Invertible PRF (iPRF)

From Cryptology City
Jump to navigation Jump to search


An Invertible Pseudorandom Function (iPRF) is a strengthening of the traditional Pseudorandom Function (PRF). An iPRF allows a user to succinctly represent and evaluate a function that is indistinguishable from a random function, but also to invert the random function! A user generates a key, which it can use to evaluate a function both forward and backward. This introduces a natural stronger security notion as well; however, the standard security definitions of PRFs can also be applied to an iPRF.

PRFs were originally defined by [HPPY24] and are a building block for the PIR with client pre-processing scheme that they build.

Formal Definition

Syntax

An Invertible Pseudorandom Function (iPRF) is a tuple of efficient functions , with respect to a keyspace , domain , and range , such that:

  • , is a randomized algorithm that takes a security parameter, and outputs a key ,
  • , is a deterministic algorithm that takes a key and input , and outputs an element ,
  • , is a deterministic algorithm that takes a key and input , and outputs a preimage set of element .

For iPRF efficiency and security, it is important to consider the sizes of the domain and range (both small and large domains). For domains that are much larger than ranges, the inversion function may not be efficient in its inputs, as the preimage could be very large. Also, there exists a construction for any domain and range due to [HPPY24] which satisfies a strong security notion.

Correctness

An iPRF is correct if for all , , and , . This just implies that the pre-image function works as we would expect it to.

Security

An iPRF is secure if for all efficient , there exists a negligible function , such that

where , is a random function from to , and denotes the preimage functino for .

Relationship to other primitives

Other Notes

The construction in [HPPY24] does not have to enumerate the inverse function. If one instead just wanted to sample from the preimage, this could be done efficiently for any domain and range.