[Cfrg] new draft specifying VRFs (verifiable random functions)

Sharon Goldberg <sharon.goldbe@gmail.com> Mon, 13 March 2017 14:27 UTC

Several of us have been working on a draft specification for Verifiable Random
Functions (VRFs). A VRF is the public-key version of a keyed cryptographic
hash function. Only the holder of the private VRF key can compute the
hash, but anyone with the corresponding public key can verify the
correctness of the hash. This draft has one VRF based on RSA, and another
based on elliptic curves.

 https://datatracker.ietf.org/doc/draft-goldbe-vrf/

Our team is using a VRF to prevent zone enumeration with NSEC5 for DNSSEC
[1,2]. The Google Key Transparency project is using a similar VRF to
prevent key enumeration [3,4]. Open Whisper Systems has also specified a
similar VRF [5]. We think VRFs will be useful for other applications as
well, so we think it would be helpful to have a standard way to implement
them.

We've requested an agenda slot at SAAG to talk about VRFs.  The chairs have
requested that we send out a note to CFRG ahead of time, so here it is.
Hope to chat in person at IETF and/or on this list.

Thanks,

Sharon
(with Dimitris Papadopoulos, Jan Vcelak, Leonid Reyzin, Shumon Huque, David
C Lawrence)

[1] https://datatracker.ietf.org/doc/draft-vcelak-nsec5/
[2] https://gitlab.labs.nic.cz/knot/nsec5-crypto
[3] https://security.googleblog.com/2017/01/security-through-transparency.html
[4] https://github.com/google/keytransparency/blob/master/core/vrf/vrf.go
[5] https://whispersystems.org/docs/specifications/xeddsa/

---
Sharon Goldberg
Associate Professor, Computer Science, Boston University
Sloan Research Fellow
http://www.cs.bu.edu/~goldbe
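
The prove/verify split described in the message, shown as an added example that is not part of the original post or the draft's reference code: a simplified RSA full-domain-hash VRF in which only the private exponent can produce the proof, while the public key suffices to check it and derive the hash. The key is a constructed toy key built from two Mersenne primes, and the function names and byte encodings are assumptions made for illustration.

```python
import hashlib

# Constructed toy key (two Mersenne primes); far too weak and structured for real use.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 with SHA-256: expand seed to `length` bytes."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def hash_to_domain(alpha: bytes) -> int:
    """Full-domain hash: K-1 bytes, so the result is always below N."""
    return int.from_bytes(mgf1(alpha, K - 1), "big")


def vrf_prove(alpha: bytes) -> bytes:
    """Private-key operation: deterministic proof pi for input alpha."""
    return pow(hash_to_domain(alpha), D, N).to_bytes(K, "big")


def vrf_proof_to_hash(pi: bytes) -> bytes:
    """The VRF hash output is a hash of the proof."""
    return hashlib.sha256(pi).digest()


def vrf_verify(alpha: bytes, pi: bytes):
    """Public-key operation: return the VRF hash if pi is valid, else None."""
    if len(pi) != K:
        return None
    s = int.from_bytes(pi, "big")
    if s >= N or pow(s, E, N) != hash_to_domain(alpha):
        return None
    return vrf_proof_to_hash(pi)


if __name__ == "__main__":
    name = b"www.example.com"          # constructed sample input
    proof = vrf_prove(name)
    print("hash:", vrf_verify(name, proof).hex())
    print("wrong input accepted:", vrf_verify(b"mail.example.com", proof) is not None)
```

Because RSA with a fixed key is a permutation, each input has exactly one valid proof, which is what makes the resulting hash unique and checkable by anyone holding the public key.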