Verifiable random function

This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Verifiable random function" – news · newspapers · books · scholar · JSTOR (July 2007) (Learn how and when to remove this message)

In cryptography, a verifiable random function (VRF) is a public-key analogue of a keyed cryptographic hash.^[1] It is a pseudo-random function that provides publicly verifiable proofs of its outputs' correctness. Given an input value x, the owner of the secret key SK can compute the function value y = F_SK(x) and the proof p_SK(x). Using the proof and the public key ${\displaystyle PK=g^{SK}}$, everyone can check that the value y = F_SK(x) was indeed computed correctly, yet this information cannot be used to find the secret key.^{[1][verification needed]} The concept of a VRF was introduced by Micali, Rabin, and Vadhan in 1999.^[2]

The original construction was rather inefficient.^{[citation needed]}

Later, in 2005, an efficient and practical verifiable random function was proposed by Yevgeniy Dodis and Aleksandr Yampolskiy.^[3][4] The following is only for intuition and is secure only when the input ${\displaystyle x}$ is from a small domain (the authors then extend it to a larger domain):

${\displaystyle F_{SK}(x)=e(g,g)^{1/(x+SK)}\quad {\mbox{and}}\quad p_{SK}(x)=g^{1/(x+SK)},}$

where e(·,·) is a bilinear map. To verify whether ${\displaystyle F_{SK}(x)}$ was computed correctly or not, one can check if ${\displaystyle e(g^{x}PK,p_{SK}(x))=e(g,g)}$ and ${\displaystyle e(g,p_{SK}(x))=F_{SK}(x)}$.^{[citation needed]}

One can also define the Dodis-Yambolskiy random function as a function ${\displaystyle V_{x}:\{1,\dots ,d\}\to \mathbb {G} }$ (where ${\displaystyle \mathbb {G} }$ is a group generated by g with prime order t) given by $${\displaystyle V_{x}:m\mapsto {\begin{cases}g^{\frac {1}{x+m}}{\text{ if }}x+m\neq 0{\pmod {t}}\\1_{\mathbb {G} }{\text{ elsewise}}\end{cases}}.}$$^[4]

Dodis and Yampolskiy showed this is secure if it is hard to break the "decisional bilinear Diffie-Helman inversion assumption" in the group ${\displaystyle \mathbb {G} }$.^[4] The proof of security relies on a new decisional bilinear Diffie-Hellman inversion assumption, which asks given ${\displaystyle (g,g^{x},\ldots ,g^{(x^{q})},R)}$ as input to distinguish ${\displaystyle R=e(g,g)^{1/x}}$ from random.^{[citation needed]}

In 2015, Hofheinz and Jager constructed a VRF which is provably secure given any member of the "(n − 1)-linear assumption family", which includes the decision linear assumption.^{[5][clarification needed]} This is the first such VRF constructed that does not depend on a "Q-type complexity assumption".^[5]

VRFs provide deterministic precommitments which can be revealed at a later time using proofs which can only be generated by a private key. This is useful for providing a 1:1 mapping of low entropy inputs (e.g. names, email addresses, phone numbers) to some random values which can be committed to in advance, e.g. through a timestamping service such as a transparency log.^{[citation needed]}

Unlike traditional digital signature algorithms, VRF outputs can be published publicly without being subject to a preimage attack, even if the verifier knows the public key (but not the proof). This is useful to prevent enumeration of the names/identifiers in a directory which is using a transparency system.^{[1][verification needed]}

The Internet Computer cryptocurrency uses a VRF to produce a decentralized random beacon whose output is unpredictable to anyone until they become available to everyone.^[6] More precisely, its protocol allows clients to agree on a VRF (i.e. a commitment to a deterministic pseudorandom sequence) and to produce one new output thereof every round by using threshold signatures and distributed key generation.^[6]

Algorand uses VRFs to perform cryptographic sortition.^[7][8] In this platform, every block produces a new random selection seed, and a user secretly checks whether they were selected to participate in the consensus protocol by evaluating a VRF with their secret participation key and the selection seed.^[7] (This also produces a proof, which the user can send to anyone to show that they have been selected to participate.^[7]) Thusly, accounts are selected to propose blocks for a given round.^[7] The particular VRF that Algorand uses was originally proposed by Sharon Goldberg, Moni Naor, Dimitris Papadopoulos, Leonid Reyzin, and Jan Včelák and currently^{[needs update]} undergoing standardization;^[8] Algorand's own implementation of this function has been open-source since October 2018.^[8]

In May 2020, Chainlink announced that it launched Chainlink VRF, a service that uses verifiable random functions to generate verifiable randomness on-chain.^[9] To use Chainlink VRF, a smart contract supplies a seed (which should be unpredictable to the oracles to whom it is provided), and the seed in turn is used to generate a random number that is sent back to the contract; this is published on-chain along with a proof and verified using the oracle's public key and the application's seed.^[9] Each oracle, when generating randomness, uses its own secret key.^[9]

This cryptography-related article is a stub. You can help Wikipedia by expanding it.

• v
• t
• e