---
title: VRF
description: Verifiable random function
theme: gaia
size: 16:9
_class: lead
class: invert
paginate: true
backgroundColor: #000000
marp: true
math: katex
header: IOTA Foundation
---
![bg invert:100% left:40% 80%](https://cryptologos.cc/logos/iota-miota-logo.svg?v=014)
# [VRF](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-vrf-15) #
2022-11-11
---
## API ##
$\texttt{VRF}=(\texttt{KeyGen},\texttt{Prove},\texttt{Hash},\texttt{Verify})$
$\texttt{VRF}.\texttt{KeyGen}() \mapsto (sk, pk)$
$\texttt{VRF}.\texttt{Prove}(sk, \alpha) \mapsto \pi$
$\texttt{VRF}.\texttt{Hash}(\pi) \mapsto rnd$
$\texttt{VRF}.\texttt{Verify}(pk, \alpha, \pi) \mapsto \{0, 1\}$
---
## Security properties* ##
- uniqueness:
$\forall pk, \alpha \;\exists!\,\pi : \texttt{VRF}.\texttt{Verify}(pk, \alpha, \pi)=1$
- collision resistance:
$\forall sk,\ \alpha_1 \neq \alpha_2 \implies rnd_1 \neq rnd_2$, where $rnd_i = \texttt{VRF}.\texttt{Hash}(\texttt{VRF}.\texttt{Prove}(sk, \alpha_i))$
- pseudorandomness ($\texttt{VRF}.\texttt{Verify}$ -- distinguisher):
fix $sk$ ($sk$ and $\pi$ stay **unknown** to the distinguisher!), $\forall \alpha \implies rnd$ "looks" random
- unpredictability under malicious key gen (for **leader selection**!):
fix $sk$, $pk$ chosen by attacker, $\alpha \;\text{random} \implies rnd \;\text{random}$
\* in addition: hard to compute, the NIZKP properties, non-malleability
---
## ECVRF ##
- $sk, sk\cdot \textcolor{lightgreen}{G}$ -- keypair
- $rnd = H_{rnd}(sk\cdot \textcolor{red}{H_{\alpha}(\alpha)})$
- $\pi = \texttt{DlEq}\{(\textcolor{lightgreen}{G}, \textcolor{red}{H_{\alpha}(\alpha)}, sk\cdot \textcolor{lightgreen}{G}, sk\cdot \textcolor{red}{H_{\alpha}(\alpha)}; sk):\\\quad \texttt{DL}_{\textcolor{lightgreen}{G}}(sk\cdot \textcolor{lightgreen}{G}) = \texttt{DL}_{\textcolor{red}{H_{\alpha}(\alpha)}}(sk\cdot \textcolor{red}{H_{\alpha}(\alpha)})\}$
Variants of $\texttt{DlEq}$ proofs:
- Schnorr preimage proof (e.g. ed25519 "compatible")
- pairing-based proof (e.g. BLS "compatible")
---
## ECVRF-EDWARDS25519-SHA512-ELL2 ##
- Curve25519, Ristretto subgroup(?)
- Elligator2 for hash-to-curve $H_{\alpha}$
- SHA512 for hash-to-rnd $H_{rnd}$
- nonce_gen, challenge_gen, salt, domain separation
- point/int (de)serialization
- verify: canonical encoding, low-/mixed-order points
- **third-party non-malleability**
- **adversarial prover**
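Added illustration, not code from the slides and not the draft's edwards25519 suite: the ECVRF structure from the previous slide (keypair $sk, sk\cdot G$, $\Gamma = sk\cdot H_{\alpha}(\alpha)$, a Fiat-Shamir $\texttt{DlEq}$ proof, $rnd$ derived from $\Gamma$ alone so that uniqueness holds), written in Python over a toy prime-order subgroup of $\mathbb{Z}_p^*$ instead of an elliptic curve. It also carries the items on this slide that a verifier must do before checking the DLEQ equations: subgroup/low-order rejection of $pk$ and $\Gamma$, range checks on the scalars, salted hash-to-group, deterministic nonce generation and domain separation. The group parameters, domain tags and function names are this example's own choices, and the 62-bit toy group offers no real security.

```python
import hashlib
import secrets

# Toy DLEQ-style VRF over the order-Q subgroup of Z_p^*, p = 2Q+1 a safe prime.
# Assumed names: G, P, Q, DOM_*, hash_to_group, prove, proof_to_hash, verify.
DOM_H2G = b"toy-vrf/hash-to-group"   # domain separation tags (example's own)
DOM_RND = b"toy-vrf/proof-to-hash"
DOM_CH = b"toy-vrf/challenge"
DOM_K = b"toy-vrf/nonce"


def is_probable_prime(n):
    """Deterministic Miller-Rabin with bases 2..37 (exact for n < 3.3e24)."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start):
    """Smallest safe prime p = 2q+1 with q >= start//2 (toy size, illustration only)."""
    q = (start // 2) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = find_safe_prime(1 << 62)   # Z_p^* with a prime-order subgroup of size Q
G = 4                             # 4 = 2^2 is a quadratic residue, so it generates the order-Q subgroup


def enc(x):
    """Fixed-width big-endian encoding (I2OSP) so hash inputs are unambiguous."""
    return x.to_bytes(8, "big")


def in_subgroup(y):
    """Reject 0, 1, the order-2 element p-1 and anything outside the order-Q subgroup."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


def hash_to_group(pk, alpha):
    """H_alpha: hash into Z_p, then square to land in the order-Q subgroup (cofactor 2).
    pk is mixed in as salt; the discrete log of the result w.r.t. G stays unknown."""
    h = int.from_bytes(hashlib.sha512(DOM_H2G + enc(pk) + alpha).digest(), "big") % P
    y = pow(h, 2, P)
    if not in_subgroup(y):            # only with negligible probability
        raise ValueError("hash-to-group produced a degenerate element")
    return y


def challenge(*elems):
    """Fiat-Shamir challenge of the DLEQ proof (challenge_gen), reduced mod Q."""
    data = DOM_CH + b"".join(enc(e) for e in elems)
    return int.from_bytes(hashlib.sha512(data).digest(), "big") % Q


def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def prove(sk, alpha):
    """Prove(sk, alpha) -> pi = (Gamma, c, s): Gamma = sk*H and a DLEQ proof that
    DL_G(pk) = DL_H(Gamma). The nonce k is derived from sk and H (nonce_gen), so
    proving is deterministic and never reuses a nonce across different inputs."""
    pk = pow(G, sk, P)
    H = hash_to_group(pk, alpha)
    Gamma = pow(H, sk, P)
    k = int.from_bytes(hashlib.sha512(DOM_K + enc(sk) + enc(H)).digest(), "big") % Q
    U, V = pow(G, k, P), pow(H, k, P)
    c = challenge(pk, H, Gamma, U, V)
    s = (k - c * sk) % Q
    return Gamma, c, s


def proof_to_hash(pi):
    """Hash(pi) -> rnd: only Gamma feeds the output, so rnd is unique per (pk, alpha)."""
    Gamma, _, _ = pi
    return hashlib.sha512(DOM_RND + enc(Gamma)).digest()


def verify(pk, alpha, pi):
    """Verify(pk, alpha, pi) -> (ok, rnd): subgroup and range checks first, then recompute c."""
    Gamma, c, s = pi
    if not (in_subgroup(pk) and in_subgroup(Gamma) and 0 <= c < Q and 0 <= s < Q):
        return False, None
    H = hash_to_group(pk, alpha)
    U = pow(G, s, P) * pow(pk, c, P) % P      # equals G^k iff s = k - c*sk
    V = pow(H, s, P) * pow(Gamma, c, P) % P   # equals H^k iff Gamma = H^sk
    if challenge(pk, H, Gamma, U, V) != c:
        return False, None
    return True, proof_to_hash(pi)
```

`verify` returns the output only together with a successful check, mirroring the draft's rule that $rnd$ is never used before the proof validates; the explicit `in_subgroup` test on both $pk$ and $\Gamma$ is the toy-group counterpart of the low-/mixed-order point checks listed above.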
---
## What's next? ##
- Distributed VRF:
  - Async network
  - Robustness
  - Threshold property
  - ADKG
- Decentralized Random Beacon: DVRF + state
---
## Thanks ##
Questions?