Abstract
Verifiable random functions (VRF, Micali et al., FOCS’99) allow a key-pair holder to verifiably evaluate a pseudorandom function under that particular key pair. These primitives enable fair and verifiable pseudorandom lotteries, essential in proof-of-stake blockchains such as Algorand and Cardano, and are being used to secure billions of dollars of capital. As a result, there is an ongoing IRTF effort to standardize VRFs, with a proposed ECVRF based on elliptic-curve cryptography appearing as the most promising candidate.
In this paper, towards understanding the general security of VRFs and in particular the ECVRF construction, we provide an ideal functionality in the Universal Composability (UC) framework (Canetti, FOCS’01) that captures VRF security, and show that ECVRF UC-realizes it.
Additionally, we study batch verification in the context of VRFs. We provide a UC-functionality capturing a VRF with batch-verification capability, and propose modifications to ECVRF that allow for this feature. We again prove that our proposal UC-realizes the desired functionality. Finally, we provide a performance analysis showing that batch verification can yield a factor-two speedup for batches of 1024 proofs, at the cost of increasing the proof size from 80 to 128 bytes.
Notes
1. As a matter of fact, Ed25519 [7] is also a sigma protocol and encodes the announcement instead of the challenge in the non-interactive variant of this sigma protocol.
References
[1] Badertscher, C., Canetti, R., Hesse, J., Tackmann, B., Zikas, V.: Universal composition with global subroutines: capturing global setup within plain UC. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12552, pp. 1–30. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64381-2_1
[2] Badertscher, C., Gaži, P., Querejeta-Azurmendi, I., Russell, A.: On UC-secure range extension and batch verification for ECVRF. Cryptology ePrint Archive, Report 2022/1045 (2022). https://eprint.iacr.org/2022/1045
[3] Badertscher, C., Gaži, P., Kiayias, A., Russell, A., Zikas, V.: Ouroboros Genesis: composable proof-of-stake blockchains with dynamic availability. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018: 25th Conference on Computer and Communications Security, pp. 913–930. ACM Press, Toronto, ON, Canada, October 15–19, 2018
[4] Bellare, M., Garay, J.A., Rabin, T.: Fast batch verification for modular exponentiation and digital signatures. Cryptology ePrint Archive, Report 1998/007 (1998). http://eprint.iacr.org/1998/007
[5] Bellman, R., Straus, E.G.: 5125. Am. Math. Mon. 71(7), 806–808 (1964)
[6] Bernstein, D.J., Doumen, J., Lange, T., Oosterwijk, J.-J.: Faster batch forgery identification. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 454–473. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34931-7_26
[7] Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. J. Cryptogr. Eng. 2(2), 77–89 (2012)
[8] Camenisch, J., Enderlein, R.R., Krenn, S., Küsters, R., Rausch, D.: Universal composition with responsive environments. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 807–840. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_27
[9] Camenisch, J., Hohenberger, S., Østergaard Pedersen, M.: Batch verification of short signatures. J. Cryptol. 25(4), 723–747 (2012)
[10] Canetti, R.: Universally composable security. J. ACM 67(5) (2020)
[11] Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_19
[12] David, B., Gaži, P., Kiayias, A., Russell, A.: Ouroboros Praos: an adaptively-secure, semi-synchronous proof-of-stake blockchain. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 66–98. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_3
[13] Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
[14] Gilad, Y., Hemo, R., Micali, S., Vlachos, G., Zeldovich, N.: Algorand: scaling Byzantine agreements for cryptocurrencies. Cryptology ePrint Archive, Report 2017/454 (2017). http://eprint.iacr.org/2017/454
[15] Goldberg, S., Reyzin, L., Papadopoulos, D., Vcelak, J.: Verifiable random functions (VRFs). Internet-Draft, IRTF (2022). https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-vrf-14
[16] Jarecki, S., Kiayias, A., Krawczyk, H.: Round-optimal password-protected secret sharing and T-PAKE in the password-only model. Cryptology ePrint Archive, Report 2014/650 (2014). http://eprint.iacr.org/2014/650
[17] Lovecruft, I., de Valence, H.: curve25519-dalek (2022). https://github.com/dalek-cryptography/curve25519-dalek
[18] Maurer, U.: Zero-knowledge proofs of knowledge for group homomorphisms. Des. Codes Cryptogr. 77(2–3), 663–676 (2015)
[19] Micali, S., Rabin, M.O., Vadhan, S.P.: Verifiable random functions. In: 40th Annual Symposium on Foundations of Computer Science, pp. 120–130. IEEE Computer Society Press, New York, NY, USA, 17–19 October 1999
[20] Naccache, D., M'Raïhi, D., Vaudenay, S., Raphaeli, D.: Can D.S.A. be improved? Complexity trade-offs with the digital signature standard. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 77–85. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053426
[21] Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system, December 2008. https://bitcoin.org/bitcoin.pdf
[22] Querejeta-Azurmendi, I.: Verifiable random function (2022). https://github.com/input-output-hk/vrf
[23] Reyzin, L.: VRF standardisation mailing archive (2021). https://mailarchive.ietf.org/arch/msg/cfrg/KJwe92nLEkmJGpBe-OST_ilr<_MQ
[24] Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991). https://doi.org/10.1007/BF00196725
[25] Wuille, P., Nick, J., Ruffing, T.: Schnorr signatures for secp256k1, January 2020. https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
A A Brief Overview of Concepts Used in the Security Argument
We provide here a sketch of fundamental concepts used in the security argument. The extended version contains a detailed exposition [2].
On \(\varSigma \)-Protocols for Group Homomorphisms. We recall here a general class of zero-knowledge proofs of knowledge, namely the three-round protocols that prove the knowledge of a preimage of a (presumably one-way) group homomorphism [18]. Consider two groups \((\mathbb {H},\circ )\) and \((\mathbb {T}, \star )\) together with a homomorphism \(f: \mathbb {H} \rightarrow \mathbb {T}\), i.e., \(f(x \circ y) = f(x) \star f(y)\).
Let \(R_f\) be the relation defined by \((z, x) \in R_f :\leftrightarrow f(x)=z\). Consider the following three-round protocol between prover P and verifier V for the language \(L_{R_f} := \{z \, | \, \exists x: (z,x) \in R_f\}\). That is, the common input is the proof instance \(z \in \mathbb {T}\) (and the relation \(R_f\)), where the prover is supposed to know a value \(x \in \mathbb {H}\) s.t. \(f(x)=z\).
1. \(P \rightarrow V\): P samples \(k \overset{\$}{\leftarrow }\mathbb {H}\) and sends \(t:=f(k)\) to V.
2. \(V \rightarrow P\): V picks at random an integer \(c \in \mathcal {C} \subset \mathbb {N}\) and sends it to P.
3. \(P \rightarrow V\): P computes \(s:=k \circ x^c\) and sends s to V. V accepts the protocol run if and only if the equality \(f(s) = t \star z^c\) holds.
The security of this protocol follows from the following lemma:
Lemma 1 ([18]). Let \(R_f\) be a relation as described above relative to a group homomorphism \(f:\mathbb {H} \rightarrow \mathbb {T}\). The above protocol is a \(\varSigma \)-Protocol for the language \(L_{R_f}\) if there are two publicly known values \(\ell \in \mathbb {Z}\) and \(u \in \mathbb {H}\) s.t.
1. \(\forall c,c' \in \mathcal {C}\), \(c \ne c'\): \(\gcd (c-c',\ell )=1\), and
2. \(\forall z \in L_{R_f}, f(u) = z^\ell \).
The Fiat-Shamir Transform turns (in the random-oracle model) any \(\varSigma \)-Protocol into a secure non-interactive zero-knowledge protocol of knowledge. Intuitively, the assumed random oracle is like an honest verifier computing a challenge and thus preserves the above security properties. We refer to [2] for details.
Instantiation for \(\textsf{ECVRF}_{\textsf{bc}}\). We recall that in \(\textsf{ECVRF}_{\textsf{bc}}\) we deal with a prime-order subgroup \(\mathbb {G}\) of order q of an elliptic curve of order \(\textrm{cf}\cdot q\). Let \(B_1\) and \(B_2\) be two generators of this subgroup. Essentially, the \(\varSigma \)-protocol of interest is an equality proof of discrete logarithm, i.e., given two values \(z_1\) and \(z_2\) prove knowledge of x such that \(x*B_1 = z_1 \wedge x*B_2 = z_2\). To instantiate the above generic scheme, we let \(\mathbb {H} := (\mathbb {Z}_q,+)\) and define \((\mathbb {T},\oplus ) := (\mathbb {G},+) \times (\mathbb {G},+)\) as the direct product of \(\mathbb {G}\), where the binary operation \(\oplus \) on \(\mathbb {T}\) is defined component-wise. The homomorphism is given by \( f_{B_1,B_2}: \mathbb {Z}_q \rightarrow \mathbb {T}; \quad x \mapsto (x*B_1, x*B_2)\). Since \(\mathbb {G}\) is of prime order \(q\), we can satisfy the conditions of Lemma 1 by letting \(u = 0\) and \(\ell = q\), and defining the challenge space to be a large subset \(\mathcal {C} \subseteq [0,\dots ,q-1]\).
We therefore conclude that the embedded non-interactive zero-knowledge proof of knowledge in \(\textsf{ECVRF}_{\textsf{bc}}\) has (in the random-oracle model) simulatable executions, and with only negligible probability can a valid proof for a wrong statement be generated.
On Domain Checks and the Canonical Epimorphism. Special care has to be taken in the analysis as \(\textsf{ECVRF}_{\textsf{bc}}\) omits detailed domain checks, which in general can impact security in that Lemma 1 cannot be applied directly (\(\mathbb {G}\) is a subgroup of \(\mathbb {E}\), and the protocol could be run on values \(z_i \in \mathbb {E}\setminus \mathbb {G}\) by a dishonest party, as the verifier does not perform a domain check for \(z_i \in \mathbb {G}\) but only for \(\mathbb {E}\)). We leave the general treatment of this to the full version of this work and describe here a special case based on the canonical epimorphism: for \(\textsf{ECVRF}_{\textsf{bc}}\), we can consider the map \(P \mapsto \textrm{cf}*P\), which is the canonical epimorphism \(\phi _\textrm{cf}: \mathbb {E}\rightarrow \mathbb {G}\), and the corresponding map \(P+\ker (\phi _\textrm{cf}) \mapsto \phi _\textrm{cf}(P)\), which is the isomorphism establishing \(\mathbb {E}/\ker (\phi _\textrm{cf}) \cong \mathbb {G}\) by the fundamental theorem on homomorphisms. From this we deduce by Lagrange’s Theorem that \(|\mathbb {E}| = |\mathbb {G}| \cdot |\ker (\phi _\textrm{cf})|\). Since the choice of representatives is immaterial, one can think of each coset \(P+\ker (\phi _\textrm{cf})\) as being represented by a point \(P \in \mathbb {G}\) (and the kernel consists of the low-order points, i.e., elements of order strictly less than q). Denoting the first-round message of the prover by (U, V), the projected verification equation in step 3 of the \(\varSigma \)-Protocol becomes \((O,O) = (\phi _\textrm{cf}(s*B-U-c*z_1), \phi _\textrm{cf}(s*H-V-c*z_2))\), which is an equation in the prime-order group \(\mathbb {G}\) (recall that B and H are generators of \(\mathbb {G}\)). Stated differently, the above equality is satisfied when \((s*B-U-c*z_1) \in \ker (\phi _\textrm{cf})\) and \((s*H-V-c*z_2) \in \ker (\phi _\textrm{cf})\).
As we show in the full version [2], the guarantees of Lemma 1 apply to this projected run of the protocol, in particular, we obtain the soundness guarantee for the relation
guaranteed by the above \(\varSigma \)-protocol (where, technically speaking, we could relax the checks performed by the verifier to \((s*B-U-c*z_1) \in \ker (\phi _\textrm{cf})\) and \((s*H-V-c*z_2) \in \ker (\phi _\textrm{cf})\) instead of the stricter equality checks \((s*B-U-c*z_1) = O\) and \((s*H-V-c*z_2) = O\)).
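The following Python is an added illustration of this appendix, not code from the paper or from the authors' ECVRF implementation. It models the three-round protocol for a group homomorphism, instantiated with the discrete-log-equality homomorphism \(f_{B_1,B_2}\) of \(\textsf{ECVRF}_{\textsf{bc}}\) and made non-interactive with Fiat-Shamir (announcement-encoded, as in the Ed25519 footnote). In place of the curve \(\mathbb {E}\) it uses the multiplicative group \(\mathbb {Z}_p^*\) with \(|\mathbb {Z}_p^*| = \textrm{cf}\cdot q\), so the prime-order subgroup \(\mathbb {G}\), the cofactor map \(\phi _\textrm{cf}(z) = z^{\textrm{cf}}\) and the low-order points all have concrete counterparts; p, q, cf and the generators are constructed for the demo and the hash-to-group step of ECVRF is replaced by a second fixed generator. The `relaxed` flag in `verify` is the projected check from the paragraph above (difference in \(\ker (\phi _\textrm{cf})\) rather than equal to the identity), and `demo()` ends with the case the paragraph discusses: a statement in \(\mathbb {E}\setminus \mathbb {G}\) whose projection coincides with an honest one.

```python
import hashlib
import secrets

# Constructed toy setting: Z_p^* plays the curve group E with |E| = cf*q, and its
# unique subgroup G of prime order q plays the ECVRF subgroup (all values are demo-only).

def is_prime(n):
    """Trial division; adequate for the small demo moduli used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def find_params(cf=8, start=1_000_003):
    """Find an odd prime q with p = cf*q + 1 prime (cofactor 8, as for curve25519)."""
    q = start
    while not (is_prime(q) and is_prime(cf * q + 1)):
        q += 2
    return cf * q + 1, q, cf

P, Q, CF = find_params()

def in_E(z):  # membership in the ambient group Z_p^*: the only domain check ECVRF_bc does
    return 1 <= z < P

def in_G(z):  # membership in the prime-order subgroup G: z^q == 1
    return in_E(z) and pow(z, Q, P) == 1

def phi_cf(z):  # canonical epimorphism E -> G, z -> z^cf (clearing the cofactor)
    return pow(z, CF, P)

def subgroup_generator(seed):  # phi_cf(seed) lies in G; any non-identity element generates it
    while phi_cf(seed) == 1:
        seed += 1
    return phi_cf(seed)

def low_order_element(seed=2):  # g^q has order dividing cf, so it lies in ker(phi_cf)
    while pow(seed, Q, P) == 1:
        seed += 1
    return pow(seed, Q, P)

def f(x, B1, B2):  # the homomorphism f_{B1,B2}: (Z_q,+) -> G x G, x -> (B1^x, B2^x)
    return (pow(B1, x, P), pow(B2, x, P))

def challenge(B1, B2, z, t):  # Fiat-Shamir: a hash replaces the verifier's random c in [0, q-1]
    msg = ",".join(map(str, (P, B1, B2, z[0], z[1], t[0], t[1]))).encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def prove(x, B1, B2, z=None):
    """Proof of knowledge of x, announcement-encoded as (t, s); a dishonest prover may pass z != f(x)."""
    if z is None:
        z = f(x, B1, B2)
    k = secrets.randbelow(Q)            # step 1: k <-$ Z_q, t = f(k)
    t = f(k, B1, B2)
    c = challenge(B1, B2, z, t)         # step 2: c from the random oracle
    s = (k + c * x) % Q                 # step 3: s = k o x^c, additive in Z_q
    return z, (t, s)

def verify(B1, B2, z, proof, subgroup_check=False, relaxed=False):
    """Check f(s) = t * z^c componentwise. subgroup_check also requires z in G;
    relaxed only requires the difference to lie in ker(phi_cf) (the projected check)."""
    t, s = proof
    if not (all(map(in_E, (*z, *t))) and 0 <= s < Q):
        return False
    if subgroup_check and not all(map(in_G, z)):
        return False
    c = challenge(B1, B2, z, t)
    lhs = f(s, B1, B2)
    for i in range(2):
        rhs = t[i] * pow(z[i], c, P) % P
        d = lhs[i] * pow(rhs, -1, P) % P    # multiplicative form of s*B - U - c*z
        if not (phi_cf(d) == 1 if relaxed else d == 1):
            return False
    return True

def demo():
    """Honest run, a tampered response, and a statement with a low-order component."""
    B1, B2 = subgroup_generator(2), subgroup_generator(3)
    x = secrets.randbelow(Q - 1) + 1
    z, proof = prove(x, B1, B2)
    h = low_order_element()
    z_off = ((z[0] * h) % P, z[1])          # in E \ G, but phi_cf(z_off) = phi_cf(z)
    _, off_proof = prove(x, B1, B2, z_off)
    c_off = challenge(B1, B2, z_off, off_proof[0])
    return {
        "honest_strict": verify(B1, B2, z, proof, subgroup_check=True),
        "honest_relaxed": verify(B1, B2, z, proof, relaxed=True),
        "tampered": verify(B1, B2, z, (proof[0], (proof[1] + 1) % Q)),
        "off_in_G": in_G(z_off[0]),
        "off_same_projection": phi_cf(z_off[0]) == phi_cf(z[0]),
        "off_subgroup_check": verify(B1, B2, z_off, off_proof, subgroup_check=True),
        "off_strict": verify(B1, B2, z_off, off_proof),
        "off_strict_iff_hc_is_1": pow(h, c_off, P) == 1,   # strict check passes exactly when h^c = 1
        "off_relaxed": verify(B1, B2, z_off, off_proof, relaxed=True),
    }
```

Running `demo()` shows the three regimes the appendix distinguishes: with a subgroup check the off-group statement is rejected outright; with only the \(\mathbb {E}\) check the strict equality holds exactly when the low-order component vanishes under the challenge (\(h^c = 1\)); and the relaxed, projected check always accepts, which is consistent because \(\phi _\textrm{cf}(z_{\mathrm{off}}) = \phi _\textrm{cf}(z)\), i.e., the statement is correct modulo \(\ker (\phi _\textrm{cf})\), which is precisely the relation for which soundness is claimed above.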
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Badertscher, C., Gaži, P., Querejeta-Azurmendi, I., Russell, A. (2022). A Composable Security Treatment of ECVRF and Batch Verifications. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13556. Springer, Cham. https://doi.org/10.1007/978-3-031-17143-7_2
DOI: https://doi.org/10.1007/978-3-031-17143-7_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17142-0
Online ISBN: 978-3-031-17143-7