VRF

2022-11-11

API

VRF = (KeyGen, Prove, Hash, Verify)

VRF . KeyGen () \mapsto (s k, p k)

VRF . Prove (s k, α) \mapsto π

VRF . Hash (π) \mapsto r n d

VRF . Verify (p k, α, π) \mapsto 2

uniqueness:

$\forall p k, α \exists! π ⟹ VRF . Verify (p k, α, π) = 1$
collision resistance:

$\forall s k, α_{1} \neq α_{2} ⟹ r n d_{1} \neq r n d_{2}$
pseudorandomness (
$VRF . Verify$ – distinguisher):
fix
$s k$ (
$s k$ and
$π$ are unknown!),
$\forall α ⟹ r n d$ "looks" random
unpredictability under malicious key gen (for leader selection!):
fix
$s k$ ,
$p k$ chosen by attacker,
$α random ⟹ r n d random$

* hard to compute, in addition to NIZKP properties, non-malleability

$s k, s k \cdot \textcolor l i g h t g r e e n G$ – keypair
$r n d = H_{r n d} (s k \cdot \textcolor r e d H_{α} (α))$
$π = DlEq {(\textcolor l i g h t g r e e n G, \textcolor r e d H_{α} (α), s k \cdot \textcolor l i g h t g r e e n G, s k \cdot \textcolor r e d H_{α} (α); s k) : {DL}_{\textcolor l i g h t g r e e n G} (s k \cdot \textcolor l i g h t g r e e n G) = {DL}_{\textcolor r e d H_{α} (α)} (s k \cdot \textcolor r e d H_{α} (α))}$

Variants of

DlEq

proofs:

Questions?