Crate ark_vrf

§Elliptic Curve VRF

Implementations of Verifiable Random Function with Additional Data (VRF-AD) schemes built on a transcript-based Fiat-Shamir transform with support for multiple input/output pairs via delinearization.

Built on the Arkworks framework with configurable cryptographic parameters and no_std support.

§Security

VRF input points must be constructed via hash-to-curve (e.g. Input::new) so that nobody knows their discrete-log relation to the generator G. If the prover knew such a relation, they could forge outputs. This is critical because the delinearization merges the Schnorr and VRF pairs into a single check.

§Schemes

  • Tiny VRF: Compact proof. Loosely inspired by RFC-9381, adapted with a transcript-based Fiat-Shamir transform, support for additional data, and multiple I/O pairs via delinearization.

  • Thin VRF: Same structure as Tiny VRF but stores the nonce commitment instead of the challenge, enabling batch verification at the cost of a slightly larger proof.

  • Pedersen VRF: Key-hiding VRF based on the construction introduced by BCHSV23. Replaces the public key with a Pedersen commitment to the secret key, serving as a building block for anonymized ring signatures.

  • Ring VRF: Anonymized ring VRF combining Pedersen VRF with the ring proof scheme derived from CSSV22. Proves that a single blinded key is a member of a committed ring without revealing which one.
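
The Tiny VRF structure and the Security note above, as an added Python illustration that is not ark_vrf's code: a (challenge, response) proof over the secp256r1 curve where the input is hashed to the curve, the additional data is bound into the Fiat-Shamir transcript, and the Schnorr relation Y = xG and the VRF relation O = xI are delinearized with a transcript-derived weight r into one check. The transcript layout, the weight and nonce derivations and the try-and-increment hash-to-curve are assumptions of this example (ark_vrf's own differ), and the affine arithmetic is not constant time.

```python
import hashlib

# Constructed toy on the secp256r1 (P-256) curve: affine maths, not constant time.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A, B = P - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(p1, p2):  # None stands for the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P
def ec_mul(k, pt):  # double-and-add; leaks k through timing (toy only)
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc
def hash_to_curve(msg):  # try-and-increment: nobody learns log_G of the result
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(bytes([ctr]) + msg).digest(), "big") % P
        rhs = (pow(x, 3, P) + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)  # square-root candidate, valid since P = 3 (mod 4)
        if y * y % P == rhs:
            return (x, y)
    raise ValueError("hash-to-curve failed")
def transcript(label, pts, ad):  # Fiat-Shamir transcript hash, reduced mod N
    data = label + b"".join(x.to_bytes(32, "big") + y.to_bytes(32, "big") for x, y in pts) + ad
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N
def prove(sk, inp, ad):
    pk, out = ec_mul(sk, G), ec_mul(sk, inp)                      # Y = xG, O = xI
    k = transcript(b"nonce", [inp], sk.to_bytes(32, "big") + ad)  # deterministic nonce
    r = transcript(b"delin", [pk, inp, out], ad)                  # delinearization weight
    w = ec_mul(k, ec_add(G, ec_mul(r, inp)))                      # k(G + rI): U = kG and V = kI merged
    c = transcript(b"chal", [pk, inp, out, w], ad)
    return out, (c, (k + c * sk) % N)                             # compact (challenge, response) proof
def verify(pk, inp, out, ad, proof):
    c, s = proof
    r = transcript(b"delin", [pk, inp, out], ad)
    w = ec_add(ec_mul(s, ec_add(G, ec_mul(r, inp))),               # s(G + rI)
               ec_mul(N - c, ec_add(pk, ec_mul(r, out))))          # - c(Y + rO): one merged check
    return w is not None and c == transcript(b"chal", [pk, inp, out, w], ad)
```

Verification recomputes k(G + rI) from the proof alone, so a changed output point, public key or additional data changes the recomputed challenge and the check fails.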

§Specifications

§Built-In suites

The library conditionally includes the following pre-configured suites (see features section):

  • Ed25519: Supports Tiny, Thin, and Pedersen VRF.
  • Secp256r1: Supports Tiny, Thin, and Pedersen VRF.
  • Bandersnatch (Edwards curve on BLS12-381): Supports Tiny, Thin, Pedersen, and Ring VRF.
  • JubJub (Edwards curve on BLS12-381): Supports Tiny, Thin, Pedersen, and Ring VRF.
  • Baby-JubJub (Edwards curve on BN254): Supports Tiny, Thin, Pedersen, and Ring VRF.

§Usage

```rust
use ark_vrf::suites::bandersnatch::*;

// Derive the secret key from a 32-byte seed (an all-zero seed, for illustration only).
let secret = Secret::from_seed([0; 32]);
let public = secret.public();
// Hash the message to a curve point, as the Security section requires for every input.
let input = Input::new(b"example input").unwrap();
// The output point is deterministic for a given (secret, input) pair.
let output = secret.output(input);
let hash_bytes: [u8; 32] = output.hash();
```

§Features

  • default: std
  • full: Enables all features listed below except secret-split, parallel, asm, test-vectors.
  • secret-split: Split-secret scalar multiplication. The secret scalar is split into the sum of two scalars, which are randomly re-randomized while keeping the same sum. Incurs a 2x penalty in some internal sensitive scalar multiplications, but provides side-channel defenses.
  • ring: Ring-VRF for the curves supporting it.
  • test-vectors: Deterministic ring-VRF proofs. Useful for reproducible test vector generation.

§Curves

  • ed25519
  • jubjub
  • bandersnatch
  • baby-jubjub
  • secp256r1

§Arkworks optimizations

  • parallel: Parallel execution via rayon, where it pays off.
  • asm: Assembly implementation of some low level operations.

§License

Distributed under the MIT License.

Modules§

pedersen
Pedersen VRF
reexports
Re-export stuff that may be useful downstream.
ring
Ring VRF
suites
Cipher Suites
thin
Thin VRF
tiny
Tiny VRF
utils
Common utilities

Macros§

ring_suite_types
Type aliases for the given ring suite.
suite_types
Type aliases for the given suite.

Structs§

Input
VRF input point generic over the cipher suite.
Output
VRF output point generic over the cipher suite.
Public
Public key generic over the cipher suite.
Secret
Secret key for VRF operations.
VrfIo
VRF input-output pair.

Enums§

Error
Crate error type.

Traits§

Suite
Defines a cipher suite.

Type Aliases§

AffinePoint
Suite’s affine curve point type.
BaseField
Suite’s base field type.
CurveConfig
Suite’s curve configuration type.
ScalarField
Suite’s scalar field type.