Verifiable random function


From Wikipedia, the free encyclopedia


In cryptography, the concept of a verifiable random function (VRF) was introduced by Micali, Rabin, and Vadhan.[1] It is a pseudo-random function that provides publicly verifiable proofs of its outputs' correctness. Given an input value $x$, the owner of the secret key $SK$ can compute the function value $y = F_{SK}(x)$ and the proof $p_{SK}(x)$. Using the proof and the public key $PK = g^{SK}$, everyone can check that the value $y = F_{SK}(x)$ was indeed computed correctly, yet this information cannot be used to find the secret key.

The original construction was rather inefficient. Later, an efficient and practical verifiable random function was proposed by Yevgeniy Dodis and Aleksandr Yampolskiy.[2] The following is only for intuition and is secure only when the input $x$ is from a small domain (the authors then extend it to a larger domain):

$$F_{SK}(x) = e(g,g)^{1/(x+SK)} \quad \text{and} \quad p_{SK}(x) = g^{1/(x+SK)},$$

where $e(\cdot,\cdot)$ is a bilinear map. To verify whether $F_{SK}(x)$ was computed correctly, one can check that $e(g^{x}PK, p_{SK}(x)) = e(g,g)$ and $e(g, p_{SK}(x)) = F_{SK}(x)$.
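The small-domain construction and its two verification checks can be exercised end to end in a toy model. This is an added example, not code from the paper or the original article: it assumes an insecure stand-in pairing on $(\mathbb{Z}_q, +)$, where discrete logs are trivial and $PK$ reveals $SK$, and all parameters and function names are constructed for illustration.

```python
# Toy model of the small-domain Dodis-Yampolskiy VRF. NOT secure: G is (Z_Q, +),
# so discrete logs are trivial and PK equals SK. It only exercises the algebra.
Q = 1019   # prime order of G and GT (constructed toy parameter)
P = 2039   # prime with Q | P - 1, so Z_P^* has a subgroup of order Q
H = 4      # e(g, g): an element of order Q in Z_P^*
G = 1      # generator g of G; "g^a" is a*G mod Q in additive notation


def g_exp(base, a):
    """Exponentiation in G (scalar multiplication mod Q)."""
    return (base * a) % Q


def g_mul(u, v):
    """Group operation in G (addition mod Q)."""
    return (u + v) % Q


def pairing(u, v):
    """Bilinear map e: G x G -> GT with e(g^a, g^b) = e(g, g)^(ab)."""
    return pow(H, (u * v) % Q, P)


def keygen(sk):
    """PK = g^SK."""
    return g_exp(G, sk)


def prove(sk, x):
    """Return (F_SK(x), p_SK(x)); undefined when x + SK = 0 mod Q."""
    s = (x + sk) % Q
    if s == 0:
        raise ValueError("x + SK = 0 mod q, so 1/(x+SK) does not exist")
    inv = pow(s, -1, Q)           # 1/(x+SK) in the exponent
    proof = g_exp(G, inv)         # p_SK(x) = g^(1/(x+SK))
    y = pow(H, inv, P)            # F_SK(x) = e(g, g)^(1/(x+SK))
    return y, proof


def verify(pk, x, y, proof):
    """Check e(g^x * PK, p) == e(g, g) and e(g, p) == y."""
    binds_input = pairing(g_mul(g_exp(G, x), pk), proof) == H
    binds_output = pairing(G, proof) == y
    return binds_input and binds_output
```

The first check ties the proof to the pair $(x, PK)$ and the second ties the output to the proof, so changing the input, the output, or the proof makes verification fail.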

The proof of security relies on a new decisional bilinear Diffie-Hellman inversion assumption, which asks, given $(g, g^{x}, \ldots, g^{(x^{q})}, R)$ as input, to distinguish $R = e(g,g)^{1/x}$ from random.

Uses

VRFs provide deterministic precommitments which can be revealed at a later time using proofs which can only be generated by a private key. This is useful for providing a 1:1 mapping of low entropy inputs (e.g. names, email addresses, phone numbers) to some random values which can be committed to in advance, e.g. through a timestamping service such as a transparency log.

Unlike traditional digital signature algorithms, VRF outputs can be published publicly without being subject to a preimage attack, even if the verifier knows the public key (but not the proof). This is useful to prevent enumeration of the names/identifiers in a directory which is using a transparency system.

References

  1. Micali, Silvio; Rabin, Michael O.; Vadhan, Salil P. (1999). "Verifiable random functions". Proceedings of the 40th IEEE Symposium on Foundations of Computer Science. pp. 120–130.
  2. Dodis, Yevgeniy; Yampolskiy, Aleksandr (2005). "A Verifiable Random Function With Short Proofs and Keys". 8th International Workshop on Theory and Practice in Public Key Cryptography. pp. 416–431.