Abstract
Verifiable random functions (VRFs) are pseudorandom functions where the owner of the seed, in addition to computing the function’s value y at any point x, can also generate a non-interactive proof \(\pi \) that y is correct, without compromising pseudorandomness at other points. Since VRFs are a natural primitive with a wide range of applications, considerable effort has been directed toward constructing them. While these efforts have resulted in a variety of algebraic constructions (from bilinear maps or the RSA problem), the relation between VRFs and other general primitives is still not well understood. We present new constructions of VRFs from general primitives, the main one being non-interactive witness-indistinguishable proofs (NIWIs). This includes: (1) a selectively secure VRF assuming NIWIs and non-interactive commitments; as usual, the VRF can be made adaptively secure assuming subexponential hardness of the underlying primitives. (2) An adaptively secure VRF assuming (polynomially hard) NIWIs, non-interactive commitments, and (single-key) constrained pseudorandom functions for a restricted class of constraints. The above primitives can be instantiated under various standard assumptions, which yields corresponding VRF instantiations under different assumptions than were known so far. One notable example is a non-uniform construction of VRFs from subexponentially hard trapdoor permutations, or more generally, from verifiable pseudorandom generators (the construction can be made uniform under a standard derandomization assumption). This partially answers an open question by Dwork and Naor (FOCS ’00). The construction and its analysis are quite simple. Both draw from ideas commonly used in the context of indistinguishability obfuscation.
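The VRF interface described above (the seed owner evaluates at a point and emits a proof; anyone verifies; each input has exactly one accepting value) in a toy RSA-style instantiation, added here as an illustration and not code from the paper, whose construction is NIWI-based. It assumes a full-domain hash modelled as a random oracle, derives the output from the proof by hashing instead of extracting hardcore bits, and uses constructed toy primes that offer no security.

```python
import hashlib
from math import gcd

# Constructed toy parameters (NOT secure): small primes so the example
# runs instantly; a real deployment needs a ~2048-bit modulus.
TOY_P, TOY_Q = 1000003, 1000033


def keygen(p: int = TOY_P, q: int = TOY_Q, e: int = 65537):
    """Return (pk, sk) for the RSA-style VRF: pk = (N, e), sk = (N, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1  # e invertible => x -> x^e permutes Z_N^*, giving uniqueness
    return (n, e), (n, pow(e, -1, phi))


def hash_to_group(x: bytes, n: int) -> int:
    """Deterministic full-domain-hash style map of the input into Z_N^*."""
    ctr = 0
    while True:
        digest = hashlib.sha256(b"vrf-fdh" + ctr.to_bytes(4, "big") + x).digest()
        h = int.from_bytes(digest, "big") % n
        if h > 1 and gcd(h, n) == 1:
            return h
        ctr += 1  # rejection sampling until we land in Z_N^*


def output_from_proof(pi: int, n: int) -> bytes:
    """Derive the VRF value from the unique proof (stand-in for hardcore bits)."""
    width = (n.bit_length() + 7) // 8
    return hashlib.sha256(b"vrf-out" + pi.to_bytes(width, "big")).digest()


def vrf_prove(sk, x: bytes):
    """Seed owner: compute y = F_sk(x) together with the proof pi."""
    n, d = sk
    pi = pow(hash_to_group(x, n), d, n)  # the unique e-th root of H(x) mod N
    return output_from_proof(pi, n), pi


def vrf_verify(pk, x: bytes, y: bytes, pi: int) -> bool:
    """Anyone: accept iff pi is the e-th root of H(x) mod N and y is derived from it."""
    n, e = pk
    if not 1 < pi < n:
        return False
    if pow(pi, e, n) != hash_to_group(x, n):
        return False
    return y == output_from_proof(pi, n)
```

Because x -> x^e is a permutation of Z_N^*, no second proof for the same input can pass the root check, which is the uniqueness property that distinguishes a VRF from a plain signature-plus-hash.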
Notes
The construction based on IO is also limited to either selective security, or reliance on subexponential hardness.
We also give a simpler construction under the stronger d-power DDH assumption.
In the body, we further allow the partition scheme to involve some encoding of the input space X into a more structured input space \(\widehat{X}\) and then consider applying the CPRF and partitioning for encoded inputs in the new space \(\widehat{X}\). See Definition 2.6 and Sect. 3 for more details.
In their construction, verification is probabilistic. Using their construction in our context would accordingly give a VRF with probabilistic verification. For simplicity, in this paper, we shall restrict attention to deterministic verification.
We note that the set S has efficient representation in terms of \(\lambda \) and does not grow with \(Q,\delta ^{-1}\). Indeed, throughout this paper, \(Q,\delta ^{-1}\), will be arbitrary polynomials in \(\lambda \) that depend on the adversary. In our partition schemes, the representation of sets will only scale with \(\min \left\{ \log (Q/\delta ),n(\lambda )\right\} \).
Recall that in a code with (relative) distance c, each two codewords agree on at most a c-fraction of symbols.
The above distribution is not necessarily random over strings. In any natural instantiation of the group, e.g., as a prime-order group for a large prime, or a composite-order group of smooth order, \(g^\beta \) is also random in the group \(\mathbb {G}\). In any case, and as usual, if one insists on outputting a random string, a randomness extractor can be applied afterward (see, for example, [44]).
This is a weaker variant of the usual GDDH assumption where d may be polynomial (and the elements are given by an oracle). This weaker variant will be sufficient for us.
The same footnote 7 applies.
For SXDH, DDH holds in the base groups. For DLIN, DDH holds in the target group. We thank Brent Waters for pointing out this last fact.
References
M. Abdalla, D. Catalano, D. Fiore, Verifiable random functions: relations to identity-based key encapsulation and new constructions. J. Cryptol. 27(3), 544–593 (2014)
D. Boneh, X. Boyen, Secure identity based encryption without random oracles, in Advances in Cryptology - CRYPTO 2004, 24th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15–19, 2004, Proceedings (2004), pp. 443–459
E. Biham, D. Boneh, O. Reingold, Breaking generalized Diffie–Hellman modulo a composite is no easier than factoring. Inf. Process. Lett. 70(2), 83–87 (1999)
E. Boyle, S. Goldwasser, I. Ivan, Functional signatures and pseudorandom functions, in H. Krawczyk, editor, PKC 2014: 17th International Conference on Theory and Practice of Public Key Cryptography, Volume 8383 of Lecture Notes in Computer Science, Buenos Aires, Argentina, March 26–28 (Springer, Heidelberg, 2014), pp. 501–519
S. Badrinarayanan, V. Goyal, A. Jain, A. Sahai, Verifiable functional encryption, in Advances in Cryptology—ASIACRYPT 2016—22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4–8, 2016, Proceedings, Part II (2016), pp. 557–587
S. Badrinarayanan, V. Goyal, A. Jain, A. Sahai, A note on VRFs from verifiable functional encryption, p. 051 (2017)
Z. Brakerski, S. Goldwasser, G.N. Rothblum, V. Vaikuntanathan, Weak verifiable random functions, in 6th Theory of Cryptography Conference, TCC 2009, San Francisco, CA, USA, March 15–17, 2009. Proceedings (2009), pp. 558–576
M. Blum, Coin flipping by telephone, in Advances in Cryptology: A Report on CRYPTO 81, CRYPTO 81, IEEE Workshop on Communications Security, Santa Barbara, California, USA, August 24–26, 1981 (1981), pp. 11–15
D. Boneh, H.W. Montgomery, A. Raghunathan, Algebraic pseudorandom functions with improved efficiency from the augmented cascade, in Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, Chicago, Illinois, USA, October 4–8, 2010 (2010), pp. 131–140
B. Barak, S.J. Ong, S.P. Vadhan, Derandomization in cryptography. SIAM J. Comput. 37(2), 380–400 (2007)
N. Bitansky, O. Paneth, Zaps and non-interactive witness indistinguishability from indistinguishability obfuscation, in Theory of Cryptography—12th Theory of Cryptography Conference, TCC 2015, Warsaw, Poland, March 23–25, 2015, Proceedings, Part II (2015), pp. 401–427
M. Bellare, T. Ristenpart, Simulation without the artificial abort: simplified proof and improved concrete security for Waters’ IBE scheme, in Advances in Cryptology—EUROCRYPT 2009, 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cologne, Germany, April 26–30, 2009. Proceedings (2009), pp. 407–424
M. Blum, A. De Santis, S. Micali, G. Persiano, Noninteractive zero-knowledge. SIAM J. Comput. 20(6), 1084–1118 (1991)
Z. Brakerski, V. Vaikuntanathan, Constrained key-homomorphic PRFs from standard lattice assumptions—or: how to secretly embed a circuit in your PRF, in Theory of Cryptography—12th Theory of Cryptography Conference, TCC 2015, Warsaw, Poland, March 23–25, 2015, Proceedings, Part II (2015), pp. 1–30
D. Boneh, B. Waters, Constrained pseudorandom functions and their applications, in K. Sako, P. Sarkar, editors, Advances in Cryptology—ASIACRYPT 2013, Part II, Volume 8270 of Lecture Notes in Computer Science, Bangalore, India, December 1–5 (Springer, Heidelberg, 2013), pp. 280–300
M. Bellare, M. Yung, Certifying permutations: noninteractive zero-knowledge based on any trapdoor permutation. J. Cryptol. 9(3), 149–166 (1996)
D. Boneh, M. Zhandry, Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation, in Advances in Cryptology—CRYPTO 2014—34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17–21, 2014, Proceedings, Part I (2014), pp. 480–499
J. Chen, S. Gorbunov, S. Micali, G. Vlachos, ALGORAND AGREEMENT: super fast and partition resilient byzantine agreement. IACR Cryptology ePrint Archive 2018:377 (2018)
M. Chase, S. Meiklejohn, Déjà Q: using dual systems to revisit q-type assumptions, in Advances in Cryptology—EUROCRYPT 2014—33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11–15, 2014. Proceedings (2014), pp. 622–639
N. Chandran, S. Raghuraman, D. Vinayagamurthy, Constrained pseudorandom functions: verifiable and delegatable. Cryptology ePrint Archive 2014:522
L. Carter, M.N. Wegman, Universal classes of hash functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979)
C. Dwork, M. Naor, Zaps and their applications. SIAM J. Comput. 36(6), 1513–1543 (2007)
Y. Dodis, Efficient construction of (distributed) verifiable random functions, in Public Key Cryptography—PKC 2003, 6th International Workshop on Theory and Practice in Public Key Cryptography, Miami, FL, USA, January 6–8, 2003, Proceedings (2003), pp. 1–17
Y. Dodis, A. Yampolskiy, A verifiable random function with short proofs and keys, in Public Key Cryptography—PKC 2005, 8th International Workshop on Theory and Practice in Public Key Cryptography, Les Diablerets, Switzerland, January 23–26, 2005, Proceedings (2005), pp. 416–431
U. Feige, D. Lapidot, A. Shamir, Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)
D. Fiore, D. Schröder, Uniqueness is a different story: impossibility of verifiable random functions from trapdoor permutations, in Theory of Cryptography—9th Theory of Cryptography Conference, TCC 2012, Taormina, Sicily, Italy, March 19–21, 2012. Proceedings (2012), pp. 636–653
G. Fuchsbauer, Constrained verifiable random functions, in Security and Cryptography for Networks—9th International Conference, SCN 2014, Amalfi, Italy, September 3–5, 2014. Proceedings (2014), pp. 95–114
O. Goldreich, S. Goldwasser, S. Micali, How to construct random functions. J. ACM 33(4), 792–807 (1986)
R. Goyal, S. Hohenberger, V. Koppula, B. Waters, A generic approach to constructing and proving verifiable random functions. Cryptology ePrint Archive 2017:21
S. Goldwasser, R. Ostrovsky, Invariant signatures and non-interactive zero-knowledge proofs are equivalent (extended abstract), in Advances in Cryptology—CRYPTO ’92, 12th Annual International Cryptology Conference, Santa Barbara, California, USA, August 16–20, 1992, Proceedings (1992), pp. 228–245
J. Groth, R. Ostrovsky, A. Sahai, New techniques for noninteractive zero-knowledge. J. ACM 59(3), 11 (2012)
O. Goldreich, R.D. Rothblum, Enhancements of trapdoor permutations. J. Cryptol. 26(3), 484–512 (2013)
S. Gorbunov, V. Vaikuntanathan, H. Wee, Functional encryption with bounded collusions via multi-party computation, in Advances in Cryptology—CRYPTO 2012—32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2012. Proceedings (2012), pp. 162–179
D. Hofheinz, T. Jager, Verifiable random functions from standard assumptions, in Theory of Cryptography—13th International Conference, TCC 2016-A, Tel Aviv, Israel, January 10–13, 2016, Proceedings, Part I (2016), pp. 336–362
S. Hohenberger, V. Koppula, B. Waters, Adaptively secure puncturable pseudorandom functions in the standard model, in Advances in Cryptology—ASIACRYPT 2015—21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29–December 3, 2015, Proceedings, Part I (2015), pp. 79–102
S. Hohenberger, B. Waters, Constructing verifiable random functions with large input spaces, in Advances in Cryptology—EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30–June 3, 2010. Proceedings (2010), pp. 656–672
T. Jager, Verifiable random functions from weaker assumptions, in Theory of Cryptography—12th Theory of Cryptography Conference, TCC 2015, Warsaw, Poland, March 23–25, 2015, Proceedings, Part II (2015), pp. 121–143
A. Kiayias, S. Papadopoulos, N. Triandopoulos, T. Zacharias, Delegatable pseudorandom functions and applications, in A.-R. Sadeghi, V.D. Gligor, M. Yung, editors, ACM CCS 13: 20th Conference on Computer and Communications Security, November 4–8 (ACM Press, Berlin, 2013), pp. 669–684
A. Lysyanskaya, Unique signatures and verifiable random functions from the DH-DDH separation, in Advances in Cryptology—CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara, California, USA, August 18–22, 2002, Proceedings (2002), pp. 597–612
S. Micali, M.O. Rabin, S.P. Vadhan, Verifiable random functions, in 40th Annual Symposium on Foundations of Computer Science, FOCS ’99, 17–18 October, 1999, New York, NY, USA (1999), pp. 120–130
P.B. Miltersen, N.V. Vinodchandran, Derandomizing Arthur–Merlin games using hitting sets, in 40th Annual Symposium on Foundations of Computer Science, FOCS ’99, 17–18 October, 1999, New York, NY, USA (1999), pp. 71–80
M. Naor, Bit commitment using pseudorandomness. J. Cryptol. 4(2), 151–158 (1991)
M. Naor, O. Reingold, Synthesizers and their application to the parallel construction of pseudo-random functions. J. Comput. Syst. Sci. 58(2), 336–375 (1999)
M. Naor, O. Reingold, Number-theoretic constructions of efficient pseudo-random functions. J. ACM 51(2), 231–262 (2004)
D. Papadopoulos, D. Wessels, S. Huque, M. Naor, J. Vcelák, L. Reyzin, S. Goldberg, Can NSEC5 be practical for DNSSEC deployments? IACR Cryptology ePrint Archive 2017:99 (2017)
A. Sahai, H. Seyalioglu, Worry-free encryption: functional encryption with public keys, in Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, Chicago, Illinois, USA, October 4–8, 2010 (2010), pp. 463–472
A. Sahai, B. Waters, How to use indistinguishability obfuscation: deniable encryption, and more, in D.B. Shmoys, editor, 46th Annual ACM Symposium on Theory of Computing, May 31–June 3 (ACM Press, New York, 2014), pp. 475–484
B. Waters, Efficient identity-based encryption without random oracles, in Advances in Cryptology—EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22–26, 2005, Proceedings (2005), pp. 114–127
Communicated by Serge Fehr
Member of the Check Point Institute of Information Security. Supported by the Alon Young Faculty Fellowship, and ISF Grant 484/18, and by Len Blavatnik and The Blavatnik Foundation. Part of this research was done while at MIT. Supported by NSF Grants CNS-1350619 and CNS-1414119 and DARPA and ARO under Contract No. W911NF-15-C-0236. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the DARPA and ARO. Part of this research was done while visiting Tel Aviv University and supported by the Leona M. and Harry B. Helmsley Charitable Trust
Cite this article
Bitansky, N. Verifiable Random Functions from Non-interactive Witness-Indistinguishable Proofs. J Cryptol 33, 459–493 (2020). https://doi.org/10.1007/s00145-019-09331-1