Verifiable random function

This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Verifiable random function" – news · newspapers · books · scholar · JSTOR (July 2007) (Learn how and when to remove this message)

In cryptography, the concept of a verifiable random function was introduced by Micali, Rabin, and Vadhan.^[1] It is a pseudo-random function that provides publicly verifiable proofs of its outputs' correctness. Given an input value x, the owner of the secret key SK can compute the function value y = F_SK(x) and the proof p_SK(x). Using the proof and the public key ${\displaystyle PK=g^{SK}}$, everyone can check that the value y = F_SK(x) was indeed computed correctly, yet this information cannot be used to find the secret key.

The original construction was rather inefficient. Recently, an efficient and practical verifiable random function was proposed by Yevgeniy Dodis and Aleksandr Yampolskiy.^[2] In their construction,

${\displaystyle F_{SK}(x)=e(g,g)^{1/(x+SK)}\quad {\mbox{and}}\quad p_{SK}(x)=g^{1/(x+SK)},}$

where e(·,·) is a bilinear map. To verify whether ${\displaystyle F_{SK}(x)}$ was computed correctly or not, one can check if ${\displaystyle e(g^{x}PK,p_{SK}(x))=e(g,g)}$.

The proof of security relies on a new decisional bilinear Diffie-Hellman inversion assumption, which asks given ${\displaystyle (g,g^{x},\ldots ,g^{(x^{q})},R)}$ as input to distinguish ${\displaystyle R=e(g,g)^{1/x}}$ from random.

This cryptography-related article is a stub. You can help Wikipedia by expanding it.

• v
• t
• e