Eliminate MonadRandom from the VRF interface

[edsko]

I think the only remaining use of it is in SimpleVRF. It would be nice to keep that as a reference implementation, rather than delete it altogether. Relevant discussion with @brunjlar :

Lars Brünjes  1:09 PM
Ah, if you look at line 172, you'll see that the output of the VRF does not use the random r. That is only used in the certificate. So basically, the output of the function is deterministic, but the certificate is not.
I think that's common practice with things like digital signatures, that the signature to a given document is indeterminate.
1:09
I guess the certificate is indeterminate for similar reasons.
1:14
This might shed some light: https://crypto.stackexchange.com/questions/66190/why-random-secret-necessary-almost-in-all-digital-signature-algorithms
Seems using randomness is quite crucial.

Edsko de Vries  1:14 PM
I see. but we don't expect SimpleVRF to be used anywhere except in tests right?

Lars Brünjes  1:15 PM
I guess, but I still tried to implement a proper VRF as faithfully as I could.

Edsko de Vries  1:15 PM
yeah, ok. The problem is that MonadRandom should go.
1:16
though I'm now wondering why the real VRF doesn't run into that problem, maybe it doesn't need that randomness

Lars Brünjes  1:16 PM
In above link, the person answering explains it - randomness is not necessary if you have something else in place - so I hope our real-world implementations do. (edited) 
1:17
You'll just have to come up with something for tests then that doesn't need randomness.

Edsko de Vries  1:18 PM
no, MonadRandom should go from the class
1:18
so no implementation canuse it at all

Lars Brünjes  1:18 PM
Yes, I got that.
1:18
That's why I said you need something for tests that doesn't use randomness.

Edsko de Vries  1:18 PM
sorry, I don't quite follow?

Lars Brünjes  1:19 PM
You need to replace the randomness in things like SimpleVRF, that you use for tests, with something deterministic.
1:20
According to the link above, it's fine to be deterministic if it depends on the "document" and the "signing key". So instead of using randomness, you can probably use the hash of a combination of the inputs instead.
1:22
Except if you want to kick out SimpleVRFcompletely, which might also be fine, now that you have libsodium.

Edsko de Vries  1:23 PM
I'd like to keep it if I can

Lars Brünjes  1:24 PM
In that case, as I said, it should be fine to calculate the r as the hash of aand k.

Edsko de Vries  1:24 PM
ok great

Lars Brünjes  1:25 PM
Not sure what type r has - you probably need to convert it somehow from a hash.

[edsko]

@brunjlar adds: "If you want it as a reference implementation, maybe add a comment in the line where you calculate r and mention that this should be random?".