Verifiable Random Function (VRF)

1. Background and scene

In blockchain systems, some frameworks use an algorithm to randomly pick the block-producing and verification nodes (Algorand, for example), and even use it to resolve forks. With a traditional random algorithm, nodes are polled according to some hash rule and one of them is chosen to do the accounting/verification. If anyone can reproduce that polling rule, then anyone can predict which node will do the accounting/verification in a future round and concentrate an attack on it.
VRF was introduced to solve this problem. Only the holder of the private key can complete the hashing process; everyone else can only verify the result after the holder announces it, so nobody can guess a future accounting node in advance.

The purpose of a VRF is to generate random values that cannot be predicted in advance, yet are verifiable and reproducible.

consensus development

A new generation of blockchain consensus algorithm: VRF distributed verifiable random function
Reference URL: https://blog.csdn.net/wxid2798226/article/details/84316219

Assume that a small island has no legal currency, and 101 peer bookkeepers with no affiliation to one another record the island's economic activity (so-called decentralized bookkeeping). Such a design has very good redundancy: if one bookkeeper has a problem, the whole system is unaffected. The biggest trouble is that so many people are keeping the same account with no central command. Will their records differ? Whose memory is inconsistent? Whose record prevails? So, given that different people keep separate accounts, what rules can ensure that the accounts they keep agree with each other? This is the so-called consensus problem.

The first generation of POW “wins with force”

In the real world, Bitcoin and Ethereum use POW, which relies on strength (i.e. chip computing power). Several generations of special-purpose chips have been developed, consuming huge amounts of money on equipment, and the POW mining process also consumes a lot of energy. In addition, the performance of POW is not good: the tps (transactions processed per second) of Bitcoin and Ethereum is low. The biggest advantage of POW is that it has been tested for a long time. Bitcoin has been running for ten years now, and the POW algorithm has proven effective; Ethereum's POW has been running for several years, and it has not switched to another algorithm even though it wanted to. It can be seen that POW has its own reasons for existing at this stage.

Second Generation POS/DPOS “Democratic Voting”

In the real world, Ethereum is preparing to change from POW to POS. The consensus algorithm of EOS is DPOS (the difference between DPOS and POS can be thought of as the difference between indirect and direct democracy: POS is a direct one-coin, one-vote ballot; in DPOS the one-coin, one-vote ballot first elects representatives, like deputies to the National People's Congress, who then vote on specific issues). In practice the results have been mediocre:

  • Although POS does not waste energy, don't forget the eternal imbalance of human society. In many cases, huge wealth is in the hands of a small number of people. Most of Ethereum is held by a few "giant whales". If it is changed to POS, small holders have no say, which runs against the ideas of voting, ecosystem building, and decentralization.
  • The practice of DPOS in EOS also still needs to be tested. At present, ordinary users have little motivation to vote: first, they do not know the candidates, and second, voting takes time, not to mention that an ordinary person's vote has little effect, because it is not worth a fraction of what the "giant whales" hold.

Third Generation VRF "Lucky Draw"

Besides voting, human society has another solution: drawing lots. But it is not done by queuing up and taking turns to draw from a single tube in the middle (that is too centralized, and a central lottery bucket is easy to manipulate); instead, each person has their own lottery bucket. After everyone draws, they show their lots and compare; the smallest one wins. If two people draw the same lot, those two draw another round.

So how do we prevent cheating? For example, everyone could simply claim to have drawn the smallest lot and declare themselves the winner, and such a distributed lottery would never end. To deal with such problems in the real world, a mathematical mechanism called a "zero-knowledge proof" is adopted: without actually drawing, the real result cannot be obtained, and a fake one will not pass everyone's verification. On the blockchain island, you can imagine that everyone uses their mobile phone to record the drawing process and the round marker while drawing lots; if anyone has doubts, the video can be played back.

In short, I feel that this solution is very close to the blockchain world originally envisioned by Satoshi Nakamoto. No more mines and mining machines wasting energy and harming decentralization; efficiency is also very high; and it ensures that tail participants also have the opportunity to take part in accounting, with a certain degree of fairness. The next generation of consensus algorithms is here.

POW relies on brute force to win. The "one CPU, one vote" utopia envisioned by Satoshi Nakamoto has not arrived; it forgot the imbalance of human society. POW has produced large centralized mines, and the concentration of interests means the general public does not care about the blockchain; the mine owners themselves are there for profit and do not care about the ecosystem; resources and interests are concentrated in the hands of a few large mines and large exchanges, and the general public only wants a piece of the coin-speculation pie and ends up being "cut like leeks".

DPOS has the same problem. The voting system was first invented in Athens, Greece, when it faced the Persian invasion; it was a matter of life and death to decide whether to fight or surrender (see the origin of democracy). DPOS's current voting rate is very low, and the votes are concentrated in a small number of hands. How many of the ordinary people hyping EOS actually care about the ecosystem and take the time to exercise their voting rights seriously?

Solving this problem requires long-term exploration. Maybe a lottery-based VRF is a solution. At least under this system, tail participants can obtain benefits, and the distribution of benefits is not as concentrated as in the past.

2. Quick Start with Verifiable Random Function (VRF)

1. What is VRF?

The concept of VRF was first proposed by Micali, Rabin and Vadhan.
In one sentence: taking the private key sk and a random seed as input, it outputs a pseudo-random number r together with a corresponding proof.
Anyone holding the public key vk that corresponds to sk can use the proof to verify that the pseudo-random number r was generated by the holder of sk.

A VRF is a verifiable random function: it has pseudo-randomness on the one hand and verifiability on the other (the output includes a non-interactive zero-knowledge proof).

e.g. Suppose it is round 10. The nodes take turns drawing lots, using the node's own private key plus a random number known to the entire network (for example, the round number 10) as input, and each generates a random number in the range 0-100. A condition is set: 100 nodes draw in turn, and the first one whose random number is greater than 10 becomes the packer of this round. Suppose node No. 5 draws 11. Only No. 5 knows this and the others do not, so it must broadcast a zero-knowledge proof along with the random number. Using the zero-knowledge proof, the entire network needs only No. 5's public key to verify the draw and accept No. 5 as the packager of this round.


About the third step: Verification
The verification function Verify takes as input the verification key vk, the message x, the pseudo-random output y and the proof π, and outputs 0/1. It outputs 1 only if it confirms that π was generated from x and that y can be derived from the proof π. In other words, the function verifies that there is a unique correspondence between x and y.

A VRF therefore means that, given a message and a private key, a unique and deterministic value can be calculated. This value is unique, unpredictable, and verifiable.
Traditional signature algorithms do not have this unique and deterministic property: the private key holder can produce multiple valid signatures for the same message.

A VRF behaves like a pseudo-random function: for any input, a random-looking output can be obtained:

  1. For different inputs, the output is random and evenly distributed over the value range.
  2. For the same input, the output is the same.
    Compared with a plain pseudo-random function, however, a VRF also has a non-interactive zero-knowledge proof, generated from the private key and the input, so others can use the public key and the input to verify that the random output is correct.

Here input is a valid input, sk is the user's private key, output is the random output, and proof proves that the output is legitimate.


2. The difference between MD5 hash function and VRF (Verifiable Random Function)

The MD5 hash function and a VRF (Verifiable Random Function) do have similarities: both produce the same output for the same input. The main difference between them is that a VRF is verifiable.

Specifically, the output generated by the VRF is not only related to the input, but also related to the specific private key. Moreover, while VRF generates output, it also generates a proof. This proof can be verified by anyone using the corresponding public key to ensure that the output was generated by the specific private key and input. This is the so-called "verifiability", which is not available in ordinary hash functions such as MD5.

In addition, the output of VRF is random, that is, its output is uniformly distributed in all possible output spaces. This allows the output of the VRF to be used as random numbers. Although ordinary hash functions such as MD5 can generate fixed-length outputs, these outputs do not necessarily have good randomness.

Therefore, although the MD5 hash function and VRF are similar in some aspects, VRF has verifiability and randomness of the output, making it more advantageous in many applications.

3. VRF-Verifiable Random Function

VRF-Verifiable Random Function
Reference URL: https://blog.csdn.net/yhc166188/article/details/100188559
Verifiable random function VRF
Reference URL: https://blog.csdn.net/shangsongwww/article/details/88813116

VRF (Verifiable Random Function): the meaning of the verifiable random function used in blockchains is easy to understand: it is used to randomly select block-producing nodes.

As a new consensus model based on cryptography, the biggest advantages of the VRF algorithm are fast consensus, attack resistance, and extremely low computing power requirements. Existing solutions include the Algorand algorithm and the BLS-based algorithm in Dfinity.

result = SHA256(secret,info)

The function above needs both secret and info to produce result. To verify the result, secret and info are also needed; in other words, the verifier must know the secret to check whether info and result match.

Is it possible to verify whether the result and info match each other without showing the secret? This is what a verifiable random function VRF can do.

result = VRF_HASH(SK,info)

Here SK is the secret key, a private key that is not disclosed and can be kept secret. The PK paired with SK is the public key, which must be disclosed for verification. With these basic elements, the specific VRF process is simple and clear:

1. The prover generates a key pair, PK and SK;
2. The prover calculates result = VRF_HASH(SK,info);
3. The prover calculates proof = VRF_Proof(SK,info);
4. The prover submits the result and proof to the verifier;
5. The verifier checks whether result = VRF_P2H(proof) holds. If true, continue, otherwise abort;
6. The prover submits PK and info to the verifier;
7. The verifier calculates True/False = VRF_Verify(PK,info,proof); True means the verification passed, False means it failed.

"Verification passed" means that the proof was generated from info and that result can be calculated from the proof, from which it follows that info and result correspond to each other. As can be seen above, the verifier never obtains the prover's private key SK, yet can still determine whether info and result match. This is the wonderful use of a VRF.
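As an added worked example (not code from the original post or from any library it mentions), the following Python implements the seven-step flow above with a simplified RSA full-domain-hash construction in the style of RSA-FDH-VRF: VRF_Proof is a deterministic RSA signature over a hash of info, VRF_P2H hashes the proof to obtain result, and VRF_Verify checks the proof with PK alone. It also maps the result onto the 0-100 lottery number of the round-10 example earlier on the page. The toy Miller-Rabin key generation, the domain-separation labels, the 1024-bit key size and the lottery mapping are assumptions made for this demo; it is not an RFC 9381-conformant implementation and is for illustration only.

```python
import hashlib
import secrets

# ---- Toy RSA key generation (Miller-Rabin); an assumption for the demo, not a VRF library ----
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test, with trial division by small primes first."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2            # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                             # no square reached n-1: composite
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if _is_probable_prime(cand):
            return cand

def keygen(bits: int = 1024):
    """Step 1: the prover generates a key pair. Returns (PK, SK) = ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:                  # e is prime, so this means gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))

def _full_domain_hash(info: bytes, n: int) -> int:
    """MGF1-style expansion of SHA-256 so the hash of info covers the whole modulus (FDH)."""
    n_len = (n.bit_length() + 7) // 8
    out, counter = b"", 0
    while len(out) < n_len:
        out += hashlib.sha256(b"VRF-FDH" + counter.to_bytes(4, "big") + info).digest()
        counter += 1
    return int.from_bytes(out[:n_len], "big") % n

def vrf_proof(sk, info: bytes) -> bytes:
    """Step 3, VRF_Proof: deterministic RSA signature over FDH(info); only the SK holder can compute it."""
    n, d = sk
    return pow(_full_domain_hash(info, n), d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def vrf_proof_to_hash(proof: bytes) -> bytes:
    """Step 5, VRF_P2H: the random result is a hash of the proof, so result follows from proof alone."""
    return hashlib.sha256(b"VRF-P2H" + proof).digest()

def vrf_hash(sk, info: bytes) -> bytes:
    """Step 2, VRF_HASH(SK, info): the same SK and info always give the same 32-byte result."""
    return vrf_proof_to_hash(vrf_proof(sk, info))

def vrf_verify(pk, info: bytes, proof: bytes) -> bool:
    """Step 7, VRF_Verify(PK, info, proof): checks the proof with the public key, never seeing SK."""
    n, e = pk
    s = int.from_bytes(proof, "big")
    if not 0 < s < n:
        return False
    return pow(s, e, n) == _full_domain_hash(info, n)

def lottery_number(result: bytes, modulus: int = 101) -> int:
    """Map the VRF result onto 0..100 as in the round-10 lottery (constructed mapping)."""
    return int.from_bytes(result, "big") % modulus

def is_packer(result: bytes, threshold: int = 10) -> bool:
    """Selection rule from the example: a node whose lot exceeds the threshold packs the block."""
    return lottery_number(result) > threshold

if __name__ == "__main__":
    pk, sk = keygen()
    info = b"round-10"                               # network-wide known seed (constructed)
    proof = vrf_proof(sk, info)
    result = vrf_hash(sk, info)
    print("result == VRF_P2H(proof):", result == vrf_proof_to_hash(proof))   # step 5
    print("verify with PK:", vrf_verify(pk, info, proof))                     # step 7
    print("verify with wrong info:", vrf_verify(pk, b"round-11", proof))
    print("lot:", lottery_number(result), "packer:", is_packer(result))
```

The verifier needs only PK, info and proof; it never sees SK, yet a proof for a different info, a tampered proof, or a proof made under another key all fail, which is exactly the property the SHA256(secret, info) construction lacks. Because RSA signing with a fixed key is deterministic, the same SK and info always yield the same result, which is what makes the lot reproducible and a node unable to retry for a better number.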

The continuous evolution of the hash function can be simply expressed as the following path:

Original hash function: info -> result

Keyed hash function: info,secret -> result

Public-key version, VRF: info,SK -> proof,PK -> result

VRF common libraries (continuously collected and updated)

Schnorrkel is a cryptographic signature library of the Web3 Foundation: https://github.com/w3f/schnorrkel
Schnorrkel implements a derivative of Ed25519 called sr25519, also known as Schnorrkel/Ristretto x25519, which addresses the security issues that arise when Ed25519 is used in complex protocols and makes it usable with Substrate. The library also supports other protocols, such as hierarchical deterministic key derivation (HDKD), multi-signatures (MuSig), VRF (verifiable random function) and so on.

reference

VRF Introduction
Reference URL: https://blog.csdn.net/shangsongwww/article/details/88797403
Chainlink Oracle Tutorial (principle explanation & code demonstration)
Reference URL: https://www.bilibili.com/video/BV1ed4y1N7Uv/
Principle analysis of the Chainlink oracle
Reference URL: https://learnblockchain.cn/article/4766

Origin blog.csdn.net/inthat/article/details/108529467