Start of PedersonVRF Spec and Peredson VRF Sign

w3f · Mar 26, 2024 · 28568cd · 28568cd
1 parent 5fe3210
commit 28568cd
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 5 deletions.
diff --git a/Specification.toml b/Specification.toml
@@ -17,5 +17,6 @@ vrf-keys = "dleq_vrf/src/keys.rs"
 ## Thin VRF
 
 ## Pedersen VRF
+pedersen-vrf = "dleq_vrf/src/pedersen.rs"
 
 # Bandersnatch VRF
diff --git a/dleq_vrf/src/pedersen.rs b/dleq_vrf/src/pedersen.rs
@@ -3,10 +3,18 @@
 // Authors:
 // - Jeffrey Burdges <[email protected]>
 
+//~ ### Pedersen VRF
+//~
+//~ Strictly speaking Pederson VRF is not a VRF. Instead, it proves
+//~ that the output has been generated with a secret key associated
+//~ with a blinded public (instead of public key). The blinded public
+//~ key is a cryptographic commitement to the public key. And it could
+//~ unblinded to prove that the output of the VRF is corresponds to 
+//~ the public key of the signer.
+//~
 //! ### Pedersen VRF routines
 //! 
 //! 
-
 use ark_ff::PrimeField;
 use ark_ec::{AffineRepr, CurveGroup};
 use ark_serialize::{CanonicalSerialize,CanonicalDeserialize};
@@ -231,6 +239,20 @@ where K: AffineRepr, H: AffineRepr<ScalarField = K::ScalarField>,
         Witness { r, k }
     }
 
+    //~ ### Pedersen VRF Sign
+    //~ **Inputs**:\
+    //~   - Transcript $t$ of `ArkTranscript` type\
+    //~   - $inputs$: An array of points on elliptic curve $E$.\
+    //~   - $sb$: Blinding coefficient $\in F$\
+    //~   - $sk$: A VRF secret key.\
+    //~   - $pk$: VRF verification key corresponds to $sk$.\
+    //~ **Output**:\
+    //~   - $signature$: of VRFPreOutput type.
+    //~
+    //~ ---
+    //~
+
+    ///
     /// Sign Pedersen VRF signature
     /// 
     /// We create the secret blinding unless the user supplies one.
@@ -245,19 +267,25 @@ where K: AffineRepr, H: AffineRepr<ScalarField = K::ScalarField>,
         let flavor = self;
         let mut t = t.into_transcript();
         let t = t.borrow_mut();
+        //~ 1. AddLabel(t, "PedersenVRF")
         t.label(b"PedersenVRF");
         let io = vrf::vrfs_merge(t, ios);
-
         // Allow derandomization by constructing secret_blinding and
         // witness as late as possible.
         let secret_blinding = secret_blinding.unwrap_or_else( || secret.new_secret_blinding(t) );
+        //~ 2. $compk = sk*G + b*K$
         let compk = flavor.compute_blinded_publickey(secret.as_publickey(), &secret_blinding);
+        //~ 3. AddLabel("KeyCommitment")
+        //~ 1. Append(t, compk)
         t.label(b"KeyCommitment");
         t.append(&compk);
 
         // In principle our new secret blinding should be derandomizable
-        // if the user supplied none. 
+        // if the user supplied none.
+        //~ 1. $w \leftarrow GeneratePedersenFiatShamir(t,inputs,secret)$
         let w = flavor.new_pedersen_witness(t,&io.input,secret);
+        //~ 1. $signature \leftarrow GeneratePedersonProof(t,sb,sk,compk)$
+        //~ 1. **return** $signature$
         let signature = w.sign_final(t,&secret_blinding,secret,compk).0;
         ( signature, secret_blinding )
     }

diff --git a/spec/specification.md b/spec/specification.md
@@ -19,6 +19,19 @@ where
 - $ArkTranscript$ function is described in [[ark-transcript]] section.
 - $H2C: B \rightarrow G$  is a hash to curve function correspond to curve $E$ specified in Section [[hash-to-curve]] for the specific choice of $E$
 
+## EC VRF Input
+The EC-VRF input ultimately is a point on the elliptic curve
+as out put of hash of the transcript using arkworks chosen hash
+for the given curve.
+
+VRF Input point should always be created locally, either as a hash-to-cuve
+output of the transcripto or ocasionally some base point.
+It should never be sent over the wire nor deserialized???Do you mean serialized?
+
+
+**Definition**: *VRF pre-output* is defined to be a point in $G$ in serialized  affine representation 
+** Definition **: *VRF InOut* is defined as a pair as follows:
+$$(VRF Input, VRF Preoutput)$$
 
 
 
@@ -72,13 +85,42 @@ As the Pedersen VRF needs two verification equations, we support
 DLEQ proofs between two distinct curves provided both have the same
 subgroup order.  Around this, we support omitting the blinding factors
 for  cross curve DLEQ proofs, like proving public keys on G1 and G2
-of a BLS12 curve have the same secret key.  
+of a BLS12 curve have the same secret key.
 
 
 
 ### Thin VRF
 
 ### Pedersen VRF
+### Pedersen VRF
+
+Strictly speaking Pederson VRF is not a VRF. Instead, it proves
+that the output has been generated with a secret key associated
+with a blinded public (instead of public key). The blinded public
+key is a cryptographic commitement to the public key. And it could
+unblinded to prove that the output of the VRF is corresponds to 
+the public key of the signer.
+
+### Pedersen VRF Sign
+**Inputs**:\
+  - Transcript $t$ of `ArkTranscript` type\
+  - $inputs$: An array of points on elliptic curve $E$.\
+  - $sb$: Blinding coefficient $\in F$\
+  - $sk$: A VRF secret key.\
+  - $pk$: VRF verification key corresponds to $sk$.\
+**Output**:\
+  - $signature$: of VRFPreOutput type.
+
+---
+
+1. AddLabel(t, "PedersenVRF")
+1. $compk = sk*G + b*K$
+1. AddLabel("KeyCommitment")
+1. Append(t, compk)
+1. $w \leftarrow GeneratePedersenFiatShamir(t,inputs,secret)$
+1. $signature \leftarrow GeneratePedersonProof(t,sb,sk,compk)$
+1. **return** $signature$
+
 
 ## Bandersnatch VRF
 
diff --git a/specification_template.md b/specification_template.md
@@ -48,13 +48,14 @@ As the Pedersen VRF needs two verification equations, we support
 DLEQ proofs between two distinct curves provided both have the same
 subgroup order.  Around this, we support omitting the blinding factors
 for  cross curve DLEQ proofs, like proving public keys on G1 and G2
-of a BLS12 curve have the same secret key.  
+of a BLS12 curve have the same secret key.
 
 
 {sections.dleq-vrf-preliminaries}
 ### Thin VRF
 
 ### Pedersen VRF
+{sections.pedersen-vrf}
 
 ## Bandersnatch VRF