Constrained Pseudorandom Functions: Verifiable and Delegatable

Constrained pseudorandom functions (introduced independently by Boneh and Waters (CCS 2013), Boyle, Goldwasser, and Ivan (PKC 2014), and Kiayias, Papadopoulos, Triandopoulos, and Zacharias (CCS 2013)), are pseudorandom functions (PRFs) that allow the owner of the secret key k to compute a constrained key kf , such that anyone who possesses kf can compute the output of the PRF on any input x such that f(x) = 1 for some predicate f . The security requirement of constrained PRFs state that the PRF output must still look indistinguishable from random for any x such that f(x) = 0. Boneh and Waters show how to construct constrained PRFs for the class of bit-fixing as well as circuit predicates. They explicitly left open the question of constructing constrained PRFs that are delegatable i.e., constrained PRFs where the owner of kf can compute a constrained key kf ′ for a further restrictive predicate f ′. Boyle, Goldwasser, and Ivan left open the question of constructing constrained PRFs that are also verifiable. Verifiable random functions (VRFs), introduced by Micali, Rabin, and Vadhan (FOCS 1999), are PRFs that allow the owner of the secret key k to prove, for any input x, that y indeed is the output of the PRF on x; the security requirement of VRFs state that the PRF output must still look indistinguishable from random, for any x for which a proof is not given. In this work, we solve both the above open questions by constructing constrained pseudorandom functions that are simultaneously verifiable and delegatable.