dleq_vrf

Crates.iodleq_vrf
lib.rsdleq_vrf
version0.0.1
sourcesrc
created_at2023-04-13 18:57:56.276211
updated_at2023-04-13 18:57:56.276211
descriptionVRFs from Chaum-Pedersen DLEQ proofs, usable in Ring VRFs
homepage
repositoryhttps://github.com/w3f/ring-vrf/tree/master/dleq_vrf
max_upload_size
id838611
size57,989
Jeff Burdges (burdges)

documentation

README

DLEQ VRF-AD

Implements the two relevant verifiable random functions (VRFs) with associated data (VRF-ADs) which arise from Chaum-Pedersen DLEQ proofs, polymorphic over Arkworks' elliptic curves.

Thin VRF aka ThinVrf provides a regular VRF similar but broadly superior to "EC VRF". Thin VRF support batch verification or half-aggregation exactly like Schnorr signatures, but which ECVRF lacks. In essence, thin VRF is a Schnorr signature with base point given by a pseudo-random (Fiat-Shamir) linear combination of base points, while EC VRF is two linked Schnorr signatures on distinct base points. Thin VRF should be slightly faster than EC VRF, be similarly sized on typical Edwards curves, but slightly larger on larger BLS12 curves. As a rule, new applications should always prefer thin VRF over EC VRF.

Pedersen VRF aka PedersenVRF resembles EC VRF but replaces the public key by a Pedersen commitment to the secret key, which makes the Pedersen VRF useful in anonymized ring VRFs, or perhaps group VRFs. We provide both batchable and nonbatchable forms of the Pedresen VRF. We favor the batchable form because our blinding factors enlarge our signatures anyways, making the batchable form less significant proportionally than batchable forms of EV VRF.

As the Pedersen VRF needs two verification equations, we support DLEQ proofs between two distinct curves provided both have the same subgroup order. Around this, we support omitting the blinding factors for cross curve DLEQ proofs, like proving public keys on G1 and G2 of a BLS12 curve have the same secret key.

Commit count: 0

cargo fmt