Verifiable random function

This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Verifiable random function" – news · newspapers · books · scholar · JSTOR (July 2007) (Learn how and when to remove this message)

In cryptography, a verifiable random function (VRF) is a pseudo-random function that provides publicly verifiable proofs of its outputs' correctness. Given an input value x, the owner of the secret key SK can compute the function value y = F_SK(x) and the proof p_SK(x). Using the proof and the public key PK (sometimes known as a verification key and denoted VK^[1]), everyone can check that the value y = F_SK(x) was indeed computed correctly, yet this information cannot be used to find the secret key.^[2] A verifiable random function can be viewed as a public-key analogue of a keyed cryptographic hash^[2] and as a cryptographic commitment to an exponentisally large number of seemingly random bits.^[3] The concept of a verifiable random function is closely related to that of a verifiable unpredictable function (VUF), whose outputs are hard to predict but do not necessarily seem random.^[3][4]

The concept of a VRF was introduced by Micali, Rabin, and Vadhan in 1999.^[4] Since then, verifiable random functions have found widespread use in cryptocurrencies, as well as for proposals in protocol design and cybersecurity^[5].

In 1999, Micali, Rabin, and Vadhan introduced the concept of a VRF and proposed the first such one.^[4] The original construction was rather inefficient: it first produces a verifiable unpredictable function, then uses a hard-core bit to transform it into a VRF; moreover, the inputs have to be mapped to primes in a complicated manner: namely, by using a prime sequence generator that generates primes with overwhelming probability.^[3][4] The verifiable unpredictable function thus proposed, which is provably secure if a variant of the RSA problem is hard, is defined as follows: The public key PK is ${\displaystyle (m,r,Q,coins)}$, where m is the product of two random primes, r is a number randomly selected from ${\displaystyle \mathbb {Z} _{r}^{*}}$, coins is a randomly selected set of bits, and Q a function selected randomly from all polynomials of degree ${\displaystyle 2k^{2}-1}$ over the field ${\displaystyle GF(2^{k})}$. The secret key is ${\displaystyle (PK,\phi (m))}$. Given an input x and a secret key SK, the VUF uses the prime sequence generator to pick a corresponding prime ${\displaystyle p_{x}}$ (the generator requires auxiliary inputs Q and coins), and then computes and outputs ${\displaystyle r^{1/p_{x}}{\pmod {m}}}$, which is easily done by knowledge of ${\displaystyle \phi (m)}$.^[4]

Later, in 2005, an efficient and practical verifiable random function was proposed by Dodis and Yampolskiy.^[3][6] When the input ${\displaystyle x}$ is from a small domain (the authors then extend it to a larger domain), the function can be defined as follows:

${\displaystyle F_{SK}(x)=e(g,g)^{1/(x+SK)}\quad {\mbox{and}}\quad p_{SK}(x)=g^{1/(x+SK)},}$

where e(·,·) is a bilinear map. To verify whether ${\displaystyle F_{SK}(x)}$ was computed correctly or not, one can check if ${\displaystyle e(g^{x}PK,p_{SK}(x))=e(g,g)}$ and ${\displaystyle e(g,p_{SK}(x))=F_{SK}(x)}$.^[3][6] To extend this to a larger domain, the authors use a tree construction and a universal hash function.^[3] This is secure if it is hard to break the "q-Diffie-Helman inversion assumption", which states that no algorithm given ${\displaystyle (g,g^{x},\dots ,g^{x^{q}})}$ can compute ${\displaystyle g^{1/x}}$, and the "q-decisional bilinear Diffie-Helman inversion assumption", which states that it is impossible for an efficient algorithm given ${\displaystyle (g,g^{x},\ldots ,g^{(x^{q})},R)}$ as input to distinguish ${\displaystyle R=e(g,g)^{1/x}}$ from random, in the group ${\displaystyle \mathbb {G} }$.^[3][6]

In 2015, Hofheinz and Jager constructed a VRF which is provably secure given any member of the "(n − 1)-linear assumption family", which includes the decision linear assumption.^[7] This is the first such VRF constructed that does not depend on a "Q-type complexity assumption".^[7]

In 2019, Bitansky showed that VRFs exist if non-interactive witness-indistinguishable proofs (that is, weaker versions of non-interactive zero-knowledge proofs for NP problems that only hide the witness that the prover uses^[1][8]), non-interactive cryptographic commitments, and single-key constrained pseudorandom functions (that is, pseudorandom functions that only allow the user to evaluate the function with a preset constrained subset of possible inputs^[9]) also do.^[1]

In 2020, Esgin et al. proposed a post-quantum secure VRF based on lattice-based cryptography.^[10]

VRFs provide deterministic precommitments which can be revealed at a later time using proofs which can only be generated by a private key. This is useful for providing a 1:1 mapping of low entropy inputs (e.g. names, email addresses, phone numbers) to some random values which can be committed to in advance, e.g. through a timestamping service such as a transparency log.^{[11][verification needed][better source needed]}

Unlike traditional digital signature algorithms, VRF outputs can be published publicly without being subject to a preimage attack, even if the verifier knows the public key (but not the proof). This is useful to prevent enumeration of the names/identifiers in a directory which is using a transparency system.^{[2][verification needed]}

VRFs have been used to make:

• Resettable zero-knowledge proofs with three rounds (in the bare model)^{[3][clarification needed]}
• A non-interactive lottery system^[3]
• A verifiable transaction escrow scheme^[3]

DNSSEC is a system that prevents attackers from tampering with Domain Name System messages, but also suffers from the vulnerability of zone enumeration. The proposed NSEC5 system, which uses VRFs^[how?], provably prevents this kind of attack.^{[12][importance?]}

Cardano and Polkadot implement VRFs for block production.^[13][14]

The Internet Computer cryptocurrency uses a VRF to produce a decentralized random beacon whose output is unpredictable to anyone until they become available to everyone.^[15] More precisely, its protocol allows clients to agree on a VRF (i.e. a commitment to a deterministic pseudorandom sequence) and to produce one new output thereof every round by using threshold signatures and distributed key generation.^[15]

Algorand uses VRFs to perform cryptographic sortition.^[16][17] In this platform, every block produces a new random selection seed, and a user secretly checks whether they were selected to participate in the consensus protocol by evaluating a VRF with their secret participation key and the selection seed.^[16] (This also produces a proof, which the user can send to anyone to show that they have been selected to participate.^[16]) Thusly, accounts are selected to propose blocks for a given round.^[16] The particular VRF that Algorand uses is based on elliptic-curve cryptography, specifically Curve25519;^[10] proposed by Sharon Goldberg, Moni Naor, Dimitris Papadopoulos, Leonid Reyzin, and Jan Včelák, the function is currently undergoing standardization.^[17][18] Algorand's own implementation of this function has been open-source since October 2018.^[17]

VRFs based on elliptic curve cryptography have been implemented in the programming language Solidity.^{[19][importance?]}

In May 2020, Chainlink announced that it launched Chainlink VRF, a service that uses verifiable random functions to generate verifiable randomness on-chain.^[20] To use Chainlink VRF, a smart contract supplies a seed (which should be unpredictable to the oracles to whom it is provided), and the seed in turn is used to generate a random number that is sent back to the contract; this is published on-chain along with a proof and verified using the oracle's public key and the application's seed.^[20] Each oracle, when generating randomness, uses its own secret key.^[20]

In July 2021, Harmony, a cryptocurrency project that bridges between blockchains^[how?], announced that it had introduced VRFs^[how?].^[21] The same month, Oraichain, a cryptocurrency project involving [[Artificial intelligence|artificial intelligence^[how?]]], made the same kind of announcement.^[22]

This cryptography-related article is a stub. You can help Wikipedia by expanding it.

• v
• t
• e