Abstract
Verifiable random functions (VRFs) are essentially digital signatures with additional properties, namely verifiable uniqueness and pseudorandomness, which make VRFs a useful tool, e.g., to prevent enumeration in DNSSEC Authenticated Denial of Existence and the CONIKS key management system, or in the random committee selection of the Algorand blockchain.
Most standard-model VRFs rely on admissible hash functions (AHFs) to achieve security against adaptive attacks in the standard model. Known AHF constructions are based on error-correcting codes, which yield asymptotically efficient constructions. However, previous works do not clarify how the code should be instantiated concretely in the real world. The rate and the minimum distance of the selected code have a significant impact on the efficiency of the resulting cryptosystem; it is therefore unclear if and how the aforementioned constructions can be used in practice.
First, we explain inherent limitations of code-based AHFs. Concretely, we show that even if we were given codes that achieve the well-known Gilbert-Varshamov or McEliece-Rodemich-Rumsey-Welch bounds, existing AHF-based constructions of verifiable random functions (VRFs) can only be instantiated quite inefficiently. Then we introduce and construct computational AHFs (cAHFs). While classical AHFs are information-theoretic, and therefore work even in the presence of computationally unbounded adversaries, cAHFs provide security only against computationally bounded adversaries. However, we show that cAHFs can be instantiated significantly more efficiently. Finally, we use our cAHF to construct the currently most efficient verifiable random function with full adaptive security in the standard model.
Tibor Jager: Supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme, grant agreement 802823.
David Niehues: Supported by the German Research Foundation (DFG) within the Collaborative Research Center “On-The-Fly Computing” (SFB 901/3).
Notes
1. That is, digital signatures where for any given (public key, message)-pair there exists only one unique string that is accepted as a signature by the verification algorithm.
2. Codes based on expander graphs can get close to this bound, while not achieving it [43].
3.
4. A detailed discussion of keyed hash functions can be found in [28].
5. One could tighten the upper bound \(t_\mathcal {B} \) to \(t_\mathcal {A} + Q\). However, it would at most save a factor of two in the run time of \(\mathcal {B} \) and would complicate the analysis. We therefore use the slightly less tight bound.
6.
References
Abdalla, M., Fiore, D., Lyubashevsky, V.: From selective to full security: semi-generic transformations in the standard model. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 316–333. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_19
Attrapadung, N., Matsuda, T., Nishimaki, R., Yamada, S., Yamakawa, T.: Adaptively single-key secure constrained PRFs for NC1. IACR Cryptol. ePrint Arch. 2018, 1000 (2018)
Attrapadung, N., Matsuda, T., Nishimaki, R., Yamada, S., Yamakawa, T.: Constrained PRFs for \(\rm NC^1\) in traditional groups. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 543–574. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_19
Bellare, M., Ristenpart, T.: Simulation without the artificial abort: simplified proof and improved concrete security for Waters’ IBE scheme. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 407–424. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_24
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 93, pp. 62–73. ACM Press (November 1993)
Bellare, M., Rogaway, P.: The exact security of digital signatures-how to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_34
Bitansky, N.: Verifiable random functions from non-interactive witness-indistinguishable proofs. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 567–594. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_19
Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_14
Boneh, D., Boyen, X.: Secure identity based encryption without random oracles. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 443–459. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_27
Boneh, D., Franklin, M.K.: Identity based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)
Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004)
Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)
Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. J. Cryptol. 25(4), 601–639 (2012)
Chen, Y., Huang, Q., Zhang, Z.: Sakai-Ohgishi-Kasahara identity-based non-interactive key exchange revisited and more. Int. J. Inf. Secur. 15(1), 15–33 (2016)
Cheon, J.H.: Security analysis of the strong Diffie-Hellman problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_1
Dumer, I., Micciancio, D., Sudan, M.: Hardness of approximating the minimum distance of a linear code. In: 40th Annual Symposium on Foundations of Computer Science, FOCS 1999, 17–18 October, 1999, New York, NY, USA, pp. 475–485. IEEE Computer Society (1999)
Freire, E.S.V., Hofheinz, D., Paterson, K.G., Striecks, C.: Programmable hash functions in the multilinear setting. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 513–530. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_28
Gilad, Y., Hemo, R., Micali, S., Vlachos, G., Zeldovich, N.: Algorand: scaling byzantine agreements for cryptocurrencies. In: Proceedings of the 26th Symposium on Operating Systems Principles, Shanghai, China, October 28–31, 2017, pp. 51–68. ACM (2017)
Gilbert, E.N.: A comparison of signalling alphabets. Bell Syst. Tech. J. 31, 504–522 (1952)
Goldberg, S., Reyzin, L., Papadopoulos, D., Vcelak, J.: Verifiable random functions (VRFs). Internet-Draft draft-irtf-cfrg-vrf-04, IETF Secretariat, February 2019. http://www.ietf.org/internet-drafts/draft-irtf-cfrg-vrf-04.txt
Grassl, M.: Bounds on the minimum distance of linear codes and quantum codes (2007). http://www.codetables.de. Accessed 20 Jan 2019
Hofheinz, D., Jager, T.: Verifiable random functions from standard assumptions. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 336–362. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_14
Hofheinz, D., Jager, T., Kiltz, E.: Short signatures from weaker assumptions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 647–666. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_35
Hofheinz, D., Kiltz, E.: Programmable hash functions and their applications. J. Cryptol. 25(3), 484–527 (2012)
Jager, T.: Verifiable random functions from weaker assumptions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 121–143. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_5
Jager, T., Kurek, R.: Short digital signatures and ID-KEMs via truncation collision resistance. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11273, pp. 221–250. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_8
Katsumata, S.: On the untapped potential of encoding predicates by arithmetic circuits and their applications. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 95–125. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_4
Katz, J., Lindell, Y.: Introduction to Modern Cryptography. Chapman and Hall/CRC Press, Boca Raton (2007)
Kohl, L.: Hunting and gathering – verifiable random functions from standard assumptions with short proofs. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 408–437. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_14
Libert, B., Stehlé, D., Titiu, R.: Adaptively secure distributed PRFs from \(\sf LWE\). In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 391–421. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_15
Lysyanskaya, A.: Unique signatures and verifiable random functions from the DH-DDH separation. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 597–612. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_38
MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error Correcting Codes, 10th edn. North Holland Mathematical Library, Amsterdam (1998)
McEliece, R.J., Rodemich, E.R., Rumsey Jr., H., Welch, L.R.: New upper bounds on the rate of a code via the Delsarte-MacWilliams inequalities. IEEE Trans. Inf. Theory 23(2), 157–166 (1977)
Melara, M.S., Blankstein, A., Bonneau, J., Felten, E.W., Freedman, M.J.: CONIKS: bringing key transparency to end users. In: Jung, J., Holz, T. (eds.) USENIX Security 2015, pp. 383–398. USENIX Association (August 2015)
Micali, S., Rabin, M.O., Vadhan, S.P.: Verifiable random functions. In: 40th FOCS, pp. 120–130. IEEE Computer Society Press (October 1999)
National Institute of Standards and Technology. FIPS PUB 180–4: Secure hash standard, August 2015. https://doi.org/10.6028/NIST.FIPS.180-4
National Institute of Standards and Technology. FIPS PUB 202: SHA-3 standard: permutation-based hash and extendable-output functions, August 2015. https://doi.org/10.6028/NIST.FIPS.202
Papadopoulos, D., et al.: Making NSEC5 practical for DNSSEC. Cryptol. ePrint Arch. Rep. 2017, 099 (2017). http://eprint.iacr.org/2017/099
Peterson, W.W., Weldon, E.J.: Error-Correcting Codes, 2nd edn. MIT Press, Cambridge (1988). 9 print edition
Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. Cryptol. ePrint Arch. Rep. 2004, 332 (2004). http://eprint.iacr.org/2004/332
Shum, K.W., Aleshnikov, I., Kumar, P.V., Stichtenoth, H., Deolalikar, V.: A low-complexity algorithm for the construction of algebraic-geometric codes better than the Gilbert-Varshamov bound. IEEE Trans. Inf. Theory 47(6), 2225–2241 (2001)
Sipser, M., Spielman, D.A.: Expander codes. IEEE Trans. Inf. Theory 42(6), 1710–1722 (1996)
Ta-Shma, A.: Explicit, almost optimal, epsilon-balanced codes. In: Hatami, H., McKenzie, P., King, V. (eds.) Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2017, Montreal, QC, Canada, June 19–23, 2017, pp. 238–251. ACM (2017)
Vardy, A.: The intractability of computing the minimum distance of a code. IEEE Trans. Inf. Theory 43(6), 1757–1766 (1997)
Varshamov, R.R.: Estimate of the number of signals in error correcting codes. Doklady Acad. Nauk SSSR 117(5), 739–741 (1957)
Vcelak, J., Goldberg, S., Papadopoulos, D., Huque, S., Lawrence, D.: NSEC5, DNSSEC authenticated denial of existence. Internet-Draft draft-vcelak-nsec5-08, IETF Secretariat, December 2018. http://www.ietf.org/internet-drafts/draft-vcelak-nsec5-08.txt
Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_7
Yamada, S.: Asymptotically compact adaptively secure lattice IBEs and verifiable random functions via generalized partitioning techniques. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 161–193. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_6
Zémor, G.: On expander codes. IEEE Trans. Inf. Theory 47(2), 835–837 (2001)
Appendices
A Verifiable Random Functions and Their Security
Verifiable random functions are essentially pseudorandom functions, where each function \(V_\mathsf {sk}\) is associated with a secret key \(\mathsf {sk}\) and a corresponding public verification key \(\mathsf {vk}\). Given \(\mathsf {sk}\) and an element X from the domain of \(V_\mathsf {sk}\), one can efficiently compute a non-interactive, publicly verifiable proof \(\pi \) that \(Y = V_\mathsf {sk}(X)\) was computed correctly. For security it is required that for each X only one unique value Y such that the statement “\(Y = V_\mathsf {sk}(X)\)” can be proven may exist (unique provability), and that \(V_\mathsf {sk}(X)\) is indistinguishable from random, if no corresponding proof is given (pseudorandomness).
Syntax of VRFs. Formally, a VRF consists of algorithms \((\mathsf {Gen},\mathsf {Eval},\mathsf {Vfy})\) with the following syntax.
- \((\mathsf {vk},\mathsf {sk}) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf {Gen} (1^k)\) takes as input a security parameter \(k\) and outputs a key pair \((\mathsf {vk},\mathsf {sk})\). We say that \(\mathsf {sk}\) is the secret key and \(\mathsf {vk}\) is the verification key.
- \((Y,\pi ) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf {Eval} (\mathsf {sk},X)\) takes as input a secret key \(\mathsf {sk}\) and \(X \in \{0,1\}^k\), and outputs a function value \(Y \in \mathcal {Y} \), where \(\mathcal {Y} \) is a finite set, and a proof \(\pi \). We write \(V_\mathsf {sk}(X)\) to denote the function value Y computed by \(\mathsf {Eval} \) on input \((\mathsf {sk},X)\).
- \(\mathsf {Vfy} (\mathsf {vk},X,Y,\pi ) \in \{0,1\}\) takes as input a verification key \(\mathsf {vk}\), \(X \in \{0,1\}^k\), \(Y \in \mathcal {Y} \), and proof \(\pi \), and outputs a bit.
Definition 9
\((\mathsf {Gen},\mathsf {Eval},\mathsf {Vfy})\) is a verifiable random function (VRF) if all of the following hold.
- Correctness. For all \((\mathsf {vk},\mathsf {sk}) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf {Gen} (1^k)\) and \(X \in \{0,1\}^k\) it holds that if \((Y,\pi ) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf {Eval} (\mathsf {sk},X)\), then \(\mathsf {Vfy} (\mathsf {vk},X,Y,\pi ) = 1\). Algorithms \(\mathsf {Gen} \), \(\mathsf {Eval} \), \(\mathsf {Vfy} \) are polynomial-time.
- Unique Provability. For all \((\mathsf {vk},\mathsf {sk}) {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathsf {Gen} (1^k)\) and all \(X \in \{0,1\}^k\), there does not exist any tuple \((Y_0,\pi _0,Y_1,\pi _1)\) such that \(Y_0 \ne Y_1\) and \(\mathsf {Vfy} (\mathsf {vk},X,Y_0,\pi _0) = \mathsf {Vfy} (\mathsf {vk},X,Y_1,\pi _1) = 1\).
- Pseudorandomness. Consider an attacker \(\mathcal {A}\) with access (via oracle queries) to the procedures defined in Fig. 1. Let \(G_\mathsf {VRF} ^\mathcal {A} \) denote the game where \(\mathcal {A}\) first queries \(\mathsf {Initialize}\), then \(\mathsf {Challenge}\), then \(\mathsf {Finalize} \). The output of \(\mathsf {Finalize} \) is the output of the game. Moreover, \(\mathcal {A}\) may arbitrarily issue \(\mathsf {Evaluate}\)-queries, but only after querying \(\mathsf {Initialize}\) and before querying \(\mathsf {Finalize} \). We say that \(\mathcal {A}\) is legitimate if \(\mathcal {A}\) never queries \(\mathsf {Evaluate} (X)\) and \(\mathsf {Challenge} (X^*)\) with \(X = X^*\) throughout the game. We define the advantage of \(\mathcal {A}\) in breaking the pseudorandomness as
$$ \mathsf {Adv}_{\mathcal {A}}^{\mathsf {VRF}} (k) := \Pr \left[ G_\mathsf {VRF} ^\mathcal {A} =1\right] - 1/2 $$
B Proof of Theorem 5
We prove Theorem 5 with a sequence of games. In the sequel let us write \(X_i\) to denote the event that Game i outputs “1” (Fig. 2).
Game 0
This is the original VRF security game, as described in Definition 9. By definition, we have
Game 1
Recall that Theorem 5 assumes knowledge of (sufficiently close approximations of) the running time \(t_\mathcal {A} \) and the advantage \(\epsilon _\mathcal {A} \). In this game we replace the \(\mathsf {Finalize} \) procedure with \(\mathsf {Finalize} _{1}\), which additionally uses \(t_\mathcal {A} \) and \(\epsilon _\mathcal {A} \) by running \(K {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{\mathsf {AdmSmp}}(t_\mathcal {A},\epsilon _\mathcal {A})\), as depicted in Fig. 1. Note that K now defines the function \(F_{K, H}(X)\) from Eq. 6 and events \(\mathsf {coll}\) and \(\mathsf {badchal}\) as
like in Definition 6. Note that we denote with \(X^{(1)}, \ldots , X^{(Q)}\) the values queried by \(\mathcal {A}\) to \(\mathsf {Evaluate} \), and with \(X^*\) the value queried to \(\mathsf {Challenge} \). These modifications are purely conceptual and perfectly hidden from \(\mathcal {A}\), such that we have
Game 2
This game proceeds identically to Game 1, except that we replace \(\mathsf {Finalize} _{1}\) with \(\mathsf {Finalize} _{2}\) from Fig. 1. By applying Shoup’s Difference Lemma [40], we get
Game 3
This game proceeds identically to Game 2, except that we replace \(\mathsf {Finalize} _{2}\) with \(\mathsf {Finalize} _{3}\), which outputs a random bit if \(\mathsf {badchal}\) occurs. We have
The third equality uses that \(\Pr \left[ X_{3}\mid \mathsf {badchal}\right] = 1/2\), since a random bit is returned if \(\mathsf {badchal}\) occurs, the fourth uses that by definition of the games it holds that \(\Pr \left[ X_{3}\mid \lnot \mathsf {badchal}\right] = \Pr \left[ X_{2}\mid \lnot \mathsf {badchal}\right] \), and the last uses \(\Pr \left[ X_{2}\mid \lnot \mathsf {badchal}\right] = \Pr \left[ X_{2}\right] \), since Game 2 is independent of \(\mathsf {badchal}\). This is because K is only sampled after \(\mathcal {A} \) made all its queries and stated its challenge and K is therefore perfectly hidden from \(\mathcal {A} \).
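The chain of equalities the paragraph above refers to, written out here as an added derivation (it is not reproduced on this page; the first line is the law of total probability over \(\mathsf {badchal}\), the following lines are the three steps the text names):
$$ \begin{aligned} \Pr \left[ X_{3}\right] &= \Pr \left[ X_{3}\mid \mathsf {badchal}\right] \Pr \left[ \mathsf {badchal}\right] + \Pr \left[ X_{3}\mid \lnot \mathsf {badchal}\right] \Pr \left[ \lnot \mathsf {badchal}\right] \\ &= \tfrac{1}{2} \Pr \left[ \mathsf {badchal}\right] + \Pr \left[ X_{2}\mid \lnot \mathsf {badchal}\right] \Pr \left[ \lnot \mathsf {badchal}\right] \\ &= \tfrac{1}{2} \Pr \left[ \mathsf {badchal}\right] + \Pr \left[ X_{2}\right] \Pr \left[ \lnot \mathsf {badchal}\right] . \end{aligned} $$
Substituting \(\Pr \left[ \mathsf {badchal}\right] = 1 - \Pr \left[ \lnot \mathsf {badchal}\right] \) gives
$$ \Pr \left[ X_{3}\right] - \tfrac{1}{2} = \Pr \left[ \lnot \mathsf {badchal}\right] \cdot \left( \Pr \left[ X_{2}\right] - \tfrac{1}{2} \right) , $$
so the hop to Game 3 does not change the sign of the advantage, it only scales it by the probability that the challenge is not "bad". Together with the bound on \(\mathsf {coll}\) from Game 2, that scaling factor is what the cAHF definition lower-bounds, and it is the source of the factor \(\tau (k)\) in the final bound.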
Game 4
We replace events \(\mathsf {badchal}\) and \(\mathsf {coll}\) with an equivalent event, in order to simplify the construction of adversary \(\mathcal {B} \). We let \(\mathsf {bad}\) denote the event that \(\mathsf {coll}\vee \mathsf {badchal}\). In Game 3 the experiment outputs a random bit \(b^*{\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\{0,1\}\) if \((\mathsf {badchal}\vee \mathsf {coll})\) occurs. Now we output a random bit if \(\mathsf {bad}\) occurs, which is equivalent. Formally, we achieve this by replacing \(\mathsf {Finalize} _{3}\) with \(\mathsf {Finalize} _{4}\) as defined in Fig. 1, and get
Thus, summing up probabilities from Game 0 to Game 4, we get
for some non-negligible function \(\tau (k)\), where the last inequality is due to the definition of cAHFs (see Eq. 7).
Reduction From the q-DDH Assumption. Now we are ready to describe our algorithm \(\mathcal {B}\) that solves the q-DDH problem by perfectly simulating Game 4 for adversary \(\mathcal {A}\). When instantiated with the computational AHF from Theorem 4, a \(q \)-DDH instance with \(q = \left\lceil \log \left( 4 t_\mathcal {A}(2t_\mathcal {A}-1)/\epsilon _\mathcal {A} \right) \right\rceil \) is sufficient.
The only minor difference between Game 4 and the simulation by \(\mathcal {B}\) is that \(\mathcal {B}\) aborts “as early as possible”. That is, it samples the AHF key \(K {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}{\mathsf {AdmSmp}}(1^k, t_\mathcal {A},\epsilon _\mathcal {A})\) and the random bit \(b^*\) already in the \(\mathsf {Initialize} \) procedure, and checks whether \(\mathsf {bad}\) occurs after each \(\mathsf {Evaluate}\) or \(\mathsf {Challenge}\) query of \(\mathcal {A}\). If \(\mathsf {bad}\) occurs, then it immediately outputs \(b^*\), rather than waiting for the adversary to query \(\mathsf {Finalize} \). Obviously, this does not modify the probability of \(X_{4}\). The proof now proceeds exactly as in [25], as described in Appendix C for completeness.
\(\mathcal {B}\) ’s Running Time. The running time \(t_\mathcal {B} \) of \(\mathcal {B}\) consists essentially of the running time \(t_\mathcal {A} \) of \(\mathcal {A} \) plus a minor number of additional operations, thus we have \(t_\mathcal {B} \approx t_\mathcal {A} \).
\(\mathcal {B}\) ’s Success Probability. Let \(c \in \{0,1\}\) denote the random bit chosen by the \(q \)-DDH challenger. \(\mathcal {B}\) perfectly simulates \(G_\mathsf {VRF} ^\mathcal {A} \) with \(b=c\). Hence, by Eq. 8, we get
for a non-negligible function \(\tau \). In particular, when instantiated concretely with the computational AHF from Theorem 4, then we have
C Full Proof of VRF Security
We proceed by providing the full proof of security of the VRF. For this purpose, let \(\mathcal {B} \) be the following algorithm. \(\mathcal {B} \) receives as input \((g,g^x, \ldots , g^{x^q},h,T)\). Whenever \(\mathcal {A}\) queries \(\mathsf {Initialize}\), \(\mathsf {Evaluate}\), \(\mathsf {Challenge}\), or \(\mathsf {Finalize}\), \(\mathcal {B}\) executes the corresponding procedure from Fig. 3. Finally, it outputs either the random bit \(b^*\) if event \(\mathsf {bad}\) occurs, or otherwise whatever \(\mathsf {Finalize}\) returns. Note that \(\mathcal {B} \) already outputs the random bit \(b^*\) if \(\mathcal {A} \) makes a query \(X^{(i)}\) with \(F_{K,H}(X^{(i)})=0\), because then either \(\mathsf {coll}\) or \(\mathsf {badchal}\) must occur throughout the experiment.
Initialization. The values \((g,h,g^x)\) in \(\mathsf {Initialize}\) are from the \(q \)-DDH challenge. \(\mathcal {B}\) computes the \(g_{i,j}\)-values exactly as in the original \(\mathsf {Gen} \)-algorithm, by choosing \(\alpha _{i,j} {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathbb {Z} _{|\mathbb {G} |}\) and setting \(g_{i,j} := g^{\alpha _{i,j}}\), but with the exception that
for all \((i,j) \in [n] \times \{0,1\}\) with \(K_i \ne \bot \). Due to our choice of a computational admissible hash function according to Theorem 4, there are exactly \(q +1\) components \(K_i\) of K which are not equal to \(\bot \). All \(g_{i,K_i}\)-values are distributed correctly.
Helping Definitions. To explain how \(\mathcal {B} \) responds to \(\mathsf {Evaluate}\) and \(\mathsf {Challenge}\) queries made by \(\mathcal {A}\), we define two sets \(I_{K,w,X}\) and \(J_{K,w,X}\), which depend on an AHF key K, a VRF input \(X \in \{0,1\}^k\), and integer \(w \in \mathbb {N} \) with \(1 \le w \le n\), as
Note that \(I_{K,w,X}\) denotes the set of all indices \(i \in [w] \subseteq [n]\) such that \(K_i = H(X)_i\), and \(J_{K,w,X}\) denotes the set of all indices in [w] which are not contained in \(I_{K,w,X}\). Based on these sets, we define polynomials \(P_{K,w,X}(x)\)
The following observations were described in [25]:
-
1.
For all X with \(F_K(X) = 1\), the set \(I_{K,w,X}\) contains at most \(q \) elements, and thus the polynomial \(P_{K,w,X}(x)\) has degree at most \(q \). This implies that if \(F_K(X) = 1\), then \(\mathcal {B}\) can efficiently compute \(g^{P_{K,w,X}(x)}\) for all \(w \in [n]\). To this end, \(\mathcal {B}\) first computes the coefficients \(\gamma _0, \ldots , \gamma _q \) of the polynomial \(P_{K,w,X}(x) = \sum _{i=0}^{q} \gamma _i x^i\) with degree at most \(q \), and then
$$ g^{P_{K,w,X}(x)} := g^{\sum _{i=0}^{q} \gamma _i x^i} = \prod _{i=0}^q (g^{x^i})^{\gamma _i} $$
using the terms \((g,g^x, \ldots , g^{x^q})\) from the \(q \)-DDH challenge.
-
2.
If \(F_K(X) = 0\), then \(P_{K,n,X}(x)\) has degree \(q +1\). We do not know how \(\mathcal {B}\) can efficiently compute \(g^{P_{K,n,X}(x)}\) in this case.
Responding to \(\mathsf {Evaluate} \)-Queries. If \(F_K(X) = 1\), then procedure \(\mathsf {Evaluate} \) computes the group elements \(g^{P_{K,w,X}(x)}\) as explained above. Note that in this case the response to the \(\mathsf {Evaluate} (X)\)-query of \(\mathcal {A}\) is correct. If \(F_K(X) = 0\), then \(\mathcal {B}\) outputs the random bit \(b^*\) and aborts.
Responding to the \(\mathsf {Challenge} \)-Query. If \(F_K(X^*) = 0\), then procedure \(\mathsf {Challenge}\) computes
where \(\gamma _0, \ldots , \gamma _{q +1}\) are the coefficients of the degree-\((q +1)\) polynomial \(P_{K,n,X^*}(x) = \sum _{i=0}^{q +1} \gamma _i x^i\). Note that if \(T = e(g,h)^{x^{q+1}}\), then it holds that \(Y^* = V_\mathsf {sk}(X^*)\). Moreover, if T is uniformly random, then so is \(Y^*\). If \(F_K(X^*) = 1\), then \(\mathcal {B}\) outputs the random bit \(b^*\) and aborts.
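The two observations above, the partitioning predicate behind \(F_K\), and the way the Challenge procedure consumes T can all be checked with plain modular arithmetic. The following Python is an added example, not code from the paper: it uses the toy group \(\mathbb {Z}_p^*\) with the Mersenne prime \(p = 2^{61}-1\) in place of the bilinear group (so the pairing and the target group collapse into the same algebra in one group, and no security is claimed), writes \(\bot \) as `None`, indexes positions from 0 rather than 1, and does not reproduce the polynomial \(P_{K,w,X}\) itself, whose definition is not on this page; a generic polynomial with coefficients \(\gamma _i\) stands in for it.

```python
import secrets

# Toy group for the algebra only: Z_p^* with the Mersenne prime p = 2^61 - 1,
# exponents reduced mod p - 1. The paper works in a prime-order bilinear group;
# this stand-in is an assumption of the example and offers no security.
P = 2**61 - 1
G = 3  # fixed base element (assumed; any element of Z_p^* satisfies the identities below)


def make_powers(g: int, x: int, q: int, p: int = P) -> list[int]:
    """The part of a q-DDH instance the reduction receives: (g, g^x, ..., g^{x^q}).
    Only the challenger, who knows x, can run this."""
    return [pow(g, pow(x, i, p - 1), p) for i in range(q + 1)]


def exp_poly(powers: list[int], coeffs: list[int], p: int = P) -> int:
    """Observation 1: for P(x) = sum_i gamma_i x^i with deg P <= q,
    g^{P(x)} = prod_i (g^{x^i})^{gamma_i}, computable without knowing x."""
    if len(coeffs) > len(powers):
        # Observation 2: a degree-(q+1) term needs g^{x^{q+1}}, which is not in the instance.
        raise ValueError("degree exceeds q: g^{x^{q+1}} is not available to the reduction")
    acc = 1
    for g_xi, gamma in zip(powers, coeffs):
        acc = acc * pow(g_xi, gamma % (p - 1), p) % p
    return acc


def exp_poly_direct(g: int, x: int, coeffs: list[int], p: int = P) -> int:
    """Reference value from a party that knows x: evaluate P(x) in the exponent, then exponentiate."""
    px = sum(gamma * pow(x, i, p - 1) for i, gamma in enumerate(coeffs)) % (p - 1)
    return pow(g, px, p)


def challenge_value(powers: list[int], top: int, coeffs: list[int], p: int = P) -> int:
    """How the Challenge procedure uses the q-DDH element: the degree-(q+1) coefficient
    multiplies the single power the reduction lacks, and that is exactly what the
    challenge element supplies (T = e(g,h)^{x^{q+1}} in the paper; `top` plays its role)."""
    q = len(powers) - 1
    if len(coeffs) != q + 2:
        raise ValueError("challenge polynomial must have degree exactly q+1")
    return exp_poly(powers, coeffs[: q + 1], p) * pow(top, coeffs[q + 1] % (p - 1), p) % p


def partition(K: list, hX: str):
    """The partitioning predicate behind F_K together with I_{K,n,X} and J_{K,n,X}.
    K has entries in {0, 1, None} (None = bottom); hX is the bit string H(X).
    I collects the indices i with K_i = H(X)_i (bottom never equals a bit), J is the rest,
    and F_K(X) = 0 iff every non-bottom position of K matches H(X), i.e. |I| equals the
    number of fixed positions. With q+1 fixed positions, F_K(X) = 1 forces |I| <= q."""
    n = len(K)
    if len(hX) != n:
        raise ValueError("H(X) must have n bits")
    I = [i for i in range(n) if K[i] is not None and K[i] == int(hX[i])]
    J = [i for i in range(n) if i not in I]
    fixed = sum(1 for k in K if k is not None)
    f_k = 0 if len(I) == fixed else 1
    return f_k, I, J


if __name__ == "__main__":
    q = 3
    x = secrets.randbelow(P - 3) + 2                 # the challenger's secret exponent
    powers = make_powers(G, x, q)
    coeffs = [secrets.randbelow(P - 1) for _ in range(q + 1)]   # deg <= q: Observation 1
    print("reduction matches direct computation:", exp_poly(powers, coeffs) == exp_poly_direct(G, x, coeffs))
    real_top = pow(G, pow(x, q + 1, P - 1), P)       # the honest "T"
    fake_top = secrets.randbelow(P - 2) + 2          # a random "T"
    c = coeffs + [1]                                 # deg q+1: needs T
    print("real T reproduces V_sk(X*):", challenge_value(powers, real_top, c) == exp_poly_direct(G, x, c))
    print("random T gives a different value:", challenge_value(powers, fake_top, c) != exp_poly_direct(G, x, c))
    # Constructed sample key with q+1 = 4 fixed positions and two constructed hash outputs.
    K = [1, None, None, 0, None, 1, None, 0]
    print("all fixed bits match  ->", partition(K, "10100110"))   # F_K = 0, |I| = q+1
    print("one fixed bit differs ->", partition(K, "10100111"))   # F_K = 1, |I| <= q
```

`exp_poly` is Observation 1 verbatim: the reduction never learns x, only the list of powers, and asking for one more coefficient than there are powers is Observation 2 and raises. `challenge_value` shows that the missing power enters in exactly one place, through the challenge element, which is why an honest T yields the correct \(Y^*\) and a random T yields a value unrelated to it.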
D Further comparisons
We provide further comparisons like in Table 2. The results we present are calculated using the formulas stated in Table 1. Compared to Table 2, we provide key and proof sizes for \(k \in \{100, 128, 256\}\) and \(\epsilon \in \{2^{-25}, 2^{-50}\}\). For every combination of k and \(\epsilon \), \(\delta \) is chosen such that the advantages for the instantiation using ECCs and the instantiation using TCRHFs are approximately the same. All variables have the same semantics as in Sect. 4.2. The results show that using the cAHF instantiated with a TCRHF reduces key and proof sizes significantly (Tables 3, 4, 5, 6, 7 and 8).
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Jager, T., Niehues, D. (2020). On the Real-World Instantiability of Admissible Hash Functions and Efficient Verifiable Random Functions. In: Paterson, K., Stebila, D. (eds) Selected Areas in Cryptography – SAC 2019. Lecture Notes in Computer Science, vol 11959. Springer, Cham. https://doi.org/10.1007/978-3-030-38471-5_13
DOI: https://doi.org/10.1007/978-3-030-38471-5_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-38470-8
Online ISBN: 978-3-030-38471-5