# Statically Aggregate Verifiable Random Functions and Application to E-Lottery


## Abstract


## 1. Introduction

**Our Contribution.** We introduce the notion of static aggregate verifiable random functions (static Agg-VRFs). Briefly, a static Agg-VRF is a family of keyed functions, each associated with a pair of keys, such that, given the secret key, one can compute the aggregation function for both the function values and the proofs of the VRFs over super-polynomially large sets in polynomial time, while, given the public key, the correctness of the aggregate function values can be checked against the corresponding aggregated proof. It is essential that the sizes of the aggregated function values and proofs be independent of the size of the set over which the aggregation is performed. The security requirement of a static Agg-VRF states that access to an aggregate oracle provides no advantage to a polynomial-time adversary in distinguishing the function value from a random value, even when the adversary can query an aggregation of the function values over a specific set (of possibly super-polynomial size) of his choice.

**Core Technique.** We present a construction of static aggregate VRFs, which performs the product aggregation over a bit-fixing set, following Hohenberger and Waters’ [13] VRF scheme. A bit-fixing set consists of bit-strings which match a particular bit pattern. It can be defined by a pattern string $v\in {\{0,1,\perp \}}^{\mathrm{poly}(\lambda)}$ as ${S}_{v}=\{x\in {\{0,1\}}^{\mathrm{poly}(\lambda)}:\forall i,\ {x}_{i}={v}_{i}\ \mathrm{or}\ {v}_{i}=\perp \}$. The evaluation of the VRF on input $x={x}_{1}\parallel {x}_{2}\parallel \dots \parallel {x}_{\ell}$ is defined as $y=e{(g,h)}^{{u}_{0}{\prod}_{i=1}^{\ell}{u}_{i}^{{x}_{i}}}$, where $g,h,{U}_{0}={g}^{{u}_{0}},\dots ,{U}_{\ell}={g}^{{u}_{\ell}}$ are public keys and ${u}_{0},\dots ,{u}_{\ell}$ are kept secret. The corresponding proofs of the VRF are given using a step ladder approach, namely, for $j=1$ to $\ell$, ${\pi}_{j}={g}^{{\prod}_{i=1}^{j}{u}_{i}^{{x}_{i}}}$ and ${\pi}_{\ell +1}={g}^{{u}_{0}{\prod}_{i=1}^{\ell}{u}_{i}^{{x}_{i}}}$.

**Improved Efficiency.** We provide some highlights on the achieved efficiency.

**Related work.** We summarize relevant current state-of-the-art.

## 2. Preliminaries

#### 2.1. Verifiable Random Functions

- $\mathsf{Setup}\left({1}^{\lambda}\right)\to (sk,pk)$ takes as input a security parameter $\lambda $ and outputs a key pair $(pk,sk)$. We say that $sk$ is the secret key and $pk$ is the verification key.
- $\mathsf{Eval}(sk,x)\to (y,\pi )$ takes as input the secret key $sk$ and $x\in \mathcal{X}$ and outputs a function value $y\in \mathcal{Y}$ and a proof $\pi \in \mathcal{P}$. We write ${\mathsf{Fun}}_{sk}\left(x\right)$ to denote the function value y and ${\mathsf{Prove}}_{sk}\left(x\right)$ to denote the proof of correctness computed by Eval on input $(sk,x)$.
- $\mathsf{Verify}(pk,x,y,\pi )\to \{0,1\}$ takes as input the verification key $pk$, $x\in \mathcal{X}$, $y\in \mathcal{Y}$, and the proof $\pi \in \mathcal{P}$ and outputs a bit.

**Definition 1.**

1. Provability: For all $(pk,sk)\leftarrow \mathsf{Setup}\left({1}^{\lambda}\right)$ and inputs $x\in \mathcal{X}$ it holds: if $(y,\pi )\leftarrow \mathsf{Eval}(sk,x)$, then $\mathsf{Verify}(pk,x,y,\pi )=1$.
2. Uniqueness: For all $pk$ (not necessarily generated by $\mathsf{Setup}$) and inputs $x\in \mathcal{X}$, there does not exist a tuple $({y}_{0},{y}_{1},{\pi}_{0},{\pi}_{1})$ such that: (1) ${y}_{0}\ne {y}_{1}$, (2) $\mathsf{Verify}(pk,x,{y}_{0},{\pi}_{0})=\mathsf{Verify}(pk,x,{y}_{1},{\pi}_{1})=1$.
3. Pseudorandomness: For all p.p.t. attackers $D=({D}_{1},{D}_{2})$, there exists a negligible function $\mu \left(\lambda \right)$ such that: $$\begin{aligned}\Pr[\,& (pk,sk)\leftarrow \mathsf{Setup}({1}^{\lambda});\ ({x}^{*},\mathsf{st})\leftarrow {D}_{1}^{\mathsf{Eval}(sk,\cdot)}(pk);\ {y}_{0}={\mathsf{Fun}}_{sk}({x}^{*});\ {y}_{1}\leftarrow \mathcal{Y};\\ & b\leftarrow \{0,1\};\ {b}^{\prime}\leftarrow {D}_{2}^{\mathsf{Eval}(sk,\cdot)}({y}_{b},\mathsf{st}):\ {b}^{\prime}=b\wedge {x}^{*}\notin {L}^{\mathsf{Eval}}\,]\le \frac{1}{2}+\mu (\lambda ),\end{aligned}$$

#### 2.2. Bilinear Maps and the HW-VRF Scheme

**Assumption A1.** Let $\mathbb{G},{\mathbb{G}}_{T}$ be groups of prime order $p\in \mathsf{\Theta}\left({2}^{\lambda}\right)$. For all p.p.t. adversaries $\mathcal{A}$, there exists a negligible function $\mu$ such that:

**HW-VRF Scheme.** Here, we describe one of the elegant constructions of VRFs proposed by Hohenberger and Waters [13] (abbreviated as the HW-VRF scheme). It is employed as the basis for our aggregate VRF scheme. HW-VRF is the first fully-secure VRF from the Naor-Reingold PRF [27] with exponential-size input space whose security is based on a so-called q-type complexity assumption, namely the q-DDHE assumption, and is built as follows.

- Setup$({1}^{\lambda},{1}^{\ell})$: The setup algorithm takes as input the security parameter $\lambda $ as well as the input length $\ell$. It first runs $\mathcal{G}\left({1}^{\lambda}\right)$ to obtain the description of the groups $\mathbb{G}$, ${\mathbb{G}}_{T}$ and of a bilinear map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_{T}$. The description of $\mathbb{G}$ contains the generators $g,h\in \mathbb{G}$. Let ${\{0,1\}}^{\ell}$ be the input space. It next selects random values ${u}_{0}$, ${u}_{1},\dots ,{u}_{\ell}\in {\mathbb{Z}}_{p}$ and sets ${U}_{0}={g}^{{u}_{0}}$, ${U}_{1}={g}^{{u}_{1}},\dots ,{U}_{\ell}={g}^{{u}_{\ell}}$. It then sets the keys as: $pk=(g,h,{U}_{0},{U}_{1},\dots ,{U}_{\ell}),sk=({u}_{0},{u}_{1},\dots ,{u}_{\ell})$.
- Fun$(sk,x)$: For $x\in {\{0,1\}}^{\ell}$, the function ${\mathsf{Fun}}_{sk}$ evaluates $x={x}_{1}\parallel {x}_{2}\parallel \dots \parallel {x}_{\ell}$ as: $$y={\mathsf{Fun}}_{sk}\left(x\right)=e{(g,h)}^{{u}_{0}{\prod}_{i=1}^{\ell}{u}_{i}^{{x}_{i}}}.$$
- Prove$(sk,x)$: This algorithm outputs a proof $\pi $, which is composed as follows. Let ${\pi}_{\ell +1}={g}^{{u}_{0}{\prod}_{i=1}^{\ell}{u}_{i}^{{x}_{i}}}$; for $j=1$ to $\ell$ it computes ${\pi}_{j}={g}^{{\prod}_{i=1}^{j}{u}_{i}^{{x}_{i}}}$. Set $\pi =({\pi}_{1},\dots ,{\pi}_{\ell},{\pi}_{\ell +1})$.
- Verify$(pk,x,y,\pi )$: Let $\pi =({\pi}_{1},\dots ,{\pi}_{\ell},{\pi}_{\ell +1})$. To verify that y was computed correctly, proceed in a step-by-step manner by checking that $$e({\pi}_{1},g)=\begin{cases}e(g,g), & \text{if } {x}_{1}=0;\\ e({U}_{1},g), & \text{otherwise,}\end{cases}$$ and, for $i=2,\dots ,\ell$, $$e({\pi}_{i},g)=\begin{cases}e({\pi}_{i-1},g), & \text{if } {x}_{i}=0;\\ e({\pi}_{i-1},{U}_{i}), & \text{otherwise.}\end{cases}$$ Finally, it checks that $e({\pi}_{\ell +1},g)=e({\pi}_{\ell},{U}_{0})$ and $e({\pi}_{\ell +1},h)=y$. It outputs 1 if and only if all checks verify. Otherwise, it outputs 0.

## 3. Static Aggregate VRFs

**Definition 2.** Let $\mathcal{F}={\left\{{\mathcal{F}}_{\lambda}\right\}}_{\lambda \in \mathbb{N}}$ be a VRF function family where each function $F\in {\mathcal{F}}_{\lambda}:\mathcal{K}\times \mathcal{X}\to \mathcal{Y}\times \mathcal{P}$ computable in polynomial time is defined over a key space $\mathcal{K}$, a domain $\mathcal{X}$, a range $\mathcal{Y}$ and a proof space $\mathcal{P}$. Let $\mathcal{S}$ be an efficiently recognizable ensemble of sets ${\left\{{\mathcal{S}}_{\lambda}\right\}}_{\lambda}$ where for any $S\in \mathcal{S}$, $S\subset \mathcal{X}$, and ${\Psi}_{\lambda}:{({\mathcal{Y}}_{\lambda},{\mathcal{P}}_{\lambda})}^{*}\to ({\mathcal{Y}}_{\lambda},{\mathcal{P}}_{\lambda})$ be an aggregation function. We say that $\mathcal{F}$ is an $(\mathcal{S},\Psi )$-static aggregate verifiable random function family (abbreviated $(\mathcal{S},\Psi )$-sAgg-VRFs) if it satisfies:

- **Efficient aggregation:** There exists an efficient (computable in polynomial time) algorithm ${\mathsf{Aggregate}}_{F,\mathcal{S},\Psi}(sk,S)\to ({y}_{\mathsf{agg}},{\pi}_{\mathsf{agg}})$ which on input the secret key $sk$ of a VRF and a set $S\in \mathcal{S}$, outputs aggregated results $({y}_{\mathsf{agg}},{\pi}_{\mathsf{agg}})\in \mathcal{Y}\times \mathcal{P}$ such that for any $S\in \mathcal{S}$, ${\mathsf{Aggregate}}_{{F}_{sk},\mathcal{S},\Psi}(sk,S)=\Psi ({F}_{sk}\left({x}_{1}\right),\dots ,{F}_{sk}\left({x}_{\left|S\right|}\right))$ where ${F}_{sk}\left({x}_{i}\right)=({y}_{i}={\mathsf{Fun}}_{sk}\left({x}_{i}\right),{\pi}_{i}={\mathsf{Prove}}_{sk}\left({x}_{i}\right))$ for $i=1,\dots ,\left|S\right|$;
- **Verification for aggregation:** There exists an efficient (computable in polynomial time) algorithm $\mathsf{AggVerify}(pk,S,{y}_{\mathsf{agg}},{\pi}_{\mathsf{agg}})\to \{0,1\}$ which on input the aggregated function value ${y}_{\mathsf{agg}}$ and the proof ${\pi}_{\mathsf{agg}}$ for an ensemble $S\in \mathcal{S}$ of the domain, verifies if it holds that ${y}_{\mathsf{agg}}=\Psi ({\mathsf{Fun}}_{sk}\left({x}_{1}\right),\dots ,{\mathsf{Fun}}_{sk}\left({x}_{\left|S\right|}\right))$ using the aggregated proof ${\pi}_{\mathsf{agg}}$.
- **Correctness of aggregated values:** For all $(pk,sk)\leftarrow \mathsf{Setup}\left({1}^{\lambda}\right)$, set $S\in \mathcal{S}$ and the aggregate function $\Psi \in {\Psi}_{\lambda}$, let $(y,\pi )\leftarrow \mathsf{Eval}(sk,x)$ and $({y}_{\mathsf{agg}},{\pi}_{\mathsf{agg}})\leftarrow {\mathsf{Aggregate}}_{F,\mathcal{S},\Psi}(sk,S)$, then $\mathsf{AggVerify}(pk,S,{y}_{\mathsf{agg}},{\pi}_{\mathsf{agg}})=1$.
- **Pseudorandomness:** For all p.p.t. attackers $D=({D}_{1},{D}_{2})$, there exists a negligible function $\mu \left(\lambda \right)$ s.t.: $$\begin{aligned}\Pr[\,& (pk,sk)\leftarrow \mathsf{Setup}({1}^{\lambda});\ ({x}^{*},\mathsf{st})\leftarrow {D}_{1}^{\mathsf{Eval}(sk,\cdot),{\mathsf{Aggregate}}_{F,\mathcal{S},\Psi}(sk,\cdot)}(pk);\ b\leftarrow \{0,1\};\\ & {y}_{0}={\mathsf{Fun}}_{sk}({x}^{*});\ {y}_{1}\leftarrow \mathcal{Y};\ {b}^{\prime}\leftarrow {D}_{2}^{\mathsf{Eval}(sk,\cdot),{\mathsf{Aggregate}}_{F,\mathcal{S},\Psi}(sk,\cdot)}({y}_{b},\mathsf{st}):\\ & {b}^{\prime}=b\wedge {C}_{{S}_{i}}({x}^{*})=0\ \mathrm{for\ all}\ {S}_{i}\in {L}^{\mathsf{Agg}}\wedge {x}^{*}\notin {L}^{\mathsf{Eval}}\,]\le \frac{1}{2}+\mu (\lambda ),\end{aligned}$$
- **Compactness:** There exists a polynomial $\mathrm{poly}(\cdot)$ such that for every $\lambda \in \mathbb{N}$, $x\in \mathcal{X}$, set $S\in \mathcal{S}$ and the aggregate function $\Psi \in {\Psi}_{\lambda}$, it holds with overwhelming probability over $(pk,sk)\leftarrow \mathsf{Setup}\left({1}^{\lambda}\right)$, $(y,\pi )\leftarrow \mathsf{Eval}(sk,x)$ and ${\mathsf{Aggregate}}_{F,\mathcal{S},\Psi}(sk,S)\to ({y}_{\mathsf{agg}},{\pi}_{\mathsf{agg}})$ that the resulting aggregated value ${y}_{\mathsf{agg}}$ and aggregated proof ${\pi}_{\mathsf{agg}}$ have size $|{y}_{\mathsf{agg}}|,|{\pi}_{\mathsf{agg}}|\le \mathrm{poly}(\lambda ,\left|x\right|)$. In particular, the sizes of ${y}_{\mathsf{agg}}$ and ${\pi}_{\mathsf{agg}}$ are independent of the size of the set S.

#### 3.1. A Static Aggregate VRF for Bit-Fixing Sets

- Aggregate$(sk,v)$: Let ${\pi}_{0}^{\mathsf{agg}}:={g}^{{2}^{\ell -\tau}}$. We define the aggregated proof as ${\pi}^{\mathsf{agg}}=({\pi}_{1}^{\mathsf{agg}},\dots ,{\pi}_{\ell}^{\mathsf{agg}},{\pi}_{\ell +1}^{\mathsf{agg}}),$ where for $i=1,\dots ,\ell $, $${\pi}_{i}^{\mathsf{agg}}=\begin{cases}{\left({\pi}_{i-1}^{\mathsf{agg}}\right)}^{{u}_{i}^{{v}_{i}}} & \text{if } i\in \mathrm{Fixed}(v)\\ {\left({\pi}_{i-1}^{\mathsf{agg}}\right)}^{({u}_{i}+1)/2} & \text{if } i\notin \mathrm{Fixed}(v).\end{cases}$$ $${y}^{\mathsf{agg}}=e{(g,h)}^{{u}_{0}\cdot \left({\prod}_{i\in \mathrm{Fixed}(v)}{u}_{i}^{{v}_{i}}\right)\cdot \left({\prod}_{i\in [\ell ]\setminus \mathrm{Fixed}(v)}({u}_{i}+1)\right)}.$$
- AggVerify$(pk,v,{y}^{\mathsf{agg}},{\pi}^{\mathsf{agg}})$: Parse ${\pi}^{\mathsf{agg}}=({\pi}_{1}^{\mathsf{agg}},\dots ,{\pi}_{\ell}^{\mathsf{agg}},{\pi}_{\ell +1}^{\mathsf{agg}})$. Let ${\pi}_{0}^{\mathsf{agg}}={g}^{{2}^{\ell -\tau}}$. The aggregation verification algorithm checks if the following equations are satisfied: for $i=1,\dots ,\ell $, $$e(g,{\pi}_{i}^{\mathsf{agg}})=\begin{cases}e({\pi}_{i-1}^{\mathsf{agg}},g) & \text{if } i\in \mathrm{Fixed}(v)\ \text{and}\ {v}_{i}=0\\ e({\pi}_{i-1}^{\mathsf{agg}},{U}_{i}) & \text{if } i\in \mathrm{Fixed}(v)\ \text{and}\ {v}_{i}=1\\ e{({\pi}_{i-1}^{\mathsf{agg}},g\cdot {U}_{i})}^{1/2} & \text{if } i\notin \mathrm{Fixed}(v).\end{cases}$$

**Theorem 1.**

**Proof of Theorem 1.**

**Oracle Queries to $\mathsf{Eval}(sk,\cdot)$.** The distinguisher D will make queries of VRF evaluations and proofs. On receiving an input x, $\mathcal{B}$ first checks if $C\left(x\right)=q$ and aborts if this is true. Otherwise, it defines the function value as $F\left(x\right)=e({\left({g}^{{a}^{C\left(x\right)}}\right)}^{J\left(x\right)},h)$, and the corresponding proof as $\pi =({\pi}_{0},{\pi}_{1},\dots ,{\pi}_{\ell})$ where ${\pi}_{0}={\left({g}^{{a}^{C\left(x\right)}}\right)}^{J\left(x\right)}$, ${\pi}_{i}={\left({g}^{{a}^{\widehat{C}(x,i)}}\right)}^{\widehat{J}(x,i)}$ for $i=1,\dots ,\ell $. Note that for any $x\in {\{0,1\}}^{\ell}$ it holds:

- The maximum value of $C\left(x\right)$ is $m(1+\ell )+(1+\ell )(m-1)=(2m-1)(1+\ell )<2m(1+\ell )=2q$.
- The maximum value of $\widehat{C}(x,i)$ is $\ell (m-1)<m(1+\ell )=q$ for $i\in \left[\ell \right]$.

**Oracle Queries to ${\mathsf{Aggregate}}_{{F}_{sk},\mathcal{S},\Psi}(\cdot)$.** The distinguisher D will also make queries for aggregate values. On receiving a pattern string $v\in {\{0,1,\perp \}}^{\ell}$, $\mathcal{B}$ uses the above secret key to compute the aggregated proof and the aggregate function value. More precisely, $\mathcal{B}$ answers the query ${\mathsf{Aggregate}}_{{F}_{sk},\mathcal{S},\Psi}\left({S}_{v}\right)$ as follows: Let ${\pi}_{0}^{\mathsf{agg}}:={g}^{{2}^{\ell -\tau}}$. Since the aggregated proof is defined as ${\pi}^{\mathsf{agg}}=({\pi}_{1}^{\mathsf{agg}},\dots ,{\pi}_{\ell}^{\mathsf{agg}},{\pi}_{\ell +1}^{\mathsf{agg}}),$ where, for $i=1,\dots ,\ell $,

**Challenge.** D will send a challenge input ${x}^{*}$ with the condition that ${x}^{*}$ is never queried to its $\mathsf{Eval}$ oracle. If $C\left({x}^{*}\right)=q$, $\mathcal{B}$ returns the value y. When D responds with a bit ${b}^{\prime}$, $\mathcal{B}$ outputs ${b}^{\prime}$ as its guess to its own q-DDHE challenger. If $C\left({x}^{*}\right)\ne q$, $\mathcal{B}$ outputs a random bit as its guess. This ends our description of q-DDHE adversary $\mathcal{B}$. □

**Remark 1.**

#### 3.2. Efficiency Analysis

**Analysis of Costs.** The instantiation in Section 3.1 is very compact since the aggregated function value consists of a single element in ${\mathbb{G}}_{T}$, while the aggregated proof is composed of $\ell +1$ elements in $\mathbb{G}$, both independent of the size of the set S. The Aggregate algorithm requires at most $\ell$ multiplications plus one exponentiation to compute ${y}^{\mathsf{agg}}$ and $\ell +2$ exponentiations to evaluate ${\pi}^{\mathsf{agg}}$, which is much less computation than the ${2}^{\ell -\tau}$ multiplications needed to obtain ${y}^{\mathsf{agg}}$ and the ${2}^{\ell -\tau}\cdot (\ell +1)$ multiplications needed to obtain ${\pi}^{\mathsf{agg}}$ over all ${2}^{\ell -\tau}$ inputs in S. The AggVerify algorithm requires at most $(2\ell +3)$ pairing operations, while ${2}^{\ell -\tau}\cdot (2\ell +3)$ pairings are needed for verifying the ${2}^{\ell -\tau}$ function values/proofs on all inputs in S.

#### 3.3. Implementation and Experimental Results

**Choice of elliptic curves and pairings.** In our implementation, we use Type A curves as described in [28], which can be defined as follows. Let q be a prime satisfying $q\equiv 3 \pmod 4$ and let p be some odd prime dividing $q+1$. Let E be the elliptic curve defined by the equation ${y}^{2}={x}^{3}+x$ over ${\mathbb{F}}_{q}$; then, $E\left({\mathbb{F}}_{q}\right)$ is supersingular, $\#E\left({\mathbb{F}}_{q}\right)=q+1$, $\#E\left({\mathbb{F}}_{{q}^{2}}\right)={(q+1)}^{2}$, and $\mathbb{G}=E\left({\mathbb{F}}_{q}\right)\left[p\right]$ is a cyclic group of order p with embedding degree $k=2$. Given the map $\Psi (x,y)=(-x,iy)$, where i is the square root of $-1$, $\Psi $ maps points of $E\left({\mathbb{F}}_{q}\right)$ to points of $E\left({\mathbb{F}}_{{q}^{2}}\right)\backslash E\left({\mathbb{F}}_{q}\right)$, and if f denotes the Tate pairing on the curve $E\left({\mathbb{F}}_{{q}^{2}}\right)$, then defining $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{F}}_{{q}^{2}}$ by $e(P,Q)=f(P,\Psi (Q))$ gives a bilinear nondegenerate map. For more details about the choice of parameters, please refer to [28]. In our case, we use the standard parameters proposed by Lynn [28] (https://crypto.stanford.edu/pbc/), where q has 126 bits and $p=730750818665451621361119245571504901405976559617$. To generate random elements, we use libsodium (https://libsodium.gitbook.io/). Our implementation is written in C and uses the GNU Multiple Precision Arithmetic library for big-number arithmetic. We use GCC version 10.0.1 with the following compilation flags: “-O3 -m64 -fPIC -pthread -MMD -MP -MF”.

**Implementing HW-VRF.** In our implementation, we use the pairing (bilinear map) implemented by Lynn [28] for the BLS signature scheme. When computing the function value ${\mathsf{Fun}}_{sk}\left(x\right)=e{(g,h)}^{{u}_{0}{\prod}_{i=1}^{\ell}{u}_{i}^{{x}_{i}}}$, one would usually first compute the pairing $e(g,h)$ and then do the exponentiation. However, exponentiation of an element in ${\mathbb{G}}_{T}$ is expensive. To improve the efficiency of computing ${\mathsf{Fun}}_{sk}\left(x\right)$, we use the following identity: $e{(g,h)}^{ab}=e({g}^{a},{h}^{b})$, which means that we calculate ${\mathsf{Fun}}_{sk}\left(x\right)$ as $e({g}^{{u}_{0}},{h}^{{\prod}_{i=1}^{\ell}{u}_{i}^{{x}_{i}}})$. Since the computation of ${g}^{a}$ (or ${h}^{b}$) corresponds to the scalar multiplication of a point P (or Q) by a scalar a (or b), this avoids the exponentiation of an element in ${\mathbb{G}}_{T}$ at the cost of two scalar multiplications of a point on the curve.

**Implementing our static Agg-VRFs.** Since p is fixed, when calculating the aggregated proof as ${\pi}_{i}^{\mathsf{agg}}:={\left({\pi}_{i-1}^{\mathsf{agg}}\right)}^{({u}_{i}+1)/2}$, we can precompute the inversion of 2 and thus only need to compute ${\left({\pi}_{i-1}^{\mathsf{agg}}\right)}^{({u}_{i}+1)\mathsf{inv}\left(2\right)}$ by the scalar multiplication of a point on the curve with scalar $({u}_{i}+1)\cdot \mathsf{inv}\left(2\right)$. We use a similar approach when computing $e{({\pi}_{i-1}^{\mathsf{agg}},g\cdot {U}_{i})}^{1/2}$; in this case, we always perform $e({\left({\pi}_{i-1}^{\mathsf{agg}}\right)}^{\mathsf{inv}\left(2\right)},g\cdot {U}_{i})$. Again, ${\left({\pi}_{i-1}^{\mathsf{agg}}\right)}^{\mathsf{inv}\left(2\right)}$ corresponds to the scalar multiplication of a point with scalar $\mathsf{inv}\left(2\right)$, while $g\cdot {U}_{i}$ corresponds to the additive operation on two points on the elliptic curve.

**Comparison.** We tested the performance of our static Agg-VRFs in comparison to a standard (non-aggregate) VRF, for five different input lengths, i.e., 56, 128, 256, 512, and 1024 bits. In all cases, we set the number of fixed bits to 20. Thus, naturally, we wanted to compare the efficiency of our aggregated VRF versus the evaluation and corresponding verification of ${2}^{36}$, ${2}^{108}$, ${2}^{236}$, ${2}^{492}$, and ${2}^{1004}$ VRF values. To perform our comparisons, we recorded the verification time for 100 pairs of function values and their corresponding proofs when the verification is performed one-by-one (i.e., without using the aggregation) versus the corresponding performance of our proposed static aggregate VRF. Obviously, it holds that $100\ll {2}^{36}$, $100\ll {2}^{108}$, $100\ll {2}^{236}$, $100\ll {2}^{492}$, and $100\ll {2}^{1004}$. In fact, it is fine to choose any number that is smaller than ${2}^{36}$. We choose 100 to have a sensible running time for the standard (non-aggregate) VRF. Taking the 56-bit input length with 20 fixed bits as an example, the bit-fixing set contains ${2}^{36}$ elements; we should then consider the verification time for ${2}^{36}$ pairs of function values and proofs, which is drastically larger than the running time of the verification for only 100 pairs. Thus, showing that our aggregate VRF is much more efficient than the evaluation and corresponding verification of 100 VRF values implies that it is more efficient than the evaluation and corresponding verification of ${2}^{36}$, ${2}^{108}$, ${2}^{236}$, ${2}^{492}$, and ${2}^{1004}$ VRF values, correspondingly.

## 4. Application to the E-Lottery Scheme

#### 4.1. Discussion on the Practical Instantiation of Chow et al.’s E-Lottery

#### 4.2. An E-Lottery Scheme Based on Aggregate VRFs

- Generate a public/secret key pair of VRF as $({\mathsf{pk}}_{\mathsf{VRF}},{\mathsf{sk}}_{\mathsf{VRF}})\leftarrow \mathrm{VRF}.\mathrm{Setup}\left({1}^{\lambda}\right)$ and key pair of a signature scheme as $({\mathsf{pk}}_{\mathsf{SIG}},{\mathsf{sk}}_{\mathsf{SIG}})\leftarrow \mathrm{SIG}.\mathrm{Setup}\left({1}^{\lambda}\right)$.
- Choose an arbitrary integer ${N}_{max}\in {\mathbb{Z}}_{p}^{*}$. The numbers used in the lottery game are $\{1,2,\dots ,{N}_{max}\}$.
- Publish a collision-resistant hash function, public key of VRF ${\mathsf{pk}}_{\mathsf{VRF}}$, public key of signature scheme ${\mathsf{pk}}_{\mathsf{SIG}}$, the delaying function $D(\cdot)$, and the amount of time $\mathcal{T}$ in which the dealer must release the generated winning ticket value.

- The player chooses $x\in {\mathbb{Z}}_{p}^{*}$ as bet number and randomly samples $r\leftarrow {\mathbb{Z}}_{p}^{*}$. r is kept secret.
- The player obtains a sequence number s of the ticket from the dealer.
- Compute $H(x\parallel s\parallel r)$, and send ${\mathsf{ticket}}_{i}=s\parallel (x\oplus r)\parallel H(x\parallel s\parallel r)$ to the dealer.

- The dealer generates a signature for ticket ${\mathsf{ticket}}_{i}$ as ${\sigma}_{i}\leftarrow \mathsf{SIG}.\mathsf{Sign}({\mathsf{sk}}_{\mathsf{SIG}},{\mathsf{ticket}}_{i})$ and returns ${\sigma}_{i}$ to the player to acknowledge the receipt of the player’s purchase request.
- The dealer creates the state of ${\mathsf{ticket}}_{1}$ as ${\mathsf{st}}_{1}:=H\left({\mathsf{ticket}}_{1}\right)$, and ${\mathsf{st}}_{i}:=H({\mathsf{st}}_{i-1}\parallel {\mathsf{ticket}}_{i})$ for $i=2,3,\dots $.
- The dealer generates blocks which contain: (1) the current state ${\mathsf{st}}_{i}\in {\{0,1\}}^{{\ell}_{H}}$; (2) ticket ${\mathsf{ticket}}_{i}$; and (3) signature ${\sigma}_{i}$ for ticket ${\mathsf{ticket}}_{i}$ under ${\mathsf{sk}}_{\mathsf{SIG}}$, e.g., with the following block structure:$${B}_{i}=({\mathsf{st}}_{i},{\mathsf{ticket}}_{i},{\sigma}_{i}):=({\mathsf{st}}_{i}:=H({\mathsf{st}}_{i-1}\parallel {\mathsf{ticket}}_{i}),{\mathsf{ticket}}_{i},{\sigma}_{i}).$$
- The dealer links all blocks to a blockchain, which is a sequence of blocks ${B}_{1},{B}_{2},\dots $.
- The dealer publishes a blockchain $\mathcal{C}={B}_{1},{B}_{2},\dots ,{B}_{n}$ where n is the number of tickets sold so far. The length of a chain $\mathsf{len}\left(\mathcal{C}\right)=n$ is its number of blocks. The structure of a blockchain $\mathcal{C}$ is depicted in Figure 2:

- Let the final state of the blockchain $\mathcal{C}$ be ${\mathsf{st}}_{n}$; the dealer computes $d:=D\left({\mathsf{st}}_{n}\right)$ by the delaying function and publishes d.
- Pad $d\in {\{0,1\}}^{{\ell}_{D}}$ with ⊥ as $\tilde{d}:={\perp}^{\ell -{\ell}_{D}}\parallel d$. Let $\tilde{d}={\perp}^{\ell -{\ell}_{D}}\parallel {d}_{1}\parallel \cdots \parallel {d}_{{\ell}_{D}}$. Define a set ${S}_{\tilde{d}}:=\{\xi \in {\{0,1\}}^{\ell}:\forall i\in \left[\ell \right],\ {\xi}_{i}={\tilde{d}}_{i}\ \mathrm{or}\ {\tilde{d}}_{i}=\perp \}$.
- The dealer calculates the product aggregation of all $|{S}_{\tilde{d}}|={2}^{\ell -{\ell}_{D}}$ function values and their corresponding proofs by using the efficient aggregation algorithm as $({y}^{\mathsf{agg}},{\pi}^{\mathsf{agg}}):=\mathrm{Aggregate}({\mathsf{sk}}_{\mathsf{VRF}},\tilde{d})$. More precisely, since ${\mathsf{sk}}_{\mathsf{VRF}}=({u}_{0},{u}_{1},\dots ,{u}_{\ell})$, which is defined by the HW-VRF scheme in Section 2.2, we have ${y}^{\mathsf{agg}}=e{(g,h)}^{{u}_{0}\cdot \left({\prod}_{i=\ell -{\ell}_{D}+1}^{\ell}{u}_{i}^{{d}_{i}}\right)\cdot \left({\prod}_{i=1}^{\ell -{\ell}_{D}}({u}_{i}+1)\right)}$.
- Let $\mathsf{EXP}\left({y}^{\mathsf{agg}}\right):={u}_{0}\cdot \left({\prod}_{i=\ell -{\ell}_{D}+1}^{\ell}{u}_{i}^{{d}_{i}}\right)\cdot \left({\prod}_{i=1}^{\ell -{\ell}_{D}}({u}_{i}+1)\right)$. The dealer checks if $\mathsf{EXP}\left({y}^{\mathsf{agg}}\right)\ (\mathrm{mod}\ p-1)\le {N}_{max}$. If it is true, then set ${y}_{\mathsf{win}}:={y}^{\mathsf{agg}}$ as the winning result.
- Otherwise, the dealer chooses a random index $\zeta \in [1,\ell -{\ell}_{D}]$ and then uses $\zeta $ to define a new wildcard ${\tilde{d}}^{\prime}\leftarrow {\perp}^{\zeta -1}\parallel 0\parallel {\perp}^{\ell -{\ell}_{D}-\zeta}\parallel {d}_{1}\parallel \cdots \parallel {d}_{{\ell}_{D}}$. The dealer computes $\mathsf{EXP}\left({\tilde{d}}^{\prime}\right):={u}_{0}\cdot \left({\prod}_{i=\ell -{\ell}_{D}+1}^{\ell}{u}_{i}^{{d}_{i}}\right)\cdot \left({\prod}_{i=1,i\ne \zeta}^{\ell -{\ell}_{D}}({u}_{i}+1)\right)$, and checks if $\mathsf{EXP}\left({\tilde{d}}^{\prime}\right)\ (\mathrm{mod}\ p-1)\le {N}_{max}$. Once it finds a $\zeta \in [1,\ell -{\ell}_{D}]$ s.t. $\mathsf{EXP}\left({\tilde{d}}^{\prime}\right)\ (\mathrm{mod}\ p-1)\le {N}_{max}$, the dealer sets ${y}_{\mathsf{win}}:=e{(g,h)}^{\mathsf{EXP}\left({\tilde{d}}^{\prime}\right)}$ as the winning result and computes the corresponding proof by using the efficient aggregation algorithm $\mathrm{Aggregate}({\mathsf{sk}}_{\mathsf{VRF}},{\tilde{d}}^{\prime})$.
- The dealer publishes the winning result and its proof $({y}_{\mathsf{win}},{\pi}_{\mathsf{win}})$ together with corresponding ${\tilde{d}}^{\prime}$ within $\Delta $ units of time after the closing of the lottery session.

- The player checks if $e{(g,h)}^{x}={y}_{\mathsf{win}}$. If it is true, the player wins.
- The player submits $(s,r)$ to the dealer.
- The dealer checks whether there exists a ticket ${\mathsf{ticket}}_{i}$ in the blockchain $\mathcal{C}$ such that ${\mathsf{ticket}}_{i}=s\parallel (x\oplus r)\parallel H(x\parallel s\parallel r)$.
- If it is true, the dealer checks whether the tuple $(s,r)$ has already been published (i.e., the prize has been claimed by someone already).
- If the prize is not yet claimed, the dealer pays the player and publishes $(s,r)$.

- The player checks whether his/her ticket(s) is/are included in the blockchain $\mathcal{C}$ and checks whether the final state ${\mathsf{st}}_{n}$ of the blockchain $\mathcal{C}$ is correct.
- The player verifies the correctness of d by using the verification algorithm of VDF.
- The player parses ${\tilde{d}}^{\prime}={\perp}^{\zeta -1}\parallel 0\parallel {\perp}^{\ell -{\ell}_{D}-\zeta}\parallel {d}_{1}\parallel \cdots \parallel {d}_{{\ell}_{D}}$ and checks if $d={d}_{1}\parallel \cdots \parallel {d}_{{\ell}_{D}}$.
- The player verifies the correctness of ${y}_{\mathsf{win}}$ by using the verification algorithm $b\leftarrow \mathrm{AggVerify}({\mathsf{pk}}_{\mathsf{VRF}},{\tilde{d}}^{\prime},{y}_{\mathsf{win}},{\pi}_{\mathsf{win}})$.
- For each winning ticket published, the players verify the validity of $s\parallel (x\oplus r)\parallel H(x\parallel s\parallel r)$.
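The ticket commitment, the dealer's hash chain, and the prize-claim and player checks listed above, as an added example that is not part of the paper's implementation. SHA-256 as $H$, the 20-byte fixed-width field encoding, the helper names and all sample numbers are assumptions made for illustration; the dealer's signature $\sigma_i$ and the delaying function are left out.

```python
import hashlib

WIDTH = 20  # assumption: s, x and r are encoded as 20-byte big-endian integers


def enc(n):
    return n.to_bytes(WIDTH, "big")


def H(*parts):
    """Stand-in for the published collision-resistant hash (SHA-256 is an assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()


def make_ticket(s, x, r):
    """ticket = s || (x XOR r) || H(x || s || r); r keeps the bet x hidden from the dealer."""
    return enc(s) + enc(x ^ r) + H(enc(x), enc(s), enc(r))


def append_block(chain, ticket):
    """st_1 = H(ticket_1), st_i = H(st_{i-1} || ticket_i)."""
    prev = chain[-1]["st"] if chain else b""
    chain.append({"st": H(prev, ticket), "ticket": ticket})


def verify_chain(chain, published_final_state):
    """Player check: recompute every state from the tickets and compare with st_n."""
    st = b""
    for block in chain:
        st = H(st, block["ticket"])
        if st != block["st"]:
            return False
    return bool(chain) and st == published_final_state


def ticket_included(chain, ticket):
    return any(block["ticket"] == ticket for block in chain)


def settle_claim(chain, claimed, s, r, x_win):
    """Dealer check: rebuild the ticket from (s, r) and the winning number, pay at most once."""
    if not ticket_included(chain, make_ticket(s, x_win, r)):
        return "no matching ticket"
    if (s, r) in claimed:
        return "already claimed"
    claimed.add((s, r))
    return "paid"


def pad_pattern(d_bits, ell):
    """d~ = wildcard^(ell - ell_D) || d, with None as the wildcard fed to Aggregate."""
    if len(d_bits) > ell:
        raise ValueError("delay-function output is longer than the VRF input")
    return [None] * (ell - len(d_bits)) + list(d_bits)


def demo():
    # Constructed sample session: three tickets (s, x, r); 4242 is taken as the winner.
    chain, claimed = [], set()
    for s, x, r in [(1, 1111, 987654321), (2, 4242, 123456789), (3, 7, 555)]:
        append_block(chain, make_ticket(s, x, r))
    final_state = chain[-1]["st"]
    return chain, claimed, final_state


if __name__ == "__main__":
    chain, claimed, final_state = demo()
    print("chain consistent:", verify_chain(chain, final_state))
    print("honest claim:", settle_claim(chain, claimed, 2, 123456789, 4242))
    print("replayed claim:", settle_claim(chain, claimed, 2, 123456789, 4242))
    print("wrong r:", settle_claim(chain, claimed, 2, 1, 4242))
```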

#### 4.3. Implementation and Comparison on Chow et al.’s/Improved E-Lottery

## 5. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## Abbreviations

| Abbreviation | Meaning |
| --- | --- |
| PRFs | Pseudorandom functions |
| VRFs | Verifiable random functions |
| Agg-VRFs | Aggregate verifiable random functions |
| DDHE | Decisional Diffie–Hellman Exponent |

## Appendix A. Verifiable Delay Functions (VDFs)

- $\mathcal{V}$ sends to $\mathcal{P}$ a random r in ${\mathbb{Z}}_{{2}^{\lambda}}$.
- Both $\mathcal{P}$ and $\mathcal{V}$ compute ${x}_{1}\leftarrow {x}^{r}\cdot \mu $ and ${y}_{1}\leftarrow {\mu}^{r}\cdot y$.
- $\mathcal{P}$ and $\mathcal{V}$ recursively engage in an interactive proof for statement $({\mathbb{Z}}_{N}^{*},{x}_{1},{y}_{1},T/2)\in L$, namely that ${y}_{1}={x}_{1}^{{2}^{\frac{T}{2}}}\in {\mathbb{Z}}_{N}^{*}$.

## References

- Micali, S.; Rabin, M.; Vadhan, S. Verifiable random functions. In Proceedings of the 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039), New York, NY, USA, 17–19 October 1999; pp. 120–130. [Google Scholar]
- Naor, M.; Pinkas, B.; Reingold, O. Distributed Pseudo-Random Functions and KDCs. In EUROCRYPT 1999; Springer: Berlin/Heidelberg, Germany, 1999; pp. 327–346. [Google Scholar]
- Micali, S.; Rivest, R.L. Micropayments Revisited; CT-RSA 2002; Springer: Berlin/Heidelberg, Germany, 2002; pp. 149–163. [Google Scholar]
- Papadopoulos, D.; Wessels, D.; Huque, S.; Naor, M.; Včelák, J.; Reyzin, L.; Goldberg, S. Making NSEC5 Practical for DNSSEC; Cryptology ePrint Archive, Report 2017/099; IACR 2017; Available online: https://eprint.iacr.org/2017/099 (accessed on 8 February 2017).
- Goldberg, S.; Naor, M.; Papadopoulos, D.; Reyzin, L.; Vasant, S.; Ziv, A. NSEC5: Provably Preventing DNSSEC Zone Enumeration; NDSS: New York, NY, USA, 2015. [Google Scholar]
- Papadopoulos, D.; Wessels, D.; Huque, S.; Naor, M.; Vcelák, J.; Reyzin, L.; Goldberg, S. Can NSEC5 be practical for DNSSEC deployments? IACR Cryptol. Eprint Arch.
**2017**, 2017, 99. [Google Scholar] - Chow, S.S.M.; Hui, L.C.K.; Yiu, S.M.; Chow, K.P. An e-Lottery Scheme Using Verifiable Random Function. In ICCSA 2005; Springer: Berlin/Heidelberg, Germany, 2005; pp. 651–660. [Google Scholar]
- David, B.; Gaži, P.; Kiayias, A.; Russell, A. Ouroboros Praos: An Adaptively-Secure, Semi-Synchronous Proof-of-Stake Blockchain. In EUROCRYPT 2018; Springer: Berlin/Heidelberg, Germany, 2018; pp. 66–98.
- Badertscher, C.; Gazi, P.; Kiayias, A.; Russell, A.; Zikas, V. Ouroboros Genesis: Composable Proof-of-Stake Blockchains with Dynamic Availability; Technical Report; Cryptology ePrint Archive, Report 2018/378; IACR 2018; Available online: https://eprint.iacr.org/2018/378.pdf (accessed on 25 April 2018).
- Cohen, A.; Goldwasser, S.; Vaikuntanathan, V. Aggregate Pseudorandom Functions and Connections to Learning. In TCC 2015; Springer: Berlin/Heidelberg, Germany, 2015; pp. 61–89.
- Boneh, D.; Waters, B. Constrained Pseudorandom Functions and Their Applications. In ASIACRYPT 2013; Springer: Berlin/Heidelberg, Germany, 2013; pp. 280–300.
- Boneh, D.; Lewi, K.; Montgomery, H.; Raghunathan, A. Key homomorphic PRFs and their applications. In CRYPTO 2013; Springer: Berlin/Heidelberg, Germany, 2013; pp. 410–428.
- Hohenberger, S.; Waters, B. Constructing verifiable random functions with large input spaces. In EUROCRYPT 2010; Springer: Berlin/Heidelberg, Germany, 2010; pp. 656–672.
- Jager, T.; Niehues, D. On the Real-World Instantiability of Admissible Hash Functions and Efficient Verifiable Random Functions. In SAC 2019; Springer: Berlin/Heidelberg, Germany, 2020; pp. 303–332.
- Lysyanskaya, A. Unique Signatures and Verifiable Random Functions from the DH-DDH Separation. In CRYPTO 2002; Springer: Berlin/Heidelberg, Germany, 2002; pp. 597–612.
- Dodis, Y. Efficient Construction of (Distributed) Verifiable Random Functions. In PKC 2003; Springer: Berlin/Heidelberg, Germany, 2003; pp. 1–17.
- Dodis, Y.; Yampolskiy, A. A Verifiable Random Function with Short Proofs and Keys. In PKC 2005; Springer: Berlin/Heidelberg, Germany, 2005; pp. 416–431.
- Jager, T. Verifiable Random Functions from Weaker Assumptions. In TCC 2015; Springer: Berlin/Heidelberg, Germany, 2015; pp. 121–143.
- Hofheinz, D.; Jager, T. Verifiable Random Functions from Standard Assumptions. In TCC 2016; Springer: Berlin/Heidelberg, Germany, 2016; pp. 336–362.
- Yamada, S. Asymptotically Compact Adaptively Secure Lattice IBEs and Verifiable Random Functions via Generalized Partitioning Techniques. In CRYPTO 2017; Springer: Berlin/Heidelberg, Germany, 2017; pp. 161–193.
- Katsumata, S. On the Untapped Potential of Encoding Predicates by Arithmetic Circuits and Their Applications. In ASIACRYPT 2017; Springer: Berlin/Heidelberg, Germany, 2017; pp. 95–125.
- Kohl, L. Hunting and Gathering—Verifiable Random Functions from Standard Assumptions with Short Proofs. In PKC 2019; Springer: Berlin/Heidelberg, Germany, 2019; pp. 408–437.
- Liu, Y.; Hu, L.; Liu, H. Using an efficient hash chain and delaying function to improve an e-lottery scheme. Int. J. Comput. Math. **2007**, 84, 967–970.
- Lee, J.S.; Chang, C.C.; Fellow, IEEE. Design of electronic t-out-of-n lotteries on the Internet. Comput. Stand. Interfaces **2009**, 31, 395–400.
- Chen, C.L.; Chiang, M.L.; Lin, W.C.; Li, D.K. A novel lottery protocol for mobile environments. Comput. Electr. Eng. **2016**, 49, 146–160.
- Grumbach, S.; Riemann, R. Distributed Random Process for a Large-Scale Peer-to-Peer Lottery. In Distributed Applications and Interoperable Systems; Chen, L.Y., Reiser, H.P., Eds.; Springer: Berlin/Heidelberg, Germany, 2017; pp. 34–48.
- Naor, M.; Reingold, O. Number-theoretic constructions of efficient pseudo-random functions. J. ACM (JACM) **2004**, 51, 231–262.
- Lynn, B. On the Implementation of Pairing-Based Cryptosystems. Ph.D. Thesis, Stanford University, Stanford, CA, USA, 2007.
- Pietrzak, K. Simple Verifiable Delay Functions. In Leibniz International Proceedings in Informatics (LIPIcs); ITCS 2019; Blum, A., Ed.; Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik: Dagstuhl, Germany, 2018; Volume 124, pp. 60:1–60:15.
- Bernstein, D.J.; Duif, N.; Lange, T.; Schwabe, P.; Yang, B.Y. High-speed high-security signatures. J. Cryptogr. Eng. **2012**, 2, 77–89.

**Figure 1.** Time in milliseconds with respect to different numbers of fixed bits $\tau$ in the aggregate VRFs, considering the cases of $\ell =256$ and $\ell =1024$.

**Table 1.** The computation operations for the static aggregate VRF scheme with respect to bit-fixing sets.

| Scheme | Assumption | Input Length | Cost for Aggregating Function Value | Cost for Aggregating Proof | Cost on Verification for Aggregation |
|---|---|---|---|---|---|
| HW-VRF [13] | q-DDHE | ℓ | ${2}^{\ell -\tau}$ MUL on ${\mathbb{G}}_{T}$ | ${2}^{\ell -\tau}\cdot(\ell +1)$ MUL on $\mathbb{G}$ | ${2}^{\ell -\tau}\cdot(\ell +1)$ bilinear pairings |
| Our static Agg-VRFs for bit-fixing sets | q-DDHE | ℓ | ℓ MUL on ${\mathbb{Z}}_{p}$ & one EXP | $(2\ell +3)$ EXP | $(2\ell +3)$ bilinear pairings |

| | HW-VRFs [13] | | | Aggregate VRFs | | |
|---|---|---|---|---|---|---|
| Input Length (bits) | Verify (ms) | Blocks Num. | Total Verification (ms) | Fixed-Bit Size | Aggregate (ms) | Our AggVerify (ms) |
| 56 | 89 | 100 | 949 | 20 | 41 | 122 |
| 128 | 197 | 100 | 22371 | 20 | 196 | 298 |
| 256 | 472 | 100 | 52199 | 20 | 602 | 579 |
| 512 | 842 | 100 | 95233 | 20 | 1924 | 1212 |
| 1024 | 1556 | 100 | 164129 | 20 | 6881 | 2459 |

| Size | Frequency (GHz) | Time (ms) for AggVerify | Time (ms) for Verify of HW-VRFs [13] |
|---|---|---|---|
| 56 | $1.6$ | 122 | 89 |
| 56 | $2.1$ | 85 | 62 |
| 56 | $3.0$ | 70 | 51 |
| 128 | $1.6$ | 298 | 197 |
| 128 | $2.1$ | 208 | 138 |
| 128 | $3.0$ | 172 | 114 |
| 256 | $1.6$ | 579 | 472 |
| 256 | $2.1$ | 405 | 330 |
| 256 | $3.0$ | 335 | 274 |
| 512 | $1.6$ | 1212 | 842 |
| 512 | $2.1$ | 848 | 589 |
| 512 | $3.0$ | 702 | 488 |
| 1024 | $1.6$ | 2459 | 1556 |
| 1024 | $2.1$ | 1696 | 1089 |
| 1024 | $3.0$ | 1426 | 902 |

| Lottery Scheme | Winning Number Generation | Player Verification |
|---|---|---|
| Scheme in [7] | 96.12992 s | 4.384418 s |
| Our Scheme | 90.13322 s | 2.782610 s |


© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Liang, B.; Banegas, G.; Mitrokotsa, A. Statically Aggregate Verifiable Random Functions and Application to E-Lottery. *Cryptography* **2020**, *4*, 37.
https://doi.org/10.3390/cryptography4040037
