
Verifiable Random Functions from Non-interactive Witness-Indistinguishable Proofs

Published in: Journal of Cryptology

Abstract

Verifiable random functions (VRFs) are pseudorandom functions where the owner of the seed, in addition to computing the function’s value y at any point x, can also generate a non-interactive proof \(\pi \) that y is correct, without compromising pseudorandomness at other points. Being a natural primitive with a wide range of applications, considerable efforts have been directed toward the construction of such VRFs. While these efforts have resulted in a variety of algebraic constructions (from bilinear maps or the RSA problem), the relation between VRFs and other general primitives is still not well understood. We present new constructions of VRFs from general primitives, the main one being non-interactive witness-indistinguishable proofs (NIWIs). This includes: (1) a selectively secure VRF assuming NIWIs and non-interactive commitments. As usual, the VRF can be made adaptively secure assuming subexponential hardness of the underlying primitives. (2) An adaptively secure VRF assuming (polynomially hard) NIWIs, non-interactive commitments, and (single-key) constrained pseudorandom functions for a restricted class of constraints. The above primitives can be instantiated under various standard assumptions, which yields corresponding VRF instantiations, under different assumptions than were known so far. One notable example is a non-uniform construction of VRFs from subexponentially hard trapdoor permutations, or more generally, from verifiable pseudorandom generators (the construction can be made uniform under a standard derandomization assumption). This partially answers an open question by Dwork and Naor (FOCS ’00). The construction and its analysis are quite simple. Both draw from ideas commonly used in the context of indistinguishability obfuscation.


Notes

  1. The construction based on IO is also limited to either selective security, or reliance on subexponential hardness.

  2. We also give a simpler construction under the stronger d-power DDH assumption.

  3. In the body, we further allow the partition scheme to involve some encoding of the input space X into a more structured input space \(\widehat{X}\) and then consider applying the CPRF and partitioning for encoded inputs in the new space \(\widehat{X}\). See Definition 2.6 and Sect. 3 for more details.

  4. In their construction, verification is probabilistic. Using their construction in our context would accordingly give a VRF with probabilistic verification. For simplicity, in this paper, we shall restrict attention to deterministic verification.

  5. We note that the set S has an efficient representation in terms of \(\lambda \) and does not grow with \(Q,\delta ^{-1}\). Indeed, throughout this paper, \(Q,\delta ^{-1}\) will be arbitrary polynomials in \(\lambda \) that depend on the adversary. In our partition schemes, the representation of sets will only scale with \(\min \left\{ \log (Q/\delta ),n(\lambda )\right\} \).

  6. Recall that in a code with (relative) distance c, each two codewords agree on at most a c-fraction of symbols.

  7. The above distribution is not necessarily random over strings. In any natural instantiation of the group, e.g., as a prime order group for a large prime, or a composite group of smooth order, \(g^\beta \) is also random in the group \(\mathbb {G}\). In any case, and as usual, if one insists on outputting a random string, we can further apply a randomness extractor (see, for example, [44]).

  8. This is a weaker variant of the usual GDDH assumption where d may be polynomial (and the elements are given by an oracle). This weaker variant will be sufficient for us.

  9. The same footnote 7 applies.

  10. For SXDH, DDH holds in the base groups. For DLIN, DDH holds in the target group. We thank Brent Waters for pointing out this last fact.

References

  1. M. Abdalla, D. Catalano, D. Fiore, Verifiable random functions: relations to identity-based key encapsulation and new constructions. J. Cryptol. 27(3), 544–593 (2014)

  2. D. Boneh, X. Boyen, Secure identity based encryption without random oracles, in Advances in Cryptology - CRYPTO 2004, 24th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15–19, 2004, Proceedings (2004), pp. 443–459

  3. E. Biham, D. Boneh, O. Reingold, Breaking generalized Diffie–Hellman modulo a composite is no easier than factoring. Inf. Process. Lett. 70(2), 83–87 (1999)

  4. E. Boyle, S. Goldwasser, I. Ivan, Functional signatures and pseudorandom functions, in H. Krawczyk, editor, PKC 2014: 17th International Conference on Theory and Practice of Public Key Cryptography, Volume 8383 of Lecture Notes in Computer Science, Buenos Aires, Argentina, March 26–28 (Springer, Heidelberg, 2014), pp. 501–519

  5. S. Badrinarayanan, V. Goyal, A. Jain, A. Sahai, Verifiable functional encryption, in Advances in Cryptology—ASIACRYPT 2016—22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4–8, 2016, Proceedings, Part II (2016), pp. 557–587

  6. S. Badrinarayanan, V. Goyal, A. Jain, A. Sahai, A note on VRFs from verifiable functional encryption, p. 051 (2017)

  7. Z. Brakerski, S. Goldwasser, G.N. Rothblum, V. Vaikuntanathan, Weak verifiable random functions, in 6th Theory of Cryptography Conference, TCC 2009, San Francisco, CA, USA, March 15–17, 2009. Proceedings (2009), pp. 558–576

  8. M. Blum, Coin flipping by telephone, in Advances in Cryptology: A Report on CRYPTO 81, CRYPTO 81, IEEE Workshop on Communications Security, Santa Barbara, California, USA, August 24–26, 1981 (1981), pp. 11–15

  9. D. Boneh, H.W. Montgomery, A. Raghunathan, Algebraic pseudorandom functions with improved efficiency from the augmented cascade, in Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, Chicago, Illinois, USA, October 4–8, 2010 (2010), pp. 131–140

  10. B. Barak, S.J. Ong, S.P. Vadhan, Derandomization in cryptography. SIAM J. Comput. 37(2), 380–400 (2007)

  11. N. Bitansky, O. Paneth, Zaps and non-interactive witness indistinguishability from indistinguishability obfuscation, in Theory of Cryptography—12th Theory of Cryptography Conference, TCC 2015, Warsaw, Poland, March 23–25, 2015, Proceedings, Part II (2015), pp. 401–427

  12. M. Bellare, T. Ristenpart, Simulation without the artificial abort: simplified proof and improved concrete security for Waters’ IBE scheme, in Advances in Cryptology—EUROCRYPT 2009, 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cologne, Germany, April 26–30, 2009. Proceedings (2009), pp. 407–424

  13. M. Blum, A. De Santis, S. Micali, G. Persiano, Noninteractive zero-knowledge. SIAM J. Comput. 20(6), 1084–1118 (1991)

  14. Z. Brakerski, V. Vaikuntanathan, Constrained key-homomorphic PRFs from standard lattice assumptions—or: how to secretly embed a circuit in your PRF, in Theory of Cryptography—12th Theory of Cryptography Conference, TCC 2015, Warsaw, Poland, March 23–25, 2015, Proceedings, Part II (2015), pp. 1–30

  15. D. Boneh, B. Waters, Constrained pseudorandom functions and their applications, in K. Sako, P. Sarkar, editors, Advances in Cryptology—ASIACRYPT 2013, Part II, Volume 8270 of Lecture Notes in Computer Science, Bangalore, India, December 1–5 (Springer, Heidelberg, 2013), pp. 280–300

  16. M. Bellare, M. Yung, Certifying permutations: noninteractive zero-knowledge based on any trapdoor permutation. J. Cryptol. 9(3), 149–166 (1996)

  17. D. Boneh, M. Zhandry, Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation, in Advances in Cryptology—CRYPTO 2014—34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17–21, 2014, Proceedings, Part I (2014), pp. 480–499

  18. J. Chen, S. Gorbunov, S. Micali, G. Vlachos, ALGORAND AGREEMENT: super fast and partition resilient byzantine agreement. IACR Cryptology ePrint Archive 2018:377 (2018)

  19. M. Chase, S. Meiklejohn, Déjà Q: using dual systems to revisit q-type assumptions, in Advances in Cryptology—EUROCRYPT 2014—33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11–15, 2014. Proceedings (2014), pp. 622–639

  20. N. Chandran, S. Raghuraman, D. Vinayagamurthy, Constrained pseudorandom functions: verifiable and delegatable. Cryptology ePrint Archive 2014:522

  21. L. Carter, M.N. Wegman, Universal classes of hash functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979)

  22. C. Dwork, M. Naor, Zaps and their applications. SIAM J. Comput. 36(6), 1513–1543 (2007)

  23. Y. Dodis, Efficient construction of (distributed) verifiable random functions, in Public Key Cryptography—PKC 2003, 6th International Workshop on Theory and Practice in Public Key Cryptography, Miami, FL, USA, January 6–8, 2003, Proceedings (2003), pp. 1–17

  24. Y. Dodis, A. Yampolskiy, A verifiable random function with short proofs and keys, in Public Key Cryptography—PKC 2005, 8th International Workshop on Theory and Practice in Public Key Cryptography, Les Diablerets, Switzerland, January 23–26, 2005, Proceedings (2005), pp. 416–431

  25. U. Feige, D. Lapidot, A. Shamir, Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)

  26. D. Fiore, D. Schröder, Uniqueness is a different story: impossibility of verifiable random functions from trapdoor permutations, in Theory of Cryptography—9th Theory of Cryptography Conference, TCC 2012, Taormina, Sicily, Italy, March 19–21, 2012. Proceedings (2012), pp. 636–653

  27. G. Fuchsbauer, Constrained verifiable random functions, in Security and Cryptography for Networks—9th International Conference, SCN 2014, Amalfi, Italy, September 3–5, 2014. Proceedings (2014), pp. 95–114

  28. O. Goldreich, S. Goldwasser, S. Micali, How to construct random functions. J. ACM 33(4), 792–807 (1986)

  29. R. Goyal, S. Hohenberger, V. Koppula, B. Waters, A generic approach to constructing and proving verifiable random functions. Cryptology ePrint Archive 2017:21

  30. S. Goldwasser, R. Ostrovsky, Invariant signatures and non-interactive zero-knowledge proofs are equivalent (extended abstract), in Advances in Cryptology—CRYPTO ’92, 12th Annual International Cryptology Conference, Santa Barbara, California, USA, August 16–20, 1992, Proceedings (1992), pp. 228–245

  31. J. Groth, R. Ostrovsky, A. Sahai, New techniques for noninteractive zero-knowledge. J. ACM 59(3), 11 (2012)

  32. O. Goldreich, R.D. Rothblum, Enhancements of trapdoor permutations. J. Cryptol. 26(3), 484–512 (2013)

  33. S. Gorbunov, V. Vaikuntanathan, H. Wee, Functional encryption with bounded collusions via multi-party computation, in Advances in Cryptology—CRYPTO 2012—32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2012. Proceedings (2012), pp. 162–179

  34. D. Hofheinz, T. Jager, Verifiable random functions from standard assumptions, in Theory of Cryptography—13th International Conference, TCC 2016-A, Tel Aviv, Israel, January 10–13, 2016, Proceedings, Part I (2016), pp. 336–362

  35. S. Hohenberger, V. Koppula, B. Waters, Adaptively secure puncturable pseudorandom functions in the standard model, in Advances in Cryptology—ASIACRYPT 2015—21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29–December 3, 2015, Proceedings, Part I (2015), pp. 79–102

  36. S. Hohenberger, B. Waters, Constructing verifiable random functions with large input spaces, in Advances in Cryptology—EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30–June 3, 2010. Proceedings (2010), pp. 656–672

  37. T. Jager, Verifiable random functions from weaker assumptions, in Theory of Cryptography—12th Theory of Cryptography Conference, TCC 2015, Warsaw, Poland, March 23–25, 2015, Proceedings, Part II (2015), pp. 121–143

  38. A. Kiayias, S. Papadopoulos, N. Triandopoulos, T. Zacharias, Delegatable pseudorandom functions and applications, in A.-R. Sadeghi, V.D. Gligor, M. Yung, editors, ACM CCS 13: 20th Conference on Computer and Communications Security, November 4–8 (ACM Press, Berlin, 2013), pp. 669–684

  39. A. Lysyanskaya, Unique signatures and verifiable random functions from the DH-DDH separation, in Advances in Cryptology—CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara, California, USA, August 18–22, 2002, Proceedings (2002), pp. 597–612

  40. S. Micali, M.O. Rabin, S.P. Vadhan, Verifiable random functions, in 40th Annual Symposium on Foundations of Computer Science, FOCS ’99, 17–18 October, 1999, New York, NY, USA (1999), pp. 120–130

  41. P.B. Miltersen, N.V. Vinodchandran, Derandomizing Arthur–Merlin games using hitting sets, in 40th Annual Symposium on Foundations of Computer Science, FOCS ’99, 17–18 October, 1999, New York, NY, USA (1999), pp. 71–80

  42. M. Naor, Bit commitment using pseudorandomness. J. Cryptol. 4(2), 151–158 (1991)

  43. M. Naor, O. Reingold, Synthesizers and their application to the parallel construction of pseudo-random functions. J. Comput. Syst. Sci. 58(2), 336–375 (1999)

  44. M. Naor, O. Reingold, Number-theoretic constructions of efficient pseudo-random functions. J. ACM 51(2), 231–262 (2004)

  45. D. Papadopoulos, D. Wessels, S. Huque, M. Naor, J. Vcelák, L. Reyzin, S. Goldberg, Can NSEC5 be practical for DNSSEC deployments? IACR Cryptology ePrint Archive 2017:99 (2017)

  46. A. Sahai, H. Seyalioglu, Worry-free encryption: functional encryption with public keys, in Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, Chicago, Illinois, USA, October 4–8, 2010 (2010), pp. 463–472

  47. A. Sahai, B. Waters, How to use indistinguishability obfuscation: deniable encryption, and more, in D.B. Shmoys, editor, 46th Annual ACM Symposium on Theory of Computing, May 31–June 3 (ACM Press, New York, 2014), pp. 475–484

  48. B. Waters, Efficient identity-based encryption without random oracles, in Advances in Cryptology—EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22–26, 2005, Proceedings (2005), pp. 114–127


Author information

Corresponding author: Nir Bitansky.

Additional information

Communicated by Serge Fehr


Member of the Check Point Institute of Information Security. Supported by the Alon Young Faculty Fellowship, ISF Grant 484/18, and by Len Blavatnik and The Blavatnik Foundation. Part of this research was done while at MIT, supported by NSF Grants CNS-1350619 and CNS-1414119 and by DARPA and ARO under Contract No. W911NF-15-C-0236. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of DARPA and ARO. Part of this research was done while visiting Tel Aviv University, supported by the Leona M. and Harry B. Helmsley Charitable Trust.


About this article


Cite this article

Bitansky, N. Verifiable Random Functions from Non-interactive Witness-Indistinguishable Proofs. J Cryptol 33, 459–493 (2020). https://doi.org/10.1007/s00145-019-09331-1
