@csunivie Breeding Unicorns: Developing Trustworthy and Scalable Randomness Beacons Samvid Dharanikota, Michael Jensen, Sebastian Kristensen, Mathias Michno, Yvonne-Anne Pignolet, Rene Hansen, Stefan Schmid
Randomness: An Important Tool of Our (Digital) Society
• In algorithm design:
  • Faster algorithms through randomization
  • Symmetry breaking in distributed algorithms
  • Secure cryptographic protocols based on random seeds (e.g., elliptic curves)
  Can be solved by producing randomness locally myself (e.g., /dev/urandom, using quantum photonics, etc.)
• In entertainment:
  • Lotteries, games (Roulette)
  • Drafts in sports
• In politics:
  • Military drafts, assignment of kids to schools
• Blockchain: more soon
  Requires randomness that is trustworthy for everybody! Output of "shared randomness" is relevant to multiple stakeholders.
IEEE Blockchain, Atlanta, USA

Vision: Randomness Beacon
• Vision: service emitting unpredictable random values …
• Public: seen by "everybody"
• Introduced by Michael O. Rabin in 1983

When Are Randomness Beacons Useful?
• When a group of users need to agree on some random value but do not trust each other
• E.g.:
  • Lotteries
  • Secure elections
  • Prevent selfish mining
  • Blockchain/distributed systems' consensus mechanisms
  • Overcoming slow bootstrapping in zero-knowledge proofs
  • Rabin's example: providing security to e-mail based protocols with minimal trust

Available today?!
• E.g.: NIST's randomness beacon
• One new value per minute
Trustworthy?

Trustworthy?
How to do better? Design choices and tradeoffs!

Design Choice 1: Input Sources
• Private source: e.g., NIST beacon
  • Potentially high quality and high rate randomness
  • But denies user access to inspect generation process
  • Requires trust: not ok
• Publicly available data: financial data, bitcoin block hashes, lottery data, weather (?)
  • Nice idea, but: sufficiently random? Rate?
• User input: outsource to the users, i.e., locally generated randomness
  • Users responsible to provide input!
How random should it be? As random as they need!

Design Choice 2: Beacon Operator
• Autocratic collector: e.g. run by a third party
  • Computation is blackbox, no proof of honesty
• Specialized Multi-Party Computation (MPC): collectively produce randomness
  • … typically from their own inputs
  • Despite significant work in the field, this approach is difficult to scale
  • Addition or removal of a user requires a new setup phase
  • But might fit in a controlled private context
• Transparent authority model: single entity collects inputs and publishes them
  • Focus on transparency: users can observe and verify the beacon
Byzantine behavior possible, but difficult to hide!

Our Contributions
• A randomness beacon requiring minimal trust
  • Based on the transparent authority model which relies on user input
  • Beacon operator has no private information
• Allows users to
  • Join any time and at low overhead
  • Make subtle decisions on when to trust the output
• Practical:
  • Prototype demonstrates scalability of our approach
  • Beacon can be deployed on distributed ledger platforms

Our Approach in a Nutshell
• No private information: all inputs are hashed and released to the public in batches before the computation
• Uses commitments and a verifiable delay function to ensure that the operator cannot try more than one commitment before running out of time
• The beacon protocol also lets users verify:
  • inclusion of their input in the randomness generation (by committing to user inputs before starting the computation)
  • correct calculation of the random value from the provided inputs
• Several practical optimizations (e.g., for scalability)

A Deeper Dive
• To support "choosable" randomness: a user's input rate is not limited (except for DoS)
• To increase security:
  • Fast and transparent publishing: input, output, and any data needed for verification need to be published as soon as possible
  • "Deterministic": any party can compute the randomness alongside the beacon operator
  • Open: anyone can contribute to the beacon to influence random generation
• For scalability: different channels for input and output
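
One beacon round in the transparent authority model, with the two user-side checks from "Our Approach in a Nutshell" (inclusion, correct calculation) and the "deterministic" recomputation from "A Deeper Dive". This is an added example, not the authors' prototype. Assumptions: the batch commitment is SHA-256 over the sorted input hashes, the delay is iterated SHA-256 standing in for a real verifiable delay function, and all names, inputs and the step count are hypothetical.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def publish_batch(user_inputs):
    """Operator: hash every input and publish the hashes (sorted, so order is irrelevant)."""
    return sorted(H(x) for x in user_inputs)

def commit(batch):
    """Operator: commitment to the whole batch, published before the computation starts."""
    return H(b"".join(batch))

def delay(seed: bytes, steps: int) -> bytes:
    """Stand-in for a VDF: `steps` strictly sequential hashes.
    Unlike a real VDF, checking the result costs as much as computing it."""
    out = seed
    for _ in range(steps):
        out = H(out)
    return out

def beacon_round(user_inputs, steps):
    """Operator: everything in the returned record is public; nothing is kept private."""
    batch = publish_batch(user_inputs)
    c = commit(batch)
    return {"batch": batch, "commitment": c, "steps": steps, "output": delay(c, steps)}

def user_verify(my_input: bytes, record):
    """User: returns (my input was included, output was correctly calculated)."""
    included = H(my_input) in record["batch"]
    commitment_ok = commit(record["batch"]) == record["commitment"]
    output_ok = delay(record["commitment"], record["steps"]) == record["output"]
    return included, commitment_ok and output_ok

# Constructed sample inputs and delay parameter (not from the slides).
INPUTS = [b"alice-local-randomness", b"bob-local-randomness", b"carol-42"]
STEPS = 10_000

if __name__ == "__main__":
    rec = beacon_round(INPUTS, STEPS)
    print("beacon output:", rec["output"].hex())
    print("alice:", user_verify(b"alice-local-randomness", rec))
    print("never submitted:", user_verify(b"mallory-not-submitted", rec))
    # A batch altered after the commitment was published no longer matches it.
    altered = dict(rec, batch=publish_batch(INPUTS[:2] + [b"operator-pick"]))
    print("alice, altered batch:", user_verify(b"alice-local-randomness", altered))
```
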