vrf_fun 0.12.0

RFC 9381 compliant Verifiable Random Function (VRF) for secp256k1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131

# vrf_fun

Verifiable Random Function (VRF) implementation for secp256k1.

## Use

```toml
[dependencies]
vrf_fun = "0.12"
secp256kfun = "0.12"
sha2 = "0.10"
```

## Overview

This crate provides RFC 9381 compliant VRF implementations for secp256k1, supporting both:
- **TAI (Try-And-Increment)** hash-to-curve method
- **RFC 9380** hash-to-curve method

## Features

- RFC 9381 compliant VRF implementation
- Support for both TAI and RFC 9380 hash-to-curve methods
- Simple VRF variant for when spec compliance is not required
- Generic over hash functions (SHA-256, etc.)
- Deterministic proofs
  - Suite strings: `0xFE` for TAI, `0xFF` for RFC SSWU
  
## Usage

### High-Level API

#### RFC 9381 with TAI (Try-And-Increment)

```rust
use secp256kfun::{prelude::*, KeyPair};
use vrf_fun::rfc9381;

// Generate a keypair
let keypair = KeyPair::new(Scalar::random(&mut rand::thread_rng()));

// Create a VRF proof
let alpha = b"test message";
let proof = rfc9381::tai::prove::<sha2::Sha256>(&keypair, alpha);

// Verify the proof
let verified = rfc9381::tai::verify::<sha2::Sha256>(
    keypair.public_key(), 
    alpha, 
    &proof
).expect("proof should verify");

// Get the VRF output
let beta = verified.rfc9381_output::<sha2::Sha256>();
```

#### RFC 9381 with RFC 9380 Hash-to-Curve

```rust
use vrf_fun::rfc9381;

// Same keypair and message
let proof = rfc9381::sswu::prove::<sha2::Sha256>(&keypair, alpha);

// Verify with the RFC 9380 verifier
let verified = rfc9381::sswu::verify::<sha2::Sha256>(
    keypair.public_key(), 
    alpha, 
    &proof
).expect("proof should verify");

let beta = verified.rfc9381_sswu_output::<sha2::Sha256>();
```

### Low-Level API

For more control over the hash-to-curve process:

```rust
use vrf_fun::{rfc9381::Rfc9381TaiVrf, SimpleVrf};
use secp256kfun::{prelude::*, KeyPair};

// Create VRF instance
let vrf = Rfc9381TaiVrf::<sha2::Sha256>::default();

// Hash to curve yourself
let h = Point::hash_to_curve_rfc9381_tai::<sha2::Sha256>(alpha, b"");

// Generate proof
let proof = vrf.prove(&keypair, h);

// Verify
let verified = vrf.verify(keypair.public_key(), h, &proof)
    .expect("proof should verify");
```

## Implementation Details

### Challenge Generation

The challenge is computed as:
```
c = Hash(suite_string || 0x02 || Y || H || Gamma || U || V || 0x00)
```

Where:
- `suite_string`: `0xFE` for TAI, `0xFF` for RFC 9380
- `Y` is the public key
- `H` is the hash-to-curve of the input
- `Gamma` is the VRF output point (x*H)
- `U` and `V` are the DLEQ proof commitments

The hash output is truncated to 16 bytes for secp256k1.

### VRF Output

The VRF output beta is computed as:
```
beta = Hash(suite_string || 0x03 || Gamma || 0x00)
```

## Important Notes

- The TAI and RFC 9380 variants use different suite strings (0xFE and 0xFF)
- Proofs generated with one method cannot be verified with the other
- The same input will produce different outputs with different hash-to-curve methods
- This implementation includes the public key in the challenge (unlike draft-05)

## Generic Hash Support

The implementation is generic over the hash function, constrained by `secp256kfun::hash::Hash32`. This allows using different SHA256 implementations or other 32-byte output hash functions.