Cryptology ePrint Archive: Report 2014/840

Constrained PRFs for Unbounded Inputs

Hamza Abusalah and Georg Fuchsbauer and Krzysztof Pietrzak

Abstract: A constrained pseudorandom function $F: K \times X \to Y$ for a family $T$ of subsets of $X$ is a function where for any key $k \in K$ and set $S \in T$ one can efficiently compute a constrained key $k_S$ which allows to evaluate $F(k,.)$ on all inputs $x\in S$, while even given this key, the outputs on all inputs $x \notin S$ look random. At Asiacrypt'13 Boneh and Waters gave a construction which supports the most general set family so far. Its keys $k_C$ are defined for sets decided by boolean circuits $C$ and enable evaluation of the PRF on any $x \in X$ where $C(x)=1$. In their construction the PRF input length and the size of the circuits $C$ for which constrained keys can be computed must be fixed beforehand during key generation.

We construct a constrained PRF that has an unbounded input length and whose constrained keys can be defined for any set recognized by a Turing machine. The only a priori bound we make is on the description size of the machines. We prove our construction secure assuming public-coin differing-input obfuscation.

As applications of our constrained PRF we build a broadcast encryption scheme where the number of potential receivers need not be fixed at setup (in particular, the length of the keys is independent of the number of parties) and the first identity-based non-interactive key exchange protocol with no bound on the number of parties that can agree on a shared key.

Category / Keywords: Constrained PRFs, broadcast encryption, identity-based non-interactive key exchange

Original Publication (with major differences): CT-RSA 2016

Date: received 15 Oct 2014, last revised 18 Nov 2015

Contact author: gfuchsbauer at ist ac at

Available format(s): PDF | BibTeX Citation

Note: We revised the main construction so it only requires *public-coin* differing-input obfuscation.

Version: 20151118:132638 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]