Post-Quantum Verifiable Random Function from Symmetric Primitives in PoS Blockchain

Abstract

Verifiable Random Functions (VRFs) play a key role in Proof-of-Stake blockchains such as Algorand to achieve highly scalable consensus, but currently deployed VRFs lack post-quantum security, which is crucial for future-readiness of blockchain systems. This work presents the first quantum-safe VRF scheme based on symmetric primitives. Our main proposal is a practical many-time quantum-safe VRF construction, \(\mathsf {X\hbox {-}VRF}\), based on the \(\textsf{XMSS}\) signature scheme. An innovation of our work is to use the state of the blockchain to counter the undesired stateful nature of \(\textsf{XMSS}\) by constructing a blockchain-empowered VRF. While increasing the usability of \(\textsf{XMSS}\), our technique also enforces honest behavior when creating an \(\mathsf {X\hbox {-}VRF}\) output so as to satisfy the fundamental uniqueness property of VRFs. We show how \(\mathsf {X\hbox {-}VRF}\) can be used in the Algorand setting to extend it to a quantum-safe blockchain and provide four instances of \(\mathsf {X\hbox {-}VRF}\) with different key life-time. Our extensive performance evaluation, analysis and implementation indicate the effectiveness of our proposed constructions in practice. Particularly, we demonstrate that \(\mathsf {X\hbox {-}VRF}\) is the most efficient quantum-safe VRF with a maximum proof size of 3 KB and a possible TPS of 449 for a network of thousand nodes.

A A Appendix

Fig. 1.

\(\textsf{XMSS}\)/\(\mathsf {X\hbox {-}VRF}\) state and Blockchain

Fig. 2.

Pseudorandomness Experiment

1.1 A.1 A.1 Proof of Lemma 1

Proof

Let \(\mathsf {XMSS.pk}\) be a public key and m be a message. Fix an index \(i\in [0,2^h-1]\). Also, let \(\textsf{XMSS}.\sigma _1 =(\mathsf {WOTS^{+}}.\sigma _1,i,\mathsf {XMSS.Auth}^1) \) and \(\textsf{XMSS}.\sigma _2 =(\mathsf {WOTS^{+}}.\sigma _2,i,\mathsf {XMSS.Auth}^2)\) be two valid signatures created by a PPT adversary on m using \(\mathsf {XMSS.pk}\) and i. It is clear that \(\mathsf {XMSS.Auth}^1=\mathsf {XMSS.Auth}^2\) as the leaf index and the tree root is the same if the hash function is collision-resistant. We now just need to show that \(\mathsf {WOTS^{+}}.\sigma _1=\mathsf {WOTS^{+}}.\sigma _2\), which is true for deterministic \(\textsf{XMSS}\) as explained in [6].

1.2 B.2 A.2 Proof of Theorem 1

Proof

We prove the three properties of Definition 1.

Correctness. The correctness of \(\mathsf {X\hbox {-}VRF}\) follows via direct investigation. As long as the underlying \(\textsf{XMSS}\) scheme is correct, \(\mathsf {X\hbox {-}VRF}\) is correct.

Uniqueness. To prove uniqueness of our \(\mathsf {X\hbox {-}VRF}\) scheme by a reduction to the uniqueness property of the underlying \(\textsf{XMSS}\) scheme, we assume \(\mathcal {A}_{\text {unq}}\) being an adversary against uniqueness property of our \(\mathsf {X\hbox {-}VRF}\) scheme. We can construct an adversary \(\mathcal {B}_{\text {unq}}\) against the uniqueness property of the underlying \(\textsf{XMSS}\). Let \(\textsf{y}_{\textsf{VRF}_1},\textsf{y}_{\textsf{VRF}_2}\) be two different outputs and \(\pi _{\textsf{VRF}_1},\pi _{\textsf{VRF}_2}\) the two respective proofs generated by \(\mathcal {A}_{\text {unq}}\) on the same input x. We know that \(\textsf{y}_{\textsf{VRF}_i}=\textsf{H}(\textsf{XMSS}.\sigma _i,x)\) and \(\pi _i=\textsf{XMSS}.\sigma _i\) for \(i\in \{1,2\}\). If \(\textsf{y}_{\textsf{VRF}_1}\ne \textsf{y}_{\textsf{VRF}_2}\), then we must have \(\textsf{XMSS}.\sigma _1\ne \textsf{XMSS}.\sigma _2\). Set \(m=x\) being the input message of the \(\textsf{XMSS}.\textsf{Sign}\) algorithm. Since x is the same in both signatures \(\textsf{XMSS}.\sigma _1\) and \(\textsf{XMSS}.\sigma _2\), it follows that the \(\textsf{XMSS}\) signature scheme is not unique, which contradicts the uniqueness property stated in Lemma 1.

Pseudorandomness. Let \(\mathcal {A}_{\text {pr}}\) be a PPT adversary against the pseudorandomness of our \(\mathsf {X\hbox {-}VRF}\) scheme. Recall that \(\textsf{y}_{\textsf{VRF}}= \textsf{H}(\textsf{XMSS}.\sigma ,x)\) where \(\textsf{H}\) is modelled as a random oracle and \(\textsf{XMSS}.\sigma \) is a signature on x. Also recall that \(\textsf{XMSS}.\sigma \) contains \(\mathsf {WOTS^{+}}.\sigma \) which is the (iterated) hash of some completely random and independent n-bit strings unknown to \(\mathcal {A}_{\text {pr}}\). So, any \(\mathsf {WOTS^{+}}.\sigma \) results in just some random bit string that is contained in \(\textsf{XMSS}.\sigma \). Hence, the only way \(\mathcal {A}_{\text {pr}}\) can distinguish \(\textsf{y}_{\textsf{VRF}}\) from a uniformly random value happens if \(\mathcal {A}_{\text {pr}}\) has queried \(\textsf{H}\) on the input \((\textsf{XMSS}.\sigma ,x)\), which happens with negligible probability since \(\mathcal {A}_{\text {pr}}\) cannot query the signing oracle on x. The pseudorandomness property follows.

1.3 C.3 A.3 XMSS Signature Scheme

We introduce the concept of XMSS signature from which our VRF is constructed. XMSS is based on the idea of Merkle trees (see Fig. 3) which are binary trees where each nodes is the hash of both its children. Each leaf correspond to the key pair of a One-time digital signature named \(\mathsf {WOTS^{+}}\). By definition, a \(\mathsf {WOTS^{+}}\) key pair can be used to sign only one message and therefore, each leaf can be only used once. Each signer keep a state \(\mathsf {XMSS.idx}\) which is incremented after each signature. A \(\textsf{XMSS}\) signature \(\textsf{XMSS}.\sigma \) is composed of a \(\mathsf {WOTS^{+}}\) signature \(\mathsf {WOTS^{+}}.\sigma \), an index i, which indicates the position of the \(\mathsf {WOTS^{+}}\) key pair in the tree and the authentication path \(\mathsf {XMSS.Auth}\), which allows to recompute the Merkle root from the \(\mathsf {WOTS^{+}}\) signature to the root. The root is the \(\textsf{XMSS}\) public key \(\mathsf {XMSS.pk}\). A simple example is given in Fig. 3 which shows the fourth signatures performed with the XMSS scheme.

Definition 2

XMSS is defined by a tuple of three algorithms

• \((\mathsf {XMSS.idx},\mathsf {XMSS.sk},\mathsf {XMSS.sk})\leftarrow \mathsf {\mathsf {XMSS.KeyGen}}(1^\lambda )\): The key generation algorithm on input the security parameter \(\lambda \) outputs a pair consisting of secret and public keys and an index set to 0 which is the sate and indicate which leaf to use for a signature. One part of the public key is the root of the tree \(\mathsf {XMSS.root}\) and the other part is a seed used to compute the bitmask (see Fig. 3).

• \((\textsf{XMSS}.\sigma )\leftarrow \mathsf {XMSS.Sign}(\mathsf {XMSS.sk},m,\mathsf {XMSS.idx}):\) The signing algorithm takes as input the secret key \(\mathsf {XMSS.sk}\), \(\mathsf {XMSS.idx}\) and a message m, and outputs a signature \(\textsf{XMSS}.\sigma =(\mathsf {WOTS^{+}}.\sigma ,i,\mathsf {XMSS.Auth})\) which composed of a \(\mathsf {WOTS^{+}}\) signature, the index i that indicates the position of the \(\mathsf {WOTS^{+}}\) signature in the tree and the authentication path \(\mathsf {XMSS.Auth}\) (the grey nodes in Fig. 3)

• \(Accept/Reject\leftarrow \mathsf {XMSS.Verify}(\mathsf {XMSS.pk},m,\textsf{XMSS}.\sigma ):\) The verification algorithm takes as input the public key \(\mathsf {XMSS.pk}=(\mathsf {XMSS.root},\mathsf {XMSS.seed})\), the message m and the signature \(\textsf{XMSS}.\sigma =(\mathsf {WOTS^{+}}.\sigma ,i,\mathsf {XMSS.Auth})\). It verifies the validity of the \(\mathsf {WOTS^{+}}\) signature and then recompute the merkle root \(r'\) from the \(\mathsf {WOTS^{+}}\) public using the auhtentication path \(\mathsf {XMSS.Auth}\) and following the direction indicated by i. This outputs Accept iff \(r'=\mathsf {XMSS.root}\), Reject otherwise.

Fig. 3.

The \(\textsf{XMSS}\) tree construction.