
7.1 Lessons learned

Verifiable random/unpredictable functions, defined by Micali et al. [55], are functions which look random or unpredictable, in the computational sense, but a prover (who knows a secret key) can prove the value of the function on a given element, to a verifier that knows only the public key of the function. In our constructions we use a weaker variant of both primitives. We will define both the original primitives and their variations, as we will also consider implementations of VRFs and VUFs for our constructions (although they have stronger requirements than we need). All the discussed primitives are verifiable functions and use the following three algorithms:

Definition 8. A verifiable function (VF) is a function $F : \{0,1\}^{seed(k)} \times \{0,1\}^{in(k)} \to \{0,1\}^{out(k)}$, where $seed$, $in$ and $out$ are polynomials in the security parameter $k$ and are efficiently computable. $F$ has three algorithms $(Setup, Prove, Verify)$ such that:

$Setup(1^k)$: gets as input the security parameter $k$ and outputs the public and secret keys $(PK, SK)$.

$Prove_{SK}(x)$: gets as input the secret key $SK$ and $x \in \{0,1\}^{in(k)}$ and outputs the evaluation of the function on $x$ and its proof, $(F_{SK}(x), \pi_{SK}(x))$.

$Verify_{PK}(x, y, \pi)$: gets a proof $\pi$ that $F_{SK}(x) = y$ and verifies it is correct. Returns 1 when the proof is valid and 0 otherwise.

We require three properties from verifiable functions. The completeness requirement, which is called provability, states that if the value of the function and its proof over $x$ were computed honestly, then they will be verified successfully with probability 1. More formally:

Definition 9. Provability.

The second requirement is a soundness condition, which is called uniqueness and trusted uniqueness. This requirement states that no false statement can be proven in the system, i.e. that $F(x)$ is unique and cannot be proven to be a different value, either for all public keys or for validly chosen public keys. We will require not only that our verification accepts at most one evaluation per element, but also that an overwhelming fraction of the domain has an evaluation (i.e. some value which can be verified successfully). More formally:

Definition 10. Uniqueness and Trusted Uniqueness.

1. Uniqueness. For every public key $PK$ there does not exist any tuple $(x, y_1, y_2, \pi_1, \pi_2)$ such that $y_1 \neq y_2$ and both $Verify_{PK}(x, y_1, \pi_1) = 1$ and $Verify_{PK}(x, y_2, \pi_2) = 1$. For every such $PK$ there is an overwhelming fraction of the domain for which for every $x$ there is a $y$ and $\pi$ such that $Verify_{PK}(x, y, \pi) = 1$.

2. Trusted Uniqueness. For every validly chosen public key $PK \in Setup(1^k)$, there does not exist any tuple $(x, y_1, y_2, \pi_1, \pi_2)$ such that $y_1 \neq y_2$ and both $Verify_{PK}(x, y_1, \pi_1) = 1$ and $Verify_{PK}(x, y_2, \pi_2) = 1$. For every such $PK$ there is an overwhelming fraction of the domain for which for every $x$ there is a $y$ and $\pi$ such that $Verify_{PK}(x, y, \pi) = 1$.

The third condition we require determines the randomness of the function. We can choose between pseudorandomness and unpredictability, where the first means one cannot distinguish between a random value and $F(x)$ and the latter means one cannot compute $F(x)$. We can also choose between existential and selective randomness, i.e. whether the adversary in the security game gets to choose its target element $x$ ahead of time (before getting the public key) or at a time of its choosing. We define the four notions of randomness more formally:

Definition 11. Pseudorandomness and Unpredictability, both selective and existential.

1. Selective Pseudorandomness. All probabilistic polynomial time adversaries with oracle access to $Prove_{SK}(\cdot)$ cannot distinguish between a random value $r \in \{0,1\}^{out(k)}$ and $F_{SK}(x)$ with more than a negligible advantage, where the adversary gets to choose $x$ ahead of time, i.e. before getting the public key $PK$. The adversary is not allowed to query the oracle on $x$ at any point in time.

2. (Existential) Pseudorandomness. Similar to selective pseudorandomness, but the adversary gets to choose its target $x$ at any time it chooses to.

3. Selective Unpredictability. All probabilistic polynomial time adversaries with oracle access to $Prove_{SK}(\cdot)$ cannot compute $F_{SK}(x)$ with more than negligible probability, where the adversary gets to choose $x$ ahead of time, i.e. before getting the public key $PK$. The adversary is not allowed to query the oracle on $x$ at any point in time.

4. (Existential) Unpredictability. Similar to selective unpredictability, but the adversary gets to choose its target $x$ at any time it chooses to.

Originally Micali et al. defined VRFs to be verifiable functions with provability, uniqueness and (existential) pseudorandomness, and VUFs to be the same but with (existential) unpredictability instead of pseudorandomness. Their requirements are too strong for our needs in constructing PSR systems. Instead of uniqueness we only require our functions to have trusted uniqueness, as the party that generates the keys for the verifiable functions will be the primary, which is a trusted party; thus we do not need the very stringent requirement of uniqueness to hold for all public keys, just for validly chosen ones. Note that Brakerski et al. [20] presented a different weakening of verifiable random/unpredictable functions, where the pseudorandomness/unpredictability only holds for randomly chosen elements. This primitive is too weak for us, as we are not guaranteed that the set of values $F(R)$ will look random, since $R$ is not chosen randomly, and that randomness is critical for the ZK property we desire from our construction.

We show two constructions of PSR systems with verifiable functions, one with pseudorandom functions and the second with unpredictable functions. Again, we do not need the existential notion of randomness defined originally for VRFs and VUFs, as the selective version suffices for our constructions. The pseudorandomness property gives us the ability to replace the set of values $F(R) = \{F(x_i) \mid x_i \in R\}$ with a set of random values without an adversary noticing the difference, which gives us the zero-knowledge property we desire. As the set $R$ is chosen ahead of time by the primary, the notion of selective pseudorandomness suffices for our needs. We use the unpredictable functions to construct pseudorandom functions, so again selective security suffices. As most previous work on the subject concentrated on constructing VRFs and VUFs, we can use existing constructions of VUFs and VRFs and plug them into the constructions described in Section 7.2 and Section 7.3. Besides such existing constructions, we can also use other constructions such as the GHR signature scheme [33], described in Section 7.3, which is not a VUF, as it only has the trusted uniqueness property, but trusted uniqueness suffices for our needs.

We call verifiable functions which have provability, trusted uniqueness and selective pseudorandomness trusted selective verifiable random functions (or tsVRF for short), and the selective unpredictable variant will be called trusted selective verifiable unpredictable functions (or tsVUF for short).
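As an added worked example (my own illustration, not a construction stated in this section), the three algorithms of Definition 8 instantiated in Python as a toy RSA full-domain-hash verifiable function: the RSA instantiation, the hashes h1/h2 and the tiny parameters are all assumptions. It also shows why only trusted uniqueness (Definition 10) is claimed for such a function: the one-proof-per-x guarantee in verify relies on the key being a valid RSA key, which is exactly what holds when the trusted primary runs Setup.

```python
import hashlib

# Toy RSA parameters, constructed for illustration only (two Mersenne primes,
# ~150-bit modulus): far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537

def setup():
    """Setup(1^k): run by the trusted primary, which keeps SK = (n, d)."""
    n, phi = P * Q, (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # needs gcd(E, phi) = 1, which holds for these primes
    return (n, E), (n, d)  # (PK, SK)

def _h1(x: bytes, n: int) -> int:
    """Full-domain hash of x into [2, n-1] (assumed hash, not the paper's)."""
    digest = hashlib.sha256(b"h1" + x).digest()
    return 2 + int.from_bytes(digest, "big") % (n - 2)

def _h2(pi: int, n: int) -> bytes:
    """Derives the output F_SK(x) in {0,1}^out(k) from the proof value pi."""
    width = (n.bit_length() + 7) // 8
    return hashlib.sha256(b"h2" + pi.to_bytes(width, "big")).digest()

def prove(sk, x: bytes):
    """Prove_SK(x) -> (F_SK(x), pi_SK(x)); pi is an RSA-FDH signature on x."""
    n, d = sk
    pi = pow(_h1(x, n), d, n)
    return _h2(pi, n), pi

def verify(pk, x: bytes, y: bytes, pi: int) -> int:
    """Verify_PK(x, y, pi): 1 iff pi proves F_SK(x) = y, using PK only.
    For a valid RSA key pi -> pi^e mod n is a bijection, so exactly one pi
    (hence one y) verifies per x; a malformed key gives no such guarantee,
    which is why only trusted uniqueness is claimed."""
    n, e = pk
    if not 1 < pi < n or pow(pi, e, n) != _h1(x, n):
        return 0
    return 1 if _h2(pi, n) == y else 0

def demo():
    """Provability (honest proof accepted) and uniqueness (other claims rejected)."""
    pk, sk = setup()
    x = b"example.com"  # constructed sample input
    y, pi = prove(sk, x)
    honest = verify(pk, x, y, pi)             # 1: honest (y, pi) verifies
    other_y = verify(pk, x, bytes(32), pi)    # 0: same x, different claimed y
    reused = verify(pk, b"other.com", y, pi)  # 0: the proof is bound to x
    return honest, other_y, reused
```

Because prove is deterministic and the verifier never sees SK, the primary can precompute F(R) for its chosen set R and hand out only (y, pi) pairs, which is the usage pattern the PSR constructions rely on.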
