RFC 9381: Verifiable Random Functions (VRFs)
- S. Goldberg,
- L. Reyzin,
- D. Papadopoulos,
- J. Včelák
Abstract
A Verifiable Random Function (VRF) is the public key version of a keyed cryptographic hash. Only the holder of the secret key can compute the hash, but anyone with the public key can verify the correctness of the hash. VRFs are useful for preventing enumeration of hash-based data structures. This document specifies VRF constructions based on RSA and elliptic curves that are secure in the cryptographic random oracle model.¶
This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.¶
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.¶
This document is a product of the Internet Research Task Force
(IRTF). The IRTF publishes the results of Internet
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
https://
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://
1. Introduction
A Verifiable Random Function (VRF) [MRV99] is the public key version of a keyed cryptographic hash. Only the holder of the VRF secret key can compute the hash, but anyone with the corresponding public key can verify the correctness of the hash.¶
A key application of the VRF is to provide privacy against offline dictionary attacks (also known as enumeration attacks) on data stored in a hash-based data structure. In this application, a Prover holds the VRF secret key and uses the VRF hashing to construct a hash-based data structure on the input data.¶
Due to the nature of the VRF, only the Prover can answer queries about whether or not some data is stored in the data structure. Anyone who knows the VRF public key can verify that the Prover has answered the queries correctly. However, no offline inferences (i.e., inferences without querying the Prover) can be made about the data stored in the data structure.¶
This document defines VRFs based on RSA and elliptic curves. The choices of VRFs for inclusion in this document were based, in part, on synergy with existing RFCs and commonly available implementations of individual components that are used within the VRFs.¶
The particular choice of the VRF for a given application depends on the desired security properties, the availability of cryptographical
This document represents the consensus of the Crypto Forum Research Group (CFRG).¶
1.1. Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
1.2. Terminology
The following terminology is used throughout this document:¶
- SK:
- The secret key for the VRF. (Note: The secret key is also sometimes called a "private key".)¶
- PK:
- The public key for the VRF.¶
- alpha or alpha_string:
- The input to be hashed by the VRF.¶
- beta or beta_string:
- The VRF hash output.¶
- pi or pi_string:
- The VRF proof.¶
- Prover:
- Holds the VRF secret key SK and public key PK.¶
- Verifier:
- Holds the VRF public key PK.¶
- Adversary:
- Potential attacker; often used to define a security property.¶
- Malicious (or adversarial):
- Performed by an adversary.¶
2. VRF Algorithms
A VRF comes with a key generation algorithm that generates a VRF public key PK and secret key SK.¶
The Prover hashes an input alpha using the VRF secret key SK to obtain a VRF hash output beta:¶
beta = VRF_hash(SK, alpha)¶
The VRF_hash algorithm is deterministic, in the sense that it always produces the same output beta, given the same pair of inputs (SK, alpha).¶
The Prover also uses the secret key SK to construct a proof pi that beta is the correct hash output:¶
pi = VRF_prove(SK, alpha)¶
The VRFs defined in this document allow anyone to deterministical
beta = VRF
Thus, for the VRFs defined in this document, VRF_hash is defined as¶
VRF_hash(SK, alpha) = VRF
and therefore this document will specify VRF_prove and VRF
The proof pi allows a Verifier holding the public key PK to verify that beta is the correct VRF hash of input alpha under key PK. Thus, the VRFs defined in this document also come with an algorithm¶
VRF_verify(PK, alpha, pi)¶
that outputs ("VALID", beta = VRF
3. VRF Security Properties
VRFs are designed to ensure the following security properties: uniqueness (full or trusted), collision resistance (full or trusted),
and pseudorandomnes
3.1. Full Uniqueness
Uniqueness means that, for any fixed VRF public key and for any input alpha, it is infeasible to find proofs for more than one VRF output beta.¶
More precisely, "full uniqueness" means that an adversary cannot find¶
such that¶
3.2. Full Collision Resistance
Like cryptographic hash functions, VRFs are collision resistant. Collision resistance means that it is infeasible to find two different inputs alpha1 and alpha2 with the same output beta.¶
More precisely, "full collision resistance" means that an adversary cannot find¶
such that¶
3.3. Trusted Uniqueness and Trusted Collision Resistance
Full uniqueness and full collision resistance hold even if the VRF keys are generated maliciously. For some applications, it is sufficient for a VRF to possess weaker security properties than full uniqueness and full collision resistance. These properties are called "trusted uniqueness" and "trusted collision resistance"; they are the same as full uniqueness and full collision resistance, respectively, but are not guaranteed to hold if the adversary gets to choose the VRF public key PK. Instead, they are guaranteed to hold only if the VRF keys PK and SK are generated as specified by the VRF key generation algorithm and then given to the adversary. In other words, they are guaranteed to hold even if the adversary has knowledge of SK and PK but are not guaranteed to hold if the adversary has the ability to choose SK and PK.¶
As further discussed in Section 7.1.1, some of the VRFs specified in this document satisfy only trusted uniqueness and trusted collision resistance. VRFs in this document that satisfy only trusted uniqueness and trusted collision resistance MUST NOT be used in applications that need protection against adversarial VRF key generation.¶
3.4. Full Pseudorandomness or Selective Pseudorandomness
Pseudorandomnes
More precisely, suppose that the public and secret VRF keys (PK, SK) were generated
correctly.
Pseudorandomnes
The "full pseudorandomnes
"Selective pseudorandomnes
As further discussed in Section 7.3,
the VRFs specified in this document satisfy both full pseudorandomnes
It is important to remember that the VRF output beta is always distinguishable from
random by the Prover or by any other party that knows the VRF
secret key SK. Such a party can easily distinguish beta from
a random value by comparing beta to the result of VRF_hash(SK, alpha). In particular, if the key is generated maliciously, even parties other than the Prover may know SK, and thus pseudorandomnes
Similarly, the VRF output beta is always distinguishable from random by any party that knows a valid VRF proof pi corresponding to the VRF input alpha, even if this party does not know the VRF secret key SK. Such a party can easily distinguish beta from a random value by checking to see whether VRF_verify(PK, alpha, pi) returns ("VALID", beta).¶
Additionally, the VRF output beta may be distinguishable from random if VRF key generation was not done correctly (for example, if VRF keys were generated with bad randomness).¶
3.5. Unpredictability under Malicious Key Generation
As explained in Section 3.4, pseudorandomnes
There is, however, a different type of unpredictabilit
A formal definition of this property appears in Section 3.2 of [DGKR18]. As further discussed in Section 7.1.3, only some of the VRFs specified in this document satisfy this property.¶
4. RSA Full Domain Hash VRF (RSA-FDH-VRF)
The RSA Full Domain Hash VRF (RSA-FDH-VRF) is a VRF that, for suitable key lengths, satisfies
the "trusted uniqueness", "trusted
collision resistance", and "full pseudorandomnes
The VRF computes the proof pi as a deterministic RSA signature on input alpha using the RSA Full Domain Hashing algorithm [RFC8017] parameterized with the selected hash algorithm. RSA signature verification is used to verify the correctness of the proof. The VRF hash output beta is simply obtained by hashing the proof pi with the selected hash algorithm.¶
The key pair for the RSA-FDH-VRF MUST satisfy the conditions specified in Section 3 of [RFC8017].¶
In this section, the notation from [RFC8017] is used.¶
- Parameters used:
-
- Fixed options (specified in Section 4.4):
-
- Primitives used:
-
- I2OSP:
- Conversion of a non-negative integer to an octet string as defined in Section 4.1 of [RFC8017] (given an integer and a length (in octets), produces a big-endian representation of the integer, zero-padded to the desired length)¶
- OS2IP:
- Conversion of an octet string to a non-negative integer as defined in Section 4.2 of [RFC8017] (given a big-endian encoding of an integer, produces the integer)¶
- RSASP1:
- RSA signature primitive as defined in Section 5.2.1 of [RFC8017] (given a private key and an input, raises the input to the private RSA exponent modulo n)¶
- RSAVP1:
- RSA verification primitive as defined in Section 5.2.2 of [RFC8017] (given a public key and an input, raises the input to the public RSA exponent modulo n)¶
- MGF1:
- Mask generation function based on the hash function Hash as defined in Appendix B.2.1 of [RFC8017] (given an input, produces a random
-oracle -like output of desired length)¶ - ||:
- octet string concatenation¶
4.1. RSA-FDH-VRF Proving
RSAFDHVRF
- Input:
-
- Optional input:
-
- MGF_salt:
- a public octet string used as a hash function salt; this input is not used when MGF_salt is specified as part of the ciphersuite¶
- Output:
-
- pi_string:
- proof, an octet string of length k¶
Steps:¶
4.2. RSA-FDH-VRF Proof to Hash
RSAFDHVRF
- Input:
-
- pi_string:
- proof, an octet string of length k¶
- Output:
-
- beta_string:
- VRF hash output, an octet string of length hLen¶
Important note:¶
RSAFDHVRF
Steps:¶
4.3. RSA-FDH-VRF Verifying
RSAFDHVRF
- Input:
-
- Optional input:
-
- MGF_salt:
- a public octet string used as a hash function salt; this input is not used when MGF_salt is specified as part of the ciphersuite¶
- Output:
-
("VALID", beta_string), where beta_string is the VRF hash output, an octet string of length hLen, or¶
"INVALID"¶
Steps:¶
4.4. RSA-FDH-VRF Ciphersuites
This document defines RSA
This document defines RSA
This document defines RSA
5. Elliptic Curve VRF (ECVRF)
The Elliptic Curve Verifiable Random Function (ECVRF) is a VRF that, for suitable parameter choices,
satisfies the "full uniqueness", "trusted collision resistance",
and "full pseudorandomnes
- Notation used:
-
Elliptic curve operations are written in additive notation, with P+Q denoting point addition and x*P denoting scalar multiplication of a point P by a scalar x¶
- Fixed options (specified in Section 5.5):
-
- F:
- finite field¶
- fLen:
- length, in octets, of an element in F encoded as an octet string¶
- E:
- elliptic curve (EC) defined over F¶
- ptLen:
- length, in octets, of a point on E encoded as an octet string¶
- G:
- subgroup of E of large prime order¶
- q:
- prime order of group G¶
- qLen:
- length of q, in octets, i.e., the smallest integer such that 2^(8qLen) > q¶
- cLen:
- length, in octets, of a challenge value used by the VRF (note that in the typical case, cLen is qLen/2 or close to it)¶
- cofactor:
- number of points on E divided by q¶
- B:
- generator of group G¶
- Hash:
- cryptographic hash function¶
- hLen:
- output length, in octets, of Hash (hLen must be at least cLen; in the typical case, it is at least qLen)¶
- ECVRF
_encode _to _curve : - a function that hashes strings to points on E¶
- ECVRF
_nonce _generation : - a function that derives a pseudorandom nonce from SK and the input as part of ECVRF proving¶
- suite_string:
- an octet string specifying the ECVRF ciphersuite, which determines the above options as well as type conversions and parameter generation¶
- Type conversions (specified in Section 5.5):
-
- int_to_string(a, len):
- conversion of non-negative integer a to octet string of length len¶
- string
_to _int (a _string ): - conversion of an octet string a_string to a non-negative integer¶
- point_to_string:
- conversion of a point on E to a ptLen-octet string¶
- string_to_point:
- conversion of a ptLen-octet string to a point on E. string_to_point returns "INVALID" if the octet string does not convert to a valid EC point on the curve E¶
Note that with certain software libraries (for big integer and elliptic curve arithmetic), the int_to_string and point_to_string conversions are not needed when the libraries encode integers and EC points in the same way as required by the ciphersuites. For example, in some implementations
, EC point operations will take octet strings as inputs and produce octet strings as outputs, without introducing a separate elliptic curve point type.¶ - Parameters used (the generation of these parameters is specified in Section 5.5):
-
- SK:
- VRF secret key¶
- x:
- VRF secret scalar, an integer. Note: Depending on the ciphersuite used, the VRF secret scalar may be equal to SK; else it is derived from SK¶
- Y = x*B:
- VRF public key, a point on E¶
- PK_string = point
_to _string (Y ): - VRF public key represented as an octet string¶
- encode
_to _curve _salt : - a public value used as a hash function salt¶
5.1. ECVRF Proving
ECVRF_prove(SK, alpha_string[, encode
- Input:
-
- Optional input:
-
- encode
_to _curve _salt : - a public salt value, an octet string; this input is not used when encode
_to _curve _salt is specified as part of the ciphersuite¶
- encode
- Output:
-
- pi_string:
- VRF proof, an octet string of length ptLen+cLen+qLen¶
Steps:¶
5.2. ECVRF Proof to Hash
ECVRF
- Input:
-
- pi_string:
- VRF proof, an octet string of length ptLen+cLen+qLen¶
- Output:
-
- "INVALID", or
- beta_string:
- VRF hash output, an octet string of length hLen¶
Important note:¶
ECVRF
Steps:¶
5.3. ECVRF Verifying
ECVRF
- Input:
-
- Optional input:
-
- encode
_to _curve _salt : - a public salt value, an octet string; this input is not used when encode
_to _curve _salt is specified as part of the ciphersuite¶ - validate_key:
- a boolean. An implementation MAY support only the option of validate_key = TRUE, or only the option of validate_key = FALSE, in which case this input is not needed. If an implementation supports only one option, it MUST specify which option it supports¶
- encode
- Output:
-
("VALID", beta_string), where beta_string is the VRF hash output, an octet string of length hLen, or¶
"INVALID"¶
Steps:¶
Note that the first three steps need to be performed only once for a given public key.¶
5.4. ECVRF Auxiliary Functions
5.4.1. ECVRF Encode to Curve
The ECVRF
This section specifies a number of such algorithms; these algorithms are not compatible with each other and are intended for use with the various ciphersuites specified in Section 5.5.¶
- Input:
-
- Output:
-
- H:
- hashed value, a point in G¶
5.4.1.1. ECVRF_encode_to_curve_try_and_increment
The ECVRF
The running time of this algorithm depends on alpha_string. For the ciphersuites specified in Section 5.5, this algorithm is expected to find a valid curve point after approximately two attempts (i.e., when ctr = 1) on average.¶
However, because the algorithm's running time depends on alpha_string, this algorithm SHOULD be avoided in applications where it is important that the VRF input alpha remain secret.¶
ECVRF
- Fixed option (specified in Section 5.5):
-
- interpret
_hash _value _as _a _point : - a function that attempts to convert a cryptographic hash value to a point on E; may output "INVALID"¶
- interpret
Steps:¶
Note that even though the loop is infinite as written and int
5.4.1.2. ECVRF_encode_to_curve_h2c_suite
The ECVRF
ECVRF
- Fixed option (specified in Section 5.5):
-
- h2c
_suite _ID _string : - a hash-to-curve Suite ID, encoded in ASCII (see discussion below)¶
- h2c
Steps:¶
The encode function is provided by the hash-to-curve suite (as specified in Section 8 of [RFC9380]) whose ID is h2c
"ECVRF_" || h2c
where "ECVRF_" is represented as a 6-byte ASCII encoding (in hexadecimal, octets 45 43 56 52 46 5F).¶
5.4.2. ECVRF Nonce Generation
The following algorithms generate the nonce value k in a deterministic pseudorandom fashion. This section specifies a number of such algorithms; these algorithms are not compatible with each other. The choice of a particular algorithm from the options specified in this section depends on the ciphersuite, as specified in Section 5.5.¶
5.4.2.1. ECVRF Nonce Generation from RFC 6979
ECVRF
- Input:
-
- Output:
-
- k:
- an integer nonce between 1 and q-1¶
The ECVRF
5.4.2.2. ECVRF Nonce Generation from RFC 8032
The following is derived from Steps 2 and 3 in Section 5.1.6 of [RFC8032]. To use this algorithm, hLen MUST be at least 64.¶
ECVRF
- Input:
-
- Output:
-
- k:
- an integer nonce between 0 and q-1¶
Steps:¶
5.4.3. ECVRF Challenge Generation
ECVRF
- Input:
-
- P1, P2, P3, P4, P5:
- EC points¶
- Output:
-
- c:
- challenge value, an integer between 0 and 2^(8*cLen)-1¶
Steps:¶
5.4.4. ECVRF Decode Proof
ECVRF
- Input:
-
- pi_string:
- VRF proof, an octet string
(pt Len+c Len+q Len octets)¶
- Output:
-
Steps:¶
5.4.5. ECVRF Validate Key
ECVRF
Important note:¶
The public key Y provided as input to this procedure MUST be a valid point on E.¶
Steps:¶
Note that if the cofactor = 1, then Step 1 simply sets Y'=Y. In particular, for the P-256 curve, ECVRF
Any algorithm with identical input-output behavior MAY be used in place of the above steps. For example, if the total number of Y values that could cause Step 2 to output "INVALID" is small, it may be more efficient to simply check Y against a fixed list of such values. For example, the following algorithm MAY be used for the edwards25519 curve:¶
(This algorithm works for the following reason. Note that there are eight bad points -- namely, the points whose order is 1, 2, 4, or 8 -- on the edwards25519 curve. Their y-coordinates happen to be 0 (two points of order 4), 1 (one point of order 1), bad_y2 (two points of order 8), p-bad_y2 (two points of order 8), and p-1 (one point of order 2). They can be obtained by converting the points specified in [X25519] to Edwards coordinates. Thus, bad_pk[0] (of order 4), bad_pk[2] (of order 8), and bad_pk[3] (of order 8) each match two bad points, depending on the sign of the x-coordinate. This sign is cleared in Step 3 in order to make sure that it does not affect the comparison. bad_pk[1] (of order 1) and bad_pk[4] (of order 2) each match one bad point, because the x-coordinate is 0 for these two points. Note that the first five list elements cover the eight bad points. However, to cover the case when the y-coordinate of the public key Y has not been modular reduced by p, the list also includes bad_pk[5] and bad_pk[6], which are simply bad_pk[0] and bad_pk[1] shifted by p. There is no need to shift the other bad_pk values by p (or any bad_pk values by a larger multiple of p), because their y-coordinates would exceed 2^255, and the algorithm ensures that y_string corresponds to an integer less than 2^255 in Step 3.)¶
5.5. ECVRF Ciphersuites
This document defines ECVRF
This document defines ECVRF
This document defines ECVRF
This document defines ECVRF
6. IANA Considerations
This document has no IANA actions.¶
7. Security Considerations
7.1. Key Generation
Implementations of the VRFs defined in this document MUST ensure that they generate VRF keys correctly and use good randomness. However, in some applications, keys may be generated by an adversary who does not necessarily implement this document. We now discuss the implications of this possibility.¶
7.1.1. Uniqueness and Collision Resistance under Malicious Key Generation
See Section 3 for definitions of uniqueness and collision resistance properties.¶
The RSA-FDH-VRF satisfies only the "trusted" variants of uniqueness and collision resistance. Thus, for the RSA-FDH-VRF, uniqueness and collision resistance may not hold if the keys are generated adversarially (specifically, if the RSA function specified in the public key is not bijective because the modulus n or the exponent e are chosen without complying with [RFC8017]); thus, the RSA-FDH-VRF as defined in this document does not have "full uniqueness" and "full collision resistance". Therefore, if malicious key generation is a concern, the RSA-FDH-VRF has to be enhanced by additional cryptographic checks (such as zero-knowledge proofs) to ensure that its public key has the right form. These enhancements are left for future specifications.¶
For the ECVRF, the Verifier MUST obtain E and B from a trusted source, such as a ciphersuite specification, rather than from the Prover. If the Verifier does so, then the ECVRF satisfies "full uniqueness", ensuring uniqueness even under malicious key generation. The ECVRF also satisfies "trusted collision resistance". It additionally satisfies "full collision resistance" if the validate_key parameter given to ECVRF_verify is TRUE. This setting of ECVRF_verify ensures collision resistance under malicious key generation.¶
7.1.2. Pseudorandomness under Malicious Key Generation
Without good randomness, the "pseudorandomne
7.1.3. Unpredictability under Malicious Key Generation
Unpredictabilit
Unpredictabilit
7.2. Security Levels
As shown in [PWHVNRG17], the RSA-FDH-VRF satisfies the trusted uniqueness property unconditionally
- For trusted collision resistance:
- approximately 8*min(k/2, hLen/2) (as shown in [PWHVNRG17]).¶
- For selective pseudorandomnes
s : - approximately as strong as the security, in bits, of the RSA problem for the key (n, e) (as shown in [GNPRVZ15]).¶
As shown in [PWHVNRG17], the security level of the ECVRF, measured in bits, is as follows (in the random oracle model for the functions Hash and ECVRF
- For uniqueness (both trusted and full):
- approximately 8*min(qLen, cLen).¶
- For collision resistance (trusted or full, depending on whether validation is performed as explained in Section 7.1.1):
-
approximately 8*min(qLen/2, hLen/2).¶ - For selective pseudorandomnes
s : - approximately as strong as the security, in bits, of the decisional Diffie-Hellman problem in the group G (which is at most 8*qLen/2).¶
See Section 3 for the definitions of these security properties and Section 7.3 for the discussion of full pseudorandomnes
7.3. Selective vs. Full Pseudorandomness
[PWHVNRG17] presents cryptographic reductions to an
underlying hard problem (namely, the RSA problem for the RSA-FDH-VRF
and the decisional Diffie-Hellman problem for the ECVRF)
to prove that the VRFs specified in this
document possess not only selective pseudorandomnes
While no known attacks against full pseudorandomnes
7.4. Proper Pseudorandom Nonce for the ECVRF
The security of the ECVRF defined in this document relies on the
fact that the nonce k used in the ECVRF_prove algorithm is
chosen uniformly and pseudorandomly modulo q and is unknown to the adversary.
Otherwise, an adversary may be able to recover
the VRF secret scalar x (and thus break pseudorandomnes
7.5. Side-Channel Attacks
Side-channel attacks on cryptographic primitives are an important issue.
Implementers should
take care to avoid side-channel attacks that leak information about
the VRF secret key SK (and the nonce k used in the ECVRF), which is
used in VRF_prove.
In most applications, the VRF
The VRF input alpha may also be a sensitive input to VRF_prove and may need to be protected against side-channel attacks. Below, we discuss one particular class of such attacks: timing attacks that can be used to leak information about the VRF input alpha.¶
The ECVRF
ECVRF
7.6. Proofs Provide No Secrecy for the VRF Input
The VRF proof pi is not designed to provide secrecy and, in general, may reveal the VRF input alpha. Anyone who knows PK and pi is able to perform an offline dictionary attack to search for alpha, by verifying guesses for alpha using VRF_verify. This is in contrast to the VRF hash output beta, which, without the proof, is pseudorandom and thus is designed to reveal no information about alpha.¶
7.7. Prehashing
The VRFs specified in this document allow for read-once access to
the input alpha for both signing and verifying. Thus, additional
prehashing of alpha (as specified, for example, in
[RFC8032] for Edwards-curve Digital Signature Algorithm (EdDSA) signatures) is not needed,
even for applications that need to handle long alpha or
to support the
Initialize
7.8. Hash Function Domain Separation
Hashing is used for different purposes in the two VRFs. Specifically, in the RSA-FDH-VRF, hashing is used in MGF1 and in proof_to_hash; in the ECVRF, hashing is used in encode
This is also the case for the ECVRF ciphersuites defined in this document, because¶
7.9. Hash Function Salting
If a hash collision is found, in order to make it more difficult for the adversary to exploit such a collision, the MGF1 function for the RSA-FDH-VRF and the ECVRF
7.10. Futureproofing
If future designs need to specify variants (e.g., additional ciphersuites) of the RSA-FDH-VRF or the ECVRF as defined in this document,
then, to avoid the possibility
that an adversary can obtain a VRF output under one variant and then claim it was obtained under
another variant,
they should specify a different suite_string constant. The suite_string constants discussed in this document are all single octets; if a future suite_string constant is longer than one octet, then it should start with a different octet than the suite_string constants discussed in this document. Then, for the RSA-FDH-VRF, the inputs to the hash function used in MGF1 and proof_to_hash will be different from other ciphersuites.
For the ECVRF, the inputs to the
ECVRF
8. References
8.1. Normative References
- [RFC2119]
-
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10
.17487 , , <https:///RFC2119 www >..rfc -editor .org /info /rfc2119 - [RFC5114]
-
Lepinski, M. and S. Kent, "Additional Diffie-Hellman Groups for Use with IETF Standards", RFC 5114, DOI 10
.17487 , , <https:///RFC5114 www >..rfc -editor .org /info /rfc5114 - [RFC6234]
-
Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)", RFC 6234, DOI 10
.17487 , , <https:///RFC6234 www >..rfc -editor .org /info /rfc6234 - [RFC6979]
-
Pornin, T., "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)", RFC 6979, DOI 10
.17487 , , <https:///RFC6979 www >..rfc -editor .org /info /rfc6979 - [RFC8017]
-
Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, "PKCS #1: RSA Cryptography Specifications Version 2.2", RFC 8017, DOI 10
.17487 , , <https:///RFC8017 www >..rfc -editor .org /info /rfc8017 - [RFC8032]
-
Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10
.17487 , , <https:///RFC8032 www >..rfc -editor .org /info /rfc8032 - [RFC8174]
-
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10
.17487 , , <https:///RFC8174 www >..rfc -editor .org /info /rfc8174 - [RFC9380]
-
Faz-Hernandez, A., Scott, S., Sullivan, N., Wahby, R. S., and C. A. Wood, "Hashing to Elliptic Curves", RFC 9380, DOI 10
.17487 , , <https:///RFC9380 www >..rfc -editor .org /info /rfc9380 - [SECG1]
-
Standards for Efficient Cryptography Group (SECG), "SEC 1: Elliptic Curve Cryptography", Version 2.0, , <https://
www >..secg .org /sec1 -v2 .pdf - [SP-800-186]
-
National Institute for Standards and Technology (NIST), "Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters", NIST SP 800-186, DOI 10
.6028 , , <https:///NIST .SP .800 -186 nvlpubs >..nist .gov /nistpubs /Special Publications /NIST .SP .800 -186 .pdf
8.2. Informative References
- [ANSI
.X9 -62 -2005] -
American National Standards Institute (ANSI), "Public Key Cryptography for the Financial Services Industry: the Elliptic Curve Digital Signature Algorithm (ECDSA)", ANSI X9.62, , <https://
standards >..globalspec .com /std /1955141 /ANSI %20X9 .62 - [BreHen19]
-
Breitner, J. and N. Heninger, "Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencie
s" , Cryptology ePrint Archive, Paper 2019/023, , <https://eprint >..iacr .org /2019 /023 - [DGKR18]
-
David, B., Gaži, P., Kiayias, A., and A. Russell, "Ouroboros Praos: An adaptively
-secure, semi , Cryptology ePrint Archive, Paper 2017/573, , <https://-synchronous proof-of-stake blockchain" eprint >..iacr .org /2017 /573 - [GHMVZ17]
-
Gilad, Y., Hemo, R., Micali, S., Vlachos, G., and N. Zeldovich, "Algorand: Scaling Byzantine Agreements for Cryptocurrencie
s" , Cryptology ePrint Archive, Paper 2017/454, , <https://eprint >..iacr .org /2017 /454 - [GNPRVZ15]
-
Goldberg, S., Naor, M., Papadopoulos, D., Reyzin, L., Vasant, S., and A. Ziv, "NSEC5: Provably Preventing DNSSEC Zone Enumeration", Cryptology ePrint Archive, Paper 2014/582, , <https://
eprint >..iacr .org /2014 /582 - [MRV99]
-
Micali, S., Rabin, M., and S. Vadhan, "Verifiable Random Functions", FOCS '99: Proceedings of the 40th Annual Symposium on Foundations of Computer Science, pp. 120-130, DOI 10
.1109 , , <https:///SFFCS .1999 .814584 dash >..harvard .edu /handle /1 /5028196 - [PWHVNRG17]
-
Papadopoulos, D., Wessels, D., Huque, S., Naor, M., Včelák, J., Reyzin, L., and S. Goldberg, "Making NSEC5 Practical for DNSSEC", Cryptology ePrint Archive, Paper 2017/099, , <https://
eprint >..iacr .org /2017 /099 - [X25519]
-
Bernstein, D.J., "How do I validate Curve25519 public keys?", , <https://
cr >..yp .to /ecdh .html#validate
Appendix A. Test Vectors for the RSA-FDH-VRF Ciphersuites
The test vectors in this section were generated using code provided at <https://
There are three keys used in the nine examples below. First, we provide the keys. They are shown in hexadecimal big-endian notation.¶
2048-bit key:¶
3072-bit key:¶
4096-bit key:¶
A.1. RSA-FDH-VRF-SHA256
Example 1, using the 2048-bit key above:¶
Example 2, using the 3072-bit key above:¶
Example 3, using the 4096-bit key above:¶
A.2. RSA-FDH-VRF-SHA384
Example 4, using the 2048-bit key above:¶
Example 5, using the 3072-bit key above:¶
Example 6, using the 4096-bit key above:¶
A.3. RSA-FDH-VRF-SHA512
Example 7, using the 2048-bit key above:¶
Example 8, using the 3072-bit key above:¶
Example 9, using the 4096-bit key above:¶
Appendix B. Test Vectors for the ECVRF Ciphersuites
The test vectors in this section were generated using code provided at <https://
B.1. ECVRF-P256-SHA256-TAI
The example secret keys and messages in Examples 10 and 11 are taken from Appendix A.2.5 of [RFC6979].¶
Example 10:¶
Example 11:¶
The example secret key in Example 12 is taken from Appendix L.4.2 of [ANSI.X9-62-2005].¶
Example 12:¶
B.2. ECVRF-P256-SHA256-SSWU
The example secret keys and messages in Examples 13 and 14 are taken from Appendix A.2.5 of [RFC6979].¶
Example 13:¶
Example 14:¶
The example secret key in Example 15 is taken from Appendix L.4.2 of [ANSI.X9-62-2005].¶
Example 15:¶
B.3. ECVRF-EDWARDS25519-SHA512-TAI
The example secret keys and messages in Examples 16, 17, and 18 are taken from Section 7.1 of [RFC8032].¶
Example 16:¶
Example 17:¶
Example 18:¶
B.4. ECVRF-EDWARDS25519-SHA512-ELL2
The example secret keys and messages in Examples 19, 20, and 21 are taken from Section 7.1 of [RFC8032].¶
Example 19:¶
Example 20:¶
Example 21:¶
Contributors
This document would not be possible without the work of Moni Naor, Sachin Vasant, and Asaf Ziv. Chloe Martindale provided a thorough cryptographer's review. Liliya Akhmetzyanova, Tony Arcieri, Gary Belvin, Mario Cao Cueto, Brian Chen, Sergey Gorbunov, Shumon Huque, Gorka Irazoqui Apecechea, Marek Jankowski, Burt Kaliski, Mallory Knodel, David C. Lawrence, Derek Ting-Haye Leung, Antonio Marcedone, Piotr Nojszewski, Chris Peikert, Colin Perkins, Trevor Perrin, Sam Scott, Stanislav Smyshlyaev, Adam Suhl, Nick Sullivan, Christopher Wood, Jiayu Xu, and Annie Yousar provided valuable input to this document. Christopher Wood, Malte Thomsen, Marcus Rasmussen, and Tobias Vestergaard provided independent verification of the test vectors. Riad Wahby helped this document align with [RFC9380].¶