
On the Real-World Instantiability of Admissible Hash Functions and Efficient Verifiable Random Functions

Conference paper. Selected Areas in Cryptography – SAC 2019 (SAC 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11959)

Abstract

Verifiable random functions (VRFs) are essentially digital signatures with additional properties, namely verifiable uniqueness and pseudorandomness, which make VRFs a useful tool, e.g., to prevent enumeration in DNSSEC Authenticated Denial of Existence and the CONIKS key management system, or in the random committee selection of the Algorand blockchain.

Most standard-model VRFs rely on admissible hash functions (AHFs) to achieve security against adaptive attacks in the standard model. Known AHF constructions are based on error-correcting codes, which yield asymptotically efficient constructions. However, previous works do not clarify how the code should be instantiated concretely in the real world. The rate and the minimal distance of the selected code have significant impact on the efficiency of the resulting cryptosystem, and therefore it is unclear if and how the aforementioned constructions can be used in practice.

First, we explain inherent limitations of code-based AHFs. Concretely, we show that even if we were given codes that achieve the well-known Gilbert-Varshamov or McEliece-Rodemich-Rumsey-Welch bounds, existing AHF-based constructions of verifiable random functions (VRFs) can only be instantiated quite inefficiently. Then we introduce and construct computational AHFs (cAHFs). While classical AHFs are information-theoretic, and therefore work even in the presence of computationally unbounded adversaries, cAHFs provide security only against computationally bounded adversaries. However, we show that cAHFs can be instantiated significantly more efficiently. Finally, we use our cAHF to construct the currently most efficient verifiable random function with full adaptive security in the standard model.

Tibor Jager: Supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme, grant agreement 802823.

David Niehues: Supported by the German Research Foundation (DFG) within the Collaborative Research Center “On-The-Fly Computing” (SFB 901/3).


Notes

  1. That is, digital signatures where for any given (public key, message)-pair there exists only one unique string that is accepted as a signature by the verification algorithm.

  2. Codes based on expander graphs can get close to this bound, while not achieving it [43].

  3. For the VRFs in [22, 25, 27, 29, 48] this is identical to the input length.

  4. A detailed discussion of keyed hash functions can be found in [28].

  5. One could tighten the upper bound \(t_\mathcal {B} \) to \(t_\mathcal {A} + Q\). However, it would at most save a factor of two in the run time of \(\mathcal {B} \) and would complicate the analysis. We therefore use the slightly less tight bound.

  6. We do not consider the VRF in Appendix C of [48], because it relies on a polynomial q-type assumption.

References

  1. Abdalla, M., Fiore, D., Lyubashevsky, V.: From selective to full security: semi-generic transformations in the standard model. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 316–333. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_19

  2. Attrapadung, N., Matsuda, T., Nishimaki, R., Yamada, S., Yamakawa, T.: Adaptively single-key secure constrained PRFs for NC1. IACR Cryptol. ePrint Arch. 2018, 1000 (2018)

  3. Attrapadung, N., Matsuda, T., Nishimaki, R., Yamada, S., Yamakawa, T.: Constrained PRFs for \(\rm NC^1\) in traditional groups. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 543–574. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_19

  4. Bellare, M., Ristenpart, T.: Simulation without the artificial abort: simplified proof and improved concrete security for Waters’ IBE scheme. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 407–424. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_24

  5. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 93, pp. 62–73. ACM Press (November 1993)

  6. Bellare, M., Rogaway, P.: The exact security of digital signatures-how to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_34

  7. Bitansky, N.: Verifiable random functions from non-interactive witness-indistinguishable proofs. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 567–594. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_19

  8. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_14

  9. Boneh, D., Boyen, X.: Secure identity based encryption without random oracles. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 443–459. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_27

  10. Boneh, D., Franklin, M.K.: Identity based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)

  11. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004)

  12. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)

  13. Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. J. Cryptol. 25(4), 601–639 (2012)

  14. Chen, Y., Huang, Q., Zhang, Z.: Sakai-Ohgishi-Kasahara identity-based non-interactive key exchange revisited and more. Int. J. Inf. Secur. 15(1), 15–33 (2016)

  15. Cheon, J.H.: Security analysis of the strong Diffie-Hellman problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_1

  16. Dumer, I., Micciancio, D., Sudan, M.: Hardness of approximating the minimum distance of a linear code. In: 40th Annual Symposium on Foundations of Computer Science, FOCS 1999, 17–18 October, 1999, New York, NY, USA, pp. 475–485. IEEE Computer Society (1999)

  17. Freire, E.S.V., Hofheinz, D., Paterson, K.G., Striecks, C.: Programmable hash functions in the multilinear setting. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 513–530. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_28

  18. Gilad, Y., Hemo, R., Micali, S., Vlachos, G., Zeldovich, N.: Algorand: scaling byzantine agreements for cryptocurrencies. In: Proceedings of the 26th Symposium on Operating Systems Principles, Shanghai, China, October 28–31, 2017, pp. 51–68. ACM (2017)

  19. Gilbert, E.N.: A comparison of signalling alphabets. Bell Syst. Tech. J. 31, 504–522 (1952)

  20. Goldberg, S., Reyzin, L., Papadopoulos, D., Vcelak, J.: Verifiable random functions (VRFs). Internet-Draft draft-irtf-cfrg-vrf-04, IETF Secretariat, February 2019. http://www.ietf.org/internet-drafts/draft-irtf-cfrg-vrf-04.txt

  21. Grassl, M.: Bounds on the minimum distance of linear codes and quantum codes (2007). http://www.codetables.de. Accessed 20 Jan 2019

  22. Hofheinz, D., Jager, T.: Verifiable random functions from standard assumptions. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 336–362. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_14

  23. Hofheinz, D., Jager, T., Kiltz, E.: Short signatures from weaker assumptions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 647–666. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_35

  24. Hofheinz, D., Kiltz, E.: Programmable hash functions and their applications. J. Cryptol. 25(3), 484–527 (2012)

  25. Jager, T.: Verifiable random functions from weaker assumptions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 121–143. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_5

  26. Jager, T., Kurek, R.: Short digital signatures and ID-KEMs via truncation collision resistance. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11273, pp. 221–250. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_8

  27. Katsumata, S.: On the untapped potential of encoding predicates by arithmetic circuits and their applications. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 95–125. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_4

  28. Katz, J., Lindell, Y.: Introduction to Modern Cryptography. Chapman and Hall/CRC Press, Boca Raton (2007)

  29. Kohl, L.: Hunting and gathering – verifiable random functions from standard assumptions with short proofs. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 408–437. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_14

  30. Libert, B., Stehlé, D., Titiu, R.: Adaptively secure distributed PRFs from \(\sf LWE\). In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 391–421. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_15

  31. Lysyanskaya, A.: Unique signatures and verifiable random functions from the DH-DDH separation. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 597–612. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_38

  32. MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error Correcting Codes, 10th edn. North Holland Mathematical Library, Amsterdam (1998)

  33. McEliece, R.J., Rodemich, E.R., Rumsey Jr., H., Welch, L.R.: New upper bounds on the rate of a code via the Delsarte-MacWilliams inequalities. IEEE Trans. Inf. Theory 23(2), 157–166 (1977)

  34. Melara, M.S., Blankstein, A., Bonneau, J., Felten, E.W., Freedman, M.J.: CONIKS: bringing key transparency to end users. In: Jung, J., Holz, T. (eds.) USENIX Security 2015, pp. 383–398. USENIX Association (August 2015)

  35. Micali, S., Rabin, M.O., Vadhan, S.P.: Verifiable random functions. In: 40th FOCS, pp. 120–130. IEEE Computer Society Press (October 1999)

  36. National Institute of Standards and Technology. FIPS PUB 180–4: Secure hash standard, August 2015. https://doi.org/10.6028/NIST.FIPS.180-4

  37. National Institute of Standards and Technology. FIPS PUB 202: SHA-3 standard: permutation-based hash and extendable-output functions, August 2015. https://doi.org/10.6028/NIST.FIPS.202

  38. Papadopoulos, D., et al.: Making NSEC5 practical for DNSSEC. Cryptol. ePrint Arch. Rep. 2017, 099 (2017). http://eprint.iacr.org/2017/099

  39. Peterson, W.W., Weldon, E.J.: Error-Correcting Codes, 2nd edn. MIT Press, Cambridge (1988). 9 print edition

  40. Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. Cryptol. ePrint Arch. Rep. 2004, 332 (2004). http://eprint.iacr.org/2004/332

  41. Shum, K.W., Aleshnikov, I., Kumar, P.V., Stichtenoth, H., Deolalikar, V.: A low-complexity algorithm for the construction of algebraic-geometric codes better than the Gilbert-Varshamov bound. IEEE Trans. Inf. Theory 47(6), 2225–2241 (2001)

  42. Sipser, M., Spielman, D.A.: Expander codes. IEEE Trans. Inf. Theory 42(6), 1710–1722 (1996)

  43. Ta-Shma, A.: Explicit, almost optimal, epsilon-balanced codes. In: Hatami, H., McKenzie, P., King, V. (eds.) Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2017, Montreal, QC, Canada, June 19–23, 2017, pp. 238–251. ACM (2017)

  44. Vardy, A.: The intractability of computing the minimum distance of a code. IEEE Trans. Inf. Theory 43(6), 1757–1766 (1997)

  45. Varshamov, R.R.: Estimate of the number of signals in error correcting codes. Doklady Akad. Nauk SSSR 117(5), 739–741 (1957)

  46. Vcelak, J., Goldberg, S., Papadopoulos, D., Huque, S., Lawrence, D.: NSEC5, DNSSEC authenticated denial of existence. Internet-Draft draft-vcelak-nsec5-08, IETF Secretariat, December 2018. http://www.ietf.org/internet-drafts/draft-vcelak-nsec5-08.txt

  47. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_7

  48. Yamada, S.: Asymptotically compact adaptively secure lattice IBEs and verifiable random functions via generalized partitioning techniques. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 161–193. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_6

  49. Zémor, G.: On expander codes. IEEE Trans. Inf. Theory 47(2), 835–837 (2001)

Corresponding author: David Niehues.

Appendices

A Verifiable Random Functions and Their Security

Verifiable random functions are essentially pseudorandom functions, where each function \(V_\mathsf {sk}\) is associated with a secret key \(\mathsf {sk}\) and a corresponding public verification key \(\mathsf {vk}\). Given \(\mathsf {sk}\) and an element X from the domain of \(V_\mathsf {sk}\), one can efficiently compute a non-interactive, publicly verifiable proof \(\pi \) that \(Y = V_\mathsf {sk}(X)\) was computed correctly. For security it is required that for each X only one unique value Y such that the statement “\(Y = V_\mathsf {sk}(X)\)” can be proven may exist (unique provability), and that \(V_\mathsf {sk}(X)\) is indistinguishable from random, if no corresponding proof is given (pseudorandomness).

Syntax of VRFs. Formally, a VRF consists of algorithms \((\mathsf {Gen},\mathsf {Eval},\mathsf {Vfy})\) with the following syntax.

  • \((\mathsf {vk},\mathsf {sk}) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf {Gen} (1^k)\) takes as input a security parameter \(k\) and outputs a key pair \((\mathsf {vk},\mathsf {sk})\). We say that \(\mathsf {sk}\) is the secret key and \(\mathsf {vk}\) is the verification key.

  • \((Y,\pi ) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf {Eval} (\mathsf {sk},X)\) takes as input a secret key \(\mathsf {sk}\) and \(X \in \{0,1\}^k\), and outputs a function value \(Y \in \mathcal {Y} \), where \(\mathcal {Y} \) is a finite set, and a proof \(\pi \). We write \(V_\mathsf {sk}(X)\) to denote the function value Y computed by \(\mathsf {Eval} \) on input \((\mathsf {sk},X)\).

  • \(\mathsf {Vfy} (\mathsf {vk},X,Y,\pi ) \in \{0,1\}\) takes as input a verification key \(\mathsf {vk}\), \(X \in \{0,1\}^k\), \(Y \in \mathcal {Y} \), and proof \(\pi \), and outputs a bit.

Fig. 1. Procedures defining the VRF security experiment.

Definition 9

\((\mathsf {Gen},\mathsf {Eval},\mathsf {Vfy})\) is a verifiable random function (VRF) if all of the following hold.

  • Correctness. For all \((\mathsf {vk},\mathsf {sk}) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf {Gen} (1^k)\) and \(X \in \{0,1\}^k\) holds: if \((Y,\pi ) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf {Eval} (\mathsf {sk},X)\), then \(\mathsf {Vfy} (\mathsf {vk},X,Y,\pi ) = 1\). Algorithms \(\mathsf {Gen} \), \(\mathsf {Eval} \), \(\mathsf {Vfy} \) are polynomial-time.

  • Unique Provability. For all \((\mathsf {vk},\mathsf {sk}) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf {Gen} (1^k)\) and all \(X \in \{0,1\}^k\), there does not exist any tuple \((Y_0,\pi _0,Y_1,\pi _1)\) such that \(Y_0 \ne Y_1\) and \(\mathsf {Vfy} (\mathsf {vk},X,Y_0,\pi _0) = \mathsf {Vfy} (\mathsf {vk},X,Y_1,\pi _1) = 1\).

  • Pseudorandomness. Consider an attacker \(\mathcal {A}\) with access (via oracle queries) to the procedures defined in Fig. 1. Let \(G_\mathsf {VRF} ^\mathcal {A} \) denote the game where \(\mathcal {A}\) first queries \(\mathsf {Initialize}\), then \(\mathsf {Challenge}\), then \(\mathsf {Finalize} \). The output of \(\mathsf {Finalize} \) is the output of the game. Moreover, \(\mathcal {A}\) may arbitrarily issue \(\mathsf {Evaluate}\)-queries, but only after querying \(\mathsf {Initialize}\) and before querying \(\mathsf {Finalize} \). We say that \(\mathcal {A}\) is legitimate, if \(\mathcal {A}\) never queries \(\mathsf {Evaluate} (X)\) and \(\mathsf {Challenge} (X^*)\) with \(X = X^*\) throughout the game. We define the advantage of \(\mathcal {A}\) in breaking the pseudorandomness as

    $$ \mathsf {Adv}_{\mathcal {A}}^{\mathsf {VRF}} (k) := \Pr \left[ G_\mathsf {VRF} ^\mathcal {A} =1\right] - 1/2 $$

B Proof of Theorem 5

We prove Theorem 5 with a sequence of games. In the sequel let us write \(X_i\) to denote the event that Game i outputs “1” (Fig. 2).

Fig. 2. Procedures used in the proof of Theorem 5. New or modified statements are highlighted in boxes.

Game 0

This is the original VRF security game, as described in Definition 9. By definition, we have

$$\begin{aligned} \Pr \left[ X_{0}\right] = 1/2 + \mathsf {Adv}_{\mathcal {A}}^{\mathsf {VRF}} (k) \end{aligned}$$

Game 1

Recall that Theorem 5 assumes knowledge of (sufficiently close approximations of) the running time \(t_\mathcal {A} \) and the advantage \(\epsilon _\mathcal {A} \). In this game we replace the \(\mathsf {Finalize} \) procedure with \(\mathsf {Finalize} _{1}\), which additionally uses \(t_\mathcal {A} \) and \(\epsilon _\mathcal {A} \) by running \(K {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{\mathsf {AdmSmp}}(t_\mathcal {A},\epsilon _\mathcal {A})\), as depicted in Fig. 1. Note that K now defines the function \(F_{K, H}(X)\) from Eq. 6 and events \(\mathsf {coll}\) and \(\mathsf {badchal}\) as

$$\begin{aligned} \mathsf {badchal}\iff&F_{K,H}(X^*) \ne 0 \\ \mathsf {coll}\iff&\exists i,j \text { with } X^{(i)} \ne X^{(j)} \text { s.t. }\\&\;\, \forall \ell \in [n]: H(X^{(i)})_\ell = H(X^{(j)})_\ell \vee K_\ell = \bot \end{aligned}$$

like in Definition 6. Note that we denote with \(X^{(1)}, \ldots , X^{(Q)}\) the values queried by \(\mathcal {A}\) to \(\mathsf {Evaluate} \), and with \(X^*\) the value queried to \(\mathsf {Challenge} \). These modifications are purely conceptual and perfectly hidden from \(\mathcal {A}\), such that we have

$$\begin{aligned} \Pr \left[ X_{1}\right] = \Pr \left[ X_{0}\right] . \end{aligned}$$

Game 2

This game proceeds identically to Game 1, except that we replace \(\mathsf {Finalize} _{1}\) with \(\mathsf {Finalize} _{2}\) from Fig. 1. By applying Shoup’s Difference Lemma [40], we get

$$\begin{aligned} \Pr \left[ X_{2}\right] \ge \Pr \left[ X_{1}\right] - \Pr \left[ \mathsf {coll}\right] . \end{aligned}$$

Game 3

This game proceeds identically to Game 2, except that we replace \(\mathsf {Finalize} _{2}\) with \(\mathsf {Finalize} _{3}\), which outputs a random bit if \(\mathsf {badchal}\) occurs. We have

$$\begin{aligned} \Pr \left[ X_{3}\right]&= \Pr \left[ X_{3}\wedge \mathsf {badchal}\right] + \Pr \left[ X_{3}\wedge \lnot \mathsf {badchal}\right] \\&= \Pr \left[ X_{3}\mid \mathsf {badchal}\right] \left( 1-\Pr \left[ \lnot \mathsf {badchal}\right] \right) + \Pr \left[ X_{3}\mid \lnot \mathsf {badchal}\right] \Pr \left[ \lnot \mathsf {badchal}\right] \\&= 1/2 + \Pr \left[ \lnot \mathsf {badchal}\right] \left( \Pr \left[ X_{3}\mid \lnot \mathsf {badchal}\right] -1/2\right) \\&= 1/2 + \Pr \left[ \lnot \mathsf {badchal}\right] \left( \Pr \left[ X_{2}\mid \lnot \mathsf {badchal}\right] -1/2\right) \\&= 1/2 + \Pr \left[ \lnot \mathsf {badchal}\right] \left( \Pr \left[ X_{2}\right] -1/2\right) \end{aligned}$$

The third equality uses that \(\Pr \left[ X_{3}\mid \mathsf {badchal}\right] = 1/2\), since a random bit is returned if \(\mathsf {badchal}\) occurs, the fourth uses that by definition of the games it holds that \(\Pr \left[ X_{3}\mid \lnot \mathsf {badchal}\right] = \Pr \left[ X_{2}\mid \lnot \mathsf {badchal}\right] \), and the last uses \(\Pr \left[ X_{2}\mid \lnot \mathsf {badchal}\right] = \Pr \left[ X_{2}\right] \), since Game 2 is independent of \(\mathsf {badchal}\). This is because K is only sampled after \(\mathcal {A} \) made all its queries and stated its challenge and K is therefore perfectly hidden from \(\mathcal {A} \).

Game 4

We replace events \(\mathsf {badchal}\) and \(\mathsf {coll}\) with an equivalent event, in order to simplify the construction of adversary \(\mathcal {B} \). We let \(\mathsf {bad}\) denote the event that \(\mathsf {coll}\vee \mathsf {badchal}\). In Game 3 the experiment outputs a random bit \(b^*{\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\{0,1\}\) if \((\mathsf {badchal}\vee \mathsf {coll})\) occurs. Now we output a random bit if \(\mathsf {bad}\) occurs, which is equivalent. Formally, we achieve this by replacing \(\mathsf {Finalize} _{3}\) with \(\mathsf {Finalize} _{4}\) as defined in Fig. 1, and get

$$\begin{aligned} \Pr \left[ X_{4}\right] = \Pr \left[ X_{3}\right] \end{aligned}$$

Thus, summing up probabilities from Game 0 to Game 4, we get

$$\begin{aligned} \Pr \left[ X_{4}\right]&\ge 1/2 + \Pr \left[ \lnot \mathsf {badchal}\right] \left( \Pr \left[ X_0\right] -1/2-\Pr \left[ \mathsf {coll}\right] \right) \nonumber \\&=1/2 + \Pr \left[ \lnot \mathsf {badchal}\right] \left( \epsilon _\mathcal {A}-\Pr \left[ \mathsf {coll}\right] \right) \nonumber \\&\ge 1/2 + \tau (k) \end{aligned}$$
(8)

for some non-negligible function \(\tau (k)\), where the last inequality is due to the definition of cAHFs (see Eq. 7).

Reduction From the q-DDH Assumption. Now we are ready to describe our algorithm \(\mathcal {B}\) that solves the q-DDH problem by perfectly simulating Game 4 for adversary \(\mathcal {A}\). When instantiated with the computational AHF from Theorem 4, a \(q \)-DDH instance with \(q = \left\lceil \log \left( 4 t_\mathcal {A}(2t_\mathcal {A}-1)/\epsilon _\mathcal {A} \right) \right\rceil \) is sufficient.

The only minor difference between Game 3 and the simulation by \(\mathcal {B}\) is that \(\mathcal {B}\) aborts “as early as possible”. That is, it samples the AHF key \(K {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{\mathsf {AdmSmp}}(1^k, t_\mathcal {A},\epsilon _\mathcal {A})\) and random bit \(b^*\) already in the \(\mathsf {Initialize} \) procedure, and checks whether \(\mathsf {bad}\) occurs after each \(\mathsf {Evaluate}\) or \(\mathsf {Challenge}\) query of \(\mathcal {A}\). If \(\mathsf {bad}\) occurs, then it immediately outputs \(b^*\), rather than waiting for the adversary to query \(\mathsf {Finalize} \). Obviously, this does not modify the probability of \(X_{4}\). The proof proceeds now exactly as in [25], as described in Appendix C for completeness.

\(\mathcal {B}\)’s Running Time. The running time \(t_\mathcal {B} \) of \(\mathcal {B}\) consists essentially of the running time \(t_\mathcal {A} \) of \(\mathcal {A} \) plus a minor number of additional operations, thus we have \(t_\mathcal {B} \approx t_\mathcal {A} \).

\(\mathcal {B}\)’s Success Probability. Let \(c \in \{0,1\}\) denote the random bit chosen by the \(q \mathsf {DDH}\) challenger. \(\mathcal {B}\) perfectly simulates \(G_\mathsf {VRF} ^\mathcal {A} \) with \(b=c\). Hence, by Eq. 8, we get

$$\begin{aligned} \mathsf {Adv}_{\mathcal {B}}^{{q \mathsf {DDH}}} (k) \ge \Pr \left[ X_{4}\right] \ge 1/2 + \tau (k) \end{aligned}$$

for a non-negligible function \(\tau \). In particular, when instantiated concretely with the computational AHF from Theorem 4, then we have

$$\begin{aligned} \mathsf {Adv}_{\mathcal {B}}^{{q \mathsf {DDH}}} (k) \ge 1/2 + \epsilon _\mathcal {A}^2/(32 t_\mathcal {A}^2 - 16t_\mathcal {A}) \end{aligned}$$

C Full Proof of VRF Security

We proceed by providing the full proof of security of the VRF. For this purpose, let \(\mathcal {B} \) be the following algorithm. \(\mathcal {B} \) receives as input \((g,g^x, \ldots , g^{x^q},h,T)\). Whenever \(\mathcal {A}\) queries \(\mathsf {Initialize}\), \(\mathsf {Evaluate}\), \(\mathsf {Challenge}\), or \(\mathsf {Finalize}\), \(\mathcal {B}\) executes the corresponding procedure from Fig. 3. Finally, it outputs either the random bit \(b^*\) if event \(\mathsf {bad}\) occurs, or otherwise whatever \(\mathsf {Finalize}\) returns. Note that \(\mathcal {B} \) already outputs the random bit \(b^*\) if \(\mathcal {A} \) makes a query \(X^{(i)}\) with \(F_{K,H}(X^{(i)})=0\), because then either \(\mathsf {coll}\) or \(\mathsf {badchal}\) must occur throughout the experiment.

Fig. 3. Procedures for the simulation of the VRF pseudorandomness experiment by \(\mathcal {B}\).

Initialization. The values \((g,h,g^x)\) in \(\mathsf {Initialize}\) are from the \(q \mathsf {DDH}\)-challenge. \(\mathcal {B}\) computes the \(g_{i,j}\)-values exactly as in the original \(\mathsf {Gen} \)-algorithm, by choosing \(\alpha _{i,j} {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {Z} _{|\mathbb {G} |}\) and setting \(g_{i,j} := g^{\alpha _{i,j}}\), but with the exception that

$$ g_{i,K_i} := g^{x + \alpha _{i,K_i}}. $$

for all \((i,j) \in [n] \times \{0,1\}\) with \(K_i \ne \bot \). Due to our choice of a computational admissible hash function according to Theorem 5, there are exactly \(q +1\) components \(K_i\) of K which are not equal to \(\bot \). All \(g_{i,K_i}\)-values are distributed correctly.

Helping Definitions. To explain how \(\mathcal {B} \) responds to \(\mathsf {Evaluate}\) and \(\mathsf {Challenge}\) queries made by \(\mathcal {A}\), we define two sets \(I_{K,w,X}\) and \(J_{K,w,X}\), which depend on an AHF key K, a VRF input \(X \in \{0,1\}^k\), and integer \(w \in \mathbb {N} \) with \(1 \le w \le n\), as

$$ I_{K,w,X} := \{i \in [w] : K_i = H(X)_i\} \qquad \text {and}\qquad J_{K,w,X} := [w] \setminus I_{K,w,X} $$

Note that \(I_{K,w,X}\) denotes the set of all indices \(i \in [w] \subseteq [n]\) such that \(K_i = H(X)_i\), and \(J_{K,w,X}\) denotes the set of all indices in [w] which are not contained in \(I_{K,w,X}\). Based on these sets, we define the polynomial \(P_{K,w,X}(x)\) as

$$ P_{K,w,X}(x) = \prod _{i \in I_{K,w,X}} (x + \alpha _{i,K_i}) \cdot \prod _{i \in J_{K,w,X}} \alpha _{i,K_i} \in \mathbb {Z} _{|\mathbb {G} |}[x]. $$

The following observations were described in [25]:

  1. For all X with \(F_K(X) = 1\), the set \(I_{K,w,X}\) contains at most \(q \) elements, and thus the polynomial \(P_{K,w,X}(x)\) has degree at most \(q \). This implies that if \(F_K(X) = 1\), then \(\mathcal {B}\) can efficiently compute \(g^{P_{K,w,X}(x)}\) for all \(w \in [n]\). To this end, \(\mathcal {B}\) first computes the coefficients \(\gamma _0, \ldots , \gamma _q \) of the polynomial \(P_{K,w,X}(x) = \sum _{i=0}^{q} \gamma _i x^i\) with degree at most \(q \), and then

    $$ g^{P_{K,w,X}(x)} := g^{\sum _{i=0}^{q} \gamma _i x^i} = \prod _{i=0}^q (g^{x^i})^{\gamma _i} $$

    using the terms \((g,g^x, \ldots , g^{x^q})\) from the \(q \)-DDH challenge.

  2. If \(F_K(X) = 0\), then \(P_{K,n,X}(x)\) has degree \(q +1\). We do not know how \(\mathcal {B}\) can efficiently compute \(g^{P_{K,n,X}(x)}\) in this case.

Responding to \(\mathsf {Evaluate} \)-Queries. If \(F_K(X) = 1\), then procedure \(\mathsf {Evaluate} \) computes the group elements \(g^{P_{K,w,X}(x)}\) as explained above. Note that in this case the response to the \(\mathsf {Evaluate} (X)\)-query of \(\mathcal {A}\) is correct. If \(F_K(X) = 0\), then \(\mathcal {B}\) outputs the random bit \(b^*\) and aborts.
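The two observations above and the handling of \(\mathsf {Evaluate}\)-queries, carried out concretely in an added example that is not part of the paper or of the authors' code. It models \(\mathcal {B}\) in a constructed toy group (the order-1019 subgroup of \(\mathbb {Z}_{2039}^*\), no pairing): the key K has exactly \(q+1\) non-\(\bot\) positions, the constant factor of position i is the exponent of \(g_{i,H(X)_i}\) as set up in the Initialization paragraph, and the check that \(\prod_i (g^{x^i})^{\gamma_i}\) equals the honest value uses x only for comparison, which the real \(\mathcal {B}\) does not know.

```python
import random

# Constructed toy group: 2039 = 2*1019 + 1 is prime, G = 4 generates the
# subgroup of prime order R = 1019. Exponents therefore live in Z_R.
P_MOD = 2039
R = 1019
G = 4
BOT = None  # stands for K_i = ⊥


def f_k(K, hx):
    """F_K(X): 0 iff every non-⊥ key position agrees with H(X), else 1."""
    return 0 if all(k is BOT or k == h for k, h in zip(K, hx)) else 1


def poly_mul(a, b):
    """Multiply polynomials over Z_R given as coefficient lists, low degree first."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % R
    return out


def sim_poly(K, hx, alpha, w):
    """Coefficients gamma_0..gamma_d of P_{K,w,X}(x) as B sees it: position i
    contributes (x + alpha[i][K_i]) when K_i = H(X)_i (that g_{i,K_i} was
    reprogrammed to g^{x + alpha}), and the plain exponent of g_{i,H(X)_i}
    otherwise. len(result) - 1 is the degree, i.e. |I_{K,w,X}|."""
    coeffs = [1]
    for i in range(w):
        if K[i] is not BOT and K[i] == hx[i]:
            coeffs = poly_mul(coeffs, [alpha[i][K[i]] % R, 1])  # (alpha + x)
        else:
            coeffs = poly_mul(coeffs, [alpha[i][hx[i]] % R])     # constant
    return coeffs


def exp_from_powers(powers, coeffs):
    """g^{P(x)} = prod_i (g^{x^i})^{gamma_i} from the q-DDH terms g, g^x, ..., g^{x^q}.
    Fails exactly in observation 2: a degree-(q+1) polynomial needs g^{x^{q+1}}."""
    if len(coeffs) > len(powers):
        raise ValueError("polynomial degree exceeds the available q-DDH powers")
    y = 1
    for g_i, c in zip(powers, coeffs):
        y = y * pow(g_i, c, P_MOD) % P_MOD
    return y


def simulate_evaluate(K, hx, alpha, powers, w):
    """B's answer to Evaluate(X) for prefix length w, or None when B aborts (F_K(X) = 0)."""
    if f_k(K, hx) == 0:
        return None  # B outputs the random bit b* and aborts
    return exp_from_powers(powers, sim_poly(K, hx, alpha, w))


def run_example(seed=7, n=8, q=3):
    """Constructed run: random x and q-DDH powers, K with q+1 keyed positions,
    one query with F_K(X) = 1 and one with F_K(X) = 0. Returns check results."""
    rng = random.Random(seed)
    x = rng.randrange(1, R)                                   # B does not know x
    powers = [pow(G, pow(x, i, R), P_MOD) for i in range(q + 1)]  # g, g^x, ..., g^{x^q}
    alpha = [[rng.randrange(1, R), rng.randrange(1, R)] for _ in range(n)]
    K = [BOT] * n
    for i in rng.sample(range(n), q + 1):                     # exactly q+1 non-⊥ entries
        K[i] = rng.randrange(2)
    hx_bad = [k if k is not BOT else rng.randrange(2) for k in K]  # agrees on all keyed bits
    hx_good = list(hx_bad)
    hx_good[next(i for i, k in enumerate(K) if k is not BOT)] ^= 1  # one keyed bit differs

    def honest(hx, w):
        # Direct evaluation with x known: product of the exponents of g_{i,H(X)_i}.
        e = 1
        for i in range(w):
            a = alpha[i][hx[i]]
            e = e * ((x + a) if K[i] == hx[i] else a) % R
        return pow(G, e, P_MOD)

    return {
        "good_matches": all(simulate_evaluate(K, hx_good, alpha, powers, w) == honest(hx_good, w)
                            for w in range(1, n + 1)),
        "good_degree": len(sim_poly(K, hx_good, alpha, n)) - 1,   # = q
        "bad_degree": len(sim_poly(K, hx_bad, alpha, n)) - 1,     # = q + 1
        "bad_aborts": simulate_evaluate(K, hx_bad, alpha, powers, n) is None,
    }


if __name__ == "__main__":
    print(run_example())
```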

Responding to the \(\mathsf {Challenge} \)-Query. If \(F_K(X^*) = 0\), then procedure \(\mathsf {Challenge}\) computes

$$ Y^* := T^{\gamma _{q+1}} \cdot \prod _{i=1}^q e((g^{x^i})^{\gamma _i},h) = T^{\gamma _{q+1}} \cdot e(g^{\sum _{i=1}^q \gamma _i x^i},h) $$

where \(\gamma _0, \ldots , \gamma _{q +1}\) are the coefficients of the degree-\((q +1)\) polynomial \(P_{K,n,X^*}(x) = \sum _{i=0}^{q +1} \gamma _i x^i\). Note that if \(T = e(g,h)^{x^{q+1}}\), then it holds that \(Y^* = V_\mathsf {sk}(X^*)\). Moreover, if T is uniformly random, then so is \(Y^*\). If \(F_K(X^*) = 1\), then \(\mathcal {B}\) outputs the random bit \(b^*\) and aborts.

D Further comparisons

We provide further comparisons like in Table 2. The results we present are calculated using the formulas stated in Table 1. Compared to Table 2, we provide key and proof sizes for \(k \in \{100, 128, 256\}\) and \(\epsilon \in \{2^{-25}, 2^{-50}\}\). For every combination of k and \(\epsilon \), \(\delta \) is chosen such that the advantages for the instantiation using ECCs and the instantiation using TCRHFs are approximately the same. All variables have the same semantics as in Sect. 4.2. The results show that using the cAHF instantiated with a TCRHF reduces key and proof sizes significantly (Tables 3, 4, 5, 6, 7 and 8).

Table 3. Key and proof sizes for \(k = 100, Q = 2^{25}, t = 2^{50}, \epsilon = 2^{-50}\) and \(\delta = 0.286\). In consequence, we have \(d= 154.\) Puncturing a primitive [4095, 211, 1463] BCH-code 408 times to a [3687, 211, 1055] code yields \(n^{\mathsf {BCH}}= 3687, n^{\mathsf {BCH}}_1 = 61, n^{\mathsf {BCH}}_2 = 61\) and \(\zeta ^{\mathsf {BCH}}= 13.\) If an ECC on the GV bound is used, this implies \(n^{\mathsf {GV}}= 1466, n^{\mathsf {GV}}_1 = 39, n^{\mathsf {GV}}_2 = 39\) and \(\zeta ^{\mathsf {GV}}= 12\). Analogously, if an ECC on the MRRW bound is used, this implies \(n^{\mathsf {MRRW}}= 719, n^{\mathsf {MRRW}}_1 = 27, n^{\mathsf {MRRW}}_2 = 27\) and \(\zeta ^{\mathsf {MRRW}}= 11\). Finally, if the VRFs are instantiated with a cAHF using TCRHFs, we have \(n^{\mathsf {tcrh}}= 203, n^{\mathsf {tcrh}}_1 = 15, n^{\mathsf {tcrh}}_2 = 13, j= 153\) and \(\zeta ^{\mathsf {tcrh}}= 9\).
Table 4. Key and proof sizes for \(k = 100, Q = 2^{25}, t = 2^{50}, \epsilon = 2^{-25}\) and \(\delta = 0.235\). In consequence, we have \(d= 129.\) Puncturing a primitive [2047, 209, 511] BCH-code 39 times to a [2008, 209, 472] code yields \(n^{\mathsf {BCH}}= 2008, n^{\mathsf {BCH}}_1 = 45, n^{\mathsf {BCH}}_2 = 45\) and \(\zeta ^{\mathsf {BCH}}= 12.\) If an ECC on the GV bound is used, this implies \(n^{\mathsf {GV}}= 938, n^{\mathsf {GV}}_1 = 31, n^{\mathsf {GV}}_2 = 31\) and \(\zeta ^{\mathsf {GV}}= 11\). Analogously, if an ECC on the MRRW bound is used, this implies \(n^{\mathsf {MRRW}}= 519, n^{\mathsf {MRRW}}_1 = 23, n^{\mathsf {MRRW}}_2 = 23\) and \(\zeta ^{\mathsf {MRRW}}= 11\). Finally, if the VRFs are instantiated with a cAHF using TCRHFs, we have \(n^{\mathsf {tcrh}}= 203, n^{\mathsf {tcrh}}_1 = 15, n^{\mathsf {tcrh}}_2 = 13, j= 128\) and \(\zeta ^{\mathsf {tcrh}}= 9\).
Table 5. Key and proof sizes for \(k = 128, Q = 2^{25}, t = 2^{50}, \epsilon = 2^{-50}\) and \(\delta = 0.286\). In consequence, we have \(d= 154.\) Puncturing a primitive [4095, 259, 1399] BCH-code 319 times to a [3776, 259, 1080] code yields \(n^{\mathsf {BCH}}= 3776, n^{\mathsf {BCH}}_1 = 62, n^{\mathsf {BCH}}_2 = 62\) and \(\zeta ^{\mathsf {BCH}}= 13.\) If an ECC on the GV bound is used, this implies \(n^{\mathsf {GV}}= 1876, n^{\mathsf {GV}}_1 = 44, n^{\mathsf {GV}}_2 = 44\) and \(\zeta ^{\mathsf {GV}}= 12\). Analogously, if an ECC on the MRRW bound is used, this implies \(n^{\mathsf {MRRW}}= 920, n^{\mathsf {MRRW}}_1 = 31, n^{\mathsf {MRRW}}_2 = 31\) and \(\zeta ^{\mathsf {MRRW}}= 11\). Finally, if the VRFs are instantiated with a cAHF using TCRHFs, we have \(n^{\mathsf {tcrh}}= 259, n^{\mathsf {tcrh}}_1 = 17, n^{\mathsf {tcrh}}_2 = 15, j= 153\) and \(\zeta ^{\mathsf {tcrh}}= 10\).
Table 6. Key and proof sizes for \(k = 128, Q = 2^{25}, t = 2^{50}, \epsilon = 2^{-25}\) and \(\delta = 0.235\). In consequence, we have \(d= 129.\) Puncturing a primitive [2047, 264, 495] BCH-code 18 times to a [2029, 264, 477] code yields \(n^{\mathsf {BCH}}= 2029, n^{\mathsf {BCH}}_1 = 46, n^{\mathsf {BCH}}_2 = 46\) and \(\zeta ^{\mathsf {BCH}}= 12.\) If an ECC on the GV bound is used, this implies \(n^{\mathsf {GV}}= 1200, n^{\mathsf {GV}}_1 = 35, n^{\mathsf {GV}}_2 = 35\) and \(\zeta ^{\mathsf {GV}}= 12\). Analogously, if an ECC on the MRRW bound is used, this implies \(n^{\mathsf {MRRW}}= 664, n^{\mathsf {MRRW}}_1 = 26, n^{\mathsf {MRRW}}_2 = 26\) and \(\zeta ^{\mathsf {MRRW}}= 11\). Finally, if the VRFs are instantiated with a cAHF using TCRHFs, we have \(n^{\mathsf {tcrh}}= 259, n^{\mathsf {tcrh}}_1 = 17, n^{\mathsf {tcrh}}_2 = 15, j= 128\) and \(\zeta ^{\mathsf {tcrh}}= 10\).
Table 7. Key and proof sizes for \(k = 256, Q = 2^{25}, t = 2^{50}, \epsilon = 2^{-50}\) and \(\delta = 0.286\). In consequence, we have \(d= 154.\) Puncturing a primitive [8191, 521, 2731] BCH-code 543 times to a [7648, 521, 2188] code yields \(n^{\mathsf {BCH}}= 7648, n^{\mathsf {BCH}}_1 = 88, n^{\mathsf {BCH}}_2 = 88\) and \(\zeta ^{\mathsf {BCH}}= 14.\) If an ECC on the GV bound is used, this implies \(n^{\mathsf {GV}}= 3751, n^{\mathsf {GV}}_1 = 62, n^{\mathsf {GV}}_2 = 62\) and \(\zeta ^{\mathsf {GV}}= 13\). Analogously, if an ECC on the MRRW bound is used, this implies \(n^{\mathsf {MRRW}}= 1840, n^{\mathsf {MRRW}}_1 = 43, n^{\mathsf {MRRW}}_2 = 43\) and \(\zeta ^{\mathsf {MRRW}}= 12\). Finally, if the VRFs are instantiated with a cAHF using TCRHFs, we have \(n^{\mathsf {tcrh}}= 515, n^{\mathsf {tcrh}}_1 = 23, n^{\mathsf {tcrh}}_2 = 22, j= 153\) and \(\zeta ^{\mathsf {tcrh}}= 11\).
Table 8. Key and proof sizes for \(k = 256, Q = 2^{25}, t = 2^{50}, \epsilon = 2^{-25}\) and \(\delta = 0.235\). In consequence, we have \(d= 129.\) Puncturing a primitive [8191, 520, 2731] BCH-code 1053 times to a [7138, 520, 1678] code yields \(n^{\mathsf {BCH}}= 7138, n^{\mathsf {BCH}}_1 = 85, n^{\mathsf {BCH}}_2 = 85\) and \(\zeta ^{\mathsf {BCH}}= 14.\) If an ECC on the GV bound is used, this implies \(n^{\mathsf {GV}}= 2400, n^{\mathsf {GV}}_1 = 49, n^{\mathsf {GV}}_2 = 49\) and \(\zeta ^{\mathsf {GV}}= 13\). Analogously, if an ECC on the MRRW bound is used, this implies \(n^{\mathsf {MRRW}}= 1328, n^{\mathsf {MRRW}}_1 = 37, n^{\mathsf {MRRW}}_2 = 37\) and \(\zeta ^{\mathsf {MRRW}}= 12\). Finally, if the VRFs are instantiated with a cAHF using TCRHFs, we have \(n^{\mathsf {tcrh}}= 515, n^{\mathsf {tcrh}}_1 = 23, n^{\mathsf {tcrh}}_2 = 22, j= 128\) and \(\zeta ^{\mathsf {tcrh}}= 11\).
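Each caption above starts from a primitive BCH code [n, k, d] and punctures it p times to a [n - p, k, d - p] code whose relative minimum distance (d - p)/(n - p) is just above the chosen \(\delta \). The following Python example is added here and is not code from the paper: it assumes that p is the largest puncturing count that keeps the relative distance at or above \(\delta \) (a rule the paper does not state explicitly, but which reproduces the puncturing counts 408, 39, 319, 18, 543 and 1053 of Tables 3 to 8), and it uses exact rational arithmetic so the boundary case is never decided by floating-point rounding. The helper names and the table of page values are constructed for this example.

```python
from fractions import Fraction
from math import floor


def punctured_code(n, k, d, p):
    """Parameters of an [n, k, d] binary code after deleting p coordinates.

    Puncturing removes p fixed positions from every codeword: the length
    drops by p, the dimension is unchanged (for p < d the map stays
    injective) and the minimum distance drops by at most p. Like the
    captions, we take the worst case d - p.
    """
    if not 0 <= p < d:
        raise ValueError("can puncture at most d - 1 coordinates")
    return n - p, k, d - p


def max_puncturing(n, d, delta):
    """Largest p such that (d - p) / (n - p) >= delta still holds.

    Solving (d - p)/(n - p) >= delta for p gives p <= (d - delta*n)/(1 - delta).
    delta is passed as a string (e.g. "0.286") or a Fraction so that the
    comparison is exact; a float would be converted to its binary value.
    """
    delta = Fraction(delta)
    if not 0 < delta < 1:
        raise ValueError("delta must lie strictly between 0 and 1")
    if Fraction(d, n) < delta:
        raise ValueError("unpunctured code already has relative distance below delta")
    return floor((d - delta * n) / (1 - delta))


def relative_distance(n, d):
    """Exact relative minimum distance d / n."""
    return Fraction(d, n)


def shorten_to_delta(n, k, d, delta):
    """Puncture [n, k, d] as far as possible subject to relative distance >= delta.

    Returns (p, [n', k', d']) and checks that one more puncture would break
    the bound, i.e. that p really is maximal.
    """
    p = max_puncturing(n, d, delta)
    code = punctured_code(n, k, d, p)
    assert relative_distance(code[0], code[2]) >= Fraction(delta)
    if p + 1 < d:
        n1, _, d1 = punctured_code(n, k, d, p + 1)
        assert relative_distance(n1, d1) < Fraction(delta)
    return p, code


# Constructed from the captions of Tables 3 to 8 (primitive code, delta,
# expected puncturing count and resulting code) to check the assumed rule.
PAGE_VALUES = [
    ((4095, 211, 1463), "0.286", 408, (3687, 211, 1055)),  # Table 3
    ((2047, 209, 511), "0.235", 39, (2008, 209, 472)),     # Table 4
    ((4095, 259, 1399), "0.286", 319, (3776, 259, 1080)),  # Table 5
    ((2047, 264, 495), "0.235", 18, (2029, 264, 477)),     # Table 6
    ((8191, 521, 2731), "0.286", 543, (7648, 521, 2188)),  # Table 7
    ((8191, 520, 2731), "0.235", 1053, (7138, 520, 1678)), # Table 8
]


def reproduce_captions():
    """Return True iff the maximal-puncturing rule reproduces every caption."""
    for (n, k, d), delta, p_expected, code_expected in PAGE_VALUES:
        p, code = shorten_to_delta(n, k, d, delta)
        if (p, code) != (p_expected, code_expected):
            return False
    return True


if __name__ == "__main__":
    for (n, k, d), delta, _, _ in PAGE_VALUES:
        p, code = shorten_to_delta(n, k, d, delta)
        print(f"[{n}, {k}, {d}] punctured {p} times -> {list(code)}, "
              f"relative distance {float(relative_distance(code[0], code[2])):.4f}")
    print("all captions reproduced:", reproduce_captions())
```

The point of the exact arithmetic is visible in Table 6, where the slack is smallest: the formula gives p = 18.24, and a float comparison near such a boundary could otherwise shorten the code one coordinate too far and push the relative distance below \(\delta \).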

© 2020 Springer Nature Switzerland AG

Cite this paper

Jager, T., Niehues, D. (2020). On the Real-World Instantiability of Admissible Hash Functions and Efficient Verifiable Random Functions. In: Paterson, K., Stebila, D. (eds) Selected Areas in Cryptography – SAC 2019. SAC 2019. Lecture Notes in Computer Science(), vol 11959. Springer, Cham. https://doi.org/10.1007/978-3-030-38471-5_13

  • DOI: https://doi.org/10.1007/978-3-030-38471-5_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-38470-8

  • Online ISBN: 978-3-030-38471-5
