Classical and Quantum Security of Elliptic Curve VRF, via Relative Indifferentiability

  • Conference paper
Topics in Cryptology – CT-RSA 2023 (CT-RSA 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13871)

Abstract

Verifiable random functions (VRFs) are essentially pseudorandom functions for which selected outputs can be proved correct and unique, without compromising the security of other outputs. VRFs have numerous applications across cryptography, and in particular they have recently been used to implement committee selection in the Algorand protocol.

Elliptic Curve VRF (ECVRF) is an elegant construction, originally due to Papadopoulos et al., that is now under consideration by the Internet Research Task Force. Prior work proved that ECVRF possesses the main desired security properties of a VRF, under suitable assumptions. However, several recent versions of ECVRF include changes that make some of these proofs inapplicable. Moreover, the prior analysis holds only for classical attackers, in the random-oracle model (ROM); it says nothing about whether any of the desired properties hold against quantum attacks, in the quantumly accessible ROM. We note that certain important properties of ECVRF, like uniqueness, do not rely on assumptions that are known to be broken by quantum computers, so it is plausible that these properties could hold even in the quantum setting.

This work provides a multi-faceted security analysis of recent versions of ECVRF, in both the classical and quantum settings. First, we motivate and formally define new security properties for VRFs, like non-malleability and binding, and prove that recent versions of ECVRF satisfy them (under standard assumptions). Second, we identify a subtle obstruction in proving that recent versions of ECVRF have uniqueness via prior indifferentiability definitions and theorems, even in the classical setting. Third, we fill this gap by defining a stronger notion called relative indifferentiability, and extend prior work to show that a standard domain extender used in ECVRF satisfies this notion, in both the classical and quantum settings. This final contribution is of independent interest and we believe it should be applicable elsewhere.

C. Peikert and J. Xu—Most of this work was done while at Algorand.

Notes

  1.

    We caution that while uniqueness is a critical property for secure sortition, it alone does not suffice to prevent a malicious party from improperly including itself in committees. Specifically, it does not preclude the generation of a malformed public key that induces a constant function (whose outputs are always in the relevant range). Sortition protocols include additional measures to ensure that even maliciously generated public keys do not result in biases like this.

  2.

    We stress that this is only a hypothetical scenario, and we do not know of any proposed protocol that actually has this issue. However, future applications might implicitly assume non-malleability of VRF proofs, for reasons like the ones described above.

  3.

    Version 10 was updated at our suggestion to achieve non-malleability; previous versions were trivially malleable.

  4.

    In response to our observations, version 11 of [GRPV22] introduced a change to restore a more straightforward proof of (classical) soundness using standard techniques. However, it is still useful to formally support the approach taken in earlier versions, which may be used elsewhere, and to investigate post-quantum security.

  5.

    Another slight difference is that in [GRPV22], the input to \(\textsf{HTC}\) is more general: it consists of a ‘salt’ value together with \(\alpha \), where the salt is determined by the specific choice of ciphersuite (see [GRPV22, Section 7.9]). In every ECVRF ciphersuite defined in [GRPV22], the salt is simply the public key X, which matches our presentation.

  6.

    See Remark 2 below for a simpler alternative formulation that suffices for information-theoretic results.

  7.

    This definition of \(\textsf{FindInput}\) has some minor syntactic differences from the one given in [Zha19, Section 5.3], where the input is a pair \((y,x_{2})\), and the output is \((1,(x,x_{2}))\) when the search succeeds, and \((0,\textbf{0})\) otherwise. Either version can trivially be constructed from the other, so they are equivalent. Our version is better suited to the definition of find-input oracles, because it does not involve any inputs to other oracles (namely, \(x_{2}\)).

  8.

    Recall that the character group \(\widehat{\mathcal {X}'}\) is isomorphic to \(\mathcal {X}'\), but non-canonically. The equivalence of \(\textsf{FI}_{\textsf{G}}\)’s standard and phase interfaces follows by applying the (inverse) quantum Fourier transform before and after each query.

  9.

    The component \(P_{1}\) represents a ‘continuation’ of \(P_{0}\), and implicitly has access to all of its inputs and random choices.

  10.

    We remark that Unruh [Unr17, Corollary 36] proved a similar result for the QROM. However, Unruh’s reduction does not attack the soundness of the underlying \(\varSigma \)-protocol, but instead solves a kind of search problem on the QRO, in a manner that for technical reasons is not suitable for our setting. In brief, we need a reduction that ‘relativizes’ in the presence of an auxiliary stateful oracle, without making any additional queries to it (only the ones made by the adversary itself). This is the case for the reduction from [DFMS19], but not for the one from [Unr17] in our context. Furthermore, the concrete security bound in [Unr17] is slightly worse than that in [DFMS19].

  11.

    Note that because \(B, X, H, Z \in \mathbb {E}\), these checks implicitly guarantee that \(R_{B}, R_{H} \in \mathbb {E}\) as well.

References

  1. Abraham, I., Malkhi, D., Nayak, K., Ren, L.: Dfinity consensus, explored. Cryptology ePrint Archive, Paper 2018/1153 (2018). https://eprint.iacr.org/2018/1153

  2. Brendel, J., Cremers, C., Jackson, D., Zhao, M.: The provable security of Ed25519: theory and practice. In: IEEE Symposium on Security and Privacy, pp. 1659–1676 (2021)

  3. Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: Compact E-cash and simulatable VRFs revisited. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 114–131. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03298-1_9

  4. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3

  5. Badertscher, C., Gazi, P., Kiayias, A., Russell, A., Zikas, V.: Ouroboros genesis: composable proof-of-stake blockchains with dynamic availability. In: CCS, pp. 913–930 (2018)

  6. Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: CCS, pp. 390–399 (2006)

  7. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73 (1993)

  8. Cremers, C., Düzlü, S., Fiedler, R., Fischlin, M., Janson, C.: BUFFing signature schemes beyond unforgeability and the case of post-quantum signatures. In: IEEE Symposium on Security and Privacy, pp. 1696–1714 (2021)

  9. Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: how to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_26

  10. Chalkias, K., Garillot, F., Nikolaenko, V.: Taming the many EdDSAs. In: Security Standardisation Research, pp. 67–90 (2020)

  11. Chen, J., Micali, S.: Algorand: a secure and efficient distributed ledger. Theor. Comput. Sci. 777, 155–183 (2019)

  12. Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_7

  13. Don, J., Fehr, S., Majenz, C.: The measure-and-reprogram technique 2.0: multi-round Fiat-Shamir and more. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 602–631. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_21

  14. Don, J., Fehr, S., Majenz, C., Schaffner, C.: Security of the Fiat-Shamir transformation in the quantum random-oracle model. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 356–383. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_13

  15. David, B., Gaži, P., Kiayias, A., Russell, A.: Ouroboros praos: an adaptively-secure, semi-synchronous proof-of-stake blockchain. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 66–98. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_3

  16. Esgin, M.F., Steinfeld, R., Liu, D., Ruj, S.: Efficient hybrid exact/relaxed lattice proofs and applications to rounding and VRFs. Cryptology ePrint Archive, Report 2022/141 (2022). https://eprint.iacr.org/2022/141

  17. Faz-Hernández, A., Scott, S., Sullivan, N., Wahby, R.S., Wood, C.A.: Hashing to Elliptic Curves. Internet-Draft draft-irtf-cfrg-hash-to-curve, IETF Secretariat (2022). Working Draft. https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve

  18. Fuchsbauer, G., Plouviez, A., Seurin, Y.: Blind Schnorr signatures and signed ElGamal encryption in the algebraic group model. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 63–95. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_3

  19. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  20. Gilad, Y., Hemo, R., Micali, S., Vlachos, G., Zeldovich, N.: Algorand: scaling Byzantine agreements for cryptocurrencies. In: SOSP, pp. 51–68 (2017)

  21. Goldberg, S., Reyzin, L., Papadopoulos, D., Včelák, J.: Verifiable Random Functions (VRFs). Internet-Draft draft-irtf-cfrg-vrf, IETF Secretariat (2022). Working Draft. https://datatracker.ietf.org/doc/draft-irtf-cfrg-vrf

  22. Micali, S., Reyzin, L.: Soundness in the public-key model. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 542–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_32

  23. Micali, S., Rivest, R.L.: Micropayments revisited. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 149–163. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45760-7_11

  24. Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_2

  25. Micali, S., Rabin, M.O., Vadhan, S.P.: Verifiable random functions. In: FOCS, pp. 120–130 (1999)

  26. Papadopoulos, D., et al.: Making NSEC5 practical for DNSSEC. Cryptology ePrint Archive, Report 2017/099 (2017). https://eprint.iacr.org/2017/099

  27. Rotem, L., Segev, G.: Tighter security for Schnorr identification and signatures: a high-moment forking lemma for \(\varSigma \)-protocols. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 222–250. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_9

  28. Schnorr, C.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991). Preliminary version in CRYPTO 1989

  29. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997). Preliminary version in FOCS 1994

  30. Unruh, D.: Post-quantum security of Fiat-Shamir. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 65–95. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_3

  31. Unruh, D.: Compressed permutation oracles (and the collision-resistance of sponge/SHA3). Cryptology ePrint Archive, Paper 2021/062 (2021). https://eprint.iacr.org/2021/062

  32. Včelák, J., Goldberg, S., Papadopoulos, D., Huque, S., Lawrence, D.C.: NSEC5, DNSSEC Authenticated Denial of Existence. Internet-Draft draft-vcelak-nsec5, IETF Secretariat (2018). Working Draft. https://datatracker.ietf.org/doc/draft-vcelak-nsec5/

  33. Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9

Acknowledgments

We thank Mark Zhandry and Dominique Unruh for very helpful discussions about compressed oracles and our ‘find-input’ variation thereof, Leo Reyzin for helpful discussions about ECVRF and its variants, and Iñigo Azurmendi, Peter Gǎzi, and Romain Pellerin for initial observations about the malleability of early versions of ECVRF.

Author information

Corresponding author: Chris Peikert.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Peikert, C., Xu, J. (2023). Classical and Quantum Security of Elliptic Curve VRF, via Relative Indifferentiability. In: Rosulek, M. (eds) Topics in Cryptology – CT-RSA 2023. CT-RSA 2023. Lecture Notes in Computer Science, vol 13871. Springer, Cham. https://doi.org/10.1007/978-3-031-30872-7_4

  • DOI: https://doi.org/10.1007/978-3-031-30872-7_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-30871-0

  • Online ISBN: 978-3-031-30872-7
