Pairing-Based Verifiable Random Functions


Pairing-Based Verifiable Random Functions Yevgeniy Dodis New York University

Random Oracle Model [BeRo92]
Figure: Laura sends x to the Oracle and gets back H(x). Laura: "I trust you, Oracle. Thank you for sending the correct, truly random value H(x)."

Random Oracle Model (cont.)
- Idealized model of computation: assumes a truly random function H: {0,1}* -> {0,1}^k
- H is publicly available, verifiable, transferable and random
- Has found a gigantic number of applications, including many where no "standard" solution is known
- Problem: random oracles do not exist (disclaimer: not counting SHA1/MD5 and the like)
- The danger can be formalized [CGH98, ...]
- Challenge: can we provably eliminate the RO (to the maximum extent possible)?

Alternatives to the Random Oracle
- Pseudorandom Functions (PRFs) [GGM86, NaRe97]
- Verifiable Random Functions (VRFs) [MRV99, Lys02, Dod03, DY05]  <- this talk
- Distributed PRFs (DPRFs) [MiSi95, NPR99, Nie02]
- Distributed VRFs (DVRFs) [Dod03, DY05]

Pseudorandom Functions (PRF)
Figure: Laura sends x to a trusted third party (TTT) holding the secret key SK and gets back F_SK(x). Laura: "Your value F_SK(x) looks random to me. But I'm not sure it's correct, and I can't convince anybody else."
- Oded (the key holder) is just an efficient and indistinguishable implementation of Phil (the oracle)
- F is not (pseudo)random to Oded
- Laura can't check its correctness or convince outside parties

Current PRFs
Based on block ciphers (CBC-MAC, HMAC, ...):
- very fast and useful in symmetric-key crypto
- ad-hoc security
- not applicable for protocols
- not applicable for distributed computation
Based on number theory (Naor-Reingold, ...):
- nicer assumptions, more "elegant"
- applicable for protocols
- can be distributed
- slow and inefficient: uses one exponentiation and one secret-key element per input bit

Naor-Reingold PRF
Say G is a group of prime order q. For a k-bit input x = (x[1], ..., x[k]):
  NR_{g, a[1], ..., a[k]}(x) = g^{prod of a[i] over all i with x[i] = 1}
Here g ∈ G and a[1], ..., a[k] ∈ Z_q are random (and secret).
Toy example: k = 6, x = 011011. View x as a path on a binary tree: the root is g, going left (x[i] = 0) does nothing, going right (x[i] = 1) raises the current node to the power a[i]. The path for 011011 is
  g -> g -> g^{a[2]} -> g^{a[2]a[3]} -> g^{a[2]a[3]} -> g^{a[2]a[3]a[5]} -> g^{a[2]a[3]a[5]a[6]}
Theorem [NR97]: NR is a PRF under DDH in G. Under DDH, all nodes look random and independent.
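The tree walk above, written out as an added example (not code from the slides or from [NR97]). It works in a toy prime-order subgroup of Z_2039^* chosen here only so the arithmetic is visible; the parameters are an assumption and are far too small to be secure. Besides the PRF value it returns the root-to-leaf path, which is what a later slide turns into a proof, and it checks the structural fact that sibling leaves NR(x0), NR(x1), NR(z0), NR(z1) always form a DDH tuple:

```python
import secrets

# Toy group, constructed for illustration only and far too small to be secure:
# 2039 = 2 * 1019 + 1 is a safe prime, so Z_2039^* has a subgroup of prime order
# q = 1019, generated by the square g = 4.
P = 2039   # modulus
Q = 1019   # prime group order q
G = 4      # generator of the order-Q subgroup


def nr_keygen(k):
    """Secret key for k-bit inputs: k random exponents a[1..k] in Z_q^*."""
    return [1 + secrets.randbelow(Q - 1) for _ in range(k)]


def nr_eval(a, x):
    """Naor-Reingold PRF value g^{prod a[i] : x[i] = 1}, plus the root-to-leaf path.

    Walks the slide's binary tree: start at the root g; for each input bit go
    left (bit 0: do nothing) or right (bit 1: raise to a[i]). The returned path
    lists the node reached after each bit, i.e. exactly the "children" that the
    DDH-easy-group proof on a later slide would publish.
    """
    if len(x) != len(a) or set(x) - {"0", "1"}:
        raise ValueError("x must be a bit string of length len(a)")
    node = G
    path = [node]
    for bit, a_i in zip(x, a):
        if bit == "1":
            node = pow(node, a_i, P)
        path.append(node)
    return node, path


def siblings_form_ddh_tuple(a, x, z):
    """For any (k-1)-bit prefixes x and z, the leaves NR(x0), NR(x1), NR(z0), NR(z1)
    form a DDH tuple (u, u^a, v, v^a) with a = a[k]. We check that structural fact
    here using the secret a[k]; in a DDH-easy group an outsider could check it too."""
    u0, _ = nr_eval(a, x + "0")
    u1, _ = nr_eval(a, x + "1")
    v0, _ = nr_eval(a, z + "0")
    v1, _ = nr_eval(a, z + "1")
    return u1 == pow(u0, a[-1], P) and v1 == pow(v0, a[-1], P)


if __name__ == "__main__":
    a = nr_keygen(6)
    y, path = nr_eval(a, "011011")
    print("NR(011011) =", y)
    print("path       =", path)
    print("sibling leaves form a DDH tuple:", siblings_form_ddh_tuple(a, "01101", "11100"))
```

The path is the sequence of intermediate exponentiations, so evaluating one input costs one exponentiation per 1-bit, which is the "slow, one exponentiation per input bit" point made on the previous slide.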

Question 1 Can we build a number-theoretic PRF which does not process the input bit-by-bit? Stay tuned…

PRFs Give No Verifiability
"There's a huge trust. I see it all the time when people come up to me and say, 'I don't want you to let me down again.'" (Boston, Massachusetts, October 3, 2000)
"I think if you know what you believe, it makes it a lot easier to answer questions. I can't answer your question." (Reynoldsburg, Ohio, October 4, 2000)
Figure: Laura sends x to the TTT (George W.) and gets back F_SK(x) + 5.
- George W. is trusted not only to keep SK secret, but also to give the correct function value.
- To check the correctness of F(x), Laura needs to ask George again (and again).

Non-interactive lottery [MR02]
- The lottery organizer has a secret function F_SK(.)
- Each participant chooses a lottery ticket x and sends it to the organizer
Figure: three participants send x1 = 3, x2 = 8, x3 = 5 to the organizer.

Non-interactive lottery (cont.)
- The organizer computes y = F_SK(x) for each x he receives
- The value y somehow determines whether the user wins; e.g., the user wins $100 if his y is prime
Figure: F_SK(3) = 10, F_SK(8) = 11, F_SK(5) = 15, so only the second ticket wins.

Non-interactive lottery (cont.)
This scheme almost works, except...
- Problem 1: we must ensure that users cannot bias the lottery, i.e., F_SK(x) should look random and unpredictable. A regular PRF is enough.
- Problem 2: what stops the organizer from lying about the true value F_SK(x)? We need verifiability (and uniqueness!). This leads to VRFs!

Verifiable Random Functions (VRF)
Figure: Laura sends x to a semi-trusted third party (semi-TTT) holding the secret key SK, whose public key PK is published, and gets back F_SK(x) together with a proof π_SK(x). Laura: "Using PK and the proof π_SK(x), I can see that F_SK(x) is correct. Without the proof, it would look random."
- Michael (the key holder) is just an efficient and indistinguishable implementation of Phil
- F is not (pseudo)random to Michael
- However, Laura can check its correctness and convince outside parties

Verifiable Random Functions [MRV99]
PRFs with a special property: in addition to the secret key SK there is also a public key PK, and the holder of SK can produce a proof π_SK(x) that y = F_SK(x) for a unique y.
Security game (adversary vs. challenger holding (PK, SK); the adversary gets PK):
- the adversary queries x1, x2, ... and receives (F_SK(x1), π_SK(x1)), (F_SK(x2), π_SK(x2)), ...
- the adversary picks a challenge z; the challenger sets y0 := F_SK(z), y1 := random, picks a random bit b and returns y := y_b
- the adversary may continue querying x_i (≠ z) and receiving (F_SK(x_i), π_SK(x_i)), then outputs a guess b'
The VRF is secure if Pr[b = b'] ≈ 1/2.

Applications
- VRFs are unique signatures; intuitively, "VRF = PRF + signature"
- Lottery application [MR02]
- Verifiable KDC, long-term encryption [NPR99]
- A tool in protocol design:
  - three-round resettable ZK [MR01]
  - verifiable transaction escrow [JS04]
  - efficient e-cash [CHL05] (needs a PRF with special properties, such as having efficient ZK proofs)

Compact e-cash [CHL05]
- Offline anonymous e-cash scheme: a user can withdraw a wallet of 2^l coins from the bank and later spend them.
- In the best previously known schemes, withdraw and spend operations take O(2^l · k) time (k = security parameter).
- In EuroCrypt '05, [CHL05] used the [DY05] VRF to construct a scheme whose withdraw/spend operations take O(l + k) time.
- They also have an O(l · k) scheme using the VRF variant of [Dod03] (more convenient for ZK).
- A PRF would have sufficed, but a nice algebraic structure was needed to do efficient ZK proofs!

Constructing VRFs
Comparison of [MRV99], [Lys02], [Dod03] and [DY05] along seven criteria: pairing-based?, short proofs/keys, mapping of inputs, expensive "VUF -> VRF" transform, distributed, good for protocols?, practical? The table is built up over the next slides; the complete version appears after the VUF-to-VRF slide.

Constructing VRFs (cont.)

                       MRV99          Lys02              Dod03              DY05
Pairing-based?         no             yes                yes                yes
Short proofs/keys      no             no (bit-by-bit)    no (bit-by-bit)    yes
Mapping of inputs      yes (primes)   yes (codes)        yes (codes)        no
Expensive "VUF->VRF"   yes            yes                no                 no

The "no" in the DY05 column for mapping of inputs resolves Question 1: the input is not processed bit by bit.

VUF to VRF Transformation
- First, get a nice and "elegant" VUF construction. A verifiable unpredictable function is just like a VRF, except that it is only hard to compute any "new" value (the value need not look random).
- Then apply the expensive generic VUF -> VRF transform of [MRV99]:
  (a) Goldreich-Levin to get a VRF with ω(log n) input bits -> 1 output bit, with a terrible exact security loss
  (b) several copies of (a) to bring the output length up to the input length
  (c) a tree-based construction on top of (a)+(b) to get a large input and a small output
  (d) several copies of (a)+(b)+(c) to get a large output
- The result is a very bulky and "inelegant" VRF.
- Stay tuned for better efficiency with pairings!

Constructing VRFs (complete table)

                       MRV99          Lys02              Dod03              DY05
Pairing-based?         no             yes                yes                yes
Short proofs/keys      no             no (bit-by-bit)    no (bit-by-bit)    yes
Mapping of inputs      yes (primes)   yes (codes)        yes (codes)        no
Expensive "VUF->VRF"   yes            yes                no                 no
Distributed            no             no                 yes                yes
Good for protocols?    no             no                 maybe              yes
Practical?             no             no                 hmm...             yes

Roadmap for Constructions
- Work in groups where DDH is easy:
  - VUF under a CDH-like assumption [Lys02]; the full power of pairings is not needed yet
  - Two ways of avoiding Goldreich-Levin:
    - encoding + a decisional assumption [Dod03]
    - use pairings explicitly (with a new assumption): set VRF_SK(x) = e(VUF_SK(x), g)
- Direct construction with pairings [DY05]:
  - simple and efficient VUF based on [BB04]
  - still set VRF_SK(x) = e(VUF_SK(x), g), but for a more efficient VUF!

Using DDH-easy Groups
Recall NR_{g, a[1], ..., a[k]}(x) = g^{prod of a[i] over all i with x[i] = 1}.
- Problem: nobody can verify a claimed value NR(011011); there is no proof π(011011).
- But assume DDH is easy! Publish PK = (g, h, h^{a[1]}, ..., h^{a[k]}) and let the proof π(x) be all the "children" on the path from the root g to NR(x) (for 011011: g, g^{a[2]}, g^{a[2]a[3]}, g^{a[2]a[3]a[5]}, g^{a[2]a[3]a[5]a[6]}). Use DDH and the public key to test each consecutive pair of children against (h, h^{a[i]}).
- We get verifiability, but what about pseudorandomness? Gone! Say, NR(0^k) = g, or [NR(x0), NR(x1), NR(z0), NR(z1)] form a DDH tuple for any x, z.
- What do we do?

Option 1: settle for a VUF [Lys02]
- NR(x) still seems to be hard to compute even if DDH is easy (modulo the triviality that we must append a 1 to each input, so that NR(0^k) = g is no longer a function value).
- Need a "CDH-like" assumption in DDH-easy groups (called generalized CDH).
- Notation: given x, let 1_x = {i | x[i] = 1}. Given g, a[1], ..., a[L] and a set I ⊆ {1..L}, let Exp(I) = g^{prod of a[i] over all i ∈ I}. E.g., NR(x) = Exp(1_x) (we'll use Exp(1_{x1}), i.e. x with a 1 appended).

Generalized CDH of order L
The adversary is given oracle access to Exp(I) for I ⊆ {1..L}. G satisfies gCDH of order L if for every efficient adversary that queries I1, I2, ..., I_m, receives Exp(I1), Exp(I2), ..., Exp(I_m), and finally outputs (J, v) with J ∉ {I1, ..., I_m}:
  Pr[v = Exp(J)] = negl

VUF under gCDH [Lys02]
- Tautological if we set the order L = k+1.
- Note: [NR] needed gDDH. Luckily, gDDH follows from DDH [STW].
- Most of the work in [Lys02]: reduce the order to O(log k) (note, L = 2 gives CDH) and force the adversary to forge the full set J = {1..L}. Reason: this makes the assumption non-interactive.
- Clever use of an encoding C: {0,1}^k -> {0,1}^L: set NR^C_{g, a[1], ..., a[L]}(x) = Exp(1_{C(x)}) and choose a special C to make this work for L = O(k). Turns out we need an error-correcting code.
- Instead, we'll use an encoding for a different reason: to get a direct VRF without going through a VUF! [Dod03]

Option 2: Use an Encoding [Dod03]
- As before, use an encoding C: {0,1}^k -> {0,1}^L and set NR^C_{g, a[1], ..., a[L]}(x) = Exp(1_{C(x)}).
- Reasoning: almost as efficient as C = identity when L is close to k, but with a lot of freedom. For example, [NR^C(x0), NR^C(x1), NR^C(z0), NR^C(z1)] do not have to form a DDH tuple for a lot of C, x, z.
- In fact, if there are no DDH tuples among {Exp(1_{C(x)})}, then for all we know NR^C might be a PRF despite DDH being false!
- And if there are no DDH tuples involving a leaf even after adding the proofs (root-to-leaf paths for different leaves), then we might get a VRF.
- Leads to sum-free DDH [Dod03].

Sum-Free DDH of order L
The adversary is given oracle access to Exp(I) for I ⊆ {1..L}. G satisfies sf-DDH of order L if for every efficient adversary that queries I1, I2, ..., names a challenge J, receives y := y_b where y0 := Exp(J), y1 := random and b is a random bit, continues querying I_i and receiving Exp(I_i), and finally outputs a guess b':
  Pr[b = b'] ≈ 1/2,
provided no J1, J2, J3 ∈ {I1, ..., I_m} exist making [Exp(J), Exp(J1), Exp(J2), Exp(J3)] a DDH tuple.

Using sf-DDH [Dod03]
- Intuitively, says that everything is random unless a DDH tuple is found.
- Challenge: build encodings C forcing the VRF attacker to respect the sum-free restriction.
- Theorem [Dod03] (view a k-bit x as an element of GF(2^k); ∘ denotes concatenation):
  - If C(x) = x^3 ∘ x, then NR^C is a PRF under the sf-DDH assumption of order 2k (no need for DDH to be easy yet).
  - If C(x) = x^3 ∘ x ∘ 1 ∘ x ∘ 1 and DDH is easy, then NR^C is a VRF under the sf-DDH assumption of order 3k+3.
- Both orders can be reduced to O(log k) using ECCs; this allows a non-interactive assumption.
- So far there is no need to use the pairing explicitly.

Building a PRF from sf-DDH
- Lemma: if C is such that "C(x1) + C(x2) ≠ C(x3) + C(x4)" for the relevant inputs, then NR^C is a PRF under sf-DDH of order L.
- It suffices to construct a 4-wise independent C: for no distinct x1, x2, x3, x4 is C(x1) ⊕ C(x2) ⊕ C(x3) ⊕ C(x4) = 0. Such constructions are well known from coding theory (parity-check matrix of a BCH code of distance 5) and derandomization.
- Example: view {0,1}^k as GF(2^k), let L = 2k and C(x) = x^3 ∘ x. A very simple and efficient encoding.
- Theorem: if C(x) = x^3 ∘ x, then NR^C is a PRF under the sf-DDH assumption of order 2k.
- Problem: order 2k is too large. Can we get O(log k)? Yes: put an "outer" linear error-correcting code E around it, C''(x) = E(C(x)). Similar to [Lys02] for constructing a VUF.
- Punchline: a simple PRF under sf-DDH of order O(log k) (note, we don't need DDH to be false yet).
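The 4-wise independence claim can be checked exhaustively for a small field. The following is an added example (not code from the slides or from [Dod03]): it implements GF(2^4) arithmetic, which is an assumption chosen here only so that the whole domain of 16 inputs can be searched, and tests the slide's encoding C(x) = x^3 ∘ x against two encodings that fail, the identity (plain Naor-Reingold, which is the DDH-tuple problem from the "Using DDH-easy Groups" slide) and x^2 ∘ x (squaring is GF(2)-linear, so the extra block adds nothing):

```python
from itertools import combinations

# Toy field GF(2^K) with K = 4 and reduction polynomial x^4 + x + 1 (0b10011),
# constructed so that the whole input domain {0,1}^4 can be searched exhaustively.
K = 4
MOD = 0b10011


def gf_mul(a, b):
    """Carry-less multiplication in GF(2^K), reduced modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> K:
            a ^= MOD
    return r


def enc_cube(x):
    """The slide's encoding C(x) = x^3 o x (o = concatenation), L = 2K bits."""
    return (gf_mul(gf_mul(x, x), x) << K) | x


def enc_square(x):
    """C(x) = x^2 o x: squaring is GF(2)-linear, so this cannot be 4-wise independent."""
    return (gf_mul(x, x) << K) | x


def enc_identity(x):
    """C(x) = x: plain Naor-Reingold, L = K bits."""
    return x


def find_zero_sum(enc, k=K):
    """Return four distinct inputs whose encodings XOR to zero, or None if none exist."""
    codes = {x: enc(x) for x in range(1 << k)}
    for quad in combinations(range(1 << k), 4):
        acc = 0
        for x in quad:
            acc ^= codes[x]
        if acc == 0:
            return quad
    return None


def is_4wise_independent(enc, k=K):
    """True iff enc is injective and no four distinct inputs have encodings XORing to zero,
    i.e. the condition the PRF lemma needs: C(x1) ^ C(x2) != C(x3) ^ C(x4) for distinct xi."""
    codes = {x: enc(x) for x in range(1 << k)}
    if len(set(codes.values())) != len(codes):
        return False
    return find_zero_sum(enc, k) is None


if __name__ == "__main__":
    for name, enc in (("x^3 o x", enc_cube), ("x^2 o x", enc_square), ("identity", enc_identity)):
        print(f"{name:8s}: 4-wise independent = {is_4wise_independent(enc)}, "
              f"witness = {find_zero_sum(enc)}")
```

For the identity and the square encoding the very first quadruple (0, 1, 2, 3) already sums to zero; for x^3 ∘ x no quadruple does, which is the BCH distance-5 property the slide refers to (the columns (x, x^3) are the parity-check matrix of the binary BCH code with designed distance 5).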

From PRF to VRF
- Now assume DDH is false (easy) and sf-DDH is true. Publish PK = (g, h, h^{a[1]}, ..., h^{a[L]}) and let the proof π(x) be all "children" of NR^C(x). Use DDH and the public key to verify all "neighbors".
- Problem: with each Exp(1_{C(x)}), the adversary also learns the values Exp(I) for all "prefixes" I of 1_{C(x)}.
- Need C such that for no x1, x2, x3, x4 and prefixes I2 of C(x2), I3 of C(x3), I4 of C(x4) is C(x1) ⊕ I2 ⊕ I3 ⊕ I4 = 0. Call it 4-wise "prefix independence".
- Lemma: if C(x) is 4-wise independent, then C''(x) = C(x) ∘ 1 ∘ x ∘ 1 is 4-wise prefix independent.
- Theorem: if C(x) = x^3 ∘ x ∘ 1 ∘ x ∘ 1 and DDH is false, then NR^C is a VRF under the sf-DDH assumption of order 3k+3.
- As with PRFs, the order can be reduced to O(log k) using ECCs.

Option 3: Use Bloody Pairings!
- Formula for a general VUF -> VRF conversion: π'_SK(x) = (π_SK(x), F_SK(x)) and F'_SK(x) = H(F_SK(x)) for a "good" H. But which H?
- If H is a RO, this trivially works, but it is "useless".
- Standard H are difficult in general (Goldreich-Levin).
- Idea: so far we have F_SK(x) = g^{something} and use pairings only to solve DDH in G (to verify π_SK(x)). Why not use H(y) = e(g, y)?!
- Hope: if y is hard to compute, then it is reasonable to assume that e(g, y) is pseudorandom!

Option 3: Using Pairings
- Given a VUF (F, π) with values in G and a bilinear map e: G × G -> G', define π'_SK(x) = (π_SK(x), F_SK(x)) and F'_SK(x) = e(g, F_SK(x)) (now in G').
- Can apply this to the VUF of [Lys02] and get a PRF (under a reasonable decisional assumption).
- A VRF? No, the proofs spoil everything (DDH easy). Still long proofs/keys and bit-by-bit processing.
- Instead, [DY05] follows this option with a new, more efficient VUF where it all works!

Simple VUF [DY05, BB04]
Start from the Boneh-Boyen signature [BB04]:
- Algorithm Gen(1^k): pick s ∈_R Z_p^*. The secret key is SK = s; the public key is PK = g^s.
- Algorithm Sign_SK(x): to sign x, compute y = g^{1/(x + SK)}.
- Algorithm Ver_PK(x, y): check that e(y, g^x · PK) = e(g, g).

Our VUF (cont.)
- The Boneh-Boyen signature is secure against non-adaptive queries (and uses the "q-SDH assumption").
- A VUF must be secure against adaptive queries.
Figure: in the non-adaptive game the adversary commits to all its queries x1, x2, ..., x_k before receiving PK and the answers y1, y2, ..., y_k; in the adaptive game the adversary receives PK first and then gets each y_i right after asking x_i.

Our VUF (cont.)
- Solution 1: assume [BB04] is a secure VUF. Leads to a tautological interactive assumption, although we believe it is reasonable.
- Solution 2: restrict the input size to be small, a(k) = O(log s(k)), where s(k) will be the (super-polynomial) security that we assume. This allows us to enumerate all possible queries in less than s(k) time and answer them adaptively. Can use the more standard "q-DHI" assumption (which is weaker than the "q-SDH" of [BB04]). Still get decent and practical parameters.

Our VUF (cont.)
- Then the Boneh-Boyen signature becomes a VUF for small inputs.
- Can use GL to convert the VUF into a VRF, but this is very inefficient.
- Instead, use the pairing-based transformation suggested earlier: VRF_SK(x) = e(VUF_SK(x), g). Get a direct VRF for small inputs (stay tuned), under the stronger but already studied "q-DBDHI" assumption [BB04].

Our VRF
Instead, we construct a VRF directly:
- Algorithm Gen(1^k): pick s ∈_R Z_p^*. The secret key is SK = s; the public key is PK = g^s.
- Algorithm Prove_SK(x): compute (F_SK(x), π_SK(x)) = (e(g, g)^{1/(x + SK)}, g^{1/(x + SK)}). The proof π_SK(x) is exactly our VUF value.
- Algorithm Ver_PK(x, y, π): verify that e(g^x · PK, π) = e(g, g) and y = e(g, π).
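The three algorithms above, as an added example that is not code from the slides or from [DY05], and also serving the non-interactive lottery from the earlier slides. A real bilinear pairing cannot be written in a few lines, so the `pair()` function below is an assumption: a stand-in that is bilinear by construction because it reads discrete logs off a table, which is only possible because the group (the order-1019 subgroup of Z_2039^*, another toy assumption) is tiny. Everything else is exactly Gen, Prove and Ver from the slide; in practice the same code would call a pairing library on a proper curve.

```python
import secrets

# Toy bilinear setting, constructed for illustration only (no security at all):
# G is the order-1019 subgroup of Z_2039^* generated by g = 4 (2039 = 2*1019 + 1 is
# a safe prime). A real pairing e: G x G -> G_T cannot be written in a few lines,
# so pair() below is a stand-in that is bilinear by construction: it recovers
# discrete logs from a lookup table, which is feasible only because the group is
# tiny. The Gen/Prove/Ver algorithms themselves are exactly the ones on the slide.
P, Q, G = 2039, 1019, 4
GT = pow(G, 2, P)                              # generator of the stand-in target group
_DLOG = {pow(G, i, P): i for i in range(Q)}    # toy discrete-log table


def pair(u, v):
    """Stand-in bilinear map: e(g^a, g^b) = gT^(a*b)."""
    return pow(GT, (_DLOG[u] * _DLOG[v]) % Q, P)


def vrf_gen():
    """Gen(1^k): SK = s uniform in Z_q^*, PK = g^s. Returns (PK, SK)."""
    s = 1 + secrets.randbelow(Q - 1)
    return pow(G, s, P), s


def vrf_prove(sk, x):
    """Prove_SK(x) = (F_SK(x), pi_SK(x)) = (e(g,g)^{1/(x+s)}, g^{1/(x+s)})."""
    d = (x + sk) % Q
    if d == 0:
        # x = -s (mod q) has no inverse. With s random and the small input domain
        # the slides assume, this happens with negligible probability.
        raise ValueError("x + SK = 0 mod q: no inverse exists")
    pi = pow(G, pow(d, -1, Q), P)
    return pair(G, pi), pi


def vrf_verify(pk, x, y, pi):
    """Ver_PK(x, y, pi): e(g^x * PK, pi) == e(g, g) and y == e(g, pi)."""
    gx_pk = (pow(G, x, P) * pk) % P
    return pair(gx_pk, pi) == pair(G, G) and y == pair(G, pi)


def count_valid_proofs(pk, x):
    """Uniqueness check (feasible only in the toy group): how many group elements
    pass Ver_PK(x, e(g, pi), pi)? A VRF requires exactly one."""
    return sum(vrf_verify(pk, x, pair(G, cand), cand) for cand in _DLOG)


if __name__ == "__main__":
    # The lottery from the earlier slides: the organizer publishes PK, each
    # participant sends a ticket x and can verify the returned (y, pi).
    pk, sk = vrf_gen()
    for ticket in (3, 8, 5):
        y, pi = vrf_prove(sk, ticket)
        print(f"ticket {ticket}: y={y:4d} pi={pi:4d} verifies={vrf_verify(pk, ticket, y, pi)}")
    y, pi = vrf_prove(sk, 8)
    print("forged proof accepted?", vrf_verify(pk, 8, y, (pi * G) % P))
    print("valid proofs for ticket 8:", count_valid_proofs(pk, 8))
```

The uniqueness count is the property that distinguishes a VRF from a mere signature: for a fixed PK and x exactly one π satisfies e(g^x · PK, π) = e(g, g), so the organizer cannot present two different "correct" values for the same ticket. The `d == 0` branch is the one edge case of the construction; with inputs hashed down to a(k) bits and a random s it is negligible, but an implementation still has to refuse rather than divide by zero.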

Complexity Assumptions
We make two assumptions:
- q-DHI assumption: given (g, g^x, ..., g^{(x^q)}), it is hard to compute g^{1/x} [MSK02]. Used for the security of the [BB04] VUF.
- q-DBDHI assumption: given (g, g^x, ..., g^{(x^q)}), it is hard to distinguish e(g, g)^{1/x} from random [BB04]. Used for the security of the [DY05] VRF.
"Hard" = an adversary running for s(k) steps is unlikely to succeed, where s(k) is between ω(poly(k)) and o(2^k).

Security Statement
- Our VRF/VUF is provably secure for inputs of small size, a(k) = O(log s(k)).
- If there is an algorithm A that breaks the VRF/VUF in time t with probability ε, then there is an algorithm B that solves the q-DBDHI/q-DHI problem (q = 2^{a(k)}) in time ≈ t/(2^{a(k)} · poly(k)) with probability ε/2^{a(k)}.
- A big security loss, but we believe it is an artifact of the assumption/analysis.
- Using a CRHF to hash longer inputs suffices to support a(k) < 200.
- Results in pretty good concrete parameters...

Proof of Security: big picture
Construct a reduction algorithm B that answers A's queries in the VRF game and then uses A's answers to solve the q-DBDHI instance. Figure: the challenger hands B the tuple (g, g^α, ..., g^{(α^q)}, Γ); B plays the VRF challenger for A; B must decide whether Γ = e(g, g)^{1/α}.

Proof of Security: sketch
- Idea: we want to know whether Γ = e(g, g)^{1/α}.
- Guess that A can distinguish the VRF value of x* from random.
- Prepare keys (PK, SK) such that SK = α − x* is unknown to B, yet B can correctly compute ⟨F_SK(x), π_SK(x)⟩ for any x ≠ x*.
- Construct Γ* from Γ such that F_SK(x*) = Γ* if Γ = e(g, g)^{1/α}, and F_SK(x*) is random if Γ is random.
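The sketch only states what the reduction B must achieve. The following derivation is added here and is not on the original slides; it spells out the standard polynomial-in-the-exponent technique of [BB04]/[DY05] that does it, assuming the input domain D = {0,1}^{a(k)} is embedded in Z_p, q = 2^{a(k)}, and p > q so that distinct inputs stay distinct mod p.

B receives $(g, g^{\alpha}, \dots, g^{\alpha^{q}}, \Gamma)$, guesses $x^* \in D$, and sets
$$f(z) = \prod_{w \in D,\; w \neq x^*} (z + w - x^*) = \sum_{j=0}^{q-1} c_j z^j, \qquad \deg f = q-1 .$$
It then defines a fresh generator and the public key for the implicit secret key $SK = \alpha - x^*$:
$$g' = g^{f(\alpha)} = \prod_{j=0}^{q-1} \big(g^{\alpha^{j}}\big)^{c_j}, \qquad PK = (g')^{SK} = g^{\alpha f(\alpha)} \cdot (g')^{-x^*},$$
both computable from the instance because $\alpha f(\alpha)$ has degree $q$. For every $x \neq x^*$ the factor $(z + x - x^*)$ divides $f(z)$, so $f_x(z) = f(z)/(z + x - x^*)$ is a polynomial of degree $q-2$ and B answers the query honestly without knowing $\alpha$:
$$\pi_{SK}(x) = (g')^{1/(x + SK)} = g^{f(\alpha)/(\alpha + x - x^*)} = g^{f_x(\alpha)}, \qquad F_{SK}(x) = e(g', \pi_{SK}(x)) .$$
For the challenge $x^*$ we have $x^* + SK = \alpha$, hence $F_{SK}(x^*) = e(g', g')^{1/\alpha} = e(g,g)^{f(\alpha)^2/\alpha}$. Writing $f(z)^2 = f(0)^2 + z\,h(z)$ with $\deg h = 2q-3$ gives
$$\Gamma^* = e(g,g)^{h(\alpha)} \cdot \Gamma^{f(0)^2}, \qquad \text{where } e(g,g)^{\alpha^{j}} = e\big(g^{\alpha^{i}}, g^{\alpha^{j-i}}\big) \text{ for } 0 \le i,\, j-i \le q .$$
If $\Gamma = e(g,g)^{1/\alpha}$ then $\Gamma^* = e(g,g)^{(f(0)^2 + \alpha h(\alpha))/\alpha} = F_{SK}(x^*)$; if $\Gamma$ is uniform in $G_T$ then so is $\Gamma^*$, because $f(0) = \prod_{w \neq x^*}(w - x^*) \neq 0 \pmod p$. B therefore hands $\Gamma^*$ to A as the challenge value and outputs A's guess. The guess of $x^*$ is correct with probability $1/2^{a(k)}$, which is the $\varepsilon/2^{a(k)}$ loss in the security statement.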

Efficiency
Suppose a(k) = 160 bits (the length of a SHA-1 digest). We then have:

Scheme              Length of proofs and keys   Group size
[DY05]              125 bytes                   1,000-bit elliptic-curve group
[MRV99]             280,000 bytes               14,383-bit Z_n^*
[Dod03], [Lys02]    > 3,200 bytes               > 160-bit elliptic-curve group

Conclusion
- Pairings seem very useful for VRF design: simple and efficient VRF constructions that can be instantiated with elliptic-curve groups of reasonable size.
- Can be made distributed and proactive.
- Can use the "algebra" for efficient protocols: obtain the VRF value on committed values, ZK proof of knowledge of a VRF value.
- [DY05]: proofs and keys consist of only one group element regardless of the input size.
- Open: get an efficient (full-blown) VRF under more established assumptions.

Generalized DDH relative to some R
Fix L and let R(J, I1, ...) be some relation. The adversary is given oracle access to Exp(I). G satisfies gDDH of order L relative to R if for every efficient adversary that queries I1, I2, ..., names a challenge J, receives y := y_b where y0 := Exp(J), y1 := random and b is a random bit, continues querying I_i and receiving Exp(I_i), and finally outputs a guess b':
  R(J, I1, ..., I_m) = 1 implies Pr[b = b'] ≈ 1/2.

Some Observations about gDDH
- Lemma: if R and C are such that R(C(z), C(x1), ...) = 1 for all inputs, then NR^C is a PRF under gDDH of order L relative to R. Proof: trivial, compare the definitions.
- Example 1: R is true iff J ∉ {I1, ..., I_m}. This is the "usual" gDDH assumption. Known [NR97, STW96]: DDH ⇒ gDDH (due to random self-reducibility). Immediately gives that NR^{identity} is a PRF under DDH.
- Example 2: R is true iff there are no J1, J2, J3 ∈ {I1, ..., I_m} such that [Exp(J), Exp(J1), Exp(J2), Exp(J3)] form a DDH tuple. Intuitively, one can only distinguish if a DDH tuple is found. Mathematically, "J + J3 = J1 + J2" (bitwise over the integers); say, "101010 + 100100 = 201110 = 100100 + 101010". Call the resulting assumption sum-free DDH of order L.

Step 4: From PRF to VRF
- Now assume DDH is false but sf-DDH holds. More hacking is needed due to "prefixes".
- End result: if C(x) = x^3 ∘ x ∘ 1 ∘ x ∘ 1 and DDH is false, then NR^C is a VRF under the sf-DDH assumption of order 3k+3. As with PRFs, the order can be reduced to O(log k) using ECCs.

Distributing Trust
Figure (dialogue): "Yvo, why should we let a single party know all the secrets and be a single point of failure?" "Not a bad thought, Moti. After I finish my wine, I promise to vigorously attack this problem..."

Distributing Trust We have to move towards a group-oriented society: Threshold cryptography !

Figure: Laura sends x to three servers holding secret shares SK1, SK2, SK3, receives y1, y2, y3, and combines them into F_SK(x).

Distributed PRFs (DPRF)
- No verifiability yet, only PRF functionality.
- The secret key SK is shared among n servers.
- No coalition of up to t servers can compute the PRF or distinguish it from a random function.
- Any t+1 servers can evaluate the PRF.
- Two flavors:
  - Non-interactive [MiSi95, NPR99]: servers do not know about each other and only talk to Laura.
  - Interactive [NaRe97, Nie02]: much less attractive for the purpose of eliminating the random oracle.

Figure: Laura sends x to a well-known group of servers holding secret shares SK1, ..., SK9 and gets back F_SK(x). Laura: "Same experience as a PRF, but let many men argue before giving me the answer I can't check."

Applications and Constructions
- Applications: distributed KDCs, threshold Cramer-Shoup, metering on the web, Byzantine agreement, ...
- [MiSi95]: only for small n and t (complexity ~ n^t).
- [NPR99]: several constructions. "Weak" PRF under DDH: W_{g,a}(x) = x^a (secure only for random x). Trivial to distribute (non-interactive, 1 round). Using a random oracle, get a regular PRF F_{g,a}(x) = W_{g,a}(H(x)) = H(x)^a.
- [Nie02, NR97]: can distribute the Naor-Reingold PRF, but it is highly interactive: needs concurrent ZK proofs, many rounds (= |input|), and an honest majority to give the result to Laura.
- No non-interactive "regular" DPRF was known.

Distributed VRFs (DVRF)
- Distributed computation of (F_SK(x), π_SK(x)).
- The most attractive replacement for the RO:
  - distribution of trust
  - high availability (especially when non-interactive), no bottlenecks
  - can check the correctness of F(x) using the proof
  - can transfer the proof to a third party without further interaction
- By themselves give a threshold signature scheme.
- Already have, and will find more, applications.
- Not studied prior to this work.

My Results (Part II)
- First (and very simple!) DVRF construction.
- Non-interactive (albeit multi-round).
- More efficient than the regular DPRF of [Nie02]: no interaction, no ZK proofs, fewer rounds, and also verifiable.
- Tolerates any threshold (including an honest minority).

Step 5: From VRF to DVRF
- Not hard at all since our VRF is so simple!
- Standard Shamir secret sharing and Lagrange interpolation tricks, except that we can do it non-interactively.
- Punchline: DDH being easy makes it possible to do this very standard computation non-interactively.

Step 5: From VRF to DVRF (cont.)
- Need to compute Exp(1_{C(x)}) and all its "prefixes" Exp(I_i).
- Distribute each a[i] to the n servers via Shamir: server j gets share a[ij] and publishes y[ij] = h^{a[ij]}.
- Proceed in |1_{C(x)}| rounds between Laura and the servers. In each round i where C(x)[i] = 1, we have the value s_i = Exp(I_i) and need to compute s_{i+1} = s_i^{a[i]} using h and h^{a[i]}. Trivial with DDH:
  - each server j sends s_i^{a[ij]}, and Laura checks DDH(s_i, s_i^{a[ij]}, h, y[ij]);
  - after t+1 correct answers, Laura interpolates the (necessarily) correct s_{i+1} and sends it to each server, who checks it using DDH(s_i, s_{i+1}, h, y[i]).
- Punchline: DDH being easy makes it possible to do this very standard computation non-interactively.
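One round of the protocol above, as an added example (not code from the slides or from [Dod03]): Shamir shares of one exponent a[i], each server's reply s_i^{a[ij]}, Laura's DDH check of every reply against the published y[ij], and the Lagrange interpolation in the exponent that recovers s_i^{a[i]} from any t+1 honest replies. The group (order-1019 subgroup of Z_2039^*) is a toy assumption, and since there is no pairing here the DDH check is a stand-in that reads discrete logs off a table, which only works because the group is tiny; in the slide's setting the pairing plays that role. One server is made to cheat so that the rejection path is exercised.

```python
import secrets

# Toy group, constructed for illustration only and far too small to be secure: the
# order-1019 subgroup of Z_2039^* generated by h = 4 (2039 = 2*1019 + 1 is prime).
P, Q, H = 2039, 1019, 4
# The slide relies on DDH being easy (a pairing). No pairing here: this toy DDH
# oracle reads discrete logs off a table, which only works in a tiny group.
_DLOG = {pow(H, i, P): i for i in range(Q)}


def ddh(u, v, w, z):
    """Toy DDH oracle: is log_u(v) == log_w(z)? (Requires u, w != 1.)"""
    lu, lw = _DLOG[u], _DLOG[w]
    if lu == 0 or lw == 0:
        return False
    return (_DLOG[v] * pow(lu, -1, Q)) % Q == (_DLOG[z] * pow(lw, -1, Q)) % Q


def shamir_share(secret, n, t):
    """Split secret in Z_q among servers 1..n with a random degree-t polynomial,
    so that any t+1 shares determine it and t shares reveal nothing."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t)]
    shares = {}
    for j in range(1, n + 1):
        v = 0
        for c in reversed(coeffs):          # Horner evaluation of f(j)
            v = (v * j + c) % Q
        shares[j] = v
    return shares


def lagrange_at_zero(js):
    """Lagrange coefficients lambda_j with f(0) = sum_j lambda_j * f(j)."""
    lam = {}
    for j in js:
        num = den = 1
        for m in js:
            if m != j:
                num = (num * m) % Q
                den = (den * (m - j)) % Q
        lam[j] = (num * pow(den, -1, Q)) % Q
    return lam


def server_reply(s, share, cheat=False):
    """Server j holding share a[ij] returns s^{a[ij]} (a cheater returns garbage)."""
    r = pow(s, share, P)
    return (r * H) % P if cheat else r


def laura_round(s, replies, pub_shares, t):
    """One round of the slide's protocol: Laura keeps the first t+1 replies that pass
    DDH(s, reply, h, y[ij]) and interpolates in the exponent to get s^{a[i]}."""
    good = {}
    for j, r in replies.items():
        if ddh(s, r, H, pub_shares[j]):
            good[j] = r
        if len(good) == t + 1:
            break
    if len(good) < t + 1:
        raise ValueError("fewer than t+1 correct replies")
    lam = lagrange_at_zero(list(good))
    out = 1
    for j, r in good.items():
        out = (out * pow(r, lam[j], P)) % P     # prod r_j^{lambda_j} = s^{sum lambda_j a[ij]}
    return out


if __name__ == "__main__":
    n, t = 5, 2
    a_i = 1 + secrets.randbelow(Q - 1)                      # one exponent a[i] of the key
    shares = shamir_share(a_i, n, t)
    pub = {j: pow(H, v, P) for j, v in shares.items()}      # published y[ij] = h^{a[ij]}
    s_i = pow(H, 77, P)                                     # current node s_i = Exp(I_i)
    replies = {j: server_reply(s_i, v, cheat=(j == 2)) for j, v in shares.items()}
    s_next = laura_round(s_i, replies, pub, t)
    print("server 2 rejected:", not ddh(s_i, replies[2], H, pub[2]))
    print("interpolated s_{i+1} == s_i^{a[i]}:", s_next == pow(s_i, a_i, P))
```

Because the interpolation happens in the exponent, no server ever learns another server's share or the reconstructed a[i], and because each reply is checked individually against the server's own public y[ij], a wrong reply is dropped rather than poisoning the result; that is what lets the scheme tolerate an honest minority.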

Step 6: Do We Believe in sf-DDH?
- Recently, groups where DDH is easy have received a lot of attention: applications to identity-based [BF01], hierarchical [GS02] and other kinds of encryption, short signatures [BLS01], credential systems [V01], ...
- Candidates proposed [SOK00, JN01] based on certain bilinear (Weil, Tate) pairings on elliptic curves.
- No multilinear variant is known, and one is unlikely to exist [BoSi02]. For all we know, g^{abc} still looks random given g, g^a, g^b, g^c.
- The sf-DDH assumption takes this belief one step further: the only way to distinguish g^{some power} from random is to get a DDH tuple for doing so. This is the most ambitious assumption conceivable when DDH is false.
- Why settle for it and not for something less ambitious? To get the simplest possible construction plus a target for breaking. Even if it is false, the techniques of this paper seem to generalize.

Conclusions, Open Problems
- Constructed the first simple, efficient and "direct" VRF and non-interactive DPRF/DVRF.
- Motivated the study of the new sf-DDH assumption. Can we reduce the assumption? Relate it to known ones? Break it?
- One-round DPRFs/DVRFs? Adaptively secure DPRFs/DVRFs?
- More efficient constructions? More applications?
- Practical implementation? Well, let's not get carried away...