Verifiable Random Function using Ed25519 curve.
Setup: Secret key x, public key g^x
Prove (input α):
h = H1(α)andγ = h^x- Choose random
k c = H3(g, h, g^x, γ, g^k, h^k)- Let
s = k - cx mod q. - Output:
- VRF output
β = H2(γ) - VRF proof
π = (γ, c, s)
- VRF output
Verify (input α, proof π = (γ, c, s), public key g^x):
-
u = (g^x)^c ⋅ g^sNote, if everything is correct:
$$u = (g^x)^c ⋅ g^s = g^xc ⋅ g^{k - cx} = g^xc ⋅ g^k ⋅ (g^{cx})^{-1} = g^k$$ -
h = H1(α)andv = γ^c ⋅ h^sNote, if everything is correct:
$$v = γ^c ⋅ h^s = γ^c ⋅ h^{k - cx} = γ^c ⋅ h^k ⋅ (h^{cx})^{-1} = γ^c ⋅ h^k ⋅ (γ^c)^{-1} = h^k$$ -
Check:
c = H3(g, h, g^x, γ, u, v) -
Output:
β = H2(γ)
cargo run --release
cargo test --release