Re: [Cfrg] new draft specifying VRFs (verifiable random functions)

Tony Arcieri <bascule@gmail.com> Tue, 14 March 2017 21:15 UTC

Return-Path: <bascule@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92222129B40 for <cfrg@ietfa.amsl.com>; Tue, 14 Mar 2017 14:15:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.099
X-Spam-Level:
X-Spam-Status: No, score=-0.099 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OWBcoEtRfIBj for <cfrg@ietfa.amsl.com>; Tue, 14 Mar 2017 14:15:57 -0700 (PDT)
Received: from mail-pg0-x22f.google.com (mail-pg0-x22f.google.com [IPv6:2607:f8b0:400e:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42E42129B46 for <cfrg@irtf.org>; Tue, 14 Mar 2017 14:15:57 -0700 (PDT)
Received: by mail-pg0-x22f.google.com with SMTP id g2so78724936pge.3 for <cfrg@irtf.org>; Tue, 14 Mar 2017 14:15:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=jKlnEDCXGVCUfDHKSDFMs9bdHQaI1ywBtC8vqXfIGDg=; b=GlNEp4GqT8JWedja8f8iUxWzMuY1V3qgoez3KOcSI480OC5TYmH0dfKb3kHGVRYlRY WAvYh/3eH+plHibPNN5Zj/zBAmcMa8U5ynCbFkyiBKdPTQEfeOEXJ4qy3BHnwfNwFTAh nWcr18IbDdiH0UG+MMir5hsbEK/zNCk3MCfiRZo4FDWXMayQUZi7job5bwzdhxKzyWSY pbyl1MbhrrZjEYMW0xyR9dT+xcqdt06A87w2qCseTtHOnKrzrI6kpRl0bUiWysq/Rgjm J9Muu5HBnghDJLrda97/L990l/bqBAd/KgrVfNdL4407XIUtGS12qBvh0rSlv2CJjK/Q IXyQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=jKlnEDCXGVCUfDHKSDFMs9bdHQaI1ywBtC8vqXfIGDg=; b=OqLsENuLDqOWcwgx/XKv5nyIOfafXb/4AQAygUKOSSrQXRH5jwhtpCKAVJOvja78Ts UeqS0x3rKXeAcaAv6fAMQHZvxkabA0mvP3qpvFqUsg+4MCg4gurmLKtiQax9fqRonDqn KzKZuvjOK/+hbPgbYolA9ijWLtXSgm7tfQOBZdvypIFMR09FRjeqA/6gCNyqnwPWlW+c 9KrxaEsTXzwmuBHY/Tj7bu2niQXzNxCNI2Zgo/HJMsddmnV4+XcLdlmNTbcXqDoKnHF+ 27ohBEpzp4FQHNyVqTilQei7kEh1XMhu359Fhvp/hR2V2+e+ERd/QE5IozhkNXXNyUTh Yl3Q==
X-Gm-Message-State: AMke39m7Q2eBCnN++X8IEIjVb1KVEaT/EGcl9BgcohxeNbLmEjGbwqglhfyy1AFOpyeLrbxFXxWNECIkRYdhKQ==
X-Received: by 10.84.129.195 with SMTP id b61mr58497343plb.83.1489526156785; Tue, 14 Mar 2017 14:15:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.178.234 with HTTP; Tue, 14 Mar 2017 14:15:36 -0700 (PDT)
In-Reply-To: <CAL02cgR1eL=hQu-vQdAbS=-tyGXxatSZD6zJpPpk+w9UoRJS-w@mail.gmail.com>
References: <CAJHGrrRqchHCvTOBmqgshQ5sxZQ-Moy7ai-Vnoe-R6prJkSRAA@mail.gmail.com> <CAL02cgR1eL=hQu-vQdAbS=-tyGXxatSZD6zJpPpk+w9UoRJS-w@mail.gmail.com>
From: Tony Arcieri <bascule@gmail.com>
Date: Tue, 14 Mar 2017 14:15:36 -0700
Message-ID: <CAHOTMVKy3pmZqwoXZ524njsFwXP-y=FLVd+xTCugrbCNy8M8Qw@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: Sharon Goldberg <sharon.goldbe@gmail.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="94eb2c144968757cd6054ab75514"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/VAU2MnJyPwwZB2Fllqv5jTk67Zs>
Subject: Re: [Cfrg] new draft specifying VRFs (verifiable random functions)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Mar 2017 21:15:58 -0000

On Tue, Mar 14, 2017 at 2:11 PM, Richard Barnes <rlb@ipv.sx> wrote:

> Thanks for writing this up.  One quick, probably trivial question: How do
> these VRFs differ from signature schemes?  From the API point of view, they
> seem very similar, if you view the proof as the signature value.
>

They are similar, however VRFs are not malleable in the same way as
signatures (VRFs guarantee a unique mapping of input to random output), and
specifically designed so the proof can be delivered separately from the
output (so the output can e.g. be recorded in a Merkle tree for
timestamping/transparency purposes). The latter prevents low-entropy inputs
from being preimaged, even if the public key and output are known to the
attacker (but not the proof).

-- 
Tony Arcieri