Fact-checked by Grok 2 weeks ago

Verifiable random function

A verifiable random function (VRF) is a public-key that functions as a , enabling the secret holder to compute a pseudorandom output for any input along with a non-interactive proof of correctness, which can be verified by anyone using the corresponding public key without revealing the secret or compromising at other inputs. VRFs were introduced in 1999 by Silvio Micali, Michael Rabin, and Salil Vadhan to address the limitations of traditional pseudorandom functions, which lack verifiability without exposing the secret seed, by extending the Goldreich-Goldwasser-Micali construction to include efficient, non-interactive proofs based on the RSA assumption. Their design draws from probabilistic signature schemes and aims to simulate a verifiable , allowing applications requiring trusted yet unpredictable without interactive zero-knowledge proofs. The core security properties of a VRF include domain-range correctness, ensuring outputs fall within the specified ; complete and unique provability, where proofs are accepted with overwhelming probability and only one output is provable per input; and residual pseudorandomness, making unproven outputs computationally indistinguishable from random. Modern definitions, as standardized in RFC 9381, emphasize full uniqueness (no multiple proofs for different outputs), full collision resistance (distinct inputs yield distinct outputs), and full pseudorandomness (outputs appear random absent the proof). Constructions of VRFs typically rely on established assumptions: the original RSA-based scheme uses full-domain hashing, while variants (ECVRFs) leverage the decisional Diffie-Hellman problem in the model, with efficient implementations on curves like Ed25519 for short keys and proofs. These have evolved through subsequent research, including bilinear map-based designs for shorter proofs and keys, enhancing practicality for resource-constrained environments, and recent post-quantum secure constructions based on problems and isogenies to withstand quantum attacks. VRFs find critical applications in privacy-preserving protocols, such as preventing offline enumeration attacks on hash-based data structures in systems like DNSSEC, and in blockchain consensus mechanisms, including secret leader election in proof-of-stake networks to generate unbiased randomness verifiable by all participants.

Definition and Properties

Overview

A verifiable random function (VRF) is a public-key version of a pseudorandom function that produces a pseudorandom output and a proof of correctness, allowing anyone to verify the output against the public key without access to the secret key. The primary inputs are a secret key held privately by the evaluator and an input string, while the outputs consist of the pseudorandom value and a compact proof demonstrating that the value was computed correctly using the secret key. This design ensures that only the secret key holder can generate valid outputs, but verification remains efficient and public. VRFs extend traditional pseudorandom functions by incorporating verifiability, which prevents issues like offline attacks on hash-based structures and enables secure, trustless randomness generation in distributed environments such as blockchain protocols. To illustrate, a VRF operates like a system where the organizer uses a secret process to select a winner but provides a verifiable ticket that proves fairness to all participants without revealing the underlying mechanism. Introduced in the late , VRFs were created to enable verifiable computation of pseudorandom values in cryptographic settings where trust is limited.

Formal Definition

A verifiable random function (VRF) is defined as a consisting of three probabilistic polynomial-time : a Gen, an Eval, and a Verify. The Gen(1^k) takes a security parameter k and outputs a public pk and a corresponding secret sk, where k determines the input and output lengths as polynomials a(k) and b(k), respectively; typically, the input x is from {0,1}^{a(k)} and the output y from {0,1}^{b(k)} with b(k) ≈ a(k) to maintain security levels. The evaluation algorithm Eval(sk, x) takes the secret key sk and an input x ∈ {0,1}^{a(k)}, and deterministically produces an output y ∈ {0,1}^{b(k)} and a proof π, such that y = F_{sk}(x) for an underlying pseudorandom function F, and π serves as a proof of correct ; for any fixed sk and x, always yields the same y and π, ensuring uniqueness. The verification algorithm Verify(pk, x, y, π) takes the public key , input x, purported output y, and proof π, and outputs 1 (accept) or 0 (reject); it accepts with overwhelming probability (1 - negl(k)) if y = F_{sk}(x) and π is the valid proof from Eval(sk, x), and rejects otherwise, while y appears to parties without sk given only and x. Formally, a VRF scheme is specified as (Gen, Eval, Verify), satisfying: \text{Verify}(pk, x, y, \pi) = 1 \iff y = F_{sk}(x) \land \pi \text{ is valid proof}, where the equality holds with overwhelming probability over the randomness in Gen and Verify, and negl(k) denotes a negligible function in k.

Security Properties

Verifiable random functions (VRFs) are designed to satisfy several core cryptographic security properties that ensure their outputs behave like pseudorandom values while allowing efficient verification of correctness. These properties, originally formalized by Micali, Rabin, and Vadhan, distinguish VRFs from standard pseudorandom functions by incorporating provability without compromising secrecy. The properties are typically analyzed in the random oracle model, where security reductions rely on assumptions like the hardness of the RSA problem, though some constructions extend to the standard model. Pseudorandomness ensures that the VRF output y for a given input x and public key pk is computationally indistinguishable from a uniformly random value, even for an adversary that has observed multiple legitimate evaluations on other inputs. This holds under a residual pseudorandomness notion, where the adversary cannot predict or distinguish the output at unqueried points. Formally, security is defined via a game between a challenger and an adversary \mathcal{A}: the challenger generates key pair (pk, sk); \mathcal{A} adaptively queries the evaluation oracle on inputs x_i \neq x^* to receive (y_i, \pi_i); \mathcal{A} then chooses a challenge input x^* and receives either the true y^* = \text{Eval}(sk, x^*) or a random y^*; \mathcal{A} must guess which case occurred. The advantage of \mathcal{A} in winning this game is at most negligibly greater than $1/2. Modern standards refine this to full pseudorandomness, where the adversary may choose x^* after seeing prior outputs, or selective pseudorandomness, where x^* is fixed before key generation. Unforgeability prevents an adversary from producing a valid proof \pi and output y for a new input x not previously queried to the evaluation oracle, except with negligible probability. This property implies that only the holder of the secret key sk can generate convincing proofs, modeled similarly to existential unforgeability under chosen-message attacks (EUF-CMA) in signature schemes. In the security game, the adversary interacts with the evaluation oracle on chosen inputs, then outputs a (x, y, \pi); success requires x unqueried and \text{Verify}(pk, x, y, \pi) = 1, which occurs with negligible probability under the security parameter. Verifiability allows any party, using only the public key pk, to confirm that a provided proof \pi correctly attests to the output y = \text{Eval}(sk, x) for input x, without revealing sk or enabling . The verification algorithm \text{Verify}(pk, x, y, \pi) outputs accept with overwhelming probability if (y, \pi) is legitimately computed, ensuring : for any valid evaluation, succeeds except with negligible probability over the verifier's . This property guarantees that proofs are succinct and publicly checkable, supporting applications requiring trustless . Full uniqueness, also termed unique provability, ensures that for any fixed (sk, x), there exists exactly one valid output y and corresponding proof \pi such that \text{Verify}(pk, x, y, \pi) = 1. No two distinct proofs \pi_1 \neq \pi_2 can validate different outputs y_1 \neq y_2 for the same (pk, x), except with negligible probability; this prevents multiple parties from claiming conflicting random values from the same input. implies , where distinct inputs x_1 \neq x_2 cannot yield the same output y under trusted , though full collision resistance requires additional validation of keys to resist malicious generation. models distinguish trusted uniqueness (assuming honest key generation) from full uniqueness (robust against arbitrary keys). These properties are analyzed against probabilistic polynomial-time adversaries in either the random oracle model, which idealizes hash functions as perfect s for provable security, or the standard model for constructions avoiding random oracles. Adversary types include those with adaptive query access, reflecting real-world threats where inputs may be chosen based on prior observations.

History and Development

Origins and Early Work

The concept of verifiable random functions (VRFs) was introduced in 1999 by Silvio Micali, Michael Rabin, and Salil Vadhan in their seminal paper presented at the 40th Annual Symposium on Foundations of (FOCS). This work addressed the need for publicly verifiable in cryptographic protocols, where a party holding a secret seed could compute pseudorandom outputs while providing concise proofs of correctness that anyone could verify using a public key, without revealing the seed or compromising security elsewhere. The primary motivations stemmed from applications requiring trustless randomness generation, such as fair coin-tossing protocols between distrusting parties, secure lotteries with tamper-proof outcomes, and key evolution mechanisms that update cryptographic keys without exposing underlying secrets. Traditional pseudorandom functions, like those from the , lacked verifiability, forcing reliance on the seed-owner's honesty or interactive proofs, which were inefficient or impractical in decentralized settings. Early concepts built on precursors including verifiable unpredictable functions (VUFs) and unique signatures, which provide uniqueness in outputs for each input. VUFs, conceptualized as signature schemes where a unique output is provably tied to an input without predictability elsewhere, served as an intermediate step toward full VRFs. The key insight was to integrate pseudorandom functions with non-interactive zero-knowledge proofs, using the public key as a to enable efficient . Initial security was established in the model under the assumption, proving that VRFs remain pseudorandom and verifiable against adaptive adversaries.

Standardization and Recent Advances

The standardization of verifiable random functions (VRFs) has progressed through efforts by the Crypto Forum Research Group (CFRG) within the Internet Research Task Force (IRTF), beginning with draft specifications in March 2018. These drafts evolved over several iterations, addressing security proofs and practical implementations, and ultimately led to the publication of in August 2023. This defines secure VRF constructions in the model, supporting both RSA-based and elliptic curve-based schemes, thereby providing a standardized framework for in cryptographic systems. Key recent advances have focused on reducing reliance on idealized models and broadening the foundational assumptions for VRFs. In 2015, Hofheinz and Jager introduced the first VRF construction from standard cryptographic assumptions, eliminating the need for the model while maintaining full security. Building on this, Bitansky's 2019 work demonstrated VRFs constructed from non-interactive witness-indistinguishable proofs, enabling more general and flexible realizations without specific algebraic structures. Further innovation appeared in 2024 with the proposal of Exponent-VRFs (eVRFs) by Boneh, Haitner, and Lindell, which output exponentiated values rather than direct pseudorandom outputs, facilitating applications like schemes in distributed settings. In 2025, Boneh et al. introduced traceable verifiable random functions (), extending VRFs to include properties for improved in multi-party settings. The surge in VRF adoption stems from the need for verifiable randomness in protocols, particularly after the 2017 cryptocurrency boom, where systems like proof-of-stake mechanisms required provably fair selection processes. Current challenges in VRF development emphasize efficiency gains, such as shorter proofs and faster verification, alongside explorations of quantum-resistant variants, including lattice-based constructions proposed in since 2020.

Constructions

RSA-Based Constructions

RSA-based constructions for verifiable random functions leverage the hardness of the , specifically the difficulty of computing e-th roots a composite without of the factorization. The seminal work by Micali, Rabin, and Vadhan introduced the concept of VRFs and provided an initial RSA-based relying on a variant of the RSA assumption with prime exponents. In this construction, key generation proceeds by selecting two large primes p and q of equal bit length, computing the modulus N = p q, and choosing a random r \in \mathbb{Z}_N^*. Additional parameters include a polynomial Q over \mathbb{GF}(2^k) and random coins for a prime sequence generator, forming the public key PK = (N, r, Q, \mathrm{coins}). The secret key SK consists of PK augmented with \phi(N) = (p-1)(q-1), which enables efficient root extraction. Evaluation on an input x first derives a prime p_x > N deterministically from x using the prime sequence generator p_x = \mathrm{PrimeSeq}(x, Q, \mathrm{coins}), verified to be prime via a probabilistic test. The VRF output v is then the p_x-th root of r modulo N, computed as v = r^{1/p_x} \mod N using the secret key \phi(N) to facilitate the exponentiation in the multiplicative group. The proof \pi is v itself, providing direct verifiability without additional interactive elements. Verification takes the public key PK, input x, output v, and recomputes p_x. It checks that p_x > N and is prime, then confirms the RSA relation v^{p_x} \equiv r \pmod{N}. If all checks pass, the verifier accepts v as correct; otherwise, it rejects. This ensures uniqueness since p_x is prime and coprime to \phi(N), making the root extraction unambiguous. The security of this scheme rests on the assumption with prime exponents: given N and r^e \mod N where e > N is prime, it is computationally infeasible to compute the e-th root without the . This yields a verifiable unpredictable (VUF), which can be extended to a full VRF using additional techniques like hardcore bits. The construction achieves existential unforgeability against chosen-message attacks (EUF-CMA) for the proofs under the assumption. follows from the unpredictability, ensuring outputs appear random to adversaries without query access. Practical -based VRFs, as standardized in 9381, simplify the approach for efficiency while maintaining security in the model. follows standard : select primes p, q, set N = p q, choose e = 65537, and compute the private exponent d such that e d \equiv 1 \pmod{\phi(N)}, with public (N, e) and secret d. For input x, compute a padded h to fill the domain (e.g., using MGF1 on a suite string, salt, and x), then the proof \pi = h^d \mod N. The VRF output \beta is a cryptographic of \pi (e.g., \beta = \mathrm{Hash}(\mathrm{suite} || 0x02 || \pi)). Verification checks \pi^e \equiv h \pmod{N} using the recomputed h from x, and confirms \beta matches the hash of \pi. This direct relation provides efficient verifiability. relies on the standard assumption, ensuring EUF-CMA for proofs and for \beta indistinguishable from random without prior proofs, in the model. Variants optimize efficiency, such as using deterministic padding schemes to reduce computation or integrating with existing infrastructures for faster key generation and evaluation. These maintain the core hardness while improving practical performance for applications requiring compact proofs.

Elliptic Curve-Based Constructions

Elliptic curve-based verifiable random functions (VRFs) leverage the problem on for efficient, compact constructions that provide verifiable pseudorandom outputs. The primary standardized approach is the Elliptic Curve VRF (ECVRF), specified in RFC 9381, which supports curves such as NIST P-256 (secp256r1) and (Edwards form). These curves enable shorter key and proof sizes compared to modulus-based alternatives, making ECVRF suitable for resource-constrained environments while maintaining security under the (ECDLP). Key generation in ECVRF involves selecting a random secret key sk as a scalar in the curve's order q, typically 256 bits for security, and computing the public key pk = sk \cdot G, where G is the base point (generator) of the curve. This process ensures the public key verifies the prover's knowledge of sk without revealing it. For evaluation on input x, the algorithm first maps x to a curve point h = \text{hash-to-curve}(x) using a deterministic encoding method, such as Simplified SWU (SSWU) for P-256 or Elligator 2 for Edwards25519, to achieve full uniqueness. The pseudorandom output precursor is then y = sk \cdot h, and a non-interactive zero-knowledge proof \pi is generated via a Schnorr-like protocol in the Fiat-Shamir heuristic. Specifically, a nonce k is generated deterministically (e.g., via RFC 6979 using sk and x); compute R_U = k \cdot G and R_V = k \cdot h; challenge c = H(R_U, R_V, y, pk, h, x) (where H hashes serialized points with suite_string || 0x02 || str(pk) || str(h) || str(y) || str(R_U) || str(R_V) || 0x00, truncated to cLen bits); and s = k + c \cdot sk \mod q, with \pi encoding y, c, and s. The VRF output \beta is \mathrm{Hash}(\mathrm{suite_string} || 0x03 || \mathrm{point\_to\_string}(\mathrm{cofactor} \cdot y) || 0x00), where cofactor is curve-specific (e.g., 1 for P-256, 4 for Ed25519 base). Verification checks the proof's correctness without computing y directly from sk. It decodes \pi to retrieve y, c, and s; recomputes h = \text{hash-to-curve}(x); and verifies U = s \cdot G - c \cdot [pk](/page/PK) and V = s \cdot h - c \cdot y, ensuring c equals the hash of the serialized points: suite_string || 0x02 || str() || str(h) || str(y) || str(U) || str(V) || 0x00 (truncated appropriately). If valid, it computes \beta from cofactor · y as above, confirming the prover used the private key corresponding to [pk](/page/PK) and followed the . This structure provides a proof of correct computation of y = · h. The core mathematics can be summarized as follows: \begin{align*} h &= \text{hash-to-curve}(x), \\ y &= sk \cdot h, \\ k &\text{ deterministic from } sk, x, \\ R_U &= k \cdot G, \\ R_V &= k \cdot h, \\ c &= H(\text{suite} || 0x02 || \text{str}(pk) || \text{str}(h) || \text{str}(y) || \text{str}(R_U) || \text{str}(R_V) || 0x00), \\ s &= k + c \cdot sk \pmod{q}, \\ \pi &= \text{encode}(y, c, s). \end{align*} For verification: \begin{align*} U &= s \cdot G - c \cdot pk, \\ V &= s \cdot h - c \cdot y, \\ \text{check } &c = H(\text{suite} || 0x02 || \text{str}(pk) || \text{str}(h) || \text{str}(y) || \text{str}(U) || \text{str}(V) || 0x00), \\ \beta &= \mathrm{Hash}(\text{suite} || 0x03 || \text{str}(\mathrm{cofactor} \cdot y) || 0x00). \end{align*} These equations instantiate the general VRF model with operations, relying on the model for security. ECVRF achieves full uniqueness through deterministic hash-to-curve, trusted , and full , meaning outputs are indistinguishable from random even for adaptively chosen inputs, assuming ECDLP hardness. With key validation enabled, it also provides full and unpredictability against malicious . While vulnerable to quantum attacks like , ongoing research explores lattice-based post-quantum VRF alternatives in the , though ECVRF remains widely adopted for its efficiency. Advantages include significantly shorter keys and proofs—around 64 bytes versus RSA's 256+ bytes—enabling faster computations and lower in protocols.

Other Constructions

Beyond and variants, VRF constructions based on bilinear maps have been proposed for applications requiring even shorter keys and proofs. These leverage pairing-friendly elliptic curves and the decisional Diffie-Hellman assumption in bilinear groups to produce verifiable outputs with proof sizes around 34 bytes, as explored in works aiming to optimize for constrained devices.

Applications

In Blockchain and Decentralized Systems

Verifiable random functions (VRFs) play a pivotal role in and decentralized systems by providing cryptographically secure, tamper-proof essential for fair processes and integrations. These functions enable decentralized networks to generate unpredictable yet verifiable outputs, mitigating risks like miner extractable value (MEV) attacks and ensuring equitable participation without relying on trusted intermediaries. In particular, VRFs underpin mechanisms for random selection and data feeds in smart contracts, fostering trust in economic incentives and protocol integrity. Chainlink VRF, launched in as part of the Chainlink oracle network's mainnet deployment, employs an elliptic curve-based verifiable random function to deliver secure directly to smart contracts. This generates pseudorandom outputs along with cryptographic proofs that can be verified on-chain, effectively preventing by miners or operators who might otherwise influence results through block production or data submission. By integrating data as inputs, Chainlink VRF ensures outputs are unbiased and reproducible only with the associated proof, making it a standard for applications requiring provable fairness, such as dynamic NFT minting and gaming outcomes. The latest release of ScaffoldStylus introduces a chainlink-vrf template, enabling trustless, randomness-powered applications on Arbitrum and easing VRF integration for Stylus builders. In blockchain consensus protocols, VRFs facilitate randomized participant selection to enhance security and decentralization. , proposed in 2017 and launched in 2019, pioneered the use of VRFs for cryptographic within its pure proof-of-stake (PPoS) mechanism. Here, each account holder computes a VRF based on their private key and the previous block's hash to determine eligibility for proposing or voting on blocks, with the probability proportional to stake. The resulting proof allows the network to verify selections without revealing participants in advance, thwarting targeted attacks and ensuring liveness even in large-scale networks. This approach selects small, random committees of validators per round, balancing efficiency and inclusivity. Oracle networks extend VRF utility to off-chain , particularly for applications demanding verifiable like and non-fungible (NFTs). Chainlink VRF, for instance, powers random attribute assignment in NFT collections and loot box mechanics in games, where outputs determine item rarity or winner selection in a manner that participants can independently audit. These uses enable dynamic, trust-minimized experiences in entertainment ecosystems. Threshold VRFs represent an advanced multi-party extension, allowing distributed across untrusted participants in decentralized autonomous organizations (DAOs). In these variants, a group jointly computes a shared VRF key without any single entity accessing the full secret, using schemes to the computation. This enables DAOs to generate verifiable for decisions, such as random formation or ordering, while distributing and resisting key compromise. Constructions like output-private distributed VRFs ensure in the random output, making them suitable for sensitive applications in collaborative environments. The primary benefits of VRFs in these systems include tamper-proof randomness generation without a central , which preserves incentives and user confidence. For example, a VRF output can seed subsequent block hashes in consensus rounds, creating a chain of verifiable unpredictability that adversaries cannot foresee or influence retroactively. This verifiability property—where proofs confirm correct computation—directly counters predictability exploits common in pseudo-random sources like timestamps. A notable case study is the adoption of VRFs in Ethereum decentralized applications (dApps), where Chainlink VRF powered growth in lotteries and prediction markets. As of Q2 2023, Chainlink VRF had fulfilled over 15.8 million requests across supported networks. By August 2024, this had grown to over 21 million requests. This integration reduced disputes and boosted user participation, with platforms like PoolTogether using VRFs for prize draws and for market settlements, demonstrating VRFs' impact on scalable, incentive-aligned DeFi primitives.

In Cryptographic Protocols

Verifiable random functions (VRFs) play a crucial role in (MPC) by enabling the generation of verifiable random beacons, which provide parties with shared randomness that can be proven correct without revealing underlying secrets. In threshold settings, VRFs can be extended to oblivious evaluation protocols, where the evaluation key is secret-shared among participants, allowing a to compute the VRF output and proof jointly while maintaining and against malicious adversaries. For instance, constructions thresholdize the Dodis-Yampolskiy VRF to support composable in MPC frameworks, even when all key holders are potentially corrupt, facilitating applications like privacy-preserving signature schemes. VRFs enhance coin-tossing protocols by providing a non-interactive mechanism for fair, verifiable random bit generation over networks, extending the interactive approach introduced by in 1983. In 's original protocol, parties commit to random bits and reveal them to agree on a shared flip, but this requires interaction and trust in honest revelation; VRFs address these limitations by allowing the seed owner to compute a pseudorandom output and proof verifiable by anyone using the public key, ensuring uniqueness and unpredictability without ongoing communication. This makes VRF-based coin tossing suitable for distributed protocols where interaction must be minimized. In protocol design, VRF outputs can derive session keys securely without exposing the master key, as demonstrated in constructions that leverage VRFs for large input spaces to generate pseudorandom values for key evolution. This approach ensures that derived keys remain unpredictable and verifiable while the seed stays protected, reducing exposure risks in long-term scenarios. Hohenberger and Waters' 2010 scheme exemplifies this by building VRFs under non-interactive assumptions, enabling efficient derivation of session-specific keys for protocols. VRFs integrate with threshold schemes, such as , to enable distributed evaluation where the secret is shared among parties, and a number can reconstruct the VRF output and proof without full reconstruction. This distributed VRF (DVRF) construction supports applications requiring collective generation, with security proven under standard assumptions like decisional Diffie-Hellman. A representative example is the use of VRFs in anonymous credentials, where the credential holder's secret seeds a VRF to generate a unique for each presentation, proving in attribute blinding without linking presentations. In decentralized anonymous credential systems, the S = f_s(0 || t || i) (with t as validity period and i as presentation index) prevents while maintaining unlinkability, verifiable via the public . Regarding efficiency, VRF proofs introduce constant O(1) overhead to standard pseudorandom function (PRF) evaluations, as the proof generation and involve fixed-size elements independent of input length, making VRFs practical for into resource-constrained protocols. Constructions like the Dodis-Yampolskiy VRF achieve short proofs (e.g., a single group element) and keys, ensuring minimal computational and communication costs beyond the base PRF.

In Network Security

Verifiable random functions (VRFs) play a crucial role in network security by enabling privacy-preserving randomization in hash-based data structures, thereby thwarting enumeration attacks such as zone walking in DNS. In DNSSEC, the NSEC5 construction employs a VRF to generate pseudorandom hashes for record sets, ensuring that only authorized parties can compute and verify the correct outputs while preventing offline attackers from inferring non-existent records or enumerating zones. This approach, proposed in research and leveraging VRFs as standardized in RFC 9381, provides verifiable uniqueness and full pseudorandomness, making it resistant to dictionary attacks on stored data. In anonymity protocols like mix-nets, VRFs facilitate verifiable random path selection without revealing underlying choices, enhancing privacy against traffic analysis. For instance, the VeraSel scheme uses VRFs to enable distributed, unbiased selection of mix nodes based on weights, allowing participants to verify the randomness and fairness of path construction while maintaining unlinkability. This prevents adversaries from influencing routes or predicting selections, as the VRF's unforgeability property ensures outputs cannot be manipulated without detection. The 2023 VeraSel scheme includes a prototype implementation for verifiable random selection in mix-nets. VRFs also support verifiable random audits in certificate transparency (CT) systems to mitigate selective disclosure risks. In extensions to CT logs, such as those proposed for key transparency, VRFs index sparse maps with pseudorandom hashes derived from user identifiers, enabling auditors to verify log consistency without learning private keys or enabling targeted revelations. This mechanism, building on CT's append-only structures, ensures that audits are random and verifiable, reducing the potential for certificate authorities to hide malicious issuances. The IETF's standardization of VRFs in RFC 9381 has paved the way for their integration into protocols like and configuration, where random interface identifiers generated via VRFs can avoid address scanning by providing verifiable yet unpredictable IDs. The verifiable uniqueness of VRF outputs, stemming from their unforgeability, prevents replay and collision attacks in these environments by ensuring each input produces a distinct, provably correct pseudorandom value.

References

  1. [1]
    None
    ### Extracted Content
  2. [2]
    RFC 9381: Verifiable Random Functions (VRFs)
    A Verifiable Random Function (VRF) is the public key version of a keyed cryptographic hash. Only the holder of the secret key can compute the hash, ...
  3. [3]
    [PDF] A Verifiable Random Function With Short Proofs and Keys
    Jan 5, 2025 · A VRF is a pseudo-random function that provides a non-interactively verifiable proof for the correctness of its output. Given an input value x, ...
  4. [4]
    [PDF] Unbiasable Verifiable Random Functions - Cryptology ePrint Archive
    Abstract. Verifiable Random Functions (VRFs) play a pivotal role in. Proof of Stake (PoS) blockchain due to their applications in secret leader.
  5. [5]
    Reviewing Verifiable Random Functions - NCC Group
    Feb 24, 2020 · This blog post will introduce VRFs in the context of other well-known cryptographic primitives, describe three example use cases, and then ...<|control11|><|separator|>
  6. [6]
    Verifiable Random Functions from Standard Assumptions
    Oct 30, 2015 · Paper 2015/1048. Verifiable Random Functions from Standard Assumptions. Dennis Hofheinz and Tibor Jager. Abstract.
  7. [7]
    Verifiable Random Functions from Non-interactive Witness ...
    Sep 4, 2019 · Verifiable random functions (VRFs) are pseudorandom functions where the owner can prove the output is correct, without compromising ...
  8. [8]
    Exponent-VRFs and Their Applications - Cryptology ePrint Archive
    Mar 4, 2024 · In this paper we introduce the notion of an exponent-VRF (eVRF): a VRF that does not provide its output y explicitly, but instead provides Y = y ...
  9. [9]
    https://link.springer.com/article/10.1007/s00145-019-09331-1
  10. [10]
    RFC 9381 - Verifiable Random Functions (VRFs) - IETF Datatracker
    Dec 12, 2023 · This document specifies VRF constructions based on RSA and elliptic curves that are secure in the cryptographic random oracle model.
  11. [11]
    Three Years on Mainnet | Chainlink Blog
    May 30, 2022 · When Chainlink launched on May 30, 2019, the protocol supported a ... VRF, enhanced efficiency with the Off-Chain Reporting protocol ...
  12. [12]
    Chainlink VRF
    Learn how to securely generate random numbers for your smart contract with Chainlink VRF (an RNG). This guide uses Solidity code examples.VRF Billing · Migrating from VRF v2 · Migrating from VRF v1 · VRF Best PracticesMissing: 2019 | Show results with:2019
  13. [13]
    Verifiable Random Function (VRF) - Explained - Chainlink
    Oct 4, 2023 · A verifiable random function (VRF) is a cryptographic function that takes a series of inputs, computes them, and produces a pseudorandom output and proof of ...
  14. [14]
    Algorand (ALGO) - Research Primer - 21Shares
    Nov 30, 2021 · The protocol employs a dual-tier network architecture, combined with a novel alteration of the Proof of stake consensus mechanism called pure- ...Executive Summary · How Algorand Works · Algorand Ecosystem
  15. [15]
    Algorand consensus
    Nodes will verify the signature of the message and then validate the selection using the VRF proof. Next, the node will compare the hash from each validated ...Algorand Consensus · Soft Vote · Verifiable Random FunctionMissing: 2017 | Show results with:2017
  16. [16]
    Algorand Releases First Open-Source Code: Verifiable Random ...
    Oct 9, 2018 · VRFs were Introduced by Micali (founder of Algorand), Rabin, and Vadhan in '99. Today the primitive is used in various cryptographic schemes, ...
  17. [17]
    Verifiable source of randomness for smart contracts - Chainlink
    Chainlink VRF provides smart contract developers with a provably fair source of randomness for building dynamic and cryptographically secure blockchain ...Missing: 2019 miner
  18. [18]
    Gaming/Metaverse track winner Clan Wars TCG | by Theta Labs
    Jul 20, 2023 · The next in our Theta Hackathon profile series is Clan Wars TCG, an NFT-based trading card game where the cards you play with are NFTs you own on Theta ...
  19. [19]
    [PDF] Output Private (Distributed) VRFs and Application to Blockchains
    Its utility ranges from generating cryptographic keys to performing simulations to facilitating online gaming. With the gigantic rise of blockchain tech- nology ...
  20. [20]
    Chainlink VRF Security Considerations - Zokyo
    Sep 3, 2024 · For example, if a block hash is used to generate randomness, miners could manipulate the hash by controlling the block's contents, thereby ...
  21. [21]
    The Chainlink Network in 2023
    Jan 19, 2023 · Chainlink VRF has established itself as a foundational tool for the blockchain gaming and NFT space, powering provably fair experiences across ...<|separator|>
  22. [22]
    Chainlink VRF | Avalanche Builder Hub
    Chainlink VRF (Verifiable Random Function) is a provably fair and verifiable random number generator (RNG) that enables smart contracts to access random values.Missing: 2019 | Show results with:2019
  23. [23]
    [PDF] Securely computing threshold variants of signature schemes (and ...
    Jun 9, 2023 · Secure multiparty computation (MPC) is a branch of cryptography that enables ... Dodis and Yampolskiy Verifiable Random Function [DY05]. In ...
  24. [24]
    Constructing Verifiable Random Functions with Large Input Spaces
    Mar 1, 2010 · We present a family of verifiable random functions which are provably secure for exponentially-large input spaces under a non-interactive complexity assumption.
  25. [25]
    [PDF] Traceable Verifiable Random Functions - Cryptology ePrint Archive
    Perhaps the most natural open problem is to come up with addi- tional constructions of traceable threshold VRFs. ... Nevertheless, the Fiat-Shamir ...
  26. [26]
    [PDF] Decentralized Anonymous Credentials
    Feb 26, 2014 · To show a credential for the ith time in validity period t, the user generates a serial number S using a verifiable random function (VRF) as ...
  27. [27]
    RFC 9381 - Verifiable Random Functions (VRFs) - IETF Datatracker
    This document specifies VRF constructions based on RSA and elliptic curves that are secure in the cryptographic random oracle model.Missing: TLS | Show results with:TLS
  28. [28]
    VeraSel: Verifiable Random Selection for Mixnets Construction - arXiv
    Jan 22, 2023 · We present VeraSel, a scheme that enables Mixnodes to be chosen according to their weights in a distributed, unbiased, and verifiable fashion ...Missing: Tor | Show results with:Tor
  29. [29]
    [PDF] Transparency Logs via Append-Only Authenticated Dictionaries
    For example, in Certificate Transparency (CT), browsers are sup- posed to ... To avoid this, CONIKS proposed using a verifiable random function (VRF) [65, 71] to ...
  30. [30]
    Arbitrum Developers Announcement on ScaffoldStylus Chainlink VRF Template
    Twitter post announcing the new chainlink-vrf template in the latest ScaffoldStylus release for building randomness-powered apps on Arbitrum.