Pairing-Based Verifiable Random Functions
Yevgeniy Dodis, New York University

Transcript of "Pairing-Based Verifiable Random Functions" (Yevgeniy Dodis, New York University), 52 slides.

Page 1: Pairing-Based Verifiable Random Functions

Yevgeniy Dodis
New York University

Page 2: Random Oracle Model [BeRo92]

Laura sends x to the Oracle and receives H(x).

Laura: "I trust you, Oracle. Thank you for sending the correct, truly random value H(x)."

Page 3: Random Oracle Model (cont.)

• Idealized model of computation
• Assumes a truly random function H: {0,1}* -> {0,1}^k
  – H is publicly available / verifiable / transferable / random
• Has found a gigantic number of applications, including many where no "standard" solution is known
• Problem: random oracles do not exist (disclaimer: not counting SHA1/MD5 and the like)
  – The danger can be formalized [CGH98, …]
• Challenge: Can we provably eliminate the RO? (to the maximum extent possible)

Page 4: Alternatives

• Pseudorandom Functions (PRFs) [GGM86, NaRe97]
• Verifiable Random Functions (VRFs) [MRV99, Lys02, Dod03, DY05]  <- this talk
• Distributed PRFs (DPRFs) [MiSi95, NPR99, Nie02]
• Distributed VRFs (DVRFs) [Dod03, DY05]  <- this talk

Page 5: Pseudorandom Functions (PRF)

Laura sends x to Oded, a trusted third party (TTT) who holds the secret key SK, and receives F_SK(x).

• Oded is just an efficient and indistinguishable implementation of Phil
• F is not (pseudo)random to Oded
• Laura can't check its correctness or convince outside parties

Laura: "Your value F_SK(x) looks random to me. But I'm not sure it's correct, and can't convince anybody else."

Page 6: Current PRFs

• Based on block ciphers and hash functions (CBC-MAC, HMAC, …)
  + Very fast and useful in symmetric-key crypto
  – Ad-hoc security
  – Not applicable for protocols
  – Not applicable for distributed computation
• Based on number theory (Naor-Reingold, …)
  + Nicer assumptions, more "elegant"
  + Applicable for protocols
  + Can be distributed
  – Slow and inefficient: uses one exponentiation and one secret key per input bit

Page 7: Naor-Reingold PRF

• Say G is a group of prime order q.
  NR_{g,a[1],…,a[k]}(x[1],…,x[k]) = g^{∏ {a[i] : x[i] = 1}}
  – x = path on a binary tree
  – Root is g; going left = do nothing; going right = raise to a[i]
  – Here g ∈ G and a[i] ∈ Z_q are random (and secret)
  – Theorem [NR97]: NR is a PRF under DDH in G.
  – Under DDH, all nodes look random and independent…

Toy example: k = 6, x = 011011. Root-to-leaf path:
  level 1 (x[1] = 0): g
  level 2 (x[2] = 1): g^{a[2]}
  level 3 (x[3] = 1): g^{a[2]a[3]}
  level 4 (x[4] = 0): g^{a[2]a[3]}
  level 5 (x[5] = 1): g^{a[2]a[3]a[5]}
  level 6 (x[6] = 1): g^{a[2]a[3]a[5]a[6]} = NR(011011)
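The tree walk of the toy example, as a worked example in Python. This is an added example, not code from the talk; the Schnorr group (p = 2039 = 2q+1, q = 1019, generator g = 4 of order q) is a constructed toy far too small for real use. `nr_path` returns the whole root-to-leaf path, the object the talk later (Page 21) wants to make verifiable, and `ddh_relation` checks, using the key, the structural fact also noted there: for any prefixes x and z, the four leaves NR(x0), NR(x1), NR(z0), NR(z1) form a DDH tuple because x1 and z1 are both obtained by raising to the same a[k].

```python
"""Naor-Reingold PRF evaluated as a walk down a binary tree.

Added example, not code from the talk. Toy group (constructed, NOT secure):
p = 2039 = 2q + 1 with q = 1019 prime; g = 4 is a square mod p, so it generates
the order-q subgroup of Z_p^*, and exponents live in Z_q.
"""
import secrets

p, q, g = 2039, 1019, 4


def keygen(k):
    """Secret key a[1..k]: k random non-zero exponents in Z_q (list index i-1 holds a[i])."""
    return [secrets.randbelow(q - 1) + 1 for _ in range(k)]


def nr_path(a, x):
    """Walk the tree for the input bit-string x: root g; bit 0 = stay, bit 1 = raise to a[i].

    Returns the k+1 nodes on the root-to-leaf path; the last one is NR(x).
    Cost: one exponentiation per 1-bit (k in the worst case), the bit-by-bit
    processing the talk wants to avoid.
    """
    if len(x) != len(a):
        raise ValueError("input length must equal the number of key exponents")
    node, path = g, [g]
    for bit, a_i in zip(x, a):
        if bit == "1":
            node = pow(node, a_i, p)
        path.append(node)
    return path


def nr(a, x):
    """NR_{g,a}(x) = g^{product of a[i] over the positions where x[i] = 1}."""
    return nr_path(a, x)[-1]


def nr_direct(a, x):
    """Same value from the closed form, multiplying the exponents mod q first."""
    e = 1
    for bit, a_i in zip(x, a):
        if bit == "1":
            e = e * a_i % q
    return pow(g, e, p)


def ddh_relation(a, x, z):
    """The leaves NR(x0), NR(x1), NR(z0), NR(z1) are (u, u^{a_k}, v, v^{a_k}): a DDH tuple.

    x and z are (k-1)-bit prefixes. With the key the relation is checked directly;
    without the key a DDH oracle (a pairing) detects it, which is why a verifiable
    NR does not stay pseudorandom in DDH-easy groups.
    """
    a_k = a[-1]
    u, u1 = nr(a, x + "0"), nr(a, x + "1")
    v, v1 = nr(a, z + "0"), nr(a, z + "1")
    return u1 == pow(u, a_k, p) and v1 == pow(v, a_k, p)


if __name__ == "__main__":
    a = keygen(6)
    for level, node in enumerate(nr_path(a, "011011")):
        print(f"level {level}: {node}")
    print("NR(011011) =", nr(a, "011011"), "=", nr_direct(a, "011011"))
    print("NR(000000) =", nr(a, "000000"), "(always g: the key never enters)")
    print("DDH relation among leaves:", ddh_relation(a, "01101", "10000"))
```

Note that NR(0^k) = g for every key, which is the first of the two pseudorandomness failures the talk points at once the path becomes public.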

Page 8: Question 1

• Can we build a number-theoretic PRF which does not process the input bit-by-bit?
  – Stay tuned…

Page 9: PRFs Give No Verifiability

Laura sends x and gets back F_SK(x)+5 from the (supposedly trusted) party.

• George W is trusted not only to keep SK secret, but also to give the correct function value.
• To check the correctness of F(x), need to ask George again (and again).

"There's a huge trust. I see it all the time when people come up to me and say, 'I don't want you to let me down again.'"
— Boston, Massachusetts, October 3, 2000

"I think if you know what you believe, it makes it a lot easier to answer questions. I can't answer your question."
— Reynoldsburg, Ohio, October 4, 2000

Page 10: Non-interactive lottery [MR02]

• Lottery organizer has a secret function F_SK(.)
• Each participant chooses a lottery ticket x and sends it to the organizer
  (e.g., x1 = 3, x2 = 8, x3 = 5)

Page 11: Non-interactive lottery (cont.)

• Organizer computes y = F_SK(x) for each x he receives
• The value y somehow determines if the user wins; e.g., the user wins $100 if his y is prime
  (e.g., F_SK(3) = 10, F_SK(8) = 11, F_SK(5) = 15: only the second ticket wins)

Page 12: Non-interactive lottery (cont.)

• This scheme almost works except…
• Problem 1: We must ensure that users cannot bias the lottery; i.e., F_SK(x) should look random and unpredictable
  – A regular PRF is enough
• Problem 2: What stops the organizer from lying about the true F_SK(x) value?
  – Need verifiability (and uniqueness!)
  – Leads to VRFs!

Page 13: Verifiable Random Functions (VRF)

Laura sends x to Michael, a semi-trusted third party (semi-TTT) who holds the secret key SK and a public key PK, and receives F_SK(x) together with a proof π_SK(x).

• Michael is just an efficient and indistinguishable implementation of Phil
• F is not (pseudo)random to Michael
• However, Laura can check its correctness and convince outside parties

Laura: "Using PK and the proof π_SK(x), I can see that F_SK(x) is correct. Without the proof, it would look random."

Page 14: Verifiable Random Functions [MRV99]

• PRFs with a special property:
  – in addition to the secret key SK, there is also a public key PK
  – the holder of the VRF's SK can produce a proof π_SK(x) that y = F_SK(x) for a unique y
  – security: the game below

Security game. The challenger generates (SK, PK) and gives PK to the adversary. The adversary adaptively queries x1, x2, … and receives (F_SK(x1), π_SK(x1)), (F_SK(x2), π_SK(x2)), …; it then picks a challenge z different from all its queries. The challenger sets y0 := F_SK(z), y1 := random, picks a random bit b and returns y := yb. The adversary may keep querying xi ≠ z, receiving (F_SK(xi), π_SK(xi)), and finally outputs a guess b'.

Secure VRF if Pr[b = b'] ≈ 1/2.

Page 15: Applications

• VRFs are unique signatures
  – intuitively, "VRF = PRF + sig"
• Lottery application [MR02]
• Verifiable KDC, long-term encryption [NPR99]
• A tool in protocol design
  – Three-round resettable ZK [MR01]
  – Verifiable Transaction Escrow [JS04]
  – Efficient E-Cash [CHL05] (needs a PRF with special properties like having efficient ZK proofs)

Page 16: Compact e-cash [CHL05]

• Offline anonymous e-cash scheme.
  – A user can withdraw a wallet of 2^l coins from the bank and later spend them.
• In the best previously known schemes, withdraw and spend operations take O(2^l · k) time (k = security parameter).
• In EuroCrypt '05, [CHL05] used the [DY05] VRF to construct a scheme whose withdraw/spend operations take O(l + k) time.
  – Also have an O(l · k) scheme using the VRF variant of [Dod03] (more convenient for ZK)
• A PRF sufficed, but needed nice algebraic structure to do efficient ZK proofs!

Page 17: Constructing VRFs

                        MRV99          Lys02             Dod03             DY05
Mapping of inputs       yes (primes)   yes (codes)       yes (codes)       no
Expensive "VUF->VRF"    yes            yes               no                no
Pairing-based?          no             yes               yes               yes
Short proofs/keys       no             no (bit-by-bit)   no (bit-by-bit)   yes

DY05's "yes" for short proofs/keys (no bit-by-bit processing) resolves Question 1.

Page 18: VUF to VRF Transformation

• First, get a nice and "elegant" VUF construction
  – A verifiable unpredictable function is just like a VRF, except that it is only hard to compute any "new" value
• Expensive generic VUF -> VRF transform:
  (a) Goldreich-Levin to get a VRF: (log n) -> 1 bit
      • Also a terrible exact security loss…
  (b) Several such (a)'s to get an output as long as the input
  (c) Another tree-based construction on (a)+(b) to get large input and small output
  (d) Several such (a)+(b)+(c)'s to get large output
• Results in a very bulky and "inelegant" VRF
  – Stay tuned for better efficiency with pairings!

Page 19: Constructing VRFs

                        MRV99          Lys02             Dod03             DY05
Mapping of inputs       yes (primes)   yes (codes)       yes (codes)       no
Expensive "VUF->VRF"    yes            yes               no                no
Pairing-based?          no             yes               yes               yes
Short proofs/keys       no             no (bit-by-bit)   no (bit-by-bit)   yes
Distributed             no             no                yes               yes
Practical?              no             no                hmm…              yes
Good for protocols?     no             no                maybe             yes

Page 20: Roadmap for Constructions

• Work in groups where DDH is easy
  – VUF under a CDH-like assumption [Lys02]
  – Full power of pairings not needed yet…
• Two ways of avoiding Goldreich-Levin:
  – Encoding + decisional assumption [Dod03]
  – Use pairings explicitly! (with a new assumption)
    Set VRF_SK(x) = e(VUF_SK(x), g)
• Direct construction with pairings [DY05]
  – Simple and efficient VUF based on [BB04]
  – Still set VRF_SK(x) = e(VUF_SK(x), g), but for a more efficient VUF!

Page 21: Using DDH-easy Groups

• Recall, NR_{g,a[1],…,a[k]}(x[1],…,x[k]) = g^{∏ {a[i] : x[i] = 1}}
• Problem: nobody can verify NR(011011), i.e. the path g, g, g^{a[2]}, g^{a[2]a[3]}, g^{a[2]a[3]}, g^{a[2]a[3]a[5]}, g^{a[2]a[3]a[5]a[6]}
• But assume DDH is easy!
  – Publish PK = (g, h, h^{a[1]}, …, h^{a[k]})
  – π(x) = all "children" of NR(x), i.e. the nodes on the root-to-leaf path
  – Use DDH and the public key to test all consecutive children: for a right step at level i, (h, h^{a[i]}, parent, child) must be a DDH tuple
• Get verifiability, but what about pseudorandomness?
  – No! Say, NR(0^k) = g, or [NR(x0), NR(x1), NR(z0), NR(z1)] form a DDH tuple for any x, z
  – What do we do?

Page 22: Option 1: settle for VUF [Lys02]

• NR(x) still seems to be hard to compute,
  – even if DDH is easy (modulo the triviality that we append 1 to each input)
• Need a "CDH-like" assumption in DDH-easy groups (called generalized CDH)
• Notation:
  – Given x, let 1_x = {i | x[i] = 1}
  – Given g, a[1], …, a[L] and a set I ⊆ {1…L}, let Exp(I) = g^{∏ {a[i] : i ∈ I}}
  – E.g., NR(x) = Exp(1_x) (we'll use Exp(1_{x1}))

Page 23: Generalized CDH of order L

• Adv is given oracle access to Exp(I), for I ⊆ {1..L}
• G satisfies gCDH of order L if: after adaptively querying I1, I2, … and receiving Exp(I1), Exp(I2), …, the adversary outputs (J, v) with J ∉ {I1, …, Im}, and Pr[v = Exp(J)] = negl

Page 24: VUF under gCDH [Lys02]

• Tautological if we set the order L = k+1
  – Note: [NR] needed gDDH. Luckily, gDDH ⇔ DDH [STW]
• Most work in [Lys02]:
  – Reduce the order to O(log k) (note, L = 2 gives CDH)
  – Force Adv to forge J = {1..L} (the full set)
  – Reason: allows making the assumption non-interactive
• Clever use of an encoding C: {0,1}^k -> {0,1}^L
  – Set NR^C_{g,a[1],…,a[L]}(x[1],…,x[k]) = Exp(1_{C(x)})
  – Choose a special C to make this work for L = O(k)
  – Turns out we need an error-correcting code
• Instead, we'll use an encoding for a different reason:
  – to get a direct VRF, without going through a VUF! [Dod03]

Page 25: Option 2: Use Encoding [Dod03]

• As before, use an encoding C: {0,1}^k -> {0,1}^L and NR^C_{g,a[1],…,a[L]}(x[1],…,x[k]) = Exp(1_{C(x)})
• Reasoning: almost as efficient as C = identity when L is close to k, but a lot of freedom…
  – For example, [NR^C(x0), NR^C(x1), NR^C(z0), NR^C(z1)] do not have to form a DDH tuple for a lot of C, x, z…
  – In fact, if there are no DDH tuples among {Exp(1_{C(x)})}, for all we know NR^C might be a PRF despite DDH being false!
  – And if there are no DDH tuples including a leaf even if we add the proofs (root-leaf paths for different leaves), then we might get a VRF…
• Leads to sum-free DDH [Dod03]

Page 26: Sum-Free DDH of order L

• Adv is given oracle access to Exp(I), for I ⊆ {1..L}
• G satisfies sf-DDH of order L if: the adversary adaptively queries I1, I2, … and receives Exp(I1), Exp(I2), …; it then picks a challenge set J. The challenger sets y0 := Exp(J), y1 := random, picks a random bit b and returns y := yb. The adversary may keep querying Ii and receiving Exp(Ii), and finally outputs b'. Requirement: Pr[b = b'] ≈ 1/2, provided no J1, J2, J3 ∈ {I1 … Im} exist making [Exp(J), Exp(J1), Exp(J2), Exp(J3)] form a DDH tuple

Page 27: Using sf-DDH [Dod03]

• Intuitively, says that everything is random except if a DDH tuple is found
• Challenge: build encodings C forcing the VRF attacker to respect the sum-free restriction
• Theorem [Dod03] (view a k-bit x as an element of GF(2^k); ∘ denotes concatenation):
  – If C(x) = x^3 ∘ x, then NR^C is a PRF under the sf-DDH assumption of order 2k (no need for DDH to be easy yet)
  – If C(x) = x^3 ∘ x ∘ 1 ∘ x ∘ 1 and DDH is easy, then NR^C is a VRF under the sf-DDH assumption of order 3k+3
  – Both orders can be reduced to O(log k) using ECCs: allows getting a non-interactive assumption this way…
• So far no need to use pairings explicitly…

Page 28: Option 3: Use Bloody Pairings!

• Formula for a general VUF -> VRF conversion:
  – π'_SK(x) = (π_SK(x), F_SK(x)),
  – F'_SK(x) = H(F_SK(x)), for a "good" H.
• But which H?
  – If H is a RO, then it trivially works, but is "useless"
  – Standard H are difficult in general (Goldreich-Levin)
• Idea: so far we have F_SK(x) = g^{something} and use pairings only to solve DDH in G (to verify π_SK(x))
  – Why not use H(y) = e(g, y)?!?
• Hope that if y is hard to compute, then it is reasonable to assume e(g, y) is pseudorandom!

Page 29: Option 3: Using Pairings

• Given a VUF (F, π) with values in G and a bilinear map e: G × G -> G', define
  – π'_SK(x) = (π_SK(x), F_SK(x)),
  – F'_SK(x) = e(g, F_SK(x)) (now in G')
• Can apply to the VUF of [Lys02] and get …
  – PRF (under a reasonable decisional assumption)
  – VRF? No, the proofs spoil everything (DDH easy)
  – Still long proofs/keys + bit-by-bit processing
• Instead, [DY05] follows this option with a new, more efficient VUF where it all works!

Page 30: Simple VUF [DY05, BB04]

• Start from the Boneh-Boyen signature [BB04]
• Algorithm Gen(1^k): Pick s ∈_R Z_p^*. The secret key is SK = s. The public key is PK = g^s.
• Algorithm Sign_SK(x): To sign x, compute y = g^{1/(x+SK)}.
• Algorithm Ver_PK(x, y): Check that e(y, g^x · PK) = e(g, g).

Page 31: Our VUF (cont.)

• The Boneh-Boyen signature is secure against non-adaptive queries (and uses the "q-SDH assumption")
• A VUF must be secure against adaptive queries

Non-adaptive game: the challenger generates (PK, SK) and sends PK; the adversary submits all its queries x1, x2, …, xk in one batch and receives y1, y2, …, yk.
Adaptive game: the challenger generates (PK, SK) and sends PK; the adversary sends each xi and receives yi before choosing the next query.

Page 32: Our VUF (cont.)

• Solution 1: assume [BB04] is a secure VUF
  – Leads to a tautological interactive assumption
  – Although we believe it is reasonable…
• Solution 2: Restrict the input size to be small, a(k) = O(log s(k)), where s(k) will be the (super-poly) security that we assume
  – Allows us to enumerate all possible queries in less than s(k) time and give answers adaptively
  – Can make the more standard "q-DHI" assumption (which is weaker than the "q-SDH" of [BB04])
  – Still get decent and practical parameters

Page 33: Our VUF (cont.)

• Then, the Boneh-Boyen signature becomes a VUF for small inputs
• Can use GL to convert a VUF into a VRF, but this is very inefficient
• Instead, use the pairing-based transformation suggested earlier: VRF_SK(x) = e(VUF_SK(x), g)
  – get a direct VRF for small inputs (stay tuned)
  – use the stronger, but already studied "q-DBDHI" assumption [BB04]

Page 34: Our VRF

• Instead, we construct a VRF directly:
• Algorithm Gen(1^k): Pick s ∈_R Z_p^*. The secret key is SK = s. The public key is PK = g^s.
• Algorithm Prove_SK(x): Compute (F_SK(x), π_SK(x)) = (e(g,g)^{1/(x+SK)}, g^{1/(x+SK)})
  – the proof π_SK(x) = g^{1/(x+SK)} is exactly our VUF value
• Algorithm Ver_PK(x, y, π): Verify that e(g^x · PK, π) = e(g,g) and y = e(g, π).
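Gen/Prove/Ver above, together with the Boneh-Boyen VUF of Page 30 that the proof π reuses, as a runnable Python example. This is an added example, not code from the talk or from [DY05]; every parameter is a constructed toy (the supersingular curve y^2 = x^3 + x over F_4051, its subgroup of prime order 1013, and the reduced Tate pairing into F_{4051^2}), chosen so the arithmetic fits in a few lines, so it is for understanding only. The pairing is implemented from scratch with Miller's algorithm; `vrf_verify` performs exactly the two checks of Ver_PK, and the test cases show that a proof for a different input or a tampered proof is rejected, which is the uniqueness the lottery example needed.

```python
"""[BB04] VUF and [DY05] VRF over a toy pairing (added example, not the paper's code).

Constructed, insecure toy parameters: E: y^2 = x^3 + x over F_p, p = 4051 = 3 mod 4,
so E is supersingular with #E(F_p) = p + 1 = 4 * r, r = 1013 prime. G is the order-r
subgroup, written additively (g^s on the slides is s*G here). The pairing is the
reduced Tate pairing into F_{p^2} = F_p[i]/(i^2 + 1), computed with Miller's
algorithm on the distortion map phi(x, y) = (-x, i*y). VRF inputs x live in Z_r.
"""
import random

p, r = 4051, 1013
assert p % 4 == 3 and p + 1 == 4 * r


def f2mul(u, v):                      # (a + b*i)(c + d*i) in F_{p^2}
    (a, b), (c, d) = u, v
    return ((a * c - b * d) % p, (a * d + b * c) % p)


def f2pow(u, e):
    acc, base = (1, 0), u
    while e:
        if e & 1:
            acc = f2mul(acc, base)
        base, e = f2mul(base, base), e >> 1
    return acc


def slope(P, Q):                      # tangent if P == Q; our points have odd order, so y != 0
    (x1, y1), (x2, y2) = P, Q
    if P == Q:
        return (3 * x1 * x1 + 1) * pow(2 * y1, p - 2, p) % p
    return (y2 - y1) * pow(x2 - x1, p - 2, p) % p


def padd(P, Q):                       # group law on E(F_p); None is the point at infinity
    if P is None or Q is None:
        return Q if P is None else P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
        return None
    lam = slope(P, Q)
    x3 = (lam * lam - P[0] - Q[0]) % p
    return (x3, (lam * (P[0] - x3) - P[1]) % p)


def pmul(k, P):
    acc = None
    while k:
        if k & 1:
            acc = padd(acc, P)
        P, k = padd(P, P), k >> 1
    return acc


def line(T, S, Q):
    """Line through T and S evaluated at Q in E(F_{p^2}); vertical lines are skipped
    because their values lie in F_p and vanish under the final exponentiation."""
    if T[0] == S[0] and (T[1] + S[1]) % p == 0:
        return (1, 0)
    lam = slope(T, S)
    (xa, xb), (ya, yb) = Q
    return ((ya - T[1] - lam * (xa - T[0])) % p, (yb - lam * xb) % p)


def pairing(P, Q):
    """e(P, Q) = f_{r,P}(phi(Q))^((p^2-1)/r): Miller loop over the bits of r, MSB first."""
    phi_q = (((-Q[0]) % p, 0), (0, Q[1]))
    T, f = P, (1, 0)
    for bit in bin(r)[3:]:
        f, T = f2mul(f2mul(f, f), line(T, T, phi_q)), padd(T, T)
        if bit == "1":
            f, T = f2mul(f, line(T, P, phi_q)), padd(T, P)
    return f2pow(f, (p * p - 1) // r)


def base_point():                     # first curve point found, cofactor 4 cleared
    for x in range(1, p):
        rhs = (x * x * x + x) % p
        y = pow(rhs, (p + 1) // 4, p)  # square root when rhs is a square (p = 3 mod 4)
        if y * y % p == rhs and pmul(4, (x, y)) is not None:
            return pmul(4, (x, y))


G = base_point()
E_GG = pairing(G, G)                  # e(g, g) on the slides


def keygen(s=None):                   # SK = s in Z_r^*, PK = g^s
    s = random.randrange(1, r) if s is None else s
    return s, pmul(s, G)


def vuf_sign(s, x):                   # Boneh-Boyen g^{1/(x+s)}; ValueError if x = -s mod r
    return pmul(pow((x + s) % r, -1, r), G)


def vuf_verify(pk, x, sigma):         # e(sigma, g^x * PK) == e(g, g)
    return sigma is not None and pairing(sigma, padd(pmul(x % r, G), pk)) == E_GG


def vrf_prove(s, x):                  # (F_SK(x), pi_SK(x)) = (e(g,g)^{1/(x+s)}, g^{1/(x+s)})
    pi = vuf_sign(s, x)
    return pairing(G, pi), pi


def vrf_verify(pk, x, y, pi):         # e(g^x * PK, pi) == e(g, g) and y == e(g, pi)
    return vuf_verify(pk, x, pi) and y == pairing(G, pi)


if __name__ == "__main__":
    s, pk = keygen()
    y, pi = vrf_prove(s, 42)
    print("verifies:", vrf_verify(pk, 42, y, pi))
    print("other input accepted:", vrf_verify(pk, 43, y, pi))
    print("forged proof accepted:", vrf_verify(pk, 42, y, pmul(2, pi)))
```

Proof and key are one group element each, whatever the input length, which is the efficiency point of Page 38; the price is that inputs must be field elements, so a real deployment hashes the input into Z_r first (the CRHF remark on Page 36).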

Page 35: Complexity Assumptions

• We make two assumptions:
  – q-DHI assumption: given (g, g^x, …, g^{(x^q)}), it is hard to compute g^{1/x} [MSK02]
    • Used for the security of the [BB04] VUF
  – q-DBDHI assumption: given (g, g^x, …, g^{(x^q)}), it is hard to distinguish e(g,g)^{1/x} from random [BB04]
    • Used for the security of the [DY05] VRF
• Hard = an adversary running for s(k) steps is unlikely to succeed.
  – s(k) is super-polynomial (above any poly(k)) and s(k) = o(2^k).

Page 36: Security Statement

• Our VRF/VUF is provably secure for inputs of small size, a(k) = O(log s(k)).
• If there is an algorithm A that breaks the VRF/VUF in time t with probability ε,
• then there is an algorithm B that solves the q-DBDHI/q-DHI problem (q = 2^{a(k)}) in time ≈ t/(2^{a(k)} · poly(k)), with probability ε/2^{a(k)}.
• Big security loss, but
  – we believe this is an artifact of the assumption/analysis
  – Using a CRHF suffices to support a(k) < 200
  – Results in pretty good concrete parameters…

Page 37: Efficiency

• Suppose a(k) = 160 bits (length of SHA-1 digests)
• We then have:

  Scheme             Length of proofs and keys   Group size
  [DY05]             125 bytes                   1,000 bits, elliptic group
  [Dod03], [Lys02]   > 3,200 bytes               > 160 bits, elliptic group
  [MRV99]            280,000 bytes               14,383 bits, Z_n^*

Page 38: Conclusion

• Pairings seem very useful for VRF design
  – Simple and efficient VRF constructions
    • Can be instantiated with elliptic groups of reasonable size
    • Can be made distributed and proactive
    • Can use "algebra" for efficient protocols
      – Obtain VRF value on committed values
      – ZK proof of knowledge of VRF value
• [DY05]: Proofs and keys consist of only one group element regardless of the input size
• Open: get an efficient (full-blown) VRF under more established assumptions

Page 41: Distributing Trust

Moti: "Yvo, why should we let a single party know all the secrets and be a single point of failure?"

Yvo: "Not a bad thought, Moti. After I finish my wine, I promise to vigorously attack this problem…"

Page 42: Distributing Trust

"We have to move towards a group-oriented society: Threshold cryptography!"

Page 43: Distributed PRFs (DPRF)

• No verifiability yet, only PRF functionality
• The secret key SK is shared among n servers
• No coalition of up to t servers can compute the PRF or distinguish it from a random function
• Any (t+1) servers can evaluate the PRF
• Two flavors:
  – Non-interactive [MiSi95, NPR99]: servers do not know about each other and only talk to Laura

Page 44: (figure) Laura sends x to each of three servers holding the shares SK1, SK2, SK3; they reply with partial values y1, y2, y3, which Laura combines into F_SK(x).

Page 45: Distributed PRFs (DPRF), cont.

Same slide as Page 43, with the second flavor added:
  – Interactive [NaRe97, Nie02]: much less attractive for the purposes of eliminating the random oracle…

Page 46: (figure) Laura sends x to a "well known group" of servers holding the shares SK1, …, SK9, and receives F_SK(x).

Laura: "Same experience as PRF, but let many men argue before giving me the answer I can't check."

Page 47: Applications and Constructions

• Applications: distributed KDCs, threshold Cramer-Shoup, metering on the web, Byzantine agreement, …
• [MiSi95]: only for small n and t (complexity ~ n^t)
• [NPR99]: several constructions
  – "weak" PRF under DDH: W_{g,a}(x) = x^a (secure only for random x)
  – Trivial to distribute (non-interactive + 1 round)
  – Using a random oracle, get a regular PRF F_{g,a}(x) = W_{g,a}(H(x)) = H(x)^a
• [Nie02, NR97]: can distribute the Naor-Reingold PRF
  – Highly interactive
  – Need concurrent ZKs
  – Many rounds (= |input|)
  – Need an honest majority to give the result to Laura
• No non-interactive "regular" DPRF was known
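The [NPR99] weak-PRF bullet above, and the "Shamir sharing plus Lagrange interpolation" punchline of Page 50, as a runnable Python example. This is an added example, not code from the talk: the exponent a is Shamir-shared among n servers, each server answers a query with a single exponentiation and never talks to the other servers, and the combiner recovers H(x)^a from any t+1 answers by putting the Lagrange coefficients in the exponent. The group (p = 2039 = 2q+1, q = 1019) is a constructed toy, and H(x) is a SHA-256 digest squared mod p, standing in for the random oracle of the slide.

```python
"""Non-interactive distributed evaluation of the [NPR99] weak PRF W_{g,a}(x) = x^a.

Added example, not code from the talk. Toy group (constructed, NOT secure):
p = 2039 = 2q + 1, q = 1019 prime; the squares mod p form the order-q subgroup.
The random-oracle step H(x) is a SHA-256 digest squared mod p.
"""
import hashlib
import secrets

p, q = 2039, 1019


def hash_to_group(x: bytes) -> int:
    """H(x): a subgroup element whose discrete log nobody knows (the RO of the slide)."""
    h = int.from_bytes(hashlib.sha256(x).digest(), "big") % p
    return pow(h, 2, p) if h else 4


def share(a, n, t, rand=secrets.randbelow):
    """Shamir (t+1)-out-of-n sharing of a in Z_q: f(0) = a, deg f = t, share i = (i, f(i)).
    `rand` is injectable so a test can make the polynomial deterministic."""
    coeffs = [a % q] + [rand(q) for _ in range(t)]
    return [(i, sum(c * pow(i, j, q) for j, c in enumerate(coeffs)) % q) for i in range(1, n + 1)]


def lagrange_at_zero(ids):
    """lambda_i with sum_i lambda_i * f(i) = f(0) for any polynomial of degree < len(ids)."""
    lam = {}
    for i in ids:
        num = den = 1
        for j in ids:
            if j != i:
                num, den = num * (-j) % q, den * (i - j) % q
        lam[i] = num * pow(den, q - 2, q) % q
    return lam


def server_eval(share_i, X):
    """Server i holding (i, a_i) returns X^{a_i}: one round, no server-to-server talk."""
    i, a_i = share_i
    return i, pow(X, a_i, p)


def combine(partials):
    """prod_i y_i^{lambda_i} = X^{sum_i lambda_i a_i} = X^a for any t+1 distinct partials."""
    lam = lagrange_at_zero([i for i, _ in partials])
    out = 1
    for i, y_i in partials:
        out = out * pow(y_i, lam[i], p) % p
    return out


def dprf(shares_subset, x: bytes):
    """Laura's view: query the chosen servers on H(x) and combine their answers."""
    X = hash_to_group(x)
    return combine([server_eval(s, X) for s in shares_subset])


def prf(a, x: bytes):
    """Reference value H(x)^a, computed by someone holding the whole key."""
    return pow(hash_to_group(x), a % q, p)


if __name__ == "__main__":
    a = secrets.randbelow(q - 1) + 1
    shares = share(a, n=5, t=2)
    msg = b"ticket #3"
    print("full key      :", prf(a, msg))
    print("servers 1,3,5 :", dprf([shares[0], shares[2], shares[4]], msg))
    print("servers 1,2   :", dprf(shares[:2], msg), "(only t shares: wrong)")
```

This is still only a DPRF: a misbehaving server can return a wrong partial value and Laura has no way to tell which reply is bad, which is the gap the DVRF of Page 48 closes by making each partial value checkable.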

Page 48: Distributed VRFs (DVRF)

• Distributed computation of (F_SK(x), π_SK(x)).
• Most attractive replacement for the RO
  – Distribution of trust
  – High availability (especially non-interactive)
  – No bottlenecks
  – Can check the correctness of F(x) using the proof
  – Can transfer the proof to a third party without further interaction
  – By themselves give a threshold signature scheme
  – Already have, and will find more, applications
• Not studied prior to this work…

Page 49: My Results (Part II)

• First (and very simple!) DVRF construction
• Non-interactive (albeit multi-round)
• More efficient than the regular DPRF of [Nie02]
  – no interaction, no ZKs, fewer rounds
  – but also verifiable
• Tolerates any threshold (including an honest minority)

Page 50: Step 5: From VRF to DVRF

• Not hard at all since our VRF is so simple!
• Standard Shamir secret sharing and Lagrange interpolation tricks
  – except we can do it non-interactively
• Punchline: DDH being easy makes it possible to do this very standard computation non-interactively

Page 51: Step 6: Do We Believe in sf-DDH?

• Recently, groups where DDH is easy have received a lot of attention:
  – applications to ID-based [BF01], hierarchical [GS02] and other kinds of encryption, short signatures [BLS01], credential systems [V01], …
  – Candidates proposed [SOK00, JN01] based on certain bilinear (Weil, Tate) pairings on elliptic curves
  – No multi-linear variant is known, and one is unlikely to exist [BoSi02]
  – For all we know, g^{abc} still looks random given g, g^a, g^b, g^c
  – The sf-DDH assumption takes this belief one step further: the only way to distinguish g^{some power} from random is to get a DDH tuple for doing so.
• Most ambitious assumption conceivable when DDH is false
• Why settle for it and not for something less ambitious?
  – To get the simplest possible construction + a target for breaking
  – Even if false, the techniques of this paper seem to generalize…

Page 52: Conclusions, Open Problems

• Constructed the first simple, efficient and "direct" VRF and non-interactive DPRF/DVRF
• Motivated the study of the new sf-DDH assumption
  – Can we reduce the assumption?
  – Relate it to known ones?
  – Break it?
• One-round DPRFs/DVRFs?
• Adaptively secure DPRFs/DVRFs?
• More efficient constructions?
• More applications?
• Practical implementation?
  – Well, let's not get carried away…