Crate dleq_vrf

DLEQ VRF-AD

Implements the two relevant verifiable random functions (VRFs) with associated data (VRF-ADs) which arise from Chaum-Pedersen DLEQ proofs, polymorphic over Arkworks’ elliptic curves.

Thin VRF aka ThinVrf provides a regular VRF similar but broadly superior to “EC VRF”. Thin VRF support batch verification or half-aggregation exactly like Schnorr signatures, but which ECVRF lacks. In essence, thin VRF is a Schnorr signature with base point given by a pseudo-random (Fiat-Shamir) linear combination of base points, while EC VRF is two linked Schnorr signatures on distinct base points. Thin VRF should be slightly faster than EC VRF, be similarly sized on typical Edwards curves, but slightly larger on larger BLS12 curves. As a rule, new applications should always prefer thin VRF over EC VRF.

Pedersen VRF aka PedersenVRF resembles EC VRF but replaces the public key by a Pedersen commitment to the secret key, which makes the Pedersen VRF useful in anonymized ring VRFs, or perhaps group VRFs. We provide both batchable and nonbatchable forms of the Pedresen VRF. We favor the batchable form because our blinding factors enlarge our signatures anyways, making the batchable form less significant proportionally than batchable forms of EV VRF.

As the Pedersen VRF needs two verification equations, we support DLEQ proofs between two distinct curves provided both have the same subgroup order. Around this, we support omitting the blinding factors for cross curve DLEQ proofs, like proving public keys on G1 and G2 of a BLS12 curve have the same secret key.

Re-exports

• pub use ark_transcript as transcript;
• pub use error::SignatureResult;
• pub use error::SignatureError;
• pub use keys::PublicKey;
• pub use keys::SecretKey;
• pub use vrf::IntoVrfInput;
• pub use vrf::VrfInput;
• pub use vrf::VrfPreOut;
• pub use vrf::VrfInOut;

Modules

• error
• keys
  VRF keys
• vrf
  VRF Output routines

Structs

• NonBatchableSignature
  Non-batchable VRF signature detached from VRF inputs and outpus,resembles EC VRF.
• PedersenVrf
  Pedersen VRF flavor
• Signature
  VRF signature detached from VRF inputs and outpus
• ThinVrf
  Thin VRF flavor
• Transcript
  Shake128 transcript style hasher.

Constants

• SMALL_COFACTOR_BOUND
  Any cofactor of this size or smaller gets treated as small, resulting in only doing on-curve checks, not full subgroup checks, and instead multiplying by the cofactor in hashing and equality checks.

Traits

• Flavor
  VRF flavors based upon DLEQ proofs: Thin/Schnorr vs Pedersen vs something else.
• IntoTranscript
  All types interpretable as Transcripts, including primarily impl BorrowMut<Traanscript> types like Transcript and &mut Transcript.

Functions

• mul_by_small_cofactor
• small_cofactor_affine
  Report if an elliptic curve has a small cofactor
• small_cofactor_projective
  Report if an elliptic curve has a small cofactor
• zero_mod_small_cofactor