More efficient lattice PRFs from keyed pseudorandom synthesizers

Abstract

We develop new constructions of lattice-based PRFs using keyed pseudorandom synthesizers. We generalize all of the known ‘basic’ parallel lattice-based PRFs–those of [BPR12], [BLMR13], and [BP14]–to build highly parallel lattice-based PRFs with smaller modulus (and thus better reductions from worst-case lattice problems) while still maintaining computational efficiency asymptotically equal to the fastest known lattice-based PRFs at only the cost of larger key sizes. In particular, we build several parallel (in NC 2 ) lattice-based PRFs with modulus independent of the number of PRF input bits based on both standard LWE and ring LWE. Our modulus for these PRFs is just O (m f(m) ) for lattice dimension m and any function f(m)∈ω(1). The only known parallel construction of a lattice-based PRF with such a small modulus is a construction from Banerjee’s thesis [Ban15], and some of our parallel PRFs with equivalently small modulus have smaller key sizes and are very slightly faster (when using FFT multiplication). These PRFs also asymptotically match the computational efficiency of the most efficient PRFs built from any LWE- or ring LWE-based assumptions known today, respectively, and concretely require less computation per output than any known parallel lattice-based PRFs (again when using FFT multiplication). We additionally use our techniques to build other efficient PRFs with very low circuit complexity (but higher modulus) which improve known results on highly parallel lattice PRFs. For instance, for input length λ, we show that there exists a ring LWE-based PRF in NC 1 with modulus proportional to (Formula Presented) for any c ∈(0, 1). Constructions from lattices with this circuit depth were only previously known from larger moduli.