Nir Bitansky

DOI: https://doi.org/10.1007/s00145-019-09331-1

2019-09-04

Journal of Cryptology

Abstract:<span><em class="EmphasisTypeItalic">Verifiable random functions</em> (VRFs) are pseudorandom functions where the owner of the seed, in addition to computing the function's value <em class="EmphasisTypeItalic">y</em> at any point <em class="EmphasisTypeItalic">x</em>, can also generate a non-interactive proof <span class="InlineEquation">\(\pi \)</span> that <em class="EmphasisTypeItalic">y</em> is correct, without compromising pseudorandomness at other points. Being a natural primitive with a wide range of applications, considerable efforts have been directed toward the construction of such VRFs. While these efforts have resulted in a variety of algebraic constructions (from bilinear maps or the RSA problem), the relation between VRFs and other general primitives is still not well understood. We present new constructions of VRFs from general primitives, the main one being <em class="EmphasisTypeItalic">non-interactive witness-indistinguishable proofs</em> (NIWIs). This includes: (1) a selectively secure VRF assuming NIWIs and non-interactive commitments. As usual, the VRF can be made adaptively secure assuming subexponential hardness of the underlying primitives. (2) An adaptively secure VRF assuming (polynomially hard) NIWIs, non-interactive commitments, and (<em class="EmphasisTypeItalic">single-key</em>) <em class="EmphasisTypeItalic">constrained pseudorandom functions</em> for a restricted class of constraints. The above primitives can be instantiated under various standard assumptions, which yields corresponding VRF instantiations, under different assumptions than were known so far. One notable example is a non-uniform construction of VRFs from subexponentially hard trapdoor permutations, or more generally, from <em class="EmphasisTypeItalic">verifiable pseudorandom generators</em> (the construction can be made uniform under a standard derandomization assumption). This partially answers an open question by Dwork and Naor (FOCS '00). The construction and its analysis are quite simple. Both draw from ideas commonly used in the context of <em class="EmphasisTypeItalic">indistinguishability obfuscation</em>.</span>

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Yevgeniy Dodis,Aleksandr Yampolskiy

DOI: https://doi.org/10.1007/978-3-540-30580-4_28

2005-01-01

Abstract:We give a simple and efficient construction of a verifiable random function (VRF) on bilinear groups. Our construction is direct. In contrast to prior VRF constructions [14,15], it avoids using an inefficient Goldreich-Levin transformation, thereby saving several factors in security. Our proofs of security are based on a decisional bilinear Diffie-Hellman inversion assumption, which seems reasonable given current state of knowledge. For small message spaces, our VRF’s proofs and keys have constant size. By utilizing a collision-resistant hash function, our VRF can also be used with arbitrary message spaces. We show that our scheme can be instantiated with an elliptic group of very reasonable size. Furthermore, it can be made distributed and proactive.

Susan Hohenberger,Brent Waters

DOI: https://doi.org/10.1007/978-3-642-13190-5_33

2010-01-01

Abstract:We present a family of verifiable random functions which are provably secure for exponentially-large input spaces under a noninteractive complexity assumption. Prior constructions required either an interactive complexity assumption or one that could tolerate a factor 2n security loss for n-bit inputs. Our construction is practical and inspired by the pseudorandom functions of Naor and Reingold and the verifiable random functions of Lysyanskaya. Set in a bilinear group, where the Decisional Diffie-Hellman problem is easy to solve, we require the l- Decisional Diffie-Hellman Exponent assumption in the standard model, without a common reference string. Our core idea is to apply a simulation technique where the large space of VRF inputs is collapsed into a small (polynomial-size) input in the view of the reduction algorithm. This view, however, is information-theoretically hidden from the attacker. Since the input space is exponentially large, we can first apply a collision-resistant hash function to handle arbitrarily-large inputs.

David Niehues

DOI: https://doi.org/10.1007/978-3-030-75248-4_3

2021-01-01

Abstract:Verifiable random functions (VRFs), introduced by Micali, Rabin and Vadhan (FOCS’99), are the public-key equivalent of pseudorandom functions. A public verification key and proofs accompanying the output enable all parties to verify the correctness of the output. However, all known standard model VRFs have a reduction loss that is much worse than what one would expect from known optimal constructions of closely related primitives like unique signatures. We show that: Every security proof for a VRF that relies on a non-interactive assumption has to lose a factor of Q, where Q is the number of adversarial queries. To that end, we extend the meta-reduction technique of Bader et al. (EUROCRYPT’16) to also cover VRFs.This raises the question: Is this bound optimal? We answer this question in the affirmative by presenting the first VRF with a reduction from the non-interactive qDBDHI assumption to the security of VRF that achieves this optimal loss.We thus paint a complete picture of the achievability of tight verifiable random functions: We show that a security loss of Q is unavoidable and present the first construction that achieves this bound.

Yiming Li,Shengli Liu,Shuai Han,Dawu Gu,Jian Weng

DOI: https://doi.org/10.2139/ssrn.4197049

IF: 1.002

2023-03-16

Theoretical Computer Science

Abstract:A verifiable random function (VRF) is a pseudorandom function F that can be publicly verified. A simulatable VRF (sVRF) is an important variant of a VRF, which additionally provides simulatability. Informally, the simulatability of a VRF depicts the ability to simulate a valid proof π that y=F(sk,x) for any input x and any output value y . A (simulatable) VRF can be used in the E-Cash, E-Lottery, blockchain and constructing the multi-theorem non-interactive zero-knowledge (NIZK) proof. However, up to now, the existing constructions of an sVRF either rely on non-standard assumptions (e.g., the Q -type ones), or are built in the random oracle model, or resort to time-consuming techniques like the Cook-Levin reduction. In this paper, we design the first sVRF from the LWE assumption in the standard model (free of a random oracle) without using a Cook-Levin reduction. In our construction of an sVRF, we take as building blocks a pseudorandom function, a trapdoor fully homomorphic commitment (FHC) scheme, and a NIZK proof system for a language specified by FHC. Our trapdoor FHC is the key technical tool, which helps the simplification of the underlying NIZK language, thus making possible an instantiation of a NIZK proof from LWE without a Cook-Levin reduction. Together with an LWE-based PRF, we obtain an sVRF scheme from LWE.

computer science, theory & methods

Tibor Jager,David Niehues

DOI: https://doi.org/10.1007/978-3-030-38471-5_13

2020-01-01

Abstract:Verifiable random functions (VRFs) are essentially digital signatures with additional properties, namely verifiable uniqueness and pseudorandomness, which make VRFs a useful tool, e.g., to prevent enumeration in DNSSEC Authenticated Denial of Existence and the CONIKS key management system, or in the random committee selection of the Algorand blockchain.Most standard-model VRFs rely on admissible hash functions (AHFs) to achieve security against adaptive attacks in the standard model. Known AHF constructions are based on error-correcting codes, which yield asymptotically efficient constructions. However, previous works do not clarify how the code should be instantiated concretely in the real world. The rate and the minimal distance of the selected code have significant impact on the efficiency of the resulting cryptosystem, therefore it is unclear if and how the aforementioned constructions can be used in practice.First, we explain inherent limitations of code-based AHFs. Concretely, we assume that even if we were given codes that achieve the well-known Gilbert-Varshamov or McEliece-Rodemich-Rumsey-Welch bounds, existing AHF-based constructions of verifiable random functions (VRFs) can only be instantiated quite inefficiently. Then we introduce and construct computational AHFs (cAHFs). While classical AHFs are information-theoretic, and therefore work even in presence of computationally unbounded adversaries, cAHFs provide only security against computationally bounded adversaries. However, we show that cAHFs can be instantiated significantly more efficiently. Finally, we use our cAHF to construct the currently most efficient verifiable random function with full adaptive security in the standard model.

Bong Gon Kim,Dennis Wong,Yoon Seok Yang

DOI: https://doi.org/10.5121/csit.2023.132104

2024-02-07

Abstract:We present a secure and private blockchain-based Verifiable Random Function (VRF) scheme addressing some limitations of classical VRF constructions. Given the imminent quantum computing adversarial scenario, conventional cryptographic methods face vulnerabilities. To enhance our VRF's secure randomness, we adopt post-quantum Ring-LWE encryption for synthesizing pseudo-random sequences. Considering computational costs and resultant on-chain gas costs, we suggest a bifurcated architecture for VRF design, optimizing interactions between on-chain and off-chain. Our approach employs a secure ring signature supported by NIZK proof and a delegated key generation method, inspired by the Chaum-Pedersen equality proof and the Fiat-Shamir Heuristic. Our VRF scheme integrates multi-party computation (MPC) with blockchain-based decentralized identifiers (DID), ensuring both security and randomness. We elucidate the security and privacy aspects of our VRF scheme, analyzing temporal and spatial complexities. We also approximate the entropy of the VRF scheme and detail its implementation in a Solidity contract. Also, we delineate a method for validating the VRF's proof, matching for the contexts requiring both randomness and verification. Conclusively, using the NIST SP800-22 of the statistical randomness test suite, our results exhibit a 98.86% pass rate over 11 test cases, with an average p-value of 0.5459 from 176 total tests.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Muhua Liu,Ping Zhang

DOI: https://doi.org/10.1093/comjnl/bxz154

2020-01-01

Abstract:Functional encryption (FE) can provide a fine-grained access control on the encrypted message. Therefore, it has been applied widely in security business. The previous works about functional encryptions most focused on the deterministic functions. The randomized algorithm has wide application, such as securely encryption algorithms against chosen ciphertext attack, privacy-aware auditing. Based on this, FE for randomized functions was proposed. The existing constructions are provided in a weaker selective security model, where the adversary is forced to output the challenge message before the start of experiment. This security is not enough in some scenes. In this work, we present a novel construction for FE, which supports the randomized functionalities. We use the technology of key encapsulated mechanism to achieve adaptive security under the simulated environment, where the adversary is allowed to adaptively choose the challenge message at any point in time. Our construction is built based on indistinguishability obfuscation, non-interactive witness indistinguishable proofs and perfectly binding commitment scheme.

Yi Deng,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-540-72540-4_9

2007-01-01

Abstract:We introduce a notion of instance-dependent verifiable random functions (InstD-VRFs for short). Informally, an InstD-VRF is, in some sense, a verifiable random function [23] with a special public key, which is generated via a (possibly)interactive protocol and contains an instance y ∈ L ∩ {0,1}* for a specific NP language L, but the security requirements on such a function are relaxed: we only require the pseudorandomness property when y ∈ L and only require the uniqueness property when y ∉ L, instead of requiring both pseudorandomness and uniqueness to hold simultaneously. We show that this notion can be realized under standard assumption.Our motivation is the conjecture posed by Barak et al.[2], which states there exist resettably-sound resettable zero knowledge arguments for NP. The instance-dependent verifiable random functions is a powerful tool to tackle this problem. We first use them to obtain two interesting instance-dependent argument systems from the Barak’s public-coin bounded concurrent zero knowledge argument [1], and then, weConstruct the first (constant round) zero knowledge arguments for NP enjoying a certain simultaneous resettability under standard hardness assumptions in the plain model, which we call bounded-class resettable ZK arguments with weak resettable-soundness Though the malicious party (prover or verifier) in such system is limited to a kind of bounded resetting attack, We put NO restrictions on the number of the total resets made by malicious party.show that, under standard assumptions, if there exist public-coin concurrent zero knowledge arguments for NP, there exist the resettably-sound resetable zero knowledge arguments for NP.

Bong Gon Kim,Dennis Wong,Yoon Seok Yang

DOI: https://doi.org/10.5121/ijcis.2023.13401

2024-01-30

Abstract:In this study, we present a secure smart contract-based Verifiable Random Function (VRF) model, addressing the shortcomings of existing systems. As quantum computing emerges, conventional public key cryptography faces potential vulnerabilities. To enhance our VRF's robustness, we employ post-quantum Ring-LWE encryption for generating pseudo-random sequences. Given the computational intensity of this approach and associated on-chain gas costs, we propose a hybrid architecture of VRF system where on-chain and off-chain can communicate in a scalable and secure way. To ensure the validity and integrity of the off-chain computations (e.g., Ring-LWE encryption), we employ a quantum-secure linkable ring signature scheme on NTRU lattice and also delegated key generation (DKG) with a secure key encapsulation mechanism (KEM). Our decentralized VRF employs multi-party computation (MPC) with blockchain-based decentralized identifiers (DID), ensuring the collective efforts of enhanced randomness and security. We show the security and privacy advantages of our proposed VRF model with the approximated estimation of overall temporal and spatial complexities. We also evaluate our VRF MPC model's entropy and outline its Solidity smart contract integration. This research also provides a method to produce and verify the VRF output's proof, optimal for scenarios necessitating randomness and validation. Lastly, using NIST SP800-22 test suite for randomness, we demonstrate the commendable result with a 97.73% overall pass rate on 11 standard tests and 0.5459 of average p-value for the total 176 tests.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Muhammed F. Esgin,Veronika Kuchta,Amin Sakzad,Ron Steinfeld,Zhenfei Zhang,Shifeng Sun,Shumo Chu

DOI: https://doi.org/10.1007/978-3-662-64331-0_29

2021-01-01

Abstract:In this work, we introduce the first practical post-quantum verifiable random function (VRF) that relies on well-known (module) lattice problems, namely Module-SIS and Module-LWE. Our construction, named LB-VRF, results in a VRF value of only 84 bytes and a proof of around only 5 KB (in comparison to several MBs in earlier works), and runs in about 3 ms for evaluation and about 1 ms for verification.In order to design a practical scheme, we need to restrict the number of VRF outputs per key pair, which makes our construction few-time. Despite this restriction, we show how our few-time LB-VRF can be used in practice and, in particular, we estimate the performance of Algorand using LB-VRF. We find that, due to the significant increase in the communication size in comparison to classical constructions, which is inherent in all existing lattice-based schemes, the throughput in LB-VRF-based consensus protocol is reduced, but remains practical. In particular, in a medium-sized network with 100 nodes, our platform records a 1.14×$$\times $$ to 3.4×$$\times $$ reduction in throughput, depending on the accompanying signature used. In the case of a large network with 500 nodes, we can still maintain at least 24 transactions per second. This is still much better than Bitcoin, which processes only about 5 transactions per second.

Guifang Huang,Lei Hu,Dongdai Lin

2010-01-01

Abstract:In asynchronous network communication, non-malleability is a necessary security requirement to resist against man-in-the-middle attack. In [6], two non-malleable non-interactive zero knowledge proofs were presented, in which the first scheme was obtained by using a specific form of InstD-VRF. In this paper, we present how to construct non-malleable non-interactive zero knowledge proof by using the general InstD-VRF. Our construction is a framework and contains many non-malleable non-interactive zero knowledge proofs. With this framework, the security analysis of some complicated non-malleable non-interactive zero knowledge proofs can be simplified, as long as they are consistent with the framework.

Benjamin Wesolowski

DOI: https://doi.org/10.1007/s00145-020-09364-x

2020-09-09

Journal of Cryptology

Abstract:We construct a verifiable delay function (VDF). A VDF is a function whose evaluation requires running a given number of sequential steps, yet the result can be efficiently verified. They have applications in decentralised systems, such as the generation of trustworthy public randomness in a trustless environment, or resource-efficient blockchains. To construct our VDF, we actually build a trapdoor VDF. A trapdoor VDF is essentially a VDF which can be evaluated efficiently by parties who know a secret (the trapdoor). By setting up this scheme in a way that the trapdoor is unknown (not even by the party running the setup, so that there is no need for a trusted setup environment), we obtain a simple VDF. Our construction is based on groups of unknown order such as an RSA group or the class group of an imaginary quadratic field. The output of our construction is very short (the result and the proof of correctness are each a single element of the group), and the verification of correctness is very efficient.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Matthieu R. Bloch,Joerg Kliewer

DOI: https://doi.org/10.48550/arXiv.1202.5529

2012-02-25

Abstract:In this paper, we investigate how constraints on the randomization in the encoding process affect the secrecy rates achievable over wiretap channels. In particular, we characterize the secrecy capacity with a rate-limited local source of randomness and a less capable eavesdropper's channel, which shows that limited rate incurs a secrecy rate penalty but does not preclude secrecy. We also discuss a more practical aspect of rate-limited randomization in the context of cooperative jamming. Finally, we show that secure communication is possible with a non-uniform source for randomness; this suggests the possibility of designing robust coding schemes.

Information Theory

Rafik Chaabouni,Helger Lipmaa,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-32946-3_14

2012-01-01

Abstract:In a range proof, the prover convinces the verifier in zero-knowledge that he has encrypted or committed to a value a ∈ [0, H] where H is a public constant. Most of the previous non-interactive range proofs have been proven secure in the random oracle model. We show that one of the few previous non-interactive range proofs in the common reference string (CRS) model, proposed by Yuen et al. in COCOON 2009, is insecure. We then construct a secure non-interactive range proof that works in the CRS model. The new range proof can have (by different instantiations of the parameters) either very short communication (14 080 bits) and verifier’s computation (81 pairings), short combined CRS length and communication (log1 / 2 + o (1) H group elements), or very efficient prover’s computation (Θ(logH) exponentiations).

Huige Wang,Kefei Chen,Yu Long,Junyao Ye,Liangliang Wang

DOI: https://doi.org/10.1007/s12083-016-0488-6

IF: 3.488

2016-01-01

Peer-to-Peer Networking and Applications

Abstract:In this paper, we propose a new construction for randomized message-locked encryption (MLE) with privacy chosen-distribution attacks (PRV-CDA) and strong tag consistency (STC) securities in the standard model via UCEs. The new construction is based on \(\mathsf {UCE}[\mathsf {S}^{sup}\cap \mathsf {S}^{q\text {-}query}]\) secure family of hash functions, adaptively secure non-interactive zero knowledge proof system (NIZK) and indistinguishable chosen-plaintext attacks (IND-CPA) secure symmetric encryption (SE). Compared with existing randomized MLE schemes such as Bellare et al.’s XtESPKE scheme (Eurocrypt 2013), our scheme gives concrete instantiation and detailed security proofs. Although Abadi et al.’s construction for randomized MLE (Crypto 2013) achieves STC and PRV-CDA2, but their construction is designed in the random oracle model and cannot be instantiated, while our scheme can be instantiated in the standard model and achieves both STC and PRV-CDA securities.

Jiayu Zhang

2024-11-09

Abstract:Remote state preparation with verifiability (RSPV) is an important quantum cryptographic primitive [GV19,Zha22]. In this primitive, a client would like to prepare a quantum state (sampled or chosen from a state family) on the server side, such that ideally the client knows its full description, while the server holds and only holds the state itself. In this work we make several contributions on its formulations, constructions and applications. In more detail: - We first work on the definitions and abstract properties of the RSPV problem. We select and compare different variants of definitions [GV19,GMP22,Zha22], and study their basic properties (like composability and amplification). - We also study a closely related question of how to certify the server's operations (instead of solely the states). We introduce a new notion named remote operator application with verifiability (ROAV). We compare this notion with related existing definitions [SW87,MY04,MV21,NZ23] and study its abstract properties. - Building on the abstract properties and existing results [BGKPV23], we construct a series of new RSPV protocols. Our constructions not only simplify existing results [GV19] but also cover new state families, for example, states in the form of $\frac{1}{\sqrt{2}}(|0\rangle|x_0\rangle+|1\rangle|x_1\rangle)$. All these constructions rely only on the existence of weak NTCF [BKVV,AMR22], without additional requirements like the adaptive hardcore bit property [BCMVV,AMR22]. - As a further application, we show that the classical verification of quantum computations (CVQC) problem [ABEM,Mah18] could be constructed from assumptions on group actions [ADMP20]. This is achieved by combining our results on RSPV with group-action-based instantiation of weak NTCF [AMR22], and then with the quantum-gadget-assisted quantum verification protocol [FKD18].

Quantum Physics

Geng Wang,Ming Wan,Dawu Gu

DOI: https://doi.org/10.1007/978-3-031-20917-8_3

2022-01-01

Abstract:Functional encryption (FE for short) can be used to calculate a function output of a message when given the corresponding function key, without revealing other information about the message. However, the original FE does not guarantee the unforgeability of either ciphertexts or function keys. In 2016, Badrinarayanan et al. provide a new primitive called verifiable functional encryption (VFE for short), and give a generic transformation from FE to VFE using non-interactive witness-indistinguishable proof (NIWI proof). In their construction, each VFE ciphertext (resp. function key) consists of 4 FE ciphertexts (resp. function keys) generated from independent FE public keys (resp. secret keys) and a NIWI proof on the correctness. In this paper, we show that there is redundancy in their construction. Concretely, we give a new construction for VFE which uses only 3 FE ciphertexts and function keys, and prove the verifiability and security of the construction. Since the NIWI proof is also simpler in our scheme, our construction may lead to an about 25% decrease in both ciphertext/key size and encryption/decryption cost.