From 28568cdc453561086244f1fa42be9581a2bcf5af Mon Sep 17 00:00:00 2001
From: Skalman
Date: Tue, 26 Mar 2024 07:42:32 -0400
Subject: [PATCH] Start of PedersonVRF Spec and Peredson VRF Sign

---
 Specification.toml        |  1 +
 dleq_vrf/src/pedersen.rs  | 34 +++++++++++++++++++++++++++---
 spec/specification.md     | 44 ++++++++++++++++++++++++++++++++++++++-
 specification_template.md |  3 ++-
 4 files changed, 77 insertions(+), 5 deletions(-)

diff --git a/Specification.toml b/Specification.toml
index ff7c995..28bfde7 100644
--- a/Specification.toml
+++ b/Specification.toml
@@ -17,5 +17,6 @@ vrf-keys = "dleq_vrf/src/keys.rs"
 ## Thin VRF
 
 ## Pedersen VRF
+pedersen-vrf = "dleq_vrf/src/pedersen.rs"
 
 # Bandersnatch VRF
diff --git a/dleq_vrf/src/pedersen.rs b/dleq_vrf/src/pedersen.rs
index ad897bf..371ec42 100644
--- a/dleq_vrf/src/pedersen.rs
+++ b/dleq_vrf/src/pedersen.rs
@@ -3,10 +3,18 @@
 // Authors:
 // - Jeffrey Burdges
 
+//~ ### Pedersen VRF
+//~
+//~ Strictly speaking Pederson VRF is not a VRF. Instead, it proves
+//~ that the output has been generated with a secret key associated
+//~ with a blinded public (instead of public key). The blinded public
+//~ key is a cryptographic commitement to the public key. And it could
+//~ unblinded to prove that the output of the VRF is corresponds to
+//~ the public key of the signer.
+//~
 //! ### Pedersen VRF routines
 //!
 //!
-
 use ark_ff::PrimeField;
 use ark_ec::{AffineRepr, CurveGroup};
 use ark_serialize::{CanonicalSerialize,CanonicalDeserialize};
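Review bot: The new `//~ ### Pedersen VRF` heading duplicates the `### Pedersen VRF` heading that specification_template.md already places immediately before the `{sections.pedersen-vrf}` insertion point, so the generated spec/specification.md in this same patch renders the heading twice in a row. Either drop the heading line from this `//~` block or remove it from the template, so the heading lives in exactly one place. The prose also carries `Pederson`, `commitement`, `blinded public (instead of public key)` and `is corresponds`; because this text is extracted verbatim into the spec, I would fix the spelling and complete the phrase to `blinded public key (instead of the public key)` before it propagates.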
@@ -231,6 +239,20 @@ where K: AffineRepr, H: AffineRepr,
         Witness { r, k }
     }
 
+    //~ ### Pedersen VRF Sign
+    //~ **Inputs**:\
+    //~ - Transcript $t$ of `ArkTranscript` type\
+    //~ - $inputs$: An array of points on elliptic curve $E$.\
+    //~ - $sb$: Blinding coefficient $\in F$\
+    //~ - $sk$: A VRF secret key.\
+    //~ - $pk$: VRF verification key corresponds to $sk$.\
+    //~ **Output**:\
+    //~ - $signature$: of VRFPreOutput type.
+    //~
+    //~ ---
+    //~
+
+    ///
     /// Sign Pedersen VRF signature
     ///
     /// We create the secret blinding unless the user supplies one.
@@ -245,19 +267,25 @@ where K: AffineRepr, H: AffineRepr,
         let flavor = self;
         let mut t = t.into_transcript();
         let t = t.borrow_mut();
+        //~ 1. AddLabel(t, "PedersenVRF")
         t.label(b"PedersenVRF");
         let io = vrf::vrfs_merge(t, ios);
-
         // Allow derandomization by constructing secret_blinding and
         // witness as late as possible.
         let secret_blinding = secret_blinding.unwrap_or_else( || secret.new_secret_blinding(t) );
+        //~ 2. $compk = sk*G + b*K$
         let compk = flavor.compute_blinded_publickey(secret.as_publickey(), &secret_blinding);
+        //~ 3. AddLabel("KeyCommitment")
+        //~ 1. Append(t, compk)
         t.label(b"KeyCommitment");
         t.append(&compk);
 
         // In principle our new secret blinding should be derandomizable
-        // if the user supplied none.
+        // if the user supplied none.
+        //~ 1. $w \leftarrow GeneratePedersenFiatShamir(t,inputs,secret)$
         let w = flavor.new_pedersen_witness(t,&io.input,secret);
+        //~ 1. $signature \leftarrow GeneratePedersonProof(t,sb,sk,compk)$
+        //~ 1. **return** $signature$
         let signature = w.sign_final(t,&secret_blinding,secret,compk).0;
         ( signature, secret_blinding )
     }
diff --git a/spec/specification.md b/spec/specification.md
index b96f5c3..e9017d0 100644
--- a/spec/specification.md
+++ b/spec/specification.md
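Review bot: The **Inputs** list does not match the function it documents: `$pk$` is listed as an input, but the body (second hunk) obtains the verification key via `secret.as_publickey()` rather than taking it as a parameter, and `$sb$` is listed as required while the body falls back to `secret.new_secret_blinding(t)` when the caller supplies none. The names also drift — `sb` here but `b` in step 2's `$compk = sk*G + b*K$`, `sk` here but `secret` in the later steps — and the output is stated as `$signature$` of VRFPreOutput type although the code returns the pair `( signature, secret_blinding )` and the value comes from `sign_final`, which does not look like a pre-output. I would drop the `$pk$` line, mark `$sb$` as optional with its derivation rule, use one name per quantity throughout, and document the output as the returned pair. The function's signature lies between the two hunks, outside this one.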
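Review bot: The numbered steps leave out the transcript operations that determine the Fiat–Shamir challenge: `let io = vrf::vrfs_merge(t, ios);` absorbs the inputs into `t` between steps 1 and 2 and produces the `io.input` later fed to `new_pedersen_witness`, and `secret.new_secret_blinding(t)` derives the blinding from the transcript when none is supplied, yet neither has a step. A second implementation written from these steps alone would most likely build a different transcript and fail to verify against this one, so I would add `//~ 1. $io \leftarrow VrfsMerge(t, inputs)$` after the `AddLabel(t, "PedersenVRF")` step and a blinding-derivation step before the `compk` line. Two smaller mismatches: step 3 writes `AddLabel("KeyCommitment")` without the transcript argument that step 1 passes, and the numbering runs `1., 2., 3., 1., 1., 1.`; use `1.` throughout since the extracted Markdown renumbers anyway. The enclosing function begins above this hunk.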
@@ -19,6 +19,19 @@ where
 - $ArkTranscript$ function is described in [[ark-transcript]] section.
 - $H2C: B \rightarrow G$ is a hash to curve function correspond to curve $E$
 specified in Section [[hash-to-curve]] for the specific choice of $E$
+## EC VRF Input
+The EC-VRF input ultimately is a point on the elliptic curve
+as out put of hash of the transcript using arkworks chosen hash
+for the given curve.
+
+VRF Input point should always be created locally, either as a hash-to-cuve
+output of the transcripto or ocasionally some base point.
+It should never be sent over the wire nor deserialized???Do you mean serialized?
+
+
+**Definition**: *VRF pre-output* is defined to be a point in $G$ in serialized affine representation
+** Definition **: *VRF InOut* is defined as a pair as follows:
+$$(VRF Input, VRF Preoutput)$$
 
 
 
@@ -72,13 +85,42 @@ As the Pedersen VRF needs two verification equations, we support DLEQ
 proofs between two distinct curves provided both have the same subgroup
 order. Around this, we support omitting the blinding factors for cross
 curve DLEQ proofs, like proving public keys on G1 and G2
-of a BLS12 curve have the same secret key.
+of a BLS12 curve have the same secret key.
 
 
 
 ### Thin VRF
 
 ### Pedersen VRF
+### Pedersen VRF
+
+Strictly speaking Pederson VRF is not a VRF. Instead, it proves
+that the output has been generated with a secret key associated
+with a blinded public (instead of public key). The blinded public
+key is a cryptographic commitement to the public key. And it could
+unblinded to prove that the output of the VRF is corresponds to
+the public key of the signer.
+
+### Pedersen VRF Sign
+**Inputs**:\
+ - Transcript $t$ of `ArkTranscript` type\
+ - $inputs$: An array of points on elliptic curve $E$.\
+ - $sb$: Blinding coefficient $\in F$\
+ - $sk$: A VRF secret key.\
+ - $pk$: VRF verification key corresponds to $sk$.\
+**Output**:\
+ - $signature$: of VRFPreOutput type.
+
+---
+
+1. AddLabel(t, "PedersenVRF")
+1. $compk = sk*G + b*K$
+1. AddLabel("KeyCommitment")
+1. Append(t, compk)
+1. $w \leftarrow GeneratePedersenFiatShamir(t,inputs,secret)$
+1. $signature \leftarrow GeneratePedersonProof(t,sb,sk,compk)$
+1. **return** $signature$
+
 
 
 ## Bandersnatch VRF
diff --git a/specification_template.md b/specification_template.md
index 8e0aa14..1a1d72c 100644
--- a/specification_template.md
+++ b/specification_template.md
@@ -48,13 +48,14 @@ As the Pedersen VRF needs two verification equations, we support DLEQ
 proofs between two distinct curves provided both have the same subgroup
 order. Around this, we support omitting the blinding factors for cross
 curve DLEQ proofs, like proving public keys on G1 and G2
-of a BLS12 curve have the same secret key.
+of a BLS12 curve have the same secret key.
 
 {sections.dleq-vrf-preliminaries}
 
 ### Thin VRF
 
 ### Pedersen VRF
+{sections.pedersen-vrf}
 
 
 ## Bandersnatch VRF