Skip to main content
SpringerLink
Log in

The Price of Verifiability: Lower Bounds for Verifiable Random Functions

  • Conference paper
  • First Online:
Theory of Cryptography (TCC 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13748))

Included in the following conference series:

  • 346 Accesses

Abstract

Verifiable random functions (VRFs) are a useful extension of pseudorandom functions for which it is possible to generate a proof that a certain image is indeed the correct function value (relative to a public verification key). Due to their strong soundness requirements on such proofs, VRFs are notoriously hard to construct, and existing constructions suffer either from complex proofs (for function images), or rely on complex and non-standard assumptions.

In this work, we attempt to explain this phenomenon. We first propose a framework that captures a large class of pairing-based VRFs. We proceed to show that in our framework, it is not possible to obtain short proofs and a reduction to a simple assumption simultaneously. Since the class of “consecutively verifiable” VRFs we consider contains in particular the VRF of Lysyanskaya and that of Dodis-Yampolskiy, our results explain the large proof size, resp. the complex assumption of these VRFs.

A. Ünal—Work done while all authors were supported by ERC Project PREP-CRYPTO 724307.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 149.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 199.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    With a non-interactive and compact assumption, we mean one in which the adversary gets a constant number of group elements as challenge and is then supposed to output a solution (e.g., a decision bit).

  2. 2.

    A prominent verifiable unpredictable function (VUF, a weaker form of VRF) that does not fall into this class is the one by Brakerski et al. [11]. This VUF takes group elements as input, and hence does not quite fit our framework. We will discuss this particular construction in Sect. 2.1, and argue that this approach is unlikely to yield purely group-based VRFs.

  3. 3.

    We note that our results can easily be transferred to asymmetric pairings, but for simplicity we restrict ourselves to symmetric pairings.

  4. 4.

    We note that the weak VRF by Brakerski et al. [11] does not have this efficiency property, as the inputs are group elements and the pairing equations can only be derived from the discrete logarithm of the inputs.

  5. 5.

    The GL construction uses the bits of the representation of the group elements.

  6. 6.

    Recall that we consider algebraic reductions here, so they have to output a vector of representations with each group element.

  7. 7.

    If all \(\sigma _{x_i}(V)/\rho _{x_i}(V)\) are linearly dependent, then with noticable probability the challenge’s function \(\sigma _{x_0}(V)/\rho _{x_0}(V)\) will be linearly dependent on the other rational functions because all \(x_i\) are independent and identitically distributed.

  8. 8.

    For simplicity assume that all \(f_i\) and hence \(\xi \) are polynomials.

  9. 9.

    For exposition, we assume all group element to be in the source group. Our technique applies as well for assumptions with target group elements.

  10. 10.

    To keep the definitions minimal, we choose to only present the \(0\)-selective pseudorandomness property since it is the security notion considered in our results.

  11. 11.

    Because our weak selective unpredictability is a non-interactive game, there are no concurrency issues.

  12. 12.

    This set indicates which verification key elements are in the target group. Hence, their exponents should only occur linearly, while source group exponents can occur quadratically.

  13. 13.

    Essentially, the first verification key element \(\textbf{h} {:}{=}\textbf{v}_1\) is the new generator relative to which the VRF is evaluated.

References

  1. Abdalla, M., Catalano, D., Fiore, D.: Verifiable random functions from identity-based key encapsulation. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 554–571. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_32

    Chapter  Google Scholar 

  2. Au, M.H., Susilo, W., Mu, Y.: Practical compact e-cash. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 431–445. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73458-1_31

    Chapter  Google Scholar 

  3. Bauer, B., Fuchsbauer, G., Loss, J.: A classification of computational assumptions in the algebraic group model. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 121–151. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_5

    Chapter  MATH  Google Scholar 

  4. Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: Compact e-cash and simulatable VRFs revisited. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 114–131. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03298-1_9

    Chapter  Google Scholar 

  5. Bitansky, N.: Verifiable random functions from non-interactive witness-indistinguishable proofs. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 567–594. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_19

    Chapter  Google Scholar 

  6. Blum, M., Micali, S.: How to generate cryptographically strong sequences of pseudo random bits. In: 23rd FOCS, pp. 112–117. IEEE Computer Society Press (1982). https://doi.org/10.1109/SFCS.1982.72

  7. Boneh, D., Venkatesan, R.: Breaking RSA may not be equivalent to factoring. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 59–71. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054117

    Chapter  Google Scholar 

  8. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_26

    Chapter  Google Scholar 

  9. Boneh, D., Montgomery, H.W., Raghunathan, A.: Algebraic pseudorandom functions with improved efficiency from the augmented cascade. In: Al-Shaer, E., Keromytis, A.D., Shmatikov, V. (eds.) ACM CCS 2010, pp. 131–140. ACM Press (2010). https://doi.org/10.1145/1866307.1866323

  10. Boyen, X.: The uber-assumption family. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 39–56. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85538-5_3

    Chapter  Google Scholar 

  11. Brakerski, Z., Goldwasser, S., Rothblum, G.N., Vaikuntanathan, V.: Weak verifiable random functions. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 558–576. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_33

    Chapter  Google Scholar 

  12. Brandt, N., Hofheinz, D., Kastner, J., Ünal, A.: The price of verifiability: Lower bounds for verifiable random functions. Cryptology ePrint Archive, Paper 2022/762 (2022). https://eprint.iacr.org/2022/762

  13. Coron, J.-S.: On the exact security of full domain hash. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 229–235. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_14

    Chapter  Google Scholar 

  14. Coron, J.-S.: Optimal security proofs for PSS and other signature schemes. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 272–287. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_18

    Chapter  Google Scholar 

  15. Dodis, Y.: Efficient construction of (distributed) verifiable random functions. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 1–17. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_1

    Chapter  Google Scholar 

  16. Dodis, Y., Yampolskiy, A.: A verifiable random function with short proofs and keys. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 416–431. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30580-4_28

    Chapter  Google Scholar 

  17. Fiore, D., Schröder, D.: Uniqueness is a different story: impossibility of verifiable random functions from trapdoor permutations. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 636–653. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_36

    Chapter  MATH  Google Scholar 

  18. Fleischhacker, N., Jager, T., Schröder, D.: On tight security proofs for Schnorr signatures. J. Cryptol. 32(2), 566–599 (2019). https://doi.org/10.1007/s00145-019-09311-5

    Article  MathSciNet  MATH  Google Scholar 

  19. Fuchsbauer, G., Kiltz, E., Loss, J.: The algebraic group model and its applications. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 33–62. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_2

    Chapter  Google Scholar 

  20. Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: 21st ACM STOC, pp. 25–32. ACM Press (1989). https://doi.org/10.1145/73007.73010

  21. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: 25th FOCS, pp. 464–479. IEEE Computer Society Press (1984). https://doi.org/10.1109/SFCS.1984.715949

  22. Goldwasser, S., Ostrovsky, R.: Invariant signatures and non-interactive zero-knowledge proofs are equivalent. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 228–245. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_16

    Chapter  Google Scholar 

  23. Goyal, R., Hohenberger, S., Koppula, V., Waters, B.: A generic approach to constructing and proving verifiable random functions. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 537–566. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_18

    Chapter  Google Scholar 

  24. Hofheinz, D., Jager, T.: Verifiable random functions from standard assumptions. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 336–362. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_14

    Chapter  Google Scholar 

  25. Hohenberger, S., Waters, B.: Constructing verifiable random functions with large input spaces. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 656–672. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_33

    Chapter  Google Scholar 

  26. Jager, T.: Verifiable random functions from weaker assumptions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 121–143. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_5

    Chapter  Google Scholar 

  27. Jarecki, S., Shmatikov, V.: Handcuffing big brother: an abuse-resilient transaction escrow scheme. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 590–608. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_35

    Chapter  Google Scholar 

  28. Katsumata, S.: On the untapped potential of encoding predicates by arithmetic circuits and their applications. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 95–125. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_4

    Chapter  Google Scholar 

  29. Katz, J., Zhang, C., Zhou, H.-S.: An analysis of the algebraic group model. Cryptology ePrint Archive, Report 2022/210 (2022). http://eprint.iacr.org/2022/210

  30. Kohl, L.: Hunting and gathering – verifiable random functions from standard assumptions with short proofs. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 408–437. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_14

    Chapter  Google Scholar 

  31. Kurosawa, K., Nojima, R., Phong, L.T.: Relation between verifiable random functions and convertible undeniable signatures, and new constructions. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 235–246. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31448-3_18

    Chapter  MATH  Google Scholar 

  32. Liang, B., Li, H., Chang, J.: Verifiable random functions from (leveled) multilinear maps. In: Reiter, M., Naccache, D. (eds.) CANS 2015. LNCS, vol. 9476, pp. 129–143. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26823-1_10

    Chapter  Google Scholar 

  33. Liskov, M.: Updatable zero-knowledge databases. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 174–198. Springer, Heidelberg (2005). https://doi.org/10.1007/11593447_10

    Chapter  Google Scholar 

  34. Lysyanskaya, A.: Unique signatures and verifiable random functions from the DH-DDH separation. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 597–612. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_38

    Chapter  Google Scholar 

  35. Maurer, U.: Abstract models of computation in cryptography. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 1–12. Springer, Heidelberg (2005). https://doi.org/10.1007/11586821_1

    Chapter  MATH  Google Scholar 

  36. Micali, S., Reyzin, L.: Soundness in the public-key model. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 542–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_32

    Chapter  MATH  Google Scholar 

  37. Micali, S., Rivest, R.L.: Micropayments revisited. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 149–163. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45760-7_11

    Chapter  Google Scholar 

  38. Micali, S., Rabin, M.O., Vadhan, S.P.: Verifiable random functions. In: 40th FOCS, pp. 120–130. IEEE Computer Society Press (1999). https://doi.org/10.1109/SFFCS.1999.814584

  39. Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. In: 38th FOCS, pp. 458–467. IEEE Computer Society Press (1997). https://doi.org/10.1109/SFCS.1997.646134

  40. Nechaev, V.I.: Complexity of a determinate algorithm for the discrete logarithm. Math. Notes 55(2), 165–172 (1994)

    Article  MathSciNet  MATH  Google Scholar 

  41. Niehues, D.: Verifiable random functions with optimal tightness. In: Garay, J.A. (ed.) PKC 2021. LNCS, vol. 12711, pp. 61–91. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75248-4_3

    Chapter  Google Scholar 

  42. Paillier, P., Vergnaud, D.: Discrete-log-based signatures may not be equivalent to discrete log. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 1–20. Springer, Heidelberg (2005). https://doi.org/10.1007/11593447_1

    Chapter  Google Scholar 

  43. Roşie, R.: Adaptive-secure VRFs with shorter keys from static assumptions. In: Camenisch, J., Papadimitratos, P. (eds.) CANS 2018. LNCS, vol. 11124, pp. 440–459. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00434-7_22

    Chapter  Google Scholar 

  44. Schwartz, J.T.: Fast probabilistic algorithms for verification of polynomial identities. J. ACM 27(4), 701–717 (1980). ISSN 0004–5411. https://doi.org/10.1145/322217.322225.

  45. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18

    Chapter  Google Scholar 

  46. Yamada, S.: Asymptotically compact adaptively secure lattice IBEs and verifiable random functions via generalized partitioning techniques. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 161–193. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_6

    Chapter  Google Scholar 

  47. Yao, A.C.C.: Theory and applications of trapdoor functions (extended abstract). In: 23rd FOCS, pp. 80–91. IEEE Computer Society Press (1982). https://doi.org/10.1109/SFCS.1982.45

  48. Zhandry, M.: To label, or not to label (in generic groups). Cryptology ePrint Archive, Report 2022/226 (2022). http://eprint.iacr.org/2022/226

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science, ETH Zurich, Zurich, Switzerland

    Nicholas Brandt, Dennis Hofheinz, Julia Kastner & Akin Ünal

Authors
  1. Nicholas Brandt
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Dennis Hofheinz
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Julia Kastner
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Akin Ünal
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Nicholas Brandt .

Editor information

Editors and Affiliations

  1. Ruhr University Bochum, Bochum, Germany

    Eike Kiltz

  2. Massachusetts Institute of Technology, Cambridge, MA, USA

    Vinod Vaikuntanathan

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Brandt, N., Hofheinz, D., Kastner, J., Ünal, A. (2022). The Price of Verifiability: Lower Bounds for Verifiable Random Functions. In: Kiltz, E., Vaikuntanathan, V. (eds) Theory of Cryptography. TCC 2022. Lecture Notes in Computer Science, vol 13748. Springer, Cham. https://doi.org/10.1007/978-3-031-22365-5_26

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-22365-5_26

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22364-8

  • Online ISBN: 978-3-031-22365-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation