Abstract

A verifiable random function is a function that provides a noninteractive, publicly verifiable proof of its output. Recently, verifiable random functions have found essential applications in designing secure consensus protocols for blockchain, and how to construct secure and practical verifiable random functions has attracted more and more attention. In this paper, we propose a practical anonymous verifiable random function. Security proofs show that the proposed anonymous verifiable random function achieves correctness, anonymity, uniqueness, and pseudorandomness. In addition, we show a concrete application of our proposed anonymous verifiable random function in blockchain to improve the consensus mechanism for Hyperledger fabric. Finally, we implement the proposed anonymous verifiable random function and evaluate its performance. Test results show that the proposed anonymous verifiable random function supports faster computing operations and has a smaller proof size.

1. Introduction

The notion of verifiable random function was proposed by Micali et al. [1] in 1999. In a verifiable random function, the verifier can verify the function value generated by the prover using a random message and secret key sk via the proof and public key pk by the prover in a noninteractive and public way as shown in Figure 1. A common verifiable random function should satisfy the following security properties. First, the verifier that receives the function value and the corresponding proof generated by the prover is able to verify that is computed correctly on input . Second, there is a unique function value corresponding to each public key pk and the verifiable random function input . Finally, there is no efficient adversary that can distinguish a function value from a random element.

Since the verifiable random function was proposed, it has been widely used in practice, for example in lottery systems [2], E-cash [3, 4], and many other situations [5]. It is also applied in the Domain Name System Security Extensions (DNSSEC) protocol [6] to prevent offline zone enumeration attacks. Besides these traditional usages, one of the most attractive recent applications is its use in blockchain to improve consensus mechanisms. Consensus mechanisms play an important role in blockchain because they are responsible for achieving data consistency among untrusted nodes. Applications utilizing verifiable random function include Algorand [7], Dfinity [8], and Ouroboros [9–11]. The main way a verifiable random function is used in a consensus mechanism can be roughly summarized as follows. Take Algorand for example; each user has a public key pk and a secret key sk. The user computes the function value through verifiable random function on a random input . If lies in the preset range, the user will be a committee member. This relationship can also be publicly verified by all users in Algorand through the verification algorithm of the verifiable random function. Furthermore, in public blockchain, current Proof-of-Stake (PoS) protocols inherently disclose both the identity and the wealth of the stakeholders and thus seem incompatible with privacy-preserving cryptocurrencies [12], so it is necessary to construct a privacy-preserving PoS protocol, that is, one where the identity of the lottery winner is kept secret by the protocol to satisfy the anonymity requirement. This also motivates the introduction of the anonymous verifiable random function.

Numerous efforts have been invested in the pursuit of diversifying and simplifying constructions and underlying assumptions of verifiable random functions [13–21]. Most of them are based on the RSA assumption or other complex assumptions. As verifiable random functions have gradually been applied in various scenarios, how to construct a more efficient verifiable random function that satisfies different security properties attracts more and more attention. Ganesh et al. [12] put forward the first verifiable random function that is anonymous, which is of independent interest. There are also many other verifiable random functions constructed under various theoretical assumptions. They all achieve the basic properties of verifiable random function except for anonymity. Therefore, in this paper, we aim to construct a more efficient anonymous verifiable random function (AVRF) that is applicable for building secure consensus mechanisms.

In addition, Hyperledger fabric [22], one of the most popular consortium blockchains, leverages the benefits of both public and private blockchains. The consensus framework in Hyperledger fabric is different from that of public blockchain. In Hyperledger fabric, there are three types of nodes: endorsers, orderers, and validators. Endorsers endorse a transaction that is proposed by the transaction proposer; then, orderers block transactions and broadcast them. Validators validate transactions and update blocks on the chain. However, there is a drawback in Hyperledger fabric. Endorsing peers (endorsers) are essential in Hyperledger fabric, as they are responsible for executing transaction proposals to ensure transaction legality and they directly process a lot of sensitive transaction data, but the endorsing peers in a consortium blockchain such as Hyperledger fabric are predetermined, and each endorser’s identity is known to all participants. Thus, they are more likely to be attacked, for example by attacks on selected endorsers to block certain transactions, and it is necessary to construct an optimized consensus scheme with privacy properties such as randomness and anonymity for the permissioned blockchain Hyperledger fabric. More precisely, endorsers should be chosen randomly, and their identities should be anonymous to avoid possible attacks. Therefore, we also utilize our proposed anonymous verifiable random function to optimize the consensus mechanism in Hyperledger fabric and eliminate this drawback.

The main contributions of this paper are summarized as follows:
(i) We propose and construct an anonymous verifiable random function. The verifier can publicly verify the correctness of the function value that is the output of the prover. Meanwhile, the prover is anonymous to the verifier.
(ii) We show a concrete application of the proposed verifiable random function. We use our anonymous verifiable random function to improve the consensus mechanism of Hyperledger fabric. We also analyze the security and the performance of the optimized consensus mechanism.
(iii) We give theoretical analysis of the proposed anonymous verifiable random function. We also implement our anonymous verifiable random function, EC verifiable random function, Dodis verifiable random function, and the Ganesh et al. anonymous verifiable random function to evaluate their performance. Theoretical and experimental analysis results show that our anonymous verifiable random function has higher computation efficiency and a smaller proof size.

1.1. Organization

We first introduce some related works in Section 2. We recall some necessary preliminaries in Section 3, and then, in Section 4, we give the concrete construction and detailed security proofs of our anonymous verifiable random function. In Section 5, we show an application of the proposed anonymous verifiable random function to improve consensus mechanism in blockchain. We then implement our anonymous verifiable random function and analyze its performance in Section 6. Conclusions are drawn in Section 7.

2. Related Work

The concept of verifiable random function was first put forth by Micali et al. [1]. Since then, verifiable random function based on elliptic curves [13] and pairing-based verifiable random function [13] have been gradually proposed. Dodis proposed a verifiable random function based on RSA [14]. In addition, some postquantum verifiable random functions [23, 24] have also been proposed, but they do not have good performance in practice. Esgin et al. [25] put forward the first practical postquantum verifiable random function. It achieves significant increase in the communication size and was applied to Algorand. There are also many verifiable random functions [15, 21, 26] that have been constructed based on certain theoretical assumptions. Though these verifiable random functions all guarantee pseudorandomness and uniqueness, they do not take the prover’s privacy into consideration, and they cannot achieve anonymity. Ganesh et al. [12] constructed the first verifiable random function that is anonymous. In this anonymous verifiable random function, the verifier can publicly verify the correctness of the function value, and the verification does not reveal the public key.

Recently, verifiable random function has been widely used for consensus construction because of its randomness and public verifiability. Micali et al. proposed Algorand [7], which combines the verifiable random function and Practical Byzantine Fault Tolerance (PBFT) to select proposer and verifier committees. It avoids targeted attacks at chosen participants and achieves a high efficiency. Dfinity [8] is similar to Algorand. It uses a Boneh–Lynn–Shacham (BLS) based verifiable random function to produce a random seed which acts as the source of randomness for leader selection and leader ranking. Praos [9] is an optimized version of Ouroboros [9]. Instead of using a secure multiparty implementation of a coin-flipping protocol to produce the randomness for the leader election process, Praos uses verifiable random function for randomly selecting a slot leader from the stakeholders. It also prevents the adversary from learning the slot leader’s identity ahead of time. Ganesh et al. [12] take the privacy properties of PoS protocol into consideration. They show that it is possible to add privacy to PoS protocols and give a privacy-preserving version of a popular PoS protocol. Most of these usages of verifiable random function focus on the public blockchain. Few works pay attention to providing a privacy-preserving consensus scheme for the permissioned blockchain, where key nodes are predefined and are therefore more likely to be attacked.

3. Preliminaries

In this section, we introduce the related hard problem and the complexity assumption, the detail of verifiable random function, and the anonymous verifiable random function. Notations used in the paper are summarized in Table 1.

3.1. Hard Problem and Complexity Assumption

Let be a cyclic group of order , where is a prime number and it is bits. is a generator of group . Given group elements as , the decisional Diffie-Hellman (DDH) problem is to distinguish between and .

We say that the DDH assumption holds if there is no probabilistic polynomial-time (PPT) algorithm that has advantage at least in solving the DDH problem in .

3.2. Verifiable Random Function

Let verifiable random function be a tuple of algorithms (Gen, Prove, and Verify) that are defined as follows:
(1): the Gen algorithm takes a security parameter as input. It generates public key pk and secret key sk. It outputs a key pair ()
(2): the Prove algorithm takes and secret key sk as input. It generates a function value and a proof , then it outputs
(3): the Verify algorithm takes a public key pk, , a function value , and a proof as input. It outputs or

The verifiable random function satisfies correctness, pseudorandomness, and uniqueness as defined in the following:
(i) Correctness. For all (pk,sk) generated from the Gen algorithm and all update public key generated by the KeyUpdate algorithm, and all , if , then
(ii) Pseudorandomness. For any pair of PPT , the following probability is :

Concretely, the definition means that no function value can be distinguished from random, even after seeing any other function values together with their corresponding proofs.
(iii) Uniqueness. No PPT adversary can output values such that and

3.3. Anonymous Verifiable Random Function

We also briefly review the anonymous verifiable random function proposed in [12]. Let anonymous verifiable random function be a tuple of algorithms (Gen, Update, Prove, and Verify) as defined in the following:
(i): it takes a security parameter as input. It generates public key pk and secret key sk. It outputs a key pair
(ii): it takes as input the public key and updates the public key . It outputs the updated public key
(iii): it takes as input , the updated public key , and the secret key . It generates a function value and a proof ; then, it outputs
(iv): it takes as input the updated public key , , a function value and a proof . It outputs or

A function family is a family of anonymous verifiable random functions, if there is a tuple of algorithms (Gen, Update, Prove, and Verify) that satisfies the following properties [12]:
(i) Correctness. For all generated from the Gen algorithm, all update public key generated by the Update algorithm, and all , if , then
(ii) Pseudorandomness. For any pair of PPT , the following probability is :

The sets contain all the queries made to the Prove oracle. The random variable state stores information that can save and pass on to .
(iii) Uniqueness. No PPT adversary can output values such that and
(iv) Anonymity. For any PPT algorithm , the following probability is :

4. Construction of Our Anonymous Verifiable Random Function

In this section, we give the concrete construction of the proposed anonymous verifiable random function. The proposed anonymous verifiable random function contains a tuple of algorithms (Gen, Update, Prove, and Verify) as the following shows:
(1): the Gen algorithm takes as input the security parameter . This algorithm randomly chooses ; then, it computes and . Thus, the public key is and the secret key is . The Gen algorithm returns public key and secret key , where the secret key is kept secret
(2): the Update algorithm takes as input the public key . This algorithm randomly chooses ; then, it computes , , and . Therefore, the updated public key is set as . The Update algorithm returns the updated public key
(3): the Prove algorithm takes as input the updated public key , a random input , and secret key . This algorithm generates the function value and the corresponding proof as the following shows:
  (i) It calculates and . So the function value can be computed as
  (ii) It sets the proof as , and the function value is . It returns the updated public key, the function value, and the proof
(4): the Verify algorithm takes as input the updated public key , a random input , function value , and the proof . It computes ; then, it determines whether equation (6) and equation (7) hold:

If equation (6) and equation (7) all hold, the Verify algorithm outputs 1. Otherwise, the Verify algorithm outputs .

We then prove the proposed anonymous verifiable random function satisfies correctness, anonymity, uniqueness, and pseudorandomness.

(i) Correctness. The correctness of the proposed anonymous verifiable random function means that it can generate a function value on any random input with secret key through the Prove algorithm and also compute a proof that was computed correctly

For all public key and secret key generated by the Gen algorithm, all updated public key generated from the Update algorithm, all , proof , and function value generated by the Prove algorithm, we have

So we get and . Therefore, the function value can be determined by secret key and and can be verified by proof and public key . The proposed anonymous verifiable random function satisfies correctness.

(ii) Anonymity. The anonymity of the proposed verifiable random function means that the verification does not reveal the public key. We adopt the idea about anonymity from the original anonymous verifiable random function that there are lots of public keys under the same secret key, and two different evaluations under the same secret key cannot be linked to a public key

We prove that the proposed anonymous verifiable random function is anonymous as the following shows.

Theorem 1. If the DDH assumption holds in group, the proposed anonymous verifiable random function satisfies anonymity.

Proof of Theorem 1. Let be the adversary that wins the anonymity game. We can build an algorithm to break the DDH assumption. receives and determines whether it is a DDH tuple or not. The algorithm performs as the following shows:
(i) The algorithm randomly selects , . It computes the public key as ; then, it honestly executes the Gen algorithm to generate . The algorithm returns and to the adversary
(ii) Once receiving the random input , the algorithm computes the updated public key as . It sets ; then, it computes , and the function value . It sets the proof as . The algorithm returns to the adversary
(iii) Let be the output of the adversary . If , the algorithm outputs “DDH tuple,” otherwise the algorithm outputs “not a DDH tuple.”

Supposing the adversary wins the anonymity game, then the probability that we defined in the anonymity experiment is . So we get

If the adversary receives a non-DDH tuple, then the view of the adversary is independent of for the reason that . Thus, is a correctly updated public key of . The probability of outputs 1 is the same as the probability that the adversary wins the anonymity game we defined. Therefore, we have

Then, if the algorithm receives a non-DDH tuple, then the view of the adversary is independent of because is independent of both and . So the algorithm cannot guess with probability more than , so we have . Thus, we have

Therefore, the proposed anonymous verifiable random function satisfies anonymity as the DDH assumption holds.

(iii) Uniqueness. The uniqueness of the proposed anonymous verifiable random function means that the function value is uniquely determined by the corresponding secret key and a random input , and accepting proofs only exist for this function value

Suppose that for all generated by the Gen algorithm, all updated public key generated from the Update algorithm, and all , there exists the tuple such that , we can get and , so

and according to the definition of , we have and . From equation (12), we have, as this is in contradiction with. Therefore, for all , all update public key , and all , there does not exist any tuple such that ) and . The proposed anonymous verifiable random function satisfies uniqueness.

(iv) Pseudorandomness. We prove the pseudorandomness of the proposed anonymous verifiable random function as the following shows

Theorem 2. If the DDH assumption holds in group, the proposed anonymous verifiable random function satisfies pseudorandomness.

Proof of Theorem 2. Let be a group and is the generator of . Suppose that there is an adversary that can break the pseudorandomness experiment we defined; then, we build a series of games as the following shows. Let be the probability that the adversary wins Game 0. Let be the advantage of the adversary in the pseudorandomness experiment.

Game 0. This is the original pseudorandomness game we defined. The challenger and the adversary interact as follows:
(i) The challenger computes public key and secret key . It sends the generated public key to the adversary
(ii) The adversary queries the oracle . The challenger answers these queries
(iii) Once the challenger receives the message that is sent by the adversary , the challenger computes and randomly chooses . It randomly chooses and returns to the adversary
(iv) The adversary outputs which is the guess of , and the adversary wins the game if

So we get .

Game 1. Game 1 is the same as Game 0 except that we make a change. We compute for randomly chosen instead of computing . Let be the event that in Game 1. The challenger and the adversary interact as follows:
(i) The challenger computes public key and secret key . It sends the generated to the adversary
(ii) The adversary queries the oracle . The challenger answers these queries
(iii) Once the challenger receives the message that is sent by the adversary , it randomly chooses and computes . The challenger computes , and the function value . It sets ; then, it obtains . The challenger randomly chooses . It randomly chooses and returns to the adversary
(iv) The adversary outputs , and it wins the game if .

Since the adversary ’s output of is independent of , we have

Lemma 3. We prove that, where is the advantage of some efficient algorithms to break the DDH advantage. It is negligible.

Proof of Lemma 3. In Game 0, we have the tuple , while in Game 1, we have the tuple . The adversary cannot recognize the difference under the DDH assumption. We define a distinguishing algorithm . If the input to is in the form of , the computation proceeds as in Game 0. So we have . If the input to is in the form of , the computation proceeds as in Game 1. So we have .

So the advantage to break the DDH assumption is equal to . As is negligible, , is negligible.

According to the above proof, we have , is negligible. Therefore, the proposed anonymous verifiable random function satisfies pseudorandomness.

5. Application of the Proposed AVRF in Blockchain

In this section, we show a specific application of the proposed anonymous verifiable random function in blockchain. As the key nodes in a consortium blockchain, such as endorsing peers in Hyperledger fabric, are predetermined and fixed, they are more likely to be attacked. Therefore, we use the proposed anonymous verifiable random function to improve the consensus mechanism for Hyperledger fabric by randomly choosing endorsing peers instead of presetting them. The improved consensus scheme is aimed at making the identity of the endorsing peer random. It also preserves the identity privacy of endorsing peers and reduces their risk of being attacked.

5.1. Hyperledger Fabric Consensus Mechanism Optimization Based on the Proposed AVRF

The consensus mechanism in Hyperledger fabric [22] takes the form of a more flexible trust model called “endorse-order-validate,” which is different from the consensus mechanism in public blockchain [27–29]. As we can see in Figure 2, in Hyperledger fabric, there are three types of nodes: endorsers, orderers, and validators. Firstly, in the endorsement phase, endorsers are predetermined and fixed. Endorsers execute transactions and record these results. Secondly, the ordering step uses a pluggable consensus protocol to produce a totally ordered sequence of endorsed transactions grouped in blocks. These endorsed transactions are broadcast to all peers via the gossip protocol. Next, in the validation step, validators validate the state changes from endorsed transactions with respect to the endorsement policy.

In Hyperledger fabric, endorsing peers (endorsers) are essential, as they are responsible for executing transaction proposals to ensure transaction legality, and they directly process a lot of sensitive transaction data. However, as endorsers’ identities are public and fixed, they are more likely to be attacked. Besides, the number of endorsers is generally small compared to the number of other peers. It is even in single digits in some systems. This creates many-to-one relationships between clients and endorsers, so it is difficult for endorsers to process transactions in a timely manner, which increases the transaction processing time.

In accordance with the above problems, we construct a noninteractive, verifiable, and optimized consensus scheme for randomly selecting endorsers based on the proposed anonymous verifiable random function. We use the candidate set of endorsing peers and randomly select endorsing peers in the candidate set through our anonymous verifiable random function. The usage of anonymous verifiable random function achieves the identity privacy of endorsers before endorsement, and this randomly expands the number of endorsing peers.

As we can see in Figure 3, the optimized consensus scheme based on our anonymous verifiable random function is defined as follows:
(1) The client generates proposal . is the transaction data which includes chaincode and its parameters. is the random input that satisfies . The client signs these data and generates . It sends the proposal to the candidate set of endorsing peers; then, the client starts a timer
(2) The candidate endorsing peer verifies the signature to check the integrity. If the verification fails, it aborts. Otherwise, the candidate endorsing peer performs as follows:
  (i) The candidate endorsing peer executes the anonymous verifiable random function Update algorithm to generate the update public key . It executes to get the function value and proof
  (ii) The candidate endorsing peer compares whether holds. is the predetermined threshold. is a hash function and is the length of . If it holds, it means that the candidate endorsing peer is an endorser. It goes to the next step. Otherwise, it aborts
  (iii) If a candidate endorsing peer has confirmed that it is an endorser, it executes the proposal to generate read and write set and the endorsing result ; then, it computes the signature of as , while and . Therefore, the proposal response message as . It sends the proposal response message to the client
(3) The client continuously receives proposal response messages from different endorsers before the timer runs out. It performs as the following shows:
  (i) The client verifies the signature for checking the integrity. If the verification fails, it aborts. Otherwise, it executes to verify the function value . On one hand, an adversary may replace without the secret key, which may lead to some malicious endorsing peers without endorser qualifications becoming logical endorsers. This would influence transaction endorsing results. However, when the client receives the replaced response message, it first verifies the signature , then it verifies the function value . Because the signature satisfies unforgeability and the anonymous verifiable random function satisfies uniqueness, the replaced response message will not pass these verifications, and the malicious endorsing peer without endorser qualification will not become the logical endorser to influence transaction endorsing results. On the other hand, our anonymous verifiable random function can also be extended to provide some level of unpredictability under malicious key generation. In order to achieve this goal, in the Prove algorithm, it adds a computation , where is a hash function. Also, let . It outputs . In the Verify algorithm, it adds a verification to check whether holds. In this case, our extended anonymous verifiable random function can provide unpredictability under malicious key generation. It means that an adversary that can maliciously choose the verifiable random keys cannot skew the output distribution, as long as the adversary has no information on the random input when choosing its verifiable random function keys. We adopt the idea about unpredictability under malicious key generation from [9] and [25], which give a detailed explanation and proof
  (ii) The client computes and checks whether holds. If it holds, the proposal response message is from a logical endorser. The client sends these transactions to orderers
(4) Orderer monitors and receives all transactions and block transactions as . Let denote that there are orderly transactions in a block. Orderers sign blocks and broadcast them
(5) Validator receives the block, then it verifies the signature of the block and the read and write set and updates the ledger. After all these steps, a consensus on the transactions initiated by clients has been reached
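The following added example is not the construction of this paper and is not the authors' code. It exercises the (Gen, Update, Prove, Verify) interface reviewed in Section 3.3 and steps (2) and (3) of the scheme above, using a textbook Chaum-Pedersen equality-of-discrete-logs proof (made noninteractive with Fiat-Shamir) as a stand-in. The toy 80-bit group, the SHA-256 threshold rule, and all function names are assumptions; message signatures are omitted.

```python
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)

def is_prime(n):
    """Miller-Rabin; this base set is deterministic for n < 3.3e24 (~2^81)."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in BASES:
        y = pow(b, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(r - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(start):
    """Smallest prime q >= start such that p = 2q + 1 is also prime."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return q, 2 * q + 1

# Toy 80-bit group, constructed for this demo only: the order-Q subgroup of
# squares modulo the safe prime P. Far too small for real use.
Q, P = find_safe_prime(1 << 78)
G = 4  # 2^2 is a square other than 1, so it generates the subgroup

def hash_int(tag, *parts):
    h = hashlib.sha256(tag)  # domain tag, then length-prefixed parts
    for part in parts:
        b = part if isinstance(part, bytes) else part.to_bytes(10, "big")
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big")

def hash_to_group(x):
    # Squaring lands in the subgroup; the negligible chance of 0 or 1 is ignored.
    return pow(hash_int(b"h2g", x) % P, 2, P)

def in_group(e):
    return 1 < e < P and pow(e, Q, P) == 1

def gen():
    k = secrets.randbelow(Q - 1) + 1
    return (G, pow(G, k, P)), k                # pk = (g, g^k), sk = k

def update(pk):
    r = secrets.randbelow(Q - 1) + 1
    return pow(pk[0], r, P), pow(pk[1], r, P)  # re-randomized key (g^r, g^(rk))

def prove(upk, x, k):
    u, U = upk
    h = hash_to_group(x)
    v = pow(h, k, P)                           # function value, fixed by (k, x)
    w = secrets.randbelow(Q - 1) + 1
    c = hash_int(b"dleq", u, U, h, v, pow(u, w, P), pow(h, w, P)) % Q
    return v, (c, (w + c * k) % Q)             # proves log_u(U) == log_h(v)

def verify(upk, x, v, proof):
    (u, U), (c, s) = upk, proof
    if not (all(in_group(e) for e in (u, U, v)) and 0 <= c < Q and 0 <= s < Q):
        return False
    h = hash_to_group(x)
    a1 = pow(u, s, P) * pow(U, Q - c, P) % P   # u^s * U^(-c)
    a2 = pow(h, s, P) * pow(v, Q - c, P) % P   # h^s * v^(-c)
    return c == hash_int(b"dleq", u, U, h, v, a1, a2) % Q

def is_selected(v, num, den):
    """Assumed threshold rule: SHA-256(v) / 2^256 < num / den."""
    return hash_int(b"sortition", v) * den < num * (1 << 256)

def candidate_respond(pk, k, x, num, den):
    """Step (2): fresh updated key, evaluate, answer only if under the threshold."""
    upk = update(pk)
    v, proof = prove(upk, x, k)
    return (upk, v, proof) if is_selected(v, num, den) else None

def client_accepts(resp, x, num, den):
    """Step (3): check the proof against the updated key, then the threshold."""
    upk, v, proof = resp
    return verify(upk, x, v, proof) and is_selected(v, num, den)

if __name__ == "__main__":
    x = b"constructed-proposal-input"
    chosen = [a for a in (candidate_respond(*gen(), x, 1, 2) for _ in range(8)) if a]
    print(len(chosen), "of 8 selected; all verify:",
          all(client_accepts(a, x, 1, 2) for a in chosen))
```

The client only ever sees the re-randomized key, so two responses from the same peer carry different keys, while the function value for a given input stays fixed by the secret key.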

5.2. Analysis of the Optimized Consensus Scheme
5.2.1. Security Analysis

(1) Randomness. In our optimized consensus scheme, endorsers are randomly selected from the candidate set of endorsing peers via the proposed anonymous verifiable random function instead of being predetermined. Whether a candidate endorsing peer is an endorser or not is determined by the function value which is the random output of the anonymous verifiable random function’s Prove algorithm. Only when the function value satisfies that , a candidate endorsing peer is chosen as an endorser. As we can see from the definition of anonymous verifiable random function, satisfies randomness, so the selection of endorsers is random. This reduces the centralization of endorsing peers.

At the same time, in the original consensus scheme, clients continue to process the transaction only after they have compared all endorsing results that were sent from endorsers and the results are all the same. So, the adversary can easily control endorsing results to destroy the correctness of transaction results: if it has successfully attacked only one endorser, it can make the endorsing results inconsistent, and the client aborts the transaction. Furthermore, if the decision strategy is modified, the endorsing results are valid only if more than half of the results are consistent. In this case, the adversary can control the endorsing result to destroy the correctness of transaction results if more than half of the endorsing peers are malicious. On the contrary, in our optimized consensus scheme, clients do not have to compare endorsing results from all predetermined endorsing peers. Endorsers are chosen randomly and dynamically; this will reduce the probability of the adversary’s influence on the transaction.

(2) Anonymity. In our optimized consensus scheme, endorser’s identity is verifiable and anonymous to the client. As the proposed anonymous verifiable random function satisfies correctness, the endorsing peer’s identity can be verified. Furthermore, observers cannot obtain the result about which candidate endorsing peers have been chosen if secret keys are not leaked. Moreover, the client can use the endorsing peer’s update public keys to verify the identity validity of the endorsing peer, so the client cannot recognize the identity of endorsing peers for the reason that the proposed anonymous verifiable random function satisfies anonymity. Concretely, verification using update public keys will not reveal endorsing peers’ public keys. The anonymity of our optimized consensus scheme provides privacy preservation of endorsing peers and reduces their risk of being attacked.

5.2.2. Performance Analysis of the Optimized Consensus Scheme

On one hand, for the same , different secret keys generate different function values through the Prove algorithm of the proposed anonymous verifiable random function. Therefore, different candidate endorsing peers generate different function values in the same transaction. Some of the candidate endorsing peers will become endorsers for this transaction, while the rest of the endorsing peers in the candidate set will become other transactions’ endorsers. The randomness of the function value ensures that transactions are uniformly distributed to candidate endorsing peers. This reduces the workload of each endorsing peer and improves concurrent processing of transactions.

On the other hand, the transaction delay is the time it takes to initiate a proposal, endorse, validate, order, and commit transactions to the ledger. In our optimized consensus scheme, as the transaction flow is the same as the original consensus scheme except for the endorsing step, the main factor that increases the transaction processing time is the extra endorser selection process and endorser identity verification process. According to Table 2, the prove time and the verify time of the proposed anonymous verifiable random function are both in milliseconds. This is negligible compared with the whole transaction processing time. Thus, the impact of the proposed anonymous verifiable random function on the transaction delay is negligible, and there is not much difference in transaction delay between our optimized consensus scheme and the original consensus scheme.

6. Implementation and Evaluation

In this section, to better evaluate the performance of our proposed anonymous verifiable random function, we give a reference implementation in Python of our anonymous verifiable random function as well as of the anonymous verifiable random function proposed in [12]. For convenience, we call the latter the Ganesh et al. anonymous verifiable random function. We also implement two other representative verifiable random functions: the Dodis verifiable random function [13], which is used in Algorand, and the EC verifiable random function [6], which has been widely used in many scenarios such as DNSSEC. We use the Charm [30] library to implement the elliptic curve group operations. We measure the prove time and the verify time of these verifiable random functions. Our tests are performed on a Linux desktop with an 8-core Intel Core i7-8550U 2.00 GHz processor and 8 GB of RAM. We average the performance over 50 runs.

In Table 2, we give the efficiency analysis by comparing our proposed anonymous verifiable random function, the Ganesh et al. anonymous verifiable random function, and the Dodis verifiable random function in terms of time complexity, computation overhead, and the size of proof . We denote as exponentiation operation in group , as hash function, as multiplication operation in group , as pairing operation, as multiplication operation in group , as the size of elements in group , and as the size of elements in . As we can see from Table 2, verify times of the Dodis verifiable random function, Ganesh et al. anonymous verifiable random function, and our proposed anonymous verifiable random function are, respectively, 3.3 ms, 1.2 ms, and 0.9 ms with the 80-bit security level. It is obvious that our anonymous verifiable random function has the best performance in terms of the verify time and the proof size.

In Figure 4, we compare the computation of prove time among our anonymous verifiable random function, the Ganesh et al. anonymous verifiable random function, and the EC verifiable random function. As we set the security level as 80 bits, 96 bits, 112 bits, 128 bits, and 192 bits, respectively, the prove time of Ganesh et al. anonymous verifiable random function grows from 1.6 ms to 7.0 ms while our proposed anonymous verifiable random function increases from 0.9 ms to 4.0 ms. It is obvious that our anonymous verifiable random function has lower prove computation overhead compared with the Ganesh et al. anonymous verifiable random function. However, the prove computation overhead of our proposed anonymous verifiable random function is a little higher than the EC verifiable random function for the reason that there are extra exponentiation operations in our proposed verifiable random function to achieve anonymity, while the EC verifiable random function is not anonymous.

In Figure 5, we compare the computation of verify time among our anonymous verifiable random function, the Ganesh et al. anonymous verifiable random function and the EC verifiable random function. When security levels are set to be 80 bits, 96 bits, 112 bits, 128 bits, and 192 bits, respectively, the verify time of the Ganesh et al. anonymous verifiable random function grows from 1.2 ms to 5.4 ms and the EC verifiable random function grows from 0.7 ms to 2.9 ms. In our verifiable random function, it increases from 0.5 ms to 2.1 ms. Our anonymous verifiable random function also has the lowest verify computation overhead among these three verifiable random functions.

Therefore, the proposed anonymous verifiable random function is efficient according to the above analytical measurements and experimental evaluation as it has shorter prove and verify time as well as a smaller proof size.

7. Conclusions

In this paper, we construct an efficient anonymous verifiable random function that has potential use in blockchain for building secure consensus protocols. Specifically, our proposed verifiable random function is anonymous, which means that verification does not reveal the public key of the prover. We also analyze and prove its security properties. Furthermore, we give a concrete use of our proposed anonymous verifiable random function to optimize the consensus mechanism of Hyperledger Fabric. In addition, we implement and evaluate the proposed anonymous verifiable random function and three other representative verifiable random functions. Experimental results show that the proposed anonymous verifiable random function has lower computation overhead and a smaller proof size compared with other representative verifiable random functions. The proposed anonymous verifiable random function can also be applied to other permissioned blockchains, as their transactions are processed by certain key nodes. However, achieving a practical post-quantum anonymous verifiable random function remains future work.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there are no conflicts of interest.

Acknowledgments

This paper was supported by National Natural Science Foundation of China (Grant no. U21A20463).