CFRG S. Goldberg
Internet-Draft L. Reyzin
Intended status: Standards Track Boston University
Expires: December 30, 2018 D. Papadopoulos
Hong Kong University of Science and Techology
J. Vcelak
NS1
June 28, 2018
Verifiable Random Functions (VRFs)
draft-irtf-cfrg-vrf-02
Abstract
A Verifiable Random Function (VRF) is the public-key version of a
keyed cryptographic hash. Only the holder of the private key can
compute the hash, but anyone with public key can verify the
correctness of the hash. VRFs are useful for preventing enumeration
of hash-based data structures. This document specifies several VRF
constructions that are secure in the cryptographic random oracle
model. One VRF uses RSA and the other VRF uses Eliptic Curves (EC).
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 30, 2018.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
Goldberg, et al. Expires December 30, 2018 [Page 1]
Internet-Draft VRF June 2018
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Rationale . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Requirements . . . . . . . . . . . . . . . . . . . . . . 3
1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. VRF Algorithms . . . . . . . . . . . . . . . . . . . . . . . 4
3. VRF Security Properties . . . . . . . . . . . . . . . . . . . 4
3.1. Full Uniqueness or Trusted Uniqueness . . . . . . . . . . 5
3.2. Full Collison Resistance or Trusted Collision Resistance 5
3.3. Full Pseudorandomness or Selective Pseudorandomness . . . 5
3.4. An additional pseudorandomness property . . . . . . . . . 6
4. RSA Full Domain Hash VRF (RSA-FDH-VRF) . . . . . . . . . . . 7
4.1. RSA-FDH-VRF Proving . . . . . . . . . . . . . . . . . . . 8
4.2. RSA-FDH-VRF Proof To Hash . . . . . . . . . . . . . . . . 8
4.3. RSA-FDH-VRF Verifying . . . . . . . . . . . . . . . . . . 9
5. Elliptic Curve VRF (ECVRF) . . . . . . . . . . . . . . . . . 9
5.1. ECVRF Proving . . . . . . . . . . . . . . . . . . . . . . 11
5.2. ECVRF Proof To Hash . . . . . . . . . . . . . . . . . . . 12
5.3. ECVRF Verifying . . . . . . . . . . . . . . . . . . . . . 13
5.4. ECVRF Auxiliary Functions . . . . . . . . . . . . . . . . 13
5.4.1. ECVRF Hash To Curve . . . . . . . . . . . . . . . . . 13
5.4.2. ECVRF Hash Points . . . . . . . . . . . . . . . . . . 17
5.4.3. ECVRF Decode Proof . . . . . . . . . . . . . . . . . 17
5.5. ECVRF Ciphersuites . . . . . . . . . . . . . . . . . . . 18
5.6. When the ECVRF Keys are Untrusted . . . . . . . . . . . . 19
5.6.1. ECVRF Validate Key . . . . . . . . . . . . . . . . . 20
6. Implementation Status . . . . . . . . . . . . . . . . . . . . 20
7. Security Considerations . . . . . . . . . . . . . . . . . . . 21
7.1. Key Generation . . . . . . . . . . . . . . . . . . . . . 21
7.1.1. Uniqueness and collision resistance with untrusted
keys . . . . . . . . . . . . . . . . . . . . . . . . 21
7.1.2. Pseudorandomness with untrusted keys . . . . . . . . 22
7.2. Selective vs Full Pseudorandomness . . . . . . . . . . . 22
7.3. Proper pseudorandom nonce for ECVRF . . . . . . . . . . . 22
7.4. Timing attacks . . . . . . . . . . . . . . . . . . . . . 23
7.5. Proofs Provide No Secrecy for VRF Input . . . . . . . . . 23
7.6. Prehashing . . . . . . . . . . . . . . . . . . . . . . . 23
7.7. Hash function domain separation and future-proofing . . . 24
8. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 24
9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 25
Goldberg, et al. Expires December 30, 2018 [Page 2]
Internet-Draft VRF June 2018
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 25
10.1. Normative References . . . . . . . . . . . . . . . . . . 25
10.2. Informative References . . . . . . . . . . . . . . . . . 26
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27
1. Introduction
1.1. Rationale
A Verifiable Random Function (VRF) [MRV99] is the public-key version
of a keyed cryptographic hash. Only the holder of the private VRF
key can compute the hash, but anyone with corresponding public key
can verify the correctness of the hash.
A key application of the VRF is to provide privacy against offline
enumeration (e.g. dictionary attacks) on data stored in a hash-based
data structure. In this application, a Prover holds the VRF private
key and uses the VRF hashing to construct a hash-based data structure
on the input data. Due to the nature of the VRF, only the Prover can
answer queries about whether or not some data is stored in the data
structure. Anyone who knows the public VRF key can verify that the
Prover has answered the queries correctly. However no offline
inferences (i.e. inferences without querying the Prover) can be made
about the data stored in the data strucuture.
1.2. Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
1.3. Terminology
The following terminology is used through this document:
SK: The private key for the VRF.
PK: The public key for the VRF.
alpha: The input to be hashed by the VRF.
beta: The VRF hash output.
pi: The VRF proof.
Prover: The Prover holds the private VRF key SK and public VRF key
PK.
Goldberg, et al. Expires December 30, 2018 [Page 3]
Internet-Draft VRF June 2018
Verifier: The Verifier holds the public VRF key PK.
2. VRF Algorithms
A VRF comes with a key generation algorithm that generates a public
VRF key PK and private VRF key SK.
The prover hashes an input alpha using the private VRF key SK to
obtain a VRF hash output beta
beta = VRF_hash(SK, alpha)
The VRF_hash algorithm is deterministic, in the sense that it always
produces the same output beta given a pair of inputs (SK, alpha).
The prover also uses the private key SK to construct a proof pi that
beta is the correct hash output
pi = VRF_prove(SK, alpha)
The VRFs defined in this document allow anyone to deterministically
obtain the VRF hash output beta directly from the proof value pi as
beta = VRF_proof2hash(pi)
Notice that this means that
VRF_hash(SK, alpha) = VRF_proof2hash(VRF_prove(SK, alpha))
and thus this document will specify VRF_prove and VRF_proof2hash
rather than VRF_hash.
The proof pi allows a Verifier holding the public key PK to verify
that beta is the correct VRF hash of input alpha under key PK. Thus,
the VRF also comes with an algorithm
VRF_verify(PK, alpha, pi)
that outputs VALID if beta=VRF_proof2hash(pi) is the correct VRF hash
of alpha under key PK, and outputs INVALID otherwise.
3. VRF Security Properties
VRFs are designed to ensure the following security properties.
Goldberg, et al. Expires December 30, 2018 [Page 4]
Internet-Draft VRF June 2018
3.1. Full Uniqueness or Trusted Uniqueness
Uniqueness means that, for any fixed public VRF key and for any input
alpha, there is a unique VRF output beta that can be proved to be
valid. Uniqueness must hold even for an adversarial Prover that
knows the VRF private key SK.
More percisely, "full uniqueness" states that a computationally-
bounded adversary cannot choose a VRF public key PK, a VRF input
alpha, two different VRF hash outputs beta1 and beta2, and two proofs
pi1 and pi2 such that VRF_verify(PK, alpha, pi1) and VRF_verify(PK,
alpha, pi2) both output VALID.
A slightly weaker security property called "trusted uniquness"
sufficies for many applications. Trusted uniqueness is the same as
full uniqueness, but it must hold only if the VRF keys PK and SK were
generated in a trustworthy manner. In other words, uniqueness might
not hold if keys were generated in an invalid manner or with bad
randomness.
3.2. Full Collison Resistance or Trusted Collision Resistance
Like any cryprographic hash function, VRFs need to be collision
resistant. Collison resistance must hold even for an adversarial
Prover that knows the VRF private key SK.
More percisely, "full collision resistance" states that it should be
computationally infeasible for an adversary to find two distinct VRF
inputs alpha1 and alpha2 that have the same VRF hash beta, even if
that adversary knows the private VRF key SK.
For most applications, a slightly weaker security property called
"trusted collision resistance" suffices. Trusted collision
resistance is the same as collision resistance, but it holds only if
PK and SK were generated in a trustworthy manner.
3.3. Full Pseudorandomness or Selective Pseudorandomness
Pseudorandomness ensures that when an adversarial Verifier sees a VRF
hash output beta without its corresponding VRF proof pi, then beta is
indistinguishable from a random value.
More percisely, suppose the public and private VRF keys (PK, SK) were
generated in a trustworthy manner. Pseudorandomness ensures that the
VRF hash output beta (without its corresponding VRF proof pi) on any
adversarially-chosen "target" VRF input alpha looks indistinguishable
from random for any computationally bounded adversary who does not
know the private VRF key SK. This holds even if the adversary also
Goldberg, et al. Expires December 30, 2018 [Page 5]
Internet-Draft VRF June 2018
gets to choose other VRF inputs alpha' and observe their
corresponding VRF hash outputs beta' and proofs pi'.
With "full pseudorandomness", the adversary is allowed to choose the
"target" VRF input alpha at any time, even after it observes VRF
outputs beta' and proofs pi' on a variety of chosen inputs alpha'.
"Selective pseudorandomness" is a weaker security property which
suffices in many applications. Here, the adversary must choose the
target VRF input alpha independently of the public VRF key PK, and
before it observes VRF outputs beta' and proofs pi' on inputs alpha'
of its choice.
It is important to remember that the VRF output beta does not look
random to the Prover, or to any other party that knows the private
VRF key SK! Such a party can easily distinguish beta from a random
value by comparing beta to the result of VRF_hash(SK, alpha).
Also, the VRF output beta does not look random to any party that
knows valid VRF proof pi corresponding to the VRF input alpha, even
if this party does not know the private VRF key SK. Such a party can
easily distinguish beta from a random value by checking whether
VRF_verify(PK, alpha, pi) returns "VALID" and beta =
VRF_proof2hash(pi).
Also, the VRF output beta may not look random if VRF key generation
was not done in a trustworthy fashion. (For example, if VRF keys
were generated with bad randomness.)
3.4. An additional pseudorandomness property
[TODO: This property is not needed for applications that use VRFs to
prevent enumeration of hash-based data structures. However, we
noticed that some other applications of VRF (e.g. Algorand,
Oroborus) rely on this property. We are waiting on a formal
definition of this property in the literature, and a proof that our
ECVRF scheme can satisfy this property. Preliminary analysis
suggests that acheiving this property requires ECVRF verifiers to run
an VRF_validate_key() key function upon receipt of VRF public keys
and the proof2hash function to be modified to take in (gamma, beta,
pk) rather than just gamma.]
Pseudorandomness, as defined in Section 3.3, does not hold if the VRF
keys were generated adversarially.
There is, however, a different type of pseudorandomness that could
hold even if the VRF keys are generated adversarially, as long as the
VRF input alpha is unpredictable. This property is similar to the
Goldberg, et al. Expires December 30, 2018 [Page 6]
Internet-Draft VRF June 2018
pseudorandomness achieved by an (ordinary, unkeyed) cryptographic
hash function.
[TODO: Formal definition here.]
4. RSA Full Domain Hash VRF (RSA-FDH-VRF)
The RSA Full Domain Hash VRF (RSA-FDH-VRF) is a VRF that satisfies
the "trusted uniqueness", "trusted collision resistance", and "full
pseudorandomness" properties defined in Section 3. Its security
follows from the standard RSA assumption in the random oracle model.
Formal security proofs are in [nsec5ecc].
The VRF computes the proof pi as a deterministic RSA signature on
input alpha using the RSA Full Domain Hash Algorithm [RFC8017]
parametrized with the selected hash algorithm. RSA signature
verification is used to verify the correctness of the proof. The VRF
hash output beta is simply obtained by hashing the proof pi with the
selected hash algorithm.
The key pair for RSA-FDH-VRF MUST be generated in a way that it
satisfies the conditions specified in Section 3 of [RFC8017].
In this document, the notation from [RFC8017] is used.
Parameters used:
(n, e) - RSA public key
K - RSA private key
k - length in octets of the RSA modulus n
Fixed options:
Hash - cryptographic hash function
hLen - output length in octets of hash function Hash
Constraints on options:
Cryptographic security of Hash is at least as high as the
cryptographic security level of the RSA key.
Primitives used:
I2OSP - Coversion of a nonnegative integer to an octet string as
defined in Section 4.1 of [RFC8017]
Goldberg, et al. Expires December 30, 2018 [Page 7]
Internet-Draft VRF June 2018
OS2IP - Coversion of an octet string to a nonnegative integer as
defined in Section 4.2 of [RFC8017]
RSASP1 - RSA signature primitive as defined in Section 5.2.1 of
[RFC8017]
RSAVP1 - RSA verification primitive as defined in Section 5.2.2 of
[RFC8017]
MGF1 - Mask Generation Function based on a hash function as
defined in Section B.2.1 of [RFC8017]
4.1. RSA-FDH-VRF Proving
RSAFDHVRF_prove(K, alpha)
Input:
K - RSA private key
alpha - VRF hash input, an octet string
Output:
pi - proof, an octet string of length k
Steps:
1. EM = MGF1(alpha, k - 1)
2. m = OS2IP(EM)
3. s = RSASP1(K, m)
4. pi = I2OSP(s, k)
5. Output pi
4.2. RSA-FDH-VRF Proof To Hash
RSAFDHVRF_proof2hash(pi)
Input:
pi - proof, an octet string of length k
Output:
Goldberg, et al. Expires December 30, 2018 [Page 8]
Internet-Draft VRF June 2018
beta - VRF hash output, an octet string of length hLen
Steps:
1. beta = Hash(pi)
2. Output beta
4.3. RSA-FDH-VRF Verifying
RSAFDHVRF_verify((n, e), alpha, pi)
Input:
(n, e) - RSA public key
alpha - VRF hash input, an octet string
pi - proof to be verified, an octet string of length n
Output:
"VALID" or "INVALID"
Steps:
1. s = OS2IP(pi)
2. m = RSAVP1((n, e), s)
3. EM = I2OSP(m, k - 1)
4. EM' = MGF1(alpha, k - 1)
5. If EM and EM' are equal, output "VALID"; else output "INVALID".
5. Elliptic Curve VRF (ECVRF)
The Elliptic Curve Verifiable Random Function (ECVRF) is a VRF that
satisfies the trusted uniqueness, trusted collision resistance, and
full pseudorandomness properties defined in Section 3. The security
of this VRF follows from the decisional Diffie-Hellman (DDH)
assumption in the random oracle model. Formal security proofs are in
[nsec5ecc].
To additionally satisfy "full uniqueness" and "full collision
resistance", the Verifier MUST additionally perform the validation
Goldberg, et al. Expires December 30, 2018 [Page 9]
Internet-Draft VRF June 2018
procedure specified in Section 5.6 upon receipt of the public VRF
key.
Fixed options (specified in Section 5.5):
F - finite field
2n - length, in octets, of a field element in F; must be even
E - elliptic curve (EC) defined over F
m - length, in octets, of an EC point encoded as an octet string
G - subgroup of E of large prime order
q - prime order of group G; must be less than 2^{2n}
cofactor - number of points on E divided by q
g - generator of group G
Hash - cryptographic hash function
hLen - output length in octets of Hash; must be at least 2n
suite - a single nonzero octet specifying the ECVRF ciphersuite,
which determines the above options
Notation and primitives used:
p^k - When p is an EC point: point multiplication, i.e. k
repetitions of the EC group operation applied to the EC point p.
When p is an integer: exponentiation
|| - octet string concatenation
I2OSP - nonnegative integer conversion to octet string as defined
in Section 4.1 of [RFC8017]
OS2IP - Coversion of an octet string to a nonnegative integer as
defined in Section 4.2 of [RFC8017]
EC2OSP - conversion of EC point to an m-octet string as specified
in Section 5.5
OS2ECP - conversion of an m-octet string to EC point as specified
in Section 5.5. OS2ECP returns INVALID if the octet string does
not convert to a valid EC point.
Goldberg, et al. Expires December 30, 2018 [Page 10]
Internet-Draft VRF June 2018
RS2ECP - conversion of a random 2n-octet string to an EC point as
specified in Section 5.5
ECVRF_hash_to_curve - collision resistant hash of strings to an EC
point; options described in Section 5.4.1 and specified in
Section 5.5.
ECVRF_nonce_generation - derives a pseudorandom nonce from SK and
the input as part of ECVRF proving. Specified in Section 5.5
ECVRF_hash_points - collision resistant hash of EC points to an
n-octet string. Specified in Section 5.4.2.
Parameters used (the generation of these parameters is specified in
Section 5.5):
SK - VRF private key
x - VRF secret scalar, an integer
Note: depending on the ciphersuite used, the VRF secret scalar
may be equal to SK; else, it is derived from SK
y = g^x - VRF public key, an EC point
5.1. ECVRF Proving
Note: this function must have the VRF private key SK as input. Below
we make it more efficient by supplying it also with the secret scalar
x and the public key y as additional inputs; however, each of these
can be computed from SK if desired.
ECVRF_prove(y, x, alpha)
Input:
SK - VRF private key
x - VRF secret scalar
y = g^x - VRF public key
Output:
pi - VRF proof, octet string of length m+3n
Steps:
Goldberg, et al. Expires December 30, 2018 [Page 11]
Internet-Draft VRF June 2018
1. h = ECVRF_hash_to_curve(suite, y, alpha)
2. h1 = EC2OSP(h)
3. gamma = h^x
4. k = ECVRF_nonce_generation(SK, h1)
5. c = ECVRF_hash_points(h, gamma, g^k, h^k)
6. s = (k + c*x) mod q (where * denotes integer multiplication)
7. pi = EC2OSP(gamma) || I2OSP(c, n) || I2OSP(s, 2n)
8. Output pi
5.2. ECVRF Proof To Hash
ECVRF_proof2hash(pi)
Input:
pi - VRF proof, octet string of length m+3n
Output:
"INVALID", or
beta - VRF hash output, octet string of length 2n
Steps:
1. D = ECVRF_decode_proof(pi)
2. If D is "INVALID", output "INVALID" and stop
3. (gamma, c, s) = D
4. three = 0x03 = I2OSP(3, 1), a single octet with value 3
5. preBeta = Hash(suite || three || EC2OSP(gamma^cofactor))
6. beta = first 2n octets of preBeta
7. Output beta
Goldberg, et al. Expires December 30, 2018 [Page 12]
Internet-Draft VRF June 2018
5.3. ECVRF Verifying
ECVRF_verify(y, pi, alpha)
Input:
y - public key, an EC point
pi - VRF proof, octet string of length 5n+1
alpha - VRF input, octet string
Output:
"VALID" or "INVALID"
Steps:
1. D = ECVRF_decode_proof(pi)
2. If D is "INVALID", output "INVALID" and stop
3. (gamma, c, s) = D
4. u = g^s / y^c (where / denotes EC point subtraction, i.e. the
group operation applied to g^s and the inverse of y^c)
5. h = ECVRF_hash_to_curve(suite, y, alpha)
6. v = h^s / gamma^c (where / again denotes EC point subtraction)
7. c' = ECVRF_hash_points(h, gamma, u, v)
8. If c and c' are equal, output "VALID"; else output "INVALID"
5.4. ECVRF Auxiliary Functions
5.4.1. ECVRF Hash To Curve
The ECVRF_hash_to_curve algorithm takes in the VRF input alpha and
converts it to h, an EC point in G. This algorithm is the only place
alpha is used in the proving and verfying. See Section 7.6 for
further discussion.
The algorithms in this section are not compatible with each other;
the choice of algorithm is made in Section 5.5.
Goldberg, et al. Expires December 30, 2018 [Page 13]
Internet-Draft VRF June 2018
5.4.1.1. ECVRF_hash_to_curve_try_and_increment
The following ECVRF_hash_to_curve_try_and_increment(suite, y, alpha)
algorithm implements ECVRF_hash_to_curve in a simple and generic way
that works for any elliptic curve.
The running time of this algorithm depends on alpha. For the
ciphersuites specified in Section 5.5, this algorithm is expected to
find a valid curve point after approximately two attempts (i.e., when
ctr=1) on average. See also [Icart09].
However, because the running time of algorithm depends on alpha, this
algorithm SHOULD be avoided in applications where it is important
that the VRF input alpha remain secret.
ECVRF_hash_to_try_and_increment(suite, y, alpha)
Input:
suite - a single octet specifying ECVRF ciphersuite.
y - public key, an EC point
alpha - value to be hashed, an octet string
Output:
h - hashed value, a finite EC point in G
Steps:
1. ctr = 0
2. pk = EC2OSP(y)
3. one = 0x01 = I2OSP(1, 1), a single octet with value 1
4. h = "INVALID"
5. While h is "INVALID" or h is EC point at infinity:
A. CTR = I2OSP(ctr, 4)
B. ctr = ctr + 1
C. hash = Hash(suite || one || pk || alpha || CTR)
D. attempted_hash = first 2n bits of hash
Goldberg, et al. Expires December 30, 2018 [Page 14]
Internet-Draft VRF June 2018
E. h = RS2ECP(attempted_hash)
F. If h is not "INVALID" and cofactor > 1, set h = h^cofactor
6. Output h
5.4.1.2. ECVRF_hash_to_curve_elligator2_25519
The following ECVRF__hash_to_curve_elligator2_25519(suite, y, alpha)
algorithm implements ECVRF_hash_to_curve using the elligator2
algorithm exclusively for Curve25519.
ECVRF_hash_to_curve_elligator2_25519(y, alpha)
Input:
alpha - value to be hashed, an octet string
y - public key, an EC point
suite = a single octet specifying ECVRF ciphersuite.
Output:
h - hashed value, a finite EC point in G per the encoding in
RFC8032 Section 5.1.2 [RFC8032]
Fixed options:
p = 2^255-19, the size of the finite field F, a prime, for
Curve25519
A = 486662, Montgomery curve constant for Curve25519
cofactor = 8 , the cofactor for Curve25519
* denotes integer multiplication
Constraints on options:
output length of Hash is at least 16n + 1 bits (i.e. greater than
2n octets)
Steps:
1. pk = EC2OSP(y)
2. one = 0x01 = I2OSP(1, 1), a single octet with value 1
Goldberg, et al. Expires December 30, 2018 [Page 15]
Internet-Draft VRF June 2018
3. hash = Hash(suite || one || pk || alpha )
4. r = first 2n octets of hash
5. x_0 = next unused bit of hash
6. u = - A / (1 + 2*(r^2) ) mod p
7. v = u * (u^2 + A*u + 1) mod p
8. Let e equal the Legendre symbol of v modulo p
9. If e is equal to 1 then finalu = u; else finalu = (-A - u) mod p
10. y = (finalu - 1) / (finalu + 1) mod p
11. let h = (x_0,y), an EC point per the encoding in Section 5.1.2
of [RFC8032]
12. h = h^cofactor
In order to make this algorithm run in time that is (almost)
independent of the input (so-called "constant-time"), implementers
should pay particular attention to Steps 7 and 8 above. These steps
can be implemented using the following approach:
e = v ^ ((p-1)/2) mod p
finalu = (e*u + (e-1) * (A/2)) mod p
The first step will produce a value e that is either 1 or p-1. The
second step is so fast compared to the first that that its dependence
on e is likely to not matter; implementers can also ensure that it
runs in the same amount of time regardless of e.
If having this algorithm run in constant time is not important, then
there are much faster algorithms to compute the Legendre symbol
(which is the same as the Jacobi symbol because p is a prime). See,
for example, Section 12.3 of [ntb].
5.4.1.3. ECVRF_hash_to_curve_other?
[TODO: In addition to Elligator, it would be nice to have a generic
ECVRF_hash_to_curve algorithm that runs in constant time and provides
a generic way to hash an octet string onto any elliptic curve. There
is an an upcoming draft that deals with this [SW18]. Some other
useful algorithms include [Icart09], and Shallue-Woestijne-Ulas
algorithm from [BCIMRT10].]
Goldberg, et al. Expires December 30, 2018 [Page 16]
Internet-Draft VRF June 2018
5.4.2. ECVRF Hash Points
ECVRF_hash_points(p_1, p_2, ..., p_j)
Input:
p_i - EC point in G
Output:
c - hash value, integer between 0 and 2^(8n)-1
Steps:
1. two = 0x02 = I2OSP(2, 1), a single octet with value 2
2. Initialize str = suite || two
3. for p_i in [p_1, p_2, ... p_j]:
str = str || EC2OSP(p_i)
4. c1 = Hash(str)
5. c2 = first n octets of c1
6. c = OS2IP(c2)
7. Output c
5.4.3. ECVRF Decode Proof
ECVRF_decode_proof(pi)
Input:
pi - VRF proof, octet string (m+3n octets)
Output:
"INVALID", or
gamma - EC point
c - integer between 0 and 2^(8n)-1
s - integer between 0 and 2^(16n)-1
Steps:
Goldberg, et al. Expires December 30, 2018 [Page 17]
Internet-Draft VRF June 2018
1. let gamma', c', s' be pi split after m-th and m+n-th octet
2. gamma = OS2ECP(gamma')
3. if gamma = "INVALID" output "INVALID" and stop.
4. c = OS2IP(c')
5. s = OS2IP(s')
6. Output gamma, c, and s
5.5. ECVRF Ciphersuites
This document defines ECVRF-P256-SHA256 as follows:
o suite = 0x01 = I2OSP(1, 1).
o The EC group G is the NIST-P256 elliptic curve, with curve
parameters as specified in [FIPS-186-3] (Section D.1.2.3) and
[RFC5114] (Section 2.6). For this group, 2n = 32 and cofactor =
1.
o The key pair generation primitive is specified in Section 3.2.1 of
[SECG1] (q, g, SK, and PK in this document correspond to in n, G,
d, and Q in Section 3.2.1 of [SECG1]). In this ciphersuite, the
secret scalar x is equal to the private key SK.
o The ECVRF_nonce_generation function is as specified in [RFC6979]
Section 3.2 Steps b-h (omitting Step a and using h1 that is
provided as input to ECVRF_nonce_generation), with the hash
function SHA-256 as specified in [RFC6234]
o EC2OSP is specified in Section 2.3.3 of [SECG1] with point
compression on. This implies m = 2n + 1 = 33.
o OS2ECP is specified in Section 2.3.4 of [SECG1].
o RS2ECP(h) = OS2ECP(0x02 || h) (where 0x02 is a single octet with
value 2, 0x02=I2OSP(2, 1)). The input h is a 32-octet string and
the output is either an EC point or "INVALID".
o The hash function Hash is SHA-256 as specified in [RFC6234].
o The ECVRF_hash_to_curve function is as specified in
Section 5.4.1.1.
This document defines ECVRF-ED25519-SHA512 as follows:
Goldberg, et al. Expires December 30, 2018 [Page 18]
Internet-Draft VRF June 2018
o suite = 0x02 = I2OSP(2, 1).
o The EC group G is the Ed25519 elliptic curve with parameters
defined in Table 1 of [RFC8032]. For this group, 2n = 32 and
cofactor = 8.
o The private key and generation of the secret scalar and the public
key are specified in Section 5.1.5 of [RFC8032]
o The ECVRF_nonce_generation function is as specified in [RFC8032]
Section 5.1.6 Steps 1-2, with dom2(F, C) equal to the empty string
and PH(M) equal to h1.
o EC2OSP is specified in Section 5.1.2 of [RFC8032]. This implies m
= 2n = 32.
o OS2ECP is specified in Section 5.1.3 of [RFC8032].
o RS2ECP is equivalent to OS2ECP.
o The hash function Hash is SHA-512 as specified in [RFC6234].
o The ECVRF_hash_to_curve function is as specified in
Section 5.4.1.1.
This document defines ECVRF-ED25519-SHA512-Elligator2 as follows:
o This ciphersuite is identical to ECVRF-ED25519-SHA512 except that
the ECVRF_hash_to_curve function is as specified in
Section 5.4.1.2 and suite = 0x03 = I2OSP(3, 1).
5.6. When the ECVRF Keys are Untrusted
The ECVRF as specified above is a VRF that satisfies the "trusted
uniqueness", "trusted collision resistance", and "full
pseudorandomness" properties defined in Section 3. In order to
obtain "full uniqueness" and "full collision resistance" (which
provide protection against a malicious VRF public key), the Verifier
MUST perform the following additional validation procedure upon
receipt of the public VRF key. The public VRF key MUST NOT be used
if this procedure returns "INVALID".
Note that this procedure is not sufficient if the elliptic curve E or
the point g, the generator of group G, is untrusted. If the prover
is untrusted, the Verifier MUST obtain E and g from a trusted source,
such as a ciphersuite specification, rather than from the prover.
Goldberg, et al. Expires December 30, 2018 [Page 19]
Internet-Draft VRF June 2018
This procedure supposes that the public key provided to the Verifier
is an octet string. The procedure returns "INVALID" if the public
key in invalid. Otherwise, it returns y, the public key as an EC
point.
5.6.1. ECVRF Validate Key
ECVRF_validate_key(PK)
Input:
PK - public key, an octet string
Output:
"INVALID", or
y - public key, an EC point
Steps:
1. y = OS2ECP(PK)
2. If y is "INVALID", output "INVALID" and stop
3. If y^cofactor is the EC point at infinty, output "INVALID" and
stop
4. Output y
6. Implementation Status
An implementation of the RSA-FDH-VRF (SHA-256) and ECVRF-P256-SHA256
was first developed as a part of the NSEC5 project [I-D.vcelak-nsec5]
and is available at . The
ECVRF implementation may be out of date as this spec has evolved.
The Key Transparency project at Google uses a VRF implemention that
is similar to the ECVRF-P256-SHA256, with a few minor changes
including the use of SHA-512 instead of SHA-256. Its implementation
is available
An implementation by Yahoo! similar to the ECVRF is available at
.
Goldberg, et al. Expires December 30, 2018 [Page 20]
Internet-Draft VRF June 2018
An implementation similar to ECVRF is available as part of the CONIKS
implementation in Golang at .
Open Whisper Systems also uses a VRF very similar to ECVRF-
ED25519-SHA512-Elligator, called VXEdDSA, and specified here:
7. Security Considerations
7.1. Key Generation
Applications that use the VRFs defined in this document MUST ensure
that that the VRF key is generated correctly, using good randomness.
7.1.1. Uniqueness and collision resistance with untrusted keys
The ECVRF as specified in Section 5.1-Section 5.5 statisfies the
"trusted uniqueness" and "trusted collision resistance" properties as
long as the VRF keys are generated correctly, with good randomness.
If the Verifier trusts the VRF keys are generated correctly, it MAY
use the public key y as is.
However, if the ECVRF uses keys that could be generated
adversarially, then the the Verfier MUST first perform the validation
procedure ECVRF_validate_key(PK) (specified in Section 5.6) upon
receipt of the public key PK as an octet string. If the validation
procedure outputs "INVALID", then the public key MUST not be used.
Otherwise, the procedure will output a valid public key y, and the
ECVRF with public key y satisfies the "full uniqueness" and "full
collision resistance" properties.
The RSA-FDH-VRF statisfies the "trusted uniqueness" and "trusted
collision resistance" properties as long as the VRF keys are
generated correctly, with good randomness. These properties may not
hold if the keys are generated adversarially (e.g., if RSA is not
permutation). Meanwhile, the "full uniqueness" and "full collision
resistance" are properties that hold even if VRF keys are generated
by an adversary. The RSA-FDH-VRF defined in this document does not
have these properties. However, if adversarial key generation is a
concern, the RSA-FDH-VRF may be modifed to have these properties by
adding additional cryptographic checks that its public key has the
right form. These modifications are left for future specification.
Goldberg, et al. Expires December 30, 2018 [Page 21]
Internet-Draft VRF June 2018
7.1.2. Pseudorandomness with untrusted keys
Without good randomness, the "pseudorandomness" properties of the VRF
may not hold. Note that it is not possible to guarantee
pseudorandomness in the face of adversarially generated VRF keys.
This is because an adversary can always use bad randomness to
generate the VRF keys, and thus, the VRF output may not be
pseudorandom.
7.2. Selective vs Full Pseudorandomness
[nsec5ecc] presents cryptographic reductions to an underlying hard
problem (e.g. Decisional Diffie Hellman for the ECVRF, or the
standard RSA assumption for RSA-FDH-VRF) that prove the VRFs
specificied in this document possess full pseudorandomness as well as
selective pseudorandomness. However, the cryptographic reductions
are tighter for selective pseudorandomness than for full
pseudorandomness. This means the the VRFs have quantitavely stronger
security guarentees for selective pseudorandomness.
Applications that are concerned about tightness of cryptographic
reductions therefore have two options.
o They may choose to ensure that selective pseudorandomness is
sufficient for the application. That is, that pseudorandomness of
outputs matters only for inputs that are chosen independently of
the VRF key.
o If full pseudorandomness is required for the application, the
application may increase security parameters to make up for the
loose security reduction. For RSA-FDH-VRF, this means increasing
the RSA key length. For ECVRF, this means increasing the
cryptographic strength of the EC group G. For both RSA-FDH-VRF
and ECVRF the cryptographic strength of the hash function Hash may
also potentially need to be increased.
7.3. Proper pseudorandom nonce for ECVRF
The security of the ECVRF defined in this document relies on the fact
that nonce k used in the ECVRF_prove algorithm is chosen uniformly
and pseudorandomly modulo q, and is unknown to the advesrary.
Otherwise, an adversary may be able to recover the private VRF key x
(and thus break pseudorandomness of the VRF) after observing several
valid VRF proofs pi. The nonce generation methods specified in the
ECVRF ciphersuites of Section 5.5 are designed with this requirement
in mind.
Goldberg, et al. Expires December 30, 2018 [Page 22]
Internet-Draft VRF June 2018
7.4. Timing attacks
The ECVRF_hash_to_curve_try_and_increment algorithm defined in
Section 5.4.1.1 SHOULD NOT be used in applications where the VRF
input alpha is secret and is hashed by the VRF on-the-fly. This is
because the algorithm's running time depends on the VRF input alpha,
and thus creates a timing channel that can be used to learn
information about alpha. That said, for most inputs the amount of
information obtained from such a timing attack is likely to be small
(1 bit, on average), since the algorithm is expected to find a valid
curve point after only two attempts. However, there might be inputs
which cause the algorithm to make many attempts before it finds a
valid curve point; for such inputs, the information leaked in a
timing attack will be more than 1 bit.
Meanwhile, ECVRF-ED25519-SHA512-Elligator2 runs in constant time if
the implementation of the ECVRF_hash_to_curve function specified in
Section 5.4.1.2 also runs in constant time.
7.5. Proofs Provide No Secrecy for VRF Input
The VRF proof pi is not designed to provide secrecy and, in general,
may reveal the VRF input alpha. Anyone who knows PK and pi is able
to perform an offline dictionary attack to search for alpha, by
verifying guesses for alpha using VRF_verify. This is in contrast to
the VRF hash output beta which, without the proof, is pseudorandom
and thus is designed to reveal no information about alpha.
7.6. Prehashing
The VRFs specified in this document allow for read-once access to the
input alpha for both signing and verifying. Thus, additional
prehashing of alpha (as specified, for example, in [RFC8032] for
EdDSA signatures) is not needed, even for applications that need to
handle long alpha or to support the Initialized-Update-Finalize (IUF)
interface (in such an interface, alpha is not supplied all at once,
but rather in pieces by a sequence of calls to Update). The ECVRF,
in particular, uses alpha only in ECVRF_hash_to_curve. The curve
point h becomes the representative of alpha thereafter. Note that
the suite octet and the public key are hashed together with alpha in
ECVRF_hash_to_curve, which ensures that the curve (including the
generator g) and the public key are included indirectly into
subsequent hashes.
Goldberg, et al. Expires December 30, 2018 [Page 23]
Internet-Draft VRF June 2018
7.7. Hash function domain separation and future-proofing
Hashing is used for four different purposes in ECVRF (namely, in
hash_to_curve, nonce_generation, hash_points, and proof2hash). The
theoretical analysis assumes each of these four functions is a
separate random oracle. This analysis still holds even if the same
hash function is used, as long as the four queries made to the hash
function for a given SK and alpha are overwhelmingly unlikely to
equal each other or to any queries made to the hash function for the
same SK and different alpha. This is indeed the case for the ECVRF
ciphersuites defined in this document, because:
o inputs to the hash function used during nonce_generation are
unlikely to equal to inputs given to hash_to_curve, proof2hash,
and hash_points. This follows since nonce_generation inputs a
secret to the hash function that is not used by honest parties as
input to any other hash function, and is not available to the
adversary
o the second octet of the input to the hash function used in
hash_to_curve, proof2hash, and hash_points are all different
If future designs need to specify variants (e.g., additional
ciphersuites) of the design in this document, then, to avoid the
possibility that an adversary can obtain a VRF output under one
variant, and then claim it was obtained under another variant, they
should specify a different suite constant. This way, the inputs to
the hash_to_curve hash function used in producing h are guaranteed to
be different; since all the other hashing done by the prover depends
on h, inputs all the hash functions used by the prover will also be
different as long as hash_to_curve is collision resistant.
8. Change Log
Note to RFC Editor: if this document does not obsolete an existing
RFC, please remove this appendix before publication as an RFC.
00 - Forked this document from draft-goldbe-vrf-01.
01 - Minor updates, mostly highlighting TODO items.
02 - Added specification of elligator2 for Curve25519, along with
ciphersuites for ECVRF-ED25519-SHA512-Elligator. Changed ECVRF-
ED25519-SHA256 suite to ECVRF-ED25519-SHA512. (This change made
because Ed25519 in [RFC8032] signatures use SHA512 and not
SHA256.) Made ECVRF nonce generation a separate component, so
that nonces are determinsitic. In ECVRF proving, changed + to -
(and made corresponding verification changes) in order to be
Goldberg, et al. Expires December 30, 2018 [Page 24]
Internet-Draft VRF June 2018
consistent with EdDSA and ECDSA. Highlighted that
ECVRF_hash_to_curve acts like a prehash. Added "suites" variable
to ECVRF for future-proofing. Ensured domain separation for hash
functions by modifying hash_points and added discussion about
domain separation. Updated todos in the "additional
pseudorandomness property" section. Added an discussion of
secrecy into security considerations. Removed g and PK=y from
ECVRF_hash_points because they are already present via h, which is
computed via hash_to_curve using the suite (which identifies g)
and y.
9. Contributors
This document also would not be possible without the work of Moni
Naor (Weizmann Institute), Sachin Vasant (Cisco Systems), and Asaf
Ziv (Facebook). Shumon Huque (Salesforce), David C. Lawerence
(Akamai), and Trevor Perrin provided valuable input to this draft.
10. References
10.1. Normative References
[FIPS-186-3]
National Institute for Standards and Technology, "Digital
Signature Standard (DSS)", FIPS PUB 186-3, June 2009.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
.
[RFC5114] Lepinski, M. and S. Kent, "Additional Diffie-Hellman
Groups for Use with IETF Standards", RFC 5114,
DOI 10.17487/RFC5114, January 2008,
.
[RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234,
DOI 10.17487/RFC6234, May 2011,
.
[RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature
Algorithm (DSA) and Elliptic Curve Digital Signature
Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August
2013, .
Goldberg, et al. Expires December 30, 2018 [Page 25]
Internet-Draft VRF June 2018
[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
"PKCS #1: RSA Cryptography Specifications Version 2.2",
RFC 8017, DOI 10.17487/RFC8017, November 2016,
.
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
Signature Algorithm (EdDSA)", RFC 8032,
DOI 10.17487/RFC8032, January 2017,
.
[SECG1] Standards for Efficient Cryptography Group (SECG), "SEC 1:
Elliptic Curve Cryptography", Version 2.0, May 2009,
.
10.2. Informative References
[BCIMRT10]
Brier, E., Coron, J., Icart, T., Madore, D., Randriam, H.,
and M. Tibouchi, "Efficient Indifferentiable Hashing into
Ordinary Elliptic Curves", in CRYPTO, 2010.
[I-D.vcelak-nsec5]
Vcelak, J., Goldberg, S., Papadopoulos, D., Huque, S., and
D. Lawrence, "NSEC5, DNSSEC Authenticated Denial of
Existence", draft-vcelak-nsec5-07 (work in progress), June
2018.
[Icart09] Icart, T., "How to Hash into Elliptic Curves", in CRYPTO,
2009.
[MRV99] Michali, S., Rabin, M., and S. Vadhan, "Verifiable Random
Functions", in FOCS, 1999.
[nsec5ecc]
Papadopoulos, D., Wessels, D., Huque, S., Vcelak, J.,
Naor, M., Reyzin, L., and S. Goldberg, "Making NSEC5
Practical for DNSSEC", in ePrint Cryptology Archive
2017/099, February 2017,
.
[ntb] Shoup, V., "A Computational Introduction to Number Theory
and Algebra", 2008, .
[SW18] Sullivan, E. and C. Wood, "Hashing to Elliptic Curves",
2018.
Goldberg, et al. Expires December 30, 2018 [Page 26]
Internet-Draft VRF June 2018
Authors' Addresses
Sharon Goldberg
Boston University
111 Cummington St, MCS135
Boston, MA 02215
USA
EMail: goldbe@cs.bu.edu
Leonid Reyzin
Boston University
111 Cummington St, MCS135
Boston, MA 02215
USA
EMail: reyzin@bu.edu
Dimitrios Papadopoulos
Hong Kong University of Science and Techology
Clearwater Bay
Hong Kong
EMail: dipapado@cse.ust.hkbu.edu
Jan Vcelak
NS1
16 Beaver St
New York, NY 10004
USA
EMail: jvcelak@ns1.com
Goldberg, et al. Expires December 30, 2018 [Page 27]