International Association for Cryptologic Research (IACR)
Abstract
Constrained pseudorandom functions (CPRF) are a fundamental extension of the notion
of traditional pseudorandom functions (PRF). A CPRF enables a master PRF key holder to
issue constrained keys corresponding to specific constraint predicates over the input domain. A
constrained key can be used to evaluate the PRF only on those inputs which are accepted by the
associated constraint predicate. However, the PRF outputs on the rest of the inputs still remain
computationally indistinguishable from uniformly random values. A constrained verifiable pseudorandom
function (CVPRF) enhances a CPRF with a non-interactive public verification mechanism
for checking the correctness of PRF evaluations. A delegatable constrained pseudorandom function
(DCPRF) is another extension which augments a CPRF to empower constrained key holders to delegate
further constrained keys that allow PRF evaluations on inputs accepted by more restricted
constraint predicates compared to the ones embedded in their own constrained keys. Until recently,
all the proposed constructions of CPRFs and their extensions either (i) could handle only bounded-length
inputs or (ii) were based on risky knowledge-type assumptions. In EUROCRYPT 2016,
Deshpande et al. presented a CPRF construction supporting inputs of unconstrained polynomial
length based on indistinguishability obfuscation and injective pseudorandom generators, which
they claimed to be selectively secure. In this paper, we first identify a flaw in their security
argument and resolve this by carefully modifying their construction and suitably redesigning the
security proof. Our alteration does not involve any additional heavy-duty cryptographic tools. Next,
employing only standard public key encryption (PKE), we extend our CPRF construction, presenting
the first ever CVPRF and DCPRF constructions that can handle inputs of unbounded polynomial
length. Finally, we apply our ideas to demonstrate the first known attribute-based signature (ABS)
scheme for general signing policies supporting signing attributes of arbitrary polynomial length
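The following is an added illustration, not code from the paper or from Deshpande et al.: a toy prefix-constrained PRF in the GGM tree style, in which the master key is the root seed, a constrained key for the predicate "x starts with prefix p" is the tree node at p, and delegation (the DCPRF notion above) hands out a node deeper in the same subtree. HMAC-SHA256 stands in for the length-doubling PRG, and inputs are n-bit strings; the input length n is fixed at key generation, which is exactly the bounded-input-length limitation the abstract says earlier constructions had and the paper's iO-based construction removes. Verifiability (CVPRF) is not shown.

```python
"""Toy GGM-style prefix-constrained PRF (illustration only; not the paper's construction)."""
import hashlib
import hmac
import secrets
from typing import Optional


def _prg(seed: bytes, bit: int) -> bytes:
    """Length-doubling PRG modelled as HMAC-SHA256(seed, bit): the two children
    of a tree node are G_0(seed) and G_1(seed)."""
    return hmac.new(seed, bytes([bit]), hashlib.sha256).digest()


def _walk(node: bytes, bits: str) -> bytes:
    """Descend from `node` along the bit string `bits`."""
    for b in bits:
        node = _prg(node, int(b))
    return node


def _check_bits(s: str, name: str) -> None:
    if any(c not in "01" for c in s):
        raise ValueError(f"{name} must be a binary string")


class ConstrainedKey:
    """Key for the predicate C_p(x) = 1 iff the n-bit input x starts with prefix p."""

    def __init__(self, n: int, prefix: str, node: bytes):
        self.n, self.prefix, self.node = n, prefix, node

    def accepts(self, x: str) -> bool:
        return len(x) == self.n and x.startswith(self.prefix)

    def eval(self, x: str) -> bytes:
        """Evaluate only on accepted inputs; the subtree below `prefix` is all
        this key can compute, so outputs elsewhere stay pseudorandom to its holder."""
        _check_bits(x, "input")
        if not self.accepts(x):
            raise PermissionError("input rejected by constraint predicate")
        return _walk(self.node, x[len(self.prefix):])

    def delegate(self, new_prefix: str) -> "ConstrainedKey":
        """DCPRF-style delegation: a holder may only issue keys for a more
        restrictive predicate, i.e. a longer prefix that extends its own."""
        _check_bits(new_prefix, "prefix")
        if len(new_prefix) > self.n or not new_prefix.startswith(self.prefix):
            raise PermissionError("delegated predicate must be more restrictive")
        return ConstrainedKey(self.n, new_prefix,
                              _walk(self.node, new_prefix[len(self.prefix):]))


class GGMPrefixCPRF:
    """Master-key holder: evaluates on every n-bit input and issues prefix keys."""

    def __init__(self, n: int, master_key: Optional[bytes] = None):
        self.n = n
        # A fixed master_key is accepted only to make demonstrations reproducible.
        self.msk = master_key if master_key is not None else secrets.token_bytes(32)

    def eval(self, x: str) -> bytes:
        _check_bits(x, "input")
        if len(x) != self.n:
            raise ValueError(f"input must have exactly {self.n} bits")
        return _walk(self.msk, x)

    def constrain(self, prefix: str) -> ConstrainedKey:
        _check_bits(prefix, "prefix")
        if len(prefix) > self.n:
            raise ValueError("prefix longer than input length")
        return ConstrainedKey(self.n, prefix, _walk(self.msk, prefix))


def demo() -> dict:
    """Constructed walkthrough with a fixed (insecure, demo-only) master key."""
    f = GGMPrefixCPRF(n=8, master_key=b"\x00" * 32)
    ck = f.constrain("01")          # can evaluate on 01******
    sub = ck.delegate("0110")       # more restricted: 0110****
    x = "01101100"
    return {
        "constrained_matches_master": ck.eval(x) == f.eval(x),
        "delegated_matches_master": sub.eval(x) == f.eval(x),
        "delegated_rejects_parent_input": not sub.accepts("01001100"),
    }


if __name__ == "__main__":
    print(demo())
```

The security claim the abstract describes corresponds here to the fact that a node at prefix p reveals nothing about sibling subtrees beyond what the PRG leaks; a real construction must of course prove this against the chosen PRG, and this toy makes no such proof.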