Abstract

A verifiable random function (VRF) is a pseudorandom function F whose outputs can be publicly verified: the holder of the secret key sk computes y = F(sk, x) together with a proof π, and anyone holding the corresponding public key can check that y is the correct output on x. A simulatable VRF (sVRF) is an important variant of a VRF that additionally provides simulatability. Informally, simulatability means that a simulator holding trapdoor information can produce a valid proof π that y = F(sk, x) for any input x and any output value y. (Simulatable) VRFs are used in e-cash, e-lottery and blockchain protocols, and in constructing multi-theorem non-interactive zero-knowledge (NIZK) proofs. However, up to now the existing constructions of an sVRF either rely on non-standard assumptions (e.g., q-type ones), or are built in the random oracle model, or resort to expensive techniques such as the Cook-Levin reduction.

In this paper, we design the first sVRF from the LWE assumption in the standard model (without a random oracle) and without using a Cook-Levin reduction. Our construction takes as building blocks a pseudorandom function, a trapdoor fully homomorphic commitment (FHC) scheme, and a NIZK proof system for a language specified by the FHC. The trapdoor FHC is the key technical tool: it simplifies the underlying NIZK language, which makes it possible to instantiate the NIZK proof from LWE without a Cook-Levin reduction. Together with an LWE-based PRF, this yields an sVRF scheme from LWE.
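The role the abstract assigns to the trapdoor FHC is that a party holding the trapdoor can open a commitment to any value, which is what lets a simulator produce a proof of y = F(sk, x) for an arbitrary y. The following Python example, added here and not taken from the paper, illustrates that mechanism with a Pedersen commitment over a prime-order subgroup: the trapdoor is the discrete log t = log_g h, and knowing t lets one re-open a fixed commitment to any message. This is a discrete-log-based, additively homomorphic commitment, not the lattice-based fully homomorphic commitment the paper builds on; the parameter generation, function names and sample values are this example's own.

```python
"""Trapdoor (equivocable) commitment demo with Pedersen commitments.

Added illustration, not code from the paper: a Pedersen commitment
C = g^m * h^r in a prime-order subgroup of Z_p^*.  Whoever knows the
trapdoor t = log_g h can open C to any message m', which is the
equivocation property a simulator needs.  The scheme is only additively
homomorphic and is DLOG-based, unlike the paper's LWE-based FHC.
"""
import random

# Deterministic Miller-Rabin bases: correct for every n < 3.3e24.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Deterministic Miller-Rabin for the sizes used here (< 3.3e24)."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(bits=64, seed=1):
    """Return ((p, q, g, h), trapdoor): a safe prime p = 2q + 1, a generator g
    of the order-q subgroup, and h = g^t.  The seed keeps the demo reproducible;
    a real deployment would draw these from a CSPRNG (assumption of this demo)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    # A square of a non-trivial element has order q in Z_p^* when p = 2q + 1.
    g = pow(rng.randrange(2, p - 1), 2, p)
    trapdoor = rng.randrange(1, q)       # t = log_g(h), known only to the simulator
    h = pow(g, trapdoor, p)
    return (p, q, g, h), trapdoor


def commit(params, m, r):
    """Pedersen commitment C = g^m * h^r mod p with message m and randomness r."""
    p, q, g, h = params
    return (pow(g, m % q, p) * pow(h, r % q, p)) % p


def open_check(params, c, m, r):
    """Verifier side: accept the opening (m, r) iff it recomputes c."""
    return commit(params, m, r) == c


def equivocate(params, trapdoor, m, r, m_new):
    """Simulator side.  From g^m h^r = g^m' h^r' and h = g^t we need
    m + t*r = m' + t*r' (mod q), so r' = r + (m - m') * t^{-1} mod q."""
    _, q, _, _ = params
    t_inv = pow(trapdoor, -1, q)
    return (r + (m - m_new) * t_inv) % q


def add_commitments(params, c1, c2):
    """Additive homomorphism: commit(m1, r1) * commit(m2, r2) = commit(m1+m2, r1+r2)."""
    return (c1 * c2) % params[0]


if __name__ == "__main__":
    params, t = gen_params()
    y, r = 42, 12345                      # constructed sample: honest VRF output and randomness
    c = commit(params, y, r)
    print("honest opening accepted:", open_check(params, c, y, r))
    r_sim = equivocate(params, t, y, r, 7)
    print("trapdoor opening to 7 accepted:", open_check(params, c, 7, r_sim))
    print("wrong opening without trapdoor:", open_check(params, c, 7, r))
```

Without the trapdoor the binding property holds (reopening to a different message requires solving the discrete log of h), while the trapdoor holder can open the same commitment to whatever value the simulation demands; the paper's point is that a commitment with this kind of trapdoor, plus full homomorphism, keeps the NIZK language simple enough to instantiate from LWE.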
