idnits 2.17.1 draft-irtf-cfrg-vrf-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: However, if the ECVRF uses keys that could be generated adversarially, then the the Verfier MUST first perform the validation procedure ECVRF_validate_key(PK) (specified in Section 5.6) upon receipt of the public key PK as an octet string. If the validation procedure outputs "INVALID", then the public key MUST not be used. Otherwise, the procedure will output a valid public key Y, and the ECVRF with public key Y satisfies the "full uniqueness" and "full collision resistance" properties. -- The document date (August 11, 2019) is 1713 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '0' on line 1284 -- Looks like a reference, but probably isn't: '31' on line 1254 -- Looks like a reference, but probably isn't: '32' on line 1011 -- Looks like a reference, but probably isn't: '63' on line 1011 -- Looks like a reference, but probably isn't: '1' on line 1284 -- Looks like a reference, but probably isn't: '2' on line 1279 -- Looks like a reference, but probably isn't: '3' on line 1279 -- Looks like a reference, but probably isn't: '4' on line 1282 -- Looks like a reference, but probably isn't: '5' on line 1283 -- Looks like a reference, but probably isn't: '6' on line 1283 -- Possible downref: Non-RFC (?) normative reference: ref. 'FIPS-186-4' ** Downref: Normative reference to an Informational RFC: RFC 5114 ** Downref: Normative reference to an Informational RFC: RFC 6234 ** Downref: Normative reference to an Informational RFC: RFC 6979 ** Downref: Normative reference to an Informational RFC: RFC 8017 ** Downref: Normative reference to an Informational RFC: RFC 8032 -- Possible downref: Non-RFC (?) normative reference: ref. 'SECG1' == Outdated reference: A later version (-16) exists of draft-irtf-cfrg-hash-to-curve-01 Summary: 6 errors (**), 0 flaws (~~), 3 warnings (==), 13 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 CFRG S. Goldberg 3 Internet-Draft L. Reyzin 4 Intended status: Standards Track Boston University 5 Expires: February 12, 2020 D. Papadopoulos 6 Hong Kong University of Science and Techology 7 J. Vcelak 8 NS1 9 August 11, 2019 11 Verifiable Random Functions (VRFs) 12 draft-irtf-cfrg-vrf-05 14 Abstract 16 A Verifiable Random Function (VRF) is the public-key version of a 17 keyed cryptographic hash. Only the holder of the private key can 18 compute the hash, but anyone with public key can verify the 19 correctness of the hash. VRFs are useful for preventing enumeration 20 of hash-based data structures. This document specifies several VRF 21 constructions that are secure in the cryptographic random oracle 22 model. One VRF uses RSA and the other VRF uses Eliptic Curves (EC). 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at https://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on February 12, 2020. 41 Copyright Notice 43 Copyright (c) 2019 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (https://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 59 1.1. Rationale . . . . . . . . . . . . . . . . . . . . . . . . 3 60 1.2. Requirements . . . . . . . . . . . . . . . . . . . . . . 3 61 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 62 2. VRF Algorithms . . . . . . . . . . . . . . . . . . . . . . . 4 63 3. VRF Security Properties . . . . . . . . . . . . . . . . . . . 5 64 3.1. Full Uniqueness or Trusted Uniqueness . . . . . . . . . . 5 65 3.2. Full Collison Resistance or Trusted Collision Resistance 5 66 3.3. Full Pseudorandomness or Selective Pseudorandomness . . . 5 67 3.4. A random-oracle-like unpredictability property . . . . . 6 68 4. RSA Full Domain Hash VRF (RSA-FDH-VRF) . . . . . . . . . . . 7 69 4.1. RSA-FDH-VRF Proving . . . . . . . . . . . . . . . . . . . 8 70 4.2. RSA-FDH-VRF Proof To Hash . . . . . . . . . . . . . . . . 8 71 4.3. RSA-FDH-VRF Verifying . . . . . . . . . . . . . . . . . . 9 72 5. Elliptic Curve VRF (ECVRF) . . . . . . . . . . . . . . . . . 10 73 5.1. ECVRF Proving . . . . . . . . . . . . . . . . . . . . . . 12 74 5.2. ECVRF Proof To Hash . . . . . . . . . . . . . . . . . . . 13 75 5.3. ECVRF Verifying . . . . . . . . . . . . . . . . . . . . . 13 76 5.4. ECVRF Auxiliary Functions . . . . . . . . . . . . . . . . 14 77 5.4.1. ECVRF Hash To Curve . . . . . . . . . . . . . . . . . 14 78 5.4.2. ECVRF Nonce Generation . . . . . . . . . . . . . . . 21 79 5.4.3. ECVRF Hash Points . . . . . . . . . . . . . . . . . . 22 80 5.4.4. ECVRF Decode Proof . . . . . . . . . . . . . . . . . 23 81 5.5. ECVRF Ciphersuites . . . . . . . . . . . . . . . . . . . 23 82 5.6. When the ECVRF Keys are Untrusted . . . . . . . . . . . . 26 83 5.6.1. ECVRF Validate Key . . . . . . . . . . . . . . . . . 26 84 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 28 85 7. Security Considerations . . . . . . . . . . . . . . . . . . . 29 86 7.1. Key Generation . . . . . . . . . . . . . . . . . . . . . 29 87 7.1.1. Uniqueness and collision resistance with untrusted 88 keys . . . . . . . . . . . . . . . . . . . . . . . . 29 89 7.1.2. Pseudorandomness with untrusted keys . . . . . . . . 29 90 7.2. Selective vs Full Pseudorandomness . . . . . . . . . . . 30 91 7.3. Proper pseudorandom nonce for ECVRF . . . . . . . . . . . 30 92 7.4. Side-channel attacks . . . . . . . . . . . . . . . . . . 30 93 7.5. Proofs Provide No Secrecy for VRF Input . . . . . . . . . 31 94 7.6. Prehashing . . . . . . . . . . . . . . . . . . . . . . . 31 95 7.7. Hash function domain separation and future-proofing . . . 31 96 8. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 32 97 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 33 98 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 99 10.1. Normative References . . . . . . . . . . . . . . . . . . 34 100 10.2. Informative References . . . . . . . . . . . . . . . . . 35 101 Appendix A. Test Vectors for the ECVRFs . . . . . . . . . . . . 37 102 A.1. ECVRF-P256-SHA256-TAI . . . . . . . . . . . . . . . . . . 37 103 A.2. ECVRF-P256-SHA256-SWU . . . . . . . . . . . . . . . . . . 38 104 A.3. ECVRF-EDWARDS25519-SHA512-TAI . . . . . . . . . . . . . . 40 105 A.4. ECVRF-EDWARDS25519-SHA512-Elligator2 . . . . . . . . . . 41 106 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 43 108 1. Introduction 110 1.1. Rationale 112 A Verifiable Random Function (VRF) [MRV99] is the public-key version 113 of a keyed cryptographic hash. Only the holder of the private VRF 114 key can compute the hash, but anyone with corresponding public key 115 can verify the correctness of the hash. 117 A key application of the VRF is to provide privacy against offline 118 enumeration (e.g. dictionary attacks) on data stored in a hash-based 119 data structure. In this application, a Prover holds the VRF private 120 key and uses the VRF hashing to construct a hash-based data structure 121 on the input data. Due to the nature of the VRF, only the Prover can 122 answer queries about whether or not some data is stored in the data 123 structure. Anyone who knows the public VRF key can verify that the 124 Prover has answered the queries correctly. However no offline 125 inferences (i.e. inferences without querying the Prover) can be made 126 about the data stored in the data strucuture. 128 1.2. Requirements 130 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 131 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 132 document are to be interpreted as described in [RFC2119]. 134 1.3. Terminology 136 The following terminology is used through this document: 138 SK: The private key for the VRF. 140 PK: The public key for the VRF. 142 alpha or alpha_string: The input to be hashed by the VRF. 144 beta or beta_string: The VRF hash output. 146 pi or pi_string: The VRF proof. 148 Prover: The Prover holds the private VRF key SK and public VRF key 149 PK. 151 Verifier: The Verifier holds the public VRF key PK. 153 2. VRF Algorithms 155 A VRF comes with a key generation algorithm that generates a public 156 VRF key PK and private VRF key SK. 158 The prover hashes an input alpha using the private VRF key SK to 159 obtain a VRF hash output beta 161 beta = VRF_hash(SK, alpha) 163 The VRF_hash algorithm is deterministic, in the sense that it always 164 produces the same output beta given a pair of inputs (SK, alpha). 165 The prover also uses the private key SK to construct a proof pi that 166 beta is the correct hash output 168 pi = VRF_prove(SK, alpha) 170 The VRFs defined in this document allow anyone to deterministically 171 obtain the VRF hash output beta directly from the proof value pi as 173 beta = VRF_proof_to_hash(pi) 175 Notice that this means that 177 VRF_hash(SK, alpha) = VRF_proof_to_hash(VRF_prove(SK, alpha)) 179 and thus this document will specify VRF_prove and VRF_proof_to_hash 180 rather than VRF_hash. 182 The proof pi allows a Verifier holding the public key PK to verify 183 that beta is the correct VRF hash of input alpha under key PK. Thus, 184 the VRF also comes with an algorithm 186 VRF_verify(PK, alpha, pi) 188 that outputs (VALID, beta = VRF_proof_to_hash(pi)) if pi is valid, 189 and INVALID otherwise. 191 3. VRF Security Properties 193 VRFs are designed to ensure the following security properties. 195 3.1. Full Uniqueness or Trusted Uniqueness 197 Uniqueness means that, for any fixed public VRF key and for any input 198 alpha, there is a unique VRF output beta that can be proved to be 199 valid. Uniqueness must hold even for an adversarial Prover that 200 knows the VRF private key SK. 202 More precisely, "full uniqueness" states that a computationally- 203 bounded adversary cannot choose a VRF public key PK, a VRF input 204 alpha, and two proofs pi1 and pi2 such that VRF_verify(PK, alpha, 205 pi1) outputs (VALID, beta1), VRF_verify(PK, alpha, pi2) outputs 206 (VALID, beta2), and beta1 is not equal to beta2. 208 A slightly weaker security property called "trusted uniqueness" 209 sufficies for many applications. Trusted uniqueness is the same as 210 full uniqueness, but it must hold only if the VRF keys PK and SK were 211 generated in a trustworthy manner. In other words, uniqueness might 212 not hold if keys were generated in an invalid manner or with bad 213 randomness. 215 3.2. Full Collison Resistance or Trusted Collision Resistance 217 Like any cryprographic hash function, VRFs need to be collision 218 resistant. Collison resistance must hold even for an adversarial 219 Prover that knows the VRF private key SK. 221 More precisely, "full collision resistance" states that it should be 222 computationally infeasible for an adversary to find two distinct VRF 223 inputs alpha1 and alpha2 that have the same VRF hash beta, even if 224 that adversary knows the private VRF key SK. 226 For most applications, a slightly weaker security property called 227 "trusted collision resistance" suffices. Trusted collision 228 resistance is the same as collision resistance, but it holds only if 229 PK and SK were generated in a trustworthy manner. 231 3.3. Full Pseudorandomness or Selective Pseudorandomness 233 Pseudorandomness ensures that when an adversarial Verifier sees a VRF 234 hash output beta without its corresponding VRF proof pi, then beta is 235 indistinguishable from a random value. 237 More precisely, suppose the public and private VRF keys (PK, SK) were 238 generated in a trustworthy manner. Pseudorandomness ensures that the 239 VRF hash output beta (without its corresponding VRF proof pi) on any 240 adversarially-chosen "target" VRF input alpha looks indistinguishable 241 from random for any computationally bounded adversary who does not 242 know the private VRF key SK. This holds even if the adversary also 243 gets to choose other VRF inputs alpha' and observe their 244 corresponding VRF hash outputs beta' and proofs pi'. 246 With "full pseudorandomness", the adversary is allowed to choose the 247 "target" VRF input alpha at any time, even after it observes VRF 248 outputs beta' and proofs pi' on a variety of chosen inputs alpha'. 250 "Selective pseudorandomness" is a weaker security property which 251 suffices in many applications. Here, the adversary must choose the 252 target VRF input alpha independently of the public VRF key PK, and 253 before it observes VRF outputs beta' and proofs pi' on inputs alpha' 254 of its choice. 256 It is important to remember that the VRF output beta does not look 257 random to the Prover, or to any other party that knows the private 258 VRF key SK! Such a party can easily distinguish beta from a random 259 value by comparing beta to the result of VRF_hash(SK, alpha). 261 Also, the VRF output beta does not look random to any party that 262 knows valid VRF proof pi corresponding to the VRF input alpha, even 263 if this party does not know the private VRF key SK. Such a party can 264 easily distinguish beta from a random value by checking whether 265 VRF_verify(PK, alpha, pi) returns (VALID, beta). 267 Also, the VRF output beta may not look random if VRF key generation 268 was not done in a trustworthy fashion. (For example, if VRF keys 269 were generated with bad randomness.) 271 3.4. A random-oracle-like unpredictability property 273 Pseudorandomness, as defined in Section 3.3, does not hold if the VRF 274 keys were generated adversarially. For instance, if an adversary 275 outputs VRF keys that are deterministically generated (or hard-coded 276 and publicly known), then the outputs are easily derived by anyone. 278 There is, however, a different type of unpredictability that is 279 desirable in certain VRF applications (such as [GHMVZ17] and 280 [KRDO17]). This property is similar to the unpredictability achieved 281 by an (ordinary, unkeyed) cryptographic hash function: if the input 282 has enough entropy (i.e., cannot be predicted), then the correct 283 output is indistinguishable from uniform. 285 Although neither formal definitions nor proofs of this property have 286 appeared in cryptographic literature, the VRF schemes presented in 287 this specification are believed to satisfy this property if the 288 public key was generated in a trustworthy manner. Additionally, the 289 ECVRF also satisifies this property even if the public key was not 290 generated in a trustworthy manner, as long as the public key 291 satisfies the key validation procedure in Section 5.6. 293 4. RSA Full Domain Hash VRF (RSA-FDH-VRF) 295 The RSA Full Domain Hash VRF (RSA-FDH-VRF) is a VRF that satisfies 296 the "trusted uniqueness", "trusted collision resistance", and "full 297 pseudorandomness" properties defined in Section 3. Its security 298 follows from the standard RSA assumption in the random oracle model. 299 Formal security proofs are in [PWHVNRG17]. 301 The VRF computes the proof pi as a deterministic RSA signature on 302 input alpha using the RSA Full Domain Hash Algorithm [RFC8017] 303 parametrized with the selected hash algorithm. RSA signature 304 verification is used to verify the correctness of the proof. The VRF 305 hash output beta is simply obtained by hashing the proof pi with the 306 selected hash algorithm. 308 The key pair for RSA-FDH-VRF MUST be generated in a way that it 309 satisfies the conditions specified in Section 3 of [RFC8017]. 311 In this document, the notation from [RFC8017] is used. 313 Parameters used: 315 (n, e) - RSA public key 317 K - RSA private key 319 k - length in octets of the RSA modulus n (k must be less than 320 2^32) 322 Fixed options: 324 Hash - cryptographic hash function 326 hLen - output length in octets of hash function Hash 328 Primitives used: 330 I2OSP - Conversion of a nonnegative integer to an octet string as 331 defined in Section 4.1 of [RFC8017] 333 OS2IP - Conversion of an octet string to a nonnegative integer as 334 defined in Section 4.2 of [RFC8017] 335 RSASP1 - RSA signature primitive as defined in Section 5.2.1 of 336 [RFC8017] 338 RSAVP1 - RSA verification primitive as defined in Section 5.2.2 of 339 [RFC8017] 341 MGF1 - Mask Generation Function based on the hash function Hash as 342 defined in Section B.2.1 of [RFC8017] 344 || - octet string concatenation 346 4.1. RSA-FDH-VRF Proving 348 RSAFDHVRF_prove(K, alpha_string) 350 Input: 352 K - RSA private key 354 alpha_string - VRF hash input, an octet string 356 Output: 358 pi_string - proof, an octet string of length k 360 Steps: 362 1. one_string = 0x01 = I2OSP(1, 1), a single octet with value 1 364 2. EM = MGF1(one_string || I2OSP(k, 4) || I2OSP(n, k) || 365 alpha_string, k - 1) 367 3. m = OS2IP(EM) 369 4. s = RSASP1(K, m) 371 5. pi_string = I2OSP(s, k) 373 6. Output pi_string 375 4.2. RSA-FDH-VRF Proof To Hash 377 RSAFDHVRF_proof_to_hash(pi_string) 379 Input: 381 pi_string - proof, an octet string of length k 383 Output: 385 beta_string - VRF hash output, an octet string of length hLen 387 Important note: 389 RSAFDHVRF_proof_to_hash should be run only on pi_string that is 390 known to have been produced by RSAFDHVRF_prove, or from within 391 RSAFDHVRF_verify as specified in Section 4.3. 393 Steps: 395 1. two_string = 0x02 = I2OSP(2, 1), a single octet with value 2 397 2. beta_string = Hash(two_string || pi_string) 399 3. Output beta_string 401 4.3. RSA-FDH-VRF Verifying 403 RSAFDHVRF_verify((n, e), alpha_string, pi_string) 405 Input: 407 (n, e) - RSA public key 409 alpha_string - VRF hash input, an octet string 411 pi_string - proof to be verified, an octet string of length n 413 Output: 415 ("VALID", beta_string), where beta_string is the VRF hash output, 416 an octet string of length hLen; or 417 "INVALID" 419 Steps: 421 1. s = OS2IP(pi_string) 423 2. m = RSAVP1((n, e), s) 425 3. EM = I2OSP(m, k - 1) 427 4. one_string = 0x01 = I2OSP(1, 1), a single octet with value 1 429 5. EM' = MGF1(one_string || I2OSP(k, 4) || I2OSP(n, k) || 430 alpha_string, k - 1) 432 6. If EM and EM' are equal, output ("VALID", 433 RSAFDHVRF_proof_to_hash(pi_string)); else output "INVALID". 435 5. Elliptic Curve VRF (ECVRF) 437 The Elliptic Curve Verifiable Random Function (ECVRF) is a VRF that 438 satisfies the trusted uniqueness, trusted collision resistance, and 439 full pseudorandomness properties defined in Section 3. The security 440 of this VRF follows from the decisional Diffie-Hellman (DDH) 441 assumption in the random oracle model. Formal security proofs are in 442 [PWHVNRG17]. 444 To additionally satisfy "full uniqueness" and "full collision 445 resistance", the Verifier MUST additionally perform the validation 446 procedure specified in Section 5.6 upon receipt of the public VRF 447 key. 449 Fixed options (specified in Section 5.5): 451 F - finite field 453 2n - length, in octets, of a field element in F, rounded up to the 454 nearest even integer 456 E - elliptic curve (EC) defined over F 458 ptLen - length, in octets, of an EC point encoded as an octet 459 string 461 G - subgroup of E of large prime order 463 q - prime order of group G 465 qLen - length of q in octets, i.e., smallest integer such that 466 2^(8qLen)>q (note that in the typical case, qLen equals 2n or is 467 close to 2n) 469 cofactor - number of points on E divided by q 471 B - generator of group G 473 Hash - cryptographic hash function 475 hLen - output length in octets of Hash; must be at least 2n 477 suite_string - a single nonzero octet specifying the ECVRF 478 ciphersuite, which determines the above options 480 Notation and primitives used: 482 Elliptic curve operations are written in additive notation, with 483 P+Q denoting point addition and x*P denoting scalar multiplication 484 of a point P by a scalar x 486 x^y - a raised to the power b 488 x*y - a multiplied by b 490 || - octet string concatenation 492 ECVRF_hash_to_curve - collision resistant hash of strings to an EC 493 point; options described in Section 5.4.1 and specified in 494 Section 5.5. 496 ECVRF_nonce_generation - derives a pseudorandom nonce from SK and 497 the input as part of ECVRF proving. Specified in Section 5.5 499 ECVRF_hash_points - collision resistant hash of EC points to an 500 integer. Specified in Section 5.4.3. 502 Type conversions: 504 int_to_string(a, len) - conversion of nonnegative integer a to to 505 octet string of length len as specified in Section 5.5. 507 string_to_int(a_string) - conversion of an octet string a_string 508 to a nonnegative integer as specified in Section 5.5. 510 point_to_string - conversion of EC point to an ptLen-octet string 511 as specified in Section 5.5 513 string_to_point - conversion of an ptLen-octet string to EC point 514 as specified in Section 5.5. string_to_point returns INVALID if 515 the octet string does not convert to a valid EC point. 517 arbitrary_string_to_point - conversion of an arbitrary octet 518 string to an EC point as specified in Section 5.5 520 Note that with certain software libraries (for big integer and 521 elliptic curve arithmetic), the int_to_string and point_to_string 522 conversions are not needed. For example, in some implementations, 523 EC point operations will take octet strings as inputs and produce 524 octet strings as outputs, without introducing a separate elliptic 525 curve point type. 527 Parameters used (the generation of these parameters is specified in 528 Section 5.5): 530 SK - VRF private key 532 x - VRF secret scalar, an integer 534 Note: depending on the ciphersuite used, the VRF secret scalar 535 may be equal to SK; else, it is derived from SK 537 Y = x*B - VRF public key, an EC point 539 5.1. ECVRF Proving 541 ECVRF_prove(SK, alpha_string) 543 Input: 545 SK - VRF private key 547 alpha_string = input alpha, an octet string 549 Output: 551 pi_string - VRF proof, octet string of length ptLen+n+qLen 553 Steps: 555 1. Use SK to derive the VRF secret scalar x and the VRF public key Y 556 = x*B 557 (this derivation depends on the ciphersuite, as per Section 5.5; 558 these values can be cached, for example, after key generation, 559 and need not be rederived each time) 561 2. H = ECVRF_hash_to_curve(suite_string, Y, alpha_string) 563 3. h_string = point_to_string(H) 565 4. Gamma = x*H 567 5. k = ECVRF_nonce_generation(SK, h_string) 569 6. c = ECVRF_hash_points(H, Gamma, k*B, k*H) 571 7. s = (k + c*x) mod q 573 8. pi_string = point_to_string(Gamma) || int_to_string(c, n) || 574 int_to_string(s, qLen) 576 9. Output pi_string 578 5.2. ECVRF Proof To Hash 580 ECVRF_proof_to_hash(pi_string) 582 Input: 584 pi_string - VRF proof, octet string of length ptLen+n+qLen 586 Output: 588 "INVALID", or 590 beta_string - VRF hash output, octet string of length hLen 592 Important note: 594 ECVRF_proof_to_hash should be run only on pi_string that is known 595 to have been produced by ECVRF_prove, or from within ECVRF_verify 596 as specified in Section 5.3. 598 Steps: 600 1. D = ECVRF_decode_proof(pi_string) 602 2. If D is "INVALID", output "INVALID" and stop 604 3. (Gamma, c, s) = D 606 4. three_string = 0x03 = int_to_string(3, 1), a single octet with 607 value 3 609 5. beta_string = Hash(suite_string || three_string || 610 point_to_string(cofactor * Gamma)) 612 6. Output beta_string 614 5.3. ECVRF Verifying 616 ECVRF_verify(Y, pi_string, alpha_string) 618 Input: 620 Y - public key, an EC point 622 pi_string - VRF proof, octet string of length ptLen+n+qLen 623 alpha_string - VRF input, octet string 625 Output: 627 ("VALID", beta_string), where beta_string is the VRF hash output, 628 octet string of length hLen; or 629 "INVALID" 631 Steps: 633 1. D = ECVRF_decode_proof(pi_string) 635 2. If D is "INVALID", output "INVALID" and stop 637 3. (Gamma, c, s) = D 639 4. H = ECVRF_hash_to_curve(suite_string, Y, alpha_string) 641 5. U = s*B - c*Y 643 6. V = s*H - c*Gamma 645 7. c' = ECVRF_hash_points(H, Gamma, U, V) 647 8. If c and c' are equal, output ("VALID", 648 ECVRF_proof_to_hash(pi_string)); else output "INVALID" 650 5.4. ECVRF Auxiliary Functions 652 5.4.1. ECVRF Hash To Curve 654 The ECVRF_hash_to_curve algorithm takes in the VRF input alpha and 655 converts it to H, an EC point in G. This algorithm is the only place 656 the VRF input alpha is used in for proving and verfying. See 657 Section 7.6 for further discussion. 659 The algorithms in this section are not compatible with each other; 660 the choice of algorithm is made in Section 5.5. 662 5.4.1.1. ECVRF_hash_to_curve_try_and_increment 664 The following ECVRF_hash_to_curve_try_and_increment(suite_string, Y, 665 alpha_string) algorithm implements ECVRF_hash_to_curve in a simple 666 and generic way that works for any elliptic curve. 668 The running time of this algorithm depends on alpha_string. For the 669 ciphersuites specified in Section 5.5, this algorithm is expected to 670 find a valid curve point after approximately two attempts (i.e., when 671 ctr=1) on average. 673 However, because the running time of algorithm depends on 674 alpha_string, this algorithm SHOULD be avoided in applications where 675 it is important that the VRF input alpha remain secret. 677 ECVRF_hash_to_try_and_increment(suite_string, Y, alpha_string) 679 Input: 681 suite_string - a single octet specifying ECVRF ciphersuite. 683 Y - public key, an EC point 685 alpha_string - value to be hashed, an octet string 687 Output: 689 H - hashed value, a finite EC point in G 691 Steps: 693 1. ctr = 0 695 2. PK_string = point_to_string(Y) 697 3. one_string = 0x01 = int_to_string(1, 1), a single octet with 698 value 1 700 4. H = "INVALID" 702 5. While H is "INVALID" or H is EC point at infinity: 704 A. ctr_string = int_to_string(ctr, 1) 706 B. hash_string = Hash(suite_string || one_string || PK_string || 707 alpha_string || ctr_string) 709 C. H = arbitrary_string_to_point(hash_string) 711 D. If H is not "INVALID" and cofactor > 1, set H = cofactor * H 713 E. ctr = ctr + 1 715 6. Output H 717 5.4.1.2. ECVRF_hash_to_curve_elligator2_25519 719 The following ECVRF_hash_to_curve_elligator2_25519(suite_string, Y, 720 alpha_string) algorithm implements ECVRF_hash_to_curve using the 721 elligator2 algorithm from Section 5 of [BHKT13] (see also 722 [I-D.irtf-cfrg-hash-to-curve]) exclusively for the edwards25519 723 elliptic curve. It can be implemented with running time that is 724 independent of the input alpha (so-called "constant-time"). 726 ECVRF_hash_to_curve_elligator2_25519(suite_string, Y, alpha_string) 728 Input: 730 suite_string - a single octet specifying ECVRF ciphersuite. 732 alpha_string - value to be hashed, an octet string 734 Y - public key, an EC point 736 Output: 738 H - hashed value, a finite EC point in G 740 Fixed options: 742 p = 2^255-19, the size of the finite field F, a prime, for 743 edwards25519 and curve25519 curves 745 A = 486662, Montgomery curve constant for curve25519 747 cofactor = 8, the cofactor for edwards25519 and curve25519 curves 749 Constraints on options: 751 output length of Hash is at least 16n (i.e., 256) bits 753 Steps: 755 1. PK_string = point_to_string(Y) 757 2. one_string = 0x01 = int_to_string(1, 1) 758 (a single octet with value 1) 760 3. hash_string = Hash(suite_string || one_string || PK_string || 761 alpha_string ) 763 4. truncated_h_string = hash_string[0]...hash_string[31] 764 5. oneTwentySeven_string = 0x7F = int_to_string(127, 1) 765 (a single octet with value 127) 767 6. truncated_h_string[31] = truncated_h_string[31] & 768 oneTwentySeven_string 769 (this step clears the high-order bit of octet 31) 771 7. r = string_to_int(truncated_h_string) 773 8. u = - A / (1 + 2*(r^2) ) mod p 774 (note: the inverse of (1+2*(r^2)) modulo p is guaranteed to 775 exist) 777 9. w = u * (u^2 + A*u + 1) mod p 778 (this step evaluates the Montgomery equation for Curve25519) 780 10. Let e equal the Legendre symbol of w and p 781 (see note below on how to compute e) 783 11. If e is equal to 1 then final_u = u; else final_u = (-A - u) mod 784 p 785 (note: final_u is the Montgomery u-coordinate of the output; see 786 note below on how to compute it) 788 12. y_coordinate = (final_u - 1) / (final_u + 1) mod p 789 (note 1: y_coordinate is the Edwards coordinate corresponding to 790 final_u) 791 (note 2: the inverse of (final_u + 1) modulo p is guaranteed to 792 exist) 794 13. h_string = int_to_string (y_coordinate, 32) 796 14. H_prelim = string_to_point(h_string) 797 (note: string_to_point will not return INVALID by correctness of 798 Elligator2) 800 15. Set H = cofactor * H_prelim 802 16. Output H 804 In order to make this algorithm run in time that is (almost) 805 independent of the input alpha_string (so-called "constant-time"), 806 implementers should pay particular attention to Steps 10 and 11 807 above. These steps can be implemented using the following approach: 809 e = w ^ ((p-1)/2) mod p 811 final_u = (e*u + (e-1) * (A/2)) mod p 813 The first step will produce a value e that is either 1 or p-1 (it is 814 guaranteed not to be any other value, because w is guaranteed to be 815 nonzero). Implementers should also ensure that the second step runs 816 in the same amount of time regardless of e by ensuring that 817 arithmetic in constant time. 819 Alternatively, let CMOV(result_if_1, result_if_0, selector) be the 820 function that returns result_if_1 when selector is 1 and result_if_0 821 when selector is 0. If CMOV is implemented in constant time, then 822 steps 12 and 13 above can be implemented as follows: 824 e = (w^((p-1)/2))+1 mod p 826 b = e/2 828 other_u = (-A-u) mod p 830 final_u = CMOV(u, other_u, b) 832 (Note that after the first step, e is either 0 or 2, and only the 833 least significant byte of e is needed in the second step). CMOV can 834 be implemented in constant time a variety of ways; for example, by 835 expanding b from a single bit to an all-0 or all-1 string 836 (accomplished by negating b in standard two's-complement arithmetic) 837 and then applying bitwise XOR and AND operations as follows: other_x 838 XOR ((x XOR other_x) AND b) 840 If having this algorithm run in constant time is not important, then 841 there are much faster algorithms to compute the Legendre symbol 842 (which is the same as the Jacobi symbol because p is a prime). See, 843 for example, Section 12.3 of [ntb]. 845 5.4.1.3. ECVRF_hash_to_curve_Simplified_SWU 847 The following ECVRF_hash_to_curve_Simplified_SWU(suite_string, Y, 848 alpha_string) algorithm implements ECVRF_hash_to_curve using the 849 simplified Shallue-Woestijne [SW06] and Ulas [Ulas07] algorithm from 850 Section 7 of [BCIMRT10] (see also [I-D.irtf-cfrg-hash-to-curve]). It 851 can be implemented with running time that is independent of the input 852 alpha (so-called "constant-time"). Generally, this method can be 853 used for any curve with prime p that is congruent to 3 modulo 4; 854 however, the (very unlikely) case of d=0 in step 6 below may need to 855 be handled differently depending on the curve equation, to ensure 856 that the result is a point on the curve. 858 ECVRF_hash_to_curve_Simplified_SWU(suite_string, Y, alpha_string) 860 Input: 862 suite_string - a single octet specifying ECVRF ciphersuite. 864 alpha_string - value to be hashed, an octet string 866 Y - public key, an EC point 868 Output: 870 H - hashed value, a finite EC point in G 872 Fixed options: 874 a and b, constants for the Weierstrass form elliptic curve 875 equation y^2 = x^3 + ax +b for the curve E 877 Steps: 879 1. PK_string = EC2OSP(Y) 881 2. one_string = 0x01 = I2OSP(1, 1), a single octet with value 1 883 3. h_string = Hash(suite_string || one_string || PK_string || 884 alpha_string) 886 4. t = string_to_int(h_string) mod p 888 5. r = -(t^2) mod p 890 6. d = (r^2 + r) mod p 891 (d is t^4-t^2 mod p) 893 7. If d = 0 then d_inverse = 0; else d_inverse = 1/d mod p 894 (as long as Hash is secure, the case of d = 0 is an utterly 895 improbably occurrence; 896 the two cases can be combined into one by computing d_inverse = 897 d^(p-2) mod p) 899 8. x = ((-b/a) * (1 + d_inverse)) mod p 901 9. w = (x^3 + a*x + b) mod p 902 (this step evaluates the curve equation) 904 10. Let e equal the Legendre symbol of w and p 905 (see note below on how to compute e) 907 11. If e is equal to 0 or 1 then final_x = x; else final_x = r * x 908 mod p 909 (final_x is the x-coordinate of the output; see note below on 910 how to compute it) 912 12. H_prelim = arbitrary_string_to_point(int_to_string(final_x, 2n)) 913 (note: arbitrary_string_to_point will not return INVALID by 914 correctness of Simple SWU) 916 13. If cofactor > 1, set H = cofactor * H; else set H = H_prelim 918 14. Output H 920 In order to make this algorithm run in time that is (almost) 921 independent of the input (so-called "constant-time"), implementers 922 should pay particular attention to Steps 10 and 11 above. These 923 steps can be implemented using the following approach. Let 924 CMOV(result_if_1, result_if_0, selector) be the function that returns 925 result_if_1 when selector is 1 and result_if_0 when selector is 0. 926 If arithmetic and CMOV are implemented in constant time, then steps 9 927 and 10 above can be implemented as follows: 929 e = (w ^ ((p-1)/2))+1 mod p 930 (At this point, e is 0, 1, or 2, as an integer.) 932 Let b = (e+1) / 2, where / denotes integer division with rounding 933 down. 934 (Note carefully that this step is integer, not modular, division. 935 Only the last byte of e is needed for this step. This step 936 converts 0, 1, or 2 to 0 or 1.) 938 other_x = r * x mod p 940 final_x = CMOV(x, other_x, b) 942 CMOV can be implemented in constant time a variety of ways; for 943 example, by expanding b from a single bit to an all-0 or all-1 string 944 (accomplished by negating b in standard two's-complement arithmetic) 945 and then applying bitwise XOR and AND operations as follows: other_x 946 XOR ((x XOR other_x) AND b) 948 If having this algorithm run in constant time is not important, then 949 there are much faster algorithms to compute the Legendre symbol 950 (which is the same as the Jacobi symbol because p is a prime). See, 951 for example, Section 12.3 of [ntb]. 953 5.4.2. ECVRF Nonce Generation 955 The following subroutines generate the nonce value k in a 956 deterministic pseudorandom fashion. 958 5.4.2.1. ECVRF Nonce Generation From RFC 6979 960 ECVRF_nonce_generation_RFC6979(SK, h_string) 962 Input: 964 SK - an ECVRF secret key 966 h_string - an octet string 968 Output: 970 k - an integer between 1 and q-1 972 The ECVRF_nonce_generation function is as specified in [RFC6979] 973 Section 3.2 where 975 Input m is set equal to h_string 977 The "suitable for DSA or ECDSA" check in step h.3 is omitted 979 The hash function H is Hash and its output length hlen is set as 980 hLen*8 982 The secret key x is set equal to the VRF secret scalar x 984 The prime q is the same as in this specification 986 qlen is the binary length of q, i.e., the smallest integer such 987 that 2^qlen > q 989 All the other values and primitives as defined in [RFC6979] 991 5.4.2.2. ECVRF Nonce Generation From RFC 8032 993 The following is from Steps 2-3 of Section 5.1.6 in [RFC8032]. 995 ECVRF_nonce_generation_RFC8032(SK, h_string) 997 Input: 999 SK - an ECVRF secret key 1000 h_string - an octet string 1002 Output: 1004 k - an integer between 0 and q-1 1006 Steps: 1008 1. hashed_sk_string = Hash (SK) 1010 2. truncated_hashed_sk_string = 1011 hashed_sk_string[32]...hashed_sk_string[63] 1013 3. k_string = Hash(truncated_hashed_sk_string || h_string) 1015 4. k = string_to_int(k_string) mod q 1017 5.4.3. ECVRF Hash Points 1019 ECVRF_hash_points(P1, P2, ..., PM) 1021 Input: 1023 P1...PM - EC points in G 1025 Output: 1027 c - hash value, integer between 0 and 2^(8n)-1 1029 Steps: 1031 1. two_string = 0x02 = int_to_string(2, 1), a single octet with 1032 value 2 1034 2. Initialize str = suite_string || two_string 1036 3. for PJ in [P1, P2, ... PM]: 1037 str = str || point_to_string(PJ) 1039 4. c_string = Hash(str) 1041 5. truncated_c_string = c_string[0]...c_string[n-1] 1043 6. c = string_to_int(truncated_c_string) 1045 7. Output c 1047 5.4.4. ECVRF Decode Proof 1049 ECVRF_decode_proof(pi_string) 1051 Input: 1053 pi_string - VRF proof, octet string (ptLen+n+qLen octets) 1055 Output: 1057 "INVALID", or 1059 Gamma - EC point 1061 c - integer between 0 and 2^(8n)-1 1063 s - integer between 0 and 2^(8qLen)-1 1065 Steps: 1067 1. let gamma_string = pi_string[0]...p_string[ptLen-1] 1069 2. let c_string = pi_string[ptLen]...pi_string[ptLen+n-1] 1071 3. let s_string =pi_string[ptLen+n]...pi_string[ptLen+n+qLen-1] 1073 4. Gamma = string_to_point(gamma_string) 1075 5. if Gamma = "INVALID" output "INVALID" and stop. 1077 6. c = string_to_int(c_string) 1079 7. s = string_to_int(s_string) 1081 8. Output Gamma, c, and s 1083 5.5. ECVRF Ciphersuites 1085 This document defines ECVRF-P256-SHA256-TAI as follows: 1087 o suite_string = 0x01 = int_to_string(1, 1). 1089 o The EC group G is the NIST P-256 elliptic curve, with curve 1090 parameters as specified in [FIPS-186-4] (Section D.1.2.3) and 1091 [RFC5114] (Section 2.6). For this group, 2n = qLen = 32 and 1092 cofactor = 1. 1094 o The key pair generation primitive is specified in Section 3.2.1 of 1095 [SECG1] (q, B, SK, and PK in this document correspond to in n, G, 1096 d, and Q in Section 3.2.1 of [SECG1]). In this ciphersuite, the 1097 secret scalar x is equal to the private key SK. 1099 o The ECVRF_nonce_generation function is as specified in 1100 Section 5.4.2.1. 1102 o The int_to_string function is the I2OSP function specified in 1103 Section 4.1 of [RFC8017]. (This is big endian representation.) 1105 o The string_to_int function is the OS2IP function specified in 1106 Section 4.2 of [RFC8017]. (This is big endian representation.) 1108 o The point_to_string function converts an EC point to an octet 1109 string according to the encoding specified in Section 2.3.3 of 1110 [SECG1] with point compression on. This implies ptLen = 2n + 1 = 1111 33. (Note that certain software implementations do not introduce 1112 a separate elliptic curve point type and instead directly treat 1113 the EC point as an octet string per above encoding. When using 1114 such an implementation, the point_to_string function can be 1115 treated as the identity function.) 1117 o The string_to_point function converts an octet string to an EC 1118 point according to the encoding specified in Section 2.3.4 of 1119 [SECG1]. This function MUST output INVALID if the octet string 1120 does not decode to an EC point. 1122 o arbitrary_string_to_point(h_string) = string_to_point(0x02 || 1123 h_string) (where 0x02 is a single octet with value 2, 1124 0x02=int_to_string(2, 1)). The input h_string is a 32-octet 1125 string and the output is either an EC point or "INVALID". 1127 o The hash function Hash is SHA-256 as specified in [RFC6234], with 1128 hLen = 32. 1130 o The ECVRF_hash_to_curve function is as specified in 1131 Section 5.4.1.1. 1133 This document defines ECVRF-P256-SHA256-SWU as follows: 1135 o This ciphersuite is identical to ECVRF-P256-SHA256-TAI except that 1136 the ECVRF_hash_to_curve function is as specified in 1137 Section 5.4.1.3 and suite_string = 0x02 = int_to_string(2, 1). 1139 This document defines ECVRF-EDWARDS25519-SHA512-TAI as follows: 1141 o suite_string = 0x03 = int_to_string(3, 1). 1143 o The EC group G is the edwards25519 elliptic curve with parameters 1144 defined in Table 1 of [RFC8032]. For this group, 2n = qLen = 32 1145 and cofactor = 8. 1147 o The private key and generation of the secret scalar and the public 1148 key are specified in Section 5.1.5 of [RFC8032] 1150 o The ECVRF_nonce_generation function is as specified in 1151 Section 5.4.2.2. 1153 o The int_to_string function as specified in the first paragraph of 1154 Section 5.1.2 of [RFC8032]. (This is little endian 1155 representation.) 1157 o The string_to_int function interprets the string as an integer in 1158 little-endian representation. 1160 o The point_to_string function converts an EC point to an octect 1161 string according to the encoding specified in Section 5.1.2 of 1162 [RFC8032]. This implies ptLen = 2n = 32. (Note that certain 1163 software implementations do not introduce a separate elliptic 1164 curve point type and instead directly treat the EC point as an 1165 octet string per above encoding. When using such and 1166 implementation, the point_to_string function can be treated as the 1167 identity function.) 1169 o The string_to_point function converts an octet string to an EC 1170 point according to the encoding specified in Section 5.1.3 of 1171 [RFC8032]. This function MUST output INVALID if the octet string 1172 does not decode to an EC point. 1174 o arbitrary_string_to_point(h_string) = 1175 string_to_point(h_string[0]...h_string[31]) 1177 o The hash function Hash is SHA-512 as specified in [RFC6234], with 1178 hLen = 64. 1180 o The ECVRF_hash_to_curve function is as specified in 1181 Section 5.4.1.1. 1183 This document defines ECVRF-EDWARDS25519-SHA512-Elligator2 as 1184 follows: 1186 o This ciphersuite is identical to ECVRF-EDWARDS25519-SHA512-TAI 1187 except that the ECVRF_hash_to_curve function is as specified in 1188 Section 5.4.1.2 and suite_string = 0x04 = int_to_string(4, 1). 1190 5.6. When the ECVRF Keys are Untrusted 1192 The ECVRF as specified above is a VRF that satisfies the "trusted 1193 uniqueness", "trusted collision resistance", and "full 1194 pseudorandomness" properties defined in Section 3. In order to 1195 obtain "full uniqueness" and "full collision resistance" (which 1196 provide protection against a malicious VRF public key), the Verifier 1197 MUST perform the following additional validation procedure upon 1198 receipt of the public VRF key. The public VRF key MUST NOT be used 1199 if this procedure returns "INVALID". 1201 Note that this procedure is not sufficient if the elliptic curve E or 1202 the point B, the generator of group G, is untrusted. If the prover 1203 is untrusted, the Verifier MUST obtain E and B from a trusted source, 1204 such as a ciphersuite specification, rather than from the prover. 1206 This procedure supposes that the public key provided to the Verifier 1207 is an octet string. The procedure returns "INVALID" if the public 1208 key in invalid. Otherwise, it returns Y, the public key as an EC 1209 point. 1211 5.6.1. ECVRF Validate Key 1213 ECVRF_validate_key(PK_string) 1215 Input: 1217 PK_string - public key, an octet string 1219 Output: 1221 "INVALID", or 1223 Y - public key, an EC point 1225 Steps: 1227 1. Y = string_to_point(PK_string) 1229 2. If Y is "INVALID", output "INVALID" and stop 1231 3. If cofactor*Y is the EC point at infinty, output "INVALID" and 1232 stop 1234 4. Output Y 1236 Note that if the cofactor = 1, then Step 3 need not multiply Y by the 1237 cofactor; instead, it suffices to output "INVALID" if Y is the point 1238 at infinity. Moreover, when cofactor>1, it is not necessary to 1239 verify that Y is in the subgroup G; Step 3 suffices. Therefore, if 1240 the cofactor is small, the total number of points that could cause 1241 Step 3 to output "INVALID" may be small, and it may be more efficient 1242 to simply check Y against a fixed list of such points. For example, 1243 the following algorithm can be used for the edwards25519 curve: 1245 1. Y = string_to_point(PK_string) 1247 2. If Y is "INVALID", output "INVALID" and stop 1249 3. y_string = PK_string 1251 4. oneTwentySeven_string = 0x7F = int_to_string(127, 1) 1252 (a single octet with value 127) 1254 5. y_string[31] = y_string[31] & oneTwentySeven_string 1255 (this step clears the high-order bit of octet 31) 1257 6. bad_pk[0] = int_to_string(0, 32) 1259 7. bad_pk[1] = int_to_string(1, 32) 1261 8. bad_y2 = 2707385501144840649318225287225658788936804267575313519 1262 463743609750303402022 1264 9. bad_pk[2] = int_to_string(bad_y2, 32) 1266 10. bad_pk[3] = int_to_string(p-bad_y2, 32) 1268 11. bad_pk[4] = int_to_string(p-1, 32) 1270 12. bad_pk[5] = int_to_string(p, 32) 1272 13. bad_pk[6] = int_to_string(p+1, 32) 1274 14. If y_string is in bad_pk[0]...bad_pk[6], output "INVALID" and 1275 stop 1277 15. Output Y 1279 (bad_pk[0], bad_pk[2], bad_pk[3] each match two bad public keys, 1280 depending on the sign of the x-coordinate, which was cleared in step 1281 5, in order to make sure that it does not affect the comparison. 1282 bad_pk[1] and bad_pk[4] each match one bad public key, because 1283 x-coordinate is 0 for these two public keys. bad_pk[5] and bad_pk[6] 1284 are simply bad_pk[0] and bad_pk[1] shifted by p, in case the 1285 y-coordinate had not been modular reduced by p. There is no need to 1286 shift the other bad_pk values by p, because they will exceed 2^255. 1287 These bad keys, which represent all points of order 1, 2, 4, and 8, 1288 have been obtained by converting the points specified in [X25519] to 1289 Edwards coordinates.) 1291 6. Implementation Status 1293 A reference implementation of ECVRF-P256-SHA256-TAI, ECVRF- 1294 P256-SHA256-SWU, ECVRF-EDWARDS25519-SHA512-TAI, ECVRF- 1295 EDWARDS25519-SHA512-Elligator2 is available at 1296 . This implementation is neither 1297 secure nor especially effecient, but can be used to generate test 1298 vectors. 1300 An implementation of ECVRF-EDWARDS25519-SHA512-Elligator2 is 1301 available at . 1304 An implemention of ECVRF-P256-SHA256-TAI, as well as variants for the 1305 sect163k1 and secp256k1 curves, is available at 1306 . 1308 An implementation of an earlier, slightly different, version of RSA- 1309 FDH-VRF (SHA-256) and ECVRF-P256-SHA256-TAI was first developed as a 1310 part of the NSEC5 project [I-D.vcelak-nsec5] and is available at 1311 . 1313 The Key Transparency project at Google uses a VRF implemention that 1314 is similar to the ECVRF-P256-SHA256-TAI, with a few minor changes 1315 including the use of SHA-512 instead of SHA-256. Its implementation 1316 is available at 1317 1320 An implementation by Yahoo! similar to the ECVRF is available at 1321 . 1323 An implementation similar to ECVRF is available as part of the CONIKS 1324 implementation in Golang at . 1327 Open Whisper Systems also uses a VRF very similar to ECVRF- 1328 EDWARDS25519-SHA512-Elligator, called VXEdDSA, and specified here: 1329 1331 7. Security Considerations 1333 7.1. Key Generation 1335 Applications that use the VRFs defined in this document MUST ensure 1336 that that the VRF key is generated correctly, using good randomness. 1338 7.1.1. Uniqueness and collision resistance with untrusted keys 1340 The ECVRF as specified in Section 5.1-Section 5.5 statisfies the 1341 "trusted uniqueness" and "trusted collision resistance" properties as 1342 long as the VRF keys are generated correctly, with good randomness. 1343 If the Verifier trusts the VRF keys are generated correctly, it MAY 1344 use the public key Y as is. 1346 However, if the ECVRF uses keys that could be generated 1347 adversarially, then the the Verfier MUST first perform the validation 1348 procedure ECVRF_validate_key(PK) (specified in Section 5.6) upon 1349 receipt of the public key PK as an octet string. If the validation 1350 procedure outputs "INVALID", then the public key MUST not be used. 1351 Otherwise, the procedure will output a valid public key Y, and the 1352 ECVRF with public key Y satisfies the "full uniqueness" and "full 1353 collision resistance" properties. 1355 The RSA-FDH-VRF statisfies the "trusted uniqueness" and "trusted 1356 collision resistance" properties as long as the VRF keys are 1357 generated correctly, with good randomness. These properties may not 1358 hold if the keys are generated adversarially (e.g., if RSA is not 1359 permutation). Meanwhile, the "full uniqueness" and "full collision 1360 resistance" are properties that hold even if VRF keys are generated 1361 by an adversary. The RSA-FDH-VRF defined in this document does not 1362 have these properties. However, if adversarial key generation is a 1363 concern, the RSA-FDH-VRF may be modifed to have these properties by 1364 adding additional cryptographic checks that its public key has the 1365 right form. These modifications are left for future specification. 1367 7.1.2. Pseudorandomness with untrusted keys 1369 Without good randomness, the "pseudorandomness" properties of the VRF 1370 may not hold. Note that it is not possible to guarantee 1371 pseudorandomness in the face of adversarially generated VRF keys. 1372 This is because an adversary can always use bad randomness to 1373 generate the VRF keys, and thus, the VRF output may not be 1374 pseudorandom. 1376 7.2. Selective vs Full Pseudorandomness 1378 [PWHVNRG17] presents cryptographic reductions to an underlying hard 1379 problem (e.g. Decisional Diffie Hellman for the ECVRF, or the 1380 standard RSA assumption for RSA-FDH-VRF) that prove the VRFs 1381 specificied in this document possess full pseudorandomness as well as 1382 selective pseudorandomness. However, the cryptographic reductions 1383 are tighter for selective pseudorandomness than for full 1384 pseudorandomness. This means the the VRFs have quantitavely stronger 1385 security guarentees for selective pseudorandomness. 1387 Applications that are concerned about tightness of cryptographic 1388 reductions therefore have two options. 1390 o They may choose to ensure that selective pseudorandomness is 1391 sufficient for the application. That is, that pseudorandomness of 1392 outputs matters only for inputs that are chosen independently of 1393 the VRF key. 1395 o If full pseudorandomness is required for the application, the 1396 application may increase security parameters to make up for the 1397 loose security reduction. For RSA-FDH-VRF, this means increasing 1398 the RSA key length. For ECVRF, this means increasing the 1399 cryptographic strength of the EC group G. For both RSA-FDH-VRF 1400 and ECVRF the cryptographic strength of the hash function Hash may 1401 also potentially need to be increased. 1403 7.3. Proper pseudorandom nonce for ECVRF 1405 The security of the ECVRF defined in this document relies on the fact 1406 that nonce k used in the ECVRF_prove algorithm is chosen uniformly 1407 and pseudorandomly modulo q, and is unknown to the advesrary. 1408 Otherwise, an adversary may be able to recover the private VRF key x 1409 (and thus break pseudorandomness of the VRF) after observing several 1410 valid VRF proofs pi. The nonce generation methods specified in the 1411 ECVRF ciphersuites of Section 5.5 are designed with this requirement 1412 in mind. 1414 7.4. Side-channel attacks 1416 Side channel attacks on cryptographic primatives are an important 1417 issue. Here we discuss only one such side channel: timing attacks 1418 that can be used to leak information about the VRF input alpha. 1419 Implementers should take care to avoid side-channel attacks that leak 1420 information about the VRF private key SK (and the nonce k used in the 1421 ECVRF). 1423 The ECVRF_hash_to_curve_try_and_increment algorithm defined in 1424 Section 5.4.1.1 SHOULD NOT be used in applications where the VRF 1425 input alpha is secret and is hashed by the VRF on-the-fly. This is 1426 because the algorithm's running time depends on the VRF input alpha, 1427 and thus creates a timing channel that can be used to learn 1428 information about alpha. That said, for most inputs the amount of 1429 information obtained from such a timing attack is likely to be small 1430 (1 bit, on average), since the algorithm is expected to find a valid 1431 curve point after only two attempts. However, there might be inputs 1432 which cause the algorithm to make many attempts before it finds a 1433 valid curve point; for such inputs, the information leaked in a 1434 timing attack will be more than 1 bit. 1436 Meanwhile, ECVRF-P256-SHA256-SWU and ECVRF- 1437 EDWARDS25519-SHA512-Elligator2 can be made to run in time constant in 1438 alpha. 1440 7.5. Proofs Provide No Secrecy for VRF Input 1442 The VRF proof pi is not designed to provide secrecy and, in general, 1443 may reveal the VRF input alpha. Anyone who knows PK and pi is able 1444 to perform an offline dictionary attack to search for alpha, by 1445 verifying guesses for alpha using VRF_verify. This is in contrast to 1446 the VRF hash output beta which, without the proof, is pseudorandom 1447 and thus is designed to reveal no information about alpha. 1449 7.6. Prehashing 1451 The VRFs specified in this document allow for read-once access to the 1452 input alpha for both signing and verifying. Thus, additional 1453 prehashing of alpha (as specified, for example, in [RFC8032] for 1454 EdDSA signatures) is not needed, even for applications that need to 1455 handle long alpha or to support the Initialized-Update-Finalize (IUF) 1456 interface (in such an interface, alpha is not supplied all at once, 1457 but rather in pieces by a sequence of calls to Update). The ECVRF, 1458 in particular, uses alpha only in ECVRF_hash_to_curve. The curve 1459 point H becomes the representative of alpha thereafter. Note that 1460 the suite_string octet and the public key are hashed together with 1461 alpha in ECVRF_hash_to_curve, which ensures that the curve (including 1462 the generator B) and the public key are included indirectly into 1463 subsequent hashes. 1465 7.7. Hash function domain separation and future-proofing 1467 Hashing is used for different purposes in the two VRFs (namely, in 1468 the RSA-FDH-VRF, in MGF1 and in proof_to_hash; in the ECVRF, in 1469 hash_to_curve, nonce_generation, hash_points, and proof_to_hash). 1470 The theoretical analysis assumes each of these functions is a 1471 separate random oracle. This analysis still holds even if the same 1472 hash function is used, as long as the four queries made to the hash 1473 function for a given SK and alpha are overwhelmingly unlikely to 1474 equal each other or to any queries made to the hash function for the 1475 same SK and different alpha. This is indeed the case for the RSA- 1476 FDH-VRF defined in this document, because the first octets of the 1477 input to the hash function used in MGF1 and in proof_to_hash are 1478 different. This is also the case for the ECVRF ciphersuites defined 1479 in this document, because: 1481 o inputs to the hash function used during nonce_generation are 1482 unlikely to equal to inputs given to hash_to_curve, proof_to_hash, 1483 and hash_points. This follows since nonce_generation inputs a 1484 secret to the hash function that is not used by honest parties as 1485 input to any other hash function, and is not available to the 1486 adversary 1488 o the second octet of the input to the hash function used in 1489 hash_to_curve, proof_to_hash, and hash_points are all different 1491 For the RSA VRF, if future designs need to specify variants of the 1492 design in this document, such variants should use different first 1493 octets in inputs to MGF1 and to the hash funciton used in 1494 proof_to_hash, in order to avoid the possibility that an adversary 1495 can obtain a VRF output under one variant, and then claim it was 1496 obtained under another variant 1498 For the elliptic curve VRF, if future designs need to specify 1499 variants (e.g., additional ciphersuites) of the design in this 1500 document, then, to avoid the possibility that an adversary can obtain 1501 a VRF output under one variant, and then claim it was obtained under 1502 another variant, they should specify a different suite_string 1503 constant. This way, the inputs to the hash_to_curve hash function 1504 used in producing H are guaranteed to be different; since all the 1505 other hashing done by the prover depends on H, inputs all the hash 1506 functions used by the prover will also be different as long as 1507 hash_to_curve is collision resistant. 1509 8. Change Log 1511 Note to RFC Editor: if this document does not obsolete an existing 1512 RFC, please remove this appendix before publication as an RFC. 1514 00 - Forked this document from draft-goldbe-vrf-01. 1516 01 - Minor updates, mostly highlighting TODO items. 1518 02 - Added specification of elligator2 for Curve25519, along with 1519 ciphersuites for ECVRF-ED25519-SHA512-Elligator. Changed ECVRF- 1520 ED25519-SHA256 suite_string to ECVRF-ED25519-SHA512. (This change 1521 made because Ed25519 in [RFC8032] signatures use SHA512 and not 1522 SHA256.) Made ECVRF nonce generation a separate component, so 1523 that nonces are determinsitic. In ECVRF proving, changed + to - 1524 (and made corresponding verification changes) in order to be 1525 consistent with EdDSA and ECDSA. Highlighted that 1526 ECVRF_hash_to_curve acts like a prehash. Added "suites" variable 1527 to ECVRF for future-proofing. Ensured domain separation for hash 1528 functions by modifying hash_points and added discussion about 1529 domain separation. Updated todos in the "additional 1530 pseudorandomness property" section. Added an discussion of 1531 secrecy into security considerations. Removed B and PK=Y from 1532 ECVRF_hash_points because they are already present via H, which is 1533 computed via hash_to_curve using the suite_string (which 1534 identifies B) and Y. 1536 03 - Changed Ed25519 conversions to little-endian, to match RFC 1537 8032; added simple key validation for Ed25519; added Simple SWU 1538 cipher suite; clarified Elligator and removed the extra x0 bit, to 1539 make Montgomery and Edwards Elligator the same; added domain 1540 separation for RSA VRF; improved notation throughout; added nonce 1541 generation as a section; changed counter in try-and-increment from 1542 four bytes to one, to avoid endian issues; renamed try-and- 1543 increment ciphersuites to -TAI; added qLen as a separate 1544 paremeter; changed output length to hLen for ECVRF, to match 1545 RSAVRF; made Verify return beta so unverified proofs don't end up 1546 in proof_to_hash; added test vectors. 1548 04 - Clarified handling of optional arguments x and PK in 1549 ECVRF_prove. Edited implementation status to bring it up to date. 1551 05 - Renamed ed25519 into the more commonly used edwards25519. 1552 Corrected ECVRF_nonce_generation_RFC6979 (thanks to Gorka Irazoqui 1553 Apecechea and Mario Cao Cueto for finding the problem) and 1554 corresponding test vectors for the P256 suites. Added a reference 1555 to the Rust implementation. 1557 9. Contributors 1559 This document also would not be possible without the work of Moni 1560 Naor (Weizmann Institute), Sachin Vasant (Cisco Systems), and Asaf 1561 Ziv (Facebook). Shumon Huque, David C. Lawerence, Trevor Perrin, 1562 Annie Yousar, Stanislav Smyshlyaev, Liliya Akhmetzyanova, Tony 1563 Arcieri, Sergey Gorbunov, Sam Scott, Nick Sullivan, Christopher Wood, 1564 Marek Jankowski, Derek Ting-Haye Leung, Adam Suhl, Gary Belvinm, 1565 Piotr Nojszewski, Gorka Irazoqui Apecechea, and Mario Cao Cueto 1566 provided valuable input to this draft. 1568 10. References 1570 10.1. Normative References 1572 [FIPS-186-4] 1573 National Institute for Standards and Technology, "Digital 1574 Signature Standard (DSS)", FIPS PUB 186-4, July 2013, 1575 . 1578 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1579 Requirement Levels", BCP 14, RFC 2119, 1580 DOI 10.17487/RFC2119, March 1997, 1581 . 1583 [RFC5114] Lepinski, M. and S. Kent, "Additional Diffie-Hellman 1584 Groups for Use with IETF Standards", RFC 5114, 1585 DOI 10.17487/RFC5114, January 2008, 1586 . 1588 [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms 1589 (SHA and SHA-based HMAC and HKDF)", RFC 6234, 1590 DOI 10.17487/RFC6234, May 2011, 1591 . 1593 [RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature 1594 Algorithm (DSA) and Elliptic Curve Digital Signature 1595 Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August 1596 2013, . 1598 [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, 1599 "PKCS #1: RSA Cryptography Specifications Version 2.2", 1600 RFC 8017, DOI 10.17487/RFC8017, November 2016, 1601 . 1603 [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital 1604 Signature Algorithm (EdDSA)", RFC 8032, 1605 DOI 10.17487/RFC8032, January 2017, 1606 . 1608 [SECG1] Standards for Efficient Cryptography Group (SECG), "SEC 1: 1609 Elliptic Curve Cryptography", Version 2.0, May 2009, 1610 . 1612 10.2. Informative References 1614 [ANSI.X9-62-2005] 1615 "Public Key Cryptography for the Financial Services 1616 Industry: The Elliptic Curve Digital Signature Algorithm 1617 (ECDSA)", ANSI X9.62, 2005. 1619 [BCIMRT10] 1620 Brier, E., Coron, J., Icart, T., Madore, D., Randriam, H., 1621 and M. Tibouchi, "Efficient Indifferentiable Hashing into 1622 Ordinary Elliptic Curves", in Advances in Cryptology - 1623 CRYPTO, 2010, . 1625 [BHKT13] Bernstein, D., Hamburg, M., Krasnova, A., and T. Lange, 1626 "Elligator: elliptic-curve points indistinguishable from 1627 uniform random strings", in ACM SIGSAC Conference on 1628 Computer and Communications Security (CCS), 2013, 1629 . 1631 [GHMVZ17] Gilad, Y., Hemo, R., Micali, Y., Vlachos, Y., and Y. 1632 Zeldovich, "Algorand: Scaling Byzantine Agreements for 1633 Cryptocurrencies", in Proceedings of the 26th Symposium on 1634 Operating Systems Principles (SOSP), 2017, 1635 . 1637 [I-D.irtf-cfrg-hash-to-curve] 1638 Scott, S., Sullivan, N., and C. Wood, "Hashing to Elliptic 1639 Curves", draft-irtf-cfrg-hash-to-curve-01 (work in 1640 progress), July 2018. 1642 [I-D.vcelak-nsec5] 1643 Vcelak, J., Goldberg, S., Papadopoulos, D., Huque, S., and 1644 D. Lawrence, "NSEC5, DNSSEC Authenticated Denial of 1645 Existence", draft-vcelak-nsec5-08 (work in progress), 1646 December 2018. 1648 [KRDO17] Kiayias, A., Russell, A., David, B., and R. Oliynykov, 1649 "Ouroboros: A Provably Secure Proof-of-Stake Blockchain 1650 Protocol", in Advances in Cryptology - CRYPTO, 2017, 1651 . 1653 [MRV99] Michali, S., Rabin, M., and S. Vadhan, "Verifiable Random 1654 Functions", in FOCS, 1999, 1655 . 1657 [ntb] Shoup, V., "A Computational Introduction to Number Theory 1658 and Algebra", 2008, . 1660 [PWHVNRG17] 1661 Papadopoulos, D., Wessels, D., Huque, S., Vcelak, J., 1662 Naor, M., Reyzin, L., and S. Goldberg, "Making NSEC5 1663 Practical for DNSSEC", in ePrint Cryptology Archive 1664 2017/099, February 2017, 1665 . 1667 [SW06] Shallue, A. and C. van de Woestijne, "Construction of 1668 rational points on elliptic curves over finite fields", 1669 in Algorithmic Number Theory - ANTS, 2006, 1670 . 1672 [Ulas07] Ulas, M., "Rational points on certain hyperelliptic curves 1673 over finite fields", in Bull. Polish Acad. Sci. Math., 1674 2007, . 1676 [X25519] Bernstein, D., "How do I validate Curve25519 public 1677 keys?", 2006, . 1679 Appendix A. Test Vectors for the ECVRFs 1681 The test vectors in this section were genereated using the reference 1682 implementation at . 1684 A.1. ECVRF-P256-SHA256-TAI 1686 These two example secret keys and messages are taken from 1687 Appendix A.2.5 of [RFC6979]. 1689 SK = x = 1690 c9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721 1691 PK = 1692 0360fed4ba255a9d31c961eb74c6356d68c049b8923b61fa6ce669622e60f29fb6 1693 alpha = 73616d706c65 (ASCII "sample") 1694 try_and_increment succeded on ctr = 0 1695 H = 1696 02e2e1ab1b9f5a8a68fa4aad597e7493095648d3473b213bba120fe42d1a595f3e 1697 k = b7de5757b28c349da738409dfba70763ace31a6b15be8216991715fbc833e5fa 1698 U = k*B = 1699 030286d82c95d54feef4d39c000f8659a5ce00a5f71d3a888bd1b8e8bf07449a50 1700 V = k*H = 1701 03e4258b4a5f772ed29830050712fa09ea8840715493f78e5aaaf7b27248efc216 1702 pi = 029bdca4cc39e57d97e2f42f88bcf0ecb1120fb67eb408a856050dbfbcbf57c5 1703 24347fc46ccd87843ec0a9fdc090a407c6fbae8ac1480e240c58854897eabbc3a7bb6 1704 1b201059f89186e7175af796d65e7 1705 beta = 1706 59ca3801ad3e981a88e36880a3aee1df38a0472d5be52d6e39663ea0314e594c 1708 SK = x = 1709 c9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721 1710 PK = 1711 0360fed4ba255a9d31c961eb74c6356d68c049b8923b61fa6ce669622e60f29fb6 1712 alpha = 74657374 (ASCII "test") 1713 try_and_increment succeded on ctr = 0 1714 H = 1715 02ca565721155f9fd596f1c529c7af15dad671ab30c76713889e3d45b767ff6433 1716 k = c3c4f385523b814e1794f22ad1679c952e83bff78583c85eb5c2f6ea6eee2e7d 1717 U = k*B = 1718 034b3793d1088500ec3cccdea079beb0e2c7cdf4dccef1bbda379cc06e084f09d0 1719 V = k*H = 1720 02427cdb19aa5dd645e153d6bd8c0d81a658deee37b203edfd461953f301c4f868 1721 pi = 03873a1cce2ca197e466cc116bca7b1156fff599be67ea40b17256c4f34ba254 1722 9c94ffd2b31588b5fe034fd92c87de5b520b12084da6c4ab63080a7c5467094a1ee84 1723 b80b59aca54bba2e2baa0d108191b 1724 beta = 1725 dc85c20f95100626eddc90173ab58d5e4f837bb047fb2f72e9a408feae5bc6c1 1726 This example secret key and message are taken from Appendix L.4.2 of 1727 [ANSI.X9-62-2005]. 1729 SK = x = 1730 2ca1411a41b17b24cc8c3b089cfd033f1920202a6c0de8abb97df1498d50d2c8 1731 PK = 1732 03596375e6ce57e0f20294fc46bdfcfd19a39f8161b58695b3ec5b3d16427c274d 1733 alpha = 4578616d706c65206f66204543445341207769746820616e7369703235367 1734 23120616e64205348412d323536 (ASCII "Example of ECDSA with ansip256r1 1735 and SHA-256") 1736 try_and_increment succeded on ctr = 1 1737 H = 1738 02141e41d4d55802b0e3adaba114c81137d95fd3869b6b385d4487b1130126648d 1739 k = 6ac8f1efa102bdcdcc8db99b755d39bc995491e3f9dea076add1905a92779610 1740 U = k*B = 1741 034bf7bd3638ef06461c6ec0cfaef7e58bfdaa971d7e36125811e629e1a1e77c8a 1742 V = k*H = 1743 03b8b33a134759eb8c9094fb981c9590aa53fd13d35042575067a7bd7c5bc6287b 1744 pi = 02abe3ce3b3aa2ab3c6855a7e729517ebfab6901c2fd228f6fa066f15ebc9b9d 1745 415a680736f7c33f6c796e367f7b2f467026495907affb124be9711cf0e2d05722d3a 1746 33e11d0c5bf932b8f0c5ed1981b64 1747 beta = 1748 e880bde34ac5263b2ce5c04626870be2cbff1edcdadabd7d4cb7cbc696467168 1750 A.2. ECVRF-P256-SHA256-SWU 1752 These two example secret keys and messages are taken from 1753 Appendix A.2.5 of [RFC6979]. 1755 SK = x = 1756 c9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721 1757 PK = 1758 0360fed4ba255a9d31c961eb74c6356d68c049b8923b61fa6ce669622e60f29fb6 1759 alpha = 73616d706c65 (ASCII "sample") 1760 In SWU: t = 1761 f1523667d029b9119a319a5bb316ff846691600e3552514ec4f93f9c84d65a4f 1762 In SWU: w = 1763 d8125c3ae82fc2b7f1c326b6f3dbfdf3583272336a60cb08efb84e002e98a3b3 1764 In SWU: e = -1 1765 H = 1766 027827143876a58c2189402306c6ff6f7f9a7271067f3ed28eb63790d58a84fdd6 1767 k = cabfb61ad47b639814365bcbe2cc48a9ad4e3cfe61172aced7d539d47f459654 1768 U = k*B = 1769 023cd2988db2421dbfd5cefb8c2342ed2413160d4f6521d301e7b2995fe8551bd6 1770 V = k*H = 1771 025443fe6f00281ff3afa0ff93db2ce9cb20dfcafb7c17b78c9e912d26f4e22cf2 1772 pi = 021d684d682e61dd76c794eef43988a2c61fbdb2af64fbb4f435cc2a842b0024 1773 c3b3056b7310e0130317274a58e57317c469b46fe5ab6a34463d7ecb2a7ae1d808381 1774 f53c0f6aaaebe62195cfd14526f03 1775 beta = 1776 143f36bf7175053315693cfcfdff5aebb13e5eb9c47f897f53f81561993cfcd2 1778 SK = x = 1779 c9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721 1780 PK = 1781 0360fed4ba255a9d31c961eb74c6356d68c049b8923b61fa6ce669622e60f29fb6 1782 alpha = 74657374 (ASCII "test") 1783 In SWU: t = 1784 e20da1d7386cb673deffec63d47ec65862dce55f113be168fa45cba2a6c1ddbc 1785 In SWU: w = 1786 0eed10be2937c902c9612d80b8ea5b0783f81c419faedd57efc84e6dfcfe2c72 1787 In SWU: e = 1 1788 H = 1789 020e6c14efc8bc7150a3467aafa78be9856a2c6e405bdcc50f767fe638569d0172 1790 k = eb2035e5d6993b96589937c36482c647dab2b420fd152ffe026437b0b6c22e26 1791 U = k*B = 1792 038bf7231765143e6de2cef1bbd79dd80729a320dbc040ecd8f3d937b756b68e56 1793 V = k*H = 1794 0365e6610ff260aef9721450e2353677470e179573937756a803df1df9680ca698 1795 pi = 0376b758f457d2cabdfaeb18700e46e64f073eb98c119dee4db6c5bb1eaf6778 1796 0654504c6e583fd6eb129195b1836f91a6dd16504f957c8dedb653806952e3b0217ef 1797 187b87b9dda851f0a515f4dcc09d1 1798 beta = 1799 6b5bb622a6bc1387a7dcc4f46cfdcc3bce67669b32f3bc39e047c3b6cd3e65d9 1801 This example secret key and message are taken from Appendix L.4.2 of 1802 [ANSI.X9-62-2005]. 1804 SK = x = 1805 2ca1411a41b17b24cc8c3b089cfd033f1920202a6c0de8abb97df1498d50d2c8 1806 PK = 1807 03596375e6ce57e0f20294fc46bdfcfd19a39f8161b58695b3ec5b3d16427c274d 1808 alpha = 4578616d706c65206f66204543445341207769746820616e7369703235367 1809 23120616e64205348412d323536 (ASCII "Example of ECDSA with ansip256r1 1810 and SHA-256") 1811 In SWU: t = 1812 e93da6ba2bca714061dc94c8c513343ad11bfc9678339e4a8bd86a08232aa6d7 1813 In SWU: w = 1814 76f564cca31934c80dd2a285ba43543df63a078b132c8f34d2ab1b7089cb3401 1815 In SWU: e = -1 1816 H = 1817 02429690b91e1783cd0d7e393db07cc44b48c226cb837adb2282251cabf431a484 1818 k = 6181315ddb4f4d159ce8cbad48d5454625ccbf47c46c4cabd972be72b372a50b 1819 U = k*B = 1820 02c6dac6f9a51b79b8bc928a67320f4d569090b8c6b86f011ddf898788559c134d 1821 V = k*H = 1822 033f8070c0a09ac089d1ceffc384d3f25bb0597f63161ca82431331278baf1568f 1823 pi = 035e844533a7c5109ab3dffd04f2ef0d38d679101124f15243199ce92f0f2947 1824 7ca8e8f01b40c77c61a169ad6db9d76fae7938e94a4338bca9c586c8e266ead7a6b24 1825 b769d3d34efc85f6cdb82d96bb717 1826 beta = 1827 be1dcb17e9815ac6acf819e7ad4b75e575eafad25915c2608959d780364fc912 1829 A.3. ECVRF-EDWARDS25519-SHA512-TAI 1831 These three example secret keys and messages are taken from 1832 Section 7.1 of [RFC8032]. 1834 SK = 9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60 1835 PK = d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a 1836 alpha = (the empty string) 1837 x = 307c83864f2833cb427a2ef1c00a013cfdff2768d980c0a3a520f006904de94f 1838 try_and_increment succeded on ctr = 0 1839 H = 5b2c80db3ce2d79cc85b1bfb269f02f915c5f0e222036dc82123f640205d0d24 1840 k = 647ac2b3ca3f6a77e4c4f4f79c6c4c8ce1f421a9baaa294b0adf0244915130f70 1841 67640acb6fd9e7e84f8bc30d4e03a95e410b82f96a5ada97080e0f187758d38 1842 U = k*B = 1843 a21c342b8704853ad10928e3db3e58ede289c798e3cdfd485fbbb8c1b620604f 1844 V = k*H = 1845 426fe41752f0b27439eb3d0c342cb645174a720cae2d4e9bb37de034eefe27ad 1846 pi = 9275df67a68c8745c0ff97b48201ee6db447f7c93b23ae24cdc2400f52fdb08a 1847 1a6ac7ec71bf9c9c76e96ee4675ebff60625af28718501047bfd87b810c2d2139b73c 1848 23bd69de66360953a642c2a330a 1849 beta = a64c292ec45f6b252828aff9a02a0fe88d2fcc7f5fc61bb328f03f4c6c0657 1850 a9d26efb23b87647ff54f71cd51a6fa4c4e31661d8f72b41ff00ac4d2eec2ea7b3 1852 SK = 4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb 1853 PK = 3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c 1854 alpha = 72 (1 byte) 1855 x = 68bd9ed75882d52815a97585caf4790a7f6c6b3b7f821c5e259a24b02e502e51 1856 try_and_increment succeded on ctr = 4 1857 H = 08e18a34f3923db32e80834fb8ced4e878037cd0459c63ddd66e5004258cf76c 1858 k = 627237308294a8b344a09ad893997c630153ee514cd292eddd577a9068e2a6f24 1859 cbee0038beb0b1ee5df8be08215e9fc74608e6f9358b0e8d6383b1742a70628 1860 U = k*B = 1861 18b5e500cb34690ced061a0d6995e2722623c105221eb91b08d90bf0491cf979 1862 V = k*H = 1863 87e1f47346c86dbbd2c03eafc7271caa1f5307000a36d1f71e26400955f1f627 1864 pi = 84a63e74eca8fdd64e9972dcda1c6f33d03ce3cd4d333fd6cc789db12b5a7b9d 1865 03f1cb6b2bf7cd81a2a20bacf6e1c04e59f2fa16d9119c73a45a97194b504fb9a5c8c 1866 f37f6da85e03368d6882e511008 1867 beta = cddaa399bb9c56d3be15792e43a6742fb72b1d248a7f24fd5cc585b232c26c 1868 934711393b4d97284b2bcca588775b72dc0b0f4b5a195bc41f8d2b80b6981c784e 1870 SK = c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7 1871 PK = fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025 1872 alpha = af82 (2 bytes) 1873 x = 909a8b755ed902849023a55b15c23d11ba4d7f4ec5c2f51b1325a181991ea95c 1874 try_and_increment succeded on ctr = 0 1875 H = e4581824b70badf0e57af789dd8cf85513d4b9814566de0e3f738439becfba33 1876 k = a950f736af2e3ae2dbcb76795f9cbd57c671eee64ab17069f945509cd6c4a7485 1877 2fe1bbc331e1bd573038ec703ca28601d861ad1e9684ec89d57bc22986acb0e 1878 U = k*B = 1879 5114dc4e741b7c4a28844bc585350240a51348a05f337b5fd75046d2c2423f7a 1880 V = k*H = 1881 a6d5780c472dea1ace78795208aaa05473e501ed4f53da57e1fb13b7e80d7f59 1882 pi = aca8ade9b7f03e2b149637629f95654c94fc9053c225ec21e5838f193af2b727 1883 b84ad849b0039ad38b41513fe5a66cdd2367737a84b488d62486bd2fb110b4801a46b 1884 fca770af98e059158ac563b690f 1885 beta = d938b2012f2551b0e13a49568612effcbdca2aed5d1d3a13f47e180e012189 1886 16e049837bd246f66d5058e56d3413dbbbad964f5e9f160a81c9a1355dcd99b453 1888 A.4. ECVRF-EDWARDS25519-SHA512-Elligator2 1890 These three example secret keys and messages are taken from 1891 Section 7.1 of [RFC8032]. 1893 SK = 9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60 1894 PK = d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a 1895 alpha = (the empty string) 1896 x = 307c83864f2833cb427a2ef1c00a013cfdff2768d980c0a3a520f006904de94f 1897 In Elligator: r = 1898 9ddd071cd5837e591a3a40c57a46701bb7f49b1b53c670d490c2766a08fa6e3d 1899 In Elligator: w = 1900 c7b5d6239e52a473a2b57a92825e0e5de4656e349bb198de5afd6a76e5a07066 1901 In Elligator: e = -1 1902 H = 1c5672d919cc0a800970cd7e05cb36ed27ed354c33519948e5a9eaf89aee12b7 1903 k = 868b56b8b3faf5fc7e276ff0a65aaa896aa927294d768d0966277d94599b7afe4 1904 a6330770da5fdc2875121e0cbecbffbd4ea5e491eb35be53fa7511d9f5a61f2 1905 U = k*B = 1906 c4743a22340131a2323174bfc397a6585cbe0cc521bfad09f34b11dd4bcf5936 1907 V = k*H = 1908 e309cf5272f0af2f54d9dc4a6bad6998a9d097264e17ae6fce2b25dcbdd10e8b 1909 pi = b6b4699f87d56126c9117a7da55bd0085246f4c56dbc95d20172612e9d38e8d7 1910 ca65e573a126ed88d4e30a46f80a666854d675cf3ba81de0de043c3774f061560f55e 1911 dc256a787afe701677c0f602900 1912 beta = 5b49b554d05c0cd5a5325376b3387de59d924fd1e13ded44648ab33c21349a 1913 603f25b84ec5ed887995b33da5e3bfcb87cd2f64521c4c62cf825cffabbe5d31cc 1914 SK = 4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb 1915 PK = 3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c 1916 alpha = 72 (1 byte) 1917 x = 68bd9ed75882d52815a97585caf4790a7f6c6b3b7f821c5e259a24b02e502e51 1918 In Elligator: r = 1919 92181bd612695e464049590eb1f9746750d6057441789c9759af8308ac77fd4a 1920 In Elligator: w = 1921 7ff6d8b773bfbae57b2ab9d49f9d3cb7d9af40a03d3ed3c6beaaf2d486b1fe6e 1922 In Elligator: e = 1 1923 H = 86725262c971bf064168bca2a87f593d425a49835bd52beb9f52ea59352d80fa 1924 k = fd919e9d43c61203c4cd948cdaea0ad4488060db105d25b8fb4a5da2bd40e4b83 1925 30ca44a0538cc275ac7d568686660ccfd6323c805b917e91e28a4ab352b9575 1926 U = k*B = 1927 04b1ba4d8129f0d4cec522b0fd0dff84283401df791dcc9b93a219c51cf27324 1928 V = k*H = 1929 ca8a97ce1947d2a0aaa280f03153388fa7aa754eedfca2b4a7ad405707599ba5 1930 pi = ae5b66bdf04b4c010bfe32b2fc126ead2107b697634f6f7337b9bff8785ee111 1931 200095ece87dde4dbe87343f6df3b107d91798c8a7eb1245d3bb9c5aafb093358c13e 1932 6ae1111a55717e895fd15f99f07 1933 beta = 94f4487e1b2fec954309ef1289ecb2e15043a2461ecc7b2ae7d4470607ef82 1934 eb1cfa97d84991fe4a7bfdfd715606bc27e2967a6c557cfb5875879b671740b7d8 1936 SK = c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7 1937 PK = fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025 1938 alpha = af82 (2 bytes) 1939 x = 909a8b755ed902849023a55b15c23d11ba4d7f4ec5c2f51b1325a181991ea95c 1940 In Elligator: r = 1941 dcd7cda88d6798599e07216de5a48a27dcd1cde197ab39ccaf6a906ae6b25c7f 1942 In Elligator: w = 1943 2ceaa2c2ff3028c34f9fbe076ff99520b925f18d652285b4daad5ccc467e523b 1944 In Elligator: e = -1 1945 H = 9d8663faeb6ab14a239bfc652648b34f783c2e99f758c0e1b6f4f863f9419b56 1946 k = 8f675784cdc984effc459e1054f8d386050ec400dc09d08d2372c6fe0850eaaa5 1947 0defd02d965b79930dcbca5ba9222a3d99510411894e63f66bbd5d13d25db4b 1948 U = k*B = 1949 d6f8a95a4ce86812e3e50febd9d48196b3bc5d1d9fa7b6dfa33072641b45d029 1950 V = k*H = 1951 f77cd4ce0b49b386e80c3ce404185f93bb07463600dc14c31b0a09beaff4d592 1952 pi = dfa2cba34b611cc8c833a6ea83b8eb1bb5e2ef2dd1b0c481bc42ff36ae7847f6 1953 ab52b976cfd5def172fa412defde270c8b8bdfbaae1c7ece17d9833b1bcf31064fff7 1954 8ef493f820055b561ece45e1009 1955 beta = 2031837f582cd17a9af9e0c7ef5a6540e3453ed894b62c293686ca3c1e319d 1956 de9d0aa489a4b59a9594fc2328bc3deff3c8a0929a369a72b1180a596e016b5ded 1958 Authors' Addresses 1960 Sharon Goldberg 1961 Boston University 1962 111 Cummington St, MCS135 1963 Boston, MA 02215 1964 USA 1966 EMail: goldbe@cs.bu.edu 1968 Leonid Reyzin 1969 Boston University 1970 111 Cummington St, MCS135 1971 Boston, MA 02215 1972 USA 1974 EMail: reyzin@bu.edu 1976 Dimitrios Papadopoulos 1977 Hong Kong University of Science and Techology 1978 Clearwater Bay 1979 Hong Kong 1981 EMail: dipapado@cse.ust.hkbu.edu 1983 Jan Vcelak 1984 NS1 1985 16 Beaver St 1986 New York, NY 10004 1987 USA 1989 EMail: jvcelak@ns1.com