Constrained Pseudorandom Functions for Turing Machines Revisited: How to Achieve Verifiability and Key Delegation

Abstract

Constrained pseudorandom functions (CPRF) are an enriched variant of traditional pseudorandom functions (PRF)—a fundamental tool of modern cryptography. A CPRF enables a master PRF key holder to issue constrained keys corresponding to specific constraint predicates over the input domain. A constrained key can be used to evaluate the PRF on inputs accepted by the associated constraint predicate, while the PRF outputs on the rest of the inputs still remain computationally indistinguishable from uniformly random values. A constrained verifiable pseudorandom function (CVPRF) enhances a CPRF by adding a non-interactive public verification mechanism for checking the correctness of PRF evaluations. On the other hand, a delegatable constrained pseudorandom function (DCPRF) augments a CPRF with the ability to empower constrained key holders to delegate further constrained keys that allow PRF evaluations on inputs accepted by more restricted constraint predicates compared to ones embedded in their own constrained keys. Until recently, all the proposed constructions of CPRFs and their extensions (i) either could handle constraint predicates representable as circuits or (ii) were based on risky knowledge-type assumptions. In EUROCRYPT 2016, Deshpande et al. presented a CPRF supporting constraint predicates realizable by Turing machines (TM) based on indistinguishability obfuscation and injective pseudorandom generators. Their construction was claimed to be selectively secure. The first contribution of this paper is demonstrating that their claim is not valid. In fact, their CPRF construction can actually be proven secure not in the selective model, rather in a significantly weaker one where the adversary is completely static. We then modify their construction with innovative techniques so as to make the resulting CPRF selectively secure. Towards our goal, we suitably redesign the security proof as well. Most significantly, our modification does not involve any additional heavy duty cryptographic tool. Next, employing only standard public key encryption, we extend our improved CPRF construction to present the first ever CVPRF and DCPRF constructions that can handle constraints expressible as TMs.