Constrained Pseudorandom Functions for Unconstrained Inputs Revisited: Achieving Verifiability and Key Delegation

Datta, Pratish; Dutta, Ratna; Mukhopadhyay, Sourav

doi:10.1007/978-3-662-54388-7_16

Pratish Datta¹⁴,
Ratna Dutta¹⁴ &
Sourav Mukhopadhyay¹⁴

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10175))

Included in the following conference series:

IACR International Workshop on Public Key Cryptography

1919 Accesses
6 Citations

Abstract

In EUROCRYPT 2016, Deshpande et al. presented a construction of constrained pseudorandom function (CPRF) supporting inputs of unconstrained polynomial length based on indistinguishability obfuscation and injective pseudorandom generators. Their construction was claimed to be selectively secure. We demonstrate in this paper that their CPRF construction can actually be proven secure not in the selective model, rather in a significantly weaker security model where the adversary is forbidden to query constrained keys adaptively. We also show how to allow adaptive constrained key queries in their construction by innovating new technical ideas. We suitably redesign the security proof. We emphasize that our modification does not involve any additional heavy duty cryptographic tool. Our improved CPRF is further enhanced to present the first constructions of constrained verifiable pseudorandom function (CVPRF) and delegatable constrained pseudorandom function (DCPRF) supporting inputs of unconstrained polynomial length, employing only standard public key encryption (PKE).

You have full access to this open access chapter, Download conference paper PDF

Constrained Pseudorandom Functions for Turing Machines Revisited: How to Achieve Verifiability and Key Delegation

Article 17 May 2019

Constrained (Verifiable) Pseudorandom Function from Functional Encryption

Adaptively Secure Constrained Verifiable Random Function

Keywords

1 Introduction

Constrained Pseudorandom Functions: Constrained pseudorandom functions (CPRF), concurrently introduced by Boneh and Waters [6], Boyle et al. [7], as well as Kiayias et al. [19], are promising extension of the notion of standard pseudorandom functions (PRF) [15]. PRF is a fundamental primitive in modern cryptography. A PRF is a deterministic keyed function with the following property: Given a key, the function can be computed in polynomial time at all points of its input domain. But, without the key it is computationally hard to distinguish the PRF output at any arbitrary input from a uniformly random value, even after seeing the PRF evaluations on a polynomial number of inputs. A CPRF is an augmentation of a PRF with an additional constrain algorithm which enables a party holding a master PRF key to derive constrained keys that allow the evaluation of the PRF over certain subsets of the input domain. However, PRF evaluations on the rest of the inputs still remain computationally indistinguishable from random.

Since their inception, CPRF’s have found countless applications in various branches of cryptography ranging from broadcast encryption, attribute-based encryption to policy-based key distribution, multi-party on-interactive key exchange. Even the simplest class of CPRF’s, known as puncturable pseudorandom functions (PPRF) [23], have turned out to be a powerful tool in conjunction with indistinguishability obfuscation [14]. In fact, the combination of these two primitives have led to solutions of longstanding open problems including deniable encryption, full domain hash, adaptively secure functional encryption for general functionalities, and functional encryption for randomized functionalities through the classic punctured programming technique introduced in [23].

Over the last few years there has been a significant progress in the field of CPRF’s. In terms of expressiveness of the constraint predicates, starting with the most basic type of constraints such as prefix constraints [6, 7, 19] (which also encompass puncturing constraints) and bit fixing constraints [6, 13], CPRF’s have been constructed for highly rich constraint families such as circuit constraints [4, 6, 8, 16] employing diverse cryptographic tools and based on various complexity assumptions. In terms of security, most of the existing CPRF constructions are only selectively secure. The stronger and more realistic notion of adaptive security seems to be rather challenging to achieve without complexity leveraging. In fact, the best known results so far on adaptive security of CPRF’s require super-polynomial security loss [13], or work for very restricted form of constraints [17], or attain the security in non-collusion mode [8], or accomplish security in the random oracle model [16].

Constrained Verifiable Pseudorandom Functions: An interesting enhancement of the usual CPRF’s is verifiability. A verifiable constrained pseudorandom function (CVPRF), independently introduced by Fuchsbauer [12] and Chandran et al. [9], is the unification of the notions of a verifiable random function (VRF) [21] and a standard CPRF. In a CVPRF system, a public verification key is set similar to a traditional VRF, along with the master PRF key. Besides enabling the evaluation of the PRF, the master PRF key can be utilized to generate a non-interactive proof of correctness of the evaluation. This proof can be verified by any party using only the public verification key. On the other hand, as in the case of a CPRF, here also the master PRF key holder can give out constrained keys for specific constraint predicates. A constrained key corresponding to some constraint predicate p allows the evaluation of the PRF together with the generation of a non-interactive proof of correct evaluation for only those inputs x for which $p(x)=1$. In essence, CVPRF’s resolve the issue of trust on a CPRF evaluator for the correctness of the received PRF output. In [9, 12], the authors have shown that the CPRF constructions of [6] for the bit fixing and circuit constraints can be augmented with the verifiability feature without incurring any significant additional cost.

Delegatable Constrained Pseudorandom Functions: Key delegation is another interesting enrichment of standard CPRF’s. This feature empowers the holder of a constrained key, corresponding to some constraint predicate $p\in \mathbb {P}$ with the ability to distribute further restricted keys corresponding to the joint predicates $p \wedge \widetilde{p}$, for constraints $\widetilde{p}\in \mathbb {P}$, where $\mathbb {P}$ is certain constraint family over the input domain of the PRF. Such a delegated key can be utilized to evaluate the PRF on only those inputs x for which $[p(x)=1] \wedge [\widetilde{p}(x)=1]$, whereas, the PRF outputs on the rest of the inputs are computationally indistinguishable from random values. The concept of key delegation in the context of CPRF’s has been recently introduced by Chandran et al. [9], who have shown how to extend the bit fixing and circuit-based CPRF constructions of [6] to support key delegation.

CPRF ’s for Unconstrained Inputs: Until recently, the research on CPRF’s has been confined to inputs of apriori bounded length. In fact, all the CPRF constructions mentioned above could handle only bounded length inputs. Abusalah et al. [2] have taken a first step forward towards overcoming the barrier of bounded input length. They have also demonstrated highly motivating applications of CPRF’s supporting apriori unconstrained length inputs such as broadcast encryption with an unbounded number of recipients and multi-party identity-based non-interactive key exchange with no pre-determined bound on the number of parties. They presented a selectively secure CPRF for unconstrained length inputs by viewing the constraint predicates as Turing machines (TM) that can handle inputs of arbitrary polynomial length. In a more recent work, Abusalah and Fuchsbauer [1] have made progress towards efficiency improvements by constructing TM-based CPRF’s with much shorter constrained keys compared to the CPRF construction of [2].

However, both the aforementioned CPRF constructions rely on the existence of public-coin differing-input obfuscators and succinct non-interactive arguments of knowledge, which are believed to be risky assumptions due to their inherent extractability nature. In EUROCRYPT 2016, Deshpande et al. [10] presented a CPRF for TM constraints, supporting inputs of unconstrained polynomial length, which they claimed to be selectively secure. Their CPRF construction utilizes indistinguishability obfuscators (IO) for circuits and injective pseudorandom generators. Currently, there is no known impossibility or implausibility result on IO and, moreover, in the last few years, there has been a significant progress towards constructing IO based on standard complexity assumptions.

Our Contributions: Unfortunately, the CPRF construction of [10] can not be proven secure in the selective model, as will be shown in this paper, rather the construction actually derives its security in a significantly weaker model. Further, as per as we know, there is no existing construction of CVPRF’s or delegatable CPRF’s (DCPRF) supporting inputs of unconstrained length. Our work in this paper is two-fold:

Firstly, we identify a flaw in the security argument of the CPRF construction of [10], by a thorough analysis of the construction and its security proof. Selective security is a security notion for CPRF’s where the adversary is bound to declare upfront the challenge input, on which it wishes to distinguish the PRF output from random, but is allowed to query the legitimate constrained keys and PRF values adaptively. We observe that the CPRF construction of [10] can be proven secure only if the adversary is not just forced to declare the challenge input, but also is bound to make all the constrained key queries prior to setting up the system. To address the security limitation of the CPRF construction of [10], we carefully modify their construction by innovating new technical ideas, which might be useful elsewhere, and suitably redesign the security proof. For building our improved CPRF system, we additionally use a somewhere statistically binding (SSB) hash function [18, 22] beyond the cryptographic tools used in [10]. Currently, efficient constructions of SSB hash based on standard number theoretic assumptions exist [22]. In effect, our modified CPRF stands out to be the first IO-based provably selectively secure CPRF for TM constraints that can handle inputs of arbitrary polynomial length.
Secondly, we enhance our construction of CPRF with verifiability and key delegation features, thereby, developing the first IO-based selectively secure constructions of CVPRF and DCPRF supporting inputs of unconstrained polynomial length. Towards achieving these two augmentations of our CPRF, we only assume the existence of a perfectly correct and chosen plaintext attack (CPA) secure public key encryption scheme, which is evidently a minimal assumption. Finally, we note that following [9, 12], our CVPRF construction would imply the first selectively unforgeable policy-based signature (PBS) scheme [5] where policies are represented as Turing machines.

2 Preliminaries

Here we give the necessary background on various cryptographic primitives we will be using throughout this paper. Let $\lambda \in \mathbb {N}$ denotes the security parameter. For $n\in \mathbb {N}$ and $a,b\in \mathbb {N}\cup \{0\}$ (with $a<b$), we let $[n]=\{1,\ldots ,n\}$ and $[a,b]=\{a,\ldots ,b\}$. For any set S, $\upsilon \xleftarrow {\$} S$ represents the uniform random variable on S. For a randomized algorithm $\mathcal {R}$, we denote by $\psi = \mathcal {R}(\upsilon ;\rho )$ the random variable defined by the output of $\mathcal {R}$ on input $\upsilon $ and randomness $\rho $, while $\psi \xleftarrow {\$} \mathcal {R}(\upsilon )$ has the same meaning with the randomness suppressed. Also, if $\mathcal {R}$ is a deterministic algorithm $\psi =\mathcal {R}(\upsilon )$ denotes the output of $\mathcal {R}$ on input $\upsilon $. We will use the alternative notation $\mathcal {R}(\upsilon )\rightarrow \psi $ as well to represent the output of the algorithm $\mathcal {R}$, whether randomized or deterministic, on input $\upsilon $. For any string $s\in \{0,1\}^*$, |s| represents the length of the string s. For any two strings $s, s'\in \{0,1\}^*$, $s\Vert s'$ represents the concatenation of s and $s'$.

2.1 Turing Machines

A Turing machine (TM) M is a 7-tuple $M=\langle Q,\varSigma _{\textsf {\textsc {inp}}},\varSigma _{\textsf {\textsc {tape}}},\delta ,q_0,q_{\textsf {\textsc {ac}}},q_{\textsf {\textsc {rej}}}\rangle $ with the following semantics:

Q: The finite set of possible states of M.
$\varSigma _{\textsf {\textsc {inp}}}$: The finite set of input symbols.
$\varSigma _{\textsf {\textsc {tape}}}$: The finite set of tape symbols such that $\varSigma _{\textsf {\textsc {inp}}}\subset \varSigma _{\textsf {\textsc {tape}}}$ and there exists a special blank symbol ‘$\_$’ $\in \varSigma _{\textsf {\textsc {tape}}}\backslash \varSigma _{\textsf {\textsc {inp}}}$.
$\delta :Q\times \varSigma _{\textsf {\textsc {tape}}}\rightarrow Q\times \varSigma _{\textsf {\textsc {tape}}}\times \{+1,-1\}$: The transition function of M.
$q_0\in Q$: The designated start state.
$q_{\textsf {\textsc {ac}}}\in Q$: The designated accept state.
$q_{\textsf {\textsc {rej}}}(\ne q_{\textsf {\textsc {ac}}})\in Q$: The distinguished reject state.

For any $t\in [T=2^\lambda ]$, we define the following variables for M, while running on some input (without the explicit mention of the input in the notations):

$\textsf {\textsc {pos}}_{M,t}$: An integer which denotes the position of the header of M after the t ^th step. Initially, $\textsf {\textsc {pos}}_{M,0}=0$.
$\textsf {\textsc {sym}}_{M,t}\in \varSigma _{\textsf {\textsc {tape}}}$: The symbol stored on the tape at the $\textsf {\textsc {pos}}_{M,t}$ ^th location.
$\textsf {\textsc {sym}}_{M,t}^{(\textsf {\textsc {write}})}\in \varSigma _{\textsf {\textsc {tape}}}$: The symbol to be written at the $\textsf {\textsc {pos}}_{M,t-1}$ ^th location during the t ^th step.
$\textsf {\textsc {st}}_{M,t}\in Q$: The state of M after the t ^th step. Initially, $\textsf {\textsc {st}}_{M,0}=q_0$.

At each time step, theTM M reads the tape at the header position and based on the current state, computes what needs to be written on the tape at the current header location, the next state, and whether the header must move left or right. More formally, let $(q,\zeta ,\beta \in \{+1,-1\})=\delta (\textsf {\textsc {st}}_{M,t-1},\textsf {\textsc {sym}}_{M,t-1})$. Then, $\textsf {\textsc {st}}_{M,t}=q, \textsf {\textsc {sym}}_{M,t}^{(\textsf {\textsc {write}})}=\zeta $, and $\textsf {\textsc {pos}}_{M,t}=\textsf {\textsc {pos}}_{M,t-1}+\beta $. M accepts at time t if $\textsf {\textsc {st}}_{M,t}=q_{\textsf {\textsc {ac}}}$. In this paper we consider $\varSigma _{\textsf {\textsc {inp}}}=\{0,1\}$ and $\varSigma _{\textsf {\textsc {tape}}}=\{0,1,\_\}$. Given any TM M and string $x\in \{0,1\}^*$, we define $M(x)=1$, if M accepts x within T steps, and 0, otherwise.

2.2 Indistinguishability Obfuscation

Definition 2.1

(Indistinguishability Obfuscation: IO [14]). An indistinguishability obfuscator (IO) $\mathcal {IO}$ for a certain circuit class $\{\mathbb {C}_\lambda \}_\lambda $ is a probabilistic polynomial-time (PPT) uniform algorithm satisfying the following conditions:

$\blacktriangleright $ Correctness: $\mathcal {IO}(\textsf {1}^\lambda ,C)$ preserves the functionality of the input circuit C, i.e., for any $C\in \mathbb {C}_\lambda $, if we compute $C'=\mathcal {IO}(\textsf {1}^\lambda ,C)$, then $C'(\upsilon )=C(\upsilon )$ for all inputs $\upsilon $.
$\blacktriangleright $ Indistinguishability: For any security parameter $\lambda $ and any two circuits $C_0,C_1\in \mathbb {C}_\lambda $ with same functionality, the circuits $\mathcal {IO}(\textsf {1}^\lambda ,C_0)$ and $\mathcal {IO}(\textsf {1}^\lambda ,C_1)$ are computationally indistinguishable. More precisely, for all (not necessarily uniform) PPT adversaries $\mathcal {D}=(\mathcal {D}_1,\mathcal {D}_2)$, there exists a negligible function $\textsf {negl} $ such that, if
$$\begin{aligned}&\textsf {Pr} \big [(C_0,C_1,\xi )\xleftarrow {\$} \mathcal {D}_1(\textsf {1}^\lambda )~:~\forall \,\upsilon ,C_0(\upsilon )=C_1(\upsilon )\big ]\ge 1-\textsf {negl} (\lambda ),\\ \text {then}~ \big |&\textsf {Pr} \big [\mathcal {D}_2(\xi ,\mathcal {IO}(\textsf {1}^\lambda ,C_0))=1\big ]-\textsf {Pr} \big [\mathcal {D}_2(\xi ,\mathcal {IO}(\textsf {1}^\lambda ,C_1))=1\big ]\big |\le \textsf {negl} (\lambda ). \end{aligned}$$

When clear from the context, we will drop $\textsf {1}^\lambda $ as an input to $\mathcal {IO}$ and $\lambda $ as a subscript of $\mathbb {C}$.

2.3 IO-Compatible Cryptographic Primitives

In this section, we present the syntax and correctness requirement of certain IO-friendly cryptographic tools which we will be using in the sequel. The security properties of these primitives can be found in the full version of this paper or in the references provided in the respective subsections below.

2.3.1 Puncturable Pseudorandom Function

Definition 2.2

(Puncturable Pseudorandom Function: PPRF [23]). A puncturable pseudorandom function (PPRF) $\mathcal {F}:\mathcal {K}_{\textsf {\textsc {pprf}}}\times \mathcal {X}_{\textsf {\textsc {pprf}}}\rightarrow \mathcal {Y}_{\textsf {\textsc {pprf}}}$ consists of an additional punctured key space $\mathcal {K}_{\textsf {\textsc {pprf-punc}}}$ other than the usual key space $\mathcal {K}_{\textsf {\textsc {pprf}}}$ and PPT algorithms $(\mathcal {F}.\textsf {Setup} ,\mathcal {F}.\textsf {Eval} , \mathcal {F}.\textsf {Puncture} , \mathcal {F}.\textsf {Eval-Punctured} )$ described below. Here, $\mathcal {X}_{\textsf {\textsc {pprf}}}=\{0,1\}^{\ell _{\textsf {\textsc {pprf-inp}}}}$ and $\mathcal {Y}_{\textsf {\textsc {pprf}}}=\{0,1\}^{\ell _{\textsf {\textsc {pprf-out}}}}$, where $\ell _{\textsf {\textsc {pprf-inp}}}$ and $\ell _{\textsf {\textsc {pprf-out}}}$ are polynomials in the security parameter $\lambda $,

$\mathcal {F}.\textsf {Setup} (\textsf {1}^\lambda )\rightarrow K:$ The setup authority takes as input the security parameter $\textsf {1}^\lambda $ and uniformly samples a PPRF key $K\in \mathcal {K}_{\textsf {\textsc {pprf}}}$.
$\mathcal {F}.\textsf {Eval} (K,x)\rightarrow r:$ The setup authority takes as input a PPRF key $K\in \mathcal {K}_{\textsf {\textsc {pprf}}}$ along with an input $x\in \mathcal {X}_{\textsf {\textsc {pprf}}}$. It outputs the PPRF value $r\in \mathcal {Y}_{\textsf {\textsc {pprf}}}$ on x. For simplicity, we will represent by $\mathcal {F}(K,x)$ the output of this algorithm.
$\mathcal {F}.\textsf {Puncture} (K,x)\rightarrow K\{x\}:$ Taking as input a PPRF key $K\in \mathcal {K}_{\textsf {\textsc {pprf}}}$ along with an element $x\in \mathcal {X}_{\textsf {\textsc {pprf}}}$, the setup authority outputs a punctured key $K\{x\}\in \mathcal {K}_{\textsf {\textsc {pprf-punc}}}$.
$\mathcal {F}.\textsf {Eval-Puncured} (K\{x\},x')\rightarrow r~\text {or}~\bot :$ An evaluator takes as input a punctured key $K\{x\}\in \mathcal {K}_{\textsf {\textsc {pprf-punc}}}$ along with an input $x'\in \mathcal {X}_{\textsf {\textsc {pprf}}}$. It outputs either a value $r\in \mathcal {Y}_{\textsf {\textsc {pprf}}}$ or a distinguished symbol $\bot $ indicating failure. For simplicity, we will represent by $\mathcal {F}(K\{x\},x')$ the output of this algorithm.

The algorithms $\mathcal {F}.\textsf {Setup} $ and $\mathcal {F}.\textsf {Puncture} $ are randomized, whereas, the algorithms $\mathcal {F}.\textsf {Eval} $ and $\mathcal {F}.\textsf {Eval-Punctured} $ are deterministic.

$\blacktriangleright $ Correctness Under Puncturing: Consider any security parameter $\lambda $, $K\in \mathcal {K}_{\textsf {\textsc {pprf}}}$, $x\in \mathcal {X}_{\textsf {\textsc {pprf}}}$, and $K\{x\}\xleftarrow {\$}\mathcal {F}.\textsf {Puncture} (K,x)$. Then it must hold that

$$\begin{aligned} \mathcal {F}(K\{x\},x')=\left\{ \begin{array}{ll} \mathcal {F}(K,x'), &{}\hbox {if} \,\, x'\ne x \\ \bot , &{}\hbox {otherwise} \end{array} \right. \end{aligned}$$

2.3.2 Somewhere Statistically Binding Hash Function

Definition 2.3

(Somewhere Statistically Binding Hash Function: SSB [18, 22]). A somewhere statistically binding (SSB) hash consists of PPT algorithms $(\textsf {SSB.Gen} , \mathcal {H}, \textsf {SSB.Open},\textsf {SSB.Verify} )$ along with a block alphabet $\varSigma _{\textsf {\textsc {ssb-blk}}}$ $=\{0,1\}^{\ell _{\textsf {\textsc {ssb-blk}}}}$, output size $\ell _{\textsf {\textsc {ssb-hash}}}$, and opening space $\varPi _{\textsf {\textsc {ssb}}}=\{0,1\}^{\ell _{\textsf {\textsc {ssb-open}}}}$, where $\ell _{\textsf {\textsc {ssb-blk}}},\ell _{\textsf {\textsc {ssb-hash}}},\ell _{\textsf {\textsc {ssb-open}}}$ are some polynomials in the security parameter $\lambda $. The algorithms have the following syntax:

$\textsf {SSB.Gen} (\textsf {1}^\lambda ,n_{\textsf {\textsc {ssb-blk}}},i^*)\rightarrow \textsf {\textsc {hk}}:$ The setup authority takes as input the security parameter $\textsf {1}^\lambda $, an integer $n_{\textsf {\textsc {ssb-blk}}}\le 2^\lambda $ representing the maximum number of blocks that can be hashed, and an index $i^*\in [0,n_{\textsf {\textsc {ssb-blk}}}-1]$ and publishes a public hashing key $\textsf {\textsc {hk}}$.
$\mathcal {H}_{\textsf {\textsc {hk}}}:x\in \varSigma _{\textsf {\textsc {ssb-blk}}}^{n_{\textsf {\textsc {ssb-blk}}}}\rightarrow h\in \{0,1\}^{\ell _{\textsf {\textsc {ssb-hash}}}}:$ This is a deterministic function that has the hash key $\textsf {\textsc {hk}}$ hardwired. A user runs this function on input $x=x_0\Vert \ldots \Vert x_{n_{\textsf {\textsc {ssb-blk}}}-1}\in \varSigma _{\textsf {\textsc {ssb-blk}}}^{n_{\textsf {\textsc {ssb-blk}}}}$ to obtain as output $h=\mathcal {H}_{\textsf {\textsc {hk}}}(x)\in \{0,1\}^{\ell _{\textsf {\textsc {ssb-hash}}}}$.
$\textsf {SSB.Open} (\textsf {\textsc {hk}},x,i)\rightarrow \pi _{\textsf {\textsc {ssb}}}:$ Taking as input the hash key $\textsf {\textsc {hk}}$, input $x\in \varSigma _{\textsf {\textsc {ssb-blk}}}^{n_{\textsf {\textsc {ssb-blk}}}}$, and an index $i\in [0,n_{\textsf {\textsc {ssb-blk}}}-1]$, a user creates an opening $\pi _{\textsf {\textsc {ssb}}}\in \varPi _{\textsf {\textsc {ssb}}}$.
$\textsf {SSB.Verify} (\textsf {\textsc {hk}},h,i,u,\pi _{\textsf {\textsc {ssb}}})\rightarrow \hat{\beta }\in \{0,1\}:$ On input a hash key $\textsf {\textsc {hk}}$, a hash value $h\in \{0,1\}^{\ell _{\textsf {\textsc {ssb-hash}}}}$, an index $i\in [0,n_{\textsf {\textsc {ssb-blk}}}-1]$, a value $u\in \varSigma _{\textsf {\textsc {ssb-blk}}}$, and an opening $\pi _{\textsf {\textsc {ssb}}}\in \varPi _{\textsf {\textsc {ssb}}}$, a verifier outputs a bit $\hat{\beta }\in \{0,1\}$.

The algorithms $\textsf {SSB.Gen}$ and $\textsf {SSB.Open}$ are randomized, while the algorithm $\textsf {SSB.Verify}$ is deterministic.

$\blacktriangleright $ Correctness: For any security parameter $\lambda $, integer $n_{\textsf {\textsc {ssb-blk}}}\le 2^\lambda $, $i,i^*\in [0,n_{\textsf {\textsc {ssb-blk}}}-1]$, $\textsf {\textsc {hk}}\xleftarrow {\$}\textsf {SSB.Gen} (\textsf {1}^\lambda ,n_{\textsf {\textsc {ssb-blk}}},i^*)$, $x\in \varSigma _{\textsf {\textsc {ssb-blk}}}^{n_{\textsf {\textsc {ssb-blk}}}}$, and $\pi _{\textsf {\textsc {ssb}}}\xleftarrow {\$}\textsf {SSB.Open} (\textsf {\textsc {hk}},x,i)$, we have $\textsf {SSB.Verify} (\textsf {\textsc {hk}}, \mathcal {H}_{\textsf {\textsc {hk}}}(x),i,x_i,\pi _{\textsf {\textsc {ssb}}})=1$.

2.3.3 Positional Accumulator

Definition 2.4

(Positional Accumulator [20, 22]). A positional accumulator consists of PPT algorithms $(\textsf {ACC.Setup}, \textsf {ACC.Setup-Enforce-Read}, \textsf {ACC.Setup-} $ $\textsf {Enforce-Write}, \textsf {ACC.Prep-Read}, \textsf {ACC.Prep-Write}, \textsf {ACC.Verify-Read}, \textsf {ACC.Write-} \textsf {Store}, $ $\textsf {ACC.Update} )$ along with a block alphabet $\varSigma _{\textsf {\textsc {acc-blk}}}=\{0,1\}^{\ell _{\textsf {\textsc {acc-blk}}}}$, accumulator size $\ell _{\textsf {\textsc {acc-accumulate}}}$, proof space $\varPi _{\textsf {\textsc {acc}}}=\{0,1\}^{\ell _{\textsf {\textsc {acc-proof}}}}$ where $\ell _{\textsf {\textsc {acc-blk}}},\ell _{\textsf {\textsc {acc-accumulate}}},$ $\ell _{\textsf {\textsc {acc-proof}}}$ are some polynomials in the security parameter $\lambda $. The algorithms have the following syntax:

$\textsf {ACC.Setup} (\textsf {1}^\lambda ,n_{\textsf {\textsc {acc-blk}}})\rightarrow (\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},w_0,\textsf {\textsc {store}}_0):$ The setup authority takes as input the security parameter $\textsf {1}^\lambda $ and an integer $n_{\textsf {\textsc {acc-blk}}}\le 2^\lambda $ representing the maximum number of blocks that can be accumulated. It outputs the public parameters $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$, an initial accumulator value $w_0$, and an initial storage value $\textsf {\textsc {store}}_0$.
$\textsf {ACC.Setup-Enforce-Read} (\textsf {1}^\lambda ,n_{\textsf {\textsc {acc-blk}}},((x_1,i_1),\ldots ,(x_\kappa ,i_\kappa )),i^*)~\rightarrow ~(\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},w_0,$ $\textsf {\textsc {store}}_0):$ Taking as input the security parameter $\textsf {1}^\lambda $, an integer $n_{\textsf {\textsc {acc-blk}}}\le 2^\lambda $ representing the maximum number of blocks that can be accumulated, a sequence of symbol-index pairs $((x_1,i_1),\ldots ,(x_\kappa ,i_\kappa )) \in (\varSigma _{\textsf {\textsc {acc-blk}}}\times [0,n_{\textsf {\textsc {acc-blk}}}-1])^\kappa $, and an additional index $i^*\in [0,n_{\textsf {\textsc {acc-blk}}}-1]$, the setup authority publishes the public parameters $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$, an initial accumulator value $w_0$, together with an initial storage value $\textsf {\textsc {store}}_0$.
$\textsf {ACC.Setup-Enforce-Write} (\textsf {1}^\lambda ,~n_{\textsf {\textsc {acc-blk}}},~((x_1,i_1),\ldots ,x_\kappa ,i_\kappa )))~\rightarrow ~(\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},~w_0,$ $\textsf {\textsc {store}}_0):$ On input the security parameter $\textsf {1}^\lambda $, an integer $n_{\textsf {\textsc {acc-blk}}}\le 2^\lambda $ denoting the maximum number of blocks that can be accumulated, and a sequence of symbol-index pairs $((x_1,i_1),\ldots ,(x_\kappa ,i_\kappa ))\in (\varSigma _{\textsf {\textsc {acc-blk}}}\times [0,n_{\textsf {\textsc {acc-blk}}}-1])^\kappa $, the setup authority publishes the public parameters $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$, an initial accumulator value $w_0$, as well as, an initial storage value $\textsf {\textsc {store}}_0$.
$\textsf {ACC.Prep-Read} (\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},\textsf {\textsc {store}}_{\textsf {\textsc {in}}}, i_{\textsf {\textsc {in}}})\rightarrow (x_{\textsf {\textsc {out}}},\pi _{\textsf {\textsc {acc}}}):$ A storage-maintaining party takes as input the public parameter $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$, a storage value $\textsf {\textsc {store}}_{\textsf {\textsc {in}}}$, and an index $i_{\textsf {\textsc {in}}}\in [0,n_{\textsf {\textsc {acc-blk}}}-1]$. It outputs a symbol $x_{\textsf {\textsc {out}}}\in \varSigma _{\textsf {\textsc {acc-blk}}}\cup \{\epsilon \}$ ($\epsilon $ being the empty string) and a proof $\pi _{\textsf {\textsc {acc}}}\in \varPi _{\textsf {\textsc {acc}}}$.
$\textsf {ACC.Prep-Write} (\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}, \textsf {\textsc {store}}_{\textsf {\textsc {in}}}, i_{\textsf {\textsc {in}}})\rightarrow \textsf {\textsc {aux}}:$ Taking as input the public parameter $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$, a storage value $\textsf {\textsc {store}}_{\textsf {\textsc {in}}}$, together with an index $i_{\textsf {\textsc {in}}}\in [0,n_{\textsf {\textsc {acc-blk}}}-1]$, a storage-maintaining party outputs an auxiliary value $\textsf {\textsc {aux}}$.
$\textsf {ACC.Verify-Read} (\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}, w_{\textsf {\textsc {in}}},x_{\textsf {\textsc {in}}}, i_{\textsf {\textsc {in}}}, \pi _{\textsf {\textsc {acc}}})\rightarrow \hat{\beta }\in \{0,1\}:$ A verifier takes as input the public parameter $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$, an accumulator value $w_{\textsf {\textsc {in}}}\in \{0,1\}^{\ell _{\textsf {\textsc {acc-accumulate}}}}$, a symbol $x_{\textsf {\textsc {in}}}\in \varSigma _{\textsf {\textsc {acc-blk}}}\cup \{\epsilon \}$, an index $i_{\textsf {\textsc {in}}}\in [0,n_{\textsf {\textsc {acc-blk}}}-1]$, and a proof $\pi _{\textsf {\textsc {acc}}}\in \varPi _{\textsf {\textsc {acc}}}$. It outputs a bit $\hat{\beta }\in \{0,1\}$.
$\textsf {ACC.Write-Store} (\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},\textsf {\textsc {store}}_{\textsf {\textsc {in}}}, i_{\textsf {\textsc {in}}},x_{\textsf {\textsc {in}}})\rightarrow \textsf {\textsc {store}}_{\textsf {\textsc {out}}}:$ On input the public parameters $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$, a storage value $\textsf {\textsc {store}}_{\textsf {\textsc {in}}}$, an index $i_{\textsf {\textsc {in}}}\in [0,n_{\textsf {\textsc {acc-blk}}}-1]$, and a symbol $x_{\textsf {\textsc {in}}}\in \varSigma _{\textsf {\textsc {acc-blk}}}$, a storage-maintaining party computes a new storage value $\textsf {\textsc {store}}_{\textsf {\textsc {out}}}$.
$\textsf {ACC.Update} (\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},w_{\textsf {\textsc {in}}},x_{\textsf {\textsc {in}}}, i_{\textsf {\textsc {in}}},\textsf {\textsc {aux}})\rightarrow w_{\textsf {\textsc {out}}}~\text {or}~\bot :$ An accumulator-updating party takes as input the public parameters $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$, an accumulator value $w_{\textsf {\textsc {in}}}\in \{0,1\}^{\ell _{\textsf {\textsc {acc-accumulate}}}}$, a symbol $x_{\textsf {\textsc {in}}}\in \varSigma _{\textsf {\textsc {acc-blk}}}$, an index $i_{\textsf {\textsc {in}}}\in [0,n_{\textsf {\textsc {acc-blk}}}-1]$, and an auxiliary value $\textsf {\textsc {aux}}$. It outputs the updated accumulator value $w_{\textsf {\textsc {out}}}\in \{0,1\}^{\ell _{\textsf {\textsc {acc-accumulate}}}}$ or the designated reject string $\bot $.

Following [10, 20], in this paper we will consider the algorithms $\textsf {ACC.Setup} ,$ $\textsf {ACC.Setup-Enforce-Read} $, and $\textsf {ACC.Setup-Enforce-Write} $ as randomized while all other algorithms as deterministic.

$\blacktriangleright $ Correctness: Consider any symbol-index pair sequence $((x_1,i_1),\ldots ,(x_\kappa ,i_\kappa )) \in (\varSigma _{\textsf {\textsc {acc-blk}}}\times [0,n_{\textsf {\textsc {acc-blk}}}-1])^\kappa $. Fix any $(\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},w_0, \textsf {\textsc {store}}_0)~\xleftarrow {\$}~\textsf {ACC.Setup} (\textsf {1}^\lambda , n_{\textsf {\textsc {acc-blk}}})$. For $j=1,\ldots ,\kappa $, iteratively define the following:

$\textsf {\textsc {store}}_j=\textsf {ACC.Write-Store} (\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}, \textsf {\textsc {store}}_{j-1},i_j,x_j)$
$\textsf {\textsc {aux}}_j=\textsf {ACC.Prep-Write} (\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}, \textsf {\textsc {store}}_{j-1},i_j)$
$w_j=\textsf {ACC.Update} (\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},w_{j-1},x_j,i_j,\textsf {\textsc {aux}}_j)$

The following correctness properties are required to be satisfied:

(i)
For any security parameter $\lambda $, $n_{\textsf {\textsc {acc-blk}}}\le 2^\lambda $, index $i^*\in [0,n_{\textsf {\textsc {acc-blk}}}-1]$, sequence of symbol-index pairs $((x_1,i_1),\ldots ,(x_\kappa ,i_\kappa ))\in (\varSigma _{\textsf {\textsc {acc-blk}}}\times [0,n_{\textsf {\textsc {acc-blk}}}-1])^\kappa $, and $(\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},w_0, \textsf {\textsc {store}}_0)~\xleftarrow {\$}~\textsf {ACC.Setup} (\textsf {1}^\lambda ,n_{\textsf {\textsc {acc-blk}}})$, if $\textsf {\textsc {store}}_\kappa $ is computed as above, then $\textsf {ACC.Prep-Read} (\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},\textsf {\textsc {store}}_\kappa ,i^*)$ returns $(x_j,\pi _{\textsf {\textsc {acc}}})$ where j is the largest value in $[\kappa ]$ such that $i_j=i^*$.
(ii)
For any security parameter $\lambda $, $n_{\textsf {\textsc {acc-blk}}}\le 2^\lambda $, sequence of symbol-index pairs $((x_1,i_1),\ldots ,(x_\kappa ,i_\kappa ))\in (\varSigma _{\textsf {\textsc {acc-blk}}}\times [0,n_{\textsf {\textsc {acc-blk}}}-1])^\kappa $, $i^*\in [0,n_{\textsf {\textsc {acc-blk}}}-1]$, and $(\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},w_0, \textsf {\textsc {store}}_0)\xleftarrow {\$}\textsf {ACC.Setup} (\textsf {1}^\lambda ,n_{\textsf {\textsc {acc-blk}}})$, if $\textsf {\textsc {store}}_\kappa $ and $w_\kappa $ are computed as above and $(x_{\textsf {\textsc {out}}},\pi _{\textsf {\textsc {acc}}})= \textsf {ACC.Prep-Read} (\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}, \textsf {\textsc {store}}_\kappa ,i^*)$, then $\textsf {ACC.Verify-Read} (\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},w_\kappa ,x_{\textsf {\textsc {out}}},i^*,\pi _{\textsf {\textsc {acc}}})=1$

2.3.4 Iterator

Definition 2.5

(Iterator [20]). A cryptographic iterator consists of PPT algorithms $(\textsf {ITR.Setup}, \textsf {ITR.Set-Enforce}, \textsf {ITR.Iterate} )$ along with a message space $\mathcal {M}_{\textsf {\textsc {itr}}}$ $=\{0,1\}^{\ell _{\textsf {\textsc {itr-msg}}}}$ and iterator state size $\ell _{\textsf {\textsc {itr-st}}}$, where $\ell _{\textsf {\textsc {itr-msg}}},\ell _{\textsf {\textsc {itr-st}}}$ are some polynomials in the security parameter $\lambda $. Algorithms have the following syntax:

$\textsf {ITR.Setup} (\textsf {1}^\lambda ,n_{\textsf {\textsc {itr}}})\rightarrow (\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},v_0):$ The setup authority takes as input the security parameter $\textsf {1}^\lambda $ along with an integer bound $n_{\textsf {\textsc {itr}}}\le 2^\lambda $ on the number of iterations. It outputs the public parameters $\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}}$ and an initial state $v_0\in \{0,1\}^{\ell _{\textsf {\textsc {itr-st}}}}$.
$\textsf {ITR.Setup-Enforce} (\textsf {1}^\lambda ,n_{\textsf {\textsc {itr}}},(\mu _1,\ldots ,\mu _\kappa ))\rightarrow (\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},v_0):$ Taking as input the security parameter $\textsf {1}^\lambda $, an integer bound $n_{\textsf {\textsc {itr}}}\le 2^\lambda $, together with a sequence of $\kappa $ messages $(\mu _1,\ldots ,\mu _\kappa )\in \mathcal {M}_{\textsf {\textsc {itr}}}^\kappa $, where $\kappa \le n_{\textsf {\textsc {itr}}}$, the setup authority publishes the public parameters $\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}}$ and an initial state $v_0\in \{0,1\}^{\ell _{\textsf {\textsc {itr-st}}}}$.
$\textsf {ITR.Iterate} (\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}}, v_{\textsf {\textsc {in}}}\in \{0,1\}^{\ell _{\textsf {\textsc {itr-st}}}},\mu )\rightarrow v_{\textsf {\textsc {out}}}:$ On input the public parameters $\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}}$, a state $v_{\textsf {\textsc {in}}}$, and a message $\mu \in \mathcal {M}_{\textsf {\textsc {itr}}}$, an iterator outputs an updated state $v_{\textsf {\textsc {out}}}\in \{0,1\}^{\ell _{\textsf {\textsc {itr-st}}}}$. For any integer $\kappa \le n_{\textsf {\textsc {itr}}}$, we will write $\textsf {ITR.Iterate} ^\kappa (\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},$ $v_0,(\mu _1,\ldots ,\mu _\kappa ))$ to denote $\textsf {ITR.Iterate} (\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},v_{\kappa -1},\mu _\kappa )$, where $v_j$ is defined iteratively as $v_j=\textsf {ITR.Iterate} (\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},v_{j-1},\mu _j)$ for all $j=1,\ldots ,\kappa -1$.

The algorithm $\textsf {ITR.Iterate} $ is deterministic, while the other two are randomized.

2.3.5 Splittable Signature

Definition 2.6

(Splittable Signature: SPS [20]). A splittable signature scheme (SPS) for message space $\mathcal {M}_{\textsf {\textsc {sps}}}=\{0,1\}^{\ell _{\textsf {\textsc {sps-msg}}}}$ and signature space $\mathcal {S}_{\textsf {\textsc {sps}}}=\{0,1\}^{\ell _{\textsf {\textsc {sps-sig}}}}$, where $\ell _{\textsf {\textsc {sps-msg}}},\ell _{\textsf {\textsc {sps-sig}}}$ are some polynomials in the security parameter $\lambda $, consists of PPT algorithms $(\textsf {SPS.Setup}, \textsf {SPS.Sign}, \textsf {SPS.Verify}, \textsf {SPS.Split}, $ $\textsf {SPS.Sign-ABO} )$ which are described below:

$\textsf {SPS.Setup} (\textsf {1}^\lambda )\rightarrow (\textsf {\textsc {sk}}_{\textsf {\textsc {sps}}},\textsf {\textsc {vk}}_{\textsf {\textsc {sps}}}, \textsf {\textsc {vk}}_{\textsf {\textsc {sps-rej}}}):$ The setup authority takes as input the security parameter $\textsf {1}^\lambda $ and generates a signing key $\textsf {\textsc {sk}}_{\textsf {\textsc {sps}}}$, a verification key $\textsf {\textsc {vk}}_{\textsf {\textsc {sps}}}$, together with a reject verification key $\textsf {\textsc {vk}}_{\textsf {\textsc {sps-rej}}}$.
$\textsf {SPS.Sign} (\textsf {\textsc {sk}}_{\textsf {\textsc {sps}}},m)\rightarrow \sigma _{\textsf {\textsc {sps}}}:$ A signer given a signing key $\textsf {\textsc {sk}}_{\textsf {\textsc {sps}}}$ along with a message $m\in \mathcal {M}_{\textsf {\textsc {sps}}}$, produces a signature $\sigma _{\textsf {\textsc {sps}}}\in \mathcal {S}_{\textsf {\textsc {sps}}}$.
$\textsf {SPS.Verify} (\textsf {\textsc {vk}}_{\textsf {\textsc {sps}}},m,\sigma _{\textsf {\textsc {sps}}})\rightarrow \hat{\beta }\in \{0,1\}:$ A verifier takes as input a verification key $\textsf {\textsc {vk}}_{\textsf {\textsc {sps}}}$, a message $m\in \mathcal {M}_{\textsf {\textsc {sps}}}$, and a signature $\sigma _{\textsf {\textsc {sps}}}\in \mathcal {S}_{\textsf {\textsc {sps}}}$. It outputs a bit $\hat{\beta }\in \{0,1\}$.
$\textsf {SPS.Split} (\textsf {\textsc {sk}}_{\textsf {\textsc {sps}}},m^*)\rightarrow (\sigma _{\textsf {\textsc {sps-one}},m^*},\textsf {\textsc {vk}}_{\textsf {\textsc {sps-one}}}, \textsf {\textsc {sk}}_{\textsf {\textsc {sps-abo}}},\textsf {\textsc {vk}}_{\textsf {\textsc {sps-abo}}}):$ On input a signing key $\textsf {\textsc {sk}}_{\textsf {\textsc {sps}}}$ along with a message $m^*\in \mathcal {M}_{\textsf {\textsc {sps}}}$, the setup authority generates a signature $\sigma _{\textsf {\textsc {sps-one}},m^*}=\textsf {SPS.Sign} (\textsf {\textsc {sk}}_{\textsf {\textsc {sps}}},m^*)$, a one-message verification key $\textsf {\textsc {vk}}_{\textsf {\textsc {sps-one}}}$, and all-but-one signing-verification key pair $(\textsf {\textsc {sk}}_{\textsf {\textsc {sps-abo}}},\textsf {\textsc {vk}}_{\textsf {\textsc {sps-abo}}})$.
$\textsf {SPS.Sign-ABO} (\textsf {\textsc {sk}}_{\textsf {\textsc {sps-abo}}},m)\rightarrow \sigma _{\textsf {\textsc {sps}}}~\text {or}~\bot :$ An all-but-one signer given an all-but-one signing key $\textsf {\textsc {sk}}_{\textsf {\textsc {sps-abo}}}$ and a message $m\in \mathcal {M}_{\textsf {\textsc {sps}}}$, outputs a signature $\sigma _{\textsf {\textsc {sps}}}\in \mathcal {S}_{\textsf {\textsc {sps}}}$ or a distinguished string $\bot $ to indicate failure. For simplicity of notation, we will often use $\textsf {SPS.Sign} (\textsf {\textsc {sk}}_{\textsf {\textsc {sps-abo}}},m)$ to represent the output of this algorithm.

We note that among the algorithms described above, $\textsf {SPS.Setup} $ and $\textsf {SPS.Split} $ are randomized while all the others are deterministic.

$\blacktriangleright $ Correctness: For any security parameter $\lambda $, message $m^*\in \mathcal {M}_{\textsf {\textsc {sps}}}$, $(\textsf {\textsc {sk}}_{\textsf {\textsc {sps}}},\textsf {\textsc {vk}}_{\textsf {\textsc {sps}}}, \textsf {\textsc {vk}}_{\textsf {\textsc {sps-rej}}})\xleftarrow {\$}\textsf {SPS.Setup} (\textsf {1}^\lambda )$, and $(\sigma _{\textsf {\textsc {sps-one}},m^*},\textsf {\textsc {vk}}_{\textsf {\textsc {sps-one}}},\textsf {\textsc {sk}}_{\textsf {\textsc {sps-abo}}}, \textsf {\textsc {vk}}_{\textsf {\textsc {sps-abo}}})\xleftarrow {\$} \textsf {SPS.Split} (\textsf {\textsc {sk}}_{\textsf {\textsc {sps}}},m^*)$ the following correctness conditions hold:

(i)
$\forall \, m\in \mathcal {M}_{\textsf {\textsc {sps}}}, \textsf {SPS.Verify} (\textsf {\textsc {vk}}_{\textsf {\textsc {sps}}},m, \textsf {SPS.Sign} (\textsf {\textsc {sk}}_{\textsf {\textsc {sps}}},m))=1$.
(ii)
$\forall \, m\ne m^*\in \mathcal {M}_{\textsf {\textsc {sps}}}, \textsf {SPS.Sign} (\textsf {\textsc {sk}}_{\textsf {\textsc {sps}}},m)= \textsf {SPS.Sign-ABO} (\textsf {\textsc {sk}}_{\textsf {\textsc {sps-abo}}},m)$.
(iii)
$\forall \,\sigma _{\textsf {\textsc {sps}}}\in \mathcal {S}_{\textsf {\textsc {sps}}}, \textsf {SPS.Verify} (\textsf {\textsc {vk}}_{\textsf {\textsc {sps-one}}},m^*,\sigma _{\textsf {\textsc {sps}}})=\textsf {SPS.Verify} (\textsf {\textsc {vk}}_{\textsf {\textsc {sps}}},m^*,\sigma _{\textsf {\textsc {sps}}})$.
(iv)
$\forall \, m\ne m^*\in \mathcal {M}_{\textsf {\textsc {sps}}}, \sigma _{\textsf {\textsc {sps}}}\in \mathcal {S}_{\textsf {\textsc {sps}}}, \textsf {SPS.Verify} (\textsf {\textsc {vk}}_{\textsf {\textsc {sps-abo}}},m, \sigma _{\textsf {\textsc {sps}}})=\textsf {SPS.Verify} (\textsf {\textsc {vk}}_{\textsf {\textsc {sps}}},m, \sigma _{\textsf {\textsc {sps}}})$.
(v)
$\forall \, m\ne m^*\in \mathcal {M}_{\textsf {\textsc {sps}}},~\sigma _{\textsf {\textsc {sps}}}\in \mathcal {S}_{\textsf {\textsc {sps}}}, \textsf {SPS.Verify} (\textsf {\textsc {vk}}_{\textsf {\textsc {sps-one}}},m,\sigma _{\textsf {\textsc {sps}}})=0$.
(vi)
$\forall \, \sigma _{\textsf {\textsc {sps}}}\in \mathcal {S}_{\textsf {\textsc {sps}}}, ~\textsf {SPS.Verify} (\textsf {\textsc {vk}}_{\textsf {\textsc {sps-abo}}}, m^*,\sigma _{\textsf {\textsc {sps}}})=0$.
(vii)
$\forall \, m\in \mathcal {M}_{\textsf {\textsc {sps}}},~\sigma _{\textsf {\textsc {sps}}}\in \mathcal {S}_{\textsf {\textsc {sps}}}, \textsf {SPS.Verify} (\textsf {\textsc {vk}}_{\textsf {\textsc {sps-rej}}},m,\sigma _{\textsf {\textsc {sps}}})=0$.

3 Our CPRF for Turing Machines

3.1 Notion

Definition 3.1

(Constrained Pseudorandom Function for Turing Machines: CPRF [10]). Let $\mathbb {M}_\lambda $ be a family of TM’s with (worst case) running time bounded by $T=2^\lambda $. A constrained pseudorandom function (CPRF) with key space $\mathcal {K}_{\textsf {\textsc {cprf}}}$, input domain $\mathcal {X}_{\textsf {\textsc {cprf}}}\subset \{0,1\}^*$, and output space $\mathcal {Y}_{\textsf {\textsc {cprf}}}\subset \{0,1\}^*$ for the TM family $\mathbb {M}_\lambda $ consists of an additional key space $\mathcal {K}_{\textsf {\textsc {cprf-const}}}$ and PPT algorithms $(\textsf {CPRF.Setup}, \textsf {CPRF.Eval}, \textsf {CPRF.Constrain} , \textsf {CPRF.Eval-} \textsf {Constrained} )$ described as follows:

$\textsf {CPRF.Setup} (\textsf {1}^\lambda )\rightarrow \textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}:$ The setup authority takes as input the security parameter $\textsf {1}^\lambda $ and generates the master CPRF key $\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}\in \mathcal {K}_{\textsf {\textsc {cprf}}}$.
$\textsf {CPRF.Eval} (\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}},x)\rightarrow y:$ On input the master CPRF key $\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}$ along with an input $x\in \mathcal {X}_{\textsf {\textsc {cprf}}}$, the setup authority computes the value of the CPRF $y\in \mathcal {Y}_{\textsf {\textsc {cprf}}}$. For simplicity of notation, we will use $\textsf {CPRF} (\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}},x)$ to indicate the output of this algorithm.
$\textsf {CPRF.Constrain} (\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}},M)\rightarrow \textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}\{M\}:$ Taking as input the master CPRF key $\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}$ and a TM $M\in \mathbb {M}_\lambda $, the setup authority provides a constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}\{M\}\in \mathcal {K}_{\textsf {\textsc {cprf-const}}}$ to a legitimate user.
$\textsf {CPRF.Eval-Constrained} (\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}\{M\},x)\rightarrow y~\text {or}~\bot :$ A user takes as input a constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}\{M\}\in \mathcal {K}_{\textsf {\textsc {cprf-const}}}$, corresponding to a legitimate TM $M\in \mathbb {M}_\lambda $, along with an input $x\in \mathcal {X}_{\textsf {\textsc {cprf}}}$. It outputs either a value $y\in \mathcal {Y}_{\textsf {\textsc {cprf}}}$ or $\bot $ indicating failure.

The algorithms $\textsf {CPRF.Setup} $ and $\textsf {CPRF.Constrain} $ are randomized, whereas, the other two are deterministic.

$\blacktriangleright $ Correctness Under Constraining: Consider any security parameter $\lambda $, $\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}\in \mathcal {K}_{\textsf {\textsc {cprf}}}$, $M\in \mathbb {M}_\lambda $, and $\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}\{M\}\xleftarrow {\$} \textsf {CPRF.Constrain} (\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}},M)$. The following must hold:

$$\begin{aligned} \textsf {CPRF.Eval-Constrained} (\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}\{M\},x)=\left\{ \begin{array}{l l} \textsf {CPRF} (\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}},x), &{}\hbox {if}\,\,\, M(x)=1\\ \bot , &{}\hbox {otherwise} \end{array} \right. \end{aligned}$$

$\blacktriangleright $ Selective Pseudorandomness: This property of a CPRF is defined through the following experiment between an adversary $\mathcal {A}$ and a challenger $\mathcal {B}$:

$\mathcal {A}$ submits a challenge input $x^*\in \mathcal {X}_{\textsf {\textsc {cprf}}}$ to $\mathcal {B}$.
$\mathcal {B}$ generates a master CPRF key $\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}\xleftarrow {\$}\textsf {CPRF.Setup} (\textsf {1}^\lambda )$. Next it selects a random bit $b\xleftarrow {\$}\{0,1\}$. If $b=0$, it computes $y^*=\textsf {CPRF} (\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}},x^*)$. Otherwise, it chooses a random $y^*\xleftarrow {\$}\mathcal {Y}_{\textsf {\textsc {cprf}}}$. It returns $y^*$ to $\mathcal {A}$.
$\mathcal {A}$ may adaptively make a polynomial number of queries of the following kinds to $\mathcal {B}$:

Evaluation query: $\mathcal {A}$ queries the CPRF value at some input $x\in \mathcal {X}_{\textsf {\textsc {cprf}}}$ such that $x\ne x^*$. $\mathcal {B}$ provides the CPRF value $\textsf {CPRF} (\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}},x)$ to $\mathcal {A}$.
Key query: $\mathcal {A}$ queries a constrained key corresponding to TM $M\in \mathbb {M}_\lambda $ subject to the constraint that $M(x^*)=0$. $\mathcal {B}$ gives the constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}\{M\}\xleftarrow {\$} \textsf {CPRF.Constrain} (\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}},M)$ to $\mathcal {A}$

$\mathcal {A}$ eventually outputs a guess bit $b'\in \{0,1\}$.

The $\textsf {CPRF} $ is said to be selectively pseudorandom if for any PPT adversary $\mathcal {A}$, for any security parameter $\lambda $,

$$\begin{aligned} \textsf {Adv} _\mathcal {A}^{\textsf {\textsc {cprf,sel-pr}}}(\lambda )=|\textsf {Pr} [b=b']-1/2|\le \textsf {negl} (\lambda ) \end{aligned}$$

for some negligible function $\textsf {negl} $.

Remark 3.1

As pointed out in [9, 16], note that in the above selective pseudorandomness experiment, without loss of generality we may assume that the adversary $\mathcal {A}$ only makes constrained key queries and no evaluation query. This is because any evaluation query at input $x\in \mathcal {X}_{\textsf {\textsc {cprf}}}$ can be replaced by constrained key query for a TM $M_x\in \mathbb {M}_\lambda $ that accepts only x. Since, the restriction on the evaluation queries is that $x\ne x^*$, $M_x(x^*)=0$, and thus $M_x$ is a valid constrained key query. We will use this simplification in our proof.

3.2 The CPRF Construction of Deshpande et al.

In EUROCRYPT 2016, Deshpande et al. [10] presented a CPRF construction supporting inputs of unconstrained polynomial length based on indistinguishability obfuscation and injective pseudorandom generators, which they claimed to be selectively secure. Unfortunately, their security argument has a flaw. In this section, we give an informal description of their CPRF construction and point out the flaw in their security argument.

Overview of the CPRF Construction of [10]: The principle ideas behind the CPRF construction of [10] are as follows: To produce the CPRF output their construction uses a PPRF $\mathcal {F}$ and a positional accumulator. A master CPRF key consists of a key K for the PPRF $\mathcal {F}$ and a set of public parameters $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$ of the positional accumulator. The CPRF evaluation on some input $x=x_0\ldots x_{\ell _x-1}\in \mathcal {X}_{\textsf {\textsc {cprf}}}\subset \{0,1\}^*$ is simply $\mathcal {F}(K,w_{\textsf {\textsc {inp}}})$, where $w_{\textsf {\textsc {inp}}}$ is the accumulation of the bits of x using $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$.

A constrained key of the CPRF, corresponding to some TM M, comprises of $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$ along with two programs $\mathcal {P}_1$ and $\mathcal {P}_{\textsf {\textsc {cprf}}}$, which are obfuscated using IO. The first program $\mathcal {P}_1$, also known as the initial signing program, takes as input an accumulator value and outputs a signature on it together with the initial state and header position of the TM M. The second program $\mathcal {P}_{\textsf {\textsc {cprf}}}$, also called the next step program, takes as input a state and header position of M along with an input symbol and an accumulator value. It essentially computes the next step function of M on the input state-symbol pair, and eventually outputs the proper PRF value, if M reaches the accepting state. The program $\mathcal {P}_{\textsf {\textsc {cprf}}}$ also performs certain authenticity checks before computing the next step function of M in order to prevent illegal inputs. For this purpose, $\mathcal {P}_{\textsf {\textsc {cprf}}}$ additionally takes as input a signature on the input state, header position, and accumulator value, together with a proof for the positional accumulator. The program $\mathcal {P}_{\textsf {\textsc {cprf}}}$ verifies the signature as well as checks the accumulator proof to get convinced that the input symbol is indeed the one placed at the input header position of the underlying storage of the input accumulator value. If all these verifications pass, then $\mathcal {P}_{\textsf {\textsc {cprf}}}$ determines the next state and header position of M, as well as, the new symbol that needs to be written to the input header position. The program $\mathcal {P}_{\textsf {\textsc {cprf}}}$ then updates the accumulator value by placing the new symbol at the input header position as well as signs the updated accumulator value along with the computed next state and header position of M. The signature scheme used by the two programs is a splittable signature. In order to deal with the positional accumulator related verifications and updations, the program $\mathcal {P}_{\textsf {\textsc {cprf}}}$ has $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$ hardwired.

Evaluating the CPRF on some input x using a constrained key, corresponding to some TM M, consists of two steps. In the first step, the evaluator computes the accumulation $w_{\textsf {\textsc {inp}}}$ of the bits of x using $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$, which are also included in the constrained key, and then obtains a signature on $w_{\textsf {\textsc {inp}}}$ together with the initial state and header position of M by running the program $\mathcal {P}_1$. The second step is to repeatedly run the program $\mathcal {P}_{\textsf {\textsc {cprf}}}$, each time on input the current accumulator value, current state and header position of M, along with the signature on them. Additionally, in each iteration the evaluator also feeds $w_{\textsf {\textsc {inp}}}$ to $\mathcal {P}_{\textsf {\textsc {cprf}}}$. The iteration is continued until the program $\mathcal {P}_{\textsf {\textsc {cprf}}}$ either outputs the PRF evaluation or the designated null string $\bot $ indicating failure.

The Flaw: In order to prove selective pseudorandomness of the above CPRF construction, the authors of [10] extends the techniques introduced in [20] in the context of proving security of message-hiding encoding scheme for TM’s. More precisely, the authors of [10] proceed as follows: During the course of the proof, the authors aim to modify the constrained keys given to the adversary $\mathcal {A}$ in the selective pseudorandomness experiment, discussed in Sect. 3.1, to embed the punctured PPRF key $K\{w_{\textsf {\textsc {inp}}}^*\}$ punctured at $w_{\textsf {\textsc {inp}}}^*$ instead of the full PPRF key K, which is part of the master CPRF key sampled by the challenger $\mathcal {B}$. Here, $w_{\textsf {\textsc {inp}}}^*$ is the accumulation of the bits of the challenge input $x^*$, submitted by the adversary $\mathcal {A}$, using $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$, included within the master CPRF key generated by the challenger $\mathcal {B}$. In order to make this substitution, it is to be ensured that the obfuscated next step programs included in the constrained keys never outputs the PRF evaluation for inputs corresponding to $w_{\textsf {\textsc {inp}}}^*$ even if reaching the accepting state. The proof transforms the constrained keys one at a time through multiple hybrid steps. Suppose that the total number of constrained keys queried by $\mathcal {A}$ be $\hat{q}$. Consider the transformation of the $\nu $ ^th constrained key ($1\le \nu \le \hat{q}$) corresponding to the TM $M^{(\nu )}$ that runs on the challenge input $x^*$ for $t^{*(\nu )}$ steps and reaches the rejecting state. In the course of transformation, the obfuscated next step program $\mathcal {P}_{\textsf {\textsc {cprf}}}^{(\nu )}$ of the $\nu $ ^th constrained key is first altered to one that never outputs the PRF evaluation for inputs corresponding to $w_{\textsf {\textsc {inp}}}^*$ within the first $t^{*(\nu )}$ steps. Towards accomplishing this transition, the challenger $\mathcal {B}$ at various stages needs to generate $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$ in read/write enforcing mode where the enforcing property should be tailored to the steps of execution of the specific TM $M^{(\nu )}$ on $x^*$. For instance, at some point of transformation of the $\nu $ ^th constrained key, $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$ needs to be set in the read enforcing mode by $\mathcal {B}$ on input (i) the entire sequence of symbol-position pairs arising from iteratively running $M^{(\nu )}$ on $x^*$ upto the t ^th step and (ii) the enforcing index corresponding to the header position of $M^{(\nu )}$ at the t ^th step while running on $x^*$, where $1<t\le t^{*(\nu )}$. Evidently, if $\mathcal {A}$ makes the constrained key queries adaptively, which it is allowed to do in the selective pseudorandomness experiment, then $\mathcal {B}$ can determine those symbol-position pairs only after receiving the $\nu $ ^th queried TM $M^{(\nu )}$ from $\mathcal {A}$. However, $\mathcal {B}$ would also require $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$ while creating the constrained keys queried by $\mathcal {A}$ before making the $\nu $ ^th constrained key query and even possibly for preparing the challenge value for $\mathcal {A}$. Thus, it is immediate that $\mathcal {B}$ must generate $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$ prior to receiving the $\nu $ ^th query from $\mathcal {A}$. This is impossible as setting $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$ in read enforcing mode requires the knowledge of the TM $M^{(\nu )}$, which is not available before the $\nu $ ^th constrained key query of $\mathcal {A}$. A similar conflict also arises when $\mathcal {B}$ attempts to setup $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$ in the write enforcing mode tailored to $M^{(\nu )}$. This serious flaw renders the proof of selective pseudorandomness of the CPRF construction of [10] invalid. Ofcourse, this problem would clearly not arise if the pseudorandomness of the CPRF construction of [10] is analysed in a weaker model in which the adversary $\mathcal {A}$ is forced to submit all the constrained key queries along with the challenge input at the beginning of the experiment, i.e., before the challenger $\mathcal {B}$ performs the setup. However, this weaker model is rather unrealistic as it renders the adversary $\mathcal {A}$ completely static.

3.3 Our Techniques to Fix the Flaw of [10]

Observe that a set of public parameters of the positional accumulator must be included within each constrained key. This is mandatory due to the required updatability feature of positional accumulator, which is indispensable to keep track of the current situation while running the obfuscated next step program $\mathcal {P}_{\textsf {\textsc {cprf}}}$ iteratively in the course of evaluating the CPRF on some input. The root cause of the problem in the selective security argument of [10] is the use of a single set of public parameters $\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}$ of the positional accumulator throughout the system. Therefore, as a first step, we attempt to assign a fresh set of public parameters of the positional accumulator to each constrained key. However, for compressing the PRF input to a fixed length, on which $\mathcal {F}$ can be applied producing the PRF output, we need a system-wide compressing tool. We employ SSB hash for this purpose. The idea is that while evaluating the CPRF on some input x using a constrained key, corresponding to some TM M, the evaluator first computes the hash value h by hashing x using the system wide SSB hash key, which is part of the master key. The evaluator also computes the accumulator value $w_{\textsf {\textsc {inp}}}$ by accumulating the bits of x using the public parameters of positional accumulator included in the constrained key. Then, using the obfuscated initial signing program $\mathcal {P}_1$, included in the constrained key, the evaluator will obtain a signature on $w_{\textsf {\textsc {inp}}}$ along with the initial state and header position of M. Finally, the evaluator will repeatedly run the obfuscated next step program $\mathcal {P}_{\textsf {\textsc {cprf}}}$, included in the constrained key, each time giving as input all the quantities as in the evaluation algorithm of [10], except that it now feeds the SSB hash value h in place of $w_{\textsf {\textsc {inp}}}$ in each iteration. This is because, in case $\mathcal {P}_{\textsf {\textsc {cprf}}}$ reaches the accepting state, it would require h to apply $\mathcal {F}$ for producing the PRF output.

However, this approach is not completely sound yet. Observe that, a possibly malicious evaluator can compute the SSB hash value h on the input x, on which it wishes to evaluate the CPRF although M does not accepts it, and initiates the evaluation by accumulating the bits of only a substring of x or some entirely different input, which is accepted by M. To prevent such malicious behavior, we include another IO-obfuscated program $\mathcal {P}_2$ within the constrained key, known as the accumulating program, whose purpose is to restrict the evaluator from accumulating the bits of a different input rather than the hashed one. The program $\mathcal {P}_2$ takes as input an SSB hash value h, an index i, a symbol, an accumulator value, a signature on the input accumulator value (along with the initial state and header position of M), and an opening value for SSB. The program $\mathcal {P}_2$ verifies the signature and also checks whether the input symbol is indeed present at the index i of the string that has been hashed to form h, using the input opening value. If all of these verifications pass, then $\mathcal {P}_2$ updates the input accumulator value by writing the input symbol at the i ^th position of the accumulator storage. We also modify the obfuscated initial signing program $\mathcal {P}_1$, included in the constrained key, to take as input a hash value and output a signature on the accumulator value corresponding to the empty accumulator storage, along with the initial state and header position of M.

Moreover, for forbidding the evaluator from performing the evaluation by accumulating an M-accepted substring of the hashed input, we define our PRF output as the evaluation of $\mathcal {F}$ on the pair (hash value, length) of the input in stead of just the hash value of the input. Note that, without loss of generality, we can set the upper bound of the length of PRF inputs to be $2^\lambda $, where $\lambda $ is the underlying security parameter in view of the fact that by suitably choosing $\lambda $ we can accommodate inputs of any polynomial length. This setting of upper bound on the input length is implicitly considered in [10]. Now, as the input length is bounded by $2^\lambda $, the input length can be expressed as a bit strings of length $\lambda $. Thus, the PRF input length can be safely fed along with the SSB hash value of PRF input to $\mathcal {F}$, which can handle only inputs of apriori bounded length. Hence, the obfuscated next step programs $\mathcal {P}_{\textsf {\textsc {cprf}}}$ included in our constrained keys must also take as input the length of the PRF input for producing the PRF value if reaching to the accepting state.

Therefore, to evaluate the CPRF on some input using a constrained key, corresponding to some TM M, an evaluator first hash the PRF input. The evaluator also obtains a signature on the empty accumulator value included in the constrained key, by running the obfuscated initial signing program $\mathcal {P}_1$ on input the computed hash value. Next, it repeatedly runs the obfuscated accumulating program $\mathcal {P}_2$ to accumulate the bits of the PRF input. Finally, it runs the obfuscated next step program $\mathcal {P}_{\textsf {\textsc {cprf}}}$ iteratively on the current accumulator value along with other legitimate inputs until it obtains either the PRF output or $\bot $.

Regarding the proof of security, notice that the problem with enforcing the public parameters of the positional accumulator while transforming the queried constrained keys will not appear in our case as we have assigned a separate set of public parameters of positional accumulator to each constrained key. However, our actual security proof involves many subtleties that are difficult to describe with this high level description and is provided in full details in the sequel. We would only like to mention here that to cope up with certain issues in the proof we further include another IO-obfuscated program $\mathcal {P}_3$ in the constrained keys, known as the signature changing program, that changes the signature on the accumulation of the bits of the PRF input before starting the iterative computation with the obfuscated next step program $\mathcal {P}_{\textsf {\textsc {cprf}}}$.

We follow the same novel technique introduced in [10] for handling the tail hybrids in the final stage of transformation of the constrained keys. Note that as in [10], we are also considering TM’s which run for at most $T=2^\lambda $ steps on any input. Unlike [20], the authors of [10] have devised a beautiful approach to obtain an end to end polynomial reduction to the security of IO for the tail hybrids by means of an injective pseudorandom generator (PRG). We directly adopt that technique to deal with the tail hybrids in our security proof. A high level overview of the approach is sketched below. Let us call the time step $2^\tau $ as the $\tau $ ^th landmark and the interval $[2^\tau ,2^{\tau +1}-1]$ as the $\tau $ ^th interval. Like [10], our obfuscated next step programs $\mathcal {P}_{\textsf {\textsc {cprf}}}$ included within the constrained keys take an additional PRG seed as input at each time step, and perform some additional checks on the input PRG seed. At time steps just before a landmark, the programs output a new pseudorandomly generated PRG seed, which is then used in the next interval. Using standard IO techniques, it can be shown that for inputs corresponding to $(h^*,\ell ^*)$, if the program $\mathcal {P}_{\textsf {\textsc {cprf}}}$ outputs $\bot $, for all time steps upto the one just before a landmark, then we can alter the program indistinguishably so that it outputs $\bot $ at all time steps in the next interval. Here $h^*$ and $\ell ^*$ are respectively the SSB hash value and length of the challenge input $x^*$ submitted by the adversary $\mathcal {A}$ in the selective pseudorandomness experiment. Employing this technique, we can move across an exponential number of time steps at a single switch of the next step program $\mathcal {P}_{\textsf {\textsc {cprf}}}$.

3.4 Formal Description of Our CPRF

Now we will formally present our CPRF construction where the constrained keys are associated with TM’s. Let $\lambda $ be the underlying security parameter. Consider the family $\mathbb {M}_\lambda $ of TM’s, the members of which have (worst-case) running time bounded by $T=2^\lambda $, input alphabet $\varSigma _{\textsf {\textsc {inp}}}=\{0,1\}$, and tape alphabet $\varSigma _{\textsf {\textsc {tape}}}=\{0,1,\_\}$. Our CPRF construction utilizes the following cryptographic building blocks:

(i)
$\mathcal {IO}$: An indistinguishability obfuscator for general polynomial-size circuits.
(ii)
$\textsf {SSB}=(\textsf {SSB.Gen}, \mathcal {H}, \textsf {SSB.Open}, \textsf {SSB.Verify})$: A somewhere statistically binding hash function with $\varSigma _{\textsf {\textsc {ssb-blk}}}=\{0,1\}$.
(iii)
$\textsf {ACC}~=~(\textsf {ACC.Setup}, \textsf {ACC.Setup-Enforce-Read}, \textsf {ACC.Setup-Enforce-Write}, $ $\textsf {ACC.Prep-Read}, \textsf {ACC.Prep-Write}, \textsf {ACC.Verify-Read}, \textsf {ACC.Write-Store}, $ $\textsf {ACC.Update})$: A positional accumulator with $\varSigma _{\textsf {\textsc {acc-blk}}}=\{0,1,\_\}$.
(iv)
$\textsf {ITR}=(\textsf {ITR.Setup}, \textsf {ITR.Setup-Enforce}, \textsf {ITR.Iterate})$: A cryptographic iterator with an appropriate message space $\mathcal {M}_{\textsf {\textsc {itr}}}$.
(v)
$\textsf {SPS}~=~(\textsf {SPS.Setup}, \textsf {SPS.Sign}, \textsf {SPS.Verify}, \textsf {SPS.Split}, \textsf {SPS.Sign-ABO})$: A splittable signature scheme with an appropriate message space $\mathcal {M}_{\textsf {\textsc {sps}}}$.
(vi)
$\textsf {PRG}:\{0,1\}^\lambda \rightarrow \{0,1\}^{2\lambda }$: A length-doubling pseudorandom generator.
(vii)
$\mathcal {F}=(\mathcal {F}.\textsf {Setup}, \mathcal {F}.\textsf {Puncture}, \mathcal {F}.\textsf {Eval})$: A puncturable pseudorandom function whose domain and range are chosen appropriately. For simplicity, we assume that $\mathcal {F}$ has inputs and outputs of bounded length instead of fixed length inputs and outputs. This assumption can be easily removed by using different PPRF’s for different input and output lengths.

Our CPRF construction is described below:

$\textsf {CPRF.Setup}(\textsf {1}^\lambda )\rightarrow \textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}=(K,\textsf {\textsc {hk}})$: The setup authority takes as input the security parameter $\textsf {1}^\lambda $ and proceeds as follows:
1. 1.
  It first chooses a PPRF key $K\xleftarrow {\$}\mathcal {F}.\textsf {Setup}(\textsf {1}^\lambda )$.
2. 2.
  Next it generates $\textsf {\textsc {hk}}\xleftarrow {\$}\textsf {SSB.Gen}(\textsf {1}^\lambda ,n_{\textsf {\textsc {ssb-blk}}}=2^\lambda ,i^*=0)$.
3. 3.
  It sets the master CPRF key as $\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}=(K,\textsf {\textsc {hk}})$.
$\textsf {CPRF.Eval}(\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}},x)\rightarrow y=\mathcal {F}(K,(h,\ell _x))$: Taking as input the master CPRF key $\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}=(K,\textsf {\textsc {hk}})$ along with an input $x=x_0\ldots x_{\ell _x-1}\in \mathcal {X}_{\textsf {\textsc {cprf}}}$, where $|x|=\ell _x$, the setup authority executes the following steps:
1. 1.
  It computes $h=\mathcal {H}_{\textsf {\textsc {hk}}}(x)$.
2. 2.
  It outputs the CPRF value on input x to be $y=\mathcal {F}(K,(h,\ell _x))$.
$\textsf {CPRF.Constrain}(\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}},M)\rightarrow \textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}\{M\}=(\textsf {\textsc {hk}},\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},w_0,\textsf {\textsc {store}}_0,\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},v_0,\, \mathcal {P}_1,\mathcal {P}_2,\mathcal {P}_3,\mathcal {P}_{\textsf {\textsc {cprf}}})$: On input the master CPRF key $\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}=(K,\textsf {\textsc {hk}})$ and a TM $M=\langle Q,\varSigma _{\textsf {\textsc {inp}}},\varSigma _{\textsf {\textsc {tape}}},\delta ,q_0,q_{\textsf {\textsc {ac}}},q_{\textsf {\textsc {rej}}}\rangle \in \mathbb {M}_\lambda $, the setup authority performs the following steps:
1. 1.
  At first, it selects PPRF keys $K_1,\ldots ,K_\lambda ,K_{\textsf {\textsc {sps}},A},K_{\textsf {\textsc {sps}},E}\xleftarrow {\$}\mathcal {F}.\textsf {Setup}(\textsf {1}^\lambda )$.
2. 2.
  Next, it generates $(\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},w_0,\textsf {\textsc {store}}_0)\xleftarrow {\$}\textsf {ACC.Setup}(\textsf {1}^\lambda ,n_{\textsf {\textsc {acc-blk}}}=2^\lambda )$ and $(\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},v_0)\xleftarrow {\$}\textsf {ITR.Setup}(\textsf {1}^\lambda ,n_{\textsf {\textsc {itr}}}=2^\lambda )$.
3. 3.
  Then, it constructs the following obfuscated programs:
  - $\mathcal {P}_1=\mathcal {IO}(\textsf {Init-SPS.Prog}[q_0,w_0,v_0,K_{\textsf {\textsc {sps}},E}])$,
  - $\mathcal {P}_2=\mathcal {IO}(\textsf {Accumulate.Prog}[n_{\textsf {\textsc {ssb-blk}}}=2^\lambda ,\textsf {\textsc {hk}},\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}}, K_{\textsf {\textsc {sps}},E}])$,
  - $\mathcal {P}_3=\mathcal {IO}(\textsf {Change-SPS.Prog}[K_{\textsf {\textsc {sps}},A},K_{\textsf {\textsc {sps}},E}])$,
  - $\mathcal {P}_{\textsf {\textsc {cprf}}}~=~\mathcal {IO}(\textsf {Constrained-Key.Prog}_{\textsf {\textsc {cprf}}}[M,~T=2^\lambda ,~\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},~\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},~K,~~~~~~~~~~~~~~K_1,\ldots , K_\lambda ,K_{\textsf {\textsc {sps}},A}])$,
where the programs $\textsf {Init-SPS.Prog}, \textsf {Accumulate.Prog}, \textsf {Change-SPS.Prog}$, and $\textsf {Constrained-Key.Prog}_{\textsf {\textsc {cprf}}}$ are depicted respectively in Figs. 1, 2, 3 and 4.
1. 4.
  It Provides the constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}\{M\}=(\textsf {\textsc {hk}},\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},w_0, \textsf {\textsc {store}}_0,$ $ \textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},v_0,\mathcal {P}_1,\mathcal {P}_2,\mathcal {P}_3, \mathcal {P}_{\textsf {\textsc {cprf}}})\in \mathcal {K}_{\textsf {\textsc {cprf-const}}}$ to a legitimate user.
$\textsf {CPRF.Eval-Constrained}(\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}\{M\},x)\rightarrow y=\mathcal {F}(K,(h,\ell _x))~\text {or}~\bot $: A user takes as input its constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}\{M\}=(\textsf {\textsc {hk}},\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},w_0, \textsf {\textsc {store}}_0, \textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},v_0,$ $\mathcal {P}_1,\mathcal {P}_2,\mathcal {P}_3, \mathcal {P}_{\textsf {\textsc {cprf}}})\in \mathcal {K}_{\textsf {\textsc {cprf-const}}}$ corresponding to some legitimate TM $M=\langle Q, \varSigma _{\textsf {\textsc {inp}}}, \varSigma _{\textsf {\textsc {tape}}}, \delta ,q_0,q_{\textsf {\textsc {ac}}},q_{\textsf {\textsc {rej}}}\rangle $ and an input $x=x_0\ldots x_{\ell _x-1}\in \mathcal {X}_{\textsf {\textsc {cprf}}}$ with $|x|=\ell _x$. It proceeds as follows:

1.
It first computes $h=\mathcal {H}_{\textsf {\textsc {hk}}}(x)$.
2.
Next, it computes $\breve{\sigma }_{\textsf {\textsc {sps}},0}=\mathcal {P}_1(h)$.
3.
Then for $j=1,\ldots ,\ell _x$, it iteratively performs the following:
1. (a)
  It computes $\pi _{\textsf {\textsc {ssb}},j-1}\xleftarrow {\$}\textsf {SSB.Open}(\textsf {\textsc {hk}},x,j-1)$.
2. (b)
  It computes $\textsf {\textsc {aux}}_j=\textsf {ACC.Prep-Write}(\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}, \textsf {\textsc {store}}_{j-1},j-1)$.
3. (c)
  It computes $\textsf {\textsc {out}}=\mathcal {P}_2(j-1,x_{j-1},q_0,w_{j-1},\textsf {\textsc {aux}}_j,v_{j-1}, \breve{\sigma }_{\textsf {\textsc {sps}},j-1},h,$ $ \pi _{\textsf {\textsc {ssb}},j-1})$.
4. (d)
  If $\textsf {\textsc {out}}=\bot $, it outputs $\textsf {\textsc {out}}$. Else, it parses $\textsf {\textsc {out}}$ as $\textsf {\textsc {out}}=(w_j,v_j,\breve{\sigma }_{\textsf {\textsc {sps}},j})$.
5. (e)
  It computes $\textsf {\textsc {store}}_j=\textsf {ACC.Write-Store}(\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}, \textsf {\textsc {store}}_{j-1},j-1,x_{j-1})$.
4.
It computes $\sigma _{\textsf {\textsc {sps}},0}=\mathcal {P}_3(q_0,w_{\ell _x},v_{\ell _x},h,\ell _x, \breve{\sigma }_{\textsf {\textsc {sps}},\ell _x})$.
5.
It sets $\textsf {\textsc {pos}}_{M,0}=0$ and $\textsf {\textsc {seed}}_0=\epsilon $.
6.
Suppose, M runs for $t_x$ steps on input x. For $t=1,\ldots ,t_x$, it iteratively performs the following steps:
1. (a)
  It computes $(\textsf {\textsc {sym}}_{M,t-1},\pi _{\textsf {\textsc {acc}},t-1})=\textsf {ACC.Prep-Read}(\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}, \textsf {\textsc {store}}_{\ell _x+t-1},$ $\textsf {\textsc {pos}}_{M,t-1})$.
2. (b)
  It computes $\textsf {\textsc {aux}}_{\ell _x+t}=\textsf {ACC.Prep-Write}(\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}, \textsf {\textsc {store}}_{\ell _x+t-1}, \textsf {\textsc {pos}}_{M,t-1})$.
3. (c)
  It computes $\textsf {\textsc {out}}=\mathcal {P}_{\textsf {\textsc {cprf}}}(t,\textsf {\textsc {seed}}_{t-1}, \textsf {\textsc {pos}}_{M,t-1},\textsf {\textsc {sym}}_{M,t-1}, \textsf {\textsc {st}}_{M,t-1},$ $w_{\ell _x+t-1},\pi _{\textsf {\textsc {acc}},t-1},\textsf {\textsc {aux}}_{\ell _x+t},v_{\ell _x+t-1},h,\ell _x, \sigma _{\textsf {\textsc {sps}},t-1})$.
4. (d)
  If $t=t_x$, it outputs $\textsf {\textsc {out}}$. Otherwise, it parses $\textsf {\textsc {out}}$ as $\textsf {\textsc {out}}=(\textsf {\textsc {pos}}_{M,t},$ $\textsf {\textsc {sym}}_{M,t}^{(\textsf {\textsc {write}})},\textsf {\textsc {st}}_{M,t}, w_{\ell _x+t},v_{\ell _x+t},\sigma _{\textsf {\textsc {sps}},t},\textsf {\textsc {seed}}_t)$.
5. (e)
  It computes $\textsf {\textsc {store}}_{\ell _x+t}=~\textsf {ACC.Write-Store}(\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}, \textsf {\textsc {store}}_{\ell _x+t-1},$ $\textsf {\textsc {pos}}_{M,t-1},\textsf {\textsc {sym}}_{M,t}^{(\textsf {\textsc {write}})})$.

Theorem 3.1

Assuming $\mathcal {IO}$ is a secure indistinguishability obfuscator for $\textsf {P/poly} $, $\mathcal {F}$ is a secure puncturable pseudorandom function, $\textsf {SSB} $ is a somewhere statistically binding hash function, $\textsf {ACC} $ is a secure positional accumulator, $\textsf {ITR} $ is a secure cryptographic iterator, $\textsf {SPS} $ is a secure splittable signature scheme, and PRG is a secure injective pseudorandom generator, our CPRF construction satisfies correctness under constraining and selective pseudorandomness properties.

The proof of Theorem 3.1 is provided in the full version of this paper.

Remark 3.2

We note that concurrently and independently of our work, Deshpande et al. [11] have recently provided an alternative fix to the flaw in [10] discussed in Sect. 3.2, by replacing the standard positional accumulators used in the CPRF construction of [10] with an advanced variant of positional accumulators, namely, history-less positional accumulators [3]. Unlike standard positional accumulators, in case of history-less positional accumulators, setting up the public parameters in read/write enforcing mode does not require any history of symbol-index pairs as input. Consequently, the problem in the simulation of [10] discussed in Sect. 3.2, resulting from the use of standard positional accumulators, would clearly not arise if history-less positional accumulators are utilized in the CPRF construction of [10] instead. However, we emphasize that our approach towards resolving the flaw of [10] brings about some new subtle technical ideas which might be useful elsewhere as well.

4 Our CVPRF for Turing Machines

4.1 Notion

Definition 4.1

(Constrained Verifiable Pseudorandom Function for Turing Machines: CVPRF ). Let $\mathbb {M}_\lambda $ be a family of TM’s with (worst-case) running time bounded by $T=2^\lambda $. A constrained verifiable pseudorandom function (CVPRF) for $\mathbb {M}_\lambda $ with key space $\mathcal {K}_{\textsf {\textsc {cvprf}}}$, input domain $\mathcal {X}_{\textsf {\textsc {cvprf}}}\subset \{0,1\}^*$, and output space $\mathcal {Y}_{\textsf {\textsc {cvprf}}}\subset \{0,1\}^*$ consists of a constrained key space $\mathcal {K}_{\textsf {\textsc {cvprf-const}}}$, a proof space $\varPi _{\textsf {\textsc {cvprf}}}$, along with PPT algorithms $(\textsf {CVPRF.Setup}, \textsf {CVPRF.Eval} ,$ $ \textsf {CVPRF.Prove}, \textsf {CVPRF.Constrain}, \textsf {CVPRF.Prove-Constrained}, \textsf {CVPRF.Verify} )$ which are described below:

$\textsf {CVPRF.Setup} (\textsf {1}^\lambda )\rightarrow (\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}, \textsf {\textsc {vk}}_{\textsf {\textsc {cvprf}}}):$ The setup authority takes as input the security parameter $\textsf {1}^\lambda $ and generates a master CVPRF key $\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}$ along with a public verification key $\textsf {\textsc {vk}}_{\textsf {\textsc {cvprf}}}$.
$\textsf {CVPRF.Eval} (\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}},x)\rightarrow y:$ Taking as input the master CVPRF key $\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}$ and an input $x\in \mathcal {X}_{\textsf {\textsc {cvprf}}}$, the trusted authority outputs the value of the function $y\in \mathcal {Y}_{\textsf {\textsc {cvprf}}}$. For simplicity of notation, we will denote by $\textsf {CVPRF} (\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}},$ x) the output of this algorithm.
$\textsf {CVPRF.Prove} (\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}},x)\rightarrow \pi _{\textsf {\textsc {cvprf}}}:$ Taking as input the master CVPRF key $\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}$ and an input $x\in \mathcal {X}_{\textsf {\textsc {cvprf}}}$, the trusted authority outputs a proof $\pi _{\textsf {\textsc {cvprf}}}\in \varPi _{\textsf {\textsc {cvprf}}}$.
$\textsf {CVPRF.Constrain} (\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}},M)\rightarrow \textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}\{M\}:$ On input the master CVPRF key $\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}$ and a TM $M\in \mathbb {M}_\lambda $, the setup authority provides a constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}\{M\}$ to a legitimate user.
$\textsf {CVPRF.Prove-Constrained} (\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}\{M\},x)\rightarrow (y,\pi _{\textsf {\textsc {cvprf}}})~\text {or}~\bot :$ A user takes as input its constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}\{M\}$ corresponding to a legitimate TM $M\in \mathbb {M}_\lambda $ and an input $x\in \mathcal {X}_{\textsf {\textsc {cvprf}}}$. It outputs either a value-proof pair $(y,\pi _{\textsf {\textsc {cvprf}}})\in \mathcal {Y}_{\textsf {\textsc {cvprf}}}\times \varPi _{\textsf {\textsc {cvprf}}}$ or $(\bot ,\bot )$ indicating failure.
$\textsf {CVPRF.Verify} (\textsf {\textsc {vk}}_{\textsf {\textsc {cvprf}}},x,y,\pi _{\textsf {\textsc {cvprf}}})\rightarrow \hat{\beta }\in \{0,1\}:$ A verifier takes as input the public verification key $\textsf {\textsc {vk}}_{\textsf {\textsc {cvprf}}}$, an input $x\in \mathcal {X}_{\textsf {\textsc {cvprf}}}$, a value $y\in \mathcal {Y}_{\textsf {\textsc {cvprf}}}$, together with a proof $\pi _{\textsf {\textsc {cvprf}}}\in \varPi _{\textsf {\textsc {cvprf}}}$. It outputs a bit $\hat{beta}\in \{0,1\}$.

The algorithms $\textsf {CVPRF.Setup} ,$ $\textsf {CVPRF.Prove} ,$ $\textsf {CVPRF.Constrain} $ and $\textsf {CVPRF.} $ $\textsf {Prove-Constrained} $ are randomized, while the other two algorithms are deterministic.

$\blacktriangleright $ Provability: For any security parameter $\lambda $, $(\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}, \textsf {\textsc {vk}}_{\textsf {\textsc {cvprf}}})~\xleftarrow {\$}\textsf {CVPRF.} \textsf {Setup} (\textsf {1}^\lambda )$, $M\in \mathbb {M}_\lambda $, $\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}\{M\}\xleftarrow {\$} \textsf {CVPRF.Constrain} (\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}},M)$, $x\in \mathcal {X}_{\textsf {\textsc {cvprf}}}$, and $(y,\pi _{\textsf {\textsc {cvprf}}})\xleftarrow {\$} \textsf {CVPRF.Prove-Constrained} (\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}\{M\},x)$, the following holds:

If $M(x)=1$, then $y=\textsf {CVPRF} (\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}},x)$ and $\textsf {CVPRF.Verify} (\textsf {\textsc {vk}}_{\textsf {\textsc {cvprf}}},x,y,$ $\pi _{\textsf {\textsc {cvprf}}})=1$.
If $M(x)=0$, then $(y,\pi _{\textsf {\textsc {cvprf}}})=(\bot ,\bot )$.

The security requirements of a CVPRF are formally defined in the full version of this paper.

4.2 Techniques Adapted in Our CVPRF Construction

Let us now sketch our technical ideas to extend our CPRF construction to incorporate the verifiability feature. The additional tool that we use for this enhancement is a public key encryption (PKE) scheme which is perfectly correct and chosen plaintext attack (CPA) secure. Besides the PPRF key K, used to generate the PRF output, and the SSB hash key, we include within the master key another PPRF key $K_{\textsf {\textsc {pke}}}$ to generate randomness for the setup and encryption algorithms of PKE. As earlier, the PRF output on some input x is $\mathcal {F}(K,(h,\ell _x))$, where h and $\ell _x$ are respectively the SSB hash value and length of x. The non-interactive proof of correctness consists of a PKE public key $\textsf {\textsc {pk}}_{\textsf {\textsc {pke}}}$ together with a pseudorandom string $r_{\textsf {\textsc {pke}},2}$. The randomness $r_{\textsf {\textsc {pke}},1}$ for setting up the PKE public key $\textsf {\textsc {pk}}_{\textsf {\textsc {pke}}}$ along with the pseudorandom string $r_{\textsf {\textsc {pke}},2}$ are formed as $r_{\textsf {\textsc {pke}},1}\Vert r_{\textsf {\textsc {pke}},2}=\mathcal {F}(K_{\textsf {\textsc {pke}}},(h,\ell _x))$.

The public verification key comprises of the same SSB hash key as included in the master PRF key, together with an IO-obfuscated program $\mathcal {V}_{\textsf {\textsc {cvprf}}}$, known as the verifying program. The verifying program $\mathcal {V}_{\textsf {\textsc {cvprf}}}$ has the PPRF keys K and $K_{\textsf {\textsc {pke}}}$ hardwired in it. It takes as input an SSB hash value h and PRF input length $\ell _{\textsf {\textsc {inp}}}$. It first computes the concatenated pseudorandom strings $\hat{r}_{\textsf {\textsc {pke}},1}\Vert \hat{r}_{\textsf {\textsc {pke}},2}= \mathcal {F}(K_{\textsf {\textsc {pke}}},(h,\ell _{\textsf {\textsc {inp}}}))$. Next, it runs the PKE setup algorithm using the generated randomness $\hat{r}_{\textsf {\textsc {pke}},1}$ and creates a PKE public key $\widehat{\textsf {\textsc {pk}}}_{\textsf {\textsc {pke}}}$. The program outputs $\widehat{\textsf {\textsc {pk}}}_{\textsf {\textsc {pke}}}$ together with the ciphertext $\widehat{\textsf {\textsc {ct}}}_{\textsf {\textsc {pke}}}$ encrypting the PRF value $\mathcal {F}(K,(h,\ell _{\textsf {\textsc {inp}}}))$ under $\widehat{\textsf {\textsc {pk}}}_{\textsf {\textsc {pke}}}$ utilizing the randomness $\hat{r}_{\textsf {\textsc {pke}},2}$.

To verify a purported PRF value-proof pair $(y,\pi _{\textsf {\textsc {cvprf}}}=(\textsf {\textsc {pk}}_{\textsf {\textsc {pke}}},r))$ for some input x using the public verification key, a verifier first hashes x using the SSB hash key and then obtains a PKE public key-ciphertext pair $(\widehat{\textsf {\textsc {pk}}}_{\textsf {\textsc {pke}}},\widehat{\textsf {\textsc {ct}}}_{\textsf {\textsc {pke}}})$ by running the obfuscated verifying program $\mathcal {V}_{\textsf {\textsc {cvprf}}}$ on input the computed hash value and length of the input x. The verifier accepts the proof if $\widehat{\textsf {\textsc {pk}}}_{\textsf {\textsc {pke}}}$ matches with $\textsf {\textsc {pk}}_{\textsf {\textsc {pke}}}$, as well as $\widehat{\textsf {\textsc {ct}}}_{\textsf {\textsc {pke}}}$ matches with the ciphertext formed by encrypting the purported PRF value y under $\textsf {\textsc {pk}}_{\textsf {\textsc {pke}}}$ using the string r included within the proof. Observe that the soundness of verification follows directly from the perfect correctness property of the underlying PKE scheme. Specifically, due to the perfect correctness of PKE, it is guaranteed that two different values cannot map to the same ciphertext under the same public key.

Finally, to enable the generation of the proof along with the PRF value using a constrained key, we modify the obfuscated next step program, which we denote as $\mathcal {P}_{\textsf {\textsc {cvprf}}}$, included in the constrained key to output the proof together with the PRF value when it reaches the accepting state.

4.3 Formal Description of Our CVPRF

Here we will provide our CVPRF for TM’s. This construction is obtained by extending our CPRF construction described in Sect. 3.4. Let $\lambda $ be the underlying security parameter. Let $\mathbb {M}_\lambda $ be a class of TM’s, the members of which have (worst-case) running time bounded by $T=2^\lambda $, input alphabet $\varSigma _{\textsf {\textsc {inp}}}=\{0,1\}$, and tape alphabet $\varSigma _{\textsf {\textsc {tape}}}=\{0,1,\_\}$. Our CVPRF construction for TM family $\mathbb {M}_\lambda $ will employ all the building blocks utilized in our CPRF construction. Additionally, we will use a perfectly correct and chosen plaintext attack (CPA) secure public key encryption scheme $\textsf {PKE}=(\textsf {PKE.Setup}, \textsf {PKE.Encrypt}, \textsf {PKE.Decrypt})$ with an appropriate message space. The formal description of our CVPRF construction follows:

$\textsf {CVPRF.Setup}(\textsf {1}^\lambda )\rightarrow (\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}=(K,K_{\textsf {\textsc {pke}}},\textsf {\textsc {hk}}), \textsf {\textsc {vk}}_{\textsf {\textsc {cvprf}}}=(\textsf {\textsc {hk}},\mathcal {V}_{\textsf {\textsc {cvprf}}}))$: The setup authority takes as input the security parameter $\textsf {1}^\lambda $ and proceeds as follows:
1. 1.
  It first chooses PPRF keys $K,K_{\textsf {\textsc {pke}}}\xleftarrow {\$}\mathcal {F}.\textsf {Setup}(\textsf {1}^\lambda )$.
2. 2.
  Next it generates $\textsf {\textsc {hk}}\xleftarrow {\$}\textsf {SSB.Gen}(\textsf {1}^\lambda ,n_{\textsf {\textsc {ssb-blk}}}=2^\lambda ,i^*=0)$.
3. 3.
  Then, it creates the obfuscated program $\mathcal {V}_{\textsf {\textsc {cvprf}}}=\mathcal {IO}(\textsf {Verify.Prog}_{\textsf {\textsc {cvprf}}}[K,$ $K_{\textsf {\textsc {pke}}}])$, where the program $\textsf {Verify.Prog}_{\textsf {\textsc {cvprf}}}$ is described in Fig. 5.
4. 4.
  It sets the master CVPRF key as $\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}=(K,K_{\textsf {\textsc {pke}}},\textsf {\textsc {hk}})$ and publishes the public verification key $\textsf {\textsc {vk}}_{\textsf {\textsc {cvprf}}}=(\textsf {\textsc {hk}},\mathcal {V}_{\textsf {\textsc {cvprf}}})$.
$\textsf {CVPRF.Eval}(\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}},x)\rightarrow y=\mathcal {F}(K,(h,\ell _x))$: Taking as input the master CVPRF key $\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}=(K,K_{\textsf {\textsc {pke}}},\textsf {\textsc {hk}})$ along with an input $x=x_0\ldots x_{\ell _x-1}\in \mathcal {X}_{\textsf {\textsc {cvprf}}}$, where $|x|=\ell _x$, the setup authority proceeds in an identical fashion to $\textsf {CPRF.Eval}(\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}},x)$ described in Sect. 3.4.
$\textsf {CVPRF.Prove}(\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}},x)\rightarrow \pi _{\textsf {\textsc {cvprf}}}=(\textsf {\textsc {pk}}_{\textsf {\textsc {pke}}},r_{\textsf {\textsc {pke}},2})$: The setup authority takes as input the master CVPRF key $\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}=(K,K_{\textsf {\textsc {pke}}},\textsf {\textsc {hk}})$ along with an input $x=x_0\ldots x_{\ell _x-1}\in \mathcal {X}_{\textsf {\textsc {cvprf}}}$, where $|x|=\ell _x$. It proceeds as follows:
1. 1.
  At first, it computes $h=\mathcal {H}_{\textsf {\textsc {hk}}}(x)$.
2. 2.
  Then, it computes $r_{\textsf {\textsc {pke}},1}\Vert r_{\textsf {\textsc {pke}},2}~=~\mathcal {F}(K_{\textsf {\textsc {pke}}},(h,\ell _x)), (\textsf {\textsc {pk}}_{\textsf {\textsc {pke}}},\textsf {\textsc {sk}}_{\textsf {\textsc {pke}}})~= \textsf {PKE.Setup}(\textsf {1}^\lambda ;~r_{\textsf {\textsc {pke}},1})$.
3. 3.
  It outputs $\pi _{\textsf {\textsc {cvprf}}}=(\textsf {\textsc {pk}}_{\textsf {\textsc {pke}}},r_{\textsf {\textsc {pke}},2})$.
$\textsf {CVPRF.Constrain}(\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}},M)\rightarrow \textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}\{M\}=(\textsf {\textsc {hk}},\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},w_0,\textsf {\textsc {store}}_0,$ $\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},$ $v_0,\mathcal {P}_1,\mathcal {P}_2,\mathcal {P}_3,\mathcal {P}_{\textsf {\textsc {cvprf}}})$: On input the master CVPRF key $\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}=(K,$ $K_{\textsf {\textsc {pke}}},$ $\textsf {\textsc {hk}})$ and a TM $M=\langle Q,\varSigma _{\textsf {\textsc {inp}}},\varSigma _{\textsf {\textsc {tape}}},\delta ,q_0,q_{\textsf {\textsc {ac}}},q_{\textsf {\textsc {rej}}}\rangle \in \mathbb {M}_\lambda $, the setup authority proceeds identically to $\textsf {CPRF.Constrain}(\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}},M)$ with the only difference that in place of $\mathcal {P}_{\textsf {\textsc {cprf}}}$ it includes $\mathcal {P}_{\textsf {\textsc {cvprf}}}=\mathcal {IO}(\textsf {Constrained-Key.Prog}_{\textsf {\textsc {cvprf}}}[M,$ $T=2^\lambda , \textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},K,K_{\textsf {\textsc {pke}}},K_1,\ldots ,K_\lambda ,K_{\textsf {\textsc {sps}},A}])$ within the constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}\{M\}$, where the program $\textsf {Constrained-Key.Prog}_{\textsf {\textsc {cvprf}}}$ is depicted in Fig. 6.
$\textsf {CVPRF.Prove-Constrained}(\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}\{M\},x)~\rightarrow ~(y~=~\mathcal {F}(K,(h,\ell _x)),~\pi _{\textsf {\textsc {cvprf}}}=$ $(\textsf {\textsc {pk}}_{\textsf {\textsc {pke}}},r_{\textsf {\textsc {pke}},2}))~\text {or}~\bot $: A user takes as input its constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}\{M\}=(\textsf {\textsc {hk}},\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},w_0, \textsf {\textsc {store}}_0,\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},v_0,\mathcal {P}_1,\mathcal {P}_2,\mathcal {P}_3,\mathcal {P}_{\textsf {\textsc {cvprf}}})$ corresponding to some legitimate TM $M=\langle Q,\varSigma _{\textsf {\textsc {inp}}},\varSigma _{\textsf {\textsc {tape}}},\delta ,q_0,q_{\textsf {\textsc {ac}}},q_{\textsf {\textsc {rej}}}\rangle $ and an input $x=x_0\ldots x_{\ell _x-1}$ $\in \mathcal {X}_{\textsf {\textsc {cvprf}}}$ with $|x|=\ell _x$. It proceeds in the exact same manner as the algorithm $\textsf {CPRF.Eval-Constrained}(\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}}\{M\},x)$ described in Sect. 3.4. However, note that now the constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {cvprf}}}\{M\}$ of the user contains the obfuscated program $\mathcal {P}_{\textsf {\textsc {cvprf}}}$ instead of $\mathcal {P}_{\textsf {\textsc {cprf}}}$. Thus, it utilizes the program $\mathcal {P}_{\textsf {\textsc {cvprf}}}$ in place of $\mathcal {P}_{\textsf {\textsc {cprf}}}$ in the course of execution.
$\textsf {CVPRF.Verify}(\textsf {\textsc {vk}}_{\textsf {\textsc {cvprf}}},x,y,\pi _{\textsf {\textsc {cvprf}}})\rightarrow \hat{\beta }\in \{0,1\}$: A verifier takes as input the public verification key $\textsf {\textsc {vk}}_{\textsf {\textsc {cvprf}}}=(\textsf {\textsc {hk}},\mathcal {V}_{\textsf {\textsc {cvprf}}})$, an input $x=x_0\ldots x_{\ell _x-1}\in \mathcal {X}_{\textsf {\textsc {cvprf}}}$, where $|x|=\ell _x$, a value $y\in \mathcal {Y}_{\textsf {\textsc {cvprf}}}$, and a proof $\pi _{\textsf {\textsc {cvprf}}}=(\textsf {\textsc {pk}}_{\textsf {\textsc {pke}}},r)\in \varPi _{\textsf {\textsc {cvprf}}}$. It executes the following:

1.
It first computes $h=\mathcal {H}_{\textsf {\textsc {hk}}}(x)$.
2.
Next, it computes $(\widehat{\textsf {\textsc {pk}}}_{\textsf {\textsc {pke}}}, \widehat{\textsf {\textsc {ct}}}_{\textsf {\textsc {pke}}})=\mathcal {V}_{\textsf {\textsc {cvprf}}}(h,\ell _x)$.
3.
If $[\textsf {\textsc {pk}}_{\textsf {\textsc {pke}}}=\widehat{\textsf {\textsc {pk}}}_{\textsf {\textsc {pke}}}]~\wedge ~[\textsf {PKE.Encrypt}(\textsf {\textsc {pk}}_{\textsf {\textsc {pke}}},y;r)= \widehat{\textsf {\textsc {ct}}}_{\textsf {\textsc {pke}}}]$, it outputs 1. Otherwise, it outputs 0.

Theorem 4.1

Assuming $\mathcal {IO}$ is a secure indistinguishability obfuscator for $\textsf {P/poly} $, $\mathcal {F}$ is a secure puncturable pseudorandom function, $\textsf {SSB} $ is a somewhere statistically binding hash function, $\textsf {ACC} $ is a secure positional accumulator, $\textsf {ITR} $ is a secure cryptographic iterator, $\textsf {SPS} $ is a secure splittable signature scheme, PRG is a secure injective pseudorandom generator, and $\textsf {PKE} $ is a perfectly correct CPA secure public key encryption scheme, our CVPRF construction satisfies all the properties of a secure CVPRF.

The proof of Theorem 4.1 is given in the full version of this paper.

5 Our DCPRF for Turing Machines

5.1 Notion

Definition 5.1

(Delegatable Constrained Pseudorandom Function for Turing Machines: DCPRF ). Let $\mathbb {M}_\lambda $ be a family of TM’s with (worst-case) running time bounded by $T=2^\lambda $. A delegatable constrained pseudorandom function (DCPRF) with key space $\mathcal {K}_{\textsf {\textsc {dcprf}}}$, input domain $\mathcal {X}_{\textsf {\textsc {dcprf}}}\subset \{0,1\}^*$, and output space $\mathcal {Y}_{\textsf {\textsc {dcprf}}}\subset \{0,1\}^*$ for the TM family $\mathbb {M}_\lambda $ consists of an additional key space $\mathcal {K}_{\textsf {\textsc {dcprf-const}}}$ and PPT algorithms $(\textsf {DCPRF.Setup}, \textsf {DCPRF.Eval}, \textsf {DCPRF.Constrain} $, $\textsf {DCPRF.Delegate}, \textsf {DCPRF.Eval-} $ $\textsf {Constrained} )$ described as follows:

$\textsf {DCPRF.Setup} (\textsf {1}^\lambda )\rightarrow \textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}:$ The setup authority takes as input the security parameter $\textsf {1}^\lambda $ and generates the master DCPRF key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\in \mathcal {K}_{\textsf {\textsc {dcprf}}}$.
$\textsf {DCPRF.Eval} (\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}},x)\rightarrow y:$ On input the master DCPRF key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}$ along with an input $x\in \mathcal {X}_{\textsf {\textsc {dcprf}}}$, the setup authority computes the value of the DCPRF $y\in \mathcal {Y}_{\textsf {\textsc {dcprf}}}$. For simplicity of notation, we will use $\textsf {DCPRF} (\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}},x)$ to indicate the output of this algorithm.
$\textsf {DCPRF.Constrain} (\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}},M)\rightarrow \textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M\}:$ Taking as input the master DCPRF key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\in \mathcal {K}_{\textsf {\textsc {dcprf}}}$ and a TM $M\in \mathbb {M}_\lambda $, the setup authority provides a constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M\}\in \mathcal {K}_{\textsf {\textsc {dcprf-const}}}$ to a legitimate user.
$\textsf {DCPRF.Delegate} (\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M\},\widetilde{M})\rightarrow \textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M~\wedge \widetilde{M}\}:$ Taking as input a constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M\}\in \mathcal {K}_{\textsf {\textsc {dcprf-const}}}$ corresponding to a legitimate TM $M\in \mathbb {M}_\lambda $ along with another TM $\widetilde{M}\in \mathbb {M}_\lambda $, a user gives a delegated constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M~\wedge \widetilde{M}\}\in \mathcal {K}_{\textsf {\textsc {dcprf-const}}}$ to a legitimate delegate.
$\textsf {DCPRF.Eval-Constrained} (\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M\}/ \textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M~\wedge \widetilde{M}\},x)\rightarrow y~\text {or}~\bot :$ A user takes as input a constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M\}\in \mathcal {K}_{\textsf {\textsc {dcprf-const}}}$ obtained from the setup authority, corresponding to TM $M\in \mathbb {M}_\lambda $, or a delegated constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M~\wedge \widetilde{M}\}\in \mathcal {K}_{\textsf {\textsc {dcprf-const}}}$ delegated by a constrained key holder holding the constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M\}\in \mathcal {K}_{\textsf {\textsc {dcprf-const}}}$, corresponding to TM $\widetilde{M}\in \mathbb {M}_\lambda $, along with an input $x\in \mathcal {X}_{\textsf {\textsc {dcprf}}}$. It outputs either a value $y\in \mathcal {Y}_{\textsf {\textsc {dcprf}}}$ or $\bot $ indicating failure.

The algorithms $\textsf {DCPRF.Eval} $ and $\textsf {DCPRF.Eval-Constrained} $ are deterministic, while, all the others are randomized.

$\blacktriangleright $ Correctness under Constraining/Delegation: Let us consider any security parameter $\lambda $, $x\in \mathcal {X}_{\textsf {\textsc {dcprf}}}$, $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\xleftarrow {\$}\textsf {DCPRF.Setup} (\textsf {1}^\lambda )$, $M,\widetilde{M}\in \mathbb {M}_\lambda $, $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M\}~\xleftarrow {\$} \textsf {DCPRF.Constrain} (\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}},M)$ and $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M~~\wedge \widetilde{M}\}~\xleftarrow {\$}$ $\textsf {DCPRF.Delegate} (\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M\},\widetilde{M})$. The following must hold:

$$\begin{aligned} \textsf {DCPRF.Eval-}&\textsf {Constrained} (\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M\}/ \textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M~\wedge \widetilde{M}\},x)=\\&\left\{ \begin{array}{ll} \textsf {DCPRF} (\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}},x), &{}\hbox {if}\,\, M(x)=1/[M(x)=1]~\wedge [\widetilde{M}(x)=1] \\ \bot , &{}\hbox {otherwise} \end{array} \right. \end{aligned}$$

The security notion of a DCPRF, namely, the pseudorandomness property is formally defined in the full version of this paper.

5.2 Techniques Adapted in Our DCPRF Construction

Here again our starting point is our CPRF construction. We again use a perfectly correct and CPA secure PKE scheme for accomplishing key delegation. Precisely, while generating a constrained key corresponding to some TM M, we create a PPRF key $K'$ specific to that constrained key. We then modify the output of the next step program, which we refer to as $\mathcal {P}_{\textsf {\textsc {dcprf}}}$, when it reaches the accepting state. In stead of outputting the PRF value, the program $\mathcal {P}_{\textsf {\textsc {dcprf}}}$ outputs an encryption of the PRF value. For performing this encryption it generates a PKE public key $\textsf {\textsc {pk}}_{\textsf {\textsc {pke}}}$. The program computes the randomness $r_{\textsf {\textsc {pke}},1}$ for generating the PKE public key $\textsf {\textsc {pk}}_{\textsf {\textsc {pke}}}$ as well as the randomness $r_{\textsf {\textsc {pke}},2}$ for the encryption as $r_{\textsf {\textsc {pke}},1}\Vert r_{\textsf {\textsc {pke}},2}=\mathcal {F}(K',(h,\ell _{\textsf {\textsc {inp}}}))$, where h and $\ell _{\textsf {\textsc {inp}}}$ denote respectively the SSB hash value and length of the PRF input. We also include the PPRF key $K'$ in the clear within the constrained key. Thus, while evaluating the PRF on some input using the constrained key, the evaluator will be able to recompute the pseudorandom string $r_{\textsf {\textsc {pke}},1}$ using $K'$ and then can generate the necessary PKE secret key $\textsf {\textsc {sk}}_{\textsf {\textsc {pke}}}$ by running the setup algorithm using the randomness $r_{\textsf {\textsc {pke}},1}$ on its own. Once the secret key $\textsf {\textsc {sk}}_{\textsf {\textsc {pke}}}$ is obtained, the evaluator can simply decrypt the ciphertext obtained from the next step program $\mathcal {P}_{\textsf {\textsc {dcprf}}}$ to uncover the PRF value. However, if a party does not have the key $K'$ or the randomness that would have to be used for creating the required PKE secret key, then it cannot derive the PRF value from the ciphertext obtained from the next step program $\mathcal {P}_{\textsf {\textsc {dcprf}}}$. We encash this idea to design the key delegation functionality.

The structure of our delegated key is as follows: Suppose a party holding a constrained key, corresponding to some TM M, wishes to construct a delegated key for $M \wedge \widetilde{M}$, where $\widetilde{M}$ is some other TM. The party generates all the components and obfuscated programs as those formed while constructing a constrained key for $\widetilde{M}$ with the only exception that it embeds the PPRF key $K'$, included in its constrained key, inside the obfuscated next step program for $\widetilde{M}$ in place of the PPRF key K, which is part of the master PRF key and provides the PRF output. In fact, since the party only has a constrained key and not the master key, it does not possess the key K in the clear and hence cannot embed it within the obfuscated programs that it generates. The delegated key, corresponding to $M \wedge \widetilde{M}$ consists of all the generated components and obfuscated programs for $\widetilde{M}$ together with all the components and obfuscated programs included in the constrained key for M possessed by the delegator except the PPRF key $K'$.

The idea is that, while evaluating the PRF on some input x using the delegated key for $M \wedge \widetilde{M}$, the evaluator proceeds in three steps. In the first step, provided $\widetilde{M}(x)=1$, the evaluator computes the output of $\mathcal {F}$ with key $K'$ on the SSB hash value and length of x by making use of the delegated key components pertaining to $\widetilde{M}$. Next, using the obtained PPRF output, the evaluator runs the PKE setup algorithm to obtain the necessary PKE secret key. In the second step, utilizing the delegated key components associated to M, the evaluator obtains a ciphertext encrypting the PRF output on x, provided $M(x)=1$. Finally, the evaluator decrypts the ciphertext using the computed PKE secret key to reveal the PRF output.

5.3 Formal Description of Our DCPRF

In this section, we will present our DCPRF for TM’s. The construction presented here considers only one level of delegation, however, it can readily be generalized to support multiple delegation levels. Let $\lambda $ be the underlying security parameter. Consider the class $\mathbb {M}_\lambda $ of TM’s, the members of which have (worst-case) running time bounded by $T=2^\lambda $, input alphabet $\varSigma _{\textsf {\textsc {inp}}}=\{0,1\}$, and tape alphabet $\varSigma _{\textsf {\textsc {tape}}}=\{0,1,\_\}$. Our DCPRF construction is an augmentation of our CPRF construction with a delegation functionality and employs all the cryptographic building blocks utilized by our CPRF construction. In addition, we use a perfectly correct and CPA secure public key encryption scheme $\textsf {PKE} =(\textsf {PKE.Setup}, \textsf {PKE.Encrypt}, \textsf {PKE.Decrypt})$ with an appropriate message space. The formal description of our DCPRF follows:

$\textsf {DCPRF.Setup}(\textsf {1}^\lambda )\rightarrow \textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}=(K,\textsf {\textsc {hk}})$: The setup authority takes as input the security parameter $\textsf {1}^\lambda $ and proceeds the same way as $\textsf {CPRF.Setup}(\textsf {1}^\lambda )$ described in Sect. 3.4.
$\textsf {DCPRF.Eval}(\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}},x)\rightarrow y=\mathcal {F}(K,(h,\ell _x))$: Taking as input the master DCPRF key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}=(K,\textsf {\textsc {hk}})$ and an input $x=x_0\ldots x_{\ell _x-1}\in \mathcal {X}_{\textsf {\textsc {dcprf}}}$, where $|x|=\ell _x$, the setup authority executes identical steps as $\textsf {CPRF.Eval}(\textsf {\textsc {sk}}_{\textsf {\textsc {cprf}}},x)$ described in Sect. 3.4.
$\textsf {DCPRF.Constrain}(\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}},M)\rightarrow \textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M\}=(K',\textsf {\textsc {hk}},\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},w_0, \textsf {\textsc {store}}_0,$ $ \textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},v_0,\mathcal {P}_1,\mathcal {P}_2,\mathcal {P}_3,\mathcal {P}_{\textsf {\textsc {dcprf}}})$: On input the master DCPRF key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}=(K,\textsf {\textsc {hk}})$ and a TM $M=\langle Q,\varSigma _{\textsf {\textsc {inp}}},\varSigma _{\textsf {\textsc {tape}}},\delta ,q_0,q_{\textsf {\textsc {ac}}},q_{\textsf {\textsc {rej}}}\rangle \in \mathbb {M}_\lambda $, the setup authority performs the following steps:

1.
At first, it selects PPRF keys $K',K_1,\ldots ,K_\lambda ,K_{\textsf {\textsc {sps}},A},K_{\textsf {\textsc {sps}},E}\xleftarrow {\$}\mathcal {F}.\textsf {Setup}(\textsf {1}^\lambda )$.
2.
Next, it generates $(\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},w_0,\textsf {\textsc {store}}_0)\xleftarrow {\$}\textsf {ACC.Setup}(\textsf {1}^\lambda ,n_{\textsf {\textsc {acc-blk}}}=2^\lambda )$ and $(\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},v_0)\xleftarrow {\$}\textsf {ITR.Setup}(\textsf {1}^\lambda ,n_{\textsf {\textsc {itr}}}=2^\lambda )$.
3.
Then, it constructs the obfuscated programs
- $\mathcal {P}_1=\mathcal {IO}(\textsf {Init-SPS.Prog}[q_0,w_0,v_0,K_{\textsf {\textsc {sps}},E}])$,
- $\mathcal {P}_2=\mathcal {IO}(\textsf {Accumulate.Prog}[n_{\textsf {\textsc {ssb-blk}}}=2^\lambda ,\textsf {\textsc {hk}},\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}}, K_{\textsf {\textsc {sps}},E}])$,
- $\mathcal {P}_3=\mathcal {IO}(\textsf {Change-SPS.Prog}[K_{\textsf {\textsc {sps}},A},K_{\textsf {\textsc {sps}},E}])$,
- $\mathcal {P}_{\textsf {\textsc {dcprf}}}=\mathcal {IO}(\textsf {Constrained-Key.Prog}_{\textsf {\textsc {dcprf}}}[M,T=2^\lambda ,\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},K,K',~~~~~~~~~~~~~~K_1,\ldots ,K_\lambda ,K_{\textsf {\textsc {sps}},A}])$,
where the programs $\textsf {Init-SPS.Prog}, \textsf {Accumulate.Prog}$, and $\textsf {Change-SPS.Prog}$ are depicted respectively in Figs. 1, 2 and 3 in Sect. 3.4, while the program $\textsf {Constrained-Key.Prog}_{\textsf {\textsc {dcprf}}}$ is described in Fig. 7.
4.
It provides the constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M\}=(K',\textsf {\textsc {hk}},\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},w_0, \textsf {\textsc {store}}_0,$ $ \textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},v_0,\mathcal {P}_1,\mathcal {P}_2,\mathcal {P}_3,\mathcal {P}_{\textsf {\textsc {dcprf}}})$ to a legitimate user.

$\textsf {DCPRF.Delegate}(\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M\},\widetilde{M})\rightarrow \textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M~\wedge ~\widetilde{M}\}=(\widetilde{K}',\textsf {\textsc {hk}},\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}, \widetilde{\textsf {\textsc {pp}}}_{\textsf {\textsc {acc}}},$ $w_0,~\widetilde{w}_0,~\textsf {\textsc {store}}_0,~\widetilde{\textsf {\textsc {store}}}_0, ~\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},~\widetilde{\textsf {\textsc {pp}}}_{\textsf {\textsc {itr}}},~v_0, ~\widetilde{v}_0,~\mathcal {P}_1, ~\widetilde{\mathcal {P}}_1,~\mathcal {P}_2,~\widetilde{\mathcal {P}}_2,~\mathcal {P}_3,~\widetilde{\mathcal {P}}_3,$ $ \mathcal {P}_{\textsf {\textsc {dcprf}}}, \widetilde{\mathcal {P}}_{\textsf {\textsc {dcprf}}})$: A user takes as input a constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M\}=(K',$ $\textsf {\textsc {hk}},\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},w_0, \textsf {\textsc {store}}_0,\textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},v_0,\mathcal {P}_1,\mathcal {P}_2,\mathcal {P}_3, \mathcal {P}_{\textsf {\textsc {dcprf}}})$, corresponding to a legitimate TM $M\in \mathbb {M}_\lambda $ and another TM $\widetilde{M}=\langle \widetilde{Q},\varSigma _{\textsf {\textsc {inp}}},\varSigma _{\textsf {\textsc {tape}}},$ $\widetilde{\delta },\widetilde{q}_0,\widetilde{q}_{\textsf {\textsc {ac}}}, \widetilde{q}_{\textsf {\textsc {rej}}}\rangle \in \mathbb {M}_\lambda $. It proceeds as follows:

1.
It first picks fresh PPRF keys $\widetilde{K}',\widetilde{K}_1,\ldots ,\widetilde{K}_\lambda ,\widetilde{K}_{\textsf {\textsc {sps}},A},\widetilde{K}_{\textsf {\textsc {sps}},E}\xleftarrow {\$} \mathcal {F}.\textsf {Setup}(\textsf {1}^\lambda )$.
2.
Next it generates $(\widetilde{\textsf {\textsc {pp}}}_{\textsf {\textsc {acc}}},\widetilde{w}_0, \widetilde{\textsf {\textsc {store}}}_0)\xleftarrow {\$}\textsf {ACC.Setup}(\textsf {1}^\lambda ,n_{\textsf {\textsc {acc-blk}}}=2^\lambda )$ and $(\widetilde{\textsf {\textsc {pp}}}_{\textsf {\textsc {itr}}},\widetilde{v}_0)\xleftarrow {\$}\textsf {ITR.Setup}(\textsf {1}^\lambda ,n_{\textsf {\textsc {itr}}}=2^\lambda )$ afresh.
3.
Then, it constructs the obfuscated programs
- $\widetilde{\mathcal {P}}_1=\mathcal {IO}(\textsf {Init-SPS.Prog}[\widetilde{q}_0,\widetilde{w}_0,\widetilde{v}_0, \widetilde{K}_{\textsf {\textsc {sps}},E}])$,
- $\widetilde{\mathcal {P}}_2=\mathcal {IO}(\textsf {Accumulate.Prog}[n_{\textsf {\textsc {ssb-blk}}}=2^\lambda ,\textsf {\textsc {hk}},\widetilde{\textsf {\textsc {pp}}}_{\textsf {\textsc {acc}}}, \widetilde{\textsf {\textsc {pp}}}_{\textsf {\textsc {itr}}}, \widetilde{K}_{\textsf {\textsc {sps}},E}])$,
- $\widetilde{\mathcal {P}}_3=\mathcal {IO}(\textsf {Change-SPS.Prog}[\widetilde{K}_{\textsf {\textsc {sps}},A}, \widetilde{K}_{\textsf {\textsc {sps}},E}])$,
- $\widetilde{\mathcal {P}}_{\textsf {\textsc {dcprf}}}= \mathcal {IO}(\textsf {Constrained-Key.Prog}_{\textsf {\textsc {dcprf}}}[\widetilde{M},T=2^\lambda ,\widetilde{\textsf {\textsc {pp}}}_{\textsf {\textsc {acc}}},\widetilde{\textsf {\textsc {pp}}}_{\textsf {\textsc {itr}}},K',$ $~~~~~~~~~~~~~~~\widetilde{K}',\widetilde{K}_1,\ldots ,\widetilde{K}_\lambda ,\widetilde{K}_{\textsf {\textsc {sps}},A}])$,
where the programs $\textsf {Init-SPS.Prog}, \textsf {Accumulate.Prog}$, and $\textsf {Change-SPS.Prog}$ are depicted respectively in Figs. 1, 2 and 3 in Sect. 3.4, while the program $\textsf {Constrained-Key.Prog}_{\textsf {\textsc {dcprf}}}$ is described in Fig. 7.
4.
It gives the delegated key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M~\wedge ~\widetilde{M}\}=(\widetilde{K}',\textsf {\textsc {hk}},\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}, \widetilde{\textsf {\textsc {pp}}}_{\textsf {\textsc {acc}}},w_0,\widetilde{w}_0, \textsf {\textsc {store}}_0,\widetilde{\textsf {\textsc {store}}}_0, \textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},\widetilde{\textsf {\textsc {pp}}}_{\textsf {\textsc {itr}}},v_0, \widetilde{v}_0,\mathcal {P}_1, \widetilde{\mathcal {P}}_1,\mathcal {P}_2,\widetilde{\mathcal {P}}_2,\mathcal {P}_3,\widetilde{\mathcal {P}}_3, \mathcal {P}_{\textsf {\textsc {dcprf}}}, \widetilde{\mathcal {P}}_{\textsf {\textsc {dcprf}}})$ to a legitimate delegate.

$\textsf {DCPRF.Eval-Constrained}(\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M\}/ \textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M~\wedge ~\widetilde{M}\},x)\rightarrow y=\mathcal {F}(K,(h,\ell _x))~$ $\text {or}~\bot $: A user takes as input a constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M\}=(K',\textsf {\textsc {hk}},\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},$ $w_0, \textsf {\textsc {store}}_0, \textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},v_0,$ $\mathcal {P}_1,\mathcal {P}_2,\mathcal {P}_3,\mathcal {P}_{\textsf {\textsc {dcprf}}})$ obtained from the setup authority, corresponding to some legitimate TM $M=\langle Q, \varSigma _{\textsf {\textsc {inp}}}, \varSigma _{\textsf {\textsc {tape}}}, \delta ,q_0,q_{\textsf {\textsc {ac}}},q_{\textsf {\textsc {rej}}}\rangle \in \mathbb {M}_\lambda $, or a delegated key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M~\wedge ~\widetilde{M}\}=(\widetilde{K}',\textsf {\textsc {hk}},\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}, \widetilde{\textsf {\textsc {pp}}}_{\textsf {\textsc {acc}}},w_0,\widetilde{w}_0,$ $\textsf {\textsc {store}}_0, \widetilde{\textsf {\textsc {store}}}_0, \textsf {\textsc {pp}}_{\textsf {\textsc {itr}}},$ $\widetilde{\textsf {\textsc {pp}}}_{\textsf {\textsc {itr}}},v_0, \widetilde{v}_0,\mathcal {P}_1, \widetilde{\mathcal {P}}_1,\mathcal {P}_2,\widetilde{\mathcal {P}}_2,\mathcal {P}_3,\widetilde{\mathcal {P}}_3, \mathcal {P}_{\textsf {\textsc {dcprf}}}, \widetilde{\mathcal {P}}_{\textsf {\textsc {dcprf}}})$ obtained from the holder of the constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M\}$, corresponding to TM $\widetilde{M}=\langle \widetilde{Q},\varSigma _{\textsf {\textsc {inp}}},\varSigma _{\textsf {\textsc {tape}}},$ $\widetilde{\delta },\widetilde{q}_0, \widetilde{q}_{\textsf {\textsc {ac}}}, \widetilde{q}_{\textsf {\textsc {rej}}}\rangle \in \mathbb {M}_\lambda $, along with an input $x=x_0\ldots x_{\ell _x-1}\in \mathcal {X}_{\textsf {\textsc {dcprf}}}$ with $|x|=\ell _x$. It proceeds as follows:

(A)
If $M(x)=0$, it outputs $\bot $. Otherwise, it performs the following steps:
1. 1.
  It first computes $h=\mathcal {H}_{\textsf {\textsc {hk}}}(x)$.
2. 2.
  Next, it computes $\breve{\sigma }_{\textsf {\textsc {sps}},0}=\mathcal {P}_1(h)$.
3. 3.
  Then for $j=1,\ldots ,\ell _x$, it iteratively performs the following:
  1. (a)
    It computes $\pi _{\textsf {\textsc {ssb}},j-1}\xleftarrow {\$}\textsf {SSB.Open}(\textsf {\textsc {hk}},x,j-1)$.
  2. (b)
    It computes $\textsf {\textsc {aux}}_j=\textsf {ACC.Prep-Write}(\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}, \textsf {\textsc {store}}_{j-1},j-1)$.
  3. (c)
    It computes $\textsf {\textsc {out}}=\mathcal {P}_2(j-1,x_{j-1},q_0,w_{j-1},\textsf {\textsc {aux}}_j,v_{j-1}, \breve{\sigma }_{\textsf {\textsc {sps}},j-1},h,$ $ \pi _{\textsf {\textsc {ssb}},j-1})$.
  4. (d)
    If $\textsf {\textsc {out}}=\bot $, it outputs $\textsf {\textsc {out}}$. Else, it parses $\textsf {\textsc {out}}$ as $\textsf {\textsc {out}}=(w_j,v_j,$ $\breve{\sigma }_{\textsf {\textsc {sps}},j})$.
  5. (e)
    It computes $\textsf {\textsc {store}}_j=\textsf {ACC.Write-Store}(\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}, \textsf {\textsc {store}}_{j-1},j-1,$ $x_{j-1})$.
4. 4.
  It computes $\sigma _{\textsf {\textsc {sps}},0}=\mathcal {P}_3(q_0,w_{\ell _x},v_{\ell _x},h,\ell _x, \breve{\sigma }_{\textsf {\textsc {sps}},\ell _x})$.
5. 5.
  It sets $\textsf {\textsc {pos}}_{M,0}=0$ and $\textsf {\textsc {seed}}_0=\epsilon $.
6. 6.
  Suppose, M accepts x in $t_x$ steps. For $t=1,\ldots ,t_x$, it iteratively performs the following steps:
  1. (a)
    It computes $(\textsf {\textsc {sym}}_{M,t-1},\pi _{\textsf {\textsc {acc}},t-1})= \textsf {ACC.Prep-Read}(\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}},$ $ \textsf {\textsc {store}}_{\ell _x+t-1},\textsf {\textsc {pos}}_{M,t-1})$.
  2. (b)
    It computes $\textsf {\textsc {aux}}_{\ell _x+t}~=~\textsf {ACC.Prep-Write}(\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}, \textsf {\textsc {store}}_{\ell _x+t-1},$ $ \textsf {\textsc {pos}}_{M,t-1})$.
  3. (c)
    It computes $\textsf {\textsc {out}}=\mathcal {P}_{\textsf {\textsc {dcprf}}}(t,\textsf {\textsc {seed}}_{t-1},\textsf {\textsc {pos}}_{M,t-1}, \textsf {\textsc {sym}}_{M,t-1}, \textsf {\textsc {st}}_{M,t-1}, w_{\ell _x+t-1},\pi _{\textsf {\textsc {acc}},t-1},\textsf {\textsc {aux}}_{\ell _x+t},v_{\ell _x+t-1},h,\ell _x, \sigma _{\textsf {\textsc {sps}},t-1})$.
  4. (d)
    If $t=t_x$, it sets $\textsf {\textsc {ct}}_{\textsf {\textsc {pke}}}=\textsf {\textsc {out}}$. Otherwise, it parses $\textsf {\textsc {out}}$ as $\textsf {\textsc {out}}=(\textsf {\textsc {pos}}_{M,t},\textsf {\textsc {sym}}_{M,t}^{(\textsf {\textsc {write}})}, \textsf {\textsc {st}}_{M,t}, w_{\ell _x+t},v_{\ell _x+t},\sigma _{\textsf {\textsc {sps}},t},\textsf {\textsc {seed}}_t)$.
  5. (e)
    It computes $\textsf {\textsc {store}}_{\ell _x+t}=\textsf {ACC.Write-Store}(\textsf {\textsc {pp}}_{\textsf {\textsc {acc}}}, \textsf {\textsc {store}}_{\ell _x+t-1},$ $ \textsf {\textsc {pos}}_{M,t-1},\textsf {\textsc {sym}}_{M,t}^{(\textsf {\textsc {write}})})$.
(B)
If the user is using the constrained key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M\}$, then it computes $r_{\textsf {\textsc {pke}},1}\Vert r_{\textsf {\textsc {pke}},2}=\mathcal {F}(K',(h,\ell _x)), (\textsf {\textsc {pk}}_{\textsf {\textsc {pke}}},\textsf {\textsc {sk}}_{\textsf {\textsc {pke}}})=\textsf {PKE.Setup}(\textsf {1}^\lambda ;~r_{\textsf {\textsc {pke}},1})$, and outputs $\textsf {PKE.Decrypt}(\textsf {\textsc {sk}}_{\textsf {\textsc {pke}}},\textsf {\textsc {ct}}_{\textsf {\textsc {pke}}})$. On the other hand, if the user is using the delegated key $\textsf {\textsc {sk}}_{\textsf {\textsc {dcprf}}}\{M~\wedge ~\widetilde{M}\}$ and $\widetilde{M}(x)=0$, then it outputs $\bot $, while if $\widetilde{M}(x)=1$, it further executes the following steps:
1. 1.
  It computes $\widetilde{\breve{\sigma }}_{\textsf {\textsc {sps}},0}=\widetilde{\mathcal {P}}_1(h)$.
2. 2.
  Then for $j=1,\ldots ,\ell _x$, it iteratively performs the following:
  1. (a)
    It computes $\widetilde{\pi }_{\textsf {\textsc {ssb}},j-1}\xleftarrow {\$}\textsf {SSB.Open}(\textsf {\textsc {hk}},x,j-1)$.
  2. (b)
    It computes $\widetilde{\textsf {\textsc {aux}}}_j=\textsf {ACC.Prep-Write}(\widetilde{\textsf {\textsc {pp}}}_{\textsf {\textsc {acc}}}, \widetilde{\textsf {\textsc {store}}}_{j-1},j-1)$.
  3. (c)
    It computes $\widetilde{\textsf {\textsc {out}}}=\widetilde{\mathcal {P}}_2(j-1,x_{j-1},\widetilde{q}_0,\widetilde{w}_{j-1}, \widetilde{\textsf {\textsc {aux}}}_j, \widetilde{v}_{j-1},\widetilde{\breve{\sigma }}_{\textsf {\textsc {sps}},j-1},h,$ $ \widetilde{\pi }_{\textsf {\textsc {ssb}},j-1})$.
  4. (d)
    If $\widetilde{\textsf {\textsc {out}}}=\bot $, it outputs $\widetilde{\textsf {\textsc {out}}}$. Else, it parses $\widetilde{\textsf {\textsc {out}}}$ as $\widetilde{\textsf {\textsc {out}}}=(\widetilde{w}_j,\widetilde{v}_j,$ $\widetilde{\breve{\sigma }}_{\textsf {\textsc {sps}},j})$.
  5. (e)
    It computes $\widetilde{\textsf {\textsc {store}}}_j=\textsf {ACC.Write-Store}(\widetilde{\textsf {\textsc {pp}}}_{\textsf {\textsc {acc}}}, \widetilde{\textsf {\textsc {store}}}_{j-1},j-1,$ $x_{j-1})$.
3. 3.
  It computes $\widetilde{\sigma }_{\textsf {\textsc {sps}},0}=\widetilde{\mathcal {P}}_3(\widetilde{q}_0,\widetilde{w}_{\ell _x}, \widetilde{v}_{\ell _x},h,\ell _x,\widetilde{\breve{\sigma }}_{\textsf {\textsc {sps}},\ell _x})$.
4. 4.
  It sets $\textsf {\textsc {pos}}_{\widetilde{M},0}=0$ and $\widetilde{\textsf {\textsc {seed}}}_0=\epsilon $.
5. 5.
  Suppose, $\widetilde{M}$ accepts x in $\widetilde{t}_x$ steps. For $t=1,\ldots ,\widetilde{t}_x$, it iteratively performs the following steps:
  1. (a)
    It computes $(\textsf {\textsc {sym}}_{\widetilde{M},t-1},\widetilde{\pi }_{\textsf {\textsc {acc}},t-1})~=~ \textsf {ACC.Prep-Read}(\widetilde{\textsf {\textsc {pp}}}_{\textsf {\textsc {acc}}},$ $ \widetilde{\textsf {\textsc {store}}}_{\ell _x+t-1},\textsf {\textsc {pos}}_{\widetilde{M},t-1})$.
  2. (b)
    It computes $\widetilde{\textsf {\textsc {aux}}}_{\ell _x+t}~=~\textsf {ACC.Prep-Write}(\widetilde{\textsf {\textsc {pp}}}_{\textsf {\textsc {acc}}}, \widetilde{\textsf {\textsc {store}}}_{\ell _x+t-1},$ $ \textsf {\textsc {pos}}_{\widetilde{M},t-1})$.
  3. (c)
    It computes $\widetilde{\textsf {\textsc {out}}}=\widetilde{\mathcal {P}}_{\textsf {\textsc {dcprf}}}(t,\widetilde{\textsf {\textsc {seed}}}_{t-1}, \textsf {\textsc {pos}}_{\widetilde{M},t-1},\textsf {\textsc {sym}}_{\widetilde{M},t-1}, \textsf {\textsc {st}}_{\widetilde{M},t-1}, \widetilde{w}_{\ell _x+t-1},\widetilde{\pi }_{\textsf {\textsc {acc}},t-1}, \widetilde{\textsf {\textsc {aux}}}_{\ell _x+t},\widetilde{v}_{\ell _x+t-1},h,\ell _x, \widetilde{\sigma }_{\textsf {\textsc {sps}},t-1})$.
  4. (d)
    If $t=\widetilde{t}_x$, it sets $\widetilde{\textsf {\textsc {ct}}}_{\textsf {\textsc {pke}}}=\widetilde{\textsf {\textsc {out}}}$. Otherwise, it parses $\widetilde{\textsf {\textsc {out}}}$ as $\widetilde{\textsf {\textsc {out}}}=(\textsf {\textsc {pos}}_{\widetilde{M},t}, \textsf {\textsc {sym}}_{\widetilde{M},t}^{(\textsf {\textsc {write}})}, \textsf {\textsc {st}}_{\widetilde{M},t}, \widetilde{w}_{\ell _x+t},\widetilde{v}_{\ell _x+t},\widetilde{\sigma }_{\textsf {\textsc {sps}},t}, \widetilde{\textsf {\textsc {seed}}}_t)$.
  5. (e)
    It computes $\widetilde{\textsf {\textsc {store}}}_{\ell _x+t}= \textsf {ACC.Write-Store}(\widetilde{\textsf {\textsc {pp}}}_{\textsf {\textsc {acc}}}, \widetilde{\textsf {\textsc {store}}}_{\ell _x+t-1},$ $\textsf {\textsc {pos}}_{\widetilde{M},t-1}, \textsf {\textsc {sym}}_{\widetilde{M},t}^{(\textsf {\textsc {write}})})$.
(C)
Finally, it computes
- $\widetilde{r}_{\textsf {\textsc {pke}},1}\Vert \widetilde{r}_{\textsf {\textsc {pke}},2}=\mathcal {F}(\widetilde{K}',(h,\ell _x))$,
- $(\widetilde{\textsf {\textsc {pk}}}_{\textsf {\textsc {pke}}},\widetilde{\textsf {\textsc {sk}}}_{\textsf {\textsc {pke}}})= \textsf {PKE.Setup}(\textsf {1}^\lambda ;~\widetilde{r}_{\textsf {\textsc {pke}},1})$,
- $r_{\textsf {\textsc {pke}},1}\Vert r_{\textsf {\textsc {pke}},2}= \textsf {PKE.Decrypt}(\widetilde{\textsf {\textsc {sk}}}_{\textsf {\textsc {pke}}}, \widetilde{\textsf {\textsc {ct}}}_{\textsf {\textsc {pke}}})$,
- $(\textsf {\textsc {pk}}_{\textsf {\textsc {pke}}},\textsf {\textsc {sk}}_{\textsf {\textsc {pke}}})= \textsf {PKE.Setup}(\textsf {1}^\lambda ;~r_{\textsf {\textsc {pke}},1})$,
and outputs $\textsf {PKE.Decrypt}(\textsf {\textsc {sk}}_{\textsf {\textsc {pke}}},\textsf {\textsc {ct}}_{\textsf {\textsc {pke}}})$.

Theorem 5.1

Assuming $\mathcal {IO}$ is a secure indistinguishability obfuscator for $\textsf {P/poly} $, $\mathcal {F}$ is a secure puncturable pseudorandom function, $\textsf {SSB} $ is a somewhere statistically binding hash function, $\textsf {ACC} $ is a secure positional accumulator, $\textsf {ITR} $ is a secure cryptographic iterator, $\textsf {SPS} $ is a secure splittable signature scheme, PRG is a secure injective pseudorandom generator, and PKE is CPA secure, our DCPRF construction satisfies the correctness and selective pseudorandomness properties.

The proof of Theorem 5.1 is given in the full version of this paper.

References

Abusalah, H., Fuchsbauer, G.: Constrained PRFs for unbounded inputs with short keys. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 445–463. Springer, Heidelberg (2016). doi:10.1007/978-3-319-39555-5_24
Chapter Google Scholar
Abusalah, H., Fuchsbauer, G., Pietrzak, K.: Constrained PRFs for unbounded inputs. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 413–428. Springer, Heidelberg (2016). doi:10.1007/978-3-319-29485-8_24
Chapter Google Scholar
Ananth, P., Chen, Y.-C., Chung, K.-M., Lin, H., Lin, W.-K.: Delegating RAM computations with adaptive soundness and privacy. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 3–30. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53644-5_1
Chapter Google Scholar
Banerjee, A., Fuchsbauer, G., Peikert, C., Pietrzak, K., Stevens, S.: Key-homomorphic constrained pseudorandom functions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 31–60. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46497-7_2
Chapter Google Scholar
Bellare, M., Fuchsbauer, G.: Policy-based signatures. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 520–537. Springer, Heidelberg (2014). doi:10.1007/978-3-642-54631-0_30
Chapter Google Scholar
Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013). doi:10.1007/978-3-642-42045-0_15
Chapter Google Scholar
Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014). doi:10.1007/978-3-642-54631-0_29
Chapter Google Scholar
Brakerski, Z., Vaikuntanathan, V.: Constrained key-homomorphic PRFs from standard lattice assumptions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 1–30. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46497-7_1
Chapter Google Scholar
Chandran, N., Raghuraman, S., Vinayagamurthy, D.: Constrained pseudorandom functions: verifiable and delegatable. Cryptology ePrint Archive, Report 2014/522 (2014)
Google Scholar
Deshpande, A., Koppula, V., Waters, B.: Constrained pseudorandom functions for unconstrained inputs. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 124–153. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49896-5_5
Chapter Google Scholar
Deshpande, A., Koppula, V., Waters, B.: Constrained pseudorandom functions for unconstrained inputs. Cryptology ePrint Archive, Report 2016/301, Version 20160819:153952 (2016)
Google Scholar
Fuchsbauer, G.: Constrained verifiable random functions. In: Abdalla, M., Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 95–114. Springer, Heidelberg (2014). doi:10.1007/978-3-319-10879-7_7
Google Scholar
Fuchsbauer, G., Konstantinov, M., Pietrzak, K., Rao, V.: Adaptive security of constrained PRFs. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 82–101. Springer, Heidelberg (2014). doi:10.1007/978-3-662-45608-8_5
Google Scholar
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 2013 IEEE 54th Annual Symposium on Foundations of Computer Science (FOCS), pp. 40–49. IEEE (2013)
Google Scholar
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM (JACM) 33(4), 792–807 (1986)
Article MathSciNet MATH Google Scholar
Hofheinz, D., Kamath, A., Koppula, V., Waters, B.: Adaptively secure constrained pseudorandom functions. Cryptology ePrint Archive, Report 2014/720 (2014)
Google Scholar
Hohenberger, S., Koppula, V., Waters, B.: Adaptively secure puncturable pseudorandom functions in the standard model. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 79–102. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_4
Chapter Google Scholar
Hubacek, P., Wichs, D.: On the communication complexity of secure function evaluation with long output. In: The 2015 Conference on Innovations in Theoretical Computer Science, pp. 163–172. ACM (2015)
Google Scholar
Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: The 2013 ACM SIGSAC Conference on Computer Communications Security, pp. 669–684. ACM (2013)
Google Scholar
Koppula, V., Lewko, A.B., Waters, B.: Indistinguishability obfuscation for turing machines with unbounded memory. In: The 47th Annual ACM on Symposium on Theory of Computing, pp. 419–428. ACM (2015)
Google Scholar
Micali, S., Rabin, M., Vadhan, S.: Verifiable random functions. In: 40th Annual Symposium on Foundations of Computer Science, pp. 120–130. IEEE (1999)
Google Scholar
Okamoto, T., Pietrzak, K., Waters, B., Wichs, D.: New realizations of somewhere statistically binding hashing and positional accumulators. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 121–145. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_6
Chapter Google Scholar
Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: The 46th Annual ACM Symposium on Theory of Computing, pp. 475–484. ACM (2014)
Google Scholar

Download references

Author information

Authors and Affiliations

Department of Mathematics, Indian Institute of Technology Kharagpur, Kharagpur, 721302, India
Pratish Datta, Ratna Dutta & Sourav Mukhopadhyay

Authors

Pratish Datta
View author publications
You can also search for this author in PubMed Google Scholar
Ratna Dutta
View author publications
You can also search for this author in PubMed Google Scholar
Sourav Mukhopadhyay
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Pratish Datta .

Editor information

Editors and Affiliations

CWI , Amsterdam, Noord-Holland, The Netherlands
Serge Fehr

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Datta, P., Dutta, R., Mukhopadhyay, S. (2017). Constrained Pseudorandom Functions for Unconstrained Inputs Revisited: Achieving Verifiability and Key Delegation. In: Fehr, S. (eds) Public-Key Cryptography – PKC 2017. PKC 2017. Lecture Notes in Computer Science(), vol 10175. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-54388-7_16

Download citation

DOI: https://doi.org/10.1007/978-3-662-54388-7_16
Published: 26 February 2017
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-54387-0
Online ISBN: 978-3-662-54388-7
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)