An Anonymous Verifiable Random Function with Applications in Blockchain

Verifiable random function is a powerful function that provides a noninteractively public verifiable proof for its output. Recently, verifiable random function has found essential applications in designing secure consensus protocols in blockchain. How to construct secure and practical verifiable random functions has also attracted more and more attention. In this paper, we propose a practical anonymous verifiable random function. Security proofs show that the proposed anonymous verifiable random function achieves correctness, anonymity, uniqueness, and pseudorandomness. In addition, we show a concrete application of our proposed anonymous verifiable random function in blockchain to improve the consensus mechanism for Hyperledger fabric. Finally, we implement the proposed anonymous verifiable random function and evaluate its performance. Test results show that the proposed anonymous verifiable random function supports faster computing operations and has a smaller proof size.


Introduction
The notion of verifiable random function was proposed by Micali et al. [1] in 1999. In a verifiable random function, the verifier can verify the function value y generated by the prover using a random message m and secret key sk via the proof π and public key pk by the prover in a noninteractive and public way as shown in Figure 1. A common verifiable random function should satisfy the following security properties. First, the verifier that receives the function value y and the corresponding proof π generated by the prover is able to verify that y is computed correctly on input m. Second, there is a unique function value y corresponding to each public key pk and the verifiable random function input m. Finally, there is no efficient adversary that can distinguish a function value y from a random element.
Since verifiable random function was proposed, it has been widely used in practice such as lottery systems [2], Ecash [3,4], and many other situations [5]. It is also applied in the Domain Name Security Extension (DNSSEC) protocol [6] to prevent offline zone enumeration attacks. Besides these traditional usages, one of the most attractive recent applications is its use in blockchain to improve consensus mechanisms. Consensus mechanisms play an important role in blockchain because they are responsible for achieving data consistency among untrusted nodes. Applications utilizing verifiable random function include Algorand [7], Dfinity [8], and Ouroboros [9][10][11]. The main way verifiable random function is used in a consensus mechanism can be roughly summarized as follows. Take Algorand for example: each user has a public key pk and a secret key sk. The user computes the function value y through verifiable random function on a random input m. If y lies in the preset range, the user will be a committee member. However, this relationship can also be publicly verified by all users in Algorand through the verification algorithm of verifiable random function. Furthermore, in public blockchain, current Proof-of-Stake (PoS) protocols inherently disclose both the identity and the wealth of the stakeholders and thus seem incompatible with privacy-preserving cryptocurrencies [12], so it is necessary to provide a construction of a privacy-preserving PoS protocol, that is, one where the identity of the lottery winner is kept secret by the protocol to satisfy the anonymity requirement. This also motivates the introduction of anonymous verifiable random function.
Numerous efforts have been invested in the pursuit of diversifying and simplifying constructions and underlying assumptions of verifiable random functions [13][14][15][16][17][18][19][20][21]. Most of them are based on RSA assumption or other complex assumptions. As verifiable random function has been gradually applied in various scenarios recently, how to construct a more efficient verifiable random function that satisfies different security properties attracts more and more attention. Ganesh et al. [12] put forward the first verifiable random function that is anonymous, which can be seen as an independent interest. There are also many other constructed verifiable random functions based on various theoretical assumptions. They all achieve the basic properties of verifiable random function except for anonymity. Therefore, in this paper, we aim to construct a more efficient anonymous verifiable random function (AVRF) that is applicable for building secure consensus mechanisms.
In addition, Hyperledger fabric [22], one of the most popular consortium blockchains, has leveraged the benefits of both public and private blockchains. The consensus framework in Hyperledger fabric is different from that of public blockchain. In Hyperledger fabric, there are three types of nodes: endorsers, orderers, and validators. Endorsers endorse a transaction that is proposed by the transaction proposer; then, orderers block transactions and broadcast them. Validators validate transactions and update blocks on the chain. However, there is a drawback in Hyperledger fabric. Endorsing peers (endorsers) are quite essential in Hyperledger fabric as they are responsible for executing transaction proposals to ensure the transaction legality and they can directly process lots of sensitive transaction data, but these endorsing peers in a consortium blockchain such as Hyperledger fabric are predetermined and the endorser's identity is known to all participants. Thus, they are more likely to be attacked, for example by attacks on selected endorsers to block certain transactions, and it is necessary to construct an optimized consensus scheme with privacy properties such as randomness and anonymity for the permissioned blockchain Hyperledger fabric. More precisely, endorsers should be chosen randomly, and their identities should be anonymous to avoid possible attacks. Therefore, we also utilize our proposed anonymous verifiable random function to optimize the consensus mechanism in Hyperledger fabric and eliminate this drawback.
The main contributions of this paper are summarized as follows:
(i) We propose and construct an anonymous verifiable random function. The verifier can publicly verify the correctness of the function value that is the output of the prover. Meanwhile, the prover is anonymous to the verifier.
(ii) We show a concrete application of the proposed verifiable random function. We use our anonymous verifiable random function to improve the consensus mechanism of Hyperledger fabric. We also analyze the security and the performance of the optimized consensus mechanism.
(iii) We give theoretical analysis of the proposed anonymous verifiable random function. We also implement our anonymous verifiable random function, EC verifiable random function, Dodis verifiable random function, and the Ganesh et al. anonymous verifiable random function to evaluate their performance. Theoretical and experimental analysis results show that our anonymous verifiable random function has higher computation efficiency and a smaller proof size.

1.1. Organization.
We first introduce some related works in Section 2. We recall some necessary preliminaries in Section 3, and then, in Section 4, we give the concrete construction and detailed security proofs of our anonymous verifiable random function. In Section 5, we show an application of the proposed anonymous verifiable random function to improve consensus mechanism in blockchain. We then implement our anonymous verifiable random function and analyze its performance in Section 6. Conclusions are drawn in Section 7.

Related Works
The concept of verifiable random function was first put forth by Micali et al. [1]. Since then, verifiable random function based on elliptic curves [13] and pairing-based verifiable random function [13] have been gradually proposed. Dodis proposed a verifiable random function based on RSA [14]. In addition, some postquantum verifiable random functions [23,24] have also been proposed, but they do not have good performance in practice. Esgin et al. [25] put forward the first practical postquantum verifiable random function. It achieves significant increase in the communication size and was applied to Algorand. There are also many verifiable random functions [15,21,26] that have been constructed based on certain theoretical assumptions. Though these verifiable random functions all guarantee the security in pseudorandomness and uniqueness, they do not take the prover's privacy into consideration, and they cannot achieve anonymity. Ganesh et al. [12] constructed the first verifiable random function that is anonymous. In this anonymous

Recently, verifiable random function has been widely used for consensus construction because of its randomness and public verifiability. Micali et al. proposed Algorand [7], which combines the verifiable random function and Practical Byzantine Fault Tolerance (PBFT) to select proposer and verifier committees. It avoids targeted attacks at chosen participants and achieves a high efficiency. Dfinity [8] is similar to Algorand. It uses a Boneh-Lynn-Shacham (BLS) based verifiable random function to produce a random seed which acts as the source of randomness for leader selection and leader ranking. Praos [9] is an optimized version of Ouroboros [9]. Instead of using a secure multiparty implementation of a coin-flipping protocol to produce the randomness for the leader election process, Praos uses verifiable random function for randomly selecting a slot leader from the stakeholders. It also prevents the adversary from learning the slot leader's identity ahead of time. Ganesh et al. [12] take the privacy properties of PoS protocol into consideration. They show that it is possible to add privacy to PoS protocols and give a privacy-preserving version of a popular PoS protocol. Most of these usages of verifiable random function mainly focus on the public blockchain. Few studies pay attention to providing a privacy-preserving consensus scheme for the permissioned blockchain, where key nodes are predefined and are more likely to be attacked.

Preliminaries
In this section, we introduce the related hard problem and the complexity assumption, the detail of verifiable random function, and the anonymous random function. Notations used in the paper are summarized in Table 1.

3.1. Hard Problem and Complexity Assumption.
Let $G$ be a cyclic group of order $q$, where $q$ is a prime number and it is $\lambda$ bits. $g$ is a generator of group $G$. Given group elements $(\alpha = g^{a}, \beta = g^{b}, \gamma = g^{ab})$ as $a, b, c \in \mathbb{Z}_q^*$, the decisional Diffie-Hellman (DDH) problem is to distinguish between $(\alpha, \beta, \gamma)$ and $(\alpha, \beta, g^{c})$.
We say that the DDH assumption holds if there is no probabilistic polynomial-time (PPT) algorithm A that has advantage at least $\varepsilon$ in solving the DDH problem in $G$.

Verifiable Random Function.
Let verifiable random function be a tuple of algorithms (Gen, Prove, and Verify) that are defined as follows:
(1) $\mathrm{Gen}(1^{\lambda})$: the Gen algorithm takes a security parameter $\lambda$ as input. It generates public key pk and secret key sk. It outputs a key pair (pk, sk).
(2) $\mathrm{Prove}(m, sk)$: the Prove algorithm takes $m \in \{0,1\}^{in(\lambda)}$ and secret key sk as input. It generates a function value $y$ and a proof $\pi$, then it outputs $(y, \pi)$.
(3) $\mathrm{Verify}(pk, m, y, \pi)$: the Verify algorithm takes a public key pk, $m$, a function value $y$, and a proof $\pi$ as input. It outputs 1 or $\perp$.
The verifiable random function satisfies correctness, pseudorandomness, and uniqueness as defined in the following:
(i) Correctness. For all (pk, sk) generated from the Gen algorithm and all update public key $pk'$ generated by the KeyUpdate algorithm, and all $m \in \{0,1\}^{in(\lambda)}$, if $(y, \pi) \leftarrow \mathrm{Prove}(pk', m, sk)$, then $\mathrm{Verify}(pk', y, \pi) = 1$.
(ii) Pseudorandomness. For any pair of PPT $(A_1, A_2)$, the following probability is $\mathrm{negl}(\lambda)$:
Concretely, the definition means that no function value can be distinguished from random, even after seeing any other function values together with their corresponding proofs.
(iii) Uniqueness. No PPT adversary A can output values $(pk, m, y_1, y_2, \pi_1, \pi_2)$ such that $y_1 \neq y_2$ and $\mathrm{Verify}_{pk}(m, y_1, \pi_1) = \mathrm{Verify}_{pk}(m, y_2, \pi_2) = 1$.

[Table 1: Notations. pk: public key; sk: secret key.]

Wireless Communications and Mobile Computing

3.3. Anonymous Verifiable Random Function.
We also briefly review the anonymous verifiable random function proposed in [12]. Let anonymous verifiable random function be a tuple of algorithms (Gen, Update, Prove, and Verify) as defined in the following:
(i) $\mathrm{Gen}(1^{\lambda})$: it takes a security parameter $\lambda$ as input. It generates public key pk and secret key sk. It outputs a key pair $(pk, sk)$.
(ii) $\mathrm{Update}(pk)$: it takes as input the public key pk and updates the public key pk. It outputs the updated public key $pk'$.
(iii) $\mathrm{Prove}(m, pk', sk)$: it takes as input $m \in \{0,1\}^{in(\lambda)}$, the updated public key $pk'$, and the secret key sk. It generates a function value $Y$ and a proof $\pi$; then, it outputs $(pk', Y, \pi)$.
(iv) $\mathrm{Verify}(pk', m, Y, \pi)$: it takes as input the updated public key $pk'$, $m$, a function value $Y$ and a proof $\pi$. It outputs 1 or $\perp$.
A function family $F(\cdot): \{0,1\}^{in(\lambda)} \to \{0,1\}^{out(\lambda)}$ is a family of anonymous verifiable random functions, if there is a tuple of algorithms (Gen, Update, Prove, and Verify) that satisfies the following properties [12]:
(i) Correctness. For all $(pk, sk)$ generated from the Gen algorithm, all update public key $pk'$ generated by the Update algorithm, and all $m \in \{0,1\}^{in(\lambda)}$, if $(y, \pi) \leftarrow \mathrm{Prove}(pk', m, sk)$, then $\mathrm{Verify}(pk', y, \pi) = 1$.
(ii) Pseudorandomness. For any pair of PPT $(A_1, A_2)$, the following probability is $\mathrm{negl}(\lambda)$: $(pk, m) \leftarrow \mathrm{Gen}(1^{\lambda});$
The sets $Q_1$, $Q_2$ contain all the queries made to the Prove oracle. The random variable state stores information that $A_1$ can save and pass on to $A_2$.

Construction of Our Anonymous Verifiable Random Function
In this section, we give the concrete construction of the proposed anonymous verifiable random function. The proposed anonymous verifiable random function contains a tuple of algorithms (Gen, Update, Prove, and Verify) as the following shows:
(1) $\mathrm{Gen}(1^{\lambda})$: the Gen algorithm takes as input the security parameter $\lambda$. This algorithm randomly chooses $a, b \in \mathbb{Z}_q^*$; then, it computes $h_1 = g^{a}$ and $h_2 = g^{b}$. Thus, the public key is $pk = (g, h_1, h_2)$ and the secret key is $sk = (a, b)$. The Gen algorithm returns public key pk and secret key sk, where the secret key sk is kept secretly.
(2) $\mathrm{Update}(pk)$: the Update algorithm takes as input the public key pk. This algorithm randomly chooses $r \in \mathbb{Z}_q^*$; then, it computes $g' = g^{r}$, $h'_1 = h_1^{r}$, and $h'_2 = h_2^{r}$. Therefore, the updated public key is set as $pk' = (g', h'_1, h'_2)$. The Update algorithm returns the updated public key $pk'$.
(3) $\mathrm{Prove}(pk', m, sk)$: the Prove algorithm takes as input the updated public key $pk'$, a random input $m$, and secret key sk. This algorithm generates the function value $y$ and the corresponding proof $\pi$ as the following shows:
(i) It calculates $\sigma = H_0({h'_1}^{b}, m)$ and $s = b + \sigma/a$. So the function value can be computed as $y = H_1(s \oplus m)$.
(ii) It sets the proof $\pi$ as $\pi = (\sigma, s)$, and the function value is $y$. It returns the updated public key, the function value, and the proof $(pk', y, \pi)$.
(4) $\mathrm{Verify}(pk', m, y, \pi)$: the Verify algorithm takes as input the updated public key $pk'$, a random input $m$, function value $y$, and the proof $\pi = (\sigma, s)$. It computes $w = {h'_1}^{s} \cdot {g'}^{-\sigma}$; then, it determines whether equation (6) and equation (7) hold:

If equation (6) and equation (7) both hold, the Verify algorithm outputs 1. Otherwise, the Verify algorithm outputs ⊥.
We then prove the proposed anonymous verifiable random function satisfies correctness, anonymity, uniqueness, and pseudorandomness.
(i) Correctness. The correctness of the proposed anonymous verifiable random function represents that it can generate a function value $y$ on any random input $m$ with secret key through the Prove algorithm and also compute a proof $\pi$ that $y$ was computed correctly.
For all public key and secret key $(pk, sk)$ generated by the Gen algorithm, all updated public key $pk'$ generated from the Update algorithm, all $m \in \{0,1\}^{in(\lambda)}$, proof $\pi$, and function value $y$ generated by the Prove algorithm, we have
Therefore, the function value $y$ can be determined by secret key sk and $m$ and can be verified by proof $\pi$ and public key pk. The proposed anonymous verifiable random function satisfies correctness.
(ii) Anonymity. The anonymity of the proposed verifiable random function means that the verification does not reveal the public key. We adopt the idea about anonymity from the original anonymous verifiable random function that there are lots of public keys under the same secret key, and two different evaluations under the same secret key cannot be linked to a public key.
We prove that the proposed anonymous verifiable random function is anonymous as the following shows.
Theorem 1. If the DDH assumption holds in group $G$, the proposed anonymous verifiable random function satisfies anonymity.
Proof of Theorem 1. Let A be the adversary that wins the anonymity game. We can build an algorithm B to break the DDH assumption. B receives $(g, g_1 = g^{a}, g_2 = g^{b}, g_3 = g^{c})$ and determines whether it is a DDH tuple or not. The algorithm B performs as the following shows:
(i) The algorithm B randomly selects $r \in \mathbb{Z}_q^*$, $\alpha \in \{0,1\}$. It computes the public key $pk_\alpha$ as $pk_\alpha = (g^{r}, g_1 = g^{ar}, g^{dr})$; then, it honestly executes the Gen algorithm to generate $pk_{1-\alpha}$. The algorithm B returns $pk_0$ and $pk_1$ to the adversary A.
(ii) Once receiving the random input $m$, the algorithm B computes the updated public key as $pk' = (g_2^{r} = g^{br}, g_3^{r} = g^{cr}, g^{dbr})$. It sets $w = g^{ad}$; then, it computes $\sigma = H_0(w, m)$, $s = d + \sigma/a$ and the function value $y = H_1(s \oplus m)$. It sets the proof $\pi$ as $\pi = (\sigma, s)$. The algorithm B returns $(pk', y, \pi)$ to the adversary A.
(iii) Let $\eta$ be the output of the adversary A. If $\eta = \alpha$, the algorithm B outputs "DDH tuple," otherwise the algorithm B outputs "not a DDH tuple."
Supposing the adversary A wins the anonymity game, then the probability $\eta = \eta'$ that we defined in the anonymity experiment is $\Pr[\eta = \eta'] \geq 1/2 + (Adv_A/2)$. So we get
If the adversary B receives a non-DDH tuple, then the view of the adversary B is independent of $\eta$ for the reason that $pk' = (g^{br}, g^{abr}) = (g^{br}, (g^{br})^{a})$. Thus, $pk'$ is a correctly updated public key of $pk_\eta$. The probability of B outputs 1 is the same as the probability that the adversary A wins the anonymity game we defined. Therefore, we have
Then, if the algorithm B receives a non-DDH tuple, then the view of the adversary A is independent of $\eta$ because $pk' = (g^{br}, g^{cr})$ is independent of both $pk_0$ and $pk_1$. So the algorithm B cannot guess $\alpha$ with probability more than 1/2, so we have $\Pr[B \text{ outputs } 1 \mid \text{non-DDH}] = 1/2$. Thus, we have
Therefore, the proposed anonymous verifiable random function satisfies anonymity as the DDH assumption holds.
(ii) Pseudorandomness. We prove the pseudorandomness of the proposed anonymous verifiable random function as the following shows.
Theorem 2. If the DDH assumption holds in group $G$, the proposed anonymous verifiable random function satisfies pseudorandomness.
Proof of Theorem 2. Let $G$ be a group and $g$ is the generator of $G$. Suppose that there is an adversary A that can break the pseudorandomness experiment we defined; then, we build a series of games as the following shows. Let $W_0$ be the probability that the adversary A wins Game 0. Let $Adv_A$ be the advantage of the adversary A in the pseudorandomness experiment.
Game 0. This is the original pseudorandomness game we defined. The challenger C and the adversary A interact as the following shows:
(i) The challenger C computes public key and secret key $(pk, sk) \leftarrow \mathrm{Gen}(1^{\lambda})$. It sends the generated public key pk to the adversary A.
(ii) The adversary A queries the oracle $O_{\mathrm{Prove}}$. The challenger C answers these queries.
(iii) Once the challenger C receives the message $m^*$ that is sent by the adversary A, the challenger C computes $(y_0, \pi_0) \leftarrow \mathrm{Prove}(pk, m^*, sk)$ and randomly chooses $y_1 \in \{0,1\}^{out(\lambda)}$. It randomly chooses $\eta \in \{0,1\}$ and returns $y_\eta$ to the adversary A.
(iv) The adversary A outputs $\eta'$ which is the guess of $\eta$, and the adversary A wins the game if $\eta = \eta'$.
So we get $Adv_A = |\Pr[W_0] - 1/2|$.

Game 1. Game 1 is the same as Game 0 except that we make a change. We compute ${g'}^{\gamma\theta}$ for randomly chosen $\gamma, \theta \in \mathbb{Z}_q^*$ instead of computing ${h'_1}^{b}$. Let $W_1$ be the event that $\eta = \eta'$ in Game 1. The challenger C and the adversary A interact as the following shows:
(i) The challenger C computes public key and secret key $(pk, sk) \leftarrow \mathrm{Gen}(1^{\lambda})$. It sends the generated pk to the adversary A.
(ii) The adversary A queries the oracle $O_{\mathrm{Prove}}$. The challenger C answers these queries.
(iii) Once the challenger C receives the message $m^*$ that is sent by the adversary A, it randomly chooses $\gamma, \theta \in \mathbb{Z}_q^*$ and computes $w = {g'}^{\gamma\theta}$. The challenger C computes $\sigma = H_0(w, m)$, $s = \gamma + \sigma/\theta$ and the function value $y_0 = H_1(s \oplus m)$. It sets $\pi = (\sigma, s)$; then, it obtains $(y_0, \pi)$. The challenger C randomly chooses $y_1 \in \{0,1\}^{out(\lambda)}$. It randomly chooses $\eta \in \{0,1\}$ and returns $y_\eta$ to the adversary A.
(iv) The adversary A outputs $b'$, and it wins the game if $\eta = \eta'$. Since the adversary A's output of $b'$ is independent of $b$, we have $\Pr[W_1] = 1/2$.

Lemma 3. We prove that $|\Pr[W_0] - \Pr[W_1]| = \varepsilon$, where $\varepsilon$ is the advantage of some efficient algorithms to break the DDH assumption. It is negligible.
Proof of Lemma 3. In Game 0, we have the tuple $(g', {g'}^{a}, g$
The adversary A cannot recognize the difference under the DDH assumption. We define a distinguishing algorithm D. If the input to D is in the form of $(g', {g'}^{a}, {g'}^{b}, {g'}^{ab})$, the computation proceeds as in Game 0. So we have $\Pr[D(g', {g'}^{a}, {g'}^{b}, {g'}^{ab}) = 1 : a, b \in \mathbb{Z}_q^*] = \Pr[W_0]$. If the input to D is in the form of $(g', {g'}^{a}, {g'}^{b}, {g'}^{\gamma\theta})$, the computation proceeds as in Game 1. So we have $\Pr[D(g', {g'}^{a}, {g'}^{b}, {g'}^{\gamma\theta}) = 1 : a, b \in \mathbb{Z}_q^*] = \Pr[W_1]$.
So the advantage to break the DDH assumption $Adv_{DDH}$ is equal to $|\Pr[W_0] - \Pr[W_1]|$. As $Adv_{DDH}$ is negligible, $|\Pr[W_0] - \Pr[W_1]| = \varepsilon$, where $\varepsilon$ is negligible.

Application of the Proposed AVRF in Blockchain
In this section, we show a specific application of the proposed anonymous verifiable random function in blockchain.
As the key nodes in consortium blockchain such as endorsing peers in Hyperledger fabric are predetermined and fixed, they are more likely to be attacked. Therefore, we use the proposed anonymous verifiable random function to improve the consensus mechanism for Hyperledger fabric by randomly choosing endorsing peers instead of presetting them. The improved consensus scheme is aimed at making the identity of endorsing peers random. It also provides identity privacy preservation of endorsing peers and reduces the risk of attacks on endorsing peers.

Hyperledger Fabric Consensus Mechanism Optimization Based on the Proposed AVRF.
The consensus mechanism in Hyperledger fabric [22] takes the form of a more flexible trust model called "endorse-order-validate", which is different from the consensus mechanism in public blockchain [27][28][29]. As we can see in Figure 2, in Hyperledger fabric, there are three types of nodes: endorsers, orderers, and validators. Firstly, in the endorsement phase, endorsers are predetermined and fixed. Endorsers execute transactions and record these results. Secondly, in the ordering step, it uses a pluggable consensus protocol to produce a totally ordered sequence of endorsed transactions grouped in blocks. These endorsed transactions are broadcast to all peers via the gossip protocol. Next, in the validation step, validators validate the state changes from endorsed transactions with respect to the endorsement policy. In Hyperledger fabric, endorsing peers (endorsers) are quite essential as they are responsible for executing transaction proposals to ensure the transaction legality, and they can directly process lots of sensitive transaction data. However, as endorsers' identities are public and fixed, they are more likely to be attacked. Besides, the number of endorsers is generally small compared to the number of other peers. It is even in single digits in some systems. This creates many-to-one relationships between clients and endorsers, so it is difficult for endorsers to process transactions in a timely manner, which increases the transaction processing time.
In accordance with the above problems, we construct a noninteractive, verifiable, and optimized consensus scheme for randomly selecting endorsers based on the proposed anonymous verifiable random function. We use the candidate set of endorsing peers and randomly select endorsing peers in the candidate set through our anonymous verifiable random function. The usage of anonymous verifiable random function achieves the identity privacy of endorsers before endorsement, and this randomly expands the number of endorsing peers.
As we can see in Figure 3, the optimized consensus scheme based on our anonymous verifiable random function is defined as follows:
(1) The client generates the proposal proposal = <req, m, clientsig>. req is the transaction data which includes chaincode and its parameters. $m$ is the random input that satisfies $m \in \{0,1\}^{in(\lambda)}$. The client signs these data and generates clientsig. It sends the proposal to the candidate set of endorsing peers; then, the client starts a timer.
(2) The candidate endorsing peer verifies the signature clientsig to check the integrity. If the verification fails, it aborts. Otherwise, the candidate endorsing peer performs as follows:
(i) The candidate endorsing peer executes the anonymous verifiable random function Update algorithm to generate the update public key $pk'$. It executes $\mathrm{Prove}(pk', m, sk)$ to get the function value $y$ and proof $\pi$.
(ii) The candidate endorsing peer checks whether $H(y)/2^{hlen} > \eta$ holds. $\eta$ is the predetermined threshold. $H$ is a hash function and $hlen$ is the length of $H(y)$. If it holds, it means that the candidate endorsing peer is an endorser. It goes to the next step. Otherwise, it aborts.
(iii) If a candidate endorsing peer has confirmed that it is an endorser, it executes the proposal to generate the read and write set rw_set and the endorsing result ed; then, it computes the signature of $(rw\_set, ed, (pk', y, \pi))$ as epsig, while $sig_{sk} = ra$ and $sig_{pk} = h'_1 = g^{ra}$. Therefore, the proposal response message is res_pro = <rw_set, ed, $(pk', y, \pi)$, epsig>. It sends the proposal response message res_pro to the client.
(3) The client continuously receives proposal response messages res_pro from different endorsers before the timer runs out. It performs as the following shows:
(i) The client verifies the signature epsig for checking the integrity. If the verification fails, it aborts. Otherwise, it executes $\mathrm{Verify}(pk', y, \pi)$ to verify the function value $y$.
(ii) The client computes $H(y)/2^{hlen}$ and checks whether $H(y)/2^{hlen} > \eta$ holds. If it holds, the proposal response message is from a logical endorser. The client sends these transactions to orderers.

On one hand, if an adversary replaces $(pk', y, \pi)$ without the secret key, some malicious endorsing peers without endorser qualifications may become logical endorsers. This will influence transaction endorsing results. However, when the client receives the replaced response message, it first verifies the signature epsig, then it verifies the function value $y$. Because the signature satisfies unforgeability and the anonymous verifiable random function satisfies uniqueness, the replaced response message will not pass these verifications, and the malicious endorsing peer without endorser qualification will not become the logical endorser to influence transaction endorsing results. On the other hand, our anonymous verifiable random function can also be extended to provide some level of unpredictability under malicious key generation. In order to achieve this goal, in the Prove algorithm, it adds a computation $v = H_2(y, m)$, where $H_2$ is a hash function. Also, let $\pi = (\sigma, s, y)$. It outputs $(\pi, v)$. In the Verify algorithm, it adds a verification to check whether $v = H_2(y, m)$ holds. In this case, our extended anonymous verifiable random function can provide unpredictability under malicious key generation. It means that an adversary that can maliciously choose the verifiable random keys cannot skew the output distribution, as long as the adversary has no information on the random input $m$ when choosing its verifiable random function keys. We adopt the idea about unpredictability under malicious key generation from [9] and [25], which give a detailed explanation and proof.

Figure 2: The consensus mechanism of Hyperledger fabric.
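The Gen/Update/Prove/Verify construction from the earlier section and the threshold selection rule above, combined in one added example; this is not the authors' Charm-based implementation. Assumptions: a tiny constructed multiplicative group instead of an elliptic curve, SHA-256 for $H_0$, $H_1$ and $H$, an integer encoding for $s \oplus m$, and the two Verify checks $\sigma = H_0(w, m)$ and $y = H_1(s \oplus m)$ standing in for equations (6) and (7), which are not reproduced on this page. The signatures clientsig and epsig are left out.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use: P = 2*Q + 1 is a safe
# prime and G = 4 generates the order-Q subgroup of Z_P^*.
P, Q, G = 2879, 1439, 4
HLEN = 256  # bit length of H(y); H is SHA-256 here (assumption)


def _h(tag, *parts):
    """Domain-separated SHA-256 over length-prefixed byte strings."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def hash0(w, m):
    """H_0: (group element w, input m) -> Z_Q."""
    w_bytes = w.to_bytes((P.bit_length() + 7) // 8, "big")
    return int.from_bytes(_h(b"H0", w_bytes, m), "big") % Q


def hash1(s, m):
    """H_1(s XOR m), reading m as a big-endian integer (assumed encoding)."""
    x = s ^ int.from_bytes(m, "big")
    return _h(b"H1", x.to_bytes((x.bit_length() + 7) // 8 or 1, "big"))


def in_group(x):
    """True if x is a non-identity element of the order-Q subgroup."""
    return 1 < x < P and pow(x, Q, P) == 1


def gen(a=None, b=None):
    """Gen: sk = (a, b), pk = (g, h1 = g^a, h2 = g^b)."""
    a = a or secrets.randbelow(Q - 1) + 1
    b = b or secrets.randbelow(Q - 1) + 1
    return (G, pow(G, a, P), pow(G, b, P)), (a, b)


def update(pk, r=None):
    """Update: raise every component of pk to a fresh r in Z_Q^*."""
    r = r or secrets.randbelow(Q - 1) + 1
    return tuple(pow(x, r, P) for x in pk)


def prove(pk_upd, m, sk):
    """Prove: sigma = H_0(h1'^b, m), s = b + sigma/a mod Q, y = H_1(s XOR m)."""
    a, b = sk
    sigma = hash0(pow(pk_upd[1], b, P), m)  # sigma, s and y are tied to this pk'
    s = (b + sigma * pow(a, -1, Q)) % Q
    return pk_upd, hash1(s, m), (sigma, s)


def verify(pk_upd, m, y, proof):
    """Verify: recompute w = h1'^s * g'^(-sigma), then run the two assumed checks."""
    sigma, s = proof
    if len(pk_upd) != 3 or not all(in_group(x) for x in pk_upd):
        return False  # reject keys outside the prime-order subgroup
    if not (0 <= sigma < Q and 0 <= s < Q):
        return False  # reject non-canonical proof scalars
    g_upd, h1_upd, _ = pk_upd
    w = pow(h1_upd, s, P) * pow(g_upd, (Q - sigma) % Q, P) % P
    return sigma == hash0(w, m) and y == hash1(s, m)


def is_endorser(y, eta):
    """Selection rule from the page: H(y) / 2^hlen > eta."""
    return int.from_bytes(_h(b"H", y), "big") / 2**HLEN > eta


def client_accepts(pk_upd, m, y, proof, eta):
    """Client side: the proof must verify and y must clear the threshold."""
    return verify(pk_upd, m, y, proof) and is_endorser(y, eta)


if __name__ == "__main__":
    m = b"proposal-0001"  # constructed random input carried in the proposal
    for peer in range(8):
        pk, sk = gen()
        pk_upd, y, proof = prove(update(pk), m, sk)
        print(peer, pk_upd, client_accepts(pk_upd, m, y, proof, eta=0.5))
```

The client never sees the long-term pk: it checks the proof against pk′ only, and the group-membership and range checks in `verify` reject malformed keys and proof scalars before any hashing.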
endorsing peers via the proposed anonymous verifiable random function instead of predetermined. Whether a candidate endorsing peer is an endorser or not is determined by the function value $y$, which is the random output of the anonymous verifiable random function's Prove algorithm.
Only if the function value $y$ satisfies $H(y)/2^{hlen} > \eta$ is a candidate endorsing peer chosen as an endorser. As we can see from the definition of anonymous verifiable random function, $y$ satisfies randomness, so the selection of endorsers is random. This reduces the centralization of endorsing peers.
At the same time, in the original consensus scheme, clients continue to process the transaction only after they have compared all endorsing results that were sent from endorsers and the results are all the same. So, the adversary can easily control endorsing results to destroy the correctness of transaction results if it has successfully attacked only one endorser to make endorsing results inconsistent, so that the client aborts the transaction. Furthermore, if the decision strategy is modified, the endorsing results are valid only if more than half of the results are consistent. In this case, the adversary can control the endorsing result to destroy the correctness of transaction results if more than half of the endorsing peers are malicious. On the contrary, in our optimized consensus scheme, clients do not have to compare endorsing results from all predetermined endorsing peers. Endorsers are chosen randomly and dynamically; this will reduce the probability of the adversary's influence on the transaction.
(2) Anonymity. In our optimized consensus scheme, endorser's identity is verifiable and anonymous to the client. As the proposed anonymous verifiable random function satisfies correctness, the endorsing peer's identity can be verified. Furthermore, observers cannot obtain the result about which candidate endorsing peers have been chosen if secret keys are not leaked. Moreover, the client can use the endorsing peer's update public keys to verify the identity validity of the endorsing peer, so the client cannot recognize the identity of endorsing peers for the reason that the proposed anonymous verifiable random function satisfies anonymity. Concretely, verification using update public keys will not reveal endorsing peers' public keys. The anonymity of our optimized consensus scheme provides privacy preservation of endorsing peers and reduces their risk of being attacked.

Performance Analysis of the Optimized Consensus Scheme.
On one hand, for the same $m$, different secret key sk will generate different function value $y$ by the Prove algorithm of the proposed anonymous verifiable random function. Therefore, different candidate endorsing peers will generate different function values $y$ in the same transaction. Some of the candidate endorsing peers will become endorsers for this transaction, while the rest of the endorsing peers in the candidate set will become other transactions' endorsers. The randomness of function value $y$ ensures that the transaction is uniformly distributed to candidate endorsing peers. This reduces the workload of each endorsing peer and improves concurrent processing of transactions.
On the other hand, the transaction delay is the time it takes to initiate a proposal and to endorse, validate, order, and commit transactions to the ledger. In our optimized consensus scheme, the transaction flow is the same as in the original consensus scheme except for the endorsing step, so the main factors that increase the transaction processing time are the extra endorser selection process and the verification of the endorser's identity. According to Table 2, the prove time and the verify time of the proposed anonymous verifiable random function are both on the order of milliseconds, which is negligible compared with the whole transaction processing time. Thus, the impact of the proposed anonymous verifiable random function on the transaction delay is negligible, and there is not much difference in transaction delay between our optimized consensus scheme and the original consensus scheme.
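The following simulation is an added illustration, not the authors' implementation. It models the two claims made above: that the function value y spreads transactions evenly over candidate endorsing peers, and that random, dynamic selection limits how often a compromised peer takes part in endorsement. HMAC-SHA256 stands in for the Prove algorithm (it gives no proof π and no anonymity), and the threshold rule, the 25% selection fraction, the peer names, keys, and transaction identifiers are all assumptions constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

def function_value(sk: bytes, m: bytes) -> int:
    """Stand-in for y: HMAC-SHA256(sk, m) read as a 256-bit integer.
    Assumption: a keyed PRF models the distribution of y only; it yields
    no publicly verifiable proof and no anonymity."""
    return int.from_bytes(hmac.new(sk, m, hashlib.sha256).digest(), "big")

def select_endorsers(keys: dict, m: bytes, fraction: float) -> list:
    """Assumed rule: a candidate endorses m when y < fraction * 2^256."""
    threshold = int(fraction * (1 << 256))
    return [p for p, sk in keys.items() if function_value(sk, m) < threshold]

def simulate(n_peers=20, n_tx=5000, fraction=0.25, compromised=("peer0",)):
    """Return (endorsements per peer, share of transactions in which at
    least one compromised peer was selected)."""
    # Constructed keys and transaction ids, for illustration only.
    keys = {f"peer{i}": hashlib.sha256(f"constructed-key-{i}".encode()).digest()
            for i in range(n_peers)}
    load = Counter({p: 0 for p in keys})
    exposed = 0
    for t in range(n_tx):
        chosen = select_endorsers(keys, f"constructed-tx-{t}".encode(), fraction)
        load.update(chosen)
        exposed += any(p in compromised for p in chosen)
    return load, exposed / n_tx

if __name__ == "__main__":
    load, exposed = simulate()
    print("endorsements per peer: min", min(load.values()),
          "max", max(load.values()))
    print("share of transactions reaching the compromised peer:", exposed)
```

Under a fixed endorser set that contains the compromised peer, the exposed share would be 1.0; with selection by function value it stays close to the selection fraction, and every peer carries a similar load.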

Implementation and Evaluation
In this section, to better evaluate the performance of our proposed anonymous verifiable random function, we give a reference implementation in Python of our anonymous verifiable random function as well as of the anonymous verifiable random function proposed in [12]. For convenience, we call the latter the Ganesh et al. anonymous verifiable random function. We also implement two other representative verifiable random functions: the Dodis verifiable random function [13], which is used in Algorand, and the EC verifiable random function [6], which has been widely used in many scenarios such as DNSSEC. We use the Charm [30] library to implement the elliptic curve group operations. We measure the prove time and the verify time of these verifiable random functions. Our tests are performed on a Linux desktop with an 8-core Intel Core i7-8550U 2.00 GHz processor and 8 GB of RAM, and we average the performance over 50 runs. In Table 2, we give the efficiency analysis by comparing our proposed anonymous verifiable random function, the Ganesh et al. anonymous verifiable random function, and the Dodis verifiable random function in terms of time complexity, computation overhead, and the size of the proof π. We denote E as exponentiation operation in group G, H as hash function, E as multiplication operation in group G_T, P as pairing operation, M as multiplication operation in group G, |G| as the size of elements in group G, and |ℤ_q| as the size of elements in ℤ_q. As we can see from Table 2, the verify times of the Dodis verifiable random function, the Ganesh et al. anonymous verifiable random function, and our proposed anonymous verifiable random function are, respectively, 3.3 ms, 1.2 ms, and 0.9 ms at the 80-bit security level. Our anonymous verifiable random function thus has the best performance in terms of the verify time and the proof size.
In Figure 4, we compare the prove time of our anonymous verifiable random function, the Ganesh et al. anonymous verifiable random function, and the EC verifiable random function. As the security level is set to 80 bits, 96 bits, 112 bits, 128 bits, and 192 bits, respectively, the prove time of the Ganesh et al. anonymous verifiable random function grows from 1.6 ms to 7.0 ms, while that of our proposed anonymous verifiable random function increases from 0.9 ms to 4.0 ms. Our anonymous verifiable random function therefore has lower prove computation overhead than the Ganesh et al. anonymous verifiable random function. However, the prove computation overhead of our proposed anonymous verifiable random function is a little higher than that of the EC verifiable random function, because our proposed verifiable random function uses extra exponentiation operations to achieve anonymity, while the EC verifiable random function is not anonymous.
In Figure 5, we compare the verify time of our anonymous verifiable random function, the Ganesh et al. anonymous verifiable random function, and the EC verifiable random function. When the security level is set to 80 bits, 96 bits, 112 bits, 128 bits, and 192 bits, respectively, the verify time of the Ganesh et al. anonymous verifiable random function grows from 1.2 ms to 5.4 ms and that of the EC verifiable random function grows from 0.7 ms to 2.9 ms. For our verifiable random function, it increases from 0.5 ms to 2.1 ms. Our anonymous verifiable random function also has the lowest verify computation overhead among these three verifiable random functions. Therefore, according to the above analytical measurements and experimental evaluation, the proposed anonymous verifiable random function is efficient, as it has shorter prove and verify times as well as a smaller proof size.

Conclusions
In this paper, we construct an efficient anonymous verifiable random function that can be used in blockchain to build secure consensus protocols. Specifically, our proposed verifiable random function is anonymous, meaning that verification does not reveal the public key of the prover. We also analyze and prove its security properties. Furthermore, we give a concrete use of our proposed anonymous verifiable random function to optimize the consensus mechanism of Hyperledger Fabric. In addition, we implement and evaluate the proposed anonymous verifiable random function and three other representative verifiable random functions. Experimental results show that the proposed anonymous verifiable random function has lower computation overhead and a smaller proof size compared with other representative verifiable random functions. The proposed anonymous verifiable random function can also be applied to other permissioned blockchains, as their transactions are processed by certain key nodes. However, achieving a practical postquantum anonymous verifiable random function remains future work.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that there are no conflicts of interest.