### VRF Security Properties

We need a VRF to satisfy the following properties:

Correctness: If $$(Y,\pi)=Eval(sk,X)$$ then $$Verify(pk,X,Y,\pi)=1$$

Uniqueness: There do not exist tuples $$(Y,\pi)$$ and $$Y',\pi'$$ with $$Y \ne Y'$$ and: $$\mathsf{Verify}(pk,X,Y,\pi)=\mathsf{Verify}(pk,X,Y',\pi')=1$$

Pseudorandomess: For any adversary $$\mathcal{A}$$ the probability $$|Pr[ExpRand^A_{VRF}(\lambda)=1]-\dfrac{1}{2}|$$ is negilible where $$ExpRand_{VRF}^{\mathcal{A}}(1^\lambda)$$ is defined as follows:

$$ExpRand_{VRF}^{\mathcal{A}}(1^\lambda)$$:

• $$(sk,pk) \leftarrow \mathsf{Gen}(1^{\lambda})$$
• $$(X^*,st) \leftarrow \mathcal{A}^{\mathcal{O_{VRF}}(.)}(pk)$$
• $$Y_0 \leftarrow \mathsf{Eval}(X*,sk)$$
• $$Y_1 \leftarrow \{0,1\}^{out(\lambda)}$$
• $$b {\stackrel{}{\leftarrow}} \{0,1\}$$
• $$b' \leftarrow \mathcal{A}(Y_b,st)$$
• Return $$b=b'$$

The oracle $$\mathcal{O_{VRF}}(.)$$ works as follow: Given an input $$x$$, it outputs the VRF value computed by $$x$$ and its proof.

In the paper of [PWHVNRG17], the authors stated that a VRF must also be collision resistant. This property is formally defined below:

Collision Resistant: Collision Resistant: For any adversarial prover $$\mathcal{A}=(\mathcal{A_1},\mathcal{A_2})$$ the probability $$Pr\left[ExpCol_{VRF}^\mathcal{A}(1^\lambda)=1\right]$$ is negligible where $$ExpCol_{VRF}^\mathcal{A}(1^\lambda)$$ is defined as follows:

$$ExpCol_{VRF}^\mathcal{A}(1^\lambda)$$:

• $$(pk,sk) \leftarrow \mathcal{A_1}(\mathsf{Gen}(1^{\lambda}))$$
• $$(X,X',st) \leftarrow \mathcal{A_2}(sk,pk)$$
• Return $$X \ne X'$$ and $$\mathsf{Eval}(X,sk)=\mathsf{Eval}(X',sk)$$

It is interesting to see that, VRF can be used for signing messages. However, several signing algorithms such as ECDSA cannot be used to build a VRF. For a given message and a secret key, there can be multiple valid signatures, thus an adversiral prover could produce different valid outputs from a given input, and chooses the one that benefits him. This contradicts the uniqueness property of VRF.