Transaction Details
Tx Hash:
HeLhpP4EfcG379GCTBfquU
Status:
OnChain
Block:
Bundler:
0xF5d3B0bF5C6F4bEC970679Ee78caDbeA8bb72417
Timestamp:
Nov.21.2023 11:35:06 AM
Caller:
0x56bbd2cdbc7bef8e386736f6dafb0e7c1eaad1b8
Signature:
0x8d6695ed36934d810e2951a71eb0c9f3f961aa039a703a4a399aeca968765fe713618d0ab47a8afe4d288433e13b8fb510bdb5c4cae4f94440576940a8f2b47b1b
SepId:
1
Namespace:
Nuel
Dataset:
Collection:
Action:
insertOne
Document:
SupraVRF Service
Supra Research

Web3 applications based on blockchains regularly need access to randomness that is unbiased, unpredictable, and publicly verifiable. A verifiable random function (VRF) protocol satisfies these requirements naturally, and there is a tremendous rise in the use of VRF services. As most blockchains cannot maintain the secret keys required for VRFs, Web3 applications interact with external VRF services via a smart contract where a VRF output is exchanged for a fee. However, a single VRF service node may become a single point of failure. Therefore, the VRF service is deployed in a decentralized fashion as a committee consisting of a number of nodes, each holding only a share of the secret – the notion is called distributed VRF (DVRF) and offers additional security properties such as consistency, robustness, liveness/availability and strong pseudorandomness.

While this smart contract-based service offers the much-needed public verifiability immediately, it severely limits the way a client can employ the VRF service: the VRF requests cannot be made in advance, and the output cannot be reused. This introduces significant latency and monetary overhead. To resolve this we extend the traditional notion of VRF by adding a novel output-privacy requirement, in that the VRF output is only revealed to the client; everyone else, including the smart-contract and the service nodes, observes blinded/masked values. We call this notion Output-private VRF (PVRF) and incorporate it into Supra’s VRF framework as an additional service (like its non-private counterpart, this notion too supports decentralization). In our design, we observe a moderate computational overhead of around 2x for VRF service nodes to add output-privacy. The client may decide whether to go for a standard non-private VRF or an output-private VRF based on the requirements.

This document elaborates on the entire VRF service provided by Supra. In particular, it includes the definitions, technical details, security guarantees of Supra’s distributed VRF protocol and its output-private counterpart. This document also provides the details of the VRF framework.

Contents
1 Introduction
2 Related Work
3 Preliminaries
  3.1 Building Blocks
  3.2 (Distributed) Verifiable Random Functions
4 Supra core VRF Construction
5 Output-private DVRF (PVRF)
  5.1 Supra PVRF Construction
6 Supra VRF Service Framework
  6.1 Private VRF (without batching)
  6.2 Constructing the VRF input, INP
7 Conclusion

1 Introduction

Verifiable Random Functions. Randomness is a precious resource in computing. With the gigantic rise of blockchain technology and Web3 based applications, the demand for a reliable source of randomness has increased enormously. However, given that the on-chain randomness-generation within a smart contract is an expensive procedure, a natural approach is to delegate this to off-chain computation. Off-chain computations, nevertheless, must be verified on-chain to ensure the integrity of computation. Verifiable random functions enable such functionality. A Verifiable Random Function, V, is a keyed deterministic function which, on an input x, outputs a string y = V_sk(x). The secret-key sk is selected uniformly at random. Intuitively, the VRF provides two main security guarantees: (i) pseudorandomness, which implies that, as long as the secret-key is hidden, the output is indistinguishable from a uniform random string – this ensures both unpredictability and unbiasability; (ii) verifiability, which implies that given x, y and a proof π, anyone can publicly verify that y is indeed computed correctly as V_sk(x) – such a proof is produced using the secret-key sk.

Distributed VRFs. If a single node holds the entire VRF secret key, then it becomes a single point of failure – (i) if it is compromised, the adversary knows the key sk, and the VRF output is not unpredictable anymore; (ii) if there’s a system/network issue with this node, the computation may not terminate. To mitigate these, in the Supra VRF framework we consider a variant of VRF, called Distributed VRF