http://en.zaoniao.it/index.php?action=history&feed=atom&title=Verifiable_random_functionVerifiable random function - Revision history2026-05-15T09:14:42ZRevision history for this page on the wikiMediaWiki 1.32.0http://en.zaoniao.it/index.php?title=Verifiable_random_function&diff=2487&oldid=prevAdmin: Created page with "'''Verifiable random function''' (VRF) was introduced by Micali, Rabin, and Vadhan. It is a pseudo-random function..."2019-03-24T06:24:57Z<p>Created page with "'''Verifiable random function''' (VRF) was introduced by <a href="/index.php?title=Silvio_Micali&action=edit&redlink=1" class="new" title="Silvio Micali (page does not exist)">Micali</a>, <a href="/index.php?title=Michael_O._Rabin&action=edit&redlink=1" class="new" title="Michael O. Rabin (page does not exist)">Rabin</a>, and <a href="/index.php?title=Salil_Vadhan&action=edit&redlink=1" class="new" title="Salil Vadhan (page does not exist)">Vadhan</a>. It is a <a href="/index.php?title=Pseudo-random_function&action=edit&redlink=1" class="new" title="Pseudo-random function (page does not exist)">pseudo-random function</a>..."</p>
<p><b>New page</b></p><div>'''Verifiable random function''' (VRF) was introduced by [[Silvio Micali|Micali]], [[Michael O. Rabin|Rabin]], and [[Salil Vadhan|Vadhan]]. It is a [[pseudo-random function]] that provides publicly verifiable proofs of its outputs' correctness. Given an input value ''x'', the owner of the secret [[key (cryptography)|key]] SK can compute the function value ''y'' = ''F''<sub>SK</sub>(''x'') and the proof ''p''<sub>SK</sub>(''x''). Using the proof and the public key <math> PK = g^{SK}</math>, everyone can check that the value ''y'' = ''F''<sub>SK</sub>(''x'') was indeed computed correctly, yet this information cannot be used to find the secret key.<br />
<br />
The original construction was rather inefficient. Later, an efficient and practical verifiable random function was proposed by Yevgeniy Dodis and Aleksandr Yampolskiy. In their construction,<br />
:<math> F_{SK}(x) = e(g, g)^{1/(x+SK)} \quad\mbox{and}\quad p_{SK}(x) = g^{1/(x+SK)}, </math><br />
where ''e''(·,·) is a [[bilinear map]].<br />
To verify whether <math>F_{SK}(x)</math> was computed correctly or not, one can check<br />
if <math>e(g^x PK, p_{SK}(x))=e(g,g)</math> and <math>e(g, p_{SK}(x))=F_{SK}(x)</math>.<br />
<br />
The proof of security relies on a new decisional bilinear Diffie-Hellman inversion assumption, which asks given <math>(g, g^{x}, \ldots, g^{(x^q)}, R)</math> as input to distinguish <math>R=e(g,g)^{1/x}</math> from random.<br />
<br />
==Uses==<br />
<br />
VRFs provide deterministic precommitments which can revealed at a later time using proofs which can only be generated by a private key. This is useful for providing a 1:1 mapping of low entropy inputs (e.g. names, email addresses, phone numbers) to some random values which can be committed to in advance, e.g. through a timestamping service such as a transparency log.<br />
<br />
Unlike traditional digital signature algorithms, VRF outputs can be published publicly without being subject to a preimage attack, even if the verifier knows the public key (but not the proof). This is useful to prevent enumeration of the names/identifiers in a directory which is using a transparency system.<br />
<br />
==Source==<br />
[http://wikipedia.org/ http://wikipedia.org/]<br />
<br />
[[Category:Cryptography]]</div>Admin