
A Composable Security Treatment of ECVRF and Batch Verifications

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13556))

Abstract

Verifiable random functions (VRF, Micali et al., FOCS’99) allow a key-pair holder to verifiably evaluate a pseudorandom function under that particular key pair. These primitives enable fair and verifiable pseudorandom lotteries, essential in proof-of-stake blockchains such as Algorand and Cardano, and are being used to secure billions of dollars of capital. As a result, there is an ongoing IRTF effort to standardize VRFs, with a proposed ECVRF based on elliptic-curve cryptography appearing as the most promising candidate.

In this paper, towards understanding the general security of VRFs and in particular the ECVRF construction, we provide an ideal functionality in the Universal Composability (UC) framework (Canetti, FOCS’01) that captures VRF security, and show that ECVRF UC-realizes it.

Additionally, we study batch verification in the context of VRFs. We provide a UC-functionality capturing a VRF with batch-verification capability, and propose modifications to ECVRF that allow for this feature. We again prove that our proposal UC-realizes the desired functionality. Finally, we provide a performance analysis showing that verification can yield a factor-two speedup for batches with 1024 proofs, at the cost of increasing the proof size from 80 to 128 bytes.


Notes

  1. As a matter of fact, ed25519 [7] is also a sigma protocol and encodes the announcement instead of the challenge in the non-interactive variant of this sigma-protocol.

References

  1. Badertscher, C., Canetti, R., Hesse, J., Tackmann, B., Zikas, V.: Universal composition with global subroutines: capturing global setup within plain UC. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12552, pp. 1–30. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64381-2_1

  2. Badertscher, C., Gaži, P., Querejeta-Azurmendi, I., Russell, A.: On UC-secure range extension and batch verification for ECVRF. Cryptology ePrint Archive, Report 2022/1045 (2022). https://eprint.iacr.org/2022/1045

  3. Badertscher, C., Gazi, P., Kiayias, A., Russell, A., Zikas, V.: Ouroboros genesis: composable proof-of-stake blockchains with dynamic availability. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018: 25th Conference on Computer and Communications Security, pp. 913–930, Toronto, ON, Canada, October 15–19, 2018. ACM Press

  4. Bellare, M., Garay, J.A., Rabin, T.: Fast batch verification for modular exponentiation and digital signatures. Cryptology ePrint Archive, Report 1998/007 (1998). http://eprint.iacr.org/1998/007

  5. Bellman, R., Straus, E.G.: 5125. The American Mathematical Monthly 71(7), 806–808 (1964)

  6. Bernstein, D.J., Doumen, J., Lange, T., Oosterwijk, J.-J.: Faster batch forgery identification. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 454–473. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34931-7_26

  7. Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. J. Cryptogr. Eng. 2(2), 77–89 (2012)

  8. Camenisch, J., Enderlein, R.R., Krenn, S., Küsters, R., Rausch, D.: Universal composition with responsive environments. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 807–840. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_27

  9. Camenisch, J., Hohenberger, S., Østergaard Pedersen, M.: Batch verification of short signatures. J. Cryptol. 25(4), 723–747 (2012)

  10. Canetti, R.: Universally composable security. J. ACM 67(5) (2020)

  11. Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_19

  12. David, B., Gaži, P., Kiayias, A., Russell, A.: Ouroboros praos: an adaptively-secure, semi-synchronous proof-of-stake blockchain. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 66–98. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_3

  13. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  14. Gilad, Y., Hemo, R., Micali, S., Vlachos, G., Zeldovich, N.: Algorand: scaling byzantine agreements for cryptocurrencies. Cryptology ePrint Archive, Report 2017/454 (2017). http://eprint.iacr.org/2017/454

  15. Goldberg, S., Reyzin, L., Papadopoulos, D., Vcelak, J.: Verifiable random functions (VRFs). Internet-Draft, IRTF (2022). https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-vrf-14

  16. Jarecki, S., Kiayias, A., Krawczyk, H.: Round-optimal password-protected secret sharing and T-PAKE in the password-only model. Cryptology ePrint Archive, Report 2014/650 (2014). http://eprint.iacr.org/2014/650

  17. Lovecruft, I., de Valence, H.: curve25519-dalek (2022). https://github.com/dalek-cryptography/curve25519-dalek

  18. Maurer, U.: Zero-knowledge proofs of knowledge for group homomorphisms. Des. Codes Cryptography 77(2-3), 663–676 (2015)

  19. Micali, S., Rabin, M.O., Vadhan, S.P.: Verifiable random functions. In: 40th Annual Symposium on Foundations of Computer Science, pp. 120–130, New York, NY, USA, 17–19 October 1999. IEEE Computer Society Press (1999)

  20. Naccache, D., M'Raïhi, D., Vaudenay, S., Raphaeli, D.: Can D.S.A. be improved? Complexity trade-offs with the digital signature standard. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 77–85. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053426

  21. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system, December 2008. https://bitcoin.org/bitcoin.pdf

  22. Querejeta-Azurmendi, I.: Verifiable random function (2022). https://github.com/input-output-hk/vrf

  23. Reyzin, L.: VRF standardisation mailing archive (2021). https://mailarchive.ietf.org/arch/msg/cfrg/KJwe92nLEkmJGpBe-OST_ilr<_MQ

  24. Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991). https://doi.org/10.1007/BF00196725

  25. Wuille, P., Nick, J., Ruffing, T.: Schnorr signatures for secp256k1, January 2020. https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki

Author information

Correspondence to Christian Badertscher.


A A Brief Overview of Concepts Used in the Security Argument


We provide here a sketch of fundamental concepts used in the security argument. The extended version contains a detailed exposition [2].

On \(\varSigma \)-Protocols for Group Homomorphisms. We recall here a general class of zero-knowledge proofs of knowledge, namely the three-round protocols that prove the knowledge of a preimage of a (presumably one-way) group homomorphism [18]. Consider two groups \((\mathbb {H},\circ )\) and \((\mathbb {T}, \star )\) together with a homomorphism \(f: \mathbb {H} \rightarrow \mathbb {T}\), i.e., \(f(x \circ y) = f(x) \star f(y)\).

Let \(R_f\) be the relation defined by \((z, x) \in R_f :\leftrightarrow f(x)=z\). Consider the following three-round protocol between prover P and verifier V for the language \(L_{R_f} := \{z \, | \, \exists x: (z,x) \in R_f\}\). That is, the common input is the proof instance \(z \in \mathbb {T}\) (and the relation \(R_f\)), where the prover is supposed to know a value \(x \in \mathbb {H}\) s.t. \(f(x)=z\).

  1. \(P \rightarrow V\): P samples \(k \overset{\$}{\leftarrow }\mathbb {H}\) and sends \(t:=f(k)\) to V.

  2. \(V \rightarrow P\): V picks at random an integer \(c \in \mathcal {C} \subset \mathbb {N}\) and sends it to P.

  3. \(P \rightarrow V\): P computes \(s:=k \circ x^c\) and sends s to V. V accepts the protocol run if and only if the equality \(f(s) = t \star z^c\) holds.

The security of this protocol follows from the following lemma:

Lemma 1

([18]). Let \(R_f\) be a relation as described above relative to a group homomorphism \(f:\mathbb {H} \rightarrow \mathbb {T}\). The above protocol is a \(\varSigma \)-Protocol for the language \(L_{R_f}\) if there are two publicly known values \(\ell \in \mathbb {Z}\) and \(u \in \mathbb {H}\) s.t.

  1. \(\forall c,c' \in \mathcal {C}\), \(c \ne c'\): \(\gcd (c-c',\ell )=1\), and

  2. \(\forall z \in L_{R_f}, f(u) = z^\ell \).

The Fiat-Shamir Transform turns (in the random-oracle model) any \(\varSigma \)-Protocol into a secure non-interactive zero-knowledge proof of knowledge. Intuitively, the assumed random oracle acts like an honest verifier computing the challenge and thus preserves the above security properties. We refer to [2] for details.

Instantiation for \(\textsf{ECVRF}_{\textsf{bc}}\). We recall that in \(\textsf{ECVRF}_{\textsf{bc}}\) we deal with a prime-order subgroup \(\mathbb {G}\) of order q of an elliptic curve of order \(\textrm{cf}\cdot q\). Let \(B_1\) and \(B_2\) be two generators of this subgroup. Essentially, the \(\varSigma \)-protocol of interest is an equality proof of discrete logarithm, i.e., given two values \(z_1\) and \(z_2\) prove knowledge of x such that \(x*B_1 = z_1 \wedge x*B_2 = z_2\). To instantiate the above generic scheme, we let \(\mathbb {H} := (\mathbb {Z}_q,+)\) and define \((\mathbb {T},\oplus ) := (\mathbb {G},+) \times (\mathbb {G},+)\) as the direct product of \(\mathbb {G}\), where the binary operation \(\oplus \) on \(\mathbb {T}\) is defined component-wise. The homomorphism is given by \( f_{B_1,B_2}: \mathbb {Z}_q \rightarrow \mathbb {T}; \quad x \mapsto (x*B_1, x*B_2)\). Since \(\mathbb {G}\) is of prime order \(q\), we can satisfy the conditions of Lemma 1 by letting \(u = 0\) and \(\ell = q\), and defining the challenge space to be a large subset \(\mathcal {C} \subseteq [0,\dots ,q-1]\).

We therefore conclude that the embedded non-interactive zero-knowledge proof of knowledge in \(\textsf{ECVRF}_{\textsf{bc}}\) has (in the random-oracle model) simulatable executions, and with only negligible probability can a valid proof for a wrong statement be generated.

On Domain Checks and the Canonical Epimorphism. Special care has to be taken in the analysis as \(\textsf{ECVRF}_{\textsf{bc}}\) omits detailed domain checks, which in general can impact security in that Lemma 1 cannot be applied directly (we have \(\mathbb {G}\) a subgroup of \(\mathbb {E}\), and the protocol could be run on values \(z_i \in \mathbb {E}\setminus \mathbb {G}\) by a dishonest party, as the verifier does not perform a domain check for \(z_i \in \mathbb {G}\) but only for \(z_i \in \mathbb {E}\)). We leave the general treatment of this to the full version of this work, and describe here a special case based on the canonical epimorphism: For \(\textsf{ECVRF}_{\textsf{bc}}\), we can consider the map \(P \mapsto \textrm{cf}*P\), which is the canonical epimorphism \(\phi _\textrm{cf}: \mathbb {E}\rightarrow \mathbb {G}\), and the corresponding map \(P+\ker (\phi _\textrm{cf}) \mapsto \phi _\textrm{cf}(P)\), which identifies the isomorphism establishing \(\mathbb {E}/\ker (\phi _\textrm{cf}) \cong \mathbb {G}\) by the fundamental theorem on homomorphisms. From this we can deduce by Lagrange's Theorem that \(|\mathbb {E}| = |\mathbb {G}| \cdot |\ker (\phi _\textrm{cf})|\). Since the choice of the representatives is immaterial, one can think of each coset \(P+\ker (\phi _\textrm{cf})\) as being represented by a point \(P \in \mathbb {G}\) (and the kernel consists of the low-order points, i.e., elements of order strictly less than q). Denoting the first-round message of the prover by \((U,V)\), the projected verification equation in step 3 of the \(\varSigma \)-Protocol becomes \((O,O) = (\phi _\textrm{cf}(s*B-U-c*z_1), \phi _\textrm{cf}(s*H-V-c*z_2))\), which is an equation in the prime-order group \(\mathbb {G}\) (recall that B and H are generators of \(\mathbb {G}\)). Stated differently, the above equality is satisfied when \((s*B-U-c*z_1) \in \ker (\phi _\textrm{cf})\) and \((s*H-V-c*z_2) \in \ker (\phi _\textrm{cf})\).
As we show in the full version [2], the guarantees of Lemma 1 apply to this projected run of the protocol; in particular, we obtain the soundness guarantee for the relation

$$\begin{aligned} (z_1,z_2) \in R^\textrm{cf}_{B,H} :\leftrightarrow x*B = \phi _\textrm{cf}(z_1) \wedge x*H = \phi _\textrm{cf}(z_2) \end{aligned} \qquad (2)$$

guaranteed by the above \(\varSigma \)-protocol (where, technically speaking, we could relax the checks performed by the verifier to \((s*B-U-c*z_1) \in \ker (\phi _\textrm{cf})\) and \((s*H-V-c*z_2) \in \ker (\phi _\textrm{cf})\) instead of the stricter equality checks \((s*B-U-c*z_1) = O\) and \((s*H-V-c*z_2) = O\)).
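The following is an added worked example (not code from the paper or from the referenced VRF implementation) of the three-round \(\varSigma \)-protocol above, instantiated as the discrete-log equality proof of Sect. A with Fiat-Shamir, together with the strict verification check and the relaxed, projected check of relation (2). To keep it short it uses an assumed toy group: the prime-order subgroup G of \(\mathbb {Z}_p^*\) with \(p = \textrm{cf}\cdot q + 1\), so that \(\phi _\textrm{cf}\) is exponentiation by cf and the group law is written multiplicatively; the parameters, generators and hash-to-challenge are constructed for illustration and offer no security.

```python
import hashlib, secrets

# Toy parameters (assumed, not secure): p = cf*q + 1 with q prime, so the quadratic
# residues form the prime-order subgroup G of E = Z_p^*, and the cofactor is cf = 2.
P, Q, CF = 2039, 1019, 2
B1, B2 = 4, 9                 # squares mod P, hence generators of G (order Q)

def in_E(z):                  # the only domain check ECVRF_bc performs: z in E
    return 1 <= z < P

def in_G(z):                  # the stricter subgroup check: the order of z divides Q
    return in_E(z) and pow(z, Q, P) == 1

def phi_cf(z):                # canonical epimorphism E -> G, written additively as cf*z
    return pow(z, CF, P)

def ker_size():               # |ker(phi_cf)| = |E| / |G| by Lagrange (the low-order elements)
    return sum(1 for z in range(1, P) if phi_cf(z) == 1)

def challenge(z1, z2, U, V):  # Fiat-Shamir: the hash plays the honest verifier of round 2
    data = ",".join(map(str, (B1, B2, z1, z2, U, V))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(x):
    """Prover for the DLEQ relation z1 = x*B1, z2 = x*B2 (Lemma 1 with u = 0, l = q)."""
    z1, z2 = pow(B1, x, P), pow(B2, x, P)
    k = secrets.randbelow(Q)                      # round 1: k <-$ H = Z_q
    U, V = pow(B1, k, P), pow(B2, k, P)           # announcement t = f(k) = (U, V)
    c = challenge(z1, z2, U, V)                   # round 2, made non-interactive
    s = (k + c * x) % Q                           # round 3: s = k o x^c in (Z_q, +)
    return (z1, z2), (U, V, s)

def residuals(stmt, proof):
    """Return (s*B1 - U - c*z1, s*B2 - V - c*z2), i.e. f(s) divided by t * z^c in E."""
    (z1, z2), (U, V, s) = stmt, proof
    c = challenge(z1, z2, U, V)
    inv = lambda a: pow(a, P - 2, P)
    r1 = pow(B1, s, P) * inv(U * pow(z1, c, P) % P) % P
    r2 = pow(B2, s, P) * inv(V * pow(z2, c, P) % P) % P
    return r1, r2

def verify_strict(stmt, proof):
    """Exact check f(s) = t * z^c, i.e. both residuals equal the identity O."""
    if not all(map(in_E, stmt)): return False
    return residuals(stmt, proof) == (1, 1)

def verify_projected(stmt, proof):
    """Relaxed check of relation (2): residuals only need to lie in ker(phi_cf)."""
    if not all(map(in_E, stmt)): return False
    return all(phi_cf(r) == 1 for r in residuals(stmt, proof))
```

An honest proof passes both checks, a tampered response fails both, and `ker_size()` returns cf, matching \(|\mathbb {E}| = |\mathbb {G}| \cdot |\ker (\phi _\textrm{cf})|\) for this toy group.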


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Badertscher, C., Gaži, P., Querejeta-Azurmendi, I., Russell, A. (2022). A Composable Security Treatment of ECVRF and Batch Verifications. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13556. Springer, Cham. https://doi.org/10.1007/978-3-031-17143-7_2


  • DOI: https://doi.org/10.1007/978-3-031-17143-7_2


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17142-0

  • Online ISBN: 978-3-031-17143-7
