Adaptive-Secure VRFs with Shorter Keys from Static Assumptions

Verifiable random functions are pseudorandom functions producing publicly verifiable proofs for their outputs, allowing for efficient checks of the correctness of their computation. In this work, we introduce a new computational hypothesis, the n-Eigen-Value assumption, which can be seen as a relaxation of the U_n-MDDH assumption, and prove its equivalence with the n-Rank assumption. Based on the newly introduced computational hypothesis, we build the core of a verifiable random function having an exponentially large input space and reaching adaptive security under a static assumption. The final construction achieves shorter public and secret keys compared to the existing schemes reaching the same properties

Verifiable Random Functions from Standard Assumptions

The question whether there exist verifiable random functions with exponential-sized input space and full adaptive security based on a non-interactive, constant-size assumption is a long-standing open problem. We construct the first verifiable random functions which simultaneously achieve all these properties. Our construction can securely be instantiated in symmetric bilinear groups, based on any member of the (n-1)-linear assumption family with n >= 3. This includes, for example, the 2-linear assumption, which is also known as the decision linear (DLIN) assumption

Hunting and Gathering - Verifiable Random Functions from Standard Assumptions with Short Proofs

A verifiable random function (VRF) is a pseudorandom function, where outputs can be publicly verified. That is, given an output value together with a proof, one can check that the function was indeed correctly evaluated on the corresponding input. At the same time, the output of the function is computationally indistinguishable from random for all non-queried inputs. We present the first construction of a VRF which meets the following properties at once: It supports an exponential-sized input space, it achieves full adaptive security based on a non-interactive constant-size assumption and its proofs consist of only a logarithmic number of group elements for inputs of arbitrary polynomial length. Our construction can be instantiated in symmetric bilinear groups with security based on the decision linear assumption. We build on the work of Hofheinz and Jager (TCC 2016), who were the first to construct a verifiable random function with security based on a non-interactive constant-size assumption. Basically, their VRF is a matrix product in the exponent, where each matrix is chosen according to one bit of the input. In order to allow verification given a symmetric bilinear map, a proof consists of all intermediary results. This entails a proof size of Omega(L) group elements, where L is the bit-length of the input. Our key technique, which we call hunting and gathering, allows us to break this barrier by rearranging the function, which - combined with the partitioning techniques of Bitansky (TCC 2017) - results in a proof size of l group elements for arbitrary l in omega(1)

Primary-Secondary-Resolver Membership Proof Systems

We consider Primary-Secondary-Resolver Membership Proof Systems (PSR for short) and show different constructions of that primitive. A PSR system is a 3-party protocol, where we have a primary, which is a trusted party which commits to a set of members and their values, then generates a public and secret keys in order for secondaries (provers with knowledge of both keys) and resolvers (verifiers who only know the public key) to engage in interactive proof sessions regarding elements in the universe and their values. The motivation for such systems is for constructing a secure Domain Name System (DNSSEC) that does not reveal any unnecessary information to its clients. We require our systems to be complete, so honest executions will result in correct conclusions by the resolvers, sound, so malicious secondaries cannot cheat resolvers, and zero-knowledge, so resolvers will not learn additional information about elements they did not query explicitly. Providing proofs of membership is easy, as the primary can simply precompute signatures over all the members of the set. Providing proofs of non-membership, i.e. a denial-of-existence mechanism, is trickier and is the main issue in constructing PSR systems. We provide three different strategies to construct a denial of existence mechanism. The first uses a set of cryptographic keys for all elements of the universe which are not members, which we implement using hierarchical identity based encryption and a tree based signature scheme. The second construction uses cuckoo hashing with a stash, where in order to prove non-membership, a secondary must prove that a search for it will fail, i.e. that it is not in the tables or the stash of the cuckoo hashing scheme. The third uses a verifiable ``random looking\u27\u27 function which the primary evaluates over the set of members, then signs the values lexicographically and secondaries then use those signatures to prove to resolvers that the value of the non-member was not signed by the primary. We implement this function using a weaker variant of verifiable random/unpredictable functions and pseudorandom functions with interactive zero knowledge proofs. For all three constructions we suggest fairly efficient implementations, of order comparable to other public-key operations such as signatures and encryption. The first approach offers perfect ZK and does not reveal the size of the set in question, the second can be implemented based on very solid cryptographic assumptions and uses the unique structure of cuckoo hashing, while the last technique has the potential to be highly efficient, if one could construct an efficient and secure VRF/VUF or if one is willing to live in the random oracle model

The Price of Verifiability: Lower Bounds for Verifiable Random Functions

Verifiable random functions (VRFs) are a useful extension of pseudorandom functions for which it is possible to generate a proof that a certain image is indeed the correct function value (relative to a public verification key). Due to their strong soundness requirements on such proofs, VRFs are notoriously hard to construct, and existing constructions suffer either from complex proofs (for function images), or rely on complex and non-standard assumptions. In this work, we attempt to explain this phenomenon. We show that for a large class of pairing-based VRFs, it is not possible to obtain short proofs and a reduction to a simple assumption simultaneously. Since the class of consecutively verifiable VRFs we consider contains in particular the VRF of Lysyanskaya and that of Dodis-Yampolskiy, our results explain the large proof size, resp. the complex assumption of these VRFs

Blockchain security and applications

Cryptocurrencies, such as Bitcoin and Ethereum, have proven to be highly successful. In a cryptocurrency system, transactions and ownership data are stored digitally in a ledger that uses blockchain technology. This technology has the potential to revolutionize the future of financial transactions and decentralized applications. Blockchains have a layered architecture that enables their unique method of authenticating transactions. In this research, we examine three layers, each with its own distinct functionality: the network layer, consensus layer, and application layer. The network layer is responsible for exchanging data via a peer-to-peer (P2P) network. In this work, we present a practical yet secure network design. We also study the security and performance of the network and how it affects the overall security and performance of blockchain systems. The consensus layer is in charge of generating and ordering the blocks, as well as guaranteeing that everyone agrees. We study the existing Proof-of-stake (PoS) protocols, which follow a single-extension design framework. We present an impossibility result showing that those single-extension protocols cannot achieve standard security properties (e.g., common prefix) and the best possible unpredictability if the honest players control less than 73\% stake. To overcome this, we propose a new multi-extension design framework. The application layer consists of programs (e.g., smart contracts) that users can use to build decentralized applications. We construct a protocol on the application layer to enhance the security of federated learning

Universally Composable Verifiable Random Oracles

Random Oracles werden häufig in der Kryptographie eingesetzt um sehr effiziente Instanziierungen mächtiger kryptographischer Primitive zu konstruieren. Jedoch ist diese Praxis im Allgemeinen nicht zulässig wie verschiedene Nicht-Instanziierungs-Ergebnisse für Random Oracles mittels lokal berechenbarer Familien von Funktionen durch Halevi et al. (JACM ’04) zeigt. Die Random Oracle Modell kann sicher eingesetzt werden, indem Random Oracles nicht mit einer lokal berechenbaren Hashfunktion, sondern stattdessen mit einem interaktiven Protokoll instanziiert werden. In der realen Welt könnte solch ein interaktives Protokoll beispielsweise aus einem vertrauenswürdigen Server, welcher über das Internet erreichbar ist, bestehen. Dieser Server würde sodann eine der bekannten Techniken wie lazy sampling oder das Auswerten einer Pseudo-Zufälligen Funktion verwenden, um die Funktionalität eines Random Oracle bereitzustellen. Ein klarer Nachteil dieses Ansatzes ist die große Menge an Interaktion, die bei jeder Berechnung, die eine Auswertung des Random Oracle beinhaltet, nötig ist. Wir wollen diese Interaktion auf ein Minimum reduzieren. Um obiges Unmöglichkeitsresultat zu umgehen, muss die Auswertung des Random Oracle auf einer frischen Eingabe Interaktion der auswertenden Partei mit einer anderen Partei beinhalten. Dies ist jedoch nicht der einzige Verwendungszweck von Random Oracles, der häufig in kryptographischen Protokollen auftritt. Bei einem weiteren solchen Zweck wertet zunächst eine Partei A das Orakel auf einer Eingabe aus und erhält einen Hashwert. Im Anschluss sendet A Eingabe und Ausgabe (im Kontext eines Protokolls) an eine zweite Partei B und möchte B davon überzeugen, dass das Random Oracle korrekt ausgewertet wurde. Eine einfache Möglichkeit dies zu prüfen besteht darin, dass B selbst eine Auswertung des Random Oracle auf der erhaltenen Eingabe tätigt und die beiden Ausgaben vergleicht. In unserem Kontext benötigt dies jedoch erneut Interaktion. Der Wunsch diesen zweiten Verwendungszweck nicht-interaktiv zu machen führt uns zum Begriff eines Verifiable Random Oracle (VRO) als Erweiterung eines Random Oracle. Abstrakt besteht ein VRO aus zwei Orakeln. Das erste Orakel verhält sich wie ein Random Oracle dessen Ausgabe um einen Korrektheitsbeweis erweitert wurde. Mit Hilfe dieses Beweises kann das zweite Orakel dazu verwendet werden öffentlich die korrekte Auswertung des Random Oracle zu verifizieren. Obwohl diese Orakel-basierte Formulierung nicht notwendigerweise nicht-interaktive Verifikation besitzt, so erlaubt jedoch die Einführung expliziter Korrektheitsbeweise dies. In dieser Masterarbeit formalisieren wir zunächst den Begriff eines VRO im Universal Composability Framework von Canetti (FOCS ’01). Danach wenden wir VROs auf zwei kryptographische Anwendungen an, die in ihrer ursprünglichen Formulierung das Random Oracle Modell verwenden, und zeigen, das deren Sicherheitseigenschaften erhalten bleiben. Um zu zeigen, dass unsere Definition realisierbar ist, konstruieren wir mehrere Protokolle, die die ideale VRO Funktionalität realisieren. Diese reichen von Protokollen für eine einzelne vertrauenswürdige Partei bis hin zu verteilten Protokollen, die eine gewisse Menge an böswilliger Korruption erlauben. Wir vergleichen weiterhin VROs mit ähnlichen existierenden Primitiven

Vault: Fast Bootstrapping for the Algorand Cryptocurrency

Decentralized cryptocurrencies rely on participants to keep track of the state of the system in order to verify new transactions. As the number of users and transactions grows, this requirement becomes a significant burden, requiring users to download, verify, and store a large amount of data to participate. Vault is a new cryptocurrency design based on Algorand that minimizes these storage and bootstrapping costs for participants. Vault’s design is based on Algorand’s proof-of-stake consensus protocol and uses several techniques to achieve its goals. First, Vault decouples the storage of recent transactions from the storage of account balances, which enables Vault to delete old account state. Second, Vault allows sharding state across participants in a way that preserves strong security guarantees. Finally, Vault introduces the notion of stamping certificates, which allow a new client to catch up securely and efficiently in a proof-of-stake system without having to verify every single block. Experiments with a prototype implementation of Vault’s data structures show that Vault’s design reduces the bandwidth cost of joining the network as a full client by 99.7% compared to Bitcoin and 90.5% compared to Ethereum when downloading a ledger containing 500 million transactions