Re: [Cfrg] draft-goldbe-vrf: Verifiable Random Functions

Sharon Goldberg <> Sun, 23 July 2017 05:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 20E52127B73 for <>; Sat, 22 Jul 2017 22:11:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zuxxYiHAQr1S for <>; Sat, 22 Jul 2017 22:11:21 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c0b::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6822E1201F2 for <>; Sat, 22 Jul 2017 22:11:21 -0700 (PDT)
Received: by with SMTP id v205so6783371itf.1 for <>; Sat, 22 Jul 2017 22:11:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=rduRgvu4H1BNBRfLEkk7f2Jz2cc0Q0PApjzVm4jfQiw=; b=jEOltisDFAarvGjAkF3/vQ9MgLuiEHsCs+Ip5O78EruEVG5bjosWb5+3zZUR0QFfHM JHZot05+HurHc+RpydA0k4xACKJVyW+FVI4oU8+U2SQ6dfyJ7GkOcu9EINoVmJHyaQT6 FcHdZhXp0FVi8XSmiNdDgE6ojrYocIH7Nar5Bce6xubPTDRRKS4cAppx619CiXI9kgjQ cXsNEy0FtQRP/z83zwXsx9nz5xkruMSoxMr3rxsFAJ4o3NggEiVnjdA559zpObkkrXNj LRs6CzKaRTLg1pcqUytss+ZrYfx4orJ7yBymcmIjB/smIZ8I7Gkm02TiPz/bxPtferJL c+2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=rduRgvu4H1BNBRfLEkk7f2Jz2cc0Q0PApjzVm4jfQiw=; b=DrrXIZE8LYy4Jv+7pyk7orzE4+lA0j3CcJHHnZFJY5+XLWImXknsE+8jnozeU4aMZ+ sk6sYk5mfuHrCUIaRV0VR3K8DowAyYDfetqJF817rSOJxCQMSjRQUAdkVuafgucgpIgw 4EDskV1deiDPAoD2PEBzRfre5aDAGS7WIwKu13T3TgppJTZrh5t578y5kKlvzPdW+ZrP sTQb59m8BMFOoT2VOFUQdjfi6zBwltSAsnigEGBiwoe92Al6eiVRKXJ9ZmYSNRQrkBQl ztLkFfQqIoKaHqrpFVzCYmwTS1PGLaQ8sxMGym7SsIU94joTc70/YCaXdxQ9TIsiYdL3 B8EA==
X-Gm-Message-State: AIVw113jAKdeTAZSpm1bEi+b9MljNoHXHeT8g30qpHCPRREzpQV2Q/eT Yolg/5x0Sa0J+X6rQP3oxCPQs+jfigBn
X-Received: by with SMTP id u62mr3572624itc.27.1500786680626; Sat, 22 Jul 2017 22:11:20 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Sat, 22 Jul 2017 22:10:40 -0700 (PDT)
In-Reply-To: <>
References: <> <> <>
From: Sharon Goldberg <>
Date: Sun, 23 Jul 2017 08:10:40 +0300
Message-ID: <>
To: Dan Brown <>
Cc: "" <>, "" <>, Leonid Reyzin <>, Dimitrios Papadopoulos <>
Content-Type: multipart/alternative; boundary="001a114ac81cfb80fa0554f520d4"
Archived-At: <>
Subject: Re: [Cfrg] draft-goldbe-vrf: Verifiable Random Functions
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 23 Jul 2017 05:11:24 -0000

Hi Dan,

Thank you for your comments. Indeed, VRFs have been around since 1999. They
are really "verifiable PRFs" but the name is by now standard in the crypto
literature, and changing it will cause more confusion than keeping it.

In terms of the VRF's security properties, there are three:  uniqueness,
collision resistance, and pseudorandomness. These are defined in our draft (

How VRFs prevent dictionary attacks: a public hash is subject to a
dictionary attack because, given the output, an adversary can evaluate the
hash on different inputs and see what hits the outputs. In a VRF, the
adversary can't evaluate the hash on different inputs.

You say it's not surprising that "random oracle model proof can prove the
output of a hash to be random". But actually, the output of a hash is NOT
random if the input and the hash function are known. This is because the
output of a hash is deterministic (every input maps to a unique output).
That's exactly what enables dictionary attacks. This is in contrast to a
VRF, where the output is (pseudo)random even given knowledge of the input.
Only once the VRF proof is given, does the VRF output stop looking random.
Note that random oracles are not essential for VRFs, and non-random-oracles
constructions exist (but are less efficient than what we propose to

As far as use cases, here are a few:

In the NSEC5 use case for DNSSEC, you have sensitive data (domain names)
and you sign consecutive pairs of hashes of domain names in order to be
able to prove absence of a name. If you just use standard hashing, whenever
signed hash values are disclosed, your sensitive data is subject to
dictionary attacks. VRFs solve that problem, and sensitive names don't have
to be disclosed at all. More details are in

In CONIKS (also Google Key Transparency, Signal secure messaging, Yahoo!
Coname) you also have some sensitive data (user names) that are put into a
Merkle-like authenticated data structure. If you just use standard hashing,
whenever hash values are disclosed, sensitive data is subject to dictionary
attacks. If you use VRFs, sensitive data again can be disclosed only on an
as-needed basis. More details are in

In a cryptocurrency use case, you wish perform a coin flip that is
deterministic and provably correct, but cannot be done by just anyone.
More details are in
u/nickolai/papers/gilad-algorand-eprint.pdf and possibly other
cryptocurrency papers.

Bryan Ford mentioned an additional usecase at the mic on Tuesday:
distributed password protection protocols

Many of these use case are already putting VRFs into production use (esp.
the CONIKS one).  You can see a list of the various implementations we have
found in the "implementation status" section of our draft.  One of the
reasons we think this spec is so important is that we found flaws in
several of the implementations that can be used to trivially break
uniqueness.  (See eg:


On Fri, Jul 21, 2017 at 7:32 PM, Dan Brown <> wrote:

> Answering myself below: VRFs have been around since 1999, so are not so
> new.  ‎Still don't like the name, and still have trouble seeing the value.
> *From: *Dan Brown
> *Sent: *Tuesday, July 18, 2017 2:29 PM
> *To: *Sharon Goldberg;
> *Cc: *; Leonid Reyzin; Dimitrios Papadopoulos
> *Subject: *Re: [Cfrg] draft-goldbe-vrf: Verifiable Random Functions
> Hi Sharon and CFRG,
> On VRFs, my uncertain comments to consider at your leisure:
> Is it fair to say VRFs are relatively new?  If so, then maybe a little
> more caution is needed about their use.  It seems a tad hasty that it is
> being used already.
> To me, it seems that VRFs are basically signatures, with an extra
> feature.  My concern is that this extra feature might get overused, before
> it is thoroughly reviewed.
> It is unsurprising to me that random oracle model proof can prove the
> output of a hash to be random.  My intuitive concern is that at least
> informally, this is kind of circular.  Hashes often have some
> non-random-ish properties that might affect the extra security (over
> signatures) that VRFs are aiming for.  I guess I would much prefer a proof
> saying if the hash has (well-studied) properties XYZ, then your
> construction are VRFs.  (Maybe you have this already?  If so, then tell me
> so.)
> Since, VRFs require sending the “proofs” on the wire, I find it hard to
> see how it could be used to prevent dictionary attacks.  I assume that you
> are saying the proofs must be encrypted when one needs to avoid dictionary
> models?  I suppose all the details are there in I-D and papers, but for
> now, I am confused about the threat model (which parties have keys, etc.,
> if they require a secure channel and mutual trust, why just use plain old
> hash,…). To resist dictionary attacks, were already have PAKEs and
> PBHashing.  Now this?
> Finally, on a bikeshed-coloring note, I object to the name “verifiable
> random function”, on several grounds.
>    1. It is not a function.  It is at least four functions, keygen, sign,
>    verify, and hashify.
>    2. If you make it into a keyed function F_sk(m), as in
>    prooftohash(sign_sk(m)), it is not verifiable.
>    3. Verification requires the intermediate proof, which is certainly
>    not even pseudorandom (it is easy to distinguish valid signatures from
>    random).
>    4. It is pseudorandom, not random.  (The keys are random, but many
>    crypto has keys, without having “random” in its name: encryption, MAC,
>    signatures, key exchange, …, they also don’t verifiable or random in their
>    names either.)
>    5. The similar phrase “verifiably random”, albeit as a misnomer, has
>    past precedents, see NIST P-256 and Brainpool, etc.  When I see VRF, I
>    think a function, that aims to VR in that sense, and great, now we can
>    improve on Brainpool, etc.
>    6. “Random function” should be reserved for the ideal random mapping
>    concept, for example, as studied by Flajolet-Odlyzko (ok they only studied
>    the case of equal size domain and range).  The random oracle model, is the
>    idea of approximating this ideal, etc.  An actual approximation should not
>    be name as the ideal (sorry, I’m kind of repeating my point 4).
> Please forgive the fact that my comments above are not very constructive
> (or if the tone is wrong).  This is a new topic for me, so I am reluctant
> too many suggestions.  Nonetheless, I suggest (0) waiting a little, (1) a
> non-random-oracle security proof (if you don’t have it yet), (2) re-naming
> the scheme to something like re-hashable (or digestible) signatures (and
> re-name the various parts, i.e. proof -> signature, etc.).
> Best regards,
> Dan
> *From:* Cfrg [] *On Behalf Of *Sharon Goldberg
> *Sent:* Wednesday, July 12, 2017 5:42 AM
> *To:*
> *Cc:*; Dimitrios Papadopoulos <>; Leonid
> Reyzin <>
> *Subject:* [Cfrg] draft-goldbe-vrf: Verifiable Random Functions
> Dear CFRG,
> I'm presenting at next week's meeting on Verifiable Random Functions. A
> VRF is the public-key version of keyed cryptographic hash. Only the holder
> of the VRF secret key can compute the hash, but anyone with the public key
> can verify it.  VRFs can be used to prevent dictionary attacks on
> hash-based data structures, and have applications to key transparency
> (CONIKS), DNSSEC (NSEC5), and cryptocurrencies (Algorand).
> In advance of the meeting, please see:
> 1) Our substantially updated -01 draft:
> 2) Our project page, with links to various VRF implementations:
> Comments welcome.  Thanks,
> Sharon
> --
> Sharon Goldberg
> Computer Science, Boston University

Sharon Goldberg
Computer Science, Boston University