The standard Learning with Errors (LWE) problem is associated with a polynomial modulus, which implies exponential hardness against quantum or classical algorithms. However, most of the existing LWE-based PRF schemes need super-polynomial or even exponential modulus. The very recent works due to Kim (Eurocrypt 2020) and Lai et al. (PKC 2020) present PRFs from the standard LWE (i.e., LWE with polynomial modulus) assumptions. However, their PRFs cannot be implemented in NC circuits. With the help of the Döttling-Schröder (DS) paradigm (Crypto 2015), Lai et al.’s PRF circuit can be compressed to \(NC^{2+\delta }\) with \(\delta > 0\). In this paper, we focus on constructing PRFs with shallower circuit implementations from the standard LWE assumption. To this end, we present three PRF schemes. The first two schemes are constructed from the generalized pseudorandom synthesizer (gSYN) and pseudorandom generators (PRGs) and can be implemented in \(NC^3\) and \(NC^2\) respectively. Meanwhile, the security of the two PRFs are based on the standard LWE assumptions, but only allow bounded queries from the adversary. Then we apply the DS paradigm to our PRFs to obtain the third PRF scheme in circuit class \(NC^{1+\epsilon }\) with \(\epsilon \in (0,1)\), which not only relies on the standard LWE assumption, but also supports unbounded queries. Compared with the existing PRFs from standard LWE, our third PRF has the shallowest circuit.

标准的错误学习 (LWE) 问题与多项式模数相关，这意味着对抗量子或经典算法的指数硬度。然而，现有的大多数基于 LWE 的 PRF 方案都需要超多项式甚至指数模。Kim (Eurocrypt 2020) 和 Lai 等人的最新作品。(PKC 2020) 根据标准 LWE（即具有多项式模数的 LWE）假设呈现 PRF。然而，它们的 PRF 不能在 NC 电路中实现。在 Döttling-Schröder (DS) 范式 (Crypto 2015) 的帮助下，Lai 等人的 PRF 电路可以压缩为\(NC^{2+\delta }\)和\(\delta > 0\). 在本文中，我们专注于根据标准 LWE 假设构建具有较浅电路实现的 PRF。为此，我们提出了三种 PRF 方案。前两种方案由广义伪随机合成器 (gSYN) 和伪随机生成器 (PRG) 构成，可以分别在\(NC^3\)和\(NC^2\) 中实现。同时，两个 PRF 的安全性基于标准的 LWE 假设，但只允许来自对手的有界查询。然后我们将 DS 范式应用于我们的 PRF 以获得电路类\(NC^{1+\epsilon }\) 中的第三个 PRF 方案，其中\(\epsilon \in (0,1)\)，它不仅依赖于标准的 LWE 假设，而且还支持无界查询。与来自标准 LWE 的现有 PRF 相比，我们的第三个 PRF 具有最浅的电路。