Paper 2013/401

Functional Signatures and Pseudorandom Functions

Elette Boyle, Shafi Goldwasser, and Ioana Ivan

Abstract

In this paper, we introduce two new cryptographic primitives: \emph{functional digital signatures} and \emph{functional pseudorandom functions}. In a functional signature scheme, in addition to a master signing key that can be used to sign any message, there are \emph{signing keys for a function} $f$, which allow one to sign any message in the range of $f$. As a special case, this implies the ability to generate keys for predicates $P$, which allow one to sign any message $m$, for which $P(m)=1$. We show applications of functional signatures to constructing succinct non-interactive arguments and delegation schemes. We give several general constructions for this primitive based on different computational hardness assumptions, and describe the trade-offs between them in terms of the assumptions they require and the size of the signatures. In a functional pseudorandom function, in addition to a master secret key that can be used to evaluate the pseudorandom function $$ on any point in the domain, there are additional \emph{secret keys for a function} $$, which allow one to evaluate $$ on any $$ for which there exists an $$ such that $$. As a special case, this implies \emph{pseudorandom functions with selective access}, where one can delegate the ability to evaluate the pseudorandom function on inputs $$ for which a predicate $$ holds. We define and provide a sample construction of a functional pseudorandom function family for prefix-fixing functions.