We construct a constrained PRF that has an unbounded input length and whose constrained keys can be defined for any set recognized by a Turing machine. The only a priori bound we make is on the description size of the machines. We prove our construction secure assuming public-coin differing-input obfuscation.
As applications of our constrained PRF we build a broadcast encryption scheme where the number of potential receivers need not be fixed at setup (in particular, the length of the keys is independent of the number of parties) and the first identity-based non-interactive key exchange protocol with no bound on the number of parties that can agree on a shared key.Category / Keywords: Constrained PRFs, broadcast encryption, identity-based non-interactive key exchange Original Publication (with major differences): CT-RSA 2016 Date: received 15 Oct 2014, last revised 18 Nov 2015 Contact author: gfuchsbauer at ist ac at Available format(s): PDF | BibTeX Citation Note: We revised the main construction so it only requires *public-coin* differing-input obfuscation. Version: 20151118:132638 (All versions of this report) Short URL: ia.cr/2014/840 Discussion forum: Show discussion | Start new discussion