Paper 2024/1459

Verifiable Oblivious Pseudorandom Functions from Lattices: Practical-ish and Thresholdisable

Abstract

We revisit the lattice-based verifiable oblivious PRF construction from PKC'21 and remove or mitigate its central three sources of inefficiency. First, applying Rényi divergence arguments, we eliminate one superpolynomial factor from the ciphertext modulus $q$, allowing us to reduce the overall bandwidth consumed by RLWE samples by about a factor of four. This necessitates us introducing intermediate unpredictability notions to argue PRF security of the final output in the Random Oracle model. Second, we remove the reliance on the $\mathsf{1}\mathsf{D}\mathsf{-}\mathsf{SIS}$ assumption, which reduces another superpolynomial factor, albeit to a factor that is still superpolynomial. Third, by applying the state-of-the-art in zero-knowledge proofs for lattice statements, we achieve a reduction in bandwidth of several orders of magnitude for this material. Finally, we give a $$-out-of-$$ threshold variant of the VOPRF for constant $$ and with trusted setup, based on a $$-out-of-$$ distributed variant of the VOPRF (and without trusted setup).

Note: Full version following ASIACRYPT 2024 acceptance.