Verifiable Random Functions

Home , Cynthia Dwork, Moni Naor, Salil Vadhan, Shafi Goldwasser, Silvio Micali, Tal Rabin

Veriﬁable Random Functions

y z Silvio Micali Michael Rabin Salil Vadhan

Abstract random string of the proper length. The possibility thus ex-

ists that, if it so suits him, the party knowing the seed s may

We efﬁciently combine unpredictability and veriﬁability by declare that the value of his pseudorandom oracle at some

x f x

extending the Goldreich–Goldwasser–Micali construction point is other than s without fear of being detected. It

f s

of pseudorandom functions s from a secret seed , so that is for this reason that we refer to these objects as “pseudo-

s f

knowledge of not only enables one to evaluate s at any random oracles” rather than using the standard terminology

f x

x NP

point , but also to provide an -proof that the value “pseudorandom functions” — the values s come “out

f x

s is indeed correct without compromising the unpre- of the blue,” as if from an oracle, and the receiver must sim-

s f dictability of s at any other point for which no such a proof ply trust that they are computed correctly from the seed . was provided. Therefore, though quite large, the applicability of pseudorandom oracles is limited: for instance, to settings in which (1) the “seed owner”, and thus the one evaluating 1Introduction the pseudorandom oracle, is totally trusted; or (2) it is to the seed-owner’s advantage to evaluate his pseudorandom oracle correctly; or (3) there is absolutely nothing for the PSEUDORANDOM ORACLES. Goldreich, Goldwasser, and seed-owner to gain from being dishonest.

Micali [GGM86] show how to simulate a random ora-

f x

One efﬁcient way of enabling anyone to verify that s b

cle from a-bit strings to -bit strings by means of a con-

f x

really is the value of pseudorandom oracle s at point struction using a seed, that is, a secret and short random clearly consists of publicizing the seed s.However,this

string. They show that, if pseudorandom generators exist f

will also destroy the unpredictability of s : anyone could

[BM84, Yao82], then there exists a polynomial-time algo- f

easily compute the value of s at any point.

s rithm F such that, letting denote the seed, the func- We instead wish to provide a new type of pseudoran-

def

a b

f F s f g f g

tion s passes all efﬁ- dom oracle. Informally, we want one in which the owner f cient statistical tests for oracles. That is, to an observer s

of the seed can, as usual, evaluate s at any point, but

with sufﬁciently limited computational resources, accessing also prove (with an NP proof ) that the so obtained values

a b

g f g

a random oracle from f to is provably indis- are indeed correct without compromising the unpredictabil-

s x tinguishable from accessing (as an oracle) ,evenifal- f

ity of the value of s at any point for which no proof

F s

x gorithm is publicly known (provided that is still kept f

of correctness for s is given. That is, given an input

secret). x, the seed-owner should be able to produce in polynomial

v f x proof

time the value s together with a string ef- x

THE PROBLEM OF CONSTRUCTING VERIFIABLE PSEUDO- ﬁciently proving that v is correct. The scheme should have

RANDOM FUNCTIONS. By its very deﬁnition, a pseudoran- the property that a unique value v is provable as the value

f x dom oraclea ` la [GGM86] is not veriﬁable: without knowl- of s . We call such a mathematical object a veriﬁable

edge of the seed (or any other additional information), upon (pseudo-)random function, VRF for brevity.

z f receiving the value of a pseudorandom oracle s at point

x, one cannot distinguish it from an independently selected A WEAKER SOLUTION: PSEUDORANDOM ORACLES + ZERO-KNOWLEDGE PROOFS. If interaction were allowed, Laboratory for Computer Science, MIT, Cambridge, MA 02139. VRFs could be constructed from GGM pseudorandom or- y Department of Applied Science, Harvard University, Cambridge, MA 02138. Work supported in part by NSF Contract CCR-9877138. acles via zero-knowledge proofs [GMR89] and a commit-

z MIT Laboratory for Computer Science. 545 Technology Square. ment scheme. Indeed, as suggested in a signature scheme Cambridge, MA 02139. E-mail: [email protected]. of Bellare and Goldwasser [BG89], the owner of the seed

URL: http://theory.lcs.mit.edu/˜salil. Supported by a

DOD/NDSEG fellowship and partially by DARPA grant DABT63-96-C- Strictly speaking, we actually allow “MA proofs”, since their veriﬁ- 0018. cation may be probabilistic.

s f c

to a pseudorandom oracle s can publish a commitment changed. But VRFs may also be useful in settings where v

to s. Whenever he wishes to prove that is the value of his the public key is provided “on the ﬂy” to prove that vari- V

oracle at a point x to a veriﬁer , he proves in zero knowl- ous function values (given previously or at the same time)

V v f x c s edge to that s and that is a commitment to . are indeed consistent with one single VRF. In case the VRF Such a statement is provable in zero knowledge because all outputs strings longer than the public key, it may even be NP statements are provable in zero knowledge [GMW91]. useful to provide the public key on the ﬂy to prove that The trouble with such an approach is that it requires inter- a single value is consistent with some VRF, as this would action. A very efﬁcient incarnation of this idea is given by limit the owner to relatively few choices. Naor and Reingold [NR97], but it still suffers from the need In addition to introducing this notion, we provide an ex- for interaction. plicit VRF construction, based on a variant of the RSA as- Such interaction could be removed by using noninter- sumption. Informally stated, we prove: active zero-knowledge proofs (NIZK) [BFM88, BDMP91], as done by Bellare and Goldwasser [BG89]. This ap- Main Theorem: Assume that the RSA function with

proach however suffers from another drawback: noninterac- large prime exponents cannot be inverted in polyno-

tive zero-knowledge proofs presuppose that the prover and mial time. Then, there exists a VRF from f into

g veriﬁer share a bit-string that is guaranteed to be random. f . So the question is who is to select this shared random string

R . Each of the possibilities has a deficiency that we wish to OVERVIEW OF THE CONSTRUCTION. We motivate our avoidindefining VRFs: construction by first discussing the relationship between

1. The seed owner selects R : If the seed owner selects the VRFs and secure signature schemes. In a signature scheme shared random string improperly, the soundness of the that is existentially unforgeable against a chosen message NIZK proof system is no longer guaranteed, so there

attack [GMR88], the signature of a message x, denoted

v f x

maybemanyvalues that are “provable” as s .

x SIG , is a value that is unpredictable (even given sig-

2. The verifier selects R :Iftheverifier selects the shared natures of chosen other messages), but verifiable (given the

random string improperly, the zero-knowledge prop- proper public key). However, such schemes do not directly

x SIG x

erty of the NIZK proof system is no longer guaranteed. give rise to VRFs by setting f to be ,fortwo

f x v Thus, by proving s with respect to such an reasons:

improperly chosen R , the prover may leak knowledge 1. There may be many valid signatures for a given string

s f

about the seed and s will “lose” its pseudorandom-

x (violating the unique provability requirement).

ness.

x 2. SIG is only unpredictable, not necessarily pseudo- 3. The seed owner and verifier jointly select R by a “coin- random. flipping” protocol.: This requires interaction, which we wish to avoid. We begin by discussing the first deficiency, as it is the

4. A trusted third party selects R : We do not want to as- more serious one. Even though the deﬁnition does not guar- sume the existence of such a trusted third party. antee the uniqueness of signatures, one might hope that ex- isting signature schemes happen to have this property. How- ever, most known secure signature schemes are either prob- OUR SOLUTION. We propose a notion of VRF’s which abilistic or history dependent. Either property violates the

needs neither interaction nor sharing a guaranteed ran-

x the unique provability requirement: if we deﬁne f to be

dom string. Rather, we only require that the owner of the

x x

SIG , there may be a multiplicity of signatures of and PK

function f publish a public key , which can be viewed

x thus a multiplicity of f values, all duly provable. One as a commitment to the function f . (Indeed, something can transform a probabilistic signature scheme, such as the

must bind the owner to the function in order for “proving scheme in [GMR88], into a deterministic one if the signer

xv the statement f ” to make sense.) The crucial way uses a GGM pseudorandom oracle to replace the random- in which our notion differs from what the NIZK-based ap- ness used. Even so, this does not yield a VRF because one

proach discussed above achieves is: cannot be certain that the signer used the proper GGM ora-

x cle when producing SIG , and hence unique provability

For any public key PK , even an improperly chosen one,a

is NOT guaranteed.

f x unique value v is provable as the value of . More generally, it is not enough that the specified signing Thus, we may safely have the owner of the function unilat- algorithm produces a unique signature for every message. erally select and publish the public key. The most obvious Rather, it should be the case that the verification algorithm scenario in which this applies is when the public key can be accepts a unique (or at most one) signature for every mes- published once and for all, in a location where it cannot be sage (given any fixed, but even improperly chosen, public key). A signature scheme that satisfies this latter property rity. This restriction on input length is of no concern, be- can be thought of as a verifiable unpredictable function;that cause we increase the input length after converting it into a is, a verifiable unpredictable function is defined analogously VRF using the tree-based construction mentioned above. to a verifiable pseudorandom function except the pseudorandomness requirement is replaced with unpredictability. 2 Preliminaries So the two questions that remain are (1) do verifiable un-

predictable functions imply veriﬁable pseudorandom func-

If A is a probabilistic algorithm, then for any input

tions?, and (2) can we construct veriﬁable unpredictable

Ax x, the notation “ ” refers to the probability space that

functions? The natural approach to answering the ﬁrst ques-

A x assigns to the string the probability that , on input ,

tion is to use the hardcore bit construction of Goldreich and R

S x S Levin [GL89], which is a general tool for converting un- outputs .If is a probability space, then “ ”de-

predictability to pseudorandomness. That is, we replace notes the algorithm which assigns to x an element randomly

S x x S n

selected according to ,and“ ” denotes

x f x

the veriﬁable unpredictable function f with

x x n n

the algorithm that respectively assigns to, , ele-

f xri r h ,where is a randomly chosen binary string of the

ments randomly and independently selected according to S .

x h i

same length as f and denotes mod-2 inner product.

F x F

Note that for this construction to preserve veriﬁability, r If is a ﬁnite set, then the notation “ ” denotes the

x F p

should be placed in the public key (the proof that f algorithm that chooses uniformly from .If

R R

S y y PROBx

v hrvi b n

is a string such that together with a proof that is a predicate, the notation

Ax px y y

f xv n

). Unfortunately, it has been shown by Naor and denotes the probability

px y y n

Reingold [NR98] that using a public Goldreich–Levin vec- that will be true after the ordered ex-

R R

S y y Ax

tor does not work in general for converting unpredictable x n ecution of the algorithms . functions into pseudorandom functions. The way we get around this obstacle is by noting that, a public r can be 3 The Notion of a VRF used if we restrict to functions whose input length is logarithmically related to the security. Then, we remove this restriction on the input length via a tree-based construction 3.1 An Informal Exposition

which converts any VRF with a ﬁxed input length into one

VRF GENERATION. To be a VRF, a function f must pos-

g whose domain is f . Thus, we are left with the task of finding a veri- sess both fiable unpredictable function. Our construction builds 1. a compact, implicit representation, which does not en- upon an RSA-based unpredictable number generator of able one to evaluate f efficiently, and Shamir [Sha83], adapted to secure signature schemes by 2. a compact, explicit representation, which enables any-

[GMY83, DN94, CD96, GHR99, CS99]. Shamir shows that one to evaluate f efﬁciently.

mo d m r e e i

seeing for different exponents i

k The ﬁrst representation can be viewed as ’s public key,

r m

does does not help one predict mo d as long as

PK SK f

f , and the second as its corresponding secret key, .

all of these k exponents are relatively prime to each

SK PK f

Of course, f will be hard to compute from .Ac-

m other and to . This suggests constructing a veriﬁable

cordingly, to formalize our notion of a VRF we make use of r

unpredictable function by placing m and in the public key,

e G

i a probabilistic generating algorithm outputting a public

i v r mo d m

and deﬁning f to be . This can be ver- e

i key with its matching secret key from a sequence of coin

r mo d m iﬁed simply by checking that v ; the solution

tosses.

v Z e

to this equation will be unique as long as i is

m guaranteed to be relatively prime to . Thus, we obtain

all the desired properties as long as we can efﬁciently index VRF COMPUTATION AND VERIFICATION. Knowledge of

SK f

f enables one both to evaluate and to prove the cor- e

into a set of such i ’s which are guaranteed to be all rela-

rectness of such evaluations. We actually envisage that f

tively prime to each other and to . We accomplish this

oof is always computed together with, pr , a string “prov- by restricting to exponents which are distinct primes larger x

ing its correctness”, by running an efﬁcient algorithm F on

than m, and we index into such a set by using the prime se-

x SK f quence generator of Cachin, Micali, and Stadler [CMS99]. inputs and f . The function proper is thus evalu-

This turns out to yield a veriﬁable unpredictable function ated by running F , so as to obtain a function value and its

whose input length is logarithmically related to the secu- proof, and then “stripping out” the proof. The correctness of

oof

pr is instead veriﬁed by running an efﬁcient algorithm

V PK x f x proof r

Interestingly, they show that using a private does in fact work. This on inputs f , , ,and . For convenience, x is the only known application of the Goldreich–Levin hardcore bit where keeping the vector private is necessary. Verbatim from [BDMP91] and [GMR88].

F SK x F SK x V

we denote the two components of by (the function veriﬁer) is probabilistic; receives as

F SK x f x proof PK x v proof

and (corresponding to the and ,re- input four binary strings ( , , ,and ); and

x NO

spectively). outputs either YES or .

Because a proof of correctness for f is only checked

N N fg b s N N Let a and be any three func-

against f ’s public key, we require that it is impossible to ﬁnd

k bk sk

a public key (even a “fake” one) of a VRF for which one can tions such that a are all computable in time

k ak bk

“prove” the correctness of two different VRF outputs for the poly and and are both bounded by a polyno-

same VRF input. mial in k (except when takes on the value ). We say that

G F V

is a veriﬁable pseudorandom function (VRF) with

k bk sk input length a , output length ,andsecurity if VRF PSEUDORANDOMNESS. Our VRFs are unpredictable the following properties hold:

in a very strong sense, that suitably generalizes to our con-

text the original notion of [GGM86]. Informally, VRFs pass 1. The following conditions hold with probability

k k

PK SK G all efﬁcient statistical tests for functions at those values for over :

which no proof of correctness was provided. In essence, (a) (Domain-Range Correctness):

k bk

an efﬁcient statistical test for veriﬁable functions is an ef- a

x f g F SK x f g

for all , .

ﬁcient algorithm T that is given the public key of one of

f f

f g

our functions , and then “experiments with ”byasking (b) (Complete Provability): for all x ,if

v proof F SK x and receiving both the function value and its corresponding ,

proof of correctness at any input of its choice. After this

PROBV PK x v proof YES x experimentation phase, T outputs a string in the domain

of f ,theexam, which is supposed to be different from any

input on which it has already queried the function. At this (this probability is over the coin tosses of V ). v

point, T is provided with a value that, with equal proba-

PK x v v proof

2. (Unique Provability): For every , , , , ,

bility, consists of either (a) f evaluated at the exam or (b)

proof v v

and such that , the following holds for

a random value in f ’s range. Then enters a “judgement

i either i or :

phase,” in which it attempts to guess whether (a) or (b) is the

case (after obtaining additional function values and proofs

PROBV PK x v proof YES

i i

at points of its choice other than x). We say that our VRFs

T T

pass statistical test if the probability of guessing cor- (this probability over the coin tosses of V ).

rectly is not substantially better than .

T T T J 3. (Residual Pseudorandomness): Let E be

We ﬁnd it convenient to think of T as comprising two

T T J

any pair of algorithms such that E and

T T T

J E

components: E and . is the experimental compo-

run for a total of at most s steps when their ﬁrst

f T k

nent that queries and computes the exam, while J the T input is . Then the probability that succeeds in the

judging component that, given the exam and v ,triestodis-

following experiment is at most : f

tinguishes whether v is the value of at the exam or a ran-

PK SK

(a) Run G to obtain .

T T J

dom value. To enable coordination between E and ,we

F SK

T T J

let E pass on to not only the exam, but also any piece

PK x state (b) Run T to obtain .

of “state” information that it may deem useful. E

f g

r v F SK x

i. if ,let .

3.2 A Formal Deﬁnition R

v f g

ii. if r , choose .

F SK

T vstate guess

F V G (d) Run to obtain .

Deﬁnition (VRFs): Let , ,and be polynomial-time J

algorithms, where a

T T T x f g J

(e) E succeeds if ,

r x

(the function generator) is probabilistic; receives as guess ,and was not asked as a query to

SK T T

input a unary string (the security parameter ); and F J by either E or .

outputs two binary strings (the public key PK and se-

PK SK G f

cret key ); If , we shall refer to

F SK ak k

as an individual VRF.If for all ,we

F F F (the function evaluator) is determinis- say that the VRF has unrestricted input length.

tic; receives as input two binary strings (SK and an x

input to the VRF); and outputs two binary strings

When a takes the value , it means that the VRF is deﬁned for

F SK x x

(the value of the VRF on and the corre-

k f g

inputs of all lengths. Speciﬁcally, if a ,then is to be

proof F SK x

sponding ); and interpreted as the set of all binary strings, as usual.

Remarks. 3. (Residual Unpredictability) Let T be any algorithm

T T T F SK

sk J 1. Note the adversary E is given as that runs in time when its ﬁrst input is .Then

an oracle, and thus gets answers that include function the probability that T succeeds in the following exper-

values and proofs of their correctness. iment is at most :

ak bk

2. A VRF with input length and output length k

PK SK

1. Run G to obtain .

can and security s can be converted into one with

F SK k

T PK x guess

k ak dlog k e

input length a , output length 2. Run to obtain .

b k bk k s k sk k

, and security . a

x f g guess

3. T succeeds if ,

f xf x u f x u f x

Simply deﬁne

x F SK x

,and was not asked as a query to

u u u k

k k

,where are the ﬁrst strings of

SK T

F by .

log k e

length d . (A factor of is lost in the secu-

rity because it takes queries to to simulate a single

query to f , and because a factor of is lost in the ad- 4 Formal statement of results versary’s success probability in the “hybrid argument”

based security reduction.) First, we exhibit general techniques for converting VUFs Hence, to construct a VRF it is sufficient to fix b to VRFs and increasing the input length for VRFs. (i.e., to construct a “verifiable pseudorandom predi-

cate”), and vice versa. In this case, residual unpre- Proposition 1 (from VUF to VRF) If there is a VUF with

k bk sk

dictability can be so simpliﬁed: input length a , output length , and security ,

k ak

then, for any a , there is a VRF with input

3 . (Residual Pseudorandomness for Predicates): Let

k bk s k

length a , output length , and security

a k

T be any algorithm that runs in time

k k

s poly . k

when its ﬁrst input is . Then the probability

that T succeeds in the following experiment is at Proposition 2 (increasing the input length) If there is a

most : VRF with input length a , output length 1, and se-

PK SK

(a) Run G to obtain .

curity s , then there is a VRF with unrestricted input

F SK k

PK x guess

(b) Run T to obtain .

length, output length b , and security at least

T x f g guess

fsk g k

F SK x x

,and was not asked as a query

SK T to F by . These two propositions reduce the problem of construct-

ing VRFs to constructing VUFs. We do the latter based on T

The reasons the “judgement” component J can PRIMES

be eliminated for predicates are: (a) there are a variant of the RSA assumption. We denote by k

k RSA

the set of the -bit primes, and by k the set of com-

only two possible values for v , so all the oracle

F SK

k posite integers that are the product of two primes of length

vstate

queries that T would make

bk c k RSA k

.(For large, k contains the hardest -

v in case v or can be asked before bit inputs to any known factoring algorithm.) We make the

actually receiving v . (b) distinguishing a pred-

following assumption on the hardness of RSA, where the

x icate f from a random bit with probability

exponents are primes (1-bit) bigger than the modulus. For

sk f x

is equivalent to guessing with

k k the same probability (cf., [Yao82]). any function s computable in time poly :

In order to construct a VRF, we will ﬁrst construct a ver-

sk A The RSA -Hardness Assumption: Let be any

iﬁable unpredictable function, which can also be thought of

k probabilistic algorithm which runs in time s when its

as a signature scheme in which a unique (or at most one) k A ﬁrst input is . Then the probability that succeeds in the

signature is accepted by the veriﬁcation algorithm for every

sk following experiment is at most :

message and public key.

R R R

m RSA x Z p PRIMES

1. Select k

A mxp

Deﬁnition (VUFs): A veriﬁable unpredictable function 2. Let y .

p G F V

(VUF) (or unique signature scheme ) with input

y x mo d m

3. A succeeds if .

k bk sk length a , output length , and security is deﬁned

in the same way as a VRF, except that the Residual Pseudo- Given the state-of-the-art in computational number theory,

randomness requirement is replaced with the following: it seems reasonable to take s for a small constant

The terminology “unique signature scheme” was suggested to us by , though we will be able to construct VRFs as long as

k k Moni Naor and Omer Reingold. s .

k k

Proposition 3 (RSA-based VUFs) Let a poly

and s be any functions (both computable in time

k RSA sk

poly ). Under the -Hardness Assumption,

k bk

there is a VUF with input length a , output length

s k sk k , and security poly .

Putting all the above together, we conclude:

sk Theorem 4 Under the RSA -Hardness Assumption,

there is a VRF with unrestricted input length, output length

k sk k

b , and security poly . In particular, if

k k RSA

s (i.e., cannot be inverted in polynomial

time), then the VRF also has security k .

To deduce Theorem 4 we apply the above Propositions

k a k logsk with a . Note that this requires

Figure 1. The tree construction

knowing an apriorilower bound s on the security of

RSA . However, this drawback can be removed. That is, we

can build VRFs whose construction is independent of the

hf xri r

taken just over the choice of is at least RSA

hardness of , while the security remains polynomially

. related to that of RSA . This can be done using a standard

trick, which we describe in the full version of the paper. 3. The Goldreich–Levin reconstruction algorithm then

x f x

implies that for the same fraction ’s, itself

5 From Unpredictability to Pseudorandom- can be computed with probability at least at a

cost of increasing the running time of T by a factor of

ness

k poly .

In this section, we sketch how to prove Proposition 1, 4. All together this gives an adversary T running in time

k s f x

using the Goldreich–Levin [GL89] hardcore bit to convert s poly which guesses correctly

veriﬁable unpredictable functions to veriﬁable pseudoran- at an unseen point with probability at least

s f dom function. The construction and proof will be given in , contradicting the fact that has se-

more detail in the full version of the paper. Given a VUF curity s.

f f xhf xri f ,theVRF is deﬁned by ,where

r is a binary vector chosen uniformly and placed in the pub- 6 Increasing the input length

lic key and h denotes inner product mod 2. The proof

x v hv ri

that f consists of a value such that In this section, we sketch the proof of Proposition 2,

x v

and a proof that f . The Domain-Range Correct- which takes a VRF with small (but super-logarithmic) in- ness, Complete Provability, and Unique Provability of f put length and converts it into a VRF with unrestricted in- all follow immediately from the same properties of f . put length. The construction and its analysis will be given We now outline the steps in the proof of the residual

in more detail in the full version of the paper. Let f be unpredictability of f . Suppose, for sake of contradiction

any VRF with input length a, output length 1, and se-

s that there is an adversary T running in time that predicts

curity s. By Remark 2 after the deﬁnition of VRFs, we

f x hf xri

at an unseen value with probability at f

can easily transform f into a VRF with input length

least . Then,

a O log a b a

a , output length ,andsecu-

hf xri

1. T can actually be used to guess for a ran-

sb s k

rity s poly .

dom, prespeciﬁed x rather than one that chooses a

From this VRF f which shrinks an -bit input by one

its own. This can be done at the price of reducing T ’s x

bit, we will construct a VRF f which can take inputs of

s success probability to for ,be-

arbitrary lengths. We view f as deﬁning an inﬁnite binary

cause a random x will equal the exam chooses with

tree whose nodes are labelled by strings of length a .

a probability . (Recall that is the input length for

The root of the tree is labelled , and the two children

f .)

f y f y

of a node labelled y are labelled and (see

2. By a Markov argument, at least an fraction of the Figure 1). Now, to evaluate f on a string ,weviewthe

t T

x’s, the marginal probability that correctly guesses

f g t

bits of x as deﬁning a path of length from the

root of the tree. We deﬁne f to be the label of the node T

Actually, the choice of f and the coin tosses of should also be in-

cluded and ﬁxed with x in this probability. at the last point on this path. Now, a proof for the value of

f can be obtained by giving the labels of all nodes on this struction, we shall use the following two well-known facts

m path together with f -proofs for each label. about :

One small problem with the construction as described so

m q q Fact 1: If is the product of two distinct primes and ,

far is that the path corresponding to a string x contains the

mq q then .

path corresponding to all preﬁces of x, so having seen the

x f

proof for f , one knows the value of on all preﬁces

e m x x mo d m Fact 2: If , then the map

of x. To avoid this problem, we work with a preﬁx-free

is a permutation on Z . In particular, for any inte-

x f g

encoding of strings, which is a map x from to

x Z x r

ger r , there is at most one such that

g x y x

f such that there is no pair where is a preﬁx

rm x m

mo d (there will be none if ). This

y jx j O jxj x

of and furthermore, for all . (It is easy to

construct such a map which is efﬁciently computable, e.g., (if it exists) is denoted r and one can compute it in

e x m

polynomial time given inputs m, , ,and .

b b b b b b b b b

t t t

x So, in the actual construction, f is computed as

As outlined in the introduction, our VUF construc-

x b b y

t follows: Let and , and recur-

tion is based on the unpredictable number generator of

y f y b f x

i i i p

sively compute . is deﬁned to be

x r

Shamir [Sha83]. The value of f will be deﬁned as

y f x y y y

t t

. The proof that is a sequence

m r Z p mo d m

,where and are public and x is a

y y y f y b

i i i

such that t together with proofs that .

m x p

prime 1-bit larger than .Todeﬁne the indexing x The Domain–Range Correctness, Complete Provability, and

into a “random” set of large primes, we use a prime se-

Unique Provability of f follow from the same properties of

quence generator of Cachin et al. [CMS99], which we de- f . The proof of Residual Pseudorandomness proceeds as scribe ﬁrst. follows:

1. As long as the subtree of labels seen by the adversary THE PRIME-SEQUENCE GENERATOR. Ideally, a prime-

p a does not contain a repetition (i.e. two different nodes x

sequence generator is a 1-1 mapping x from -

in the tree that have the same label), the value of bit strings to -bit primes. Based on currently

at a new point x is equal to the value of at a new known results on the distribution of primes, such a map-

y y y b xb b b

t t point (namely t ,where ). ping certainly exists, but might not be efﬁciently com- Hence, it is not be distinguishable from random. putable, unless one uses some unproven assumption — such 2. The subtree of labels seen by the adversary does not as Cramer’s conjecture. To avoid making such assumptions,

contain a repetition: This follows from the residual we use a a construction of [CMS99], which probabilisti-

cally constructs such a mapping as follows: First, a - f

pseudorandomness of f and the fact that has a rea-

f g fk g wise independent function Q from

sonably large output length b . Suppose an efﬁcient

adversary does ﬁnd a repetition with noticeable proba- to the set of -bit integers is randomly selected and

fixed. Then, x is defined to be the first prime among

bility. Then, one can predict f by randomly guessing

x Qx Qx k

which of the two nodes in the subtree form the ﬁrst rep- Q . Primes are sufﬁciently

k etition, and using the label of the ﬁrst node to predict dense so that this sequence of independent -bit num-

the label of the second node. Being able to predict the bers will contain a prime with high probability, and even just the pairwise independence of Q guarantees that all the

value of f at a new point with probability noticeably

b p

x ’s will be distinct with high probability.

more than distinguishes it from a random value,

To implement this idea, we need a polynomial-time violating the residual pseudorandomness of f .

primality tester PrimalityTest, e.g. one of the algorithms given in [SS77, Rab80]. Such an algorithm

7 A Veriﬁable Unpredictable Function

k n

PrimalityTest takes a a -bit integer and

k k

poly random bits and outputs 1 with high prob-

n In this section we construct a VUF based on the RSA ability if is prime and outputs 0 with high probability if

hardness assumption, proving Proposition 3. First we recall n is composite. We assume that the error probability of this

k some basic number theory. algorithm is at most on -bit inputs. In order

for the ﬁnal mapping to be deterministic, the random coins

a b PrimalityTest

NUMBER THEORY. We write denote the greatest of will be externally chosen and ﬁxed and

b PrimeSeq

common divisor of positive integers a and . For a positive given as input to . Another technicality is that the

m k Q

integer m, Euler’s totient function, ,isdeﬁned as the -wise mapping will be deﬁned by a polynomial over

number of positive integers that are relatively prime GF , so a representation of this ﬁeld (i.e., an irreducible

m k

to m. Under multiplication modulo , the set of all such polynomial of degree over GF ) must be included with

integers form a group, denoted by Z . In our VRF con- . m

Now we formally describe the prime-sequence generator 1. Use PrimalityTest to compute (by trial and

PrimeSeq q q

. The only modiﬁcation to the construction of error) two random primes and (of length

k bk c m q q RSA

[CMS99] is that we force its outputs to be “truly - ). Compute ,and

mq q

bit” integers (i.e., without leading 0’s). then compute .

R R

Z coins f g

2. r , .

Description of PrimeSeq

k 3. Choose a representation for GF (by ran-

domly picking degree k polynomials over

x Q

Inputs: an a-bit string , a polynomial of degree at most Q

GF and testing for irreducibiility) and let

over GF (together with a representation of be selected uniformly from the set of all polyno-

coins k

the ﬁeld GF ), and an -bit string .

mials of degree at most over GF .

k p

Output:a -bit integer x (a prime with overwhelm-

m rQcoins m

4. Output and .

coins

ing probability over the choice of Q and ).

x f g F

x Q coins

Code for PrimeSeq : When given , the evaluation algorithm x

uses to index into the prime sequence, obtaining a prime

j k y k

1. For ,let j be the -bit string

p p r Z

x x

, and outputs the ’th root of as the value of

Qx j j j

,where denotes the ’th string in

k the VUF at . This value is its own proof, so we do not

g f under the lexicographic order and we

k include a separate proof in the output. Strictly speaking,

f g

associate GF with .

the output should be a bit-string of a ﬁxed length b ,so

PrimalityTest coins

2. Use with random coins elements of Z should be written with leading zeroes to

y k

to test each (viewed as a -bit integer) make them of length exactly k as strings. (Recall that

bk c

for primality, and let be the ﬁrst (probable) m is the product of two primes of length ,so

y y y

k k

prime in the sequence . Output

m .) p

x .

DESCRIPTION OF F

The main property of this generator that we will use is the

PK m PK

following. Inputs: A secret key SK ,where

m r Q coins x f g

and .

a k

Proposition 5 ([CMS99]) Let . Then, with prob- Output: avaluev (which is its own proof).

Q coins

m rQcoins mx

ability at least over and selected uni- Code for F :

fPrimeSeqx Q coins x f g g

PrimeSeqx Q coins formly, is a set of p

1. Compute x (We

k distinct -bit primes. p

expect x to be a -bit prime.)

r mo d m

2. Compute and output v .

THE VUF. We now decribe the VUF construction. Fix (easily done due to knowledge of ).

k sk

a , the input length, and , the assumed hardness of

p v

To check that the value of the VUF at point x is ,the

RSA ; we may assume that , as known factoring main thing the veriﬁcation algorithm needs to do is make

p RSA

algorithms (cf., [Pom90]) can be break in that much x

r v p r m v

sure that is a x ’th root of mod , i.e.,

time. For notational convenience, we will usually hide the

mo d . However, to guarantee that this value is unique, a

dependence of the parameters k , writing, for example, or

p m

it also should check that x is in fact a prime larger than

ak sk G

s instead of or . The generation algorithm

and that v .

r Z

chooses the RSA modulus m, the public whose

roots will be the values of the function, and the random- Description of V

ization needed to ﬁx the prime sequence (the polynomial Q

m r Q coins x Inputs: A public key PK , a point , and the coin tosses for PrimalityTest).

and a value v . NO

Output: YES or .

Description of k

m rQcoins xv

Code for V :

p PrimeSeqx Q coins

1. Compute x k

Inputs: a security parameter .

p m

2. Check that x is greater than and is prime

m r Q coins Outputs: a public key PK and a secret

(by running PrimalityTest using fresh random

SK PK m m RSA r Z

key ,where k ; ;

m coin tosses, not those from the public key).

coins f g Q p

;and is a polynomial of degree at

r mo d m Z v

3. Check that v and .

most over GF (together with a representa- YES

k 4. If all checks pass, output . Otherwise, out-

tion of GF ). NO

k put .

Code for G :

7.1 Correctness of the VUF construction

p k x f g

Inputs: aprime of length ,and .

G F V

In this section, we prove that described in the

Output: a polynomial Q of degree at most

s k

previous section is in fact a VRF with security k

coins

over GF and a -bit string (such that

s , establishing Proposition 3. The efﬁciency of the

PrimeSeqx Qcoins p

)

F V

algorithms G, ,and is apparent, so we proceed to the

ChoosePolyp x

other conditions. Code for :

w w f g

k 1.

DOMAIN–RANGE CORRECTNESS &COMPLETE PROV-

j j w j 2. Let be the smallest such that is prime

ABILITY. By Proposition 5, it is true that with probabil-

PrimalityTest

(by running on each of them).

ity over the generation of the keys

m r Q coins SK m

and , that all the values 3. Choose and ﬁx a representation for GF (ex-

PrimeSeqx Y y z k p actly as done in the generation algorithm ).

x are primes of length .

m m p

Since , it follows that all of these x ’s

4. Let Q be the unique polynomial of degree at most

m r p

are relatively prime with , and hence has a x ’th

over GF subject to the conditions

root modulo . Given that these roots exist, it is im-

Qx j p Qx j w j j

and for all F

mediate that will successfully compute them, establish-

k a (where j denotes the -bit representation of ing Domain–Range Correctness. Complete Provability also j , with possible leading zeroes). This step can be follows immediately; the only reason V would reject a cor- implemented using standard polynomial interpo-

rect proof is a faulty execution of the primality testing al- lation. PrimalityTest

gorithm (which occurs with exponentially R

oins f g

small probability). 5. c .

Q coins 6. Output .

UNIQUE PROVABILITY. Assume that an adversary

x f g chooses a (good-looking but illegitimate) public key Claim 6 For every , the distribution on

def

Q coins ChoosePolyp x

m rQcoins x p obtained by running for a

and consider any input .Ifx

p k

x Q coins

PrimeSeq is not prime or is not larger than random prime of length has statistical difference

Q coins

m, then the veriﬁcation algorithm will detect this and reject from the uniform distribution on .

p m

with high probability. If x is a prime larger than ,then

m r p

p It is straightforward to verify this claim using Propo- x x must be relatively prime to ,so has a unique ’th

root mod m, and this is the only value that the veriﬁcation sition 5 and the fact that the error probability of

Q coins algorithm will accept. PrimalityTest is . Of course, is only part

of the public key. We now describe how the remainder of

m p u

RESIDUAL UNPREDICTABILITY. Suppose, for sake of con- the public key is generated. On input , the follow-

G x

G F V s k T

tradiction, is not an -secure VUF and let ing algorithm will “guess” which point the adversary

T ChoosePoly

be the adversary running in time s that guesses the value will choose as its exam; use to guarantee

p p r Z

that x ; and, following [Sha83], prepare

of the function at an unseen point with probability at least m

p r

s k

. so that the x ’th root of can be easily computed for all

x x p r

T A x , while the ’th root of can be used to compute

We will use to construct an algorithm that con-

p u

sk A

tradicts the RSA -Hardness Assumption. will be the ’th root of . (This will all be proven in more detail

p u Z

given a modulus m,aprime ,and as input, from shortly.) m

which it will construct a public key PK which it will give

to T . Thus, we ﬁrst concentrate on how the public key Description of

m r Q coins Q

PK will be constructed. will be cho-

PrimeSeqx Qcoins p

RSA p k seninsuchawaythat for a m

Inputs: a modulus k ,aprime of length ,

x f g Qx j

speciﬁed . This means that should and u .

p j fk g Qx j

equal for some , while

m rQcoins x f g

Output: and .

j j

should be composite for . We want the distribution

m p u

Code for G :

p k

of Q obtained in this way (when is a random -bit

x f g prime) to be close to its distribution in the actual scheme, 1. .

which is uniform. This is done using the following proce- R

Q coins ChoosePolyp x

2. .

dure:

The statistical difference between two random variables X and is

ChoosePoly max jPROBX S PROBY S j

Description of deﬁned to be S .

Q Q

e PrimeSeqx Q coins r PK m r Q coins e p

3. Set and 2. Set and x ,

x x x x

e def

mo d m

u .

p PrimeSeqx Q coins

where x .

m rQcoins x k

4. Output and .

PK 3. Simulate T . Respond to an oracle

query y as follows:

m rQcoins x

Claim 7 The distribution on ob-

y x FAIL

R R

(a) If , abort with output .

G m RSA p PRIMES

tained by running on k , ,

e p

y y

u y x r

(b) If , respond with

u has statistical difference at most

e ep mo d m

y y

k ,where .

from the distribution obtained by running G to select

m rQcoins x

x guess T

and independently selecting uniformly 4. Obtain output from .

in f .

r mo d m FAIL

5. If guess , then output .

Claim 7 is easily deduced from Claim 6 and the fact 6. If guess , use the GCD algorithm to calcu-

u u Z

Z e p that the map is a permutation on as long as

m late such that , and output

e m e u

(which is the case, since is the product guess .

of primes greater than with high probability). By

Claim 7, if T is presented with a public key generated by

m p u u mo d m

Claim 8 A with probability

R R G

, it’s success probability will be reduced to by only an

RSA m p s

at least (over the choice of k ,

s k

exponentially small amount to . In addi- R

PRIMES u Z A

k , , and the coins of ).

m x

tion, since is independent from the public key produced

T by G (up to statistical difference ), the event that

We now quickly justify this claim. A straightforward

x T chooses as its exam is also independent of ’s success.

calculation shows that the responses to T ’s oracle queries

T x

Hence, additionally requiring that ’s success be at only

y x T

are computed correctly (when ). Thus, as long as

decreases the success probability by a factor of .To x formalize this, we consider the following experiment. does not ask oracle query , everything proceeds exactly

as in Experiment A. Our analysis of Experiment A tells us

T x

that with probability at least , does not ask query

p p

Experiment A:

r r

and guess . The GCD algorithm will

R R R

m RSA p PRIMES u Z

k k

1. ; ; p m

succeed as long as all the x ’s are distinct, and this is the R

case with overwhelming probability by Proposition 5 and

m rQcoins x G m p u

Claim 6. Assuming guess and the GCD algorithm

m r Q coins SK PK m 3. Set PK ,

succeeds, it follows that

F SK

x guess T

T x x guess F SK x

u r u

5. succeeds if , (i.e., guess

guess r mo d m x

), and was not asked to the e

u u

oracle F .

e pp p

u u mo d m By Claim 7 and the above discussion, it follows that the

def

probability that T succeeds in Experiment A is at least We now just need to analyze the running time of .

a k

s k s

. ’s running time is dominated by simulating the oracle

T A

Now we use the analysis of Shamir [Sha83], which queries of T . For every oracle query of , must com-

e a

e y

u mo d m e O k

p r u e y

pute ,where is an integer of length

shows that since where x , it is easy

x x

e k

F SK x x x T (since is the product of primes of length ).

to answer all of ’s queries for (for )

O k k

m F SK x r This modular exponenation takes time poly

without using . In addition, from ,

k T s

it is easy to compute u . In more detail, we consider the poly . Since there makes at most oracle queries,

s k s

following algorithm A. the total running time is at most poly ,vio-

lating the RSA -Hardness Assumption.

Description of A

Acknowledgments

m p k

Inputs: a k -bit modulus ,aprime of length ,and

u .

m p We thank Oded Goldreich, Shaﬁ Goldwasser, Shai

Output: u (hopefully)

Halevi, Joe Kilian, and David Mazieres, Moni Naor, and

m p u

Code for A : Omer Reingold for their insightful comments and sugges-

m rQcoins x G m p u

1. tions. References the Twenty First Annual ACM Symposium on Theory of Computing, pages 25–32, Seattle, Washington, 15– [BG89] Mihir Bellare and Shafi Goldwasser. New paradigms 17 May 1989. for digital signatures and message authentication [GMW91] Oded Goldreich, Silvio Micali, and Avi Wigderson. based on non-interactive zero knowledge proofs. Proofs that yield nothing but their validity or all lan- In G. Brassard, editor, Advances in Cryptology— guages in NP have zero-knowledge proof systems. CRYPTO ’89, volume 435 of Lecture Notes in Com- Journal of the ACM, 38(3):691–729, July 1991. puter Science, pages 194–211. Springer-Verlag, 1990, [GMR89] Shafi Goldwasser, Silvio Micali, and Charles Rack- 20–24 August 1989. off. The knowledge complexity of interactive proof [BDMP91] Manuel Blum, Alfredo De Santis, Silvio Micali, and systems. SIAM Journal on Computing, 18(1):186– Giuseppe Persiano. Noninteractive zero-knowledge. 208, February 1989. SIAM Journal on Computing, 20(6):1084–1118, De- [GMR88] Shafi Goldwasser, Silvio Micali, and Ronald L. cember 1991. Rivest. A digital signature scheme secure against [BFM88] Manuel Blum, Paul Feldman, and Silvio Micali. Non- adaptive chosen-message attacks. SIAM Journal on interactive zero-knowledge and its applications (ex- Computing, 17(2):281–308, April 1988. tended abstract). In Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, [GMY83] Shafi Goldwasser, Silvio Micali, and Andy Yao. pages 103–112, Chicago, Illinois, 2–4 May 1988. Strong signature schemes. In Proceedings of the Fif- teenth Annual ACM Symposium on Theory of Com- [BM84] Manuel Blum and Silvio Micali. How to gener- puting, pages 431–439, Boston, Massachusetts, 25– ate cryptographically strong sequences of pseudo- 27 April 1983. random bits. SIAM Journal on Computing, 13(4):850–864, November 1984. [NR97] Moni Naor and Omer Reingold. Number-theoretic constructions of efficient pseudo-random functions [CMS99] Christian Cachin, Silvio Micali, and Markus Stadler. (extended abstract). In 38th Annual Symposium on Computationally private information retrieval with Foundations of Computer Science, pages 458–467, polylogarithmic communication. In J. Stern, editor, Miami Beach, Florida, 20–22 October 1997. IEEE. Advances in Cryptology—EUROCRYPT ’99, volume 1592 of Lecture Notes in Computer Science, pages [NR98] Moni Naor and Omer Reingold. From unpredictabil- 402–414. Springer-Verlag, 1999, 2–6 May 1999. ity to indistinguishability: A simple construction of pseudorandom functions from macs (extended ab- [CD96] Ronald Cramer and Ivan Damgard.˚ New genera- stract). In Hugo Krawczyk, editor, Advances in tion of secure and practical RSA-based signatures. Cryptology—CRYPTO ’98, volume 1462 of Lec- In Neal Koblitz, editor, Advances in Cryptology— ture Notes in Computer Science, pages 267–282. CRYPTO ’96, volume 1109 of Lecture Notes in Com- Springer-Verlag, 23–27 August 1998. puter Science, pages 173–185. Springer-Verlag, 18– 22 August 1996. [Pom90] Carl Pomerance. Factoring. In Carl Pomerance, editor, Cryptology and Computational Number Theory, [CS99] Ronald Cramer and Victor Shoup. Signature schemes volume 42 of Proceedings of Symposia in Applied based on the strong RSA assumption. Technical Re- Mathematics, pages 27–47. American Mathematical port 99-01, Theory of Cryptography Library, January Society, 1990. 1999. See also revision, July 1999. [Rab80] Michael O. Rabin. Probabilistic algorithms for testing [DN94] Cynthia Dwork and Moni Naor. An efficient ex- primality. Journal of Number Theory, 12:128–138, istentially unforgeable signature scheme and its ap- 1980. plications. In Yvo G. Desmedt, editor, Advances in Cryptology—CRYPTO ’94, volume 839 of Lec- [Sha83] Adi Shamir. On the generation of cryptographically ture Notes in Computer Science, pages 234–246. strong pseudorandom sequences. ACM Transactions Springer-Verlag, 21–25 August 1994. on Computer Systems, 1(1):38–44, February 1983. [GHR99] Rosario Gennaro, Shai Halevi, and Tal Rabin. Se- [SS77] R. Solovay and V. Strassen. A fast Monte-Carlo test cure hash-and-sign signatures without the random or- for primality. SIAM Journal on Computing, 6(1):84– acle. In J. Stern, editor, Advances in Cryptology— 85, March 1977. EUROCRYPT ’99, volume 1592 of Lecture Notes in [Yao82] Andrew C. Yao. Theory and applications of trapdoor Computer Science, pages 123–139. Springer-Verlag, functions (extended abstract). In 23rd Annual Sym- 1999, 2–6 May 1999. posium on Foundations of Computer Science, pages [GGM86] Oded Goldreich, Shafi Goldwasser, and Silvio Micali. 80–91, Chicago, Illinois, 3–5 November 1982. IEEE. How to construct random functions. Journal of the ACM, 33(4):792–807, October 1986. [GL89] Oded Goldreich and Leonid A. Levin. A hard-core predicate for all one-way functions. In Proceedings of