Instantiating the Hash-then-evaluate paradigm: Strengthening PRFs, PCFs, and OPRFs.

Abstract

We instantiate the hash-then-evaluate paradigm for pseudorandom functions (PRFs), $\mathrm{PRF}(k,x):=\mathrm{wPRF}(k,\mathrm{RO}(x\left)\right)$ , which builds a PRF $\mathrm{PRF}$ from a weak PRF $\mathrm{wPRF}$ via a public pre-processing random oracle $\mathrm{RO}$ . In applications to secure multiparty computation (MPC), only the low-complexity $\mathrm{wPRF}$ performs secret-depending operations. Our construction replaces $\mathrm{RO}$ by $f(k_H,\mathrm{elf}\left(x\right))$ , where f is a non-adaptive PRF and the key $k_H$ is public and thus known to the distinguishing adversary. We show that, perhaps surprisingly, several existing weak PRF candidates are plausibly also secure when their inputs are generated by $f(k_H,\mathrm{elf}(.))$ . Firstly, analogous cryptanalysis applies (because pseudorandomness of f implies good statistical properties) and/or secondly an attack against the weak PRF with such pseudorandom inputs generated by f would imply surprising results such as key agreement from the hardness of the high-noise version of the Learning Parity with Noise (LPN) when implementing both $\mathrm{wPRF}$ and f from this assumption. Our simple transformation of replacing $\mathrm{RO}(·)$ public pre-processing by $f(k_H,\mathrm{elf}\left(x\right))$ public pre-processing applies to the entire family of PRF-style functions. Specifically, we obtain results for oblivious PRFs, which are a core building block for password-based authenticated key exchange (PAKE) and private set intersection (PSI) protocols, and we also obtain results for pseudorandom correlation functions (PCF), which are a key tool for silent oblivious transfer (OT) extension.