Re: [Cfrg] I-D Action: draft-irtf-cfrg-vrf-06.txt

Jeff Burdges <> Wed, 26 February 2020 11:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 19C483A0832 for <>; Wed, 26 Feb 2020 03:31:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.954
X-Spam-Status: No, score=-0.954 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FILL_THIS_FORM_SHORT=0.001, KHOP_HELO_FCRDNS=0.276, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id S8yAqmyCLhUb for <>; Wed, 26 Feb 2020 03:31:43 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4DBFB3A082C for <>; Wed, 26 Feb 2020 03:31:42 -0800 (PST)
Received: from [] ( [IPv6:2001:4ca0:2001:42:225:90ff:fe6b:d60]) by (Postfix) with ESMTP id AA67C1C00D2; Wed, 26 Feb 2020 12:35:31 +0100 (CET)
From: Jeff Burdges <>
Message-Id: <>
Content-Type: multipart/signed; boundary="Apple-Mail=_707BB47E-53CD-437C-BEA2-A276F184DAC3"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Wed, 26 Feb 2020 12:31:32 +0100
In-Reply-To: <>
To: Manu Sporny <>
References: <> <> <>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-vrf-06.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 26 Feb 2020 11:31:46 -0000

Almost all proof-of-staake blockchain protocols require VRFs for various purposes, including driving random beacons, leading block production or BFT agreement processes, or selecting validation assignments in sharding situations.

Identity schemes come in many flavours, but they should be built on ring or group VRFs, or maybe similar constructions like linkable ring signatures, whenever they must (1) prevent Sibel attacks, and (2) be useable for a wide variety of purposes, and (3) do not trust some issuer with user privacy.

In essence, Sibel protections require some uniqueness per key holder, but being general purpose means that uniqueness must differ across domains to whom the key holder identifies themselves, so that unique amounts to a VRF output, and you need ring or group to hide what key generates it.

There are SNARK constructions that drop (3) and maybe avoid key pairs, making them not "VRF signatures” like described in this draft, but they still possess roughly the same sort of uniqueness, etc. definitions from section 3 of this craft.


> On 11 Feb 2020, at 22:50, Manu Sporny <> wrote:
> On 2/11/20 12:31 PM, Leonid Reyzin wrote:
>> This most recent update to the VRF draft consists of minor clarifications.
> Hi Leo, Sharon, Jan, and Dimitris,
> I've been following this work for years now and I still don't know why
> VRFs are useful. Every time you publish a new draft, I got out and scour
> the Web for an easily readable description of a use case that is solved
> by the use of a VRF and end up reading things like:
> "It is a pseudo-random function that provides publicly verifiable proofs
> of its outputs' correctness."
> "VRFs are useful for preventing enumeration of hash-based data structures."
> "VRFs ... useful for providing a 1:1 mapping of low entropy inputs (e.g.
> names, email addresses, phone numbers) to some random values which can
> be committed to in advance, e.g. through a timestamping service such as
> a transparency log."
> I say this as someone that spends quite a bit of time reading IETF
> cryptography specs and writing specifications that directly utilize
> IETF/CFRG cryptography specs (at IETF and W3C).
> Can you please add a few real world use cases where one would use a VRF?
> Are they useful for committing values on a public blockchain in a
> privacy preserving manner? If so, what sorts of values? Are they useful
> when voting? Are they useful for distributed gaming scenarios? Some
> concrete uses would be more helpful than the overly general text in the
> current spec.
> -- manu