A Transformation Approach from Constrained Pseudo-Random Functions to Constrained Verifiable Random Functions

Abstract

Constrained pseudorandom functions (CPRFs) are fundamental cryptographic primitives used in broadcast encryption and attributed-based encryption. Constrained verifiable random functions (CVRFs) extend CPRFs by incorporating verifiability. A constrained key $s{k}_S$, derived from the master secret key $sk$, restricts computation to a set Sf with correct evaluation. This allows holders of $s{k}_S$ to compute function values only for inputs in S. Prior constructions of CVRFs rely on strong assumptions like multilinear maps or indistinguishability obfuscation, which often suffer from theoretical or practical limitations. In this work, we introduce a simple, generic approach for building CVRFs from basic cryptographic primitives. Specifically, we give a general transformation from any CPRF to a CVRF, achieving provability, uniqueness, and pseudorandomness. We demonstrate that CVRFs can be generically constructed from the following cryptographic primitives: CPRFs, perfectly binding commitment schemes, and non-interactive proof systems. Compared to previous schemes, our approach features a fixed-length public key independent of the circuit depth, improving efficiency and scalability.

1. Introduction

With the advancement of communication technologies, security and privacy concerns in networks have become increasingly prominent. Lightweight encryption mechanisms remain a fundamental approach to safeguarding cyberspace security and data privacy. Goldreich et al. [1] pioneered pseudorandom functions (PRFs), a fundamental primitive that revolutionized cryptographic theory and practice. Pseudorandom functions are widely used in various cryptographic applications, including secure multiparty computation, digital signature schemes, and encryption algorithms.

Micali et al. [2] introduced verifiable random functions (VRFs), an important extension of pseudorandom functions (PRFs) that enables publicly verifiable proofs of correct computation. A VRF system enables the secret key holder to compute both a function value $y=f(sk,x)$ and an accompanying proof $\pi$. Using $\pi$, any party can verify that y was correctly computed from x without requiring interaction with the prover. Meanwhile, the pseudorandomness of the function evaluation on other points should be preserved even if an attacker is given polynomial evaluations along with the corresponding proofs. VRFs are useful primitives that are used to construct a consensus algorithm of the blockchain [3,4,5].

Boneh and Waters [6] proposed constrained pseudorandom functions (CPRFs). A Constrained PRF (CPRF) scheme extends standard PRFs with a constrained key generation algorithm $s{k}_S$. The derived key $s{k}_S$ permits evaluation of the PRF only on inputs $x\in S$ while guaranteeing that the function remains pseudorandom on all $x\in S$ (even when given access to $s{k}_S$). The scheme maintains computational pseudorandomness at $x^{\ast }$: for any adversary, obtaining many polynomial evaluations ${\left\{F(sk,x_i)\right\}}_{x_i\ne x^{\ast }}$ (and potentially constrained keys $s{k}_{S_j}$, where $x^{\ast }\notin S_j$), $F(sk,x^{\ast }))$ remains indistinguishable from a uniformly random value. Constrained PRFs have been widely used for various branches of cryptography, such as broadcast encryption [7,8], multi-party key exchange [9], attribute-based encryption [10,11], and so on.

Fuchsbauer [12] proposed constrained verifiable random functions (CVRFs), combining the properties of VRFs and constrained PRFs. In a CVRF system, the master secret key holder can generate pseudorandom evaluations along with publicly verifiable proofs for any input $x\in \mathcal{X}$ while also supporting constrained key derivation for subsets $S\subset \mathcal{X}$. A constrained key $s{k}_S$ permits computation of the function (with proofs) only on inputs $x\in S$, yet preserves the pseudorandomness of evaluations at all $x^{\ast }\notin S$, even against adversaries who polynomially obtain many constrained keys for sets excluding $x^{\ast }$ and observe valid function outputs (with proofs) at other points.

CVRFs have demonstrated valuable practical applications, with prior work by Liu et al. [13] and Zan et al. [14] exploring their use in micropayment systems. We present a novel application of CVRFs for random leader election in consensus mechanisms. Consider a network of N nodes $N=\{N_1,N_2,\dots ,N_n\}$ with respective stakes $w_1,w_2,\dots ,w_n$ (total stake $W=\sum w_i$) and current round seed r. Using a minimum stake threshold $w_{min}$, we define a constraint set $S=\left\{w_i\right|w_i>w_{min}\}$ to filter out low-stake nodes. The system generates a constrained private key $s{k}_S=\mathsf{Constrain}(sk,S)$, enabling each node to compute $(y_i,{\pi }_i)=\mathsf{Prove}(s{k}_S,x)$, where $x=r\left|round\right|N_i$, $round$ represents the election round. Normalizing $y_i$ yields $p_i\in [0,1)$, and node $N_i$ becomes leader if $p_i<{\displaystyle \frac{w_i}{W}}$, with results verifiable via $\mathsf{Verify}(pk,x,y,\pi )$. This scheme uses constraint set S to enforce participation rules, while x guarantees fairness, with the constrained key embedding stake weights into the random generation process to ensure only qualified nodes produce valid outputs. By leveraging CVRF’s cryptographic properties, we achieve a secure, efficient, and provably fair leader election method that could significantly enhance next-generation blockchain consensus protocols.

Prior works [12,13,14,15,16,17] have proposed various constructions of constrained verifiable random functions, primarily relying on either multilinear maps or indistinguishability obfuscation ($i\mathcal{O}$) [18]. However, these approaches suffer from significant limitations. First, $i\mathcal{O}$ remains an impractical assumption due to its reliance on an exponential number of security assumptions [19], and recent cryptanalytic advances have further undermined confidence in multilinear maps [20]. Second, existing multilinear-map-based constructions [12,15] exhibit inefficient parameter sizes. In particular, the public key size grows linearly with the circuit depth $d_C$, as the construction requires multilinear maps of degree $n+d_C$, where n denotes the input bit length. These shortcomings necessitate more efficient CVRF constructions based on standard assumptions.

1.1. Our Work

We introduce a simple and generic framework for constructing constrained verifiable random functions from basic cryptographic primitives. Our approach is inspired by Bitansky’s construction of standard VRFs [21], which relies on general primitives such as the NIWI proof system and perfectly binding commitments. Building upon these techniques, we propose a universal transformation from any constrained pseudorandom function to a constrained VRF that achieves strong security guarantees while preserving the desired properties of the underlying constrained PRF.

We present a generic construction of constrained verifiable random functions building on constrained PRFs [6], perfectly binding commitments, the NIWI proof system, and the NIZK proof system. Our approach, formally detailed in Section 4, adapts the VRF framework of Goyal et al. [22] to the constrained setting. The setup algorithm generates a key containing a constrained PRF key K along with commitment randomness $(r_1,r_2,r_3)$ and produces a public key consisting of three perfectly binding commitments $(c_1,c_2,c_3)$ to the PRF key K. Evaluations leverage the underlying constrained PRF directly, serving as the VRF output. The proof system employs NIWI proofs to establish that at least two commitments open to keys $K_1,K_2$ producing matching PRF outputs (i.e., $y=\mathsf{CPRF}.\mathsf{Eval}(K,x)$), enabling public verification while maintaining privacy. For constrained key generation, we naturally inherit the constrained PRF’s key derivation mechanism, outputting without additional proof generation—verification of constrained evaluations relies entirely on the same NIWI-based approach as unconstrained outputs. This construction maintains the security guarantees of the base PRF while introducing verifiability via standard cryptographic components. However, the proving algorithm fails to generate validity proofs for evaluations on inputs $x\in S$—a critical limitation that prevents full CVRF functionality.

To address this problem, we enhance our construction through two key modifications: We enhance the base scheme through two fundamental modifications: (1) extending the setup algorithm to generate a common reference string (CRS) included in the system parameters, and (2) augmenting the constrained key generation with non-interactive zero-knowledge (NIZK) proofs to preserve verifiability across constrained evaluations. Specifically, when deriving a constrained key $K_S$ for set S, the algorithm now produces an NIZK proof attesting that at least two of the committed keys, $K,K^{\prime }$ in $(c_1,c_2,c_3)$, would generate the same constrained key $K_S$ when restricted to S. This preserves consistency between the master key and constrained keys while maintaining the zero-knowledge property, ensuring that no additional information about the master key is leaked through the proof. The NIZK proof constitutes a part of the constrained key. In order to compute an evaluation on $x\notin S$, it first runs the evaluation algorithm $y=\mathsf{CPRF}.\mathsf{Eval}(K_S,x)$ of constrained PRF and then generates a NIWI proof because it does not have a witness for the previous statement. So, we modified the NIWI statement to where either it satisfies the previous statement or there exists a witness $(K,K^{\prime },\widehat{\pi },{\pi }^{\prime },S,crs)$ such that $\mathsf{NIZK}.\mathcal{V}(crs,(c_1,c_2,c_3,K,S),\widehat{\pi })=1\wedge \mathsf{NIZK}.\mathcal{V}(crs,(c_1,c_2,c_3,K^{\prime },S),{\pi }^{\prime })=1\wedge \mathsf{CPRF}.\mathsf{Eval}(K,x)=\mathsf{CPRF}.\mathsf{Eval}(K^{\prime },x)=y$. We can find that it does not have a witness for the first sub-statement. However, it can generate a proof for the second sub-statement. This construction enables efficient verification of evaluations through the NIWI verifier, which can be executed non-interactively using only the public parameters and proof. The verification process maintains constant-time complexity regardless of the constraint set S, as it simply checks the NIWI proof’s validity against the committed public values.

The pseudorandomness of our constrained VRF construction can be tightly reduced to the security of the underlying constrained PRF via a standard hybrid argument. Our security proof establishes selective security, where the adversary must commit to its challenge input prior to observing the public parameters. While this can be generically boosted to adaptive security through complexity leveraging techniques [23]—requiring the reduction to predict the adversary’s challenge query—this approach incurs an exponential (in the input length) security loss. Nevertheless, by carefully adjusting the input length parameter, we maintain meaningful polynomial-time security guarantees.

Table 1. Comprehensive comparison between our construction and prior works.

Cite	Public Key Size	Proof Size	Evaluation Complexity	Verification Complexity
Fuchsbauer [12]	$(2n+1)\lambda$	$poly\left(\lambda \right)$	$O\left({\lambda }^n\right)$	$O\left({\lambda }^n\right)+2mul$
Liu et al. [13]	$poly(\lambda ,|C\left|\right)$	$poly\left(\lambda \right)$	$poly(\lambda ,|C\left|\right)$	$poly(\lambda ,|C\left|\right)+2mul$
Zan et al. [14]	$poly(\lambda ,|C\left|\right)$	$poly\left(\lambda \right)$	$poly(\lambda ,|C\left|\right)$	$poly(\lambda ,|C\left|\right)+poly\left(\lambda \right)$
Our construction	$3\lambda$	$poly\left(\lambda \right)$	$poly(\lambda ,|C\left|\right)$	$O\left(1\right)·mul$

provides a comprehensive comparison between our construction and prior works. Fuchsbauer’s constructions [12] are based on leveled multilinear groups, where the public key consists of $2n$ group elements for an input of length n. During the evaluation phase, the scheme performs $2n+1$ multiplication operations, while its verification phase requires n multiplications and 2 multilinear operations. The approaches of Liu et al. [13] and Zan et al. [14] incorporate an obfuscated circuit in the public key, demanding full circuit computation during evaluation. For verification, Liu et al.’s construction [13] involves computing a circuit C along with 2 bilinear group operations, whereas Zan et al.’s scheme [14] requires circuit C computation and a commitment operation. Our construction relies on a CPRF, commitment scheme, NIZK, and NIWI, with the public key comprising three commitments. During the constrained evaluation phase, we employ Groth and Sahai’s bilinear group-based NIWI proof system [24], which requires computing an arithmetic circuit C to generate the proof. The verification process involves checking this NIWI proof through only $O\left(1\right)$ bilinear group operations, making it highly efficient. The proof size scales with the number of constraints in C while maintaining constant-time verification regardless of the circuit’s complexity. This approach achieves both expressiveness through arbitrary constraints encoded in C and practical efficiency, particularly in the verification phase. The arithmetic circuit representation can be further optimized using techniques like R1CS or QAP to improve prover efficiency.

1.2. Related Works

The construction of verifiable random functions has evolved through several important milestones. Lysyanskaya’s pioneering work [25] established the first VRF construction based on bilinear groups, though it suffered from linear-size proofs and keys. A significant efficiency improvement came from Dodis and Yampolskiy [26], who achieved constant-size proofs and keys, but their scheme was limited to polynomially sized input spaces. Subsequent work by Jager [27] demonstrated how to construct efficient VRFs with full adaptive security, though they relied on parameterized q-type assumptions, where security depends on the (potentially large) parameter q. Notably, most VRF constructions offering desirable properties have relied on these progressively stronger q-type assumptions. A major theoretical breakthrough came from Hofheinz and Jager [28], who presented the first VRF construction based on non-interactive, constant-size assumptions while simultaneously supporting exponentially large input spaces and achieving full adaptive security.

Recent advances in constrained pseudorandom functions have made significant progress in both security guarantees and construction paradigms. Fuchsbauer et al. [29] established a breakthrough in adaptive security for the Goldreich–Goldwasser–Micali (GGM) construction, achieving a quasi-polynomial security reduction relative to the adversary’s query complexity. Parallel developments include Hofheinz et al.’s [30] novel constrained PRF construction in the RO model, as well as Hohenberger et al.’s [31] standard-model puncturable PRFs with polynomial security loss. The latter work also demonstrated how indistinguishability obfuscation ($i\mathcal{O}$) can transform standard puncturable PRFs into t-puncturable variants, though requiring polynomially sized constraint sets. Attrapadung et al. [32] contributed traditional group-based constructions, albeit with selective security limitations. Their subsequent work [33] overcame this restriction by achieving adaptive single-key security through a combination of $i\mathcal{O}$ and subgroup hiding assumptions.

Boyle et al. [34] introduced functional pseudorandom functions (F-PRFs) that enable fine-grained access control. In their definition, the holder of secret key $sk$ can evaluate function value over its entire domain. A function-specific key $s{k}_f$ restricts evaluation to outputs within the range of a function f (i.e., values y for which there exists some x such that $f\left(x\right)=y$). A related notion was proposed by Kiayias et al. [35] through delegatable pseudorandom functions (D-PRFs), which enable the controlled delegation of PRF evaluation rights for specific subsets of the domain. These two primitives (F-PRFs and D-PRFs) are fundamentally equivalent to constrained PRFs, differing primarily in their formulation and intended application scenarios. The D-PRF framework particularly emphasizes the delegation aspect, where a proxy can be authorized to evaluate the PRF on precisely defined subsets of inputs.

Fuchsbauer [12] introduced the notion of CVRFs and provided two constructions derived from bit-fixing VRFs and circuit-constrained VRFs. Following this work, numerous other constructions emerged, including those based on multilinear maps [15] and indistinguishability obfuscation (iO) [13,14,17]. While most existing constrained VRF (CVRF) constructions only achieve selective security, recent works have made incremental progress toward stronger security notions. Liu et al. [13] proposed a semi-adaptive secure CVRF where the adversary can make evaluation queries before selecting (but must commit to) the challenge point. In a parallel development, Zan et al. [14] introduced single-key security, requiring the adversary to specify the constraint set before receiving the public key, and provided a construction based on indistinguishability obfuscation. However, the fundamental challenge of achieving full adaptive security based on standard assumptions, where the adversary has complete flexibility in choosing both the challenge point and constraint queries at any stage, remains open. This gap presents several research directions: (1) developing novel proof techniques to bridge semi-adaptive to fully adaptive security without exponential security loss; (2) exploring alternative constructions beyond obfuscation-based approaches that might offer better efficiency. Resolving these challenges would significantly advance the deployability of CVRFs in real-world privacy-preserving systems.

2. Preliminaries

This section formally defines the cryptographic primitives underlying our CVRF construction. We introduce these notions with precise notation to establish a rigorous foundation for both security analysis and protocol design. We assume standard familiarity with the following:

• Commitment schemes $(\mathsf{Com},\mathsf{Ver})$;
• Non-interactive zero-knowledge proofs $(\mathsf{NIWI}.\mathsf{Setup},\mathsf{NIZK}.\mathcal{P},\mathsf{NIZK}.\mathcal{V})$,

and omit their formal definitions for brevity.

2.1. Constrained Pseudorandom Functions (CPRFs)

We formalize the notion of CPRFs as introduced by Boneh and Waters [6]. A CPRF system extends standard pseudorandom functions (PRFs) by enabling the generation of constrained keys that only permit evaluation of authorized inputs while preserving pseudorandomness on all other inputs.

Definition 1. 

($\mathsf{CPRF}$). A CPRF system for a constraint family $\mathcal{S}\subset 2^{\mathcal{X}}$ is defined by a function $\mathsf{CPRF}.F:\mathcal{K}\times \mathcal{X}\to \mathcal{Y}$ and three polynomial-time algorithms $(\mathsf{CPRF}.\mathsf{Setup},$$\mathsf{CPRF}.\mathsf{Constrain},\mathsf{CPRF}.\mathsf{Eval})$.

• $\mathsf{CPRF}.\mathsf{Setup}\left(1^{\lambda }\right)\to K:$ A PPT algorithm that, on input of security parameter λ, outputs a master secret key $K\in \mathcal{K}$.
• $\mathsf{CPRF}.\mathsf{Constrain}(K,S)\to K_S:$ A PPT algorithm that, on input K and constraint set $S\in \mathcal{S}$, outputs a constrained key $K_S\in {\mathcal{K}}^{\prime }$.
• $\mathsf{CPRF}.\mathsf{Eval}(K_S,x)\to y:$ A deterministic algorithm that, on input $K_S$ and $x\in \mathcal{X}$, outputs

  $$y=\left\{\begin{array}{cc}\mathsf{CPRF}.F(K,x)\hfill & \mathit{if}x\in S;\hfill \\ \perp \hfill & otherwise.\hfill \end{array}\right.$$

(Pseudorandomness). Pseudorandomness of CPRF guarantees computational indistinguishability between real function evaluations and random values in the presence of an adversary that can adaptively query a constrained key-generated oracle and evaluation oracle. Formally, this is captured through the following security experiment ${\mathsf{Exp}}_{\mathcal{A}}^{\mathsf{CPRF}}(\lambda ,b)$:

• The challenger runs setup algorithm $K\leftarrow \mathsf{CPRF}.\mathsf{Setup}\left(1^{\lambda }\right)$ and chooses $b\leftarrow \{0,1\}$ randomly.
• The challenger initializes two empty sets:

  −

  Initialize $V\leftarrow \varnothing$ as the set of points derivable through constrained key evaluations;

  −

  Initialize $E\leftarrow \varnothing$, where $E=\{x\in \mathcal{X}|\mathcal{A}\mathrm{made}\mathrm{query}\mathsf{CPRF}.\mathsf{Eval}(·,x)\}$.

• $\mathcal{A}$ interacts with the following oracles:

  −

  Constrain Oracle: Upon input $S\subset \mathcal{S}$, it returns $K_S\leftarrow \mathsf{CPRF}.\mathsf{Constrain}(K,S)$ and updates $V:=V\cup S$, which records constrained domains.

  −

  Evaluation Oracle: Upon input $x\in \mathcal{X}$, it returns $\mathsf{CPRF}.F(K,x)$ and updates $E:=E\cup \left\{x\right\}$, which records evaluation queries.

  −

  Challenge Phase: $\mathcal{A}$ submits challenge point $x^{\ast }\in \mathcal{X}$. If $x^{\ast }\in E\cup V$, it returns ⊥, which implies it is a trivial challenge. Otherwise, it samples $b\leftarrow \{0,1\}$ uniformly. It returns

  $$y^{\ast }\leftarrow \left\{\begin{array}{cc}\mathsf{CPRF}.\mathsf{F}(K,x^{\ast })\hfill & \mathrm{if}b=0,\hfill \\ \mathrm{uniform}\mathrm{sample}\mathrm{from}\mathcal{Y}\hfill & \mathrm{if}b=1.\hfill \end{array}\right.$$

• $\mathcal{A}$ outputs a bit $b^{\prime }\in 0,1$. The experiment outputs 1 if $b=b^{\prime }$, and 0 otherwise.

A CPRF scheme provides pseudorandomness security if, for all probabilistic polynomial-time (PPT) adversaries $\mathcal{A}$, the following advantage is negligible in security parameter $\lambda$:

$$|Pr[{\mathsf{Exp}}_{\mathcal{A}}^{\mathsf{CPRF}}(\lambda ,0)=1]-Pr[{\mathsf{Exp}}_{\mathcal{A}}^{\mathsf{CPRF}}(\lambda ,1)=1]|.$$

2.2. Non-Interactive Witness Indistinguishable Proofs (NIWIs)

Definition 2. 

($\mathsf{NIWI}$). For an NP relation $R\subset {\{0,1\}}^{\ast }\times {\{0,1\}}^{\ast }$, a NIWI proof system consists of two PPT algorithms:

• $\mathsf{NIWI}.\mathcal{P}(x,w)\to \pi :$ Upon input or a statement x and witness w, where $(x,w)\in R$, it outputs a proof π. It requires that for all $(x,w)\in R$.
• $\mathsf{NIWI}.\mathcal{V}(x,\pi )\to 0\mathrm{or}1:$ Upon input x and proof π, it outputs an acceptance bit b.

For an NP relation R with associated language $L\left(R\right)=\{x\mid \exists w:(x,w)\in R\}$, a NIWI proof system $\mathsf{NIWI}.\mathcal{P}(x,w),\mathsf{NIWI}.\mathcal{V}(x,\pi )$ must satisfy the following:

(Perfect completeness). $\forall (x,w)\in R$,

$$Pr[\mathsf{NIWI}.\mathcal{V}(x,\pi )=1|\pi \leftarrow \mathsf{NIWI}.\mathcal{P}(x,w)]=1.$$

(Statistical soundness). $\forall \mathrm{PPT}\mathcal{A},$ there exists a negligible function $\mathrm{negl}\left(\lambda \right)$,

$$Pr\left[\begin{array}{cc}& (x,\pi )\leftarrow \mathcal{A}\left(1^{\lambda }\right),\hfill \\ & x\notin L\left(R\right)\wedge \mathsf{NIWI}.\mathcal{V}(x,\pi )=1\hfill \end{array}\right]\le \mathrm{negl}\left(\lambda \right).$$

(Witness indistinguishability). For all PPT adversaries, $\mathcal{A}$ and all triples, $(x,w_0,w_1)$, where $(x,w_0),(x,w_1)\in R$:

$$\{{\pi }_0\leftarrow \mathsf{NIWI}.\mathcal{P}(x,w_0)\}\stackrel{c}{\approx }\{{\pi }_1\leftarrow \mathsf{NIWI}.\mathcal{P}(x,w_1)\},$$

where $\stackrel{c}{\approx }$ denotes computational indistinguishability.

3. Definition of Constrained Verifiable Random Functions (CVRFs)

Definition 3. 

Let $F:\mathcal{K}\times \mathcal{X}\to \mathcal{Y}$ be a polynomial-time computable function with the following:

• Key space: $\mathcal{K}={\{0,1\}}^{\lambda }$ (parameterized by security parameter λ);
• Domain: $\mathcal{X}={\{0,1\}}^{p\left(\lambda \right)}$ for some polynomial p;
• Range: $\mathcal{Y}={\{0,1\}}^{q\left(\lambda \right)}$ for some polynomial q.

where $F(k,·)$ is computable in time for all $k\in \mathcal{K}$. A function $F:\mathcal{K}\times \mathcal{X}\to \mathcal{Y}$ is called a constrained verifiable random function (CVRF) with respect to a constraint family $\mathcal{S}\subseteq 2^{\mathcal{X}}$ if there exists a constrained key space ${\mathcal{K}}^{\prime }$, a proof space $\mathcal{P}$, and four algorithms.

• $\mathsf{Setup}\left(1^{\lambda }\right)\to (pk,sk):$ Upon input of a security parameter λ, it outputs $(pk,sk)$, where $pk$ denotes the public verification key, and $sk$ denotes the private evaluation key.
• $\mathsf{Constrain}(sk,S)\to s{k}_S$: The constrained key generation algorithm takes as input a private evaluation key $sk$ and a subset $S\subset \mathcal{S}$, then derives a restricted key $s{k}_S\in {\mathcal{K}}^{\prime }$ that retains functionality only for inputs in S.
• $\mathsf{Prove}(s{k}_S,x)\to (y,\pi )$ or $(\perp ,\perp ):$ Upon input $s{k}_S$ and x, it computes an evaluation y associate with a proof π such that $(y,\pi )\in \mathcal{Y}\times \mathcal{P}$ if $x\in S$. Otherwise, it outputs $(\perp ,\perp )$.
• $\mathsf{Verify}(pk,x,y,\pi )\to 0$ or $1:$ Upon input $pk$, x,y and proof π, it outputs an acceptance bit $b\in \{0,1\}$.

Provability. For all security parameters $\lambda \in \mathbb{N},$ key pair $(pk,sk)\leftarrow \mathsf{Setup}\left(1^{\lambda }\right),$ constraint sets $S\subset \mathcal{S},$ and $s{k}_S\leftarrow \mathsf{Constrain}(sk,S)$, the following holds for any input $x\in \mathcal{X}$:

• Membership case $x\in S$: let $(y,\pi )\leftarrow \mathsf{Prove}(s{k}_S,x)$; we require

  −

  Correct output $y=F(sk,x)$;

  −

  Valid proof $\mathsf{Verify}(pk,x,y,\pi )=1$.

• Non-membership case $x\notin S$: the algorithm must satisfy

  −

  Explicit rejection $(y,\pi )=(\perp ,\perp )$.

(Uniqueness). This implies that there are no two valid proofs ${\pi }_0,{\pi }_1$ that can verify distinct outputs $y_0\ne y_1$ for the same x. Specifically, for all security parameters $\lambda \in \mathbb{N}$, the public/secret key pair $(pk,sk)\leftarrow \mathsf{Setup}\left(1^{\lambda }\right),$ and $x\in \mathcal{X}$, the function $F(sk,x)$ is deterministic, i.e., $\forall (y_0,{\pi }_0),(y_1,{\pi }_1)\in \mathcal{Y}\times \mathcal{P}$; if $\mathsf{Verify}(pk,x,y_0,{\pi }_0)=1$ and $\mathsf{Verify}(pk,x,y_1,{\pi }_1)=1$ hold, then $y_0=y_1$.

(Pseudorandomness). A CVRF scheme achieves pseudorandomness if, for all PPT adversaries $\mathcal{A}$, there exists a negligible function $\mathrm{negl}\left(\lambda \right)$ such that

$$|Pr[{\mathsf{Exp}}_{\mathcal{A}}^{\mathsf{CVRF}}(\lambda ,0)=1]-Pr[{\mathsf{Exp}}_{\mathcal{A}}^{\mathsf{CVRF}}(\lambda ,1)=1]|\le \mathrm{negl}\left(\lambda \right),$$

where the security experiment ${\mathsf{Exp}}_{\mathcal{A}}^{\mathsf{CVRF}}(\lambda ,b)$ is defined as follows:

• The challenger begins by generating $(pk,sk)\leftarrow \mathsf{Setup}\left(1^{\lambda }\right)$ and provides $pk$ to $\mathcal{A}$. It selects a bit b uniformly at random from $\{0,1\}$ to start the challenge phase.
• The challenger initializes V and E as empty sets.

  −

  V tracks all points for which the adversary $\mathcal{A}$ can compute evaluations (e.g., via constrained keys or direct queries);

  −

  E records all evaluation oracle queries made by $\mathcal{A}$.

• $\mathcal{A}$ can make the query of the following oracles:

  −

  Constrain(·): For input $S\subset \mathcal{S}$, returns $s{k}_S\leftarrow \mathsf{Constrain}(sk,S)$, and updates $V\leftarrow V\cup S$.

  −

  Evaluation (·): For input $x\in \mathcal{X}$, returns $\mathsf{Prove}(s{k}_S,x)$, and updates $E\leftarrow E\cup \left\{x\right\}$.

  −

  Challenge ($x^{\ast }$): For input $x^{\ast }\in \mathcal{X}$, checks:

  ∗

  If $x^{\ast }\in E\cup V$, it returns ⊥.

  ∗

  Otherwise, it returns $F(sk,x^{\ast })$ if $b=0$, or a uniformly random string $y^{\ast }\leftarrow \mathcal{Y}$ if $b=1$.

• The experiment’s output is the adversary’s guess, $b^{\prime }$.

4. Construction of CVRFs

A CVRF is a tuple $F=(\mathsf{Setup},\mathsf{Constrain},\mathsf{Prove},\mathsf{Verify})$ with domain $\mathcal{X}\leftarrow {\{0,1\}}^{\ell }(\mathcal{X}\leftarrow {\{0,1\}}^{\ell })$, key space $\mathcal{K}$, and output space $\mathcal{Y}$. It allows verifiable computation of pseudorandom outputs while supporting constrained key derivation.

Our construction relies on a NIWI proof system $(\mathsf{NIWI}.\mathcal{P},\mathsf{NIWI}.\mathcal{V})$, an NIZK proof system $(\mathsf{NIWI}.\mathsf{Setup},\mathsf{NIZK}.\mathcal{P},\mathsf{NIZK}.\mathcal{V})$, a perfectly binding commitment scheme $(\mathsf{Com},\mathsf{Ver})$, and a CPRF $\mathsf{CPRF}=(\mathsf{CPRF}.\mathsf{Setup},\mathsf{CPRF}.\mathsf{Constrain},\mathsf{CPRF}.\mathsf{Eval})$.

Definition 4. 

An instance $(c_1,c_2,c_3,x,y)$ belongs to L if there exists a witness $w=(t,j,K,K^{\prime },r,r^{\prime },\widehat{\pi },{\pi }^{\prime },S,crs)$ with $i<j\in \{1,2,3\}$, such that at least one of the following two conditions holds:

• Verification condition:

  −

  $\mathsf{Ver}(K,c_i,r_i)=1$, $\mathsf{Ver}(K^{\prime },c_j,r_j)=1$;

  −

  $\mathsf{CPRF}.\mathsf{Eval}(K,x)=y$ and $\mathsf{CPRF}.\mathsf{Eval}(K^{\prime },x)=y$.

• Proof condition:

  −

  $\mathsf{NIZK}.\mathcal{V}(crs,(c_1,c_2,c_3,K,S),\widehat{\pi })=1$;

  −

  $\mathsf{NIZK}.\mathcal{V}(crs,(c_1,c_2,c_3,K^{\prime },S),{\pi }^{\prime })=1$;

  −

  $\mathsf{CPRF}.\mathsf{Eval}(K,x)=y$ and $\mathsf{CPRF}.\mathsf{Eval}(K^{\prime },x)=y$.

We present our CVRF construction as follows.

• $\mathsf{Setup}\left(1^{\lambda }\right)\to (pk,sk):$

  −

  Generate cryptography parameters: computer $K\leftarrow \mathsf{CPRF}.\mathsf{Setup}\left(1^{\lambda }\right)$ and $crs\leftarrow \mathsf{NIZK}.\mathsf{Setup}\left(1^{\lambda }\right)$;

  −

  Commit the PRF key K: for $i=1,2,3$, $c_i\leftarrow \mathsf{Com}(K;r_i)$, where $r_i$ is the random string;

  −

  Set key pair: $sk=(K,{\{c_i,r_i\}}_{i=1}^3,crs),pk=(c_1,c_2,c_3)$.

  The evaluation algorithm of constrained VRF is defined as follows. Upon input x:

  −

  Compute $y=\mathsf{CPRF}.\mathsf{Eval}(K,x)$;

  −

  Generate NIWI proof $\pi =\mathsf{NIWI}.\mathcal{P}((c_1,c_2,c_3,x,y),w)$ for $(c_1,c_2,c_3,$$x,y)\in L$ using witness $w=(i=1,j=2,K,K,r_1,r_2,0^{|\widehat{\pi }|},0^{|{\pi }^{\prime }|},\varnothing ,0^{\left|crs\right|})$;

  −

  Output $(y,\pi )$.

• $\mathsf{Constrain}(sk,S)\to s{k}_S:$ Upon input $sk=(K,{\{c_i,r_i\}}_{i=1}^3)$ and set $S\subset \mathcal{X}$:

  −

  Generate constrained key: $K_S\leftarrow \mathsf{CPRF}.\mathsf{Constrain}(K,S)$;

  −

  Compute NIZK proof $\widehat{\pi }\leftarrow \mathsf{NIZK}.\mathcal{P}(crs,s_1,w_1)$ for statement $s_1=(c_1,c_2,c_3,K_S,S)$ using witness $w_1=(i,j,K,K^{\prime },r_1,r_2)$ where $i<j\in \{1,2,3\}$, which proves that $K_S$ is properly constrained from committed K;

  −

  Output constrained key $s{k}_S=(K_S,S,\widehat{\pi },crs)$.

• $\mathsf{Prove}(s{k}_S,x)\to (y,\pi )\mathrm{or}(\perp ,\perp ):$ Upon input $s{k}_S=(K_S,S,\widehat{\pi },crs)$ and $x\in \mathcal{X}$:

  −

  If $x\notin S$, output $(\perp ,\perp )$;

  −

  Otherwise, it computes $y\leftarrow \mathsf{CPRF}.\mathsf{Eval}(K_S,x)$ first. Then, it constructs witness $w=(i=1,j=2,K_S,K_S,0^{|r_1|},0^{|r_2|},\widehat{\pi },\widehat{\pi },S,crs)$. Finally, it generates NIWI proof $\pi \leftarrow \mathsf{NIWI}.\mathcal{P}((c_1,c_2,c_3,x,y),w)$;

  −

  Output $(y,\pi )$.

• $\mathsf{Verify}(pk,x,y,\pi )\to \{0,1\}:$ Upon input $pk=(c_1,c_2,c_3)$, x, y, and $\pi$, it verifies the following proof:

  −

  If $\mathsf{NIWI}.\mathcal{V}((c_1,c_2,c_3,x,y),\pi )=1$: it accepts y as valid evaluation of $F(K,x)$, and returns 1;

  −

  Otherwise, it returns 0.

4.1. Properties of Constrained VRFs

Firstly, we describe the property of provability.

Provability. The construction achieves provability by leveraging (1) the perfect correctness of the constrained PRF and (2) the perfect soundness of the NIWI proof system, guaranteeing that valid proofs exist for all properly computed outputs while ensuring only true statements can be verified. According to the description of algorithm $\mathsf{Prove}$, for $(pk,sk)\leftarrow \mathsf{Setup}\left(1^{\lambda }\right),S\subset \mathcal{X},s{k}_S\leftarrow \mathsf{CPRF}.\mathsf{Constrain}(K,S)$, if $x\in S$, $y=\mathsf{CPRF}.\mathsf{Eval}(K_S,x)$, $\pi \leftarrow \mathsf{NIWI}.\mathcal{P}((c_1,c_2,c_3,x,y),w)$. For the language $L=(c_1,c_2,c_3,x,y)$, there exists a witness $w=(1,2,K_S,K_S,0^{\left|r\right|},0^{|r^{\prime }|},\widehat{\pi },\widehat{\pi },S,crs)$ that satisfies the second condition of the statement L. Therefore, we have $\mathsf{Verify}(pk,x,y,\pi )=1$. It outputs $(\perp ,\perp )$ if $x\notin S$.

Next, we describe the property of uniqueness.

Uniqueness. We prove the uniqueness of output by contradiction. Assume there exists an adversary producing $(pk,x,y_1,{\pi }_1,y_2,{\pi }_2)$ such that the following are true:

• $\mathsf{Verify}(pk,x,y_1,{\pi }_1)=1$;
• $\mathsf{Verify}(pk,x,y_2,{\pi }_2)=1$;
• $y_1\ne y_2$.

We exhaustively analyze all possible scenarios below.

Case 1: Both proofs derived from constrained keys.

• The perfectly binding property of the commitment scheme ensures that for each commitment $c_i$, there exists at most one key $K_i$ satisfying such that $\mathsf{Ver}(K_i,c_i,r_i)=1$ hold;
• If $\mathsf{CPRF}.\mathsf{Constrain}(K_1,S)=\mathsf{CPRF}.\mathsf{Constrain}(K_2,S)=K_S$, then

  −

  By constrained PRF correctness: $y_1=\mathsf{CPRF}.\mathsf{Eval}(K_S,x)$,$y_1=\mathsf{CPRF}.\mathsf{Eval}(K_1,x)$, $y_1=\mathsf{CPRF}.\mathsf{Eval}(K_3,x)$;

  −

  For $y_1\ne y_2$ to hold, there must exist $K_3$ with $\mathsf{CPRF}.\mathsf{Constrain}(K_3,S)=K_S^{\prime }$ and $\mathsf{CPRF}.\mathsf{Eval}(K_S^{\prime },x)=y_2$;

  −

  Contradiction: The NIZK statement $(c_1,c_2,c_3,K_S^{\prime },S)$ is false (no two keys in $(K_1,K_2,K_3)$ constrain to $K_S^{\prime }$. Thus, $\widehat{\pi }$ is invalid, violating NIZK soundness.

Case 2: Both proofs derived from the secret key K.

• Let $c_i$ commit to $K_i$. Due to constrained PRF correctness, the following occur:

  −

  If $\mathsf{CPRF}.\mathsf{Eval}(K_1,x)=y_1$ and $\mathsf{CPRF}.\mathsf{Eval}(K_2,x)=y_1$, then $y_1\ne y_2$ requires $\mathsf{CPRF}.\mathsf{Eval}(K_3,x)=y_2$;

  −

  Contradiction: The statement $(c_1,c_2,c_3,x,y_2)$ must be false for the NIWI proof system, as no two distinct keys in $(K_1,K_2,K_3)$ can produce output $y_2$. This contradicts the soundness guarantee of NIWI, rendering proof ${\pi }_2$ invalid.

Case 3: Mixed proofs (one constrained, one secret key).

• Suppose $(y_1,{\pi }_1)$ uses constrained key $K_S$ and $(y_2,{\pi }_2)$ uses K.

  −

  CPRF property: if $\mathsf{CPRF}.\mathsf{Constrain}(K_3,S)=K_S$, then $\mathsf{CPRF}.\mathsf{Eval}(K_S,x)=y_1$ and $\mathsf{CPRF}.\mathsf{Eval}(K_3,x)=y_1$;

  −

  For $y_2\ne y_1$, we must have $\mathsf{CPRF}.\mathsf{Eval}(K_1,x)=y_2$ and $\mathsf{CPRF}.\mathsf{Eval}(K_2,x)=y_2$.

  −

  Contradiction: The NIWI statement $(c_1,c_2,c_3,x,y_2)$ is necessarily false, as there cannot exist two distinct keys that both evaluate $y_1$ on input x. Thus, ${\pi }_1$ is invalid, violating NIWI soundness.

4.2. Proof of Pseudorandomness

Theorem 1. 

Our construction achieves pseudorandomness under the following cryptographic assumptions:

• $(\mathsf{NIWI}.\mathcal{P},\mathsf{NIWI}.\mathcal{V})$ satisfies the property of being witness-indistinguishable;
• $(\mathsf{NIZK}.\mathsf{Setup},\mathsf{NIZK}.\mathcal{P},\mathsf{NIZK}.\mathcal{V})$ satisfies the properties of zero-knowledge and sound;
• $(\mathsf{Com},\mathsf{Ver})$ satisfies the property of perfectly binding;
• $(\mathsf{CPRF}.\mathsf{Setup},\mathsf{CPRF}.\mathsf{Constrain},\mathsf{CPRF}.\mathsf{Eval})$ satisfies the property of pseudorandomness for constrained keys.

Proof. 

We prove security via a sequence of hybrid arguments, where each adjacent experiment differs by at most one cryptographic modification, enabling rigorous analysis of the adversary’s advantage through incremental transitions. The first experiment is an exact emulation of the original pseudorandomness security game. Each subsequent hybrid introduces controlled modifications while maintaining computational indistinguishability from its predecessor for all PPT adversaries. The proof framework maintains two critical restrictions on the adversary $\mathcal{A}$: it cannot request constrained keys for sets containing its chosen challenge point $x^{\ast }$, nor can it directly query the evaluation oracle on $x^{\ast }$. This hybrid argument ultimately shows that any adversary breaking our construction can be converted into an algorithm $\mathcal{B}$ that breaks the underlying CPRF’s pseudorandomness. For clarity, we provide complete specifications only for the initial experiment, with successive hybrids described solely in terms of their incremental differences from previous configurations. This approach ensures rigorous security analysis while efficiently highlighting the essential modifications at each proof stage. The main experimental differences are systematically compared in

Table 2. Comparisons between consecutive experiments.

Previous Experiment	Next Experiment	Assumption
${\mathsf{Exp}}_1$:	${\mathsf{Exp}}_2$:
$crs\leftarrow \mathsf{NIZK}.\mathsf{Setup}\left(1^{\lambda }\right)$	$\widetilde{crs}\leftarrow \mathsf{NIZK}.{\mathsf{Sim}}_1\left(1^{\lambda }\right)$	Zero-knowledge of NIZK
${\widehat{\pi }}_j\leftarrow \mathsf{NIZK}.\mathcal{P}(crs,s_1,w_1)$	${\widehat{\pi }}_j\leftarrow \mathsf{NIZK}.{\mathsf{Sim}}_2\left(s_1\right)$
${\mathsf{Exp}}_2$:	${\mathsf{Exp}}_3$:
$c_3\leftarrow \mathsf{Com}(K;r_3)$	$K_{x^{\ast }}\leftarrow \mathsf{CPRF}.\mathsf{Constrain}(K,\left\{x^{\ast }\right\})$	Hiding property of commitment
	$c_3\leftarrow \mathsf{Com}(K_{x^{\ast }};r_3)$
${\mathsf{Exp}}_3$:	${\mathsf{Exp}}_4$:
$w=(i=1,j=2,K,K,r_1,r_2,$	$w=(i=2,j=3,K,K_{x^{\ast }},r_2,r_3,$	Witness indistinguishability of NIWI
$0^{|\widehat{\pi }|},0^{|{\pi }^{\prime }|},\varnothing ,0^{\left|crs\right|})$	$0^{|\widehat{\pi }|},0^{|{\pi }^{\prime }|},\varnothing ,0^{\left|crs\right|})$
${\mathsf{Exp}}_4$:	${\mathsf{Exp}}_5$:	Hiding property of commitment
$c_1\leftarrow \mathsf{Com}(K;r_1)$	$c_1\leftarrow \mathsf{Com}(K_{x^{\ast }};r_1)$
${\mathsf{Exp}}_5$:	${\mathsf{Exp}}_6$:
$w=(i=2,j=3,K,K_{x^{\ast }},r_2,r_3,$	$w=(i=1,j=3,K_{x^{\ast }},K_{x^{\ast }},r_2,r_3,$	Witness indistinguishability of NIWI
$0^{|\widehat{\pi }|},0^{|{\pi }^{\prime }|},\varnothing ,0^{\left|crs\right|})$	$0^{|\widehat{\pi }|},0^{|{\pi }^{\prime }|},\varnothing ,0^{\left|crs\right|})$
${\mathsf{Exp}}_6$:	${\mathsf{Exp}}_7$:	Hiding property of commitment
$c_2\leftarrow \mathsf{Com}(K;r_2)$	$c_2\leftarrow \mathsf{Com}(K_{x^{\ast }};r_2)$
${\mathsf{Exp}}_7$:	${\mathsf{Exp}}_8$:	Pseudorandomness of CPRF
$y^{\ast }=\mathsf{CPRF}.\mathsf{Eval}(K,x^{\ast })$	$y^{\ast }\leftarrow \mathcal{Y}$

. □

Experiment ${\mathsf{Exp}}_1$: The initial experiment is the original security for our construction with challenge bit $b=0$, which implies $y=F(sk,x^{\ast })$.

• $\mathcal{A}$ selects its challenge point $x^{\ast }\in \mathcal{X}$.
• The challenger generates a fresh CPRF key $K\leftarrow \mathsf{CPRF}.\mathsf{Setup}\left(1^{\lambda }\right)$ and establishes the necessary proof infrastructure by sampling $crs\leftarrow \mathsf{NIZK}.\mathsf{Setup}\left(1^{\lambda }\right)$. Then, the challenger proceeds to generate three perfectly binding commitments to the PRF key K, computing for each $i\in \{1,2,3\}$, $c_i\leftarrow \mathsf{Com}(K;r_i)$, where each $r_i$ is sampled uniformly from the commitment scheme’s randomness space. It sets $sk=(K,{\left\{(c_i,r_i)\right\}}_{i=1}^3,crs),$$pk=(c_1,c_2,c_3)$.
• When adversary $\mathcal{A}$ queries the oracles, it responds as follows:
  • Constrain Queries: Upon input of a set $S_j\in \mathcal{X}$, it computes $K_{S_j}\leftarrow \mathsf{CPRF}.\mathsf{Constrain}$$(K,S_j)$. Then, it computes an NIZK proof ${\widehat{\pi }}_j\leftarrow \mathsf{NIZK}.\mathcal{P}(crs,s_1,w_1)$ for the NP statement $s_1=(c_1,c_2,c_3,K_{S_j},S_j)$, which is defined the same as the constrained algorithm, where $w_1=(1,2,K,K)$. If $x^{\ast }\notin S_j$, it returns $s{k}_{S_j}=(K_{S_j},S_j,{\widehat{\pi }}_j,crs)$. Otherwise, it returns ⊥.
  • Evaluation Queries: Upon input $x_i\in \mathcal{X}$, it evaluates $y=\mathsf{CPRF}.\mathsf{Eval}(K,x_i)$ and ${\pi }_i=\mathsf{NIWI}.\mathcal{P}((c_1,c_2,c_3,x,y),w)$, where $w=(i=1,j=2,K,K,r_1,r_2,0^{|\widehat{\pi }|},0^{|{\pi }^{\prime }|},\varnothing ,$$0^{\left|crs\right|})$. If $x_i\ne x^{\ast }$, it returns $(y_i,{\pi }_i)$. Otherwise, it returns $(\perp ,\perp )$.
• The challenger computes and returns the VRF evaluation at the challenge point $y^{\ast }=\mathsf{CPRF}.\mathsf{Eval}(K,x^{\ast })$.
• Oracle queries:
  • Constrain queries: Answered as specified in the previous protocol description.
  • Evaluation queries: Processed identically to prior interactions (returning $(y,\pi )$ for $x\ne x^{\ast }$, and $(\perp ,\perp )$ for $x^{\ast }$).
• The experiment terminates when $\mathcal{A}$ outputs guess $b^{\prime }$, returning 1 if $b=b^{\prime }$ (indicating a correct guess), and 0 otherwise.

Experiment ${\mathsf{Exp}}_2$: This experiment is the same as the previous one, except that the random string $crs$ and legitimate proof for NIZK are replaced with a simulated random string $\widetilde{crs}$ and a simulated proof. Let $\mathsf{NIZK}.\mathsf{Sim}=(\mathsf{NIZK}.{\mathsf{Sim}}_1,\mathsf{NIZK}.{\mathsf{Sim}}_2)$ be simulators for the NIZK proof system.

• $\mathcal{A}$ generates a fresh CPRF key $K\leftarrow \mathsf{CPRF}.\mathsf{Setup}\left(1^{\lambda }\right)$ and establishes the necessary proof infrastructure by sampling $\widetilde{crs}\leftarrow \mathsf{NIZK}.{\mathsf{Sim}}_1\left(1^{\lambda }\right)$. Then, it generates three commitments to PRF’s key K, $c_i\leftarrow \mathsf{Com}(K;r_i),i=1,2,3$. Sets $sk=(K,{\left\{(c_i,r_i)\right\}}_{i=1}^3,\widetilde{crs})$, $pk=(c_1,c_2,c_3)$.
• Constrain Queries: Upon input of a set $S_j\in \mathcal{X}$, the challenger computes $K_{S_j}\leftarrow$$\mathsf{CPRF}.\mathsf{Constrain}(K,S_j)$. Then, it computes an NIZK proof ${\widehat{\pi }}_j\leftarrow \mathsf{NIZK}.{\mathsf{Sim}}_2\left(s_1\right)$ for the NP statement $s_1=(c_1,c_2,c_3,K_{S_j},S_j)$, which is defined the same as the constrained algorithm, where $w_1=(1,2,K,K)$. If $x^{\ast }\notin S_j$, it returns $s{k}_{S_j}=(K_{S_j},S_j,{\widehat{\pi }}_j,crs)$. Otherwise, it returns ⊥.

Lemma 1. 

If the NIZK scheme satisfies zero-knowledge and soundness, then ${\mathsf{Exp}}_1\stackrel{c}{\approx }{\mathsf{Exp}}_2$.

Proof. 

If there exists a PPT adversary $\mathcal{A}$ capable of distinguishing between ${\mathsf{Exp}}_1$ and ${\mathsf{Exp}}_2$ with non-negligible advantage, we construct a reduction algorithm $\mathcal{B}$ that leverages $\mathcal{A}$ to break security of the NIZK system by perfectly simulating $\mathcal{A}$’s environment while forwarding its constrained queries to the NIZK challenger, ultimately outputting $\mathcal{A}$’s guess to preserve the distinguishing advantage. When $\mathcal{A}$ submits its distinguishing guess, $\mathcal{B}$ uses this to attack the NIZK system’s zero-knowledge property.

• $\mathcal{A}$ selects a challenge point $x^{\ast }\in \mathcal{X}$.
• $\mathcal{B}$ generates a fresh CPRF key $K\leftarrow \mathsf{CPRF}.\mathsf{Setup}\left(1^{\lambda }\right)$ and receives an NIZK proof system’s $crs$. Then, it generates three commitments to PRF’s key, $c_i\leftarrow \mathsf{Com}(K,r_i),i=1,2,3$. Return $pk=(c_1,c_2,c_3)$ to $\mathcal{A}$.
• When $\mathcal{A}$ queries constrained oracle on $S\in \mathcal{X}$, $\mathcal{B}$ computes $K_S\leftarrow \mathsf{CPRF}.\mathsf{Constrain}(K,S)$. Then, it sends $(s=(c_1,c_2,c_3,K_S,S),w=(1,2,K,K,r_1,r_2))$ to the challenger of NIZK and obtains a proof $\widehat{\pi }$. If $x^{\ast }\notin S$, it returns $s{k}_S=(K_S,S,\widehat{\pi },crs)$. Otherwise, it returns ⊥. When $\mathcal{A}$ queries evaluation oracle, $\mathcal{B}$ answers the same as the experiment ${\mathsf{Exp}}_1$.
• $\mathcal{B}$ runs steps 4–5, which are the same as the experiment ${\mathsf{Exp}}_1$, and outputs the $\mathcal{A}$’s result.

The security reduction establishes a perfect correspondence between the following:

• When $\mathcal{B}$ receives authentic NIZK parameters $(crs,\pi )$, this exactly replicates $\mathcal{A}$’s view in ${\mathsf{Exp}}_1$;
• When $\mathcal{B}$ receives simulated parameters $(\widetilde{crs},\pi )$, this perfectly matches $\mathcal{A}$’s view in ${\mathsf{Exp}}_2$.

Consequently, any non-negligible distinguishing advantage $ϵ\left(\lambda \right)$ that $\mathcal{A}$ achieves between ${\mathsf{Exp}}_1$ and ${\mathsf{Exp}}_2$ directly translates to an identical advantage for $\mathcal{B}$ in breaking the NIZK’s zero-knowledge property. This reduction preserves the adversary’s success probability while maintaining perfect simulation fidelity in both operational modes.

If $\mathcal{A}$ makes $Q=Q\left(\lambda \right)$ constrain queries, we can define Q intermediate hybrid experiments ${\mathsf{Exp}}_1^i,i=0,1,\dots ,Q$, where the first one is ${\mathsf{Exp}}_1$, and the last one is ${\mathsf{Exp}}_2$. In the ith intermediate experiment ${\mathsf{Exp}}_1^i$, $\mathcal{B}$ uses the random string and proof returned from the NIZK challenger to answer the constrain query. For $j<i$, $\mathcal{B}$ uses the simulated string and proof to answer the constrained query. For $j>i$, $\mathcal{B}$ uses the real string and proof to answer the constrained query. By recursively applying the aforementioned proof technique to each adjacent pair of hybrid experiments, we establish a chain of computational indistinguishability across all Q intermediate hybrids. This hybrid argument demonstrates that the computational indistinguishability of ${\mathsf{Exp}}_1$ and ${\mathsf{Exp}}_2$, as any non-negligible advantage in distinguishing the initial and final experiments would necessarily violate the security of one underlying cryptographic primitive through this sequence of transformations. □

Experiment ${\mathsf{Exp}}_3$: This experiment is the same as the previous one except that $c_3$ is a commitment of the constrained key $K_{x^{\ast }}$. It can be found that the generated methods of the proofs $\pi$ and the constrained key $s{k}_S$ are the same as the experiment ${\mathsf{Exp}}_2$, because the random strings $r_1,r_2$ satisfy the witness relation.

• The challenger generates a fresh PRF key $K\leftarrow \mathsf{CPRF}.\mathsf{Setup}\left(1^{\lambda }\right)$ and establishes the necessary proof infrastructure by sampling $\widetilde{crs}\leftarrow \mathsf{NIZK}.{\mathsf{Sim}}_1\left(1^{\lambda }\right)$. Then, it generatesconstrained key $K_{x^{\ast }}\leftarrow \mathsf{CPRF}.\mathsf{Constrain}(K,\left\{x^{\ast }\right\})$, and commits the PRF key K, $c_i\leftarrow \mathsf{Com}(K;r_i),i=1,2$ and $c_3\leftarrow \mathsf{Com}(K_{x^{\ast }};r_3)$. Sets $sk=(K,{\left\{(c_i,r_i)\right\}}_{i=1}^3,\widetilde{crs})$, $pk=(c_1,c_2,c_3)$.

Lemma 2. 

If $(\mathsf{Com},\mathsf{Ver})$ is a perfectly binding commitment scheme, then ${\mathsf{Exp}}_2\stackrel{c}{\approx }{\mathsf{Exp}}_3$.

Proof. 

If a PPT adversary $\mathcal{A}$ can distinguish experiments ${\mathsf{Exp}}_2$ from ${\mathsf{Exp}}_3$ with advantage $ϵ\left(\lambda \right)$. We construct a reduction algorithm $\mathcal{B}$ that leverages $\mathcal{A}$ to break the hiding property of the commitment scheme $(\mathsf{Com},\mathsf{Ver})$. $\mathcal{B}$ first runs Step 1 and Step 2 as the experiment ${\mathsf{Exp}}_1$, expect that $c_3$ is evaluated by the challenger of commitment scheme. $\mathcal{B}$ sends $K,K_{x^{\ast }}$ to the commitment challenger. Then, it returns a commitment $c^{\ast }$ to $\mathcal{B}$, where $K_{x^{\ast }}\leftarrow \mathsf{CPRF}.\mathsf{Constrain}(K,\left\{x^{\ast }\right\})$. Set $c_3=c^{\ast }$ and $r_3$ is an empty string. $c_3$ is either a commitment to K, or a commitment $K_{x^{\ast }}$. Because $\mathcal{B}$ does not need to know the random string $r_3$ for the NIWI proofs, $\mathcal{B}$ perfectly simulates the experiment ${\mathsf{Exp}}_2$ if $c_3=\mathsf{Com}(K;r)$. If $c_3=\mathsf{Com}\left(K_{x^{\ast };r}\right)$, $\mathcal{B}$ perfectly simulates the experiment ${\mathsf{Exp}}_3$. Thus, any PPT adversary $\mathcal{A}$ distinguishing the two experiments with advantage $ϵ\left(\lambda \right)$ implies an efficient adversary $\mathcal{B}$ that breaks the commitment scheme’s hiding property with advantage $ϵ\left(\lambda \right)$. □

Experiment ${\mathsf{Exp}}_4$: This experiment retains the same structure as the previous one, with only one modification: the witness selection for NIWI proof generation. Specifically, the challenger now exclusively uses the alternative witness:

$$w=(i=2,j=3,K,K_{x^{\ast }},r_2,r_3,0^{|\widehat{\pi }|},0^{|{\pi }^{\prime }|},\varnothing ,0^{\left|crs\right|})$$

in place of the original witness:

$$w=(i=1,j=2,K,K,r_1,r_2,0^{|\widehat{\pi }|},0^{|{\pi }^{\prime }|},\varnothing ,0^{\left|crs\right|}),$$

for all NIWI proof computations, while keeping all other experiment procedures unchanged.

• Evaluation Queries: Upon input $x_i\in \mathcal{X}$, it computes $y_i=\mathsf{CPRF}.\mathsf{Eval}(K,x_i)$ and ${\pi }_i=\mathsf{NIWI}.\mathcal{P}((c_1,c_2,c_3,x_i,y_i),w)$, where $w=(i=2,j=3,$$K,K_{x^{\ast }},r_2,r_3,0^{|\widehat{\pi }|},0^{|{\pi }^{\prime }|},\varnothing ,0^{\left|crs\right|})$. If $x_i\ne x^{\ast }$, it returns $(y_i,{\pi }_i)$. Otherwise, it returns $(\perp ,\perp )$.

Lemma 3. 

Assume $(\mathcal{P},\mathcal{V})$ is a secure NIWI proof system, then ${\mathsf{Exp}}_3\stackrel{c}{\approx }{\mathsf{Exp}}_4$.

Proof. 

If a PPT adversary $\mathcal{A}$ can distinguish ${\mathsf{Exp}}_3$ from ${\mathsf{Exp}}_4$ with advantage $ϵ\left(\lambda \right)$. An adversary $\mathcal{B}$ can be constructed to break the witness indistinguishability of $(\mathcal{P},\mathcal{V})$. We first consider the restricted case where $\mathcal{A}$ makes a single evaluation query.

• $\mathcal{B}$ runs steps 1–2, which are the same as the experiment ${\mathsf{Exp}}_3$.
• When $\mathcal{A}$ queries constrained oracle, $\mathcal{B}$ answers the same as the experiment ${\mathsf{Exp}}_3$. When $\mathcal{A}$ queries evaluation oracle on $x\ne x^{\ast }$, $\mathcal{B}$ computes $y=\mathsf{CPRF}.\mathsf{Eval}(K,x)$ and sends $(s=(c_1,c_2,c_3,x,y),w_1=(i=1,j=2,K,K,r_1,r_2,0^{|\widehat{\pi }|},0^{|{\pi }^{\prime }|},\varnothing ,0^{\left|crs\right|}),w_2=(i=2,j=3,K,K_{x^{\ast }},r_2,r_3,0^{|\widehat{\pi }|},0^{|{\pi }^{\prime }|},\varnothing ,0^{\left|crs\right|}))$ to the NIWI challenger. The challenger returns a proof $\pi$ to $\mathcal{B}$. $\mathcal{B}$ returns $(y,\pi )$ to $\mathcal{A}$
• $\mathcal{B}$ runs steps 4–5, which are the same as the experiment ${\mathsf{Exp}}_3$, and outputs $\mathcal{A}$’s result.

When the proof $\pi$ is generated by witness $w_1$, the simulation perfectly reconstructs $\mathcal{A}$’s view from experiment ${\mathsf{Exp}}_3$. Conversely, when $\pi$ is generated using $w_2$, $\mathcal{A}$’s view corresponds exactly to experiment ${\mathsf{Exp}}_4$. Thus, any adversary capable of distinguishing between ${\mathsf{Exp}}_3$ and ${\mathsf{Exp}}_4$ with non-negligible advantage immediately implies a PPT adversary that attacks the witness-indistinguishability of NIWI system with the advantage $ϵ\left(\lambda \right)$. This contradicts the fundamental security guarantee of NIWI proofs.

If $\mathcal{A}$ makes $Q_1=Q_1\left(\lambda \right)$ evaluation queries, we can define Q intermediate hybrid experiments ${\mathsf{Exp}}_3^i,i=0,1,\dots ,Q_1$, where the first one is ${\mathsf{Exp}}_3$, and the last one is ${\mathsf{Exp}}_4$. In the ith intermediate experiment ${\mathsf{Exp}}_3^i$, $\mathcal{B}$ uses the proof returned from the NIWI challenger to answer the evaluation query. For $j<i$, $\mathcal{B}$ uses the witness $w_2=(i=2,j=3,K,K_{x^{\ast }},r_2,r_3,0^{|\widehat{\pi }|},0^{|{\pi }^{\prime }|},\varnothing ,0^{\left|crs\right|})$ to answer the evaluation query. For $j>i$, $\mathcal{B}$ uses the witness $w_1=(i=1,j=2,K,K,r_1,r_2,0^{|\widehat{\pi }|},0^{|{\pi }^{\prime }|},\varnothing ,0^{\left|crs\right|})$ to answer the evaluation query. Applying the method mentioned above, this can prove that the outputs of adjacent experiments are indistinguishable. Using the method of hybrid argument with $Q_1$ intermediate experiments, we can prove that the outputs of ${\mathsf{Exp}}_3$ and ${\mathsf{Exp}}_4$ are computationally indistinguishable. □

Experiment ${\mathsf{Exp}}_5$: This experiment is the same as the previous one, except $c_1$ is a commitment of the constrained key $K_{x^{\ast }}$. It can be found that the generated method of the proofs $\pi$ in each evaluation query and the constrained key $s{k}_S$ in each constrain queries is the same as the experiment ${\mathsf{Exp}}_4$, because the random strings $r_2,r_3$ satisfy the witness relation.

• The challenger generates $K\leftarrow \mathsf{CPRF}.\mathsf{Setup}\left(1^{\lambda }\right)$ and establishes the necessary proof infrastructure by sampling $\widetilde{crs}\leftarrow \mathsf{NIZK}.{\mathsf{Sim}}_1\left(1^{\lambda }\right)$. Then, it generates $K_{x^{\ast }}\leftarrow$$\mathsf{CPRF}.\mathsf{Constrain}(K,\left\{x^{\ast }\right\})$, and three commitments to the PRF key K, $c_1\leftarrow \mathsf{Com}(K_{x^{\ast }};r_1)$, $c_2\leftarrow \mathsf{Com}(K;r_2)$ and $c_3\leftarrow \mathsf{Com}(K_{x^{\ast }};r_3)$. It sets $sk=(K,{\left\{(c_i,r_i)\right\}}_{i=1}^3,\widetilde{crs}),$$pk=(c_1,c_2,c_3)$.

Lemma 4. 

Assuming $(\mathsf{Com},\mathsf{Ver})$ is a perfectly binding commitment, then ${\mathsf{Exp}}_4\stackrel{c}{\approx }{\mathsf{Exp}}_5$.

Proof. 

This proof employs an identical reduction strategy to that of Lemma 2. □

Experiment ${\mathsf{Exp}}_6$: This experiment is the same as ${\mathsf{Exp}}_5$, except the challenger uses $(i=1,j=3,K_{x^{\ast }},K_{x^{\ast }},r_2,r_3,0^{|\widehat{\pi }|},0^{|{\pi }^{\prime }|},\varnothing ,0^{\left|crs\right|})$ as the witness instead of $(i=2,j=3,K,K_{x^{\ast }},r_1,r_2,0^{|\widehat{\pi }|},0^{|{\pi }^{\prime }|},\varnothing ,0^{\left|crs\right|})$ for generating all NIWI proofs.

• Evaluation Queries: Given $x_i\in \mathcal{X}$, it computes $y=\mathsf{CPRF}.\mathsf{Eval}(K,x_i)$ and ${\pi }_i=\mathsf{NIWI}.\mathcal{P}((c_1,c_2,c_3,x,y),w)$, where $w=(i=1,j=3,$$K_{x^{\ast }},K_{x^{\ast }},r_2,r_3,0^{|\widehat{\pi }|},0^{|{\pi }^{\prime }|},\varnothing ,0^{\left|crs\right|})$. If $x_i\ne x^{\ast }$, it returns $(y_i,{\pi }_i)$. Otherwise, it returns $(\perp ,\perp )$.

Lemma 5. 

Assume $(\mathcal{P},\mathcal{V})$ a secure NIWI proof system, then ${\mathsf{Exp}}_5\stackrel{c}{\approx }{\mathsf{Exp}}_6$.

Proof. 

This proof employs an identical reduction strategy to that of Lemma 3. □

Experiment ${\mathsf{Exp}}_7$: This experiment is the same as the previous one, except that $c_2$ is a commitment to the constrained key $K_{x^{\ast }}$. It can be found that the generated method of the proofs $\pi$ in each evaluation query and the constrained key $s{k}_S$ in each constrain query is the same as the experiment ${\mathsf{Exp}}_6$, because the random strings $r_1,r_3$ satisfy the witness relation.

• The challenger generates $K\leftarrow \mathsf{CPRF}.\mathsf{Setup}\left(1^{\lambda }\right)$ and establishes the necessary proof infrastructure by sampling $\widetilde{crs}\leftarrow \mathsf{NIZK}.{\mathsf{Sim}}_1\left(1^{\lambda }\right)$. Then, it generates $K_{x^{\ast }}\leftarrow \mathsf{CPRF}.\mathsf{Constrain}(K,\left\{x^{\ast }\right\})$, and three commitments to the PRF key K, $c_1\leftarrow \mathsf{Com}(K_{x^{\ast }};r_1)$, $c_2\leftarrow \mathsf{Com}(K_{x^{\ast }};r_2)$ and $c_3\leftarrow \mathsf{Com}(K_{x^{\ast }};r_3)$. Sets $sk=(K,{\left\{(c_i,r_i)\right\}}_{i=1}^3,\widetilde{crs}),$$pk=(c_1,c_2,c_3)$.

Lemma 6. 

If $(\mathsf{Com},\mathsf{Ver})$ is a perfectly binding commitment scheme, then ${\mathsf{Exp}}_6\stackrel{c}{\approx }{\mathsf{Exp}}_7$.

Proof. 

This proof employs an identical reduction strategy to that of Lemma 2. □

Experiment ${\mathsf{Exp}}_8$: This experiment is the same as the previous one, except the challenger answers the challenge with a random value $y^{\ast }$ from $\mathcal{Y}$.

• The challenger responds with a uniformly random value $y^{\ast }\leftarrow \mathcal{Y}$ replacing the actual value $y^{\ast }=\mathsf{CPRF}.\mathsf{Eval}(k,x^{\ast })$.

Lemma 7. 

Assume that $(\mathsf{CPRF}.\mathsf{Setup},\mathsf{CPRF}.\mathsf{Constrain},$$\mathsf{CPRF}.\mathsf{Eval})$ satisfies pseudorandomness, then ${\mathsf{Exp}}_7\stackrel{c}{\approx }{\mathsf{Exp}}_8$.

Proof. 

Via reduction to the pseudorandomness property of CPRFs, we build a distinguisher $\mathcal{B}$ that, given black-box access to $\mathcal{A}$, attempts to distinguish the CPRF’s output from uniformly random values. $\mathcal{B}$ operates as follows.

• $\mathcal{A}$ first outputs $x^{\ast }\in \mathcal{X}$.
• $\mathcal{B}$ samples $\widetilde{crs}\leftarrow \mathsf{NIZK}.{\mathsf{Sim}}_1\left(1^{\lambda }\right)$. Then, it sends $\left\{x^{\ast }\right\}$ to the constrained PRF challenger and obtains $K_{x^{\ast }}$ with a value $y^{\ast }$. $\mathcal{B}$ generates three commitments to the PRF key, $c_i\leftarrow \mathsf{Com}(K_{x^{\ast }},r_i),i=1,2,3$. It returns $pk=(c_1,c_2,c_3)$ to $\mathcal{A}$. Set is $sk=(k_{x^{\ast }},{\{c_i,r_i\}}_{i=1}^3,\widetilde{crs})$.
• When $\mathcal{A}$ queries constrain the oracle on $S_j\in \mathcal{X}$ for $x\in S_j$, $\mathcal{B}$ sends $S_j$ to the constrain PRF challenger and obtains $K_{S_j}$. Then, it computes an NIZK proof ${\widehat{\pi }}^j\leftarrow \mathsf{NIZK}.\mathsf{Sim}\left(s_j\right)$, where $s_j=(c_1,c_2,c_3,K_{S_j},S_j)$. It returns $s{k}_S=(K_S,S,\widehat{\pi },\widetilde{crs})$. If $x^{\ast }\in S_j$, it returns ⊥. When $\mathcal{A}$ queries the evaluation oracle on $x_j\ne x^{\ast }$, $\mathcal{B}$ computes $y=\mathsf{CPRF}.\mathsf{Eval}(K_{x^{\ast }},x_j)$ and ${\pi }_j=\mathsf{NIWI}.\mathcal{P}((c_1,c_2,c_3,x,y),w)$, where $w=(i=1,j=2,K_{x^{\ast }},K_{x^{\ast }},r_1,r_2,0^{|\widehat{\pi }|},0^{|{\pi }^{\prime }|},\varnothing ,0^{\left|crs\right|})$. It returns $(y_i,{\pi }_i)$ to $\mathcal{A}$.
• $\mathcal{B}$ sends the evaluation $y^{\ast }$ to $\mathcal{A}$.
• $\mathcal{A}$ may adaptively query the constrained key oracle and evaluation oracle throughout the security experiment. $\mathcal{B}$ answers the same as the previous step.
• $\mathcal{B}$ outputs the $\mathcal{A}$’s result.

When $\mathcal{B}$ returns the real CPRF evaluation $y^{\ast }=\mathsf{CPRF}.\mathsf{Eval}(K,x^{\ast })$, adversary $\mathcal{A}$’s view perfectly simulates its view in experiment ${\mathsf{Exp}}_7$. Conversely, the simulation ensures that if $\mathcal{B}$’s output is uniformly random, $\mathcal{A}$’s environment is distributed exactly as in ${\mathsf{Exp}}_8$. Hence, a non-negligible distinguishing advantage $ϵ\left(\lambda \right)$ between and translates directly to $\mathcal{B}$ achieving an advantage $ϵ\left(\lambda \right)$ against the CPRF’s pseudorandomness. □

5. Conclusions

In this study, we present a generic construction for transforming any constrained pseudorandom function into a constrained verifiable random function that simultaneously achieves provability, uniqueness, and pseudorandomness. Our construction relies solely on standard cryptographic primitives—CPRFs, perfectly binding commitments, NIWI proofs, and NIZK—thereby circumventing the need for indistinguishability obfuscation. Our scheme achieves constant-size public keys that do not scale with circuit depth, yielding significant efficiency improvements over obfuscation-based constructions. However, our construction just satisfies selective security, where the adversary must declare the challenge point a priori. Extending this to the adaptive security model—where the adversary selects the challenge point dynamically during the experiment—poses an important open challenge for future work.