 Thanks for the introduction. So in this in this talk, I'll present you a new framework to construct pseudo random functions And we were also interested in understanding how hard it actually is to construct PRF So this is this joint work from Nico Dötling from Aarhus University So this is the outline of the talk. I'll start with a little introduction Then I will talk for a while in the middle and then I will end at some point So as I said this talk is about pseudo random functions So PRF are one of the most fundamental building blocks in cryptography So the definition of PRF basically says You have an efficient distinguisher D that talks to a black box and this black box is either Initialized with a random function. So it's a truly random function or with a pseudo random one Depending on the random bit B that is chosen at the beginning of the game And the distinguish has basically to tell whether it's talking to the one or the other primitive PRF has many may have many many applications out there. The first one, of course, is private key encryption given in PRF we can convert it into a CPA secure scheme and if we add a Mac, we get a CCA secure one Another applications of PRF are our max of course and it's also widely used for de-randomization So our framework basically proceeds in three steps The first one is that we start with a given PRF that only works for small domain. So say for poly size domain And then we convert this the small domain PRF into something that we call the bounded PRF So PRF is bounded or we say it's a bounded PRF if the number of queries that the adversarial ask is bound in advance So you can basically think of a PRF as the computation on our analog work to to always independent functions And giving this bounded PRF we convert it then into a full-fledged PRF where we don't know the number of queries in advance and the very cool thing of our framework is that That that everything will be tied So the first technique that we're looking at is is a technique that we call domain extension and The second one is a technique that we call on the fly adaptation And as I said before going from from a small domain PRF to full-fledged PRF will be tight So tightness here means we don't lose anything. We don't have any loss in the security And our framework has several implications immediately the first one is For the bunjari pike and a rosin PRF if you apply this framework just directly to this PRF You will have a better PRF with the weaker security notion And if we use specific number of theoretic assumptions that hold in certain groups where where DDH or Kaylin is hard we actually get PRFs that are more efficient and and have a tighter proof of security based on DDH and Based on Kaylin. So this is what we would like to do Let's start with looking at the very famous at the famous tree construction of DGM And this is mainly base the basis for most of the PRFs that we know So the construction is well-known actually in an actually extremely elegant It basically converts a length doubling PRG into a PRF and the idea here is that the binary Presentation of the string that you then enter in the PRF defines the path through the tree So how does it work? We will also need it afterwards to understand where the security loss and most of the schemes is So basically it starts by expanding some string By basically doubling the length and that's the property of the PRG You're taking a random string you can double you can expand it in this case You double it and the output will be guaranteed to be pseudo random and this you and you then do recursively down to the tree So you take the left half again you expand it and get to end string and you do it on the right side again So to compute the PRF Basically the binary string defines the path then through the tree Which means if you would like to have the value of the PRF evaluated on zero you start on the top You basically go on the left side again and again The security proof of the scheme then basically involves two hybrids two hybrid arguments The first one goes over the layers of the tree and the second one over the number of queries So let's take a take a look at it So basically the first hybrid the first hybrid allows you to to go to the first layer and you substitute the outputs of The PRG by random value Right, so we are here and by the properties of the PRG it basically says that this modification here Here we have uniformly randomly chosen strings this modification does not change the success probability of the adversary And then you're going to the next layer you're replacing the pseudo random values again And again by the by the by the pseudo randomness of the PRG this modification does not introduce any significant Any significant loss So in summary the proof consists of two hybrid arguments the first one basically goes over the layers and here we have n steps And the second one goes over over the number of queries So in total what we have is n times q steps And this basically means that the security loss that we have there is also n times q So this basically means if you start with an adversary that has an advantage ADV What you have afterwards is a reduction with an advantage ADV over n times q and Our question was can we I mean is this is this basically inherent for the constructions that we know and If you look at the at the schemes that that are out there that we know from from number theoretic assumptions Most of them follow this blueprint So of course the first one now wrangled very elegant very beautiful follows this blueprint as well The lucre waters PRF turns this DDH based scheme into one that is based on Kaylin and follows the scheme as well the same holds for the boundary piker and Rosen PRF based on on LWE they're also very few exceptions one is based on on Surandham synthesizers, which is highly non and on tide and the Dolacian Palski PRF Basically is tied to a very specific number theoretic assumption And this was the motivation of our question of our work. Can we do it? Can we do it a little better? And our starting point is the bounded PRF. So we start from a from a PRF that has only a small domain and we want to convert it into a bounded PRF And the definition looks almost the same as as the one for the real PRF again We have an efficient distinguish ad that interacts with the black box This box either contains a pseudo random function or a real random function depending on a random bit B and It has to guess whether it's talking to a PRF or to the random function But now the difference is that there's an upper bound on the number of queries that you can evaluate this So you can really think of it as being a computational analog on to L wise independent functions Another property that we that we require from the bounded PRF that it can be computed very efficiently Namely logarithmic in the number of queries So how can we go from from from a domain from a PRF that only has a small domain to one that has a large domain? And here. There are also several previous work that I just want to want to show you briefly So our starting point is the small domain PRF and our goal is to get a bounded here F via domain extension So to be more concrete the small domain could be could be anything that has in polynomial input space And we want to have F a PRF with a large input space, but where the number of queries is a priori known And this is our idea for our extension technique It's very very very simple actually we start with the string of of a large domain and what we then do it We basically evaluated on N Universal has five functions Okay, so the universal hash function maps from the large domain to the small small domain and we then feed this input Into our small domain PRF's Okay, and in the end we take all of the inputs and it's all them together It's actually very very simple and let's think about why this could make sense Just an intuitive level of course for the full proof C. Please take a look at the paper But first of all what we can do we know the number of queries in advance So basically we can say okay We have Q queries and we can this is what we show that at least one of the queries will be Will be independent of the others and this means that there's an uncorrelated output that goes into a PRF The output of it will be pseudo-random and therefore the whole output will be pseudo-random as well But in order to make the proof there's a little subtlety at some point We have to go over the PRF and say well we need this property. So start replacing them by random function But if we do this step by step basically we replace the first one the second one until the last one Then we are again running into a hybrid argument and this is this this wouldn't wouldn't yield what we actually want So here again, we're using a very simple a simple trick at the idea is that we extending the domain of the small domain slightly So the small domain is the initial small domain is log l Where else the number of queries and we basically just encode which which on which a path We are and evaluate the PRF afterwards and then we can basically replace the whole thing in one step without running into another hybrid argument So now what we got is basically we started from a small domain PRF and only and we went to bounded PRF And now the next step is to go from the bounded PRF into full-fledged PRF So let me briefly motivate the problem One might one might say well you can always say that the adversary only asked an upper bound on the queries But the problem here is That that well once you use the PRF you have to fix this bound and once you go beyond this bound You just cannot say anything anymore security might be completely gone So now a technique we actually what what we would like to do and that's why we call it on the fly We can choose this value this upper bound on the PRF's on the fly So we have a fixed description on the function and once we're giving an adversary in the proof We can choose this value on the fly and argue that argue that the rain the rest remains then random and Again this this construction I think it's it's it's a it's very simple The idea is basically that we start with the sequence of bounded PRF's and we increase the size Well this upper bound and the number of queries exponentially So the first one only supports two to the one the second two to the two and so on Until the last one handles to to the lock to to the omega of lock and queries and Then we evaluate all of these functions with the input X We X or the output together and that's the final output of our full-fledged PRF And this is also why we need the underlying small domain PRF to be to be super easy to compute in order that the whole scheme remains computable and polynomial time So similar technique has been used in a totally different context by Berman and Heidern to go from non-adaptive PRS to adaptive PRF's I would like to very briefly give you a very high-level idea of the proof Well, the idea is basically that we can choose a certain value on the fly and this is what we are doing Once we're giving an adversary We can basically fix a certain function Replace it by an L-wise independent hash function and of course then the argue is argument is since this since this adversary doesn't go beyond this barrier The the output will remain pseudo random But in this picture you already can see that the that the technique has a certain overhead, right? So basically if you see on the left then these functions are basically Subsumed by the other ones and if you look on the right then you also see that For the security proof in order to to work. I mean they are not necessary anymore, right? We already have substituted this element by random function. So everything what is coming there for this specific adversary that we don't need So our question was well if we if we stick to specific number theoretic assumptions Can we do a little bit better? Can we avoid? Can we avoid this and what we will see if we look at groups? Where DDH is hard then essentially we can avoid the first the first part. So let's take a look at it We I'll I'll just explain the construction based on DDH and and giving this construction You can easily derive the run from Kalin, but it's also written written in the paper So our starting point is the very beautiful now wrangled PRF and since the security reduction depends on On the input space, which means if you have a large input space you have a larger security loss We're using this building block on a small domain So how does now wrangled work? Well the key of the now wrangled PRF Consists of an elements a as 0 to s1 or from zp and what you do is you basically compute this value here So you raise g to the a and depending depending on the input on the binary input of x You choose the value as j So you can basically think of it as a tree where SRR the nodes depending on the path of the tree The the bit basically selects which value is chosen here So this is our starting point The first step is to convert this one into a bounded PRF and this is how our bounded PRF actually looks like So now our input domain are not binary small binary strings anymore, but our input points are our elements from zp and We basically compute Almost the same but now the product is over sj plus x to the 2 to the j and remember here L is the upper bound on the number of queries that the adversary is allowed to ask So first I would like to convince you that this indeed tightly reduces to now wrangled So why is that? Well, we are taking our our Bounded PRF and what we are doing is we are expanding the exponent So basically if you just look at the exponent that is computed as this you basically can also read write it at this So it's basically the sum over over c where here the product is computed again over From j zero to log L minus one of sj one minus cj and so on So if you look at this very closely for a second then then you will see that that here here That's actually an old friend of us. That's now wrangled PRF embedded the exponent embedded into it Okay, but now it's not for for for the value c, but it's the it's the inversion. So it's the inversion of c So let's change this a little bit and say we are running this part for all J zero to two to the L minus one and We are setting C as the binary bit result presentation of J Then we essentially compute the same the same function as follows Basically what we're doing here is exactly what we did before the sum now runs from two to the log L minus one and here inside Yes, the now wrangled PRF based on the inversion of the binary presentation of J So what we can do do that in the proof is basically substitute this thing by By random function and then what we get here is essentially an L wise independent function So that's the idea why our PRF tightly reduces to to now wrangled And now the cool thing is what I promised before we would like to have an on-the-fly adaptation technique that is more efficient And if you look what we what we get is is the following at this point I'm glad that I wrote it I would like to mention that the observation that this function can be computed in log L was previously observed by Navas-Ginarian values for the now wrangled PRF and by Dario and Ginaro for the Luka waters PRF So the last step that we have to take is we basically have to go from the bounded from the bounded PRF into the full-fledged PRF and The only thing that we do is we change We change the product here. We are not running. We are not running to two to the log L minus one But we are now running to a value that is slightly Slightly super logarithmic and why is the secure and the high-level ID here is that we can just take this PRF and slice it into pieces and Basically similar we did and on the fly adaptation technique before we are substituting a very specific bound By our by our bounded PRF basically the one that is slightly bigger than than the number of Of course the address for you to take and then you can see that essentially embedded into the PRF Is our bounded PRF that just runs to log L minus one? And what the main part of the proof basically is is to show is that you basically in order to break the security You have to guess the value here and this happens only with negligible probability So basically to to conclude this talk I would like to to summary what we have seen and I would like to compare our construction With previous schemes First of all I've shown a generic transformation where you start from a small domain PRF You convert it generically into bounded PRF that can efficiently be computed and then you further go into into a full-fledged PRF and If you just take this generic scheme and you apply it to the to the to the PRF based on the LW You already get a better PRF But if you can use specific number theoretic properties the algebraic properties in these group then we can actually improve known schemes So the famous now wrangled scheme Basically the key size is linear and the security loss is linear in the input space In contrast our construction is more more compact That basically the key size is only logarithmic and the proof Well, and then the security loss that we have with our proof only loses a logarithmic factor in the factor in the number of queries Computation-wise is there. They're almost the same. It's it's really just a negligible fraction unfortunately But you can see the full power of reducing it if you look into into the kaolin setting Here we can see that the LW PRF Well the computation consists of n-metrics multiplications and one exponentiation The key size is linear and the security loss as well In contrast our construction only needs a logarithmic many multiplications and an explanation and The key size is just logarithmic and the security loss as well And I would like to thank you for your attention I hope you you cite our paper and I'm happy to take questions and make a few advertisements for other works. Thank you