3 releases

new 0.1.2 Mar 20, 2025
0.1.1 Feb 28, 2025
0.1.0 Feb 21, 2025


MIT license


Elliptic Curve VRF-AD

This library provides flexible and efficient implementations of Verifiable Random Functions with Additional Data (VRF-AD), a cryptographic construct that augments a standard VRF scheme by incorporating auxiliary information into its signature.

It leverages the Arkworks framework and supports customization of scheme parameters.

Supported VRFs

  • IETF VRF: Complies with ECVRF described in RFC9381.
  • Pedersen VRF: Described in BCHSV23.
  • Ring VRF: A zero-knowledge-based scheme inspired by BCHSV23.

Schemes Specifications

Built-In suites

The library conditionally includes the following pre-configured suites (see features section):

  • Ed25519-SHA-512-TAI: Supports IETF and Pedersen VRFs.
  • Secp256r1-SHA-256-TAI: Supports IETF and Pedersen VRFs.
  • Bandersnatch (Edwards curve on BLS12-381): Supports IETF, Pedersen, and Ring VRFs.
  • JubJub (Edwards curve on BLS12-381): Supports IETF, Pedersen, and Ring VRFs.
  • Baby-JubJub (Edwards curve on BN254): Supports IETF, Pedersen, and Ring VRFs.

Basic Usage

use ark_ec_vrfs::suites::bandersnatch::*;
let secret = Secret::from_seed(b"example seed");
let public = secret.public();
let input = Input::new(b"example input");
let output = secret.output(input);
let aux_data = b"optional aux data";

IETF-VRF

Prove

use ark_ec_vrfs::ietf::Prover;
let proof = secret.prove(input, output, aux_data);

Verify

use ark_ec_vrfs::ietf::Verifier;
let result = public.verify(input, output, aux_data, &proof);

Ring-VRF

Ring construction

const RING_SIZE: usize = 100;
let prover_key_index = 3;
// Construct an example ring with dummy keys
let mut ring: Vec<_> = (0..RING_SIZE).map(|i| Secret::from_seed(&i.to_le_bytes()).public().0).collect();
// Patch the ring with the public key of the prover
ring[prover_key_index] = public.0;
// Any key can be replaced with the padding point
ring[0] = RingProofParams::padding_point();

Ring parameters construction

let params = RingProofParams::from_seed(RING_SIZE, b"example seed");

Prove

use ark_ec_vrfs::ring::Prover;
let prover_key = params.prover_key(&ring);
let prover = params.prover(prover_key, prover_key_index);
let proof = secret.prove(input, output, aux_data, &prover);

Verify

use ark_ec_vrfs::ring::Verifier;
let verifier_key = params.verifier_key(&ring);
let verifier = params.verifier(verifier_key);
let result = Public::verify(input, output, aux_data, &proof, &verifier);

Verifier key from commitment

// The verifier key is derived from the ring (as above); its commitment is what a verifier needs to keep
let ring_commitment = params.verifier_key(&ring).commitment();
let verifier_key = params.verifier_key_from_commitment(ring_commitment);

Features

  • default: std
  • full: Enables all features listed below except secret-split, parallel, asm, rfc-6979, test-vectors.
  • secret-split: Point scalar multiplication with secret split. The secret scalar is split into the sum of two scalars, which are randomly mutated while retaining the same sum. Incurs a 2x penalty in some internal sensitive scalar multiplications, but provides side-channel defenses.
  • ring: Ring-VRF for the curves supporting it.
  • rfc-6979: Support for nonce generation according to RFC-9381 section 5.4.2.1.
  • test-vectors: Deterministic ring-vrf proof. Useful for reproducible test vectors generation.
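The secret-split countermeasure described above, as an added example that is not code from ark-ec-vrfs. To run with the standard library alone it replaces the curve with a toy group (integers mod a prime P under addition, so "scalar multiplication" is k*g mod P), keeps the naive branchy double-and-add so the number of conditional additions stands in for what a side channel would observe, and uses a tiny xorshift generator in place of a real CSPRNG. The modulus, generator, secret and seeds are all constructed for the illustration.

```rust
// Added example, not code from ark-ec-vrfs: a sketch of the scalar-splitting
// countermeasure behind the `secret-split` feature, over a toy group so it
// runs with the standard library alone. The group is Z_P under addition; its
// order is P, so scalars are reduced mod P as well. All values are constructed.

const P: u64 = 2_147_483_647; // 2^31 - 1, prime; toy group order (assumption)

/// Toy group element: a residue mod P. The group law is addition mod P.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Point(pub u64);

impl Point {
    pub const IDENTITY: Point = Point(0);
    pub fn add(self, other: Point) -> Point {
        Point((self.0 + other.0) % P)
    }
    pub fn double(self) -> Point {
        self.add(self)
    }
}

/// Left-to-right double-and-add, deliberately in the naive branchy form.
/// Returns the product and the number of conditional additions taken, which
/// equals the Hamming weight of the scalar: this count stands in for what a
/// timing or power trace would reveal about the scalar's bits.
pub fn scalar_mul(k: u64, p: Point) -> (Point, u32) {
    let k = k % P;
    let mut acc = Point::IDENTITY;
    let mut adds = 0u32;
    for i in (0..64u32).rev() {
        acc = acc.double();
        if (k >> i) & 1 == 1 {
            acc = acc.add(p);
            adds += 1;
        }
    }
    (acc, adds)
}

/// A secret scalar `s` held only as two shares with `a + b == s (mod P)`.
pub struct SplitScalar {
    a: u64,
    b: u64,
}

impl SplitScalar {
    /// Split `s` using the random mask `r` as the first share.
    pub fn new(s: u64, r: u64) -> Self {
        let a = r % P;
        let b = (s % P + P - a) % P;
        SplitScalar { a, b }
    }

    /// Re-randomize: move `r` from one share to the other. The sum is unchanged,
    /// but the bit patterns the two multiplications walk are fresh each call.
    pub fn refresh(&mut self, r: u64) {
        let r = r % P;
        self.a = (self.a + r) % P;
        self.b = (self.b + P - r) % P;
    }

    pub fn recombine(&self) -> u64 {
        (self.a + self.b) % P
    }

    /// s*p computed as a*p + b*p. Two multiplications instead of one is the
    /// 2x cost the feature description mentions; in exchange, no multiplication
    /// ever iterates over the bits of `s` itself.
    pub fn mul(&self, p: Point) -> (Point, u32) {
        let (pa, na) = scalar_mul(self.a, p);
        let (pb, nb) = scalar_mul(self.b, p);
        (pa.add(pb), na + nb)
    }
}

/// Tiny xorshift64 generator so the example needs no `rand` crate.
/// Illustrative only; a real implementation draws masks from a CSPRNG.
pub struct XorShift64(pub u64);

impl XorShift64 {
    pub fn next(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        self.0 = x;
        x
    }
}

fn main() {
    let g = Point(5); // toy generator (constructed)
    let secret = 0x5A5A_5A5Au64; // constructed secret scalar
    let mut rng = XorShift64(0x9E37_79B9_7F4A_7C15); // constructed seed
    let (direct, direct_adds) = scalar_mul(secret, g);
    let mut split = SplitScalar::new(secret, rng.next());
    for round in 0..3 {
        let (r, adds) = split.mul(g);
        assert_eq!(r, direct);
        println!("round {}: same result, additions taken = {} (unsplit: {})", round, adds, direct_adds);
        split.refresh(rng.next());
    }
}
```

Each round yields the same product while the addition count, the only thing the toy leaks, now reflects the Hamming weight of a random share rather than of the secret. The split does not by itself make the multiplication constant-time; it makes what leaks independent of the long-term scalar, which is the defense the feature description refers to.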

Curves

  • ed25519
  • jubjub
  • bandersnatch
  • baby-jubjub
  • secp256r1

Arkworks optimizations

  • parallel: Parallel execution, using rayon, where it is worthwhile.
  • asm: Assembly implementation of some low level operations.

License

Distributed under the MIT License.
