---
title: VRF
description: Verifiable random function
theme: gaia
size: 16:9
_class: lead
class: invert
paginate: true
backgroundColor: #000000
marp: true
math: katex
header: IOTA Foundation
---
![bg invert:100% left:40% 80%](https://cryptologos.cc/logos/iota-miota-logo.svg?v=014)
# [VRF](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-vrf-15) #
2022-11-11
---
## API ##
$\texttt{VRF}=(\texttt{KeyGen},\texttt{Prove},\texttt{Hash},\texttt{Verify})$
$\texttt{VRF}.\texttt{KeyGen}() \mapsto (sk, pk)$
$\texttt{VRF}.\texttt{Prove}(sk, \alpha) \mapsto \pi$
$\texttt{VRF}.\texttt{Hash}(\pi) \mapsto rnd$
$\texttt{VRF}.\texttt{Verify}(pk, \alpha, \pi) \mapsto \{0, 1\}$
---
## Security properties* ##
- uniqueness:
$\forall pk, \alpha \;\exists!\,\pi : \texttt{VRF}.\texttt{Verify}(pk, \alpha, \pi)=1$
- collision resistance:
$\forall sk, \alpha_1 \neq \alpha_2 \implies rnd_1 \neq rnd_2$
- pseudorandomness ($\texttt{VRF}.\texttt{Verify}$ -- distinguisher):
fix $sk$ ($sk$ and $\pi$ are **unknown**!), $\forall \alpha \implies rnd$ "looks" random
- unpredictability under malicious key gen (for **leader selection**!):
fix $sk$, $pk$ chosen by attacker, $\alpha \;\text{random} \implies rnd \;\text{random}$
\* in addition: hard to compute; NIZKP properties; non-malleability
---
## ECVRF ##
- $sk, sk\cdot \textcolor{lightgreen}{G}$ -- keypair
- $rnd = H_{rnd}(sk\cdot \textcolor{red}{H_{\alpha}(\alpha)})$
- $\pi = \texttt{DlEq}\{(\textcolor{lightgreen}{G}, \textcolor{red}{H_{\alpha}(\alpha)}, sk\cdot \textcolor{lightgreen}{G}, sk\cdot \textcolor{red}{H_{\alpha}(\alpha)}; sk):\\\quad \texttt{DL}_{\textcolor{lightgreen}{G}}(sk\cdot \textcolor{lightgreen}{G}) = \texttt{DL}_{\textcolor{red}{H_{\alpha}(\alpha)}}(sk\cdot \textcolor{red}{H_{\alpha}(\alpha)})\}$
Variants of $\texttt{DlEq}$ proofs:
- Schnorr preimage proof (e.g. ed25519 "compatible")
- pairing-based proof (e.g. BLS "compatible")
---
## ECVRF-EDWARDS25519-SHA512-ELL2 ##
- Curve25519, Ristretto subgroup(?)
- Elligator2 for hash-to-curve $H_{\alpha}$
- SHA512 for hash-to-rnd $H_{rnd}$
- nonce_gen, challenge_gen, salt, domain separation
- point/int (de)serialization
- verify: canonical encoding, low-/mixed-order points
- **third-party non-malleability**
- **adversarial prover**
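---
## Toy ECVRF in Python (added example) ##
Added example, not part of the original deck and not the RFC ciphersuite: a toy VRF over secp256k1 that follows the ECVRF structure from the API and ECVRF slides ($pk = sk\cdot G$, $\Gamma = sk\cdot H_{\alpha}(\alpha)$, $rnd = H_{rnd}(\Gamma)$, $\pi$ = Schnorr-style $\texttt{DlEq}$ proof with Fiat-Shamir). Assumptions: try-and-increment hash-to-curve instead of Elligator2, SHA-256/SHA-512 with ad hoc domain bytes, a deterministic nonce from $(sk, H)$, and a 97-byte proof encoding; all names are the example's own. Verify rejects non-canonical points and scalars ($c, s \geq n$), which is the check that stops a third party from re-encoding a valid proof into a second accepted $\pi$.

```python
"""Toy VRF over secp256k1 with a Chaum-Pedersen (Schnorr-style) DLEQ proof.

Structure only: pk = sk*G, Gamma = sk*H(alpha), rnd = H_rnd(Gamma),
pi = DLEQ proof that log_G(pk) == log_H(Gamma). Not the RFC ciphersuite.
"""
import hashlib
import secrets

# secp256k1 parameters (prime order, cofactor 1: no low-order point checks needed,
# unlike edwards25519 where the verifier must clear or reject the cofactor)
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(P):
    x, y = P
    return 0 <= x < p and 0 <= y < p and (y * y - x * x * x - 7) % p == 0


def ec_add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p  # doubling, a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, P):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R


def lift_x(x, odd):
    """Recover y with the requested parity from x; None if x is not on the curve."""
    if x >= p:
        return None
    rhs = (pow(x, 3, p) + 7) % p
    y = pow(rhs, (p + 1) // 4, p)  # valid because p % 4 == 3
    if y * y % p != rhs:
        return None
    return (x, y if y % 2 == odd else p - y)


def encode(P):
    """Compressed SEC1-style encoding: parity byte || x."""
    return bytes([2 + P[1] % 2]) + P[0].to_bytes(32, "big")


def decode(b):
    """Strict decoding: wrong length, bad prefix, x >= p or x not on curve -> None."""
    if len(b) != 33 or b[0] not in (2, 3):
        return None
    return lift_x(int.from_bytes(b[1:], "big"), b[0] - 2)


def hash_to_curve(pk, alpha):
    """Try-and-increment: hash pk || alpha || ctr until a valid x coordinate appears."""
    for ctr in range(256):
        h = hashlib.sha256(b"\x01" + encode(pk) + alpha + bytes([ctr])).digest()
        P = lift_x(int.from_bytes(h, "big") % p, 0)
        if P is not None:
            return P
    raise ValueError("hash_to_curve failed")  # probability about 2^-256


def challenge(*points):
    """Fiat-Shamir challenge over the DLEQ transcript (pk, H, Gamma, U, V)."""
    h = hashlib.sha256(b"\x02" + b"".join(encode(P) for P in points)).digest()
    return int.from_bytes(h, "big") % n


def keygen():
    sk = secrets.randbelow(n - 1) + 1
    return sk, ec_mul(sk, G)


def prove(sk, alpha):
    pk = ec_mul(sk, G)
    H = hash_to_curve(pk, alpha)
    Gamma = ec_mul(sk, H)
    # deterministic nonce derived from (sk, H), a simplification of the draft's nonce_generation
    k = int.from_bytes(hashlib.sha512(sk.to_bytes(32, "big") + encode(H)).digest(), "big") % n
    c = challenge(pk, H, Gamma, ec_mul(k, G), ec_mul(k, H))
    s = (k - c * sk) % n
    return encode(Gamma) + c.to_bytes(32, "big") + s.to_bytes(32, "big")


def proof_to_hash(pi):
    """rnd = H_rnd(Gamma); only meaningful after verify has accepted pi."""
    return hashlib.sha512(b"\x03" + encode(decode(pi[:33]))).digest()


def verify(pk, alpha, pi):
    """Return rnd (64 bytes) if pi is a valid proof for (pk, alpha), else None."""
    if len(pi) != 97 or not on_curve(pk):
        return None
    Gamma = decode(pi[:33])
    c = int.from_bytes(pi[33:65], "big")
    s = int.from_bytes(pi[65:], "big")
    if Gamma is None or c >= n or s >= n:  # reject non-canonical encodings
        return None
    H = hash_to_curve(pk, alpha)
    U = ec_add(ec_mul(s, G), ec_mul(c, pk))       # should equal k*G
    V = ec_add(ec_mul(s, H), ec_mul(c, Gamma))    # should equal k*H
    if U is None or V is None or challenge(pk, H, Gamma, U, V) != c:
        return None
    return proof_to_hash(pi)


assert on_curve(G)
```

Usage: `sk, pk = keygen(); pi = prove(sk, b"slot-42"); rnd = verify(pk, b"slot-42", pi)`. The verifier never sees $sk$ or the nonce, only $\pi$; anyone holding only $pk$ and $\alpha$ cannot compute $rnd$ until $\pi$ is published, which is the pseudorandomness property the deck lists.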
---
## What's next? ##
- Distributed VRF:
  - Async network
  - Robustness
  - Threshold property
  - ADKG
- Decentralized Random Beacon: DVRF + state
---
## Thanks ##
Questions?