New and Improved Key-Homomorphic Pseudorandom Functions.

ADVANCES IN CRYPTOLOGY - CRYPTO 2014, PT I (2014)

Abstract
A key-homomorphic pseudorandom function (PRF) family $\{F_s : D \to R\}$ allows one to efficiently compute the value $F_{s+t}(x)$ given $F_s(x)$ and $F_t(x)$. Such functions have many applications, such as distributing the operation of a key-distribution center and updatable symmetric encryption. The only known construction of key-homomorphic PRFs without random oracles, due to Boneh et al. (CRYPTO 2013), is based on the learning with errors (LWE) problem and hence on worst-case lattice problems. However, the security proof relies on a very strong LWE assumption (i.e., very large approximation factors), and hence has quite inefficient parameter sizes and runtimes. In this work we give new constructions of key-homomorphic PRFs that are based on much weaker LWE assumptions, are much more efficient in time and space, and are still highly parallel. More specifically, we improve the LWE approximation factor from exponential in the input length to exponential in its logarithm (or less). For input length $\lambda$ and $2^{\lambda}$ security against known lattice algorithms, we improve the key size from $\lambda^3$ to. bits, the public parameters from $\lambda^6$ to $\lambda^2$ bits, and the runtime from $\lambda^7$ to $\lambda^{\omega+1}$ bit operations (ignoring polylogarithmic factors in $\lambda$), where $\omega \in [2, 2.373]$ is the exponent of matrix multiplication. In addition, we give even more efficient ring-LWE-based constructions whose key sizes, public parameters, and incremental runtimes on consecutive inputs are all quasi-linear $\tilde{O}(\lambda)$, which is optimal up to polylogarithmic factors. To our knowledge, these are the first low-depth PRFs (whether key homomorphic or not) enjoying any of these efficiency measures together with nontrivial proofs of $2^{\lambda}$ security under any conventional assumption.