**Constrained PRFs for Unbounded Inputs**

*Hamza Abusalah and Georg Fuchsbauer and Krzysztof Pietrzak*

**Abstract: **A constrained pseudorandom function $F: K \times X \to Y$ for a family $T$ of subsets of $X$ is a function where for any key $k \in K$ and set $S \in T$ one can efficiently compute a constrained key $k_S$ which allows to evaluate $F(k,.)$ on all inputs $x\in S$, while even given this key, the outputs on all inputs $x \notin S$ look random. At Asiacrypt'13 Boneh and Waters gave a construction which supports the most general set family so far. Its keys $k_C$ are defined for sets decided by boolean circuits $C$ and enable evaluation of the PRF on any $x \in X$ where $C(x)=1$. In their construction the PRF input length and the size of the circuits $C$ for which constrained keys can be computed must be fixed beforehand during key generation.

We construct a constrained PRF that has an unbounded input length and whose constrained keys can be defined for any set recognized by a Turing machine. The only a priori bound we make is on the description size of the machines. We prove our construction secure assuming public-coin differing-input obfuscation.

As applications of our constrained PRF we build a broadcast encryption scheme where the number of potential receivers need not be fixed at setup (in particular, the length of the keys is independent of the number of parties) and the first identity-based non-interactive key exchange protocol with no bound on the number of parties that can agree on a shared key.

**Category / Keywords: **Constrained PRFs, broadcast encryption, identity-based non-interactive key exchange

**Original Publication**** (with major differences): **CT-RSA 2016

**Date: **received 15 Oct 2014, last revised 18 Nov 2015

**Contact author: **gfuchsbauer at ist ac at

**Available format(s): **PDF | BibTeX Citation

**Note: **We revised the main construction so it only requires *public-coin* differing-input obfuscation.

**Version: **20151118:132638 (All versions of this report)

**Short URL: **ia.cr/2014/840

[ Cryptology ePrint archive ]