a verifiable random function with short proofs and keys
DESCRIPTION
TRANSCRIPT
A Verifiable Random Function With Short Proofs and Keys
Yevgeniy Dodis
Aleksandr Yampolskiy
(NYU)
(Yale)
Outline
Motivation Previous work Our constructions Extensions Conclusion
Non-interactive lottery [MR02] Lottery organizer has a secret function FSK(.) Each participant chooses a lottery ticket x and
sends it to the organizer
Organizer
FSK(.)x1 = 3
x2 = 8
x3 = 5
Non-interactive lottery (cont.) Organizer computes y = FSK(x) for each x he
receives. The value y somehow determines if the user
wins; e.g., a user wins $100 if his y is a prime.
FSK(.)FSK(3) = 10
FSK(8) = 11
FSK(5) = 15Organizer
Non-interactive lottery (cont.) This scheme almost works except… Problem 1: We must ensure that users
cannot bias the lottery; i.e., FSK(x) should look random.
Problem 2: What stops the organizer from lying about the true FSK(x) value?
Verifiable Random Function
What we need is a verifiable random function (VRF) [MRV99]
On input x, owner of secret key SK can compute y = FSK(x) together with proof SK(x).
The output y looks random. Yet the proof SK(x) convinces every
verifier that y is correct with respect to public key.
Previous work
VRFs have many useful applications (non-interactive lottery, rZK, e-cash, verifiable transaction escrow).
However, they are not very well studied [MRV99, Lys02, Dod03]
Prior constructions are not very efficient.
Previous work (cont.) Use an inefficient Goldreich-Levin
hardcore bit [MRV99, Lys02] Construct a verifiable unpredictable function
(VUF), whose output is hard to guess but not necessarily random.
Use Goldreich-Levin bit to convert a VUF into a VRF.
Previous work (cont.) Use an inefficient Goldreich-Levin
hardcore bit [MRV99, Lys02] Inputs need to be encoded in a special
way [MRV99, Lys02, Dod03] [MRV99]: inputs are first mapped into primes [Lys02, Dod03]: inputs are mapped to
codewords of an error-correcting code
Previous work (cont.) Use an inefficient Goldreich-Levin
hardcore bit [MRV99, Lys02] Inputs need to be encoded in a special
way [MRV99, Lys02, Dod03] Proofs and keys are long [Lys02, Dod03]
[Lys02, Dod03]: keys (PK, SK) and proofs SK(x) consist of O(|x|) group elements.
Our work
We construct a VRF directly without using the Goldreich-Levin hardcore bit.
Inputs need not be encoded in any special way.
Our proofs and keys consist of O(1) group elements regardless of the input size.
Bilinear groups G, G1 : cyclic groups of prime order p
An admissible bilinear map e: G£G G1
bilinear: 8u,v 2 G and 8x,y 2 Z
e(ux, vy) = e(u, v)xy
non-degenerate: e(g, g) ≠ 1 efficiently computable
Can construct such maps from Weil pairing on elliptic curves [JN01]
Compexity assumptions
We make two assumptions: q-DHI assumption: given (g, gx, …, g(xq)), it is
hard to compute g1/x [MSK02] q-DBDHI assumption: given (g, gx, …, g(xq)),
it is hard to distinguish e(g,g)1/x from random [BB04]
Hard = adversary running for s(k) steps is unlikely to succeed. Here, s(k)=(poly(k)) and s(k)=o(2k).
Our VUF Starting point: Boneh-Boyen signature [BB04]
Algorithm Gen(1k): Pick s2R Zp*.The secret key
is SK = s. The public key is PK = gs. Algorithm SignSK(x): To sign x, compute y
= g1/(x+SK). Algorithm VerPK(x, y): Check that
e(y, gx¢PK) = e(g, g).
Our VUF (cont.) Boneh-Boyen signature is secure against non-
adaptive queries (and uses stronger q-SDH assumption)
A VUF must be secure against adaptive queries
adversarychallenger
(PK, SK) PKx1 x2 xk…
y1 y2 yk…
adversarychallenger
(PK, SK) PKxi
yi
Our VUF (cont.) Trick: Restrict input size to be small,
a(k) = (log s(k)) (s(k) is the security) Then, we can enumerate all possible
queries in less than s(k) time and give answers adaptively.
Our VUF (cont.)
Boneh-Boyen signature becomes a verifiable unpredictable function (VUF) for small inputs
We can use Goldreich-Levin bit to convert a VUF into a VRF, but this is very inefficient
Our VRF Instead, we construct a VRF directly:
Algorithm Gen(1k): Pick s2R Zp*.The secret
key is SK = s. The public key is PK = gs. Algorithm ProveSK(x) : Compute
(FSK(x), SK(x)) = (e(g,g)1/(x+SK), g1/(x+SK))
Algorithm VerPK(x,y,): Verify that e(gx¢PK, ) = e(g,g) and y = e(g, ).
our VUF
Proof of security : big picture Our VRF is provably secure for inputs of
small size, a(k) = O (log s(k)). If there is an algorithm A that breaks the
VRF in time t, with probability , then there is an algorithm B that solves
the q-DBDHI problem (q=2a(k)) in time ¼ t/(2a(k)¢poly(k)), with probability /2a(k).
Proof of security : big picture
B
A
Construct reduction algorithm B that answers A’s queries and then uses A’s answers to solve the q-DBDHI instance
(g, g, …, g(q), )
Is = e(g,g)1/Challenger
VRF game
…
Proof of security : sketch Idea:
1. Want to know if = e(g,g)1/ ?
2. Guess that A can distinguish VRF value of x* from random.
3. Prepare keys (PK, SK) such that SK = - x* is unknown, yet we can correctly compute hFSK(x), SK(x)i for any x ≠ x*.
4. We construct * from such that FSK(x*) = * if = e(g,g)1/
FSK(x*) = $ if = $
Proof of security : sketch
B
A(g, g, …, g(q), )
Challenger
We can then use A to distinguish the original from random.
(PK, SK) PK
is not e(g,g)1/ not randomx*
Extending the input size
Our VRF is secure for small inputs, a(k)=(log s(k)).
Inputs of arbitrary size are no problem! Just use a collision-resistant hash
function H(¢): {0,1}* {0,1}a(k). Trivially, composition FSK(H(¢)) is secure.
Extending the input size (cont.) Alternatively, we can truncate basic VRF’s
output to a(k)-1 bits and use [MRV99] tree construction:
0a-1
y=F(0a) z=F(0a-11)
F(z0) F(z1)F(y0) F(y1)
F(F(y1)1)F(F(y1)0)
0 1
0 1 0 1
0 1
VRF value for x = 011
Efficiency
Length of proofs and keys
Group size
Our VRF 125 bytes 1,000 bits, elliptic group
[MRV99] 280,000 bytes 14,383 bits,
Zn*
[Dod03], [Lys02] >3,200 bytes 160 bits,
elliptic group
Suppose a(k) = 160 bits, the length of SHA-1 digests.
We then have:
Compact e-cash [CHL05]
Offline anonymous e-cash scheme. A user can withdraw a wallet of 2l coins from the
bank and later spend them. In best known schemes, withdraw and spend
operations take O(2l¢k) time (k is the security parameter).
In EuroCrypt ’05, [CHL05] used our VRF to construct a scheme whose withdraw/spend operations take O(l+k) time.
Conclusion
We give a simple and efficient VRF construction. It can be instantiated with elliptic groups of
reasonable size. Proofs and keys consist of only one group
element regardless of the input size. Can obtain a VRF value on committed values. Our VRF can be made distributed and proactive.
