All right, so hello everyone, my name is Sam Kim, and I'll be presenting key-homomorphic pseudorandom functions from LWE with a small modulus. So the topic of this talk is pseudorandom functions, so let's begin by discussing what these are. We're all probably familiar with this concept already: a pseudorandom function, or PRF, is an efficiently computable deterministic function that has some associated key space, input space, and output space. We say that a pseudorandom function is secure if no efficient adversary can distinguish oracle access to the PRF under a randomly chosen key from oracle access to a truly random function. Pseudorandom functions are very useful objects in cryptography; they are of course very fundamental objects in symmetric cryptography and can be used for symmetric encryption or MACs. Even beyond symmetric crypto, they are often incorporated into many cryptographic constructions and protocols. When we need to generate random bits, for instance, PRFs are very useful, and when we want to de-randomize a randomized algorithm, PRFs are also very useful in these settings. And so due to these useful properties, pseudorandom functions are widely studied in the literature today.

In terms of constructions, block ciphers such as AES are generally modeled as PRFs for analysis. We can also construct provably secure PRFs from specific algebraic assumptions. By the classical result of Goldreich, Goldwasser, and Micali, we know how to construct PRFs from any one-way function. We also know how to construct PRFs from the DDH assumption by the result of Naor and Reingold from 1997, and we know how to construct PRFs from the learning with errors assumption, or LWE, by the result of Banerjee, Peikert, and Rosen from 2012. In this talk, we will focus on lattice-based PRFs. So in the world of lattices, there are two main families of PRF constructions. First, there are constructions that follow the GGM construction with a lattice-based one-way function, so one-way functions based on hard problems like SIS or LWE. These constructions are very simple and quite elegant, which is a big plus. At the same time though, these constructions are not the most concretely efficient, and they also require evaluation circuits that are inherently sequential. This means that even if we had dedicated hardware devices for evaluating these PRFs, hardware acceleration would be somewhat limited, which is not ideal for objects like PRFs that are so fundamental. The other family of PRF constructions from lattices are direct constructions from LWE. These PRFs generally have better concrete efficiency compared to PRFs that follow generically from one-way functions, and they also have shallow evaluation circuits. Even more, they have useful algebraic structure like key homomorphism, which has a number of nice applications.

So since one of the results in this work is about key-homomorphic PRFs, let me define them in a little bit more detail. The concept of key-homomorphic PRFs was introduced by Naor et al. in 1999 and was formalized by Boneh et al. in 2013. We say that a PRF is key homomorphic if it satisfies the following properties. First, we require that the key space and the output space form groups. The key space and the output space don't necessarily have to be the same group, but let me just denote the group operations with addition for this talk.
So then we require that for any two keys, k1 and k2, if we evaluate the PRF on the sum of these keys, then this is equal to the sum of the PRF evaluations on each of these keys on the same input. Key-homomorphic PRFs have many useful applications: they give rise to updatable encryption, proxy re-encryption, distributed PRFs, and many others. So from LWE, we can directly construct pseudorandom functions that are efficient, have shallow evaluation circuits, and have useful algebraic structure like key homomorphism, which is very nice. However, all the existing constructions of PRFs in this family have one downside to them: they all rely on LWE where the size of the modulus must be super-polynomially big with respect to the security parameter.

To explain the issue with the modulus, let me recall the LWE assumption. The LWE problem is parameterized by three parameters: the dimension n, the modulus q, and a noise distribution that is usually denoted by chi. In the LWE problem, our goal is to distinguish the following two distributions. In the first distribution, we're given a set of uniformly sampled vectors a1 through am in Z_q^n, along with their noisy inner products with a uniformly sampled LWE secret vector s. In the second distribution, we're provided with a set of uniformly sampled vectors a1 through am and just uniformly random elements in Z_q. The LWE assumption states that these two distributions are computationally indistinguishable. Generally, for most applications that rely on the LWE assumption, including PRFs, it is always better to set the modulus q to be as small as possible. So we always want q to be small. The first reason for this is related to efficiency: applications that rely on LWE generally operate over the ring Z_q, so as q gets bigger, the keys in these applications also become bigger, and the operations also become slower. The second reason is related to the quality of the LWE assumption. Generally, the hardness of the LWE problem is related to what is called the noise-to-modulus ratio: the greater the size of the modulus is compared to the size of the errors, the easier the LWE problem becomes. So we want to set q to be as small as possible to base our security on the hardest variant of the LWE assumption.

So all non-GGM-based lattice PRFs rely on LWE with a modulus q that must scale super-polynomially in the security parameter. A natural open problem in this area has been whether we can construct an LWE-based PRF that relies on a polynomial-sized modulus q. And this problem has actually been a big open problem in this area for quite a while, ever since the first direct LWE-based PRF construction of Banerjee, Peikert, and Rosen from 2012. Given the fact that we know how to construct seemingly more powerful primitives, like fully homomorphic encryption or attribute-based encryption, from LWE with only a polynomial-sized modulus q, this state of affairs, that we cannot construct PRFs using a polynomial-sized modulus q, has been even more puzzling.

So let me summarize the main results of this work. We provide two new PRF constructions that rely on a polynomial-sized modulus q. In the first construction, we focus on building a low-depth PRF: we construct a new PRF that can be evaluated by circuits in NC2 and works over a polynomial-sized modulus q. In our second PRF construction, we focus on key homomorphism.
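For reference, the key-homomorphism property just mentioned, with the group operations written additively as above, is simply:

$$F(k_1 + k_2,\, x) \;=\; F(k_1, x) + F(k_2, x) \qquad \text{for all keys } k_1, k_2 \text{ and all inputs } x.$$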
So we build a PRF that has a high-depth evaluation circuit but is key homomorphic and works over a polynomial-sized q. Both of our constructions can be extended to the ring setting as well for better efficiency, so the security of these constructions can be based on ring LWE as opposed to LWE. And I think the most interesting part of this work is actually not the final result of our paper but the technique that we use. Both of our PRF constructions use a technique called chaining, which I will talk about later on in the talk, and I think chaining can have more applications even beyond the context of PRFs. So in the remainder of the talk, let me give an overview of our PRF constructions and explain what this chaining technique is.

But before I get started, let me briefly comment on the limitation of our first PRF construction, the low-depth PRF that we construct. In order to prove that our construction is secure, we provide a reduction from LWE: any adversary that can break our PRF can be translated into an attacker that breaks the LWE assumption. However, the success probability of our reduction will be quite low; it will be barely noticeable when the modulus q is set to be a polynomial in the security parameter. More precisely, what we get is basically a trade-off between the loss in our security reduction and the size of the modulus q: the bigger q is, the smaller the reduction loss becomes. So asymptotically speaking, the parameter settings that we achieve for our first PRF construction are not much better than any GGM-based LWE PRF, but when we consider the concrete efficiency of our PRF, it will be much better than a GGM-based PRF. I will refer to our paper for the full discussion on this issue with the reduction loss, and let me move on to giving an overview of our PRF constructions.

All right, the main intermediate abstraction that we're going to use to construct our PRF is a special family of pseudorandom generators called pseudorandom synthesizers, which is a concept that was introduced by Naor and Reingold in 1995. A pseudorandom synthesizer, which we will denote by S in this talk, is a deterministic two-input function that takes in a pair of elements from some domain D and outputs a single element in the same domain. One can think of this as a compressing function that compresses two elements into just a single element. We say that a pseudorandom synthesizer is secure if, for any polynomial m, if we sample 2m uniformly random elements a1 through am and b1 through bm and apply the synthesizer to each pair of ai's and bi's, then the result is computationally indistinguishable from m-squared independent uniformly random elements in the same domain. So a pseudorandom synthesizer is basically a PRG that allows us to take 2m elements in the domain as a seed and expand them into m-squared elements in the domain.

All right, so Naor and Reingold showed that if you have a secure pseudorandom synthesizer, then we can construct a low-depth PRF as follows. Suppose that we want to construct an n-bit PRF where n is a power of two. Then the PRF key is going to consist of 2n random elements from the domain of the synthesizer, and let's denote these elements as a_{1,0} all the way through a_{n,0}, and then a_{1,1} all the way through a_{n,1}, okay? Then we're going to define the PRF evaluation on an input x using a tree structure as follows.
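As a preview of the walkthrough that follows, here is the same tree evaluation written as a formula for a four-bit input x = x_1 x_2 x_3 x_4:

$$F\big(\{a_{i,b}\},\, x\big) \;=\; S\Big(\, S\big(a_{1,x_1},\, a_{2,x_2}\big),\; S\big(a_{3,x_3},\, a_{4,x_4}\big) \,\Big).$$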
So each leaf of the tree is going to be associated with the pair of elements in our key that corresponds to that bit of the PRF input. The first leaf position is going to be associated with a_{1,0} and a_{1,1}, the second leaf position will be associated with a_{2,0} and a_{2,1}, and so on, okay? Then, to evaluate the PRF on a specific input x, we will take either a_{1,0} or a_{1,1} depending on the first bit of our input, we will take either a_{2,0} or a_{2,1} depending on the second bit of our input, and so on, and then we will apply the synthesizer to each pair of these elements one by one, okay? So at each level of the tree, we're basically compressing the number of elements by half, and eventually we land on a single element in the domain, which is going to be our final PRF output.

We can argue about the security of this PRF recursively. It can be readily checked that at level one of the tree, each synthesizer is basically a secure two-bit PRF, simply by the definition of a secure synthesizer. So in this example, the left synthesizer is a secure two-bit PRF and the right synthesizer is a secure two-bit PRF, and this means that if you apply the synthesizer to the combined outputs of these two synthesizers, then the result is indistinguishable from the output of a secure four-bit PRF. We can continue this argument to show that the entire construction is a secure PRF.

So in order to construct a synthesizer from the LWE assumption, we must figure out a way of generating errors in some deterministic fashion. The work of Banerjee, Peikert, and Rosen from 2012 showed a way to do this in an elegant way. Instead of adding noise to the product of vectors or matrices A times S, we will instead map the result into some small subsets, or buckets, of Z_q. So here's a picture with Z mod 24 as an example. If the inner product of A and S lands in this blue subset, then we're going to assign the value zero to the inner product; if it lands in this green subset, then we're going to assign the value one to the inner product, and so on; if it lands in the red, then we're going to assign the value two. So this way, we're rounding a value in Z mod 24 to its assigned partition of the space, which we represent by an element of Z mod 3 in this example, okay? In algebraic form, we denote this operation with the rounding notation, so we're basically mapping elements in Z_q to elements in Z mod p. Intuitively, when we add some noise to the inner product of A and S, we're basically masking the lower bits of the result with this noise, and what rounding is doing here is just completely removing the lower bits from the result. So intuitively, this rounding and this adding of noise have basically the same effect of completely masking the lower bits from an adversary.

Given this intuition, Banerjee et al. introduced a new computational assumption called the learning with rounding assumption, which is parameterized by n and q as in LWE, but instead of the noise distribution, it has an associated rounding modulus p. The LWR assumption states that for uniformly random public matrices A1 through Am and a secret matrix S, the roundings of the matrix products Ai times S, where we apply the rounding operation component-wise, are computationally indistinguishable from the roundings of uniformly random matrices. So using the LWR assumption, it is now straightforward to construct a natural synthesizer that takes in two matrices A and S, multiplies these two matrices, and then rounds the result down.
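To make the last two pieces concrete, here is a minimal Python/numpy sketch of the rounding operation, the LWR-based synthesizer, and the Naor-Reingold tree evaluation on top of it. The parameters are toy values chosen only for illustration (they echo the q = 24, p = 3 slide example and are nowhere near secure), and the `lift` helper is a hypothetical stand-in for the domain-mismatch fix that the talk defers to the paper.

```python
import numpy as np

n, q, p = 8, 24, 3   # toy dimension and moduli (q = 24 and p = 3, echoing the slide example)

def round_q_to_p(M):
    """Component-wise rounding from Z_q down to Z_p: x -> round(x * p / q) mod p."""
    return np.rint(M * p / q).astype(np.int64) % p

def synth(A, S):
    """LWR-style synthesizer: multiply over Z_q, then round the product down to Z_p."""
    return round_q_to_p((A @ S) % q)

def lift(M):
    """Hypothetical fix for the domain mismatch mentioned in the talk:
    re-embed a Z_p matrix into Z_q by scaling (not the paper's actual fix)."""
    return (M * (q // p)) % q

def nr_prf(key, x_bits):
    """Naor-Reingold style tree evaluation on top of the synthesizer.
    Assumes the number of input bits is a power of two, as in the talk."""
    level = [key[(i, b)] for i, b in enumerate(x_bits)]   # pick a_{i, x_i} for each input bit
    while len(level) > 1:
        level = [synth(level[2 * i], level[2 * i + 1])    # compress pairs, halving the count
                 for i in range(len(level) // 2)]
        if len(level) > 1:                                # synthesizer outputs live over Z_p,
            level = [lift(M) for M in level]              # so re-embed before the next level
    return level[0]                                       # final PRF output over Z_p

# Example: a 4-bit PRF whose key consists of 2 * 4 random matrices over Z_q.
rng = np.random.default_rng(0)
key = {(i, b): rng.integers(0, q, size=(n, n)) for i in range(4) for b in (0, 1)}
print(nr_prf(key, [1, 0, 1, 1]))
```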
So it is straightforward to show that this synthesizer is indeed secure under the LWR assumption. And here the synthesizer only consists of a matrix multiplication and a rounding operation, so the synthesizer can be computed by a low-depth circuit. There is a slight technicality here with the domain of the synthesizer: the synthesizer takes in square matrices over Z_q and maps them into square matrices over Z_p, so the domain of the synthesizer and the range of the synthesizer are actually different. But this is really a minor technicality that can be fixed in a number of ways, and I will just refer to the paper for more details on how we can actually do that.

All right, so we now know that, number one, a secure pseudorandom synthesizer gives us a low-depth PRF construction, and number two, the LWR assumption gives us a secure pseudorandom synthesizer. So the remaining question is whether the LWR assumption can be shown to hold assuming that the LWE assumption holds. Banerjee et al. showed that this is indeed the case via a hybrid argument. We want to show that, given uniformly random matrices Ai and the rounded matrix products of the Ai's and S, the resulting distribution is computationally indistinguishable from a bunch of uniformly random matrices. As an intermediate hybrid distribution, we're going to introduce a distribution that provides the products of the Ai's with S, but with both noise and rounding applied: it provides Ai times S plus some noise, with the result then rounded. If the modulus q is sufficiently greater than the rounding modulus p, then with overwhelming probability, we can show that the added noise goes away with the rounding. The intuition is that if you round away enough of the low-order bits of the output, then some small noise in those low-order bits does not really impact the final outcome. So these two distributions are statistically indistinguishable. Once we have this statistical indistinguishability, we can show that the hybrid distribution is computationally indistinguishable from the uniform distribution; this follows immediately from the LWE assumption. And this is how we basically show that the LWR assumption holds as long as the LWE assumption holds.

However, the apparent limitation of this reduction is the requirement that the modulus q must be much greater than the rounding modulus p. Roughly speaking, we can show that for uniformly random matrices A and S, the probability that the rounding of A times S differs from the rounding of A times S plus some noise E is roughly p over q multiplied by the size of the noise E. This means that even if we set the noise and the value of p to be very, very small, q has to be super-polynomially greater than these values for the two roundings to coincide with overwhelming probability.

So this is where our new idea of chaining comes in. As a thought experiment, let's modify the LWE distribution in some funny way. This distribution is going to be defined with respect to some positive integer tau, which we will call the chaining parameter. We're also going to make use of an explicit error sampler, or Gaussian sampler, that takes in a uniform seed r and deterministically produces a noise matrix E. Then we're going to define an oracle that we will refer to as the hybrid oracle as follows. The hybrid oracle will take in a uniformly random square matrix A and a set of uniformly random square matrices S1 through S_tau. Then it will produce the following distribution.
So first, it will sample a noise matrix E1 from the noise distribution and then compute the matrix A times S1 plus E1, as in an LWE sample. Then it will round the result down and feed it into the error sampler to generate the noise for the next iteration of the chain, E2. Next, it will move on to compute the next iteration of the chain: it will compute A times S2 plus E2, round the result down, and use the result as the seed to generate the error E3 for the next iteration of the chain. So it basically continues this procedure for tau iterations, and in the tau-th iteration, it simply outputs the rounded result. What we're basically doing is chaining multiple LWE distributions with multiple keys together and deriving a new distribution from it.

It is actually not too hard to show that the output distribution of this oracle is computationally indistinguishable from uniform. By the LWE assumption, we can first show that the first iteration, A times S1 plus E1, is indistinguishable from uniform. This implies that R1 is uniformly distributed, meaning that E2 is also a properly distributed noise matrix. This in turn implies that the second iteration, A times S2 plus E2, is computationally indistinguishable from uniform by LWE, and we can basically repeat this process for the entire chain to show that the final output is indistinguishable from uniform.

Okay, so this is all nice and fine, but why are we even defining this oracle in this fashion? This oracle is still a randomized oracle that must sample the noise matrix E1 in a randomized way, so it doesn't really appear to help in building a deterministic synthesizer. But the key observation that we make is that even if this initial noise matrix E1 is set to be zero, the pseudorandomness of this oracle's output distribution is still preserved. To see this, let's define another oracle that we'll refer to as the LWRE oracle. This LWRE oracle works in exactly the same way as the hybrid oracle that we defined previously; the only difference is going to be that this first noise matrix E1, we're just going to set to be the zero matrix. So in the first iteration of the chain, the oracle computes A times S1 plus zero, and derives the seed for E2 by rounding this result down. That's it; everything else stays the same. So the first iteration here, the rounding of A times S1, is basically an LWR sample, and we're essentially chaining an LWR sample with a bunch of LWE samples. This is why we refer to this oracle as the LWRE oracle, which stands for learning with rounding and errors.

So we can actually show that the distribution produced by the hybrid oracle is statistically indistinguishable from that of the LWRE oracle, even when the modulus q is set to be small. Recall that the probability that the rounding of the exact product of two uniformly random matrices A and S differs from the rounding of their noisy product, A times S plus E, is roughly proportional to the size of the noise times p over q. So let's say that we set the modulus q to be just big enough so that this product is roughly one half. Then we can make the following observation. At each iteration of the chain in the hybrid and LWRE distributions, the probability that the seeds that we use to derive the noise matrices, these R_i's, coincide is going to be one half. So no matter what noise matrix we get from the previous iteration, the probability that the roundings of A times S_i plus noise will coincide in the two distributions is basically one half, by the way we set the modulus q.
Next, we note that if at least one iteration of the chain produces the same seed R_i in the two distributions, then for all the subsequent iterations of the chain, the seeds will coincide in the two distributions, and this is just because the Gaussian sampler, the error sampler, is deterministic. So there is basically a one-half chance that the seed will be different in any given iteration of the chain, but if there is one iteration for which the seed is the same, then all the subsequent iterations will produce exactly the same result. This means that the probability that the outputs of these two oracles differ on any given input is at most one over two to the tau. So for tau that is super-logarithmic, this probability is negligible.

All right, so this LWRE oracle induces a natural computational problem that we call the learning with rounding and errors problem. It basically asks an adversary to distinguish the outputs of the LWRE oracle from those of a uniform sampler. Using the same argument that we discussed on the previous slide, we can show that the LWRE problem is hard assuming that the LWE assumption holds. For this, we consider the intermediate distribution that provides the output of the randomized hybrid oracle from the previous slide. We showed that as long as the chaining parameter tau is set big enough relative to the modulus q, the outputs of the LWRE oracle and those of the hybrid oracle are statistically indistinguishable. Then, via a standard hybrid argument, we can use LWE to switch each output of the hybrid oracle to a uniformly random output.

So then, using the LWRE assumption, we can naturally construct a synthesizer in a straightforward way: the synthesizer takes in a matrix A and a set of matrices S1 through S_tau and returns the output of the LWRE oracle on these inputs. The security of the synthesizer follows very straightforwardly from the hardness of the LWRE problem, and basically the PRF that is implied by this synthesizer is our final low-depth PRF. Here there is actually a domain mismatch: the synthesizer takes in a single square matrix A and tau matrices S1 through S_tau, but produces just a single square matrix over the rounding modulus p. This domain mismatch is a slight technicality that can be addressed pretty easily in multiple ways, and so I will just refer to the paper for the details on how we can do that. One thing to note here is that the depth of the synthesizer is basically determined by the chaining parameter tau for the LWRE problem, and this is where our trade-off between the depth of the PRF and the size of the modulus comes in. If tau is large, then we can set q to be very small and still have a tight reduction; if q is a little bit larger, then we can set tau to be much smaller and get a very low-depth PRF.

All right, so I think my time is almost up, so let me just briefly comment on our second PRF construction. We achieve our second PRF, which is key homomorphic, by applying the chaining technique on top of already existing key-homomorphic PRFs. Chaining existing key-homomorphic PRFs allows us to prove their security with much better parameter settings. In particular, if we chain the key-homomorphic PRF of Banerjee and Peikert from 2014, then we can get a key-homomorphic PRF whose security can be based entirely on LWE with a polynomial-size modulus q. I will refer to the paper for the full details on how we can do this.
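Since chaining is the technique both constructions share, here is a minimal Python/numpy sketch of the LWRE oracle described above. Everything in it is illustrative: the parameters are toy values picked for readability, and `sample_noise` is a hash-seeded stand-in for the deterministic Gaussian sampler used in the actual construction, not the paper's sampler.

```python
import hashlib
import numpy as np

n, q, p, tau = 8, 257, 4, 16    # toy parameters, chosen only for illustration
noise_bound = 1                 # noise entries drawn from {-1, 0, 1}

def round_q_to_p(M):
    """Component-wise rounding from Z_q down to Z_p."""
    return np.rint(M * p / q).astype(np.int64) % p

def sample_noise(seed_matrix):
    """Deterministically derive a small noise matrix from a seed matrix.
    A hash-seeded stand-in for the deterministic Gaussian sampler in the talk."""
    digest = hashlib.sha256(seed_matrix.tobytes()).digest()
    rng = np.random.default_rng(list(digest))
    return rng.integers(-noise_bound, noise_bound + 1, size=seed_matrix.shape)

def lwre_oracle(A, S_list):
    """Chain tau iterations: the first is noiseless (E1 = 0, an LWR-style link);
    each rounded result seeds the noise for the next LWE-style link;
    the output is the last rounded matrix."""
    E = np.zeros_like(A)                      # E1 = 0
    R = None
    for S in S_list:                          # len(S_list) == tau
        R = round_q_to_p((A @ S + E) % q)     # R_i = round(A * S_i + E_i)
        E = sample_noise(R)                   # E_{i+1} derived deterministically from R_i
    return R

# Example: one LWRE sample for a random A and chain keys S_1, ..., S_tau.
rng = np.random.default_rng(1)
A = rng.integers(0, q, size=(n, n))
S_list = [rng.integers(0, q, size=(n, n)) for _ in range(tau)]
print(lwre_oracle(A, S_list))
```

The point the sketch tries to make visible is that, once E1 is fixed to zero, the whole chain is a deterministic function of A and S1 through S_tau, which is exactly what makes it usable inside a synthesizer.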
All right, so let me wrap up with some open problems. The first nice open problem is whether we can construct a low-depth PRF without the undesirable loss in the security reduction. So can we construct a PRF that can be evaluated by a circuit of polylogarithmic depth and still has a tight security reduction? I think this is a very nice open problem. Also, can we construct PRFs with additional algebraic properties using just LWE with a polynomial-size q? For instance, can we use chaining to base the security of existing constrained PRFs on LWE with a polynomial-size modulus q? And finally, the method of chaining may have additional applications outside the world of PRFs, so it would be interesting to find other applications where chaining may be useful. Okay, and with that, let me conclude. Thank you very much.