Bi-Homomorphic Lattice-Based PRFs and Unidirectional Updatable Encryption

Abstract

We define a pseudorandom function (PRF) F: K × X → Y to be bi-homomorphic when it is fully Key homomorphic and partially Input Homomorphic (KIH), i.e., given F(k1, x1) and F(k2, x2), there is an efficient algorithm to compute F(k1 k2, x1 x2), where and are (binary) group operations. The homomorphism on the input is restricted to a fixed subset of the input bits, i.e., operates on some pre-decided m-out-of-n bits, where |x1| = |x2| = n, and the remaining n-m bits are identical in both inputs. In addition, the output length, , of the operator is not fixed and is defined as n ≤ ≤ 2n, hence leading to Homomorphically induced Variable input Length (HVL) as n ≤ |x1 x2| ≤ 2n. We present a learning with errors (LWE) based construction for a HVL-KIH-PRF family. Our construction is inspired by the key homomorphic PRF construction due to Banerjee and Peikert (Crypto 2014). An updatable encryption scheme allows rotations of the encryption key, i.e., moving existing ciphertexts from old to new key. These updates are carried out via update tokens, which can be used by an untrusted party since the update procedure does not involve decryption of the ciphertext. We use our novel PRF family to construct an updatable encryption scheme, named QPC-UE-UU, which is quantum-safe, post-compromise secure and supports unidirectional ciphertext updates, i.e., the update tokens can be used to perform ciphertext updates but they cannot be used to undo already completed updates. Our PRF family also leads to the first left/right key homomorphic constrained-PRF family with HVL.