文摘
A constrained pseudorandom function \(F:\mathcal{K} \times \mathcal{X} \rightarrow \mathcal{Y}\) for a family \(\mathcal{T}\subseteq 2^\mathcal{X}\) of subsets of \(\mathcal X\) is a function where for any key \(k \in \mathcal{K}\) and set \(S\in \mathcal{T}\) one can efficiently compute a constrained key \(k_S\) which allows to evaluate \(F(k,\cdot )\) on all inputs \(x\in S\), while even given this key, the outputs on all inputs \(x \notin S\) look random. At Asiacrypt’13 Boneh and Waters gave a construction which supports the most general set family so far. Its keys \(k_C\) are defined for sets decided by boolean circuits C and enable evaluation of the PRF on any \(x \in \mathcal{X}\) where \(C(x)=1\). In their construction the PRF input length and the size of the circuits C for which constrained keys can be computed must be fixed beforehand during key generation.