PRF key key. Okay, and at a later point in time, once you decide on the point C, then you can actually instantiate the second function by generating the puncture key. Okay, and this leads to a number of applications. So one application of distributed point functions is in the setting of distributed database in private keyword search. So in this setting, we have two servers holding a database of our keywords. So W1 all the way to WN. And we have a user who wants to check whether a particular keyword is contained in the database. Okay, so W sub j. And the user wants to check whether keyword is contained in the database without revealing what the keyword W sub j is to each of the servers. So one way of doing this is to define a point function with respect to the keyword W sub j, and basically generate two distributed point functions, F0 and F1 with respect to this point function. Okay, and basically sends these two functions to the servers, and the server evaluates these functions to each of the keywords in the database, sums them up, and basically sends them back to the user. And the user can just add these two results up. And if the result is non-zero, then it knows that the keyword W sub j is contained in the database. And if the result is zero, then it knows that the keyword is not contained in the database. All right. And the privacy property of DPFs guarantees that each of the servers do not learn information about the keyword W sub j. Right, so using private punctual PRFs, you can actually emulate this protocol, but this offline, online property of private punctual PRFs translates to the setting. Okay, so in the setting, the user can just, even before knowing which keyword to search the database, it can just generate a real PRF key and just sends it to one of the servers. And the server, to a single server, and the server can follow the protocol by applying the PRF on each of the keywords and just sum the results and sends them back. And the server can actually just go offline. It does not get involved in the protocol. Okay, and at a later point in time when the user wants to query the database on a particular keyword, then the user can just generate a punctual key with respect to the keyword W sub j and just sends it to the other server. Okay, right, and the other server basically just follows the protocol by applying the function to each of the keywords and just summing up the result. Okay, so this has a property that the user actually just has to interact with one of the server, and one of the servers can actually just be offline. All right, so let's talk about one of the constructions. So punctual PRFs prior to this work had a very extreme state of affairs. So to actually get public puncturing, you just require one-way functions using the GGM tree-based construction. To actually get private puncturing, you actually had to go all the way to multi-layer maps or IO. So this construction is due to the original BLW paper. And this work basically, we basically push the minimum assumption that's required for private puncturing to just be LWE. It's just we just constructed from lattices. Okay, and of course the natural open problem is can we actually move it even further? So since we can get public puncturing from one-way functions, there isn't really a reason why we can't get private puncturing from one-way functions. And I think this is a really nice open problem that I just wanted to mention. All right, so let me just give a quick overview of what we do in a construction. So we just work with learning with errors. So for a uniformly generated matrix A and a randomly sampled vector S and E from some low-norm error distribution, LWE just says that the following two distributions are indistinguishable. So in the first distribution, the adversary gets the public matrix A and also this noisy vector matrix product S times A plus E. And in the second distribution, the adversary gets the public matrix A and also this time a uniformly sampled vector U. And LWE just states that these two distributions are indistinguishable. All right, so the basic technique that we just used is this matrix circuit encodings that was first used by Bonnet et al in 2014 in the setting of attribute-based encryption. So this is just an encoding scheme. So you start off, okay, so you have encoding scheme for scalar elements, serving elements or field elements. So to encode an element X of I with respect to a public LWE matrix A sub I, then you just compute this vector S times AI plus Xi times G, where G is this public gadget matrix and you just add some noise to it. And the benefit of encoding and encoding elements this way is that it allows for homomorphic operations on the encodings. And in particular, for a circuit F, we can just homomorphically derive the encoding of the value F of X with respect to the public matrix A sub F. And a nice property of this homomorphic operations is that we have an analogous homomorphic operation on the public matrices, A1 through AL, and we can, and to derive the matrix A sub F. And this public matrix homomorphic operation does not require any information about the underlying encoded values or the encodings. All right, so in particular, if you actually encode our puncture point, the string C of length N, and using this encoding, then we can actually just compute the equality check circuit with a PRF input X hardcoded inside the circuit and get an encoding of the result of the equality check circuit on the puncture point. Okay, in particular, this equality check circuit will output zero if X and C are different and it will evaluate to one if X and C are equal. And the basic idea of our PRF is to just define our puncture key to be these encodings of the puncture point C. Okay, and if we actually define our PRF to be what looks like an elderly sample with respect to the matrix A sub X, so we define our PRF to be S transpose A sub X plus E and then using the puncture key, you can actually just derive the PRF output by running the equality check circuit on the encodings. And so since PRF have to be a determinist function, we basically, instead of adding noise, we just round the result. And it turns out with some small modifications, we can actually prove this PRF to be secure. And this is actually a special case of constraint PRF construction due to Berkersky and by Kuntanathan. And this actually leads to a public puncturable PRF. And the reason why this is public is because to operate on these encodings homomorphically, you actually have to know the information, you actually have to know what the underlying encoded values are. Okay, so to actually get private puncturing, we borrow the ideas from the predicate encryption constructions of Gorbner-Fettel. So before we encoded in this encoding, we just encrypted using a fully homomorphic encryption scheme. And then we just encoded. Yep, and then we basically just compute the equality check circuit inside the FHG homomorphic operations. Right, so a problem with this approach is that the quality, at the end of the day, after you finish the quality check circuit, the result of the quality check is encoded inside the FHG encryption. Okay, so there must be a way to actually extract this information. And we resolve this by just publish, just including as in the puncture key, the encodings of FHG decryption key. And we use the fact that to actually multiply, for these homomorphic operations, to actually multiply two encodings, you actually need just one of the encodings to one of the encoded values and not the other. And this allows us to compute inner products of the FHG, of the encryption of the quality check circuit and the FHG secret key. And we use the property that for FHG decryption is a noisy inner product. And there's some technicalities here that we have to actually take care of the noise that comes out of the FHG decryption. And for this, due to time constraints, I will not be able to actually talk about this. So I'll just refer to the paper. And to conclude, so I want to mention a concurrent work by Kanedi and Chen. So I think you'll hear from Yole in a second in the next talk. So the techniques are actually quite different. So they use instances of GGH-15 multilayer maps that are still reducible to LWE. So we use techniques from attributes encryption and predicate encryption. So I also want to mention some extensions. So we were able to extend these techniques that are used in this work to get watermarkable PRFs from LWE. And this was only previously known from obfuscation. So you'll hear more about this in the run session tomorrow. And so let me just conclude with some open problems. So I guess a nice open problem, like I mentioned, is can we actually get private punctual PRFs from other assumptions like the DH pairings or just even more functions? So are there other applications of privacy in constraint PRFs? And also, so I wasn't able to talk about the new techniques for this talk, but can we actually apply the techniques in this work to the setting of predicate encryption, for instance? I think that these are very nice open problems. Okay, and with that, I will conclude. Okay, so are there any questions? Are private punctual PRFs known to imply anything stronger than one way functions like OT or PKE? Yeah, so for actually constraint PRFs for two keys actually implies IO, but for punctual PRFs, you can actually just publish only a single key, right? So if you actually publish two punctured keys, then you can evaluate the PRF on all points. So you can't actually have a well-defined notion of security in that notion. So does that answer your... No, the question is if the existence of private punctual PRFs is known to imply anything beyond one way functions? Oh, no, I don't think it's not really known, yeah. So the template you described didn't seem to use anything very special about equality. Can you say a little bit about why you would like, you know, restricts you to point puncturing rather than general functions? Well, so yeah, so I was hiding all the details under the rug, but first we weren't able to get the parameters to work out, so the parameters are kind of becomes circular, so we couldn't find the parameter that worked out. And so to actually get, and we thought it was quite, so since we can only publish a single key anyway, so we thought actually private puncturing is actually more natural, so yeah. So did you look at PRFs that have unbounded inputs on to achieve this private puncturing? It seems that these techniques do not extend naturally to unbounded input, right? Because they reveal the size of the input. Right, right, so for punctual PRFs, you actually need the puncture point to be fixed because we need the puncture key to be finite. So the techniques used in this work does not, I'm not sure if it's even well-defined from unbounded inputs. I mean, in the challenge experiment, if I give you two X's of varying length, then depending on the size of the key that I get, I can distinguish easily because the size of the key would be kind of linear in the size of the input. So the PRF has to be a fixed input, no? Right, right, right, yes, I think we're right here, right? Yeah, okay, thanks.