A Generic Approach for Constructing Verifiable Random Functions
Rishab Goyal, Susan Hohenberger, Venkata Koppula, Brent Waters; Nir Bitansky

This is a joint talk on two closely related papers: the first one by Rishab, Susan, Brent and myself, and the second one by Nir. Thanks to Nir for the slides.
Verifiable Random Functions (VRFs) [Micali-Rabin-Vadhan 99]
Figure: the owner of sk computes F_sk(x) together with a proof π; a verifier V checks (x, F_sk(x), π) against the public key vk.
Binding: vk uniquely determines the function.
Pseudorandomness.

We all know what pseudorandom functions are. In the usual setting where PRFs are used, there is an owner holding a PRF key, and the owner can hand out PRF evaluations to different parties on inputs of their choice. While that suffices for a lot of applications, there are scenarios where the parties want a proof that the evaluation was computed correctly, without any interaction or setup assumptions. To address this, Micali, Rabin and Vadhan introduced the notion of verifiable random functions. Here the owner of the secret key produces the PRF evaluation together with a proof that the evaluation is correct. There is also a verification key, which can be thought of as a commitment to the secret key. This verification key is public and, together with the proof, can be used to check that the evaluation is correct.

For now, I will describe the properties required of a secure VRF informally. First, we require that the verification key uniquely determines the PRF evaluation at every point: even for a maliciously generated verification key, it must not be possible to prove two different evaluations on the same input. Second, we require that even if an adversary sees evaluations and proofs at many points, the PRF evaluation at a fresh point must look uniformly random. In other words, vk is a commitment to the function that is binding, yet you never have to open it completely: you may reveal some values together with proofs, and the function should remain pseudorandom at all other points. We will define this more formally later on.
VRFs: Pretty Useful
unique signatures; NIZKs [Feige-Lapidot-Shamir 90, Goldwasser-Ostrovsky 92]; O(1)-round resettable ZK [Micali-Reyzin 01]; public ledgers [Micali 16, Pass-Shi 16]; verifiable lotteries [Micali-Rivest 02]; ...

VRFs are a powerful primitive and have proven to be quite useful. They can be used to build non-interactive zero-knowledge proofs, constant-round resettable zero-knowledge protocols, public ledgers, verifiable lotteries and so on. What do we know about constructions of VRFs?
Existing Constructions
RSA: [Micali-Rabin-Vadhan 99]
Bilinear maps: [Lysyanskaya 02] [Dodis 03] [Boneh-Boyen 04] [Dodis-Yampolskiy 05] [Abdalla-Catalano-Fiore 10] [Hohenberger-Waters 10] [Boneh-Montgomery-Raghunathan 10] [Jager 15] [Hofheinz-Jager 16] (DLIN)
iO: [Sahai-Waters 14]

Two main types of constructions. One is from the RSA assumption, shown by Micali, Rabin and Vadhan. The other type is constructions from bilinear maps, and here there has been considerable work on weakening the concrete assumptions on bilinear maps that are needed. By now VRFs are known from simple assumptions like Decision Linear, and this is actually quite recent. In any case, the constructions that we have are algebraic in nature: they are not really general, but rather tailored around specific algebraic problems.
VRFs from General Assumptions?
OWFs? That would give NIZKs from OWFs...
Trapdoor permutations? Not via black-box reductions [Fiore-Schroder 12]
Yes, in weaker models (CRS, weak VRFs) [Goldwasser-Ostrovsky 92, Brakerski-Goldwasser-Rothblum-Vaikuntanathan 09]

A very basic and natural question: can we come up with constructions from general assumptions? We know how to construct PRFs, commitments, and verifiable primitives like signatures from general assumptions like one-way functions. Maybe we should be able to do the same with VRFs. However, that would imply NIZKs from OWFs, which would be very interesting and seems like a hard problem at the moment. What about TDPs? We know how to construct NIZKs from doubly enhanced trapdoor permutations, so maybe we can get VRFs from TDPs as well? Unfortunately, Fiore and Schroder showed that this is not possible via black-box reductions. Let me mention, though, that certain weak forms of VRFs can be constructed from TDPs: VRFs in the CRS model, or weak VRFs where the adversary only sees evaluations on random inputs.
This Work: General Construction
Result 1: selectively secure VRFs from NIWIs + commitments + puncturable PRFs

That brings me to our results. We show a generic construction of VRFs from commitments, non-interactive witness-indistinguishable proof systems (NIWIs) and puncturable PRFs. This construction achieves a weaker notion of security called selective security.
This Work: General Construction
Result 2: adaptively secure VRFs from NIWIs + commitments + constrained PRFs (for simple constraints)
Commitments: injective OWFs [Blum 81], LWE/LPN [GHKW17]
Constrained PRFs (for our constraints): LWE, DDH, Phi-hiding [Brakerski-Vaikuntanathan 15, GHKW17, B17]
NIWIs: from TDPs/OWFs?

We also show how to achieve full (adaptive) security. This construction is similar to the selective one, except that we use constrained PRFs instead of puncturable PRFs. I would like to point out that, other than NIWIs, the other primitives are fairly simple, in the sense that we know constructions from many different assumptions. Puncturable PRFs can be constructed from OWFs; the constrained PRFs we require in this work can be constructed from DDH, LWE and the Phi-hiding assumption. The commitment schemes we require can be constructed from injective OWFs, and we also show LWE- and LPN-based constructions.
This Work: General Construction
Result 2: adaptively secure VRFs from NIWIs + commitments + constrained PRFs (for simple constraints)
All three from DLIN [Groth-Ostrovsky-Sahai 06]; NIWIs from TDPs/OWFs?

Additionally, all of these primitives can be constructed in bilinear groups under the Decision Linear assumption. As a result, this gives us a construction of VRFs from the Decision Linear assumption.
Matching the State of the Art
VRFs from DLIN: [Lysyanskaya 02] [Dodis 03] [Boneh-Boyen 04] [Dodis-Yampolskiy 05] [Abdalla-Catalano-Fiore 10] [Hohenberger-Waters 10] [Boneh-Montgomery-Raghunathan 10] [Jager 15] [Hofheinz-Jager 16]

This matches the state of the art as far as bilinear-group-based constructions are concerned.
Rest of the Talk
selective VRFs; NIWIs, commitments, puncturable PRFs; adaptive VRFs

That was a high-level overview of our results. The rest of the talk is roughly organized as follows. I will first formally define selectively secure VRFs. Next, I will define the three ingredients required for our construction. Finally, I will briefly talk about adaptively secure VRFs.
VRFs: A Closer Look
(Gen, F, P, V): (sk, vk) <- Gen(1^n); y = F_sk(x); π = P_sk(x); V_vk(x, y, π) = 0/1
Completeness: V_vk(x, F_sk(x), P_sk(x)) = 1
Binding: for any (malicious) vk* and any x*, at most a single y* is accepted

First, a closer look at VRFs. A VRF scheme consists of the following algorithms: a key generation algorithm Gen that chooses the public/secret key pair, a function F which defines the actual PRF, a prover P and a verifier V. Function evaluation uses the secret key, the prover uses the secret key to compute a proof, and the verifier uses the verification key to check the validity of a proof for input x and output y. For completeness, we require that if y is the PRF output on input x and π is the corresponding proof, then the verification algorithm accepts (x, y, π). The binding property states that for any verification key vk* and any input x*, there is at most one output y* that the verification algorithm will accept. Note that this must hold even for maliciously generated verification keys.
VRFs: A Closer Look: Pseudorandomness
Real world: A^{F_sk, P_sk, F_sk}(vk)  ≈  Ideal world: A^{F_sk, P_sk, $}(vk)

Next, we have the pseudorandomness property, captured by the following security game. The adversary is given the verification key and access to two oracles. The first oracle is the query oracle: the adversary sends queries and, for each query, receives the PRF evaluation on that input together with a proof that the evaluation is correct. The second oracle is the challenge oracle, which in the real world takes challenge inputs and outputs the PRF evaluation on each of them. In the ideal world, the adversary is again given the verification key and access to two oracles; the query oracle is the same as before, but the challenge oracle is now a uniformly random function: for each challenge input, it outputs a uniformly random string. Clearly, the adversary is not allowed to send the same input both as a query and as a challenge. We say that the VRF is secure if no polynomial-time adversary can distinguish between these two worlds.
VRFs: A Closer Look: Selective Security
x* chosen upfront; A^{F_sk, P_sk}(vk, F_sk(x*))  ≈  A^{F_sk, P_sk}(vk, $); queries x ≠ x*

A weaker notion of security is selective security. Here the adversary must specify its challenge input upfront. The adversary sends its challenge input x* and receives the verification key together with either the PRF evaluation on x* or a uniformly random string. It is then allowed to make queries to the query oracle on inputs x ≠ x*, and after polynomially many queries it must distinguish between the two scenarios. Now that we have the formal definition of a VRF, let us quickly look at the primitives required for our construction.
Non-Interactive Witness-Indistinguishable Proofs (NIWIs) [Feige-Shamir 90, Barak-Ong-Vadhan 03]
(P, V): π <- P(x, w); V(x, π) = 0/1
Completeness: if x ∈ L, then V accepts π
Soundness: no accepting proofs for x ∉ L
Witness indistinguishability: P(x, w_0) ≈ P(x, w_1) for any two witnesses w_0, w_1
Constructions: TDPs + derandomization [BOV 03]; DLIN [GOS 06]; iO + OWPs [Bitansky-Paneth 15]
Perfectly Binding Commitments
com <- Commit(m; r)
Perfect binding: com cannot be opened to two different messages
Hiding: com(m) ≈ com(m')
Constructions: injective OWFs [Blum 81]

Finally, the third ingredient: perfectly binding commitment schemes. Here we have an algorithm Commit that takes as input a message m (and randomness r) and outputs a commitment.
Construction
vk = (com(K; r_1), com(K; r_2), com(K; r_3)), where K is a PRF key
sk = (vk, K, r_1, r_2)
VRF evaluation: y = F_K(x)
Proof that y is the correct evaluation on x: a NIWI for the statement "(x, y) is consistent with at least 2 of the 3 com's", i.e. there exist two indices i ≠ j, keys K, K' and openings r, r' such that com_i = com(K; r), com_j = com(K'; r') and F_K(x) = F_{K'}(x) = y.
Honest witness: ((1, 2), (K, K), (r_1, r_2))
Binding Property
Suppose a malicious vk* and an input x* admit two accepting pairs (y_1, π_1) and (y_2, π_2).
com is perfectly binding: each of the three commitments in vk* determines a unique key K_1, K_2, K_3.
NIWI is statistically sound: π_1 shows that y_1 = F_{K_i}(x*) for at least two of the three keys, and likewise π_2 for y_2. Two 2-element subsets of {K_1, K_2, K_3} must share a key K_j, so y_1 = F_{K_j}(x*) = y_2.
Contradiction if y_1 ≠ y_2.
Pseudorandomness
Step 1: Replace the PRF key in the com's with a punctured PRF key K{x*}.
Step 2: Use (puncturable) PRF security.

After Step 1: x* chosen upfront; A^{F_sk, P_sk}(vk, F_sk(x*)) ≈ A^{F_sk, P_sk}(vk, $); queries x ≠ x*. The verification key now contains only the punctured key K{x*}, and all queries x ≠ x* can be answered using K{x*}, so by puncturable PRF security the challenge value F_K(x*) can be replaced by a uniformly random string.
Hybrids for Step 1
Hybrid 0: vk* = (com(K; r_1), com(K; r_2), com(K; r_3)); π(x, y) = NIWI["(x, y) consistent with at least 2 com's"] with witness ((1, 2), (K, K), (r_1, r_2)).
Hybrid 1: vk* = (com(K; r_1), com(K; r_2), com(K{x*}; r_3)); witness ((1, 2), (K, K), (r_1, r_2)). Indistinguishable from Hybrid 0 because com is hiding (the witness does not use r_3).
Hybrid 2: same vk*; witness ((1, 3), (K, K{x*}), (r_1, r_3)). Indistinguishable from Hybrid 1 by witness indistinguishability; this is a valid witness because for every query x ≠ x*, the PRF evaluations using K and K{x*} are equal.
Hybrid 3: vk* = (com(K; r_1), com(K{x*}; r_2), com(K{x*}; r_3)); witness ((1, 3), (K, K{x*}), (r_1, r_3)). Indistinguishable from Hybrid 2 because com is hiding.
.... Continue in the same way (switch the witness, then switch the remaining commitment) until all three commitments contain K{x*} and the witness uses only K{x*}.
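The Hybrid 1 to Hybrid 2 step relies on one concrete property of puncturable PRFs: the punctured key K{x*} evaluates to exactly F_K(x) on every x ≠ x*, while saying nothing about F_K(x*). The following is an added example (not code from the talk or either paper): a toy GGM-style tree PRF with puncturing, plus a check that exhaustively confirms the property on a small input space. Assumptions: HMAC-SHA256 stands in for a length-doubling PRG, inputs are N_BITS-bit integers, and SAMPLE_KEY is a constructed sample key.

```python
"""Toy GGM puncturable PRF (added example; HMAC-SHA256 is assumed to act as a PRG)."""
import hashlib
import hmac
from typing import Dict, List, Tuple

N_BITS = 8  # toy input length; small enough to check every input exhaustively
SAMPLE_KEY = hashlib.sha256(b"toy master key").digest()  # constructed sample key


def prg(seed: bytes) -> Tuple[bytes, bytes]:
    """Length-doubling PRG G(s) = (G_0(s), G_1(s)); instantiated with HMAC (assumption)."""
    return (hmac.new(seed, b"\x00", hashlib.sha256).digest(),
            hmac.new(seed, b"\x01", hashlib.sha256).digest())


def bits(x: int, n: int = N_BITS) -> List[int]:
    """Big-endian bit decomposition of x (most significant bit first)."""
    return [(x >> (n - 1 - i)) & 1 for i in range(n)]


def ggm_eval(key: bytes, x: int) -> bytes:
    """F_K(x): walk the GGM tree from the root K, taking child x_i at level i."""
    node = key
    for b in bits(x):
        node = prg(node)[b]
    return node


def puncture(key: bytes, x_star: int) -> Dict[str, bytes]:
    """K{x*}: at each level, keep the sibling of the node on the path to x*.
    The siblings cover every leaf except x*, and none of the path nodes
    (in particular the leaf F_K(x*)) is derivable from them."""
    punctured: Dict[str, bytes] = {}
    node = key
    path = bits(x_star)
    for i, b in enumerate(path):
        children = prg(node)
        sibling_prefix = "".join(map(str, path[:i])) + str(1 - b)
        punctured[sibling_prefix] = children[1 - b]
        node = children[b]
    return punctured


def punctured_eval(pkey: Dict[str, bytes], x: int) -> bytes:
    """Evaluate with K{x*}; the only input with no matching subtree is x* itself."""
    xb = "".join(map(str, bits(x)))
    for prefix, node in pkey.items():
        if xb.startswith(prefix):
            for b in xb[len(prefix):]:
                node = prg(node)[int(b)]
            return node
    raise ValueError("cannot evaluate at the punctured point")


def check_hybrid_consistency(key: bytes, x_star: int) -> bool:
    """True iff K and K{x*} agree on every x != x* and K{x*} cannot evaluate x*.
    This is exactly what makes ((1,3), (K, K{x*}), (r_1, r_3)) a valid witness."""
    pkey = puncture(key, x_star)
    for x in range(2 ** N_BITS):
        if x == x_star:
            try:
                punctured_eval(pkey, x)
                return False  # punctured key must not evaluate x*
            except ValueError:
                continue
        if punctured_eval(pkey, x) != ggm_eval(key, x):
            return False
    return True


if __name__ == "__main__":
    print(check_hybrid_consistency(SAMPLE_KEY, 0x5A))  # True
```

The punctured key is a set of n subtree roots, so its size grows with the input length, not with the input space; in the VRF this is what is committed to in the com's during the hybrids, which is why the commitment scheme only needs to hide a key-sized message.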
From Selective to Adaptive
Partitioning strategy
Partitioning Strategy [Boneh-Boyen 04, Waters 05]
Introduced in the context of IBE. The input space is split into two parts:
Query partition: ~(1 - 1/q) fraction of the inputs
Challenge partition: ~1/q fraction of the inputs
From Selective to Adaptive
Partitioning strategy; constrained PRF for "partitioning" constraints
Constrained PRFs for these constraints: LWE, DDH, Phi-hiding [BV15] [GHKW17] [B17]
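To see why a challenge partition of size about 1/q is the right choice for an adversary making q queries, here is an added example (not from the talk or the papers) that simulates the reduction's guess: it fixes a partition before seeing any queries and wins when all queries land in the query partition and the challenge lands in the challenge partition. Assumptions: the partition is a random salted hash into q buckets with bucket 0 as the challenge partition (a toy stand-in for the partitioning constraint of the constrained PRF), and the adversary's queries are treated as independent of the partition, which is what the real proofs have to arrange with admissible hashing or artificial aborts.

```python
"""Partitioning-strategy simulation (added example, not the paper's construction)."""
import hashlib
import random
from typing import Callable, Sequence


def random_partition(q: int, rng: random.Random) -> Callable[[int], bool]:
    """Sample a partition of the input space: in_challenge(x) holds for a ~1/q
    fraction of inputs. The salt is the reduction's secret guess, fixed upfront."""
    salt = rng.getrandbits(64).to_bytes(8, "big")

    def in_challenge(x: int) -> bool:
        digest = hashlib.sha256(salt + x.to_bytes(16, "big")).digest()
        return int.from_bytes(digest[:8], "big") % q == 0

    return in_challenge


def reduction_succeeds(in_challenge: Callable[[int], bool],
                       queries: Sequence[int], x_star: int) -> bool:
    """The reduction can answer every query (query partition) and embed the
    challenge at x* (challenge partition) only if the guess was right."""
    return in_challenge(x_star) and all(not in_challenge(x) for x in queries)


def exact_success(q: int, num_queries: int) -> float:
    """Pr[all queries avoid the challenge partition and x* lands in it]
    = (1 - 1/q)^num_queries * (1/q), for a partition independent of the queries."""
    return (1 - 1 / q) ** num_queries / q


def estimate_success(q: int, queries: Sequence[int], x_star: int,
                     trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of the same probability over fresh partitions."""
    rng = random.Random(seed)
    wins = sum(reduction_succeeds(random_partition(q, rng), queries, x_star)
               for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    q = 4
    queries = list(range(1, q + 1))  # constructed: q distinct adversary queries
    x_star = 0                        # constructed: the challenge input
    print(exact_success(q, len(queries)))          # (3/4)^4 / 4 = 0.0791015625
    print(estimate_success(q, queries, x_star))    # close to the value above
```

With the challenge partition set to a 1/q fraction and q queries, the success probability is (1 - 1/q)^q / q, which is at least 1/(4q) for every q ≥ 2, so the reduction loses only a polynomial factor in the adversary's advantage. Making the challenge partition much smaller makes the first factor approach 1 but the 1/q factor vanish; making it much larger makes the queries hit it almost surely.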
Follow-up: VRFs from verifiable functional encryption [Badrinarayanan-Goyal-Jain-Sahai 17], using constrained PRFs, injective OWFs and NIWIs
Conclusions
Generic construction of VRFs from NIWIs, commitments and constrained PRFs
New constructions for commitments and constrained PRFs
NIWIs are the bottleneck
Open: perfectly binding commitments from LPN? Techniques from Obfustopia?

THANKS!