Privately Constrained Testable Pseudorandom Functions

Abstract

Privately Constrained Pseudorandom Functions allow a PRF key to be delegated to some evaluator in a constrained manner, such that the key’s functionality is restricted with respect to some secret predicate. Variants of Privately Constrained Pseudorandom Func- tions have been applied to rich applications such as Broadcast Encryption, and Secret-key Functional Encryption. Recently, this primitive has also been instantiated from standard assumptions. We extend its functionality to a new tool we call Privately Constrained Testable Pseudorandom functions.

For any predicate C, the holder of a secret key sk can produce a delegatable key constrained on C denoted as sk[C]. Evaluations on inputs x produced using the constrained key differ from unconstrained evaluations with respect to the result of C(x). Given an output y evaluated using sk[C], the holder of the unconstrained key sk can verify whether the input x used to produce y satisfied the predicate C. That is, given y, they learn whether C(x) = 1 without needing to evaluate the predicate themselves, and without requiring the original input x.

We define two inequivalent security models for this new primitive, a stronger indistinguishability- based definition, and a weaker simulation-based definition. Under the indistinguishability- based definition, we show the new primitive implies Designated-Verifier Non-Interactive Zero-Knowledge Arguments for NP in a black-box manner. Under the simulation-based definition, we construct a provably secure instantiation of the primitive from lattice as- sumptions. We leave the study of the gap between definitions, and discovering techniques to reconcile it as future work.