Nir Bitansky

DOI: https://doi.org/10.1007/s00145-019-09331-1

2019-09-04

Journal of Cryptology

Abstract:<span><em class="EmphasisTypeItalic">Verifiable random functions</em> (VRFs) are pseudorandom functions where the owner of the seed, in addition to computing the function's value <em class="EmphasisTypeItalic">y</em> at any point <em class="EmphasisTypeItalic">x</em>, can also generate a non-interactive proof <span class="InlineEquation">\(\pi \)</span> that <em class="EmphasisTypeItalic">y</em> is correct, without compromising pseudorandomness at other points. Being a natural primitive with a wide range of applications, considerable efforts have been directed toward the construction of such VRFs. While these efforts have resulted in a variety of algebraic constructions (from bilinear maps or the RSA problem), the relation between VRFs and other general primitives is still not well understood. We present new constructions of VRFs from general primitives, the main one being <em class="EmphasisTypeItalic">non-interactive witness-indistinguishable proofs</em> (NIWIs). This includes: (1) a selectively secure VRF assuming NIWIs and non-interactive commitments. As usual, the VRF can be made adaptively secure assuming subexponential hardness of the underlying primitives. (2) An adaptively secure VRF assuming (polynomially hard) NIWIs, non-interactive commitments, and (<em class="EmphasisTypeItalic">single-key</em>) <em class="EmphasisTypeItalic">constrained pseudorandom functions</em> for a restricted class of constraints. The above primitives can be instantiated under various standard assumptions, which yields corresponding VRF instantiations, under different assumptions than were known so far. One notable example is a non-uniform construction of VRFs from subexponentially hard trapdoor permutations, or more generally, from <em class="EmphasisTypeItalic">verifiable pseudorandom generators</em> (the construction can be made uniform under a standard derandomization assumption). This partially answers an open question by Dwork and Naor (FOCS '00). The construction and its analysis are quite simple. Both draw from ideas commonly used in the context of <em class="EmphasisTypeItalic">indistinguishability obfuscation</em>.</span>

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Yevgeniy Dodis,Aleksandr Yampolskiy

DOI: https://doi.org/10.1007/978-3-540-30580-4_28

2005-01-01

Abstract:We give a simple and efficient construction of a verifiable random function (VRF) on bilinear groups. Our construction is direct. In contrast to prior VRF constructions [14,15], it avoids using an inefficient Goldreich-Levin transformation, thereby saving several factors in security. Our proofs of security are based on a decisional bilinear Diffie-Hellman inversion assumption, which seems reasonable given current state of knowledge. For small message spaces, our VRF’s proofs and keys have constant size. By utilizing a collision-resistant hash function, our VRF can also be used with arbitrary message spaces. We show that our scheme can be instantiated with an elliptic group of very reasonable size. Furthermore, it can be made distributed and proactive.

Tibor Jager,David Niehues

DOI: https://doi.org/10.1007/978-3-030-38471-5_13

2020-01-01

Abstract:Verifiable random functions (VRFs) are essentially digital signatures with additional properties, namely verifiable uniqueness and pseudorandomness, which make VRFs a useful tool, e.g., to prevent enumeration in DNSSEC Authenticated Denial of Existence and the CONIKS key management system, or in the random committee selection of the Algorand blockchain.Most standard-model VRFs rely on admissible hash functions (AHFs) to achieve security against adaptive attacks in the standard model. Known AHF constructions are based on error-correcting codes, which yield asymptotically efficient constructions. However, previous works do not clarify how the code should be instantiated concretely in the real world. The rate and the minimal distance of the selected code have significant impact on the efficiency of the resulting cryptosystem, therefore it is unclear if and how the aforementioned constructions can be used in practice.First, we explain inherent limitations of code-based AHFs. Concretely, we assume that even if we were given codes that achieve the well-known Gilbert-Varshamov or McEliece-Rodemich-Rumsey-Welch bounds, existing AHF-based constructions of verifiable random functions (VRFs) can only be instantiated quite inefficiently. Then we introduce and construct computational AHFs (cAHFs). While classical AHFs are information-theoretic, and therefore work even in presence of computationally unbounded adversaries, cAHFs provide only security against computationally bounded adversaries. However, we show that cAHFs can be instantiated significantly more efficiently. Finally, we use our cAHF to construct the currently most efficient verifiable random function with full adaptive security in the standard model.

Susan Hohenberger,Brent Waters

DOI: https://doi.org/10.1007/978-3-642-13190-5_33

2010-01-01

Abstract:We present a family of verifiable random functions which are provably secure for exponentially-large input spaces under a noninteractive complexity assumption. Prior constructions required either an interactive complexity assumption or one that could tolerate a factor 2n security loss for n-bit inputs. Our construction is practical and inspired by the pseudorandom functions of Naor and Reingold and the verifiable random functions of Lysyanskaya. Set in a bilinear group, where the Decisional Diffie-Hellman problem is easy to solve, we require the l- Decisional Diffie-Hellman Exponent assumption in the standard model, without a common reference string. Our core idea is to apply a simulation technique where the large space of VRF inputs is collapsed into a small (polynomial-size) input in the view of the reduction algorithm. This view, however, is information-theoretically hidden from the attacker. Since the input space is exponentially large, we can first apply a collision-resistant hash function to handle arbitrarily-large inputs.

Muhua Liu,Ping Zhang,Qingtao Wu

DOI: https://doi.org/10.1155/2019/4187892

IF: 1.968

2019-01-01

Security and Communication Networks

Abstract:Constrained verifiable random functions (VRFs) were introduced by Fuchsbauer. In a constrained VRF, one can drive a constrained key skS from the master secret key sk, where S is a subset of the domain. Using the constrained key skS, one can compute function values at points which are not in the set S. The security of constrained VRFs requires that the VRFs’ output should be indistinguishable from a random value in the range. They showed how to construct constrained VRFs for the bit-fixing class and the circuit constrained class based on multilinear maps. Their construction can only achieve selective security where an attacker must declare which point he will attack at the beginning of experiment. In this work, we propose a novel construction for constrained verifiable random function from bilinear maps and prove that it satisfies a new security definition which is stronger than the selective security. We call it semiadaptive security where the attacker is allowed to make the evaluation queries before it outputs the challenge point. It can immediately get that if a scheme satisfied semiadaptive security, and it must satisfy selective security.

Bong Gon Kim,Dennis Wong,Yoon Seok Yang

DOI: https://doi.org/10.5121/csit.2023.132104

2024-02-07

Abstract:We present a secure and private blockchain-based Verifiable Random Function (VRF) scheme addressing some limitations of classical VRF constructions. Given the imminent quantum computing adversarial scenario, conventional cryptographic methods face vulnerabilities. To enhance our VRF's secure randomness, we adopt post-quantum Ring-LWE encryption for synthesizing pseudo-random sequences. Considering computational costs and resultant on-chain gas costs, we suggest a bifurcated architecture for VRF design, optimizing interactions between on-chain and off-chain. Our approach employs a secure ring signature supported by NIZK proof and a delegated key generation method, inspired by the Chaum-Pedersen equality proof and the Fiat-Shamir Heuristic. Our VRF scheme integrates multi-party computation (MPC) with blockchain-based decentralized identifiers (DID), ensuring both security and randomness. We elucidate the security and privacy aspects of our VRF scheme, analyzing temporal and spatial complexities. We also approximate the entropy of the VRF scheme and detail its implementation in a Solidity contract. Also, we delineate a method for validating the VRF's proof, matching for the contexts requiring both randomness and verification. Conclusively, using the NIST SP800-22 of the statistical randomness test suite, our results exhibit a 98.86% pass rate over 11 test cases, with an average p-value of 0.5459 from 176 total tests.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Yiming Li,Shengli Liu,Shuai Han,Dawu Gu,Jian Weng

DOI: https://doi.org/10.2139/ssrn.4197049

IF: 1.002

2023-03-16

Theoretical Computer Science

Abstract:A verifiable random function (VRF) is a pseudorandom function F that can be publicly verified. A simulatable VRF (sVRF) is an important variant of a VRF, which additionally provides simulatability. Informally, the simulatability of a VRF depicts the ability to simulate a valid proof π that y=F(sk,x) for any input x and any output value y . A (simulatable) VRF can be used in the E-Cash, E-Lottery, blockchain and constructing the multi-theorem non-interactive zero-knowledge (NIZK) proof. However, up to now, the existing constructions of an sVRF either rely on non-standard assumptions (e.g., the Q -type ones), or are built in the random oracle model, or resort to time-consuming techniques like the Cook-Levin reduction. In this paper, we design the first sVRF from the LWE assumption in the standard model (free of a random oracle) without using a Cook-Levin reduction. In our construction of an sVRF, we take as building blocks a pseudorandom function, a trapdoor fully homomorphic commitment (FHC) scheme, and a NIZK proof system for a language specified by FHC. Our trapdoor FHC is the key technical tool, which helps the simplification of the underlying NIZK language, thus making possible an instantiation of a NIZK proof from LWE without a Cook-Levin reduction. Together with an LWE-based PRF, we obtain an sVRF scheme from LWE.

computer science, theory & methods

Bong Gon Kim,Dennis Wong,Yoon Seok Yang

DOI: https://doi.org/10.5121/ijcis.2023.13401

2024-01-30

Abstract:In this study, we present a secure smart contract-based Verifiable Random Function (VRF) model, addressing the shortcomings of existing systems. As quantum computing emerges, conventional public key cryptography faces potential vulnerabilities. To enhance our VRF's robustness, we employ post-quantum Ring-LWE encryption for generating pseudo-random sequences. Given the computational intensity of this approach and associated on-chain gas costs, we propose a hybrid architecture of VRF system where on-chain and off-chain can communicate in a scalable and secure way. To ensure the validity and integrity of the off-chain computations (e.g., Ring-LWE encryption), we employ a quantum-secure linkable ring signature scheme on NTRU lattice and also delegated key generation (DKG) with a secure key encapsulation mechanism (KEM). Our decentralized VRF employs multi-party computation (MPC) with blockchain-based decentralized identifiers (DID), ensuring the collective efforts of enhanced randomness and security. We show the security and privacy advantages of our proposed VRF model with the approximated estimation of overall temporal and spatial complexities. We also evaluate our VRF MPC model's entropy and outline its Solidity smart contract integration. This research also provides a method to produce and verify the VRF output's proof, optimal for scenarios necessitating randomness and validation. Lastly, using NIST SP800-22 test suite for randomness, we demonstrate the commendable result with a 97.73% overall pass rate on 11 standard tests and 0.5459 of average p-value for the total 176 tests.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Muhammed F. Esgin,Veronika Kuchta,Amin Sakzad,Ron Steinfeld,Zhenfei Zhang,Shifeng Sun,Shumo Chu

DOI: https://doi.org/10.1007/978-3-662-64331-0_29

2021-01-01

Abstract:In this work, we introduce the first practical post-quantum verifiable random function (VRF) that relies on well-known (module) lattice problems, namely Module-SIS and Module-LWE. Our construction, named LB-VRF, results in a VRF value of only 84 bytes and a proof of around only 5 KB (in comparison to several MBs in earlier works), and runs in about 3 ms for evaluation and about 1 ms for verification.In order to design a practical scheme, we need to restrict the number of VRF outputs per key pair, which makes our construction few-time. Despite this restriction, we show how our few-time LB-VRF can be used in practice and, in particular, we estimate the performance of Algorand using LB-VRF. We find that, due to the significant increase in the communication size in comparison to classical constructions, which is inherent in all existing lattice-based schemes, the throughput in LB-VRF-based consensus protocol is reduced, but remains practical. In particular, in a medium-sized network with 100 nodes, our platform records a 1.14×$$\times $$ to 3.4×$$\times $$ reduction in throughput, depending on the accompanying signature used. In the case of a large network with 500 nodes, we can still maintain at least 24 transactions per second. This is still much better than Bitcoin, which processes only about 5 transactions per second.

Yi Deng,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-540-72540-4_9

2007-01-01

Abstract:We introduce a notion of instance-dependent verifiable random functions (InstD-VRFs for short). Informally, an InstD-VRF is, in some sense, a verifiable random function [23] with a special public key, which is generated via a (possibly)interactive protocol and contains an instance y ∈ L ∩ {0,1}* for a specific NP language L, but the security requirements on such a function are relaxed: we only require the pseudorandomness property when y ∈ L and only require the uniqueness property when y ∉ L, instead of requiring both pseudorandomness and uniqueness to hold simultaneously. We show that this notion can be realized under standard assumption.Our motivation is the conjecture posed by Barak et al.[2], which states there exist resettably-sound resettable zero knowledge arguments for NP. The instance-dependent verifiable random functions is a powerful tool to tackle this problem. We first use them to obtain two interesting instance-dependent argument systems from the Barak’s public-coin bounded concurrent zero knowledge argument [1], and then, weConstruct the first (constant round) zero knowledge arguments for NP enjoying a certain simultaneous resettability under standard hardness assumptions in the plain model, which we call bounded-class resettable ZK arguments with weak resettable-soundness Though the malicious party (prover or verifier) in such system is limited to a kind of bounded resetting attack, We put NO restrictions on the number of the total resets made by malicious party.show that, under standard assumptions, if there exist public-coin concurrent zero knowledge arguments for NP, there exist the resettably-sound resetable zero knowledge arguments for NP.

Benjamin Wesolowski

DOI: https://doi.org/10.1007/s00145-020-09364-x

2020-09-09

Journal of Cryptology

Abstract:We construct a verifiable delay function (VDF). A VDF is a function whose evaluation requires running a given number of sequential steps, yet the result can be efficiently verified. They have applications in decentralised systems, such as the generation of trustworthy public randomness in a trustless environment, or resource-efficient blockchains. To construct our VDF, we actually build a trapdoor VDF. A trapdoor VDF is essentially a VDF which can be evaluated efficiently by parties who know a secret (the trapdoor). By setting up this scheme in a way that the trapdoor is unknown (not even by the party running the setup, so that there is no need for a trusted setup environment), we obtain a simple VDF. Our construction is based on groups of unknown order such as an RSA group or the class group of an imaginary quadratic field. The output of our construction is very short (the result and the proof of correctness are each a single element of the group), and the verification of correctness is very efficient.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Rafik Chaabouni,Helger Lipmaa,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-32946-3_14

2012-01-01

Abstract:In a range proof, the prover convinces the verifier in zero-knowledge that he has encrypted or committed to a value a ∈ [0, H] where H is a public constant. Most of the previous non-interactive range proofs have been proven secure in the random oracle model. We show that one of the few previous non-interactive range proofs in the common reference string (CRS) model, proposed by Yuen et al. in COCOON 2009, is insecure. We then construct a secure non-interactive range proof that works in the CRS model. The new range proof can have (by different instantiations of the parameters) either very short communication (14 080 bits) and verifier’s computation (81 pairings), short combined CRS length and communication (log1 / 2 + o (1) H group elements), or very efficient prover’s computation (Θ(logH) exponentiations).

Takashi Yamakawa,Mark Zhandry

DOI: https://doi.org/10.1145/3658665

IF: 2.269

2024-04-22

Journal of the ACM

Abstract:We show the following hold, unconditionally unless otherwise stated, relative to a random oracle: • There are NP search problems solvable by quantum polynomial-time machines but not classical probabilistic polynomial-time machines. • There exist functions that are one-way, and even collision resistant, against classical adversaries but are easily inverted quantumly. Similar counterexamples exist for digital signatures and CPA-secure public key encryption (the latter requiring the assumption of a classically CPA-secure encryption scheme). Interestingly, the counterexample does not necessarily extend to the case of other cryptographic objects such as PRGs. • There are unconditional publicly verifiable proofs of quantumness with the minimal rounds of interaction: for uniform adversaries, the proofs are non-interactive, whereas for non-uniform adversaries the proofs are two message public coin. • Our results do not appear to contradict the Aaronson-Ambanis conjecture. Assuming this conjecture, there exist publicly verifiable certifiable randomness, again with the minimal rounds of interaction. By replacing the random oracle with a concrete cryptographic hash function such as SHA2, we obtain plausible Minicrypt instantiations of the above results. Previous analogous results all required substantial structure, either in terms of highly structured oracles and/or algebraic assumptions in Cryptomania and beyond.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Guifang Huang,Lei Hu,Dongdai Lin

2010-01-01

Abstract:In asynchronous network communication, non-malleability is a necessary security requirement to resist against man-in-the-middle attack. In [6], two non-malleable non-interactive zero knowledge proofs were presented, in which the first scheme was obtained by using a specific form of InstD-VRF. In this paper, we present how to construct non-malleable non-interactive zero knowledge proof by using the general InstD-VRF. Our construction is a framework and contains many non-malleable non-interactive zero knowledge proofs. With this framework, the security analysis of some complicated non-malleable non-interactive zero knowledge proofs can be simplified, as long as they are consistent with the framework.

Veronika Kuchta,Amin Sakzad,Damien Stehle,Ron Steinfeld,Shi-Feng Sun

DOI: https://doi.org/10.1007/978-3-030-45727-3_24

2020-01-01

Abstract:We introduce a new technique called `Measure-RewindMeasure' (MRM) to achieve tighter security proofs in the quantum random oracle model (QROM). We first apply our MRM technique to derive a new security proof for a variant of the `double-sided' quantum OneWay to Hiding Lemma (O2H) of Bindel et al. [TCC 2019] which, for the first time, avoids the square-root advantage loss in the security proof. In particular, it bypasses a previous `impossibility result' of Jiang, Zhang and Ma [IACR eprint 2019]. We then apply our new O2H Lemma to give a new tighter security proof for the Fujisaki-Okamoto transform for constructing a strong (IND-CCA) Key Encapsulation Mechanism (KEM) from a weak (IND-CPA) public-key encryption scheme satisfying a mild injectivity assumption.

Nomana Ayesha Majeed,Alex Kemloh Kouyem

DOI: https://doi.org/10.52825/ocp.v2i.133

2022-12-15

Open Conference Proceedings

Abstract:Randomness is a critical issue in peer-to-peer networks because random numbers allow us to fairly select the candidates, resolve the lotteries, select block producers, etc. The difficulty is that each participant wants to verify that the random number was randomly generated, this led to the invention of verifiable random functions (VRF). The VRF is a pseudo-random function that provides a solution to blockchain-based random number generation. This paper focuses on the implementation of an elliptic curve-based VRF introduced by NIST called ECVRF-secp256r1 in Solidity. The algorithm verifies the randomness on-chain, tests the gas consumption at each stage, and compares it to the ECVRF-secp256k1.

Nai-Hui Chia,Honghao Fu,Fang Song,Penghui Yao

2023-10-23

Abstract:In recent years, achieving verifiable quantum advantage on a NISQ device has emerged as an important open problem in quantum information. The sampling-based quantum advantages are not known to have efficient verification methods. This paper investigates the verification of quantum advantage from a cryptographic perspective. We establish a strong connection between the verifiability of quantum advantage and cryptographic and complexity primitives, including efficiently samplable, statistically far but computationally indistinguishable pairs of (mixed) quantum states ($\mathsf{EFI}$), pseudorandom states ($\mathsf{PRS}$), and variants of minimum circuit size problems ($\mathsf{MCSP}$). Specifically, we prove that a) a sampling-based quantum advantage is either verifiable or can be used to build $\mathsf{EFI}$ and even $\mathsf{PRS}$ and b) polynomial-time algorithms for a variant of $\mathsf{MCSP}$ would imply efficient verification of quantum advantages. Our work shows that the quest for verifiable quantum advantages may lead to applications of quantum cryptography, and the construction of quantum primitives can provide new insights into the verifiability of quantum advantages.

Quantum Physics,Cryptography and Security

Rene Allerstorfer,Andreas Bluhm,Harry Buhrman,Matthias Christandl,Llorenç Escolà-Farràs,Florian Speelman,Philip Verduyn Lunel

2023-12-20

Abstract:Signal loss poses a significant threat to the security of quantum cryptography when the chosen protocol lacks loss-tolerance. In quantum position verification (QPV) protocols, even relatively small loss rates can compromise security. The goal is thus to find protocols that remain secure under practically achievable loss rates. In this work, we modify the usual structure of QPV protocols and prove that this modification makes the potentially high transmission loss between the verifiers and the prover security-irrelevant for a class of protocols that includes a practically-interesting candidate protocol inspired by the BB84 protocol ($\mathrm{QPV}_{\mathrm{BB84}}^{f}$). This modification, which involves photon presence detection, a small time delay at the prover, and a commitment to play before proceeding, reduces the overall loss rate to just the prover's laboratory. The adapted protocol c-$\mathrm{QPV}_{\mathrm{BB84}}^{f}$ then becomes a practically feasible QPV protocol with strong security guarantees, even against attackers using adaptive strategies. As the loss rate between the verifiers and prover is mainly dictated by the distance between them, secure QPV over longer distances becomes possible. We also show possible implementations of the required photon presence detection, making c-$\mathrm{QPV}_{\mathrm{BB84}}^{f}$ a protocol that solves all major practical issues in QPV. Finally, we discuss experimental aspects and give parameter estimations.

Quantum Physics