Skip to content

Commit

Permalink
Start of PedersonVRF Spec and Peredson VRF Sign
Browse files Browse the repository at this point in the history
  • Loading branch information
drskalman committed Mar 26, 2024
1 parent 5fe3210 commit 28568cd
Show file tree
Hide file tree
Showing 4 changed files with 77 additions and 5 deletions.
1 change: 1 addition & 0 deletions Specification.toml
Original file line number Diff line number Diff line change
Expand Up @@ -17,5 +17,6 @@ vrf-keys = "dleq_vrf/src/keys.rs"
## Thin VRF

## Pedersen VRF
pedersen-vrf = "dleq_vrf/src/pedersen.rs"

# Bandersnatch VRF
34 changes: 31 additions & 3 deletions dleq_vrf/src/pedersen.rs
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,18 @@
// Authors:
// - Jeffrey Burdges <jeff@web3.foundation>

//~ ### Pedersen VRF
//~
//~ Strictly speaking Pederson VRF is not a VRF. Instead, it proves
//~ that the output has been generated with a secret key associated
//~ with a blinded public (instead of public key). The blinded public
//~ key is a cryptographic commitement to the public key. And it could
//~ unblinded to prove that the output of the VRF is corresponds to
//~ the public key of the signer.
//~
//! ### Pedersen VRF routines
//!
//!
use ark_ff::PrimeField;
use ark_ec::{AffineRepr, CurveGroup};
use ark_serialize::{CanonicalSerialize,CanonicalDeserialize};
Expand Down Expand Up @@ -231,6 +239,20 @@ where K: AffineRepr, H: AffineRepr<ScalarField = K::ScalarField>,
Witness { r, k }
}

//~ ### Pedersen VRF Sign
//~ **Inputs**:\
//~ - Transcript $t$ of `ArkTranscript` type\
//~ - $inputs$: An array of points on elliptic curve $E$.\
//~ - $sb$: Blinding coefficient $\in F$\
//~ - $sk$: A VRF secret key.\
//~ - $pk$: VRF verification key corresponds to $sk$.\
//~ **Output**:\
//~ - $signature$: of VRFPreOutput type.
//~
//~ ---
//~

///
/// Sign Pedersen VRF signature
///
/// We create the secret blinding unless the user supplies one.
Expand All @@ -245,19 +267,25 @@ where K: AffineRepr, H: AffineRepr<ScalarField = K::ScalarField>,
let flavor = self;
let mut t = t.into_transcript();
let t = t.borrow_mut();
//~ 1. AddLabel(t, "PedersenVRF")
t.label(b"PedersenVRF");
let io = vrf::vrfs_merge(t, ios);

// Allow derandomization by constructing secret_blinding and
// witness as late as possible.
let secret_blinding = secret_blinding.unwrap_or_else( || secret.new_secret_blinding(t) );
//~ 2. $compk = sk*G + b*K$
let compk = flavor.compute_blinded_publickey(secret.as_publickey(), &secret_blinding);
//~ 3. AddLabel("KeyCommitment")
//~ 1. Append(t, compk)
t.label(b"KeyCommitment");
t.append(&compk);

// In principle our new secret blinding should be derandomizable
// if the user supplied none.
// if the user supplied none.
//~ 1. $w \leftarrow GeneratePedersenFiatShamir(t,inputs,secret)$
let w = flavor.new_pedersen_witness(t,&io.input,secret);
//~ 1. $signature \leftarrow GeneratePedersonProof(t,sb,sk,compk)$
//~ 1. **return** $signature$
let signature = w.sign_final(t,&secret_blinding,secret,compk).0;
( signature, secret_blinding )
}
Expand Down
44 changes: 43 additions & 1 deletion spec/specification.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,19 @@ where
- $ArkTranscript$ function is described in [[ark-transcript]] section.
- $H2C: B \rightarrow G$ is a hash to curve function correspond to curve $E$ specified in Section [[hash-to-curve]] for the specific choice of $E$

## EC VRF Input
The EC-VRF input ultimately is a point on the elliptic curve
as out put of hash of the transcript using arkworks chosen hash
for the given curve.

VRF Input point should always be created locally, either as a hash-to-cuve
output of the transcripto or ocasionally some base point.
It should never be sent over the wire nor deserialized???Do you mean serialized?


**Definition**: *VRF pre-output* is defined to be a point in $G$ in serialized affine representation
** Definition **: *VRF InOut* is defined as a pair as follows:
$$(VRF Input, VRF Preoutput)$$



Expand Down Expand Up @@ -72,13 +85,42 @@ As the Pedersen VRF needs two verification equations, we support
DLEQ proofs between two distinct curves provided both have the same
subgroup order. Around this, we support omitting the blinding factors
for cross curve DLEQ proofs, like proving public keys on G1 and G2
of a BLS12 curve have the same secret key.
of a BLS12 curve have the same secret key.



### Thin VRF

### Pedersen VRF
### Pedersen VRF

Strictly speaking Pederson VRF is not a VRF. Instead, it proves
that the output has been generated with a secret key associated
with a blinded public (instead of public key). The blinded public
key is a cryptographic commitement to the public key. And it could
unblinded to prove that the output of the VRF is corresponds to
the public key of the signer.

### Pedersen VRF Sign
**Inputs**:\
- Transcript $t$ of `ArkTranscript` type\
- $inputs$: An array of points on elliptic curve $E$.\
- $sb$: Blinding coefficient $\in F$\
- $sk$: A VRF secret key.\
- $pk$: VRF verification key corresponds to $sk$.\
**Output**:\
- $signature$: of VRFPreOutput type.

---

1. AddLabel(t, "PedersenVRF")
1. $compk = sk*G + b*K$
1. AddLabel("KeyCommitment")
1. Append(t, compk)
1. $w \leftarrow GeneratePedersenFiatShamir(t,inputs,secret)$
1. $signature \leftarrow GeneratePedersonProof(t,sb,sk,compk)$
1. **return** $signature$


## Bandersnatch VRF

3 changes: 2 additions & 1 deletion specification_template.md
Original file line number Diff line number Diff line change
Expand Up @@ -48,13 +48,14 @@ As the Pedersen VRF needs two verification equations, we support
DLEQ proofs between two distinct curves provided both have the same
subgroup order. Around this, we support omitting the blinding factors
for cross curve DLEQ proofs, like proving public keys on G1 and G2
of a BLS12 curve have the same secret key.
of a BLS12 curve have the same secret key.


{sections.dleq-vrf-preliminaries}
### Thin VRF

### Pedersen VRF
{sections.pedersen-vrf}

## Bandersnatch VRF

0 comments on commit 28568cd

Please sign in to comment.