Do *silent setup* threshold VUFs exist (i.e., no DKGs)?
This would be nice for randomness beacons like @aptos Roll! 🎉
In this blog post, we try to tackle this question, with much help from @lera_banda, @josephbonneau, @rex1fernando, @bennypinkas, @danboneh and @TrishaCDatta 🙏
In the blog post, we describe a BLS-like construction for silent-setup threshold VUFs from *multilinear maps*.
So theoretical; not efficient.
In fact, *efficient* silent-setup threshold VUFs would imply *efficient* multiparty non-interactive key exchange (NIKE).
This was recently pointed out in a talk by @gvamsip in the 3rand workshop organized by @SUPRA_Labs.
But, AFAICT, only 1-out-of-n silent setup threshold VUFs would imply n-party NIKE.
As a result, maybe variants where the threshold must be *high* could actually be efficient? 🤔
In other words, there may be *efficient* n/2-out-of-n silent setup VUFs because they do not imply *efficient* n-party NIKE?
Food for thought! 🌮
alin.apt
@alinush407
I put the "crypto" in "cryptocurrency" | Founding Team & Head of Cryptography at @AptosLabs