Symmetric and Dual PRFs from Standard Assumptions: A Generic Validation of a Prevailing Assumption

A two-input function is a dual PRF if it is a PRF when keyed by either of its inputs. Dual PRFs are assumed in the design and analysis of numerous primitives and protocols including HMAC, AMAC, TLS 1.3 and MLS. But, not only do we not know whether particular functions on which the assumption is made really are dual PRFs; we do not know if dual PRFs even exist. What if the goal is impossible? This paper addresses this with a foundational treatment of dual PRFs, giving constructions based on standard assumptions. This provides what we call a generic validation of the dual PRF assumption. Our approach is to introduce and construct symmetric PRFs, which imply dual PRFs and may be of independent interest. We give a general construction of a symmetric PRF based on a function having a weak form of collision resistance coupled with a leakage hardcore function, a strengthening of the usual notion of hardcore functions we introduce. We instantiate this general construction in two ways to obtain two specific symmetric and dual PRFs, the first assuming any collision-resistant hash function, and the second assuming any one-way permutation. A construction based on any one-way function evades us and is left as an intriguing open problem.


Introduction
A function family is a dual PRF [6] if it is a PRF and also remains so when its key and input are switched. This property was used as an assumption on the compression function in order to prove security of two hash-function based PRFs, namely the widely-used HMAC [8] and the newer AMAC [7]. Dual PRFs are also now being assumed in TLS 1.3 [22,19] and other Internet security protocols [15,32,28,1,18].
We have, however, no constructions of dual PRFs under standard assumptions, and thus little idea how strong the assumption is, or if it is even valid. We address this with a foundational treatment of dual PRFs, giving constructions based on standard assumptions. This is the first theoretical evidence that dual PRFs exist, and provides what we call a generic validation of the dual PRF assumption. Tools that we introduce and use for our construction include leakage hardcore functions and symmetric PRFs.
PRFs. Let F : F.Keys × F.Inp → F.Out be a function family taking a key fk ∈ F.Keys and an input x ∈ F.Inp to (deterministically) return the output y = F(fk, x) ∈ F.Out. We recall that F is a PRF [24] if an efficient adversary has negligible advantage in distinguishing whether its oracle is F(fk, ·) or a random function, where fk is chosen at random from F.Keys. This well-known notion has seen an enormous number of applications in both theoretical and applied cryptography.
Dual PRFs. Let S : S_0 × S_1 → S.Out be a function family. Let S^swap : S_1 × S_0 → S.Out be defined by S^swap(a_0, a_1) = S(a_1, a_0). That is, the key for S^swap is the input for S and the input for S^swap is the key for S. Both S and S^swap are legitimate function families and we can ask if they are PRFs. We say that S is a dual PRF [6] if both S and S^swap are PRFs. That is, (1) an oracle for S(a_0, ·) is indistinguishable from an oracle for a random function when a_0 is chosen at random and, separately but also, (2) an oracle for S(·, a_1) is indistinguishable from an oracle for a random function when a_1 is chosen at random. The question we consider in this paper is, do dual PRFs exist, and, if so, under what assumptions?
Context. Dual PRFs were introduced by Bellare [6] in the context of HMAC. Recall that HMAC [8] is a cryptographic-hash-function-based PRF implemented in TLS and many other places. From the proof perspective, the underlying primitive is the compression function h of the hash function, and this is assumed in [6] to be a dual PRF in order to conclude PRF-security of HMAC. (In a little more detail, one starts with a related and simpler design, NMAC [8], that is PRF-secure assuming h is a PRF [6,23,3]. The dual PRF assumption on h arises in stepping from NMAC to HMAC [6].) AMAC is a hash-function based PRF used in the widely deployed Ed25519 signature scheme [13], and its analysis also assumes the compression function is a dual PRF [7]. And since then, the use of dual PRFs has widened even further. Dual PRFs are now invoked in the design and analysis of many Internet security protocols, including TLS 1.3 [22,19], hybrid key-exchange [15,32], post-quantum versions of WireGuard [28] and Noise [1], and Message Layer Security (MLS) [18].

Generic validation.
The assumption that a function h is a dual PRF could fail for two reasons. One is generic, namely that nothing can be a dual PRF. Dual PRFs may simply not exist. The second reason is specific, namely that, although some functions may be dual PRFs, the particular h used in some particular application isn't.
Generic failure can be ruled out by showing that the security goal is achievable under standard assumptions. We call this generic validation. It has value because generic failure is not an idle fear. It has happened for several (attractive) goals, for example virtual blackbox obfuscation [26,5] and commitment secure against selective opening [10], to name just a few.
Generic validation won't show that a particular candidate practical construct satisfies the assumption. This needs dedicated validation, meaning either a dedicated proof or cryptanalysis. But generic validation is the first step. In its absence, the goal may be just wishful thinking, and the candidate construct doomed. In its presence, the candidate is at least in principle plausible, and successful dedicated validation is a possibility. Generic validation is thus desirable for the security goal underlying any new assumption. For (standard) PRFs, we have strong generic validation: classical foundational results say that PRFs exist assuming only that one-way functions exist. (OWFs imply PRGs [27] which imply PRFs [24].) We also have constructions from many particular assumptions [30,29,4]. Dual PRFs, in contrast, have at this point no generic validation. Despite their having been introduced ten years ago [6], and despite their use as an assumption in supporting the security of the widely-used HMAC [6], there has been no construction under any (standard or not) assumption. This is the gap we fill.
Negative results. One's first thought may be that every PRF S is also a dual PRF. It is easy to see that this is not true. For example, suppose S : {0,1}^k × {0,1}^k → {0,1}^k is a PRF with the property that S(0^k, a) = a for all a. This will not contradict PRF security of S because 0^k has negligible probability of being chosen as the key in the PRF game. However, S^swap is clearly not a PRF because S^swap(a, 0^k) = S(0^k, a) = a, so an adversary can query its oracle at 0^k and it will get back the key a, using which it can easily violate PRF security.
Thus we need special constructions. The next natural question is whether known constructions of PRFs are dual PRFs. But they are not. For example, take the classic GGM construction [24] of a PRF from a PRG. We show in Section 3 that there is a choice of the PRG under which the constructed PRF is not a dual PRF. Or take the Naor-Reingold PRF. We give in Section 3 a direct attack violating dual PRF security. The Dodis-Yampolskiy PRF [21] is promising because the formula adds the key and input, thereby seeming to give them symmetric roles, but security requires that the input comes from a much smaller space than the key, and this precludes being a symmetric PRF as per our definition. See Section 3 for more information.
Symmetric PRFs. Our approach to construct dual PRFs is based on the notion we introduce of a symmetric PRF. Let S : S × S → S.Out be a function family whose keyspace and input space are the same set, call it S. We say that S is symmetric if S(a_0, a_1) = S(a_1, a_0) for all a_0, a_1 ∈ S. That is, S is unchanged if the order of its inputs is swapped. Then we make the following observation. Suppose S is (1) a PRF, and (2) symmetric. Then it is a dual PRF. This is easy to see because the symmetry implies that S^swap = S, namely S^swap is in fact identical to S. So its PRF security follows directly from the fact that S is a PRF. We will construct symmetric PRFs.

SPRF.
In Section 5 we give a general construction of a symmetric (hence dual) PRF S : D × D → {0,1}^k. It is defined in terms of three other functions E, H, R as follows:
Function family S(a_0, a_1)
Here R is a PRF with range {0,1}^k and D is some appropriate domain. The functions E, H can be thought of roughly as "extract" and "hash," and they will be instantiated in different ways. The idea is that r_0, z_0 depend on the input a_0 while r_1, z_1 depend on the input a_1, and only in the application of R are the inputs "mixed." Two applications of R are used, the key being an r-value and the input the opposing z-value. Note that the use of this high-level structure with the xor already guarantees that S is symmetric, regardless of the choices of R, E, H. Now we need to find choices of E, H under which S is a PRF. Intuitively, a difficulty in using the PRF security of R is that the construction does not use a key for R in a blackbox way. If we think of r_0 as the key, then z_0 is related information that is needed to simulate an attacker against S.
Very roughly, we want E to extract hardcore bits, and we want H to provide some kind of collision resistance (CR). In the proof that S is a PRF we would first use the security of E to move to a game in which r_0 is random. Then we would use the PRF security of R to replace R(r_0, ·) with a random function R. Finally we would use the CR-security of H to say that the z_1 values do not repeat, which means in each xor the first component, and hence the whole, is random.
However, getting this to work requires some care. We strive to make the conditions on E, H as weak and general as possible so as to allow the maximum flexibility in instantiation and the ability to instantiate under assumptions as weak as possible. In this spirit, one choice we make is to allow both E and H to be keyed. Both the key and the input would be derived from the single input a_i above. Now the main difficulty is that no standard notion of hardcore function security suffices for E. Instead we introduce the notion of E being a leakage hardcore function for H. Roughly (the formal definition is in Section 4), this means that E with a target key applied to a hidden x_0 continues to look random even given an oracle that can get the results of H at x_0 under other, different keys of its choice. For H, we ask that it be computationally almost universal (CAU) [6]. This is a weak form of collision resistance in which the adversary must produce its collision without knowing the key. See Section 5 for the full construction and Theorem 5.2 for the formal claim and proof of PRF security.
Instantiations. To obtain constructions of symmetric (and hence dual) PRFs under specific, standard assumptions, we instantiate the primitives in our general SPRF construction under the assumption in question. In Section 6 we give two corresponding results, one under one-way permutations (OWPs) and the other under collision-resistant (CR) hash functions, meaning either of these assumptions now yields symmetric and dual PRFs. The OWP instantiation uses the Blum-Micali-Yao (BMY) PRG [16,33] to instantiate the leakage hardcore function E and an iterated OWP to instantiate H. The CR hash function instantiation uses a CR hash to instantiate H and uses a strong randomness extractor to instantiate E.
Discussion and open questions. The main open question that evades us is a construction of a symmetric and dual PRF from any one-way function (OWF). The first question is whether one can instantiate our SPRF construction under a OWF. If not, the next question is whether there is some other, different construction.
We note that while our result about SPRF has striven to make as general and weak-as-possible assumptions on the component E, H functions, we have not, in our instantiations, found a way to take full advantage of this. The only way we have found to get a leakage hardcore function E for H is to make H a keyless CR function, in which case Lemma 4.1 says that E being a standard hardcore function for H suffices. But there may, potentially, exist choices of keyed, CAU functions H for which a leakage hardcore function E exists, and this may then be a direction towards a OWF-based dual PRF.
Subsequent work. The motivation for our new constructions of dual PRFs was primarily theoretical, namely to give a generic validation for the dual PRF assumption on the compression function used in the proof of PRF security of HMAC [6]. Following the posting of our paper on the Cryptology ePrint Archive [11], however, Aviram, Dowling, Komargodski, Paterson, Ronen and Yogev (ADKPRY) [2] revisit the problem of constructing dual PRFs with a more practical motivation, namely the use of dual PRFs as key combiners in the TLS 1.3 key schedule. They extend our general construction above to apply, at the end, an output function G, meaning their dual PRF returns G(S(a_0, a_1)) where S(a_0, a_1) is defined via R, E, H as above. They then instantiate R, E, H, G via HMAC to obtain an efficient dual PRF.
The assumption made in TLS 1.3 [22,19] and the other above-mentioned Internet security protocols [15,32,28,1,18] is that HMAC itself is a dual PRF. This assumption has been validated by Backendal, Bellare, Günther and Scarlata (BBGS) [3] via a proof of dual PRF security of HMAC based on certain assumptions on the underlying compression function h. We note that these assumptions include that h is itself a dual PRF.

Basic definitions
Our treatment is concrete rather than asymptotic. For any security goal for a primitive, for example PRF security of a function family, we define an advantage metric, in this case the PRF advantage of an adversary against the function family, which is a number. There is no explicit security parameter; one way of thinking about it is to consider that the security parameter has been fixed. For a function family to be a PRF typically means, informally, that "efficient" adversaries have "negligible" PRF advantage; in the absence of a security parameter, this is defined in quantitative, rather than asymptotic, terms. Theorems are made formal by giving the concrete security of reductions. Discussion surrounding theorems will clarify what they mean qualitatively. The concrete treatment makes notation somewhat simpler, allows us to see the quantitative security of reductions, and is more in keeping with the motivating setting of HMAC, where there are no asymptotics.
Notation and conventions. We let ε denote the empty string. If y is a string then |y| denotes its length and y[i] denotes its i-th coordinate for 1 ≤ i ≤ |y|. If X is a finite set, we let x ←$ X denote picking an element of X uniformly at random and assigning it to x. Algorithms may be randomized unless otherwise indicated. Running time is worst case. If A is an algorithm, we let y ← A(x_1, . . . ; r) denote running A with random coins r on inputs x_1, . . . and assigning the output to y. We let y ←$ A(x_1, . . .) be the result of picking r at random and letting y ← A(x_1, . . . ; r). We let [A(x_1, . . .)] denote the set of all possible outputs of A when invoked with inputs x_1, . . .. We use the code based game playing framework of [12]. (See Fig. 1 for an example.) By Pr[G] we denote the event that the execution of game G results in the game returning true. We adopt the convention that the running time of an adversary refers to the worst-case execution time of the game with the adversary, so that the time for the execution of oracles to compute replies to oracle queries is included. This means that usually in reductions, adversary running time is roughly maintained. In writing a game, we assume boolean variables (e.g. bad) are automatically initialized to false.

Function families. A function family F : F.Keys × F.Inp → F.Out is a 2-argument function taking a key fk in the keyspace F.Keys and an input x in the input space F.Inp to return an output F(fk, x) in the output space F.Out. For fk ∈ F.Keys we let F_fk : F.Inp → F.Out be defined by F_fk(x) = F(fk, x) for all x ∈ F.Inp. We say that F is a permutation family if F.Inp = F.Out and F_fk is a permutation for every fk ∈ F.Keys. We say that F is keyless if F.Keys = {ε} consists only of the empty string. (It is tempting in this case to just drop the key in the notation but it makes it harder to pattern-match with the definitions and so, somewhat pedantically, we tend to explicitly write ε as the key when dealing with keyless families.) The reason to consider such families is that some notions of security, such as one-wayness, hold just as well for them. (For others, like PRF-security, keying is crucial.)

The first equation is the definition, while the second is an alternative representation known to be equal by a standard conditioning argument.
One-way functions. The security of function family F as a OWF is defined via game G^ow_F(A) of Fig. 1 associated to F and adversary A. The point x returned by the latter is required to be in F.Inp. The owf advantage of A is defined as
In this case, F may or may not be keyed. A one-way permutation (OWP) is simply a family of permutations that is a OWF.
Universal and CAU functions. Consider game G^cau_H(A) of Fig. 1 associated to H and adversary A. The points x_0, x_1 returned by the latter are required to be in H.Inp. The CAU-advantage of A is defined as
Out| for all adversaries A, regardless of their computing time. Computational almost universal functions, introduced by Bellare [6], are a relaxation of universal functions in which the advantage is treated as a computational metric in the usual way and adversaries may be computationally bounded.

CR functions. The security of function family H as a collision-resistant (CR) function is defined via game G^cr_H(A) of Fig. 1 associated to H and adversary A. The points x_0, x_1 returned by the latter are required to be in H.Inp. The cr advantage of A is defined as
Practical CR hash functions such as SHA-256 are keyless. A CR function family is CAU, giving an easy way to get the latter.
Extractors. Let X, Y be random variables. We define SD(X, Y), the statistical distance between X and Y; H_∞(X), the min-entropy of X; and H_∞(X|Y), the min-entropy of X given Y, via:
Recall, paraphrasing the definition above, that a function family

Symmetric PRFs. Let S : S_0 × S_1 → S.Out be a function family. Let S^swap : S_1 × S_0 → S.Out be defined by S^swap(a_0, a_1) = S(a_1, a_0). We say that S is a dual PRF if both S and S^swap are PRFs. We say that S is symmetric if S_0 = S_1 and S(a_0, a_1) = S(a_1, a_0) for every a_0, a_1 ∈ S_1. If S is symmetric then S^swap = S. Thus if S is symmetric and a PRF, it is automatically a dual PRF. We will accordingly target the stronger notion of a symmetric PRF and obtain a dual PRF as a consequence.

Dual PRF security of existing PRF constructions
If we seek dual PRFs, the first and natural question is whether existing constructions of PRFs might happen to already be dual. Here we look at a few popular ones and show this is not the case.
Function family GGM(x, y)
Suppose F_1 has the property that F_1(0^k, 0) = F_1(0^k, 1) = 0^k. It could still be a PRF and in particular, if PRFs exist, we can easily build a PRF F_1 with this property. But then GGM^swap(y, 0^k) = GGM(0^k, y) = 0^k, so GGM^swap is certainly not a PRF. Thus GGM is not a dual PRF. This shows that the GGM construction does not in general yield a dual PRF.
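The GGM counterexample above as a runnable illustration, added here and not code from the paper: F_1 is patched at the key 0^k, GGM is the standard tree construction, and the distinguisher is the one-query test against GGM^swap described in the text. The PRG (built from HMAC-SHA256) and the 128-bit parameters are this example's assumptions.

```python
import hashlib
import hmac
import os

K = 16  # k = 128 bits: key length of F_1 and both key and input length of GGM (so GGM^swap is well defined)


def prg(seed: bytes) -> bytes:
    """Length-doubling PRG G : {0,1}^k -> {0,1}^{2k}.
    Constructed for this example from HMAC-SHA256; assumed (not proven here) to be a PRG."""
    assert len(seed) == K
    return hmac.new(seed, b"ggm-prg", hashlib.sha256).digest()  # 32 bytes = 2k bits


def F1(s: bytes, b: int) -> bytes:
    """F_1(s, b) = the b-th k-bit half of G(s), patched so that F_1(0^k, 0) = F_1(0^k, 1) = 0^k.
    The patch does not hurt PRF security of F_1: a random key equals 0^k with probability 2^-k."""
    if s == bytes(K):
        return bytes(K)
    out = prg(s)
    return out[:K] if b == 0 else out[K:]


def bits_msb_first(y: bytes):
    """Iterate over the bits of y, most significant bit of each byte first."""
    for byte in y:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def ggm(x: bytes, y: bytes) -> bytes:
    """GGM(x, y): start at the root key x and descend the tree along the bits of the input y,
    applying F_1(., y_i) at level i. With the patched F_1, the root 0^k is a fixed point of every step."""
    assert len(x) == K and len(y) == K
    cur = x
    for bit in bits_msb_first(y):
        cur = F1(cur, bit)
    return cur


def ggm_swap(key: bytes, inp: bytes) -> bytes:
    """GGM^swap(key, inp) = GGM(inp, key): the roles of key and input are exchanged."""
    return ggm(inp, key)


def distinguisher(oracle) -> int:
    """The one-query test from the text against GGM^swap. The oracle hides a key a and answers
    GGM^swap(a, .). Query 0^k: GGM^swap(a, 0^k) = GGM(0^k, a) = 0^k for every a, whereas a
    random function returns 0^k with probability 2^-k. Returns 1 for 'real', 0 for 'random'."""
    return 1 if oracle(bytes(K)) == bytes(K) else 0


def random_function_oracle(inp: bytes) -> bytes:
    """Stand-in for a random function (deterministic per input) for the demo."""
    return hashlib.sha256(b"random-function|" + inp).digest()[:K]


if __name__ == "__main__":
    a = os.urandom(K)  # the hidden key of GGM^swap
    print("real GGM^swap  :", distinguisher(lambda inp: ggm_swap(a, inp)))  # 1
    print("random function:", distinguisher(random_function_oracle))       # 0
```

Note that GGM with the same patched F_1 is still a fine PRF in the forward direction; only the swapped family breaks, which is exactly the gap between PRF and dual PRF.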
Naor Reingold. Let G be a prime-order group in which the DDH problem is hard, and let g ∈ G be a generator of G. Let q = |G|. The Naor-Reingold PRF [30] NR :
Here the key a is an (n + 1)-vector over G and its i-th component is denoted a[i] ∈ G, with the components indexed from 0 to n. Let 1_G denote the identity element of G and let 0 = (0, . . . , 0) ∈ G^{n+1} denote the (n + 1)-vector all of whose components equal 0. Then NR^swap(x, 0) = NR(0, x) = g^0 = 1_G for all x ∈ {0,1}^n. Thus NR^swap cannot be a PRF and NR is not a dual PRF. This is true for all choices of G, g. Some variants of NR [9] restrict the keyspace to (Z*_q)^{n+1}, which would preclude the above attack on NR^swap. However, NR^swap is still subject to attack by setting a to all 1s.

Dodis Yampolskiy. Let e : G × G → G_T be a non-degenerate bilinear map, where groups G, G_T have prime order p. Let g be a generator of G and S ⊆ Z_p a set of size N. Then the Dodis Yampolskiy PRF [21]
This construction is promising because the roles of a and x are symmetric, so we may think we can swap them and have a symmetric PRF. The difficulty is that for security the input x must come from a much smaller space than the key, meaning N = |S| is much less than p. This is because security is based on the q-BDHI assumption, and as per [21, Theorem 2], security of the PRF requires q = N and security of q-BDHI for adversaries with running time more than N. In particular, the construction is not shown secure when S = Z_p. But to meet our definition of a symmetric PRF from Section 2, the key-space and domain must be the same set. This asymmetry in the key and input for DY, and how it precludes some applications, has been pointed out before in several contexts, including in BC [9] for security against related-key attack.
Finally we note that if S = Z_p then DY is symmetric. Hence, if it is a PRF then it is also a dual PRF. So is it a PRF when S = Z_p? To the best of our knowledge, this is an open question; we are aware of neither a proof nor an attack.
Discussion. Although this should be obvious, we should nonetheless clarify that the above attacks do not represent any bugs or critiques. These constructions were not designed or claimed to be dual PRFs. But the first question one should ask in seeking dual PRFs is whether existing constructions of PRFs happen to be dual PRFs. The above indicates that this is not the case and one must seek new constructions.

Leakage hardcore functions
For our construction we will introduce an extension of the standard notion of a hardcore function. We call it a leakage hardcore function. To understand it, it is useful to begin by recalling the usual notion.
Hardcore functions. Suppose H is a function family. A hardcore function for H is a function family HC : HC.Keys × (H.Keys × H.Inp) → HC.Out, so that an input is a pair (hk, x) consisting of a key for H and an input for H. We say that HC is a hardcore predicate for H if HC.Out = {0,1}.
Game G^hc_{H,HC}(A)
  hk_0 ←$ H.Keys
  hck_0 ←$ HC.Keys
  x_0 ←$ H.Inp
  w_0 ← H(hk_0, x_0)
  s_1 ← HC(hck_0, (hk_0, x_0))

(Some hardcore functions are unkeyed; in fact both the RSA and the DL function families have unkeyed hardcore functions. On the other hand, the Goldreich-Levin hardcore predicate has a key that is a randomly chosen string.) Recall that security considers an adversary given a key hk_0 defining the function H(hk_0, ·), a key hck_0 for the hardcore function, and the result w ← H(hk_0, x_0) of evaluating the function at x_0 ←$ H.Inp. Now the adversary gets s_c for a challenge bit c where s_1 = HC(hck_0, (hk_0, x_0)) is the output of the hardcore function on x_0 and s_0 is a random string of the same length. The adversary should have a hard time figuring out c. Formally, the security of HC as a hardcore function for H is defined via game G^hc_{H,HC}(A) of Fig. 2 associated to H, HC and adversary A. The hcf advantage of A is defined as Adv^hc_{H,HC}(A) = 2 Pr[G^hc_{H,HC}(A)] − 1.

Leakage hardcore functions. A leakage hardcore (LHC) function for H is again a function family HC : HC.Keys × (H.Keys × H.Inp) → HC.Out, so that an input is a pair (hk, x) consisting of a key for H and an input for H. Again we say that HC is a leakage hardcore predicate for H if HC.Out = {0,1}. The new element in a leakage hardcore function is that the adversary has an oracle Lk via which it can obtain "leakage" about x_0. This leakage has a very particular form (although one could define LHC functions more generally, allowing other leakage as well), namely the adversary can obtain the value of the same function family H on x_0 under any key hk ∈ H.Keys of its choice. Thus Lk takes input hk and returns H(hk, x_0), the result of evaluating H on the given key under the hidden input x_0. The requirement is that figuring out the challenge bit remains hard. The formalization uses game G^lhc_{H,HC}(A) of Fig. 2 associated to H, HC and adversary A.
The lhc advantage of A is defined as Adv^lhc_{H,HC}(A) = 2 Pr[G^lhc_{H,HC}(A)] − 1. Since A could in particular call its oracle on hk_0, we omit giving it H(hk_0, x_0) as input as in the standard game.
Adversary A_0 has about the same running time as adversary A.
Proof of Lemma 4.1: Adversary A_0 gets inputs hk_0, hck_0, w_0, s_c and runs A on inputs hk_0, hck_0, s_c. Since H.Keys = {ε}, the Lk oracle is intuitively useless to A. Formally, if a query hk is made by A to Lk then it must be that hk = ε, and thus A_0 can simulate the oracle, returning w_0 as the response. Eventually A outputs a bit c', and A_0 outputs the same bit.
Our construction of a symmetric PRF will need a CAU function family that has a leakage hardcore function which outputs lots of bits. In Section 5 we will assume it. Later we will give various constructions from various assumptions.

The SPRF construction
We provide our general SPRF construction of a symmetric, and hence dual, PRF.
Ingredients. Our construction of a symmetric PRF has the following ingredients:
We refer to a triple (H, HC, R) of function families satisfying the above conditions as a suite. The simplest case for the group is that R.Out = {0,1}^{R.ol} is the set of all strings of some length R.ol, and y_1 * y_2 = y_1 ⊕ y_2, but the existence of efficient PRFs with algebraic ranges [30] motivates being more general.

Proof of Proposition 5.1: The first condition, that the keyspace and input space of S are the same set, is met by definition. For a_0, a_1 in this common set we now need to show that S(a_0, a_1) = S(a_1, a_0). This follows from the symmetry in the description of S and the assumption that the group R.Out is commutative.
PRF security of SPRF. To show S is a dual PRF, it suffices by Proposition 5.1 to show that S is a PRF. This is the claim of the following theorem.
Theorem 5.2 Let (H, HC, R) be a suite of function families. Let S = SPRF[H, HC, R] be the (symmetric) function family associated to them as above. Let A be an adversary making at most q queries to its Fn oracle. Then the proof constructs adversaries A_H, A_HC, A_R such that
The running times of the constructed adversaries are about the same as that of the original.
Proof of Theorem 5.2: Consider games G_0-G_4 of Fig. 4. In the code for games G_0, G_1, if a line is followed by the name of a game, then that line is included only in the named game. Unmarked lines are included in both games. Game G_2 includes the boxed code while game G_3 does not.
We assume wlog that the oracle queries of A are always all distinct. This means the "If T[x] = ⊥" test in game G^prf_S(A) of Fig. 1 will always return true and so we can drop it. The c = 1 case of G^prf_S(A) is thus captured by game G_0. On the other hand, game G_4 captures the c = 0 case of game G^prf_S(A) except that it returns true iff the latter returns false. From Equation (1) we thus have
where for i ∈ {0, 1, 2, 3} we have let
We will build adversaries A_H, A_HC, A_R such that
We will also observe that
Putting together Equations (4), (5), (6), (7) and (8) we get Equation (3). We now justify the above claims.
In game G_1, the key r_0 for the first application of R is chosen at random rather than obtained as HC(hck_0, (hk_0, x_0)). Consider adversary A_HC shown in Fig. 5. It is playing game G^lhc_{H,HC}(A_HC), so it has input hk_0, hck_0, s. It runs A, simulating the latter's Fn oracle via a procedure FnSim that is shown in the code. The key point is that A_HC invokes its Lk oracle to compute w_0. Letting c be the challenge bit in game G^lhc_{H,HC}(A_HC) we have
that is initially everywhere ⊥. It optimistically picks y_0 at random and sets R[z_1] to this value. However, in between these two steps, it first checks whether R[z_1] was already defined, and if so, sets the flag bad to true. This means that the setting of R[z_1] to the newly-chosen y_0 was wrong. Accordingly (via the boxed code which is included in game G_2) a correction is made, resetting y_0 back to R[z_1], so that in this game, R[z_1] is the result of a random function on z_1. Now consider adversary A_R shown in Fig. 5. It has an Fn oracle, and runs A.
In the simulation of A's oracle, it applies Fn to z_1 to get y_0. With c the challenge bit in game
which establishes Equation (6).
In game G_3, we may set bad, but, since the boxed code is absent, y_0 is always a fresh, random value. Games G_2, G_3 are identical until bad (differ only in code following the setting of bad to true) so by the Fundamental Lemma of Game Playing [12],
Adversary A^Lk_HC(hk_0, hck_0, s)
We now design A_H so that
Adversary A_H is shown in Fig. 5. The integer i is the number of Fn queries made by A, and we consider two cases. The first is if i ≤ 1. Then the probability that bad is set in G_3 is zero, so Equation (10) is true no matter what A_H returns. So, as a default, we just have A_H return a pair (u_1, u_2) of random inputs. Now assume i ≥ 2. This permits the choices of j_1, j_2 as shown. Now we note that for game G_3 to set bad, a z_1 value must repeat across queries. By assumption the queries are distinct, so the only way this could happen is if there were queries j_1 < j_2 such that the w_1, hk_1, hck_1 values in these queries were the same but the x_1 values were different. This would be a collision for H(hk_0, ·). Now we have to argue that such a collision can be found by a CAU-adversary A_H. This adversary does not know hk_0, so how can it simulate A? In game G_3, the point y_0 is always random. Since R.Out is a group, y is also random. So A_H can simulate A's oracle by just returning random values. It does this, collecting all the x_1 values in the queries.
In the end it picks at random two of these values and returns them. This justifies Equation (10), which, combined with Equation (9), justifies Equation (7).
As we have just said, in game G_3, the point y_0 is always random and independent of anything else. Since R.Out is a group, y is also random. This justifies Equation (8) and completes the proof.

Instantiations
We instantiate our SPRF construction to get symmetric and dual PRFs under specific assumptions.

Construction from (keyless) CR hash functions
We give a construction from any keyless collision-resistant hash function. It itself will play the role of H. The following lemma says that for suitable choices of parameters, an extractor (see Section 2 for background) will provide a leakage hardcore function.
Proof of Lemma 6.1: Let random variable X be uniformly distributed over {0,1}^n. Let U_s, U_m be random variables distributed uniformly over {0,1}^s and {0,1}^m, respectively, and let Y = H(ε, X). The following chain of inequalities, which establishes the lemma, is justified below:
Let X and U_s represent, respectively, the randomly chosen x_0 and hck in game G^lhc_{H,HC}(A) of Fig. 2. Then Ext(U_s, X) represents s_1 while U_m represents s_0. Since H is keyless, the only information A can get from its Lk oracle is Y = H(ε, X). The statistical distance of Equation (12) then represents the maximum possible advantage that A can obtain. The three random variables (X, Y), U_s, U_m are independent so we can apply Lemma 2.1 to get Equation (13). Since |Y| = r we have H_∞(X|Y) ≥ n − r, which, together with some simplification, yields Equation (14).
• Finally we select a PRF R : {0,1}^m × R.Inp → R.Out such that {0,1}^r × {ε} × {0,1}^s ⊆ R.Inp, and also R.Out is a commutative group, for simplicity {0,1}^l for some l with the group operation being bitwise xor. As we explain below, this can ultimately be built from a CR hash function, making the latter the only assumption.
Theorem 6.2 Let m, r ≥ 1 be integers, and select n, Ext, H, HC, R as above to define the (symmetric) function family S m,r also as above.Let A be an adversary.Then the proof constructs adversaries A H , A R such that The running times of the constructed adversaries are about the same as that of the original.
The above Theorem assumes that H is CR and R is a a PRF.Our ultimate claim is to rely only on the CR assumption.This is possible because (compressing) CR functions imply OWFs, which in turn imply PRGs [27] which in turn imply PRFs [24].(A direct construction of a PRG from a CR function is also possible [17] but assumes regularity and exponential hardness of the CR function, which we do not want to assume.)We do not give a formal result encompassing the final claim of a dual PRF from just a CR function because, in our concrete-security framework, the statement would need concrete bounds, and we do not know these bounds for the chain of just-mentioned reductions from prior work.Instead we leave this final theoretical result (CR hash functions imply dual PRFs) as understood asymptotically.
Proof of Theorem 6.2: Theorem 5.2 yields adversaries A H , A HC , A R such that where q is the number of queries A makes to its Fn oracle.Lemma 6.1 together with the choice of n made above imply that explaining the first term in Equation ( 15).Now we perform a small optimization.Cau-Adversary A H in the proof of Theorem 5.2 guessed a colliding pair of inputs for H, but our H is keyless and we assume CR.A CR-adversary A H can instead try all candidate pairs and return one (if any) that works.So we can replace q(q − 1)/2 • Adv cau H (A H ) by Adv cr H (A H ).This justifies Equation (15).Remark 6.3While unkeyed hash functions assumed to be CR are a practical reality (SHA-256 is an example), their formal treatment involves some subtleties.In the asymptotic setting, they cannot exist if we allow non-uniform adversaries.(Such an adversary could hardwire a collision for each choice of the security parameter.)If adversaries are assumed uniform, however, this anomaly goes away, and the assumption of the existence of such a family is meaningful.The concrete setting is inherently non uniform [14] but results (like ours) are still meaningful because they give explicit reductions (adversary constructions).Further elaboration can be found in [31].
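The following Python program is an added illustration of the CR-hash instantiation and is not code from the paper. The exact definition of S = SPRF[H, HC, R] is in the paper's Fig. 3, which this page does not reproduce, so the shape of S below is reconstructed from the page's description (keys and inputs are triples (x, hk, hck); R is keyed by the hardcore output HC(hck, (hk, x)) and takes (H(hk, x'), hk', hck') as input; the two R evaluations are combined with xor, which is what makes S symmetric). The concrete components are example choices: SHA-256 stands in for the keyless CR function H, an affine map modulo a prime truncated to m bits stands in for the universal extractor Ext of Lemma 6.1, HMAC-SHA256 stands in for R, and the parameter values n = 1024, m = 128, r = 256 are illustrative (the lemma needs n large compared with m + r, since only n − r bits of min-entropy remain in x after leaking H(ε, x)).

```python
"""Illustrative instantiation of the SPRF transform from a keyless CR hash.

Added example, not the paper's code. The formula for S is reconstructed from
the page's description of Theorem 5.2's proof; see the lead-in for assumptions.
"""
import hashlib
import hmac

# Example parameters: n = |x|, m = HC output / R key length, r = |H(x)|.
N_BITS = 1024          # source length n; chosen comfortably larger than m + r
M_BITS = 128           # m: length of the hardcore output that keys R
R_BITS = 256           # r: SHA-256 output length
P = (1 << 1279) - 1    # Mersenne prime > 2^n, field used by the extractor
SEED_BYTES = 2 * 160   # hck encodes two field elements (s = 2 * 1280 bits)
X_BYTES = N_BITS // 8


def H(hk: bytes, x: bytes) -> bytes:
    """Keyless CR hash: the key slot must be the empty string (epsilon)."""
    assert hk == b""
    return hashlib.sha256(x).digest()


def Ext(s: bytes, x: bytes) -> bytes:
    """Universal family Ext : {0,1}^s x {0,1}^n -> {0,1}^m (example choice).

    x -> (a*x + b) mod P, truncated to m bits. For x != x' the pair of
    outputs is uniform over Z_P^2 when (a, b) is uniform, so two distinct
    inputs collide with probability about 2^-m, as universality requires.
    """
    assert len(s) == SEED_BYTES and len(x) == X_BYTES
    a = int.from_bytes(s[:160], "big") % P
    b = int.from_bytes(s[160:], "big") % P
    v = (a * int.from_bytes(x, "big") + b) % P
    return (v & ((1 << M_BITS) - 1)).to_bytes(M_BITS // 8, "big")


def HC(hck: bytes, hk: bytes, x: bytes) -> bytes:
    """Leakage hardcore function for H as in Lemma 6.1: HC(hck, (hk, x)) = Ext(hck, x)."""
    assert hk == b""
    return Ext(hck, x)


def R(key: bytes, w: bytes, hk: bytes, hck: bytes) -> bytes:
    """PRF R : {0,1}^m x R.Inp -> {0,1}^256 on input (w, hk, hck).

    HMAC-SHA256 stands in for R; length prefixes keep the input encoding injective.
    """
    msg = b"".join(len(part).to_bytes(2, "big") + part for part in (w, hk, hck))
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(u: bytes, v: bytes) -> bytes:
    """Group operation on R.Out = {0,1}^256."""
    return bytes(p ^ q for p, q in zip(u, v))


def S(a: tuple, b: tuple) -> bytes:
    """Symmetric PRF S(a, b); a and b are triples (x, hk, hck) (reconstructed shape)."""
    x0, hk0, hck0 = a
    x1, hk1, hck1 = b
    # R keyed by the hardcore bits of one triple, applied to the hash of the other.
    y0 = R(HC(hck0, hk0, x0), H(hk0, x1), hk1, hck1)
    y1 = R(HC(hck1, hk1, x1), H(hk1, x0), hk0, hck0)
    return xor(y0, y1)   # xor is commutative, so S(a, b) = S(b, a)


def triple(tag: bytes) -> tuple:
    """Constructed deterministic sample triple (x, epsilon, hck) for demonstration."""
    x = hashlib.shake_256(b"x" + tag).digest(X_BYTES)
    hck = hashlib.shake_256(b"hck" + tag).digest(SEED_BYTES)
    return (x, b"", hck)


def is_symmetric(a: tuple, b: tuple) -> bool:
    """Check of Proposition 5.1 on one pair: swapping key and input changes nothing."""
    return S(a, b) == S(b, a)


if __name__ == "__main__":
    a, b, c = triple(b"A"), triple(b"B"), triple(b"C")
    print("S(a,b) == S(b,a):", is_symmetric(a, b))
    print("S(a,b) != S(a,c):", S(a, b) != S(a, c))
```

Because S is symmetric by construction, the dual PRF property comes for free once S is a PRF; the only place collision resistance of H enters is the CAU requirement that distinct x_1 values produce distinct R inputs, which is why Theorem 6.2 can replace the q(q − 1)/2 · Adv^cau term by a single Adv^cr term.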

Construction from any OWP
We show that the existence of one-way permutations (OWPs) implies the existence of dual PRFs. We do this by instantiating our SPRF construction using an iterated OWP for H and a leakage hardcore function obtained via the BMY PRG [16,33]. Let F : {ε} × X → X be a keyless one-way family of permutations with domain and range a set X. (The standard definition of a OWP is indeed keyless.) For i ≥ 1 let F^(i) : {ε} × X → X be the i-th iterate of F, defined inductively by F^(0)(ε, x) = x and F^(i)(ε, x) = F(ε, F^(i−1)(ε, x)) for i ≥ 1.
Our symmetric and dual PRF S_m is parameterized by an integer m. Let R : {0, 1}^m × R.Inp → R.Out be a PRF such that X × {ε} × {ε} ⊆ R.Inp, and also R.Out is a commutative group, for simplicity {0, 1}^l for some l with the group operation being bitwise xor. This is not an extra assumption because OWPs imply PRGs [16,33,25], which in turn imply PRFs [24]. Let H = F^(m) be the m-fold iterate of F. We assume a hardcore predicate HC_1 : {ε} × ({ε} × H.Inp) → {0, 1} for F. (Any OWP can be modified to one that has a keyless hardcore predicate, making this assumption without loss of generality.) Let HC : {ε} × ({ε} × H.Inp) → {0, 1}^m be defined by
Then HC is a hardcore function for H = F^(m) assuming only one-wayness of F. Now we have two observations. First, since F, and hence H, is keyless, and we know that HC is a hardcore function for H, Lemma 4.1 implies that it is also a leakage hardcore function for H. Second, H is trivially CAU, because it is a permutation family, so there simply do not exist collisions. We can thus apply our SPRF transform to the suite (H, HC, R) to get a symmetric function family S_m that, by Theorem 5.2, is a PRF.
The following says that S_m is a PRF. Since it is symmetric, it is also a dual PRF.
Theorem 6.4 Let m ≥ 1 be an integer, and select F, H, HC, R as above to define the (symmetric) function family S_m also as above. Let A be an adversary. Then the proof constructs adversaries A_HC, A_R such that
$$\mathrm{Adv}^{\mathrm{prf}}_{S_m}(A) \le \mathrm{Adv}^{\mathrm{hc}}_{H,HC}(A_{HC}) + \mathrm{Adv}^{\mathrm{prf}}_{R}(A_R) . \tag{16}$$
The running times of the constructed adversaries are about the same as that of the original.
As with Theorem 6.2, we stop short of a formal statement encompassing the final theoretical claim that OWPs alone imply dual PRFs, due to the challenges of casting this in a concrete framework. We have however already discussed above how it is obtained asymptotically. Briefly, OWPs imply PRFs and, if OWPs exist, so do OWPs with keyless hardcore predicates as assumed above.
Proof of Theorem 6.4: Theorem 5.2 yields adversaries A_H, A_HC, A_R such that
$$\mathrm{Adv}^{\mathrm{prf}}_{S_m}(A) \le \mathrm{Adv}^{\mathrm{lhc}}_{H,HC}(A_{HC}) + \mathrm{Adv}^{\mathrm{prf}}_{R}(A_R) + \frac{q(q-1)}{2} \cdot \mathrm{Adv}^{\mathrm{cau}}_{H}(A_H) ,$$
where q is the number of queries A makes to its Fn oracle. However Adv^cau_H(A_H) = 0 since H is a permutation, so this term disappears. Also, since H is keyless, the lhc-advantage is the same as the hc-advantage. This justifies Equation (16).

Ending remarks
A construction of a dual PRF from any OWF eludes us, and we see this as an interesting open question. Since PRFs are known to exist given a OWF [27,24], Theorem 5.2 reduces the task of building a dual PRF from a OWF to the task of building, from a OWF, a CAU function family H with a leakage hardcore function HC with long-enough output. However, at present we do not know a way to do this.
One may ask what the conclusion is for HMAC. As discussed in Section 1, our intent was to give a generic validation of the dual PRF assumption made in various places, including on HMAC's compression function h in [6]. We have successfully done this through constructions of dual PRFs under standard assumptions. We could, in principle, plug one of our dual PRFs in as the choice of h for HMAC. Then the results of [6] combined with ours would imply PRF security of this alternative HMAC, the assumptions being (only) the ones in our results. However, we are not aware of any practical utility, or value, of this alternative HMAC.

Figure 1: Games for defining PRF and OWF security of a function family F, CAU security of a function family H, and HC being a hardcore function family for H.

Figure 2: Games for defining security of HC as a standard and leakage hardcore function for H.

Lemma 4.1 Suppose H is a keyless function family and HC : HC.Inp × ({ε} × H.Inp) → HC.Out is a function family. Let A be a lhc-adversary. Then the proof constructs a hc-adversary A_0 such that
$$\mathrm{Adv}^{\mathrm{lhc}}_{H,HC}(A) \le \mathrm{Adv}^{\mathrm{hc}}_{H,HC}(A_0) .$$

Figure 3: SPRF construction.
Our construction associates to any suite (H, HC, R) as above the function family S = SPRF[H, HC, R] defined as follows. It has S.Keys = S.Inp = H.Inp × H.Keys × HC.Keys, meaning a key or input is a triple a = (x, hk, hck) consisting of a point x ∈ H.Inp, a key hk for the CAU family H and a key hck for the hardcore function family HC. It has range the group S.Out = R.Out. The function family is then defined as shown in Fig. 3.
Proposition 5.1 Let (H, HC, R) be a suite of function families. Let S = SPRF[H, HC, R] be the function family associated to them as above. Then S is symmetric.

Figure 4: Games for proof of Theorem 5.2.
Lemma 2.1 Let Ext : {0, 1}^s × {0, 1}^n → {0, 1}^m be a function family that is universal. Let X be a random variable over {0, 1}^n. Let U_s, U_m be random variables distributed uniformly over {0, 1}^s and {0, 1}^m, respectively, and let Y be a random variable. Assume the three random variables