Reducing Depth in Constrained PRFs: From BitFixing to \(\mathbf {NC}^{1}\)
 2 Citations
 865 Downloads
Abstract

A constrained PRF for arbitrary circuit predicates based on \((n+\ell _{\mathsf {OR}}1)\)linear maps (where n is the input length and \(\ell _{\mathsf {OR}}\) denotes the ORdepth of the circuit).

For circuits with a specific structure, we also show how to construct such PRFs based on \((n+\ell _{\mathsf {AND}}1)\)linear maps (where \(\ell _{\mathsf {AND}}\) denotes the ANDdepth of the circuit).
We then give a blackbox construction of a constrained PRF for \(\mathbf {NC}^{1}\) predicates, from any bitfixing constrained PRF that fixes only one of the input bits to 1; we only require that the bitfixing PRF have certain key homomorphic properties. This construction is of independent interest as it sheds light on the hardness of constructing constrained PRFs even for “simple” predicates such as bitfixing predicates.
Instantiating this construction with the bitfixing constrained PRF from Boneh and Waters (Asiacrypt 2013) gives us a constrained PRF for \(\mathbf {NC}^{1}\) predicates that is based only on nlinear maps, with no dependence on the predicate. In contrast, the previous constructions of constrained PRFs (Boneh and Waters, Asiacrypt 2013) required \((n+\ell +1)\)linear maps for circuit predicates (where \(\ell \) is the total depth of the circuit) and nlinear maps even for bitfixing predicates.
We also show how to extend our techniques to obtain a similar improvement in the case of ABE and construct ABE for arbitrary circuits based on \((\ell _{\mathsf {OR}}+1)\)linear (respectively \((\ell _{\mathsf {AND}}+1)\)linear) maps.
Keywords
Boolean Circuit Pseudorandom Function Real Game Output Wire Input Wire1 Introduction
The breakthrough work on multilinear maps [GGH13a] has found tremendous applications in various areas of cryptography. It has lead to attributebased encryption (ABE) for all polynomial size circuits [GGH+13c], indistinguishability obfuscation and functional encryption for general circuits [GGH+13b], constrained pseudorandom functions [BW13], and so on. Many of these constructions require \(\kappa \)linear maps for large \(\kappa \). Larger \(\kappa \) leads to more inefficient schemes and stronger hardness assumptions. In this work, we are interested in exploring the reduction of \(\kappa \) in such constructions – specifically, we consider the case of constrained PRFs and ABE.
Constrained Pseudorandom Functions. A pseudorandom function (PRF) is a keyed function, \(F_k(x)\), that is computationally indistinguishable from a truly random function, even to an adversary who has oracle access to the function (but has no knowledge about the key k). Constrained PRFs (introduced in [BW13, BGI14, KPTZ13]), allow the owner of k to give out a constrained key \(k_f\), for a predicate f, such that any user who has \(k_f\) can evaluate \(F_k(x)\) iff \(f(x)=1\). The security requirement on all points x, such that \(f(x)=0\) is the same as that of standard PRFs.
Boneh and Waters [BW13] show how to construct constrained PRFs for bitfixing predicates using an \(n\)linear map (where n is the input length to the PRF), and also how to construct constrained PRFs for arbitrary circuit predicates using an \((n+\ell +1)\)linear map (where \(\ell \) is the total depth of the circuit predicate). Constrained PRFs can be used to construct broadcast encryption with small ciphertext length, identitybased key exchange, and policybased key distribution.
Attribute Based Encryption. Attribute based encryption (ABE) [SW05] allows a more finegrained access policy to be embedded into publickey encryption. In more detail, in ABE schemes, there is a master authority who owns \(sk\) and publishes public parameters as well as a relation R(x, y). A user who encrypts a message m, creates a ciphertext under some string x (that can specify some policy), to obtain \(\mathsf {Enc}_{pk}(m,x)\). The master authority can give a user a secret key \(sk_y\). Now, this user can use \(sk_y\) to decrypt \(\mathsf {Enc}_{pk}(m,x)\) and obtain m iff \(R(x,y)=1\); otherwise, the user obtains no information about m. ABE, for the class of relations \(R \in \mathbf {NC}^{1}\) can be constructed based on bilinear maps [GPSW06]. Recently, the work of [GGH+13c] shows how to construct ABE for arbitrary circuits based on \((\ell +1)\)linear maps (where \(\ell \) is the depth of the relation R when expressed as a boolean circuit), while [GVW13] also show how to construct ABE for arbitrary circuits based on the Learning with Errors (LWE) hardness problem.
1.1 Our Results

We construct constrained PRFs for arbitrary circuit predicates using an \((n+\ell _{\mathsf {OR}}1)\)linear map, where n is the input length to the PRF and \(\ell _{\mathsf {OR}}\) denotes the ORdepth of the constraint f when expressed as a boolean circuit (informally, the ORdepth of a circuit is defined to be the maximum number of OR gates from input wires to the output wire along any path in the circuit). We believe that the reduction in linearity is important even in cases when it is not an asymptotic improvement as lower linearity results in a weaker hardness assumption.

Next, we construct constrained PRFs for circuit predicates using an \((n+\ell _{\mathsf {AND}}1)\)linear map, where \(\ell _{\mathsf {AND}}\) denotes the ANDdepth of the constraint f (informally, the ANDdepth of a circuit is defined to be the maximum number of AND gates from input wires to the output wire along any path in the circuit). Although in this construction, we require the circuit to be of a specific structure, we show that for several circuits, our construction reduces the number of levels of multilinear map needed.

Then, we show (in a blackbox manner) how to convert any bitfixing constrained PRF that fixes only one bit^{1} to 1 into a constrained PRF for \(\mathbf {NC}^{1}\) circuits; we only require that the bitfixing PRF have certain additive keyhomomorphic properties. We believe this construction to be of independent interest as the only known (nontrivial) constructions of constrained PRFs are based on multilinear maps.
By instantiating this construction with the bitfixing constrained PRF of Boneh and Waters [BW13], we obtain a constrained PRF for all predicates \(f \in \mathbf {NC}^{1}\) using an \(n\)linear map. In particular, the number of levels in our construction has no dependence on f.

Finally, we show how to extend our techniques to construct ABE schemes from lesser levels of multilinear maps.
Similar to [BW13], all our constructions are based on the \(\kappa \)Multilinear Decisional DiffieHellman (\(\kappa \)MDDH) assumption and achieve selective security (i.e., the adversary must commit to the challenge query at the beginning of the security game); as in [BW13], we can achieve standard security via complexity leveraging. We remark that our techniques can be extended to the constructions of verifiable constrained PRFs [Fuc14, CRV14], thereby leading to a similar lowering of \(\kappa \).
Other Related Works. The work of [FKPR14] considers the prefixfixing constrained PRF from the classical GGM construction [GGM86], and shows how to avoid an exponential (in n) loss in security when going from selective security to adaptive security. Their work also shows that any “simple” reduction, that proves full security of the bitfixing constrained PRF of [BW13], from a noninteractive hardness assumption, must incur an exponential security loss. The work of [HKKW14] shows how to construct adaptively secure constrained PRFs for circuits from indistinguishability obfuscation in the random oracle model. More recently, keyhomomorphic constrained PRFs were constructed in [BV15, BFP+15]. Similar to us, Banerjee et al. [BFP+15] also observe that [BW13] is “keyhomomorphic”.
Security of Multilinear Maps. After the initial work of Garg et al. [GGH13a], Coron, Lepoint and Tibouchi proposed a multilinear maps construction over the integers [CLT13] also based on ideal lattices. But, Cheon, Han, Lee, Ryu and Stehlé [CHL+15] proposed an attack which completely broke the CLT scheme by recovering the secret parameters of the scheme in polynomial time. Coron et al. [CLT15] proposed another candidate construction. This was broken recently by Cheon et al. [CLR15] and Minaud et al. [MF15]. Hu and Jia [HJ15] also recently showed that the \(\kappa \)MDDH assumption in [GGH13a] does not hold when encodings of zero are provided. Independent of these, Gentry, Gorbunov and Halevi [GGH15] proposed a multilinear maps construction based on random lattices but with the map defined with respect to a directed acyclic graph.
We do not rely on the security of any specific multilinear maps scheme. Since we do not give lowlevel encodings of zero in our construction, any scheme [GGH13a, CLT13, CLT15] which is secure under the \(\kappa \)MDDH assumption can be used to instantiate our constructions.
1.2 Our Techniques
Our starting point is the constrained PRF construction of [BW13] for arbitrary circuit predicates. We first view this construction differently as follows. Let the PRF in [BW13] be denoted by \(\mathsf {PRF}_{n+\ell }(u,x)\), where u is the key of the PRF, x, an nbit string, is the input to the PRF, and \(\mathsf {PRF}_{n+\ell }\) denotes that the PRF output is at the \((n+\ell )\)level of the multilinear map (where \(\ell \) denotes the depth of the constraint f). Now, in order to give out a constrained key for f, we first pick a random value \(r_w\) for every wire w in the circuit. Let j denote the depth of this wire in the circuit. Now, for a given x such that \(f(x)=1\), the idea is to give a key that will enable the user to compute \(\mathsf {PRF}_{n+j}(r_w,x)\) for all wires w in the circuit that evaluate to 1 on x. Doing this inductively will allow the compution of \(\mathsf {PRF}_{n+\ell }(u,x)\). Let w be an output to some gate in the circuit and let A(w), B(w) be the input wires corresponding to this gate. If this gate is an AND (respectively OR) gate, we give a key, that will allow a user to compute \(\mathsf {PRF}_{n+j}(r_w,x)\) from the values \(\mathsf {PRF}_{n+j1}(r_{A(w)},x)\) AND (respectively OR) \(\mathsf {PRF}_{n+j1}(r_{B(w)},x)\).
Free AND Construction. Our first observation is that for AND gates, one must be able to compute the PRF value corresponding to w wire iff one has the PRF values corresponding to both A(w) and B(w). Now, suppose the PRF under consideration is “additively homomorphic” in some sense. Then, we observe that given \(\mathsf {PRF}_{n+j1}(r_{A(w)},x)\) and \(\mathsf {PRF}_{n+j1}(r_{B(w)},x)\), one can compute \(\mathsf {PRF}_{n+j1}(r_w,x)\), without the need for additional keys and without jumping a level in the multilinear map as long as we set \(r_{A(w)}\) and \(r_{B(w)}\) to be random additive shares of \(r_w\). Now, this ensures that AND gates are “free” in the circuit. The OR gates are handled exactly as in the case of [BW13]. This leads to a construction that only makes use of a \((n+\ell _{\mathsf {OR}}1)\)linear map.
While this is the main change made to the construction, the proof of security now requires attention. At a very high level, [BW13] could embed a part of the “hard problem” from the hardness assumption at every layer of the circuit as they give out keys for all gates in the circuits. In our case, we do not have that luxury. In particular, since we do not give any keys for AND gates, the structure of the hard problem may be distorted after multiple evaluations of AND gates. In order to overcome this, we must carefully give out the keys at OR levels to “reset” the problem to be of our preferred form. This enables us to then prove security.
Free OR Construction. Now, suppose we turn our attention towards the OR gates alone. Note, that one must be able to compute the PRF value corresponding to wire w iff one has the PRF values corresponding to either A(w) or B(w). Now, suppose we set \(r_w = r_{A(w)} = r_{B(w)}\), then this enables the computation of \(\mathsf {PRF}_{n+j1}(r_w,x)\) from either \(\mathsf {PRF}_{n+j1}(r_{A(w)},x)\) or \(\mathsf {PRF}_{n+j1}(r_{B(w)},x)\), without the need for additional keys and without jumping a level in the multilinear map. However, doing this naïvely would lead to a similar “backtracking attack” as the attack described by [GGH+13c] in the context of ABE. In more detail, note that if \(A(w) = 0\) and \(B(w)=1\), one can indeed (rightly) compute \(\mathsf {PRF}_{n+j1}(r_w,x)\) from \(\mathsf {PRF}_{n+j1}(r_{B(w)},x)\) as both B(w) and w are 1. However, this also enables the (unauthorized) computation of \(\mathsf {PRF}_{n+j1}(r_{A(w)},x)\), and if this wire had a fanout greater than 1, this would lead to an attack on the security of the PRF. Here, we show that if the circuit had a specific structure, then such a construction can still be made to work. We show that several circuits can be converted to this form (with a polynomial blowup) that results in a reduction in the number of multilinear levels needed. We remark that for the construction (and proof) to succeed, one must carefully select the random key values on the circuit for the constrained key, starting backwards, from the output wire in the circuit.
\(\mathbf {NC}^{1}\) Construction. While we obtain our construction of constrained PRF for \(\mathbf {NC}^{1}\) circuits by combining the above two techniques, we note that the proof of security is tricky and requires the simulator to carefully set the random keys in the simulation. In particular, let \(x^*\) be the challenge input to the PRF. Now, suppose, the simulator must give out a constrained key for a circuit f such that \(f(x^*)=0\). The simulator must choose all the random keys of the PRFs on each wire in such a way that for all wires that evaluate to 1 on \(x^*\), the key is either chosen randomly by the simulator or can be computed from values that are chosen randomly by the simulator. We show that this can be indeed done by the simulator, thus resulting in the proof of security.
We then show how to generalize this construction to obtain a constrained PRF for \(\mathbf {NC}^{1}\) circuits from any constrained PRF for bitfixing predicates that fixes only one bit and has certain additively homomorphic properties. We believe this construction to be of independent interest as till date, constrained PRFs for any nontrivial predicate, are known only based on multilinear maps.
Finally, we show how to extend our Free AND/OR techniques to the case of ABE. This gives an ABE based on \((\ell _{\mathsf {OR}}+1)\)linear and \((\ell _{\mathsf {AND}}+1)\)linear maps respectively, improving upon the \((\ell +1)\)linear map construction of [GGH+13c].
1.3 Organization
In Sect. 2, we define constrained PRFs and ABE as well as state the hardness assumption that we make. We also present circuit notation that is used in the rest of the paper. In Sect. 3, we describe our \((n+\ell _{\mathsf {OR}}1)\)linear map construction of constrained PRF for arbitrary circuits. We outline our \((n+\ell _{\mathsf {AND}}1)\)linear map construction in Sect. 4. We present our \(n\)linear map construction of constrained PRF for \(\mathbf {NC}^{1}\) circuits in Sect. 5 and the blackbox construction of constrained PRF for \(\mathbf {NC}^{1}\) circuits from bitfixing constrained PRFs in Sect. 6. We show how to extend our results to the setting of ABE in the full version of this paper [CRV15].
2 Preliminaries
2.1 Definitions
Constrained Pseudorandom Functions. A pseudorandom function (PRF) \(F: \mathcal {K} \times \mathcal {X} \rightarrow \mathcal {Y}\), is a deterministic polynomial (in security parameter \(\lambda \)) time algorithm, that on input a key \(k \in \mathcal {K}\) and an input \(x \in \mathcal {X}\), outputs \(F(k,x) \in \mathcal {Y}\). F has a setup algorithm \(\textsf {Setup}(1^\lambda )\) that on input \(\lambda \), outputs a key \(k \in \mathcal {K}\).
Definition 1

F.Constrain(k, S) is a randomized polynomial time algorithm that takes as input a PRF key \(k \in \mathcal {K}\) and the description of a set \(S \in \mathcal {S}\). It outputs a constrained key \(k_{S} \in \mathcal {K}_c\) which enables the evaluation of F(k, x) for all \(x \in S\) and no other x;

F.Evaluate \((k_{S}, x)\) is a deterministic polynomial time algorithm that takes as input a constrained key \(k_{S} \in \mathcal {K}_c\) and an input \(x \in \mathcal {X}\). If \(k_{S}\) is the output of F.Constrain(k, S) for some \(k \in \mathcal {K}\), then F.Evaluate \((k_S,x)\) outputs F(k, x) if \(x \in S\) and \(\perp \) otherwise, where \(\perp \not \in \mathcal {Y}\). We will use the shorthand \(F(k_S, x)\) for F.Evaluate \((k_S, x)\).
 1.
First, a random key \(k \in \mathcal {K}\) is chosen, and two sets \(C,V \subseteq \mathcal {X}\) are initialized to \(\emptyset \). C will keep track of points on which the adversary will be challenged and V will keep track of points on which the adversary can compute the PRF himself. The experiments will maintain the invariant that \(C \cap V = \emptyset \).
 2.The adversary is given access to the following oracles:

F.Constrain: Given a set \(S \in \mathcal {S}\), if \(S \cap C = \emptyset \), the oracle returns F.Constrain(k, S) and updates \(V \leftarrow V \cup S\); otherwise, it returns \(\bot \).

F.Evaluate: Given an input \(x \in \mathcal {X}\), if \(x \not \in C\), the oracle returns F(k, x) and updates \(V \leftarrow V \cup {x}\); otherwise, it returns \(\bot \).

Challenge: Given \(x \in \mathcal {X}\) where \(x \not \in V\), if \(b=0\), the oracle returns F(k, x); if \(b=1\), the oracle returns a random (consistent) \(y \in \mathcal {Y}\). C is updated as \(C \leftarrow C \cup {x}\).

 3.
The adversary finally outputs a bit \(b' \in \{0,1\}\).
 4.
For \(b \in \{0,1\}\), define \(W_b\) to be the event that \(b'=1\) in experiment \(\mathsf {Exp}_b\). The adversary’s advantage \(\textsf {Adv}_{\mathcal {A},F,\mathcal {S}}(\lambda )\) is defined to be \(\Pr [W_0]\Pr [W_1]\).
Definition 2
A constrained PRF \(F: \mathcal {K} \times \mathcal {X} \rightarrow \mathcal {Y}\), is said to be secure, if for all PPT adversaries \(\mathcal {A}\), we have that \(\textsf {Adv}_{\mathcal {A},F,\mathcal {S}}(\lambda )\), is negligible in \(\lambda \).
Remark. When constructing constrained pseudorandom functions, it will be more convenient to work with the definition where the adversary is allowed to issue only a single challenge query. A standard hybrid argument shows that this definition is equivalent to the one where an adversary is allowed to issue multiple challenge queries. A constrained PRF is selectively secure if the adversary commits to this single challenge query at the beginning of the experiment.

\(\mathsf {Setup}(1^\lambda ,n,\ell )\): This algorithm takes as input the security parameter \(\lambda \), the length n of input descriptors in the ciphertext, and a bound \(\ell \) on the circuit depth. It outputs the public parameters PP and the master secret key MSK.

\(\mathsf {Encrypt}(PP, x, M)\): This algorithm takes as input the public parameters, \(x\in \{0,1\}^n\) (representing the assignment of boolean variables) and a message M. It outputs a ciphertext CT.

\(\mathsf {KeyGen}(MSK,f)\): This algorithm takes as input the master secret key and a circuit f. It outputs a secret key SK.

\(\mathsf {Decrypt}(SK,CT)\): This algorithm takes as input a secret key and ciphertext and outputs either M or \(\bot \).

Setup. \(\mathsf {Chall}\) runs \(\mathsf {Setup}(1^\lambda ,n,\ell )\) and gives PP to \(\mathsf {Adv}\); it keeps SK to itself.

Phase 1. \(\mathsf {Adv}\) makes any polynomial number of queries for circuit descriptions f of its choice. \(\mathsf {Chall}\) returns \(\mathsf {KeyGen}(MSK,f)\).

Challenge. \(\mathsf {Adv}\) submits two equal length messages \(M_0\) and \(M_1\) as well as an \(x^*\in \{0,1\}\) such that for all f queried in Phase 1, \(f(x^*) = 0\). \(\mathsf {Chall}\) flips a bit b and returns \(CT^* = \mathsf {Encrypt}(PP, x^*, M_b)\) to \(\mathsf {Adv}\).

Phase 2. Phase 1 is repeated with the restriction that \(f(x^*)=0\) for all queried f.

Guess. \(\mathsf {Adv}\) outputs a bit \(b'\).
Definition 3
The advantage of \(\mathsf {Adv}\) in the above game is defined to be \(\Pr [b'=b]\frac{1}{2}\). An ABE for circuits is secure if for all PPT adversaries \(\mathsf {Adv}\), the advantage of \(\mathsf {Adv}\) is negligible in the security parameter \(\lambda \). An ABE scheme is said to be selectively secure, if \(\mathsf {Adv}\) commits to \(x^*\) at the beginning of the security game.
2.2 Assumptions
Leveled Multilinear Groups. We assume the existence of a group generator \(\mathcal {G}\), which takes as input a security paramter \(1^{\lambda }\) and a positive integer \(\kappa \) to indicate the number of levels. \(\mathcal {G}(1^{\lambda }, \kappa )\) outputs a sequence of groups \(\mathbf {\mathbb {G}} = (\mathbb {G}_{1}, \ldots , \mathbb {G}_{\kappa })\) each of large prime order \(p > 2^{\lambda }\). In addition, we let \(g_{i}\) be a canonical generator of \(\mathbb {G}_{i}\) that is known from the group’s description. We let \(g = g_{1}\). We assume the existence of a set of multilinear maps \(\{e_{i, j} : \mathbb {G}_{i} \times \mathbb {G}_{j} \rightarrow \mathbb {G}_{i + j} \vert i, j \ge 1; i + j \le \kappa \}\). The map \(e_{i, j}\) satisfies the following relation: \(e_{i, j}(g_{i}^{a}, g_{j}^{b}) = g_{i + j}^{ab}, \forall a, b \in \mathbb {Z}_{p}.\) When the context is obvious, we will drop the subscripts i, j. For example, we may simply write \(e(g_{i}^{a}, g_{j}^{b}) = g_{i + j}^{ab}\). We define the \(\kappa \)Multilinear Decisional DiffieHellman (\(\kappa \)MDDH) assumption [GGH13a] as follows:
Assumption 21
(\(\kappa \)Multilinear Decisional DiffieHellman: \(\kappa \)MDDH) The \(\kappa \)Multilinear Decisional DiffieHellman (\(\kappa \)MDDH) problem is as follows: A challenger runs \(\mathcal {G}(1^{\lambda }, \kappa )\) to generate groups and generators of order p. Then it picks random \(c_{1}, \ldots , c_{\kappa + 1} \in \mathbb {Z}_{p}\). The assumption states that given \(g = g_{1}, g^{c_{1}}, \ldots , g^{c_{\kappa + 1}}\), it is hard to distinguish the element \(T = g_{\kappa }^{\prod _{j \in [\kappa + 1]} c_{j}}\) from a random group element in \(\mathbb {G}_{\kappa }\) with better than negligible advantage in \(\lambda \).
2.3 Circuit Notation
We will consider layered circuits, where a gate at^{2} depth j will receive both of its inputs from wires at depth \(j  1\). We also assume that all NOT gates are restricted to the input level. Similar to [BW13], we restrict ourselves to monotonic circuits where gates are either AND or OR gates of two inputs.^{3}
Formally, our circuits will be a five tuple \(f = (n, q, A, B, \texttt {GateType})\). We let n be the number of inputs and q be the number of gates. We define \(\textsf {inputs} = [n]\), \(\textsf {Wires} = [n + q]\) and \(\textsf {Gates} = [n + q]\backslash [n]\). The wire \(n + q\) is designated as the output wire, outputwire. \(A : \textsf {Gates} \rightarrow \textsf {Wires}\backslash \{\textsf {outputwire}\}\) is a function where A(w) identifies w’s first incoming wire and \(B : \textsf {Gates} \rightarrow \textsf {Wires}\backslash \{\textsf {outputwire}\}\) is a function where B(w) identifies w’s second incoming wire. Finally, \(\texttt {GateType} : \textsf {Gates} \rightarrow \{\text {AND}, \text {OR}\}\) is a function that identifies a gate as either an AND gate or an OR gate. We let \(w > B(w) > A(w)\). Also, define three functions: \(\texttt {totdepth}(w), \texttt {ANDdepth}(w)\), and \(\texttt {ORdepth}(w)\) that are all 1, when \(w \in \textsf {inputs}\), and in general are equal to the number of gates (respectively AND and OR gates) on the shortest path to an input wire plus one. We let f(x) be the evaluation of f on the input \(x \in \{0, 1\}^{n}\), and \(f_{w}(x)\) be the value of the wire w on the input x.
3 A FreeAND CircuitPredicate Construction
We show how to construct a constrained PRF for arbitrary polynomial size circuit predicates, without giving any keys for AND gates, based on \(\kappa = (n+\ell _{\mathsf {OR}}1)\)linear maps, where \(\ell _{\mathsf {OR}}\) denotes the ORdepth of the circuit. The starting point of our construction is the constrained PRF construction of [BW13] which is based on the ABE for circuits [GGH+13c]. [BW13] works with layered circuits. For ease of exposition, we assume a layered circuit where all gates in a particular layer are of the same type (either AND or OR). Circuits have a single output OR gate. Also a layer of gates is not followed by another layer of the same type. We stress that these are only for the purposes of exposition and can be removed as outlined later on in the section.
3.1 Construction
F.Constrain \((k, f = (n, q, A, B, \texttt {GateType}))\) : The constrain algorithm takes as input the key k and a circuit description f. The circuit has \(n + q\) wires with n input wires, q gates and the wire \(n + q\) designated as the output wire.
To generate a constrained key \(k_{f}\), the key generation algorithm chooses random \(r_{1}, \ldots , r_{n} \in \mathbb {Z}_{p}\), where we think of the random value \(r_{w}\) as being associated with the wire w. For each \(w \in [n + q  1] \backslash [n]\), if \(\texttt {GateType}(w) = \text {AND}\), it sets \(r_{w} = r_{A(w)} + r_{B(w)}\) (where \(+\) denotes addition in the group \(\mathbb {Z}_p\)); otherwise, it chooses \(r_{w} \in \mathbb {Z}_{p}\) at random. Finally, it sets \(r_{n + q} = u\).
The first part of the constrained key is given out as simply all \(D_{i, \beta }\) for \(i \in [n]\) and \(\beta \in \{0, 1\}\). Next, the algorithm generates key components. The structure of the key components depends on whether w is an input wire or an output of an OR gate. For AND gates, we do not need to give out any keys. The key components in each case are described below.

Input wire. By convention, if \(w \in [n]\), then it corresponds to the wth input. The key component is: \(K_{w} = g^{r_{w}d_{w, 1}}\).

OR gate. Let \(j = \texttt {ORdepth}(w)\). The algorithm chooses random \(a_{w}, b_{w} \in \mathbb {Z}_{p}\). Then, the algorithm creates key components:
F.Evaluate \((k_{f}, x)\) : The evaluate algorithm takes as input a constrained key \(k_{f}\) for the circuit f and an input \(x \in \{0, 1\}^{n}\). The algorithm first checks that \(f(x) = 1\), and if not, it aborts. Consider the wire w at ORdepth j. If \(f_{w}(x) =~1\), then, the algorithm computes \(E_{w} = g_{n + j  1}^{r_{w}\prod _{m \in [n]} d_{m, x_{m}}}\). If \(f_{w}(x) = 0\), then nothing is computed for that wire. The algorithm proceeds iteratively starting with computing \(E_{1}\) and proceeds, in order, to compute \(E_{n + q}\). Computing these values in order ensures that the computation on a lowerdepth wire that evaluates to 1 will be defined, before the compution on a higherdepth wire. Since \(r_{n + q} = u\), \(E_{n + q} = g_{n + \ell _{\mathsf {OR}}  1}^{u\prod _{m \in [n]} d_{m, x_{m}}}\). We show how to compute \(E_{w}\) for all w where \(f_{w}(x) = 1\), casewise, according to whether the wire is an input, an OR gate or an AND gate. Define \(D = D(x) = g_{n}^{\prod _{m \in [n]} d_{m, x_{m}}}\), which is computable through pairings.
 Input wire. Suppose \(f_{w}(x) = 1\). Through pairing operations, the algorithm computes \(g_{n  1}^{\prod _{m \in [n]\backslash \{w\}} d_{m, x_{m}}}\). It then computes:$$E_{w} = e\left( K_{w}, g_{n  1}^{\prod _{m \in [n]\backslash \{w\}} d_{m, x_{m}}}\right) = g_{n}^{r_{w}\prod _{m \in [n]} d_{m, x_{m}}}$$
 OR gate. Let \(j = \texttt {ORdepth}(w)\). The computation is performed if \(f_{w}(x) = 1\). Note that in this case, at least one of \(f_{A(w)}(x)\) and \(f_{B(w)}(x)\) must be 1. If \(f_{A(w)}(x) = 1\), the algorithm computes:Otherwise, we have \(f_{B(w)}(x) = 1\) and the algorithm computes \(E_{w}\) from \(E_{B(w)}, K_{w, 2},K_{w, 4}\) in a similar manner.$$\begin{aligned} E_{w}&= e(E_{A(w)}, K_{w, 1}) \cdot e(K_{w, 3}, D) \\&= e\left( g_{n + j  2}^{r_{A(w)}\prod _{m \in [n]} d_{m, x_{m}}}, g^{a_{w}}\right) \cdot e\left( g_{j  1}^{r_{w}  a_{w} \cdot r_{A(w)}}, g_{n}^{\prod _{m \in [n]} d_{m, x_{m}}}\right) \nonumber \\&= g_{n + j  1}^{r_{w}\prod _{m \in [n]} d_{m, x_{m}}} \end{aligned}$$
 AND gate. Let \(j = \texttt {ORdepth}(w)\). The computation is performed if \(f_{w}(x) = 1\). Note that in this case, \(f_{A(w)}(x) = f_{B(w)}(x) = 1\). The algorithm computes:$$\begin{aligned} E_{w}&= E_{A(w)} \cdot E_{B(w)} = g_{n + j  1}^{r_{A(w)}\prod _{m \in [n]} d_{m, x_{m}}} \cdot g_{n + j  1}^{r_{B(w)}\prod _{m \in [n]} d_{m, x_{m}}} = g_{n + j  1}^{r_{w}\prod _{m \in [n]} d_{m, x_{m}}} \end{aligned}$$
The procedures above are evaluated in order for all w for which \(f_{w}(x) = 1\). Thus, the algorithm computes \(E_{n + q} = g_{n + \ell _{\mathsf {OR}}  1}^{u\prod _{m \in [n]} d_{m, x_{m}}} = F(k, x)\).
3.2 Proof of Pseudorandomness
The correctness of the constrained PRF is verifiable in a straightforward manner. The security proof is in the selective security model (where the adversary commits to the challenge input \(x^{*}\) at the beginning of the game). To get full security, the proof will use the standard complexity leveraging technique of guessing the challenge \(x^{*}\); this guess will cause a loss of a \(1/2^{n}\)factor in the reduction.
Theorem 1
If there exists a PPT adversary \(\mathcal {A}\) that breaks the pseudorandomness of our circuitpredicate construction for nbit inputs with advantage \(\epsilon (\lambda )\), then there exists a PPT algorithm \(\mathcal {B}\) that breaks the \(\kappa = (n + \ell _{\mathsf {OR}}  1)\)Multilinear Decisional DiffieHellman assumption with advantage \(\epsilon (\lambda )/2^{n}\).
Proof
The algorithm \(\mathcal {B}\) first receives a \(\kappa = (n + \ell _{\mathsf {OR}}  1)\)MDDH challenge consisting of the group sequence description \(\mathbf {\mathbb {G}}\) and \(g = g_{1}, g^{c_{1}}, \ldots , g^{c_{\kappa + 1}}\) along with T, where T is either \(g_{\kappa }^{\prod _{m \in [\kappa + 1]} c_{m}}\) or a random group element in \(\mathbb {G}_{\kappa }\).
Setup: It chooses an \(x^{*} \in \{0, 1\}^{n}\) uniformly at random. Next, it chooses random \(z_{1}, \ldots , z_{n} \in \mathbb {Z}_{p}\) and sets \(D_{m, \beta } =g^{c_{m}}\) when \(x_{m}^{*} = \beta \) and \(g^{z_{m}}\) otherwise, for \(m \in [n]\) and \(\beta \in \{0, 1\}\). This corresponds to setting \(d_{m, \beta } = c_{m}\) when \(x_{m}^{*} = \beta \) and \(z_{m}\) otherwise. It then implicitly sets \(u = c_{n + 1} \cdot c_{n + 2} \cdot \ldots \cdot c_{n + \ell _{\mathsf {OR}}}\). The setup is executed as in the construction.
Constrain: Suppose a query is made for a secret key for a circuit \(f = (n, q, A, B, \texttt {GateType})\). If \(f(x^{*}) = 1\), then \(\mathcal {B}\) aborts. Otherwise, \(\mathcal {B}\) generates key components for every wire w, casewise, according to whether w is an input wire or an OR gate as described below.
Property 1
For any gate \(w \in \textsf {Gates}\), \(\mathcal {B}\) will be able to compute \(g_{j}^{r_{w}}\), where \(j = \texttt {ORdepth}(w)\).
We will prove the above property through induction on the ORdepth j; doing this will enable us to prove that \(\mathcal {B}\) can compute all the key components required to give out the constrained key. The base case of the input wires (\(j = 1\)) follows as we know that for an input wire w, \(\mathcal {B}\) can compute \(g^{r_{w}}\), where \(r_{w}\) is of the form \(\eta _{w}\) or \(c_{n + 1} + \eta _{w}\). We now proceed to show the computation of the keycomponents. In each case, we show that Property 1 is satisfied.
CASE 2: If \(f_{w}(x^{*}) = 0\), then \(\mathcal {B}\) implicitly sets \(r_{w} = c_{n + 1} \cdot \ldots \cdot c_{n + j} + \eta _{w}\), where \( \eta _{w} \in \mathbb {Z}_{p}\) is a randomly chosen element. Since \(\eta _{w}\) was chosen at random, note that \(g_{j}^{r_{w}}\) can be be computed for this wire (since \(g_{j}^{c_{n + 1} \cdot \ldots \cdot c_{n + j}}\) can be computed using j pairings of \(g^{c_{m}}\), \(n + 1 \le m \le n + j\)), and hence Property 1 holds for this wire as well. For computing the keycomponents, the choices of \(a_{w}\) and \(b_{w}\) are done more carefully.
 1.Suppose the level before the current level consists of the inputs. \(\mathcal {B}\) would know the values of \(\eta _{A(w)}\) and \(\eta _{B(w)}\), since for input wires, these values are always chosen at random. In this case, \(\mathcal {B}\) implicitly sets \(a_{w} = c_{n + j} + \psi _{w}\) and \(b_{w} = c_{n + j} + \phi _{w}\), where \(\psi _{w}, \phi _{w} \in \mathbb {Z}_{p}\) are randomly chosen elements. Then, \(\mathcal {B}\) creates key components:$$K_{w, 1} = g^{c_{n + j} + \psi _{w}} = g^{a_{w}}, K_{w, 2} = g^{c_{n + j} + \phi _{w}} = g^{b_{w}},$$$$K_{w, 3} = g_{j  1}^{\eta _{w}  c_{n + j} \cdot \eta _{A(w)}  \psi _{w}(c_{n + 1} \cdot \ldots \cdot c_{n + j  1} + \eta _{A(w)})} = g_{j  1}^{r_{w}  a_{w} \cdot r_{A(w)}},$$\(\mathcal {B}\) is able to create the last two key components due to a cancellation. Since \(f_{A(w)}(x^{*}) = f_{B(w)}(x^{*}) = 0\), \(\mathcal {B}\) would have set \(r_{A(w)} = c_{n + 1} \cdot \ldots \cdot c_{n + j  1} + \eta _{A(w)}\) and \(r_{B(w)} = c_{n + 1} \cdot \ldots \cdot c_{n + j  1} + \eta _{B(w)}\). Further, \(g_{j  1}^{c_{n + 1} \cdot \ldots \cdot c_{n + j  1}}\) can be computed using \(j  1\) pairings of \(g^{c_{m}}\), \(n + 1 \le m \le n + j  1\).$$K_{w, 4} = g_{j  1}^{\eta _{w}  c_{n + j} \cdot \eta _{B(w)}  \phi _{w}(c_{n + 1} \cdot \ldots \cdot c_{n + j  1} + \eta _{B(w)})} = g_{j  1}^{r_{w}  b_{w} \cdot r_{B(w)}}$$
 2.Suppose the level before the current level consists of AND gates. Since \(f_{A(w)}(x^{*}) = 0\), we have two cases: either one of \(f_{A(A(w))}(x^{*})\) and \(f_{B(A(w))}(x^{*})\) is zero, or both of them are zero. \(\mathcal {B}\) sets \(a_{w} = c_{n + j} + \psi _{w}\) in the former case, and \(a_{w} = \frac{1}{2}c_{n + j} + \psi _{w}\) in the latter case, where \(\psi _{w} \in \mathbb {Z}_{p}\) is a randomly chosen element. Similarly, since \(f_{B(w)}(x^{*}) = 0\), we have two cases: either one of \(f_{A(B(w))}(x^{*})\) and \(f_{B(B(w))}(x^{*})\) must be zero, or both of them must be zero. \(\mathcal {B}\) sets \(b_{w} = c_{n + j} + \phi _{w}\) in the former case, and \(b_{w} = \frac{1}{2}c_{n + j} + \phi _{w}\) in the latter case, where \(\phi _{w} \in \mathbb {Z}_{p}\) is a randomly chosen element. Then, \(\mathcal {B}\) creates key components:We now show that these components can indeed be computed in every case. Note that the first two components can be computed in every case. Consider \(K_{w, 3}\) (a similar argument holds for \(K_{w, 4}\)).$$K_{w, 1} = g^{a_{w}}, K_{w, 2} = g^{b_{w}}, K_{w, 3} = g_{j  1}^{r_{w}  a_{w} \cdot r_{A(w)}}, K_{w, 4} = g_{j  1}^{r_{w}  b_{w} \cdot r_{B(w)}}$$
 (a)Consider the first case, where one of \(f_{A(A(w))}(x^{*})\) and \(f_{B(A(w))}(x^{*})\) is zero. In particular, without loss of generality, assume that \(f_{A(A(w))}(x^{*}) = 0\) and \(f_{B(A(w))}(x^{*}) = 1\). Hence, \(\mathcal {B}\) must have set \(r_{A(A(w))} = c_{n + 1} \cdot \ldots \cdot c_{n + j  1} + \eta _{A(A(w))}\) and \(r_{B(A(w))} = \eta _{B(A(w))}\). Since A(w) is an AND gate, we would have \(r_{A(w)} = r_{A(A(w))} + r_{B(A(w))} = c_{n + 1} \cdot \ldots \cdot c_{n + j  1} + \eta _{A(A(w))} + \eta _{B(A(w))}\). Hence, we have:which can be computed as follows. We know the values of \(\eta _{A(A(w))}\) and \(\eta _{B(A(w))}\). Further, \(g_{j  1}^{c_{n + 1} \cdot \ldots \cdot c_{n + j  1}}\) can be computed using \(j  1\) pairings of \(g^{c_{m}}\), \(n + 1 \le m \le n + j  1\). Hence the key component can be computed.$$\begin{aligned} K_{w, 3}&= g_{j  1}^{\eta _{w}  c_{n + j}(\eta _{A(A(w))} + \eta _{B(A(w))})  \psi _{w}(c_{n + 1} \cdot \ldots \cdot c_{n + j  1} + \eta _{A(A(w))} + \eta _{B(A(w))})}\\&= g_{j  1}^{r_{w}  a_{w} \cdot r_{A(w)}} \end{aligned}$$
 (b)Consider the second case, where \(f_{A(A(w))}(x^{*}) = f_{B(A(w))}(x^{*}) = 0\). Hence, \(\mathcal {B}\) must have set \(r_{A(A(w))} = c_{n + 1} \cdot \ldots \cdot c_{n + j  1} + \eta _{A(A(w))}\) and \(r_{B(A(w))} = c_{n + 1} \cdot \ldots \cdot c_{n + j  1} + \eta _{B(A(w))}\). Since A(w) is an AND gate, we would have \(r_{A(w)} = r_{A(A(w))} + r_{B(A(w))} = 2c_{n + 1} \cdot \ldots \cdot c_{n + j  1} + \eta _{A(A(w))} + \eta _{B(A(w))}\). Hence, we have:which can be computed as outlined in the former case.$$\begin{aligned} K_{w, 3}&= g_{j  1}^{\eta _{w}  \frac{1}{2}c_{n + j}(\eta _{A(A(w))} + \eta _{B(A(w))})  \psi _{w}(2c_{n + 1} \cdot \ldots \cdot c_{n + j  1} + \eta _{A(A(w))} + \eta _{B(A(w))})}\\&= g_{j  1}^{r_{w}  a_{w} \cdot r_{A(w)}} \end{aligned}$$
 (a)
Thus, the four key components can be given out in every case.
AND Gate. We now discuss the case of the AND gate. Suppose that \(w \in \textsf {Gates}\) and that GateType \((w) = \) AND. In addition, let \(j = \texttt {ORdepth}(w)\). \(\mathcal {B}\) implicitly sets \(r_{w} = r_{A(w)} + r_{B(w)}\). Note that we need not choose any \(a_{w}\) or \(b_{w}\). In fact, \(r_{w}\) is being chosen because the key components being given out for the OR gates involve \(r_{A(w)}\), etc., which may potentially be from AND gates. Clearly, Property 1 holds here as well, i.e., \(g_{j}^{r_{w}} = g_{j}^{r_{A(w)}} \cdot g_{j}^{r_{B(w)}}\) can be computed for this wire, since \(g_{j}^{r_{A(w)}}\) and \(g_{j}^{r_{B(w)}}\) can be computed by virtue of Property 1.
Finally, we set, for the output wire \(w = n + q\), \(\eta _{w} = 0\), so that \(r_{w} = u\) in \(\mathcal {B}\)’s internal view. It is easy to see that \(a_{w}\) and \(b_{w}\) have the same distribution in the real game and the game executed by \(\mathcal {B}\). In the real game, they are chosen at random and in the game executed by \(\mathcal {B}\), they are either chosen at random or are values offset by some random values \(\psi _{w}\) and \(\phi _{w}\), respectively. For \(w \in [n + q  1]\), \(r_{w}\) also has the same distribution in the real game and the game executed by \(\mathcal {B}\). This is true, since in the real game, they are chosen so that randomness on the input wires of an AND gate add up to the randomness on its output wire, and they are chosen at random for an OR gate, while in the game executed by \(\mathcal {B}\), they are chosen in the exact same way, where being “chosen at random” is either truly satisfied or are fixed values are offset by random \(\eta _{w}\) values. Now, we look at \(r_{n + q}\). In the real game, it is a fixed value u, and in the game executed by \(\mathcal {B}\), by setting \(\eta _{n + q} = 0\), \(r_{n + q} = c_{n + 1} \cdot c_{n + 2} \cdot \ldots \cdot c_{n + \ell _{\mathsf {OR}}} = u\) internally. Hence, they too have the same distribution. Hence all the parameters in the real game and game executed by \(\mathcal {B}\) have the identical distribution.
Evaluate: Suppose a query is made for a secret key for an input \(x \in \{0, 1\}^{n}\). If \(x = x^{*}\), then \(\mathcal {B}\) aborts. Otherwise, \(\mathcal {B}\) identifies an arbitrary t such that \(x_{t} \ne x_{t}^{*}\). Through \(\ell _{\mathsf {OR}}\) pairings of \(g^{c_{m}}\), \(n + 1 \le m \le n + \ell _{\mathsf {OR}}\), it computes \(H = g_{\ell _{\mathsf {OR}}}^{u} = g_{\ell _{\mathsf {OR}}}^{c_{n + 1} \cdot \ldots \cdot c_{n + \ell _{\mathsf {OR}}}}\). Then, through pairing of \(D_{m, x_{m}} \forall m \in [n] \backslash \{t\}\), it computes \(g_{n  1}^{\prod _{m \in [n]\backslash \{t\}} d_{m, x_{m}}}\) and raises it to \(d_{t, x_{t}} = z_{t}\) to get \(H' = g_{n  1}^{\prod _{m \in [n]} d_{m, x_{m}}}\). Finally, it computes \(H'' = e(H, H') = g_{n + \ell _{\mathsf {OR}}  1}^{u\prod _{m \in [n]} d_{m, x_{m}}} = F(k, x)\) and outputs it. Eventually, \(\mathcal {A}\) will issue a challenge input \(\tilde{x}\). If \(\tilde{x} = x^{*}\), \(\mathcal {B}\) will return the value T and output the same bit as \(\mathcal {A}\) does as its guess. If \(\tilde{x} \ne x^{*}\), \(\mathcal {B}\) outputs a random bit as its guess.
Removing the Restrictions. The restriction that \(\texttt {GateType}(n + q) = \text {OR}\) enables us to set randomness as we do in the scheme above. But this restriction can be easily removed by setting the randomness corresponding to the last level of OR gates (or the input wires in case there is no OR gate in the circuit) appropriately so that \(r_{n+q}\) ends up being u.
The restriction that a layer of gates cannot follow another layer of the same type of gates can also be overcome. The case of several consecutive layers of OR gates poses no threat since we move up one level in the multilinear maps for layers of OR gates and hence the current proof method works as is. The case of several consecutive layers of AND gates can be handled by even more careful choices of the randomness \(a_{w}\) and \(b_{w}\). When we had only one layer of AND gate (before a layer of OR gates), for an OR gate at ORdepth j, we set \(a_w\) to be either \(\mathbf {1} \cdot c_{n+j}+\psi _w\) or \(\mathbf {\frac{1}{2}}\cdot c_{n+j}+\psi _w\) depending on whether \(r_{A(w)}=\mathbf {1}\cdot c_{n + 1} \cdot \ldots \cdot c_{n + j  1} + \eta _{A(A(w))} + \eta _{B(A(w))}\) or \(r_{A(w)}=\mathbf {2}\cdot c_{n + 1} \cdot \ldots \cdot c_{n + j  1} + \eta _{A(A(w))} + \eta _{B(A(w))}\). Similarly, we set \(b_w\) in accordance with \(r_{B(w)}\). Now, when there are more than one layers of AND gates consecutively, for an OR gate at ORdepth j just after these AND gates, we set \(a_w\) (resp. b(w)) to be \(\frac{1}{k}c_{n+j}+\psi _w\) where k is the coefficient of \(c_{n + 1} \cdot \ldots \cdot c_{n + j  1}\) in \(r_{A(w)}\) (resp. \(r_{B(w)}\)). We present an illustration of this technique in the full version [CRV15].
Regarding the first assumption, any layered circuit can be trivially converted into a “homogeneous” layered circuit by “splitting” each layer in the layered circuit into two layers: one with only AND gates and the other with only OR gates. This doubles the depth of the circuit. But if we are a bit more careful and do the splitting such that the odd layers are split into an ANDlayer followed by an ORlayer and the even layers are split into an ORlayer followed by an ANDlayer, the resulting circuit will have layers of the form (ANDOR)(ORAND)(ANDOR)\(\cdots \). Now, we can merge the consecutive OR layers into a single OR layer (because our scheme supports gates with arbitrary fanin) with just a polynomial increase in the number of wires. So, we can convert a layered circuit of depth d into a layered circuit with each layer consisting of only AND or OR gates with depth \(d+1\) but with the ORdepth of the circuit being d/2 now. So even in the worst case we get improvements in parameters using our scheme.
4 A FreeOR CircuitPredicate Construction
In this section, we show how to construct a constrained random function for polynomial size circuit predicates of a specific form, without giving any keys for the OR gates. Once again, we base our construction on multilinear maps and on the \(\kappa \)MDDH assumption; however \(\kappa \) in our construction will only depend on n (the size of the input to the PRF) and now, the ANDdepth of the circuit (informally, this is the maximum number of AND gates from input wires to the output wire along any path). Once again, the starting point of our construction is the constrained PRF construction of Boneh and Waters [BW13] which is based on the attributebased encryption construction for circuits [GGH+13c]. We restrict the class of boolean circuits to be of a specific form. We assume layered circuits and that all gates in a particular layer are of the same type (either AND or OR). We assume that a layer of gates is not followed by another layer of the same type of gates. We also assume that all AND gates have a fanout of 1^{5}.
We introduce here a “gadget” which we call a “FANOUTgate”. This is done in order to deal with OR gates in the circuit that have a fanout greater than 1. To this end, we assume that a FANOUTgate is placed just after the OR gate under consideration. We view such OR gates also to have a fanout of 1 and without loss of generality assume that the FANOUTgate alone has a fanout greater than 1. However, we do not treat the FANOUTgate while calculating the total depth of the circuit, etc. It is merely a construct which allows us to deal only with OR gates having fanout 1.
4.1 Construction
The setup and the PRF construction is identical to the construction in Sect. 3. We now outline the constrain and evaluate algorithms.
F.Constrain \((k, f = (n, q, A, B, \texttt {GateType}))\) : The constrain algorithm takes as input the key k and a circuit description f. The circuit has \(n + q\) wires with n input wires, q gates and the wire \(n + q\) designated as the output wire. Assume that all gates have fanout 1 and that FANOUTgates have been inserted at places where the gates have a fanout greater than 1.
Consider a FANOUTgate placed after wire w, as shown in Fig. 1. We denote by \(r_{w}^{\textsf {L}}\) the randomness on the wire going as input to the FANOUTgate (the actual output wire of the gate under consideration) and by \(r_{w}^{\textsf {R}, i}\) the randomness on the ith fanout wire of the FANOUTgate (there would be as many of these as the fanout of the gate w), where \(i \in [\varDelta ]\) and \(\varDelta \) is the fanout of the wire w.
We now describe how the randomness for each wire is set. For each \(w \in [n + q]\backslash [n]\), if \(\texttt {GateType}(w) = \text {OR}\), it sets \(r_{A(w)} = r_{B(w)} = r_{w}\), otherwise, it chooses \(r_{A(w)}\) and \(r_{B(w)}\) at random. The case of FANOUTgates is handled as follows. Note that the above description already takes care of setting randomness on all the fanout wires of the FANOUTgate. The randomness for the input wire to the FANOUTgate (the output wire of the gate with fanout greater than 1) is chosen at random. Note that this completely describes how randomness on all wires in the circuit are chosen.
The first part of the constrained key is given out as simply all \(D_{i, \beta }\) for \(i \in [n]\) and \(\beta \in \{0, 1\}\). Next, the algorithm generates key components. The structure of the key components depends on whether w is an input wire or an output of an AND gate. For OR gates, we do not need to give out any keys, hence the name FreeOR. But, we also need to give out special key components for the FANOUTgates. The key components in each case are described below.

Input wire
By convention, if \(w \in [n]\), then it corresponds to the wth input. The key component is:$$K_{w} = g^{r_{w}d_{w, 1}}$$ 
AND gate
Suppose that \(w \in \textsf {Gates}\) and that GateType \((w) = \) AND. In addition, let \(j = \texttt {ANDdepth}(w)\). The algorithm chooses random \(a_{w}, b_{w} \in \mathbb {Z}_{p}\). Then, the algorithm creates key components:$$K_{w, 1} = g^{a_{w}}, K_{w, 2} = g^{b_{w}}, K_{w, 3} = g_{j  1}^{r_{w}  a_{w} \cdot r_{A(w)}  b_{w} \cdot r_{B(w)}}$$ 
FANOUTgate
Suppose that \(w \in \textsf {Gates}\), GateType \((w) = \) OR and that the fanout of w is greater than 1. In addition, let \(j = \texttt {ANDdepth}(w)\). In this case, a FANOUTgate would have been placed after w. Let \(r_{w}^{\textsf {L}}\) denote the randomness on the wire going as input to the FANOUTgate (the actual output wire of the gate under consideration) and let \(r_{w}^{\textsf {R}, i}\) denote the randomness on the ith fanout wire of the FANOUTgate (there would be as many of these as the fanout of the gate w). The keys given out are:for all \(i \in [\varDelta ]\), where \(\varDelta \) is the fanout of the gate w.$$K_{w, w', i} = g_{j  1}^{\left( r_{w}^{\textsf {R}, i}  r_{w}^{\textsf {L}}\right) }$$
The constrained key \(k_{f}\) consists of all these key components along with \(\{D_{i, \beta }\}\) for \(i \in [n]\) and \(\beta \in \{0, 1\}\).
F.Evaluate \((k_{f}, x)\) : The evaluate algorithm takes as input a constrained key \(k_{f}\) for the circuit \(f = (n, q, A, B, \texttt {GateType})\) and an input \(x \in \{0, 1\}^{n}\). The algorithm first checks that \(f(x) = 1\), and if not, it aborts.
Consider the wire w at ANDdepth j. If \(f_{w}(x) = 1\), then, the algorithm computes \(E_{w} = g_{n + j  1}^{r_{w}\prod _{m \in [n]} d_{m, x_{m}}}\). If \(f_{w}(x) = 0\), then nothing needs to be computed for that wire. The algorithm proceeds iteratively starting with computing \(E_{1}\) and proceeds, in order, to compute \(E_{n + q}\). Computing these values in order ensures that the computation on a lowerdepth wire that evaluates to 1 will be defined before the computation for a higherdepth wire. Since \(r_{n + q} = u\), \(E_{n + q} = g_{n + \ell _{\mathsf {AND}}  1}^{u\prod _{m \in [n]} d_{m, x_{m}}}\).
We show how to compute \(E_{w}\) for all w where \(f_{w}(x) = 1\), casewise, according to whether the wire is an input, an OR gate, an AND gate or a fanout wire of a FANOUTgate. Define \(D = D(x) = g_{n}^{\prod _{m \in [n]} d_{m, x_{m}}}\), which is computable through n pairing operations.
 Input wire By convention, if \(w \in [n]\), then it corresponds to the wth input. Suppose \(f_{w}(x) = 1\). Through pairing operations, the algorithm computes \(g_{n  1}^{\prod _{m \in [n]\backslash \{w\}} d_{m, x_{m}}}\). It then computes:$$E_{w} = e\left( K_{w}, g_{n  1}^{\prod _{m \in [n]\backslash \{w\}} d_{m, x_{m}}}\right) = g_{n}^{r_{w}\prod _{m \in [n]} d_{m, x_{m}}}$$

OR gate Consider a wire \(w \in \textsf {Gates}\) with GateType \((w) = \) OR. The computation is performed if \(f_{w}(x) = 1\). Note that in this case, at least one of \(f_{A(w)}(x)\) and \(f_{B(w)}(x)\) must be 1. Hence, we must have been able to evaluate at least one of \(E_{A(w)}\) and \(E_{B(w)}\). Since, for an OR gate, \(r_{A(w)} = r_{B(w)} = r_{w}\), we have \(E_{w} = E_{A(w)} = E_{B(w)}\), which can now be computed.
 AND gate Consider a wire \(w \in \textsf {Gates}\) with GateType \((w) = \) AND. In addition, let \(j = \texttt {ANDdepth}(w)\). The computation is performed if \(f_{w}(x) = 1\). Note that in this case, both \(f_{A(w)}(x)\) and \(f_{B(w)}(x)\) must be 1. The algorithm computes:$$\begin{aligned} E_{w}&= e(E_{A(w)}, K_{w, 1}) \cdot e(E_{B(w)}, K_{w, 2}) \cdot e(K_{w, 3}, D) \\&= e\left( g_{n + j  2}^{r_{A(w)}\prod _{m \in [n]} d_{m, x_{m}}}, g^{a_{w}}\right) \cdot e\left( g_{n + j  2}^{r_{B(w)}\prod _{m \in [n]} d_{m, x_{m}}}, g^{b_{w}}\right) \cdot \\&\qquad e\left( g_{j  1}^{r_{A(w)}  a_{w} \cdot r_{A(w)}  b_{w} \cdot r_{B(w)}}, g_{n}^{u\prod _{m \in [n]} d_{m, x_{m}}}\right) \\&= g_{n + j  1}^{r_{w}\prod _{m \in [n]} d_{m, x_{m}}} \end{aligned}$$
 FANOUTgate Let \(r_{w}^{\textsf {L}}\) denote the randomness on the wire going as input to the FANOUTgate (the actual output wire of the gate under consideration) and let \(r_{w}^{\textsf {R}, i}\) denote the randomness on the ith fanout wire of the FANOUTgate (there would be as many of these as the fanout of the gate w). The computation is performed if \(f_{w}(x) = 1\). In coherence with the previous notation, we define the quantities \(E_{w}^{\textsf {L}}\) and \(E_{w}^{\textsf {R}, i}\). Note that the \(E_{w}^{\textsf {L}}\) would have been computed. It then computes:$$E_{w}^{\textsf {R}, i} = e\left( K_{w, w', i}, D\right) \cdot E_{w}^{\textsf {L}} = g_{n + j  1}^{r_{w}^{\textsf {R}, i}\prod _{m \in [n]} d_{m, x_{m}}}$$
The procedures above are evaluated in order for all w for which \(f_{w}(x) = 1\). Thus, the algorithm computes \(E_{n + q} = g_{n + \ell  1}^{u\prod _{m \in [n]} d_{m, x_{m}}} = F(k, x)\).
5 Combining the FreeAND and FreeOR Techniques
In this section, we show that for the case of \(\mathbf {NC}^{1}\), we can indeed combine the FreeAND and FreeOR techniques to obtain a construction that has FreeANDs and FreeORs. While the main reason that the technique works is that for \(\mathbf {NC}^{1}\) circuits we can consider only boolean formulas, proving that our construction is secure is nontrivial (and different from the case of ABE).
5.1 An \(\mathbf {NC}^{1}\)predicate Construction
We construct a constrained PRF for arbitrary \(\mathbf {NC}^{1}\) circuit predicates, without giving any keys for AND as well as OR gates. Again, we base our construction on the \(\kappa \)MDDH assumption; however \(\kappa \) in our construction will only depend on n (the size of the input to the PRF) and not on the circuit in any way. We will be dealing with circuits of the form described in Sect. 2.3.
5.2 Construction
F.Setup \((1^{\lambda }, 1^{n})\) : The setup algorithm that defines the master secret key and the PRF is identical to the setup algorithm from Sect. 3 with \(\kappa =n\) instead of \(n+\ell _{\mathsf {OR}}1\).
F.Constrain \((k, f = (n, q, A, B, \texttt {GateType}))\) : The algorithm sets \(r_{n + q} = u\). For each \(w \in [n + q]\backslash [n]\), if \(\texttt {GateType}(w) = \text {OR}\), it sets \(r_{A(w)} = r_{B(w)} = r_{w}\), otherwise, it chooses \(r_{A(w)}\) at random and sets \(r_{B(w)} = r_{w}  r_{A(w)}\). Since the fanout of all gates is 1, for any wire \(w \in [n + q]\backslash [n]\), \(r_{w}\) would have been uniquely set. However, since the same inputs may be reused in multiple gates, for any wire \(w \in [n]\), \(r_{w}\) may have multiple values (as many as the fanout of the input wire), i.e., different randomness values for each use of the input wire (to different gates). Note that this procedure sets randomness on all wires in the circuit. The first part of the constrained key (\(k_f\)) is given out as simply all \(D_{i, \beta }\) for \(i \in [n]\) and \(\beta \in \{0, 1\}\). The remaining key components are: \(K_{w, i} = g^{r_{w, i}d_{w, 1}}, \forall i \in [\varDelta ]\), where \(\varDelta \) is the fanout of the input wire w.
F.Evaluate \((k_{f}, x)\) : The evaluate algorithm takes as input a constrained key \(k_{f}\) and an input \(x \in \{0, 1\}^{n}\). The algorithm first checks that \(f(x) = 1\), and if not, it aborts. Consider the wire w. If \(f_{w}(x) = 1\), then, we show how to compute^{6} \(E_{w} = g_{n}^{r_{w}\prod _{m \in [n]} d_{m, x_{m}}}\), casewise, according to whether the wire is an input, an OR gate or an AND gate.

Input wire. Through pairing operations, compute \(g_{n  1}^{\prod _{m \in [n]\backslash \{w\}} d_{m, x_{m}}}\). Then compute: \(E_{w, i} = e\left( K_{w, i}, g_{n  1}^{\prod _{m \in [n]\backslash \{w\}} d_{m, x_{m}}}\right) = g_{n}^{r_{w, i}\prod _{m \in [n]} d_{m, x_{m}}} \forall i \in [\varDelta ]\), where \(\varDelta \) is the fanout of the input wire w.

OR gate. In this case, at least one of \(f_{A(w)}(x)\) and \(f_{B(w)}(x)\) must be 1. Hence, we can evaluate at least one of \(E_{A(w)}\) and \(E_{B(w)}\). Since, for an OR gate, \(r_{A(w)} = r_{B(w)} = r_{w}\), \(E_{w} = E_{A(w)} = E_{B(w)}\), can now be computed.
 AND gate. In this case, \(f_{A(w)}(x) = f_{B(w)}(x) = 1\). The algorithm computes:$$\begin{aligned} E_{w}&= E_{A(w)} \cdot E_{B(w)} = g_{n}^{r_{A(w)}\prod _{m \in [n]} d_{m, x_{m}}} \cdot g_{n}^{r_{B(w)}\prod _{m \in [n]} d_{m, x_{m}}} = g_{n}^{r_{w}\prod _{m \in [n]} d_{m, x_{m}}} \end{aligned}$$
The procedures above are evaluated, in order, for all w for which \(f_{w}(x) = 1\). Thus, the algorithm computes \(E_{n + q} = g_{n}^{u\prod _{m \in [n]} d_{m, x_{m}}} = F(k, x)\).
5.3 Proof of Pseudorandomness
The correctness of the constrained PRF is verifiable in a straightforward manner. To show pseudorandomness, given an algorithm \(\mathcal {A}\) that breaks security of the constrained PRF, we will construct algorithm \(\mathcal {B}\) that breaks security of the \(\kappa = n\)MDDH assumption. \(\mathcal {B}\) receives a \(\kappa \)MDDH challenge consisting of the group sequence description \(\mathbf {\mathbb {G}}\) and \(g = g_{1}, g^{c_{1}}, \ldots , g^{c_{\kappa + 1}}\) along with T, where T is either \(g_{\kappa }^{\prod _{m \in [\kappa + 1]} c_{m}}\) or a random group element in \(\mathbb {G}_{\kappa }\). The security proof is in the selective security model (where the adversary commits to the challenge input \(x^*\) at the beginning of the game). To get full security, the proof will use the standard complexity leveraging technique of guessing the challenge \(x^{*}\); this guess will cause a loss of a \(1/2^{n}\)factor in the reduction. We formally show:
Theorem 2
If there exists a PPT adversary \(\mathcal {A}\) that breaks the pseudorandomness property of our \(\mathbf {NC}^{1}\)predicate construction for nbit inputs with advantage \(\epsilon (\lambda )\), then there exists a PPT algorithm \(\mathcal {B}\) that breaks the \(\kappa = n\)Multilinear Decisional DiffieHellman assumption with advantage \(\epsilon (\lambda )/2^{n}\).
Proof
The algorithm \(\mathcal {B}\) first receives a \(\kappa = n\)MDDH challenge consisting of the group sequence description \(\mathbf {\mathbb {G}}\) and \(g = g_{1}, g^{c_{1}}, \ldots , g^{c_{\kappa + 1}}\) along with T, where T is either \(g_{\kappa }^{\prod _{m \in [\kappa + 1]} c_{m}}\) or a random group element in \(\mathbb {G}_{\kappa }\).
Setup. It chooses an \(x^{*} \in \{0, 1\}^{n}\) uniformly at random. Next, it chooses random \(z_{1}, \ldots , z_{n} \in \mathbb {Z}_{p}\) and sets \(D_{m, \beta } = g^{c_{m}}\) if \(x_{m}^{*} = \beta \) and \(g^{z_{m}}\) otherwise, for \(m \in [n]\) and \(\beta \in \{0, 1\}\). It then implicitly sets \(u = c_{n + 1}\). The setup is executed as in the construction.
Constrain. Suppose a query is made for a secret key for a circuit \(f = (n, q, A, B, \texttt {GateType})\). If \(f(x^{*}) = 1\), then \(\mathcal {B}\) aborts.
Otherwise, \(\mathcal {B}\) sets the randomness on each wire in the circuit in the following way. It sets, for the output wire \(w = n + q\), \(r_{w} = u = c_{n + 1}\). For each \(w \in [n + q]\backslash [n]\), if \(\texttt {GateType}(w) = \text {OR}\), it sets \(r_{A(w)} = r_{B(w)} = r_{w}\). Suppose \(\texttt {GateType}(w) = \text {AND}\). If \(f_{w}(x^{*}) = 1\), then \(f_{A(w)}(x^{*}) = f_{B(w)}(x^{*}) = 1\) and \(\mathcal {B}\) chooses \(r_{A(w)}\) at random and sets \(r_{B(w)} = r_{w}  r_{A(w)}\). Suppose \(f_{w}(x^{*}) = 0\). Then we know that at least one of \(f_{A(w)}(x^{*})\) and \(f_{B(w)}(x^{*})\) must be zero. If \(f_{A(w)}(x^{*}) = 0\), it chooses \(r_{B(w)}\) at random and sets \(r_{A(w)} = r_{w}  r_{B(w)}\), while if \(f_{A(w)}(x^{*}) = 1\) and hence \(f_{B(w)}(x^{*}) = 0\), it chooses \(r_{A(w)}\) at random and sets \(r_{B(w)} = r_{w}  r_{A(w)}\). As we shall see later, such a choice of randomness is critical for the security proof. Since the fanout of all gates is 1, for any wire \(w \in [n + q]\backslash [n]\), \(r_{w}\) would have been uniquely set. However, since the same inputs may be reused in multiple gates, for any wire \(w \in [n]\), \(r_{w}\) may have multiple values (as many as the fanout of the input wire), i.e., different randomness values for each use of the input wire (to different gates), which we denote by \(r_{w, i}\) for all \(i \in [\varDelta ]\), where \(\varDelta \) is the fanout of the input wire w. Note that this procedure sets randomness on all wires in the circuit.
To show that \(\mathcal {B}\) can indeed compute all the key components, our proof will follow a similar structure to the FreeOR case (Sect. 4). We shall prove that for all wires in the circuit, \(\mathcal {B}\) can compute \(g^{r_{w}}\). To prove this, we shall prove the above statement, both when the wire w is such that \(f_{w}(x^{*}) = 1\) (Lemma 2), and when the wire w is such that \(f_{w}(x^{*}) = 0\) (Lemma 3). To prove Lemma 2, we shall first prove the following fact (Lemma 1): consider all wires in the circuit that evaluate to 1 on \(x^{*}\) and consider those wires among these that have maximum total depth; then, these wires must all be input wires to AND gates.
Lemma 1

\(S_{1} = \left\{ w : w \in [n + q] \wedge f_{w}(x^{*}) = 1\right\} \)

\(S_{1}^{\textsf {maxtotdepth}} = \left\{ w : w \in S_{1} \wedge \texttt {totdepth}(w) \ge \texttt {totdepth}(w')\ \forall w' \in S_{1}\right\} \)
Then w is an input wire to an AND gate \(\forall w \in S_{1}^{\textsf {maxtotdepth}}\).
Proof
This fact is very easy to easy. Clearly, \(w \ne n + q\), since \(f_{n + q}(x^{*}) = 0\) while \(f_{w}(x^{*}) = 1\). Hence there exist layers of gates after the one containing w. Suppose w is an input wire to an OR gate. Since \(f_{w}(x^{*}) = 1\), for some OR gate \(w'\) in the next layer of gates, \(f_{w'}(x^{*}) = 1\). Hence, \(\exists w' \in S_{1}\) such that \(\texttt {totdepth}(w) < \texttt {totdepth}(w')\) which contradicts the fact that \(w \in S_{1}^{\textsf {maxtotdepth}}\).
Lemma 2
For any wire \(w \in [n + q]\), if \(f_{w}(x^{*}) = 1\), then \(r_{w}\) is known.
Proof
We prove this by observing the randomness we have set on each wire, from the output wire to the input wires. From Lemma 1, we know that the first such wire we would see would be an input to an AND gate. For an input wire A(w), of an AND gate, satisfying \(f_{A(w)}(x^{*}) = 1\), first consider the case when \(f_{w}(x^{*}) = 1\) ^{7}. In this case, \(\mathcal {B}\) explicitly chooses all random values associated with this gate and hence \(\mathcal {B}\) chose \(r_{A(w)}\). When \(f_{w}(x^{*}) = 0\), note that \(\mathcal {B}\) carefully chose the randomness on the input wires which may potentially evaluate to 1 on \(x^{*}\) at random (and set the value on the other input wire B(w) based on this). Hence, if \(f_{A(w)}(x^*)=1\), \(r_{A(w)}\) is known to \(\mathcal {B}\). This forms the base case for the induction. Now, consider any other wire A(w) such that \(f_{A(w)} = 1\). Now, if A(w) were an input to an AND gate, then by the same argument as above, \(r_{A(w)}\) is known to \(\mathcal {B}\). Suppose, A(w) were an input to an OR gate w and \(f_{A(w)}(x^{*}) = 1\), then \(f_{w}(x^{*}) = 1\). By the induction hypothesis, \(r_{w}\) is known. We know that since w is an OR gate, \(r_{A(w)} = r_{w}\) and hence \(r_{A(w)}\) is known. This completes the proof.
Lemma 3
For any wire \(w \in [n + q]\), if \(f_{w}(x^{*}) = 0\), then \(g^{r_{w}}\) is known.
Proof
We can prove this by observing the randomness we have set on each wire, from the output wire to the input wires. The statement is true for the output wire \(w = n + q\), since \(g^{c_{n + 1}}\) is known. This forms the base case. We can now argue inductively.

Case 1: If w is an input to an OR gate \(w'\), then \(r_{w} = r_{w'}\). If \(f_{w'}(x^{*}) = 1\), then by Lemma 2, \(r_{w'}\) is known and hence \(g^{r_{w}}\) is known. If \(f_{w'}(x^{*}) = 0\), then by the induction hypothesis, \(g^{r_{w'}}\) is known and hence \(g^{r_{w}}\) is known.

Case 2: If w is an input to an AND gate \(w'\), then \(f_{w'}(x^{*}) = 0\). Now, by the induction hypothesis, \(g^{r_{w'}}\) is known. If \(w = A(w')\), then \(r_{B(w')}\) was chosen at random and is known, and hence \(g^{r_{w}} = g^{r_{w'}  r_{B(w')}}\) is known. Suppose \(w = B(w')\). If \(f_{A(w')}(x^{*}) = 0\), \(r_{w}\) was chosen at random and is known, and hence \(g^{r_{w}}\) is known. If \(f_{A(w')}(x^{*}) = 1\), then \(r_{A(w')}\) was chosen at random and is known, and hence \(g^{r_{w}} = g^{r_{w'}  r_{A(w')}}\) is known.
Finally, \(\mathcal {B}\) generates key components for input wires \(w \in [n]\). By convention, if \(w \in [n]\), then it corresponds to the wth input. If \(x_{w}^{*} = 1\), then \(r_{w, i}\) is known, from Lemma 2, for all \(i \in [\varDelta ]\), where \(\varDelta \) is the fanout of the input wire w. The key components are: \(K_{w, i} = (D_{w, 1})^{r_{w, i}} = g^{r_{w, i}d_{w, 1}}\), for all \(i \in [\varDelta ]\). If \(x_{w}^{*} = 0\), then \(g^{r_{w, i}}\) is known, from Lemma 3, for all \(i \in [\varDelta ]\). The key components are: \(K_{w, i} = \left( g^{r_{w, i}}\right) ^{z_{w}} = g^{r_{w, i}d_{w, 1}}\), for all \(i \in [\varDelta ]\).
Evaluate. Suppose a query is made for a secret key for an input \(x \in \{0, 1\}^{n}\). If \(x = x^{*}\), then \(\mathcal {B}\) aborts. Otherwise, \(\mathcal {B}\) identifies an arbitrary t such that \(x_{t} \ne x_{t}^{*}\). Through pairing of \(D_{m, x_{m}} \forall m \in [n] \backslash \{t\}\), it computes \(g_{n  1}^{\prod _{m \in [n]\backslash \{t\}} d_{m, x_{m}}}\) and raises it to \(d_{t, x_{t}} = z_{t}\) to get \(H = g_{n  1}^{\prod _{m \in [n]} d_{m, x_{m}}}\). Finally, it computes \(H' = e(U, H) = g_{n}^{u\prod _{m \in [n]} d_{m, x_{m}}} = F(k, x)\) and outputs it. Eventually, \(\mathcal {A}\) will issue a challenge input \(\tilde{x}\). If \(\tilde{x} = x^{*}\), \(\mathcal {B}\) will return the value T and output the same bit as \(\mathcal {A}\) does as its guess. If \(\tilde{x} \ne x^{*}\), \(\mathcal {B}\) outputs a random bit as its guess.
This completes the description of the adversary \(\mathcal {B}\). We first note that in the case where T is part of a MDDH tuple, the real game and game executed by \(\mathcal {B}\) have the identical distribution. Secondly, in both cases (i.e., whether or not T is part of the MDDH tuple), as long as \(\mathcal {B}\) does not abort, once again, the real game and game executed by \(\mathcal {B}\) have the identical distribution, except for the output of \(\mathcal {B}\) on the challenge query \(x^*\). Similar to the analysis in Sect. 3, the probability that \(\mathcal {B}\)’s guess was correct can be shown to be \(\epsilon (\lambda )/2^{n}\).
6 From BitFixing PRFs to \(\mathbf {NC}^{1}\) PRFs
 1.
The PRF must have an additive keyhomomorphism property. In other words, there exists a public algorithm \(\mathsf {F}_{\mathsf {bf}}.\mathsf {KeyEval}\), such that, for all \(k_1,k_2 \in \mathcal {K}\), \(\mathsf {F}_{\mathsf {bf}}.\mathsf {KeyEval}\) outputs \(\mathsf {F}_{\mathsf {bf}}(k_{1} + k_{2}, x)\) on inputs \(\mathsf {F}_{\mathsf {bf}}(k_{1}, x)\) and \(\mathsf {F}_{\mathsf {bf}}(k_{2}, x)\).
 2.Let \(\mathsf {F}_{\mathsf {bf}}.\mathsf {Constrain}(k,i)\) be the constrain algorithm that takes in a key and the position of the bit to be fixed to 1.^{8} An additive keyhomomorphism property should also exist among the constrained keys, that is, there exists a public algorithm, \(\mathsf {F}_{\mathsf {bf}}.\mathsf {AddKeys}\), such that^{9}, for all \(k_1,k_2 \in \mathcal {K}\) and index i,$$\mathsf {F}_{\mathsf {bf}}.\mathsf {AddKeys}(\mathsf {F}_{\mathsf {bf}}.\mathsf {Constrain}(k_{1}, i), \mathsf {F}_{\mathsf {bf}}.\mathsf {Constrain}(k_{2}, i)) = \mathsf {F}_{\mathsf {bf}}.\mathsf {Constrain}(k_{1} + k_{2}, i)$$
6.1 Construction
We follow the same template as in our \(\mathbf {NC}^{1}\)predicate construction in Sect. 5.1. We observe that the component \(K_{w, i}\) at the input level can be replaced with a constrained key from any bitfixing scheme which satisfies the properties mentioned above. \(\mathsf {F}_{\mathsf {bf}}, \mathsf {F}_{\mathsf {NC1}}\) denote the bitfixing and \(\mathbf {NC}^{1}\) schemes respectively.
\(\mathsf {F}_{\mathsf {NC1}}\).Setup \((1^{\lambda }, 1^{n})\) : The setup algorithm runs \(\mathsf {F}_{\mathsf {bf}}\).Setup \((1^\lambda , 1^{n})\) to get the PRF \(\mathsf {F}_{\mathsf {bf}}\) and key k. It sets the key as k. The keyed pseudorandom function is defined as \(\mathsf {F}_{\mathsf {bf}}(k, x)\).
\(\mathsf {F}_{\mathsf {NC1}}\).Constrain \((k, f = (n, q, A, B, \texttt {GateType}))\) : The constrain algorithm sets up randomness on the wires of the circuit using the procedure in the construction in Sect. 5.1 and computes key components for the input wires as \(K_{w} = \mathsf {F}_{\mathsf {bf}}.\mathsf {Constrain}(r_{w}, w)\) ^{10}. The constrained key \(k_{f}\) consists of all these key components.
\(\mathsf {F}_{\mathsf {NC1}}\).Evaluate \((k_{f}, x)\) : The algorithm first checks that \(f(x) = 1\), and if not, it aborts. As in the construction in Sect. 5.1, for every wire w, if \(f_{w}(x) = 1\), then, the algorithm computes \(\mathsf {F}_{\mathsf {bf}}(r_{w}, x)\). The algorithm proceeds iteratively and computes \(\mathsf {F}_{\mathsf {bf}}(r_{n + q}, x) = \mathsf {F}_{\mathsf {bf}}(k, x)\). \(\mathsf {F}_{\mathsf {bf}}(r_{w}, x)\) can be computed, casewise, according to whether the wire is an input, an OR gate or an AND gate.

Input wire If \(f_{w}(x) = 1\), it computes \(\mathsf {F}_{\mathsf {bf}}(r_{w}, x) = \mathsf {F}_{\mathsf {bf}}.\mathsf {Eval}(K_{w}, x)\).

OR gate If \(f_{w}(x) = 1\), at least one of \(f_{A(w)}(x)\) and \(f_{B(w)}(x)\) must be 1. Hence, we must have been able to evaluate at least one of \(\mathsf {F}_{\mathsf {bf}}(r_{A(w)}, x)\) and \(\mathsf {F}_{\mathsf {bf}}(r_{B(w)}, x)\). Since, \(r_{A(w)} = r_{B(w)} = r_{w}\), \(\mathsf {F}_{\mathsf {bf}}(r_{w}, x) = \mathsf {F}_{\mathsf {bf}}(r_{A(w)}, x) = \mathsf {F}_{\mathsf {bf}}(r_{B(w)}, x)\), which can be computed.

AND gate If \(f_{w}(x) = 1\), \(f_{A(w)}(x) = f_{B(w)}(x) = 1\). Hence, we must have been able to evaluate both \(\mathsf {F}_{\mathsf {bf}}(r_{A(w)}, x)\) and \(\mathsf {F}_{\mathsf {bf}}(r_{B(w)}, x)\). The algorithm computes \(\mathsf {F}_{\mathsf {bf}}(r_{w}, x) = \mathsf {F}_{\mathsf {bf}}.\mathsf {KeyEval}(\mathsf {F}_{\mathsf {bf}}(r_{A(w)}, x), \mathsf {F}_{\mathsf {bf}}(r_{B(w)} x))\), since, \(r_{A(w)} + r_{B(w)} = r_{w}\).
The procedures above are evaluated, in order, for all w for which \(f_{w}(x) = 1\). Thus, the algorithm computes \(\mathsf {F}_{\mathsf {bf}}(r_{n + q}, x) = \mathsf {F}_{\mathsf {bf}}(k, x)\).
6.2 Proof of Pseudorandomness
The correctness of the scheme is straightforward from the keyhomomorphism property of the bitfixing PRF scheme. We now prove the security.
Theorem 3
If there exists a PPT adversary \(\mathcal {A}\) that breaks the selective security of our construction for nbit inputs supporting \(\mathbf {NC}^{1}\)predicates with an advantage \(\epsilon (\lambda )\), then there exists a PPT algorithm \(\mathcal {B}\) that breaks the selective security of the underlying bitfixing predicate construction with the same advantage \(\epsilon (\lambda )\).
Proof
Let \(\mathcal {A}\) be the adversary which breaks the selective security of our \(\mathbf {NC}^{1}\) construction. We will construct an adversary \(\mathcal {B}\) which will use \(\mathcal {A}\) to break the selective security of the bitfixing construction \(\mathsf {F}_{\mathsf {bf}}\). Thus, \(\mathcal {B}\) plays a dual role: one as an adversary in the security game breaking the bitfixing construction and also as a challenger in the security game breaking the \(\mathbf {NC}^{1}\) construction.

First \(\mathcal {A}\) provides its challenge \(x^{*}\) to \(\mathcal {B}\) which in turn forwards it to its challenger. \(\mathcal {B}\) receives the public parameters of the bitfixing scheme from its challenger along with either \(\mathsf {F}_{\mathsf {bf}}(k, x^{*})\) or a random value which it forwards to \(\mathcal {A}\). \(\mathcal {B}\) is going to answer queries as though the PRF evaluated by the \(\mathbf {NC}^{1}\) construction is the same as that evaluated by the bitfixing construction \(\mathsf {F}_{\mathsf {bf}}\) used by the challenger. When \(\mathcal {A}\) asks a query f to \(\mathbf {NC}^{1}.\mathsf {Constrain}\) oracle with \(f(x^{*}) = 0\), \(\mathcal {B}\) follows a procedure similar to the one in Sect. 5.1.

\(\mathcal {B}\) carefully sets the randomness on all wires in the circuit as in the proof in Sect. 5.1. By virtue of this careful setting, the same properties hold: for any wire \(w \in [n + q]\), if \(f_{w}(x^{*}) = 1\), then \(r_{w}\) is known, and if \(f_{w}(x^{*}) = 0\), then \(r_{w}\) would either be known or of the form \(k + \sum r\), where each r is known. Note that \(r_{n + q} = k\) which is the key of PRF used by \(\mathcal {B}\) as well as \(\mathcal {B}\)’s challenger.

To give out keys for the input wires, \(\mathcal {B}\) does the following. For those wires w with \(f_{w}(x^{*}) = 1\), \(r_{w}\) is known and hence \(\mathcal {B}\) obtains \(K_{w} = \mathsf {F}_{\mathsf {bf}}.\mathsf {Constrain}(r_{w}, w)\) by running \(\mathsf {F}_{\mathsf {bf}}.\mathsf {Constrain}(r_{w}, w)\) by itself. For wires w with \(f_{w}(x^{*}) = 0\), if \(r_{w}\) is known, then \(\mathcal {B}\) obtains \(K_{w} = \mathsf {F}_{\mathsf {bf}}.\mathsf {Constrain}(r_{w}, w)\) by running \(\mathsf {F}_{\mathsf {bf}}.\mathsf {Constrain}(r_{w}, w)\) by itself. Otherwise, \(r_{w}\) is of the form \(k + \sum r\), where each r is known. For each r, \(\mathcal {B}\) obtains \(K'_{r, w} = \mathsf {F}_{\mathsf {bf}}.\mathsf {Constrain}(r, w)\) by running \(\mathsf {F}_{\mathsf {bf}}.\mathsf {Constrain}(r, w)\) by itself. Through repeated use of \(\mathsf {F}_{\mathsf {bf}}.\mathsf {AddKeys}\), and by virtue of the homomorphism property of the constrained keys, \(\mathcal {B}\) obtains \(K'_{\sum r, w} = \mathsf {F}_{\mathsf {bf}}.\mathsf {Constrain}\left( \sum r, w\right) \). \(\mathcal {B}\) then queries its challenger for the constrained key fixing the wth bit, i.e., it obtains \(K'_{k, w} = \mathsf {F}_{\mathsf {bf}}.\mathsf {Constrain}(k, w)\) by querying its challenger. Finally, through the use of \(\mathsf {F}_{\mathsf {bf}}.\mathsf {AddKeys}\left( K'_{k, w}, K'_{\sum r, w}\right) \), \(\mathcal {B}\) obtains \(K_{w} = \mathsf {F}_{\mathsf {bf}}.\mathsf {Constrain}\left( r_{w}, w\right) \).

When answering \(\mathcal {A}\)’s queries to \(\mathbf {NC}^{1}.\mathsf {Constrain}\), it is important to note that \(\mathcal {B}\) does not query for any predicate that allows it to evaluate \(F(k,x^*)\) by itself. We achieve this because all queries by \(\mathcal {B}\) to the challenger, \(\mathsf {F}_{\mathsf {bf}}.\mathsf {Constrain}(k, w)\), fix the wth bit to 1, while if the query were made, \(f_{w}(x^{*}) = 0\), i.e., the wth bit of \(x^{*}\) is 0.


When \(\mathcal {A}\) outputs a bit \(b'\), \(\mathcal {B}\) outputs the same.
In the above game, if \(\mathcal {A}\) breaks the selective security of the \(\mathbf {NC}^{1}\) construction with an advantage of \(\epsilon (\lambda )\) then \(\mathcal {B}\) breaks the underlying bitfixing construction with the same advantage.
Footnotes
 1.
By symmetry, we can also start with a bitfixing constrained PRF that fixes only one bit to 0.
 2.
When the term depth is used, it is synonymous to the notion of totdepth described ahead.
 3.
These restrictions are mostly useful for exposition and do not impact functionality.
 4.
We can define ORdepth of a circuit which is in our specified form as the number of layers comprising of OR gates, plus 1.
 5.
This can always be ensured for circuits that have alternating AND and OR layers. Suppose there is an AND gate with fanout \(\varDelta > 1\). We simply replace it with \(\varDelta \) AND gates having the same inputs and now we have \(\varDelta \) wires with the required output as before. Note that this process would have forced us to make the fanout of gates driving the AND gate to be \(\varDelta \) times as large, but since a gate driving an AND gate would only be an OR gate by our imposed circuit structure, this blows up the size of the circuit by only a polynomial factor.
 6.
For input wires \(w \in [n]\), we have \(E_{w, i} = g_{n}^{r_{w, i}\prod _{m \in [n]} d_{m, x_{m}}}\) for all \(i \in [\varDelta ]\), where \(\varDelta \) is the fanout of the input wire w. This feature has been present in our FreeOR construction as well. We pay attention to it specifically in this construction because of the absence of fanout for any wire other than the input wires.
 7.
It is true that the first such wire when we go from output to input level would be an AND gate with \(f_{w}(x^{*}) = 0\). However, the discussion on the case of \(f_{w}(x^{*}) = 1\) is more a general one for all AND gates in the circuit.
 8.
By symmetry, the construction also works if the constrain algorithm fixes a bit to 0.
 9.
We note here that \(\mathsf {F}_{\mathsf {bf}}.\mathsf {Constrain}(k,i)\) could, in general, be a randomized algorithm and in this case, we require the distributions on the left and the right of the equality to be computationally indistinguishable. For ease of exposition, we assume that \(\mathsf {F}_{\mathsf {bf}}.\mathsf {Constrain}(k,i)\) is deterministic and state our results accordingly.
 10.
As in Sect. 5.1, the fanout of the input wires can be easily incorporated.
References
 [BFP+15]Banerjee, A., Fuchsbauer, G., Peikert, C., Pietrzak, K., Stevens, S.: Keyhomomorphic constrained pseudorandom functions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 31–60. Springer, Heidelberg (2015)Google Scholar
 [BGI14]Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Public Key Cryptography, pp. 501–519 (2014)Google Scholar
 [BV15]Brakerski, Z., Vaikuntanathan, V.: Constrained keyhomomorphic PRFs from standard lattice assumptions. Or: how to secretly embed a circuit in your PRF. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 1–30. Springer, Heidelberg (2015)Google Scholar
 [BW13]Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 [CHL+15]Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 3–12. Springer, Heidelberg (2015)Google Scholar
 [CLR15]Cheon, J.H., Lee, C., Ryu, H.: Cryptanalysis of the new CLT multilinear maps. Cryptology ePrint Archive, Report 2015/934 (2015)Google Scholar
 [CLT13]Coron, J.S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 [CLT15]Coron, J.S., Lepoint, T., Tibouchi, M.: New multilinear maps over the integers. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 267–286. Springer, Heidelberg (2015)CrossRefGoogle Scholar
 [CRV14]Chandran, N., Raghuraman, S., Vinayagamurthy, D.: Constrained pseudorandom functions: verifiable and delegatable. IACR Cryptology ePrint Archive, 2014:522 (2014)Google Scholar
 [CRV15]Chandran, N., Raghuraman, S., Vinayagamurthy, D.: Reducing depth in constrained PRFs: from bitfixing to \(\rm NC^{1}\). IACR Cryptology ePrint Archive, 2015:829 (2015)Google Scholar
 [FKPR14]Fuchsbauer, G., Konstantinov, M., Pietrzak, K., Rao, V.: Adaptive security of constrained PRFs. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 82–101. Springer, Heidelberg (2014)Google Scholar
 [Fuc14]Fuchsbauer, G.: Constrained verifiable random functions. In: Abdalla, M., De Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 95–114. Springer, Heidelberg (2014)Google Scholar
 [GGH13a]Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 [GGH+13b]Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, 26–29 October, 2013, Berkeley, CA, USA, pp. 40–49 (2013)Google Scholar
 [GGH+13c]Garg, S., Gentry, C., Halevi, S., Sahai, A., Waters, B.: Attributebased encryption for circuits from multilinear maps. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 479–499. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 [GGH15]Gentry, C., Gorbunov, S., Halevi, S.: Graphinduced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015)Google Scholar
 [GGM86]Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)CrossRefMathSciNetGoogle Scholar
 [GPSW06]Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attributebased encryption for finegrained access control of encrypted data. In: ACM Conference on Computer and Communications Security, pp. 89–98 (2006)Google Scholar
 [GVW13]Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attributebased encryption for circuits. In: STOC, pp. 545–554 (2013)Google Scholar
 [HJ15]Hu, Y., Jia, H.: Cryptanalysis of GGH map. IACR Cryptology ePrint Archive, 2015:301 (2015)Google Scholar
 [HKKW14]Hofheinz, D., Kamath, A., Koppula, V., Waters, B.: Adaptively secure constrained pseudorandom functions. IACR Cryptology ePrint Archive, 2014:720 (2014)Google Scholar
 [KPTZ13]Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, Berlin, Germany, 4–8 November, 2013, pp. 669–684 (2013)Google Scholar
 [MF15]Minaud, B., Fouque, P.A.: Cryptanalysis of the new multilinear map over the integers. Cryptology ePrint Archive, Report 2015/941 (2015)Google Scholar
 [SW05]Sahai, A., Waters, B.: Fuzzy identitybased encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005)CrossRefGoogle Scholar