the new nist reference for randomness beacons
play

The new NIST reference for Randomness Beacons Lu s Brand ao Joint - PowerPoint PPT Presentation

The new NIST reference for Randomness Beacons Lu s Brand ao Joint work with: John Kelsey, Ren e Peralta, Harold Booth National Institute of Standards and Technology (Gaithersburg MD, USA) 1 1 1 1 0 1 1 0 1 1 0 1 0 0 0


  1. 1. Introduction This talk is about the NISTIR 8213 (draft) “A Reference for Randomness Beacons: Format and Protocol Version 2” https://doi.org/10.6028/NIST.IR.8213-draft Some topics in the report: Draft NISTIR 8213 1 ◮ format for pulses 2 A Reference for Randomness Beacons 3 4 Format and Protocol Version 2 ◮ protocol for beacon operations 5 John Kelsey 6 Lu´ ıs T. A. N. Brand˜ ao Ren´ e Peralta 7 Harold Booth 8 ◮ using Beacon randomness 9 This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8213-draft 10 ◮ security considerations Public comments till August 05, 2019. 11 6/30

  2. 1. Introduction This talk is about the NISTIR 8213 (draft) “A Reference for Randomness Beacons: Format and Protocol Version 2” https://doi.org/10.6028/NIST.IR.8213-draft Some topics in the report: Draft NISTIR 8213 1 ◮ format for pulses 2 A Reference for Randomness Beacons 3 4 Format and Protocol Version 2 ◮ protocol for beacon operations 5 John Kelsey 6 Lu´ ıs T. A. N. Brand˜ ao Ren´ e Peralta 7 Harold Booth 8 ◮ using Beacon randomness 9 This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8213-draft 10 ◮ security considerations Public comments till August 05, 2019. 11 Two goals in this presentation: ◮ Provide an overview of the new reference ◮ Motivate engagement: NISTIR feedback, new beacons and apps 6/30

  3. 1. Introduction Components of the Beacon service, at a high level HSM Time Legend: RNG - App: software app lication #3 server - DB: d ata b ase RNG Sign - Fw: f ire w all - HSM: h ardware s ecurity m odule - RNG: r andom- n umber g enerator Fw Clock Beacon queries DB Pulse Web App (web RNG frontend) (users) replies external Beacon Engine entropy 7/30

  4. 1. Introduction Components of the Beacon service, at a high level HSM Time Legend: RNG - App: software app lication #3 server - DB: d ata b ase RNG Sign - Fw: f ire w all - HSM: h ardware s ecurity m odule - RNG: r andom- n umber g enerator Fw Clock Beacon queries DB Pulse Web App (web RNG frontend) (users) replies external Beacon Engine entropy But what exactly is a pulse , what is its randomness, ...? 7/30

  5. 2. Pulse format Outline 1. Introduction 2. Pulse format 3. Beacon Protocol 4. Using a Beacon 5. Brief security considerations 6. Conclusion 8/30

  6. 2. Pulse format A pulse (simplified example) uri:str="https://beacon.nist.gov/beacon/2.0/chain/1/pulse/220394" version:str="2.0" ... period:dec="60000" ... chainId:dec="1" pulseId:dec="220394" time:str="2018-12-26T16:07:00.000Z" randLocal:hex="5FF1E0C019C42C77FA72D522...(512 bits total)" ... out.Prev:hex="BA646CC4E7AE195D2C85E9D3...(512 bits total)" ... preCom:hex="269908B840E79BE71CEC4EBA...(512 bits total)" ... sig:hex="17943D886DA8C7C24B9244BE...(4096 bits total)" randOut:hex="0A8863E03E200F6940A009B0...(512 bits total)" 9/30

  7. 2. Pulse format A pulse (simplified example) uri:str="https://beacon.nist.gov/beacon/2.0/chain/1/pulse/220394" version:str="2.0" ... period:dec="60000" ... chainId:dec="1" pulseId:dec="220394" time:str="2018-12-26T16:07:00.000Z" randLocal:hex="5FF1E0C019C42C77FA72D522...(512 bits total)" ... out.Prev:hex="BA646CC4E7AE195D2C85E9D3...(512 bits total)" ... preCom:hex="269908B840E79BE71CEC4EBA...(512 bits total)" ... sig:hex="17943D886DA8C7C24B9244BE...(4096 bits total)" randOut:hex="0A8863E03E200F6940A009B0...(512 bits total)" ◮ Each pulse is indexed 9/30

  8. 2. Pulse format A pulse (simplified example) uri:str="https://beacon.nist.gov/beacon/2.0/chain/1/pulse/220394" version:str="2.0" ... period:dec="60000" ... chainId:dec="1" pulseId:dec="220394" time:str="2018-12-26T16:07:00.000Z" randLocal:hex="5FF1E0C019C42C77FA72D522...(512 bits total)" ... out.Prev:hex="BA646CC4E7AE195D2C85E9D3...(512 bits total)" ... preCom:hex="269908B840E79BE71CEC4EBA...(512 bits total)" ... sig:hex="17943D886DA8C7C24B9244BE...(4096 bits total)" randOut:hex="0A8863E03E200F6940A009B0...(512 bits total)" ◮ Each pulse is indexed 9/30

  9. 2. Pulse format A pulse (simplified example) uri:str="https://beacon.nist.gov/beacon/2.0/chain/1/pulse/220394" version:str="2.0" ... period:dec="60000" ... chainId:dec="1" pulseId:dec="220394" time:str="2018-12-26T16:07:00.000Z" randLocal:hex="5FF1E0C019C42C77FA72D522...(512 bits total)" ... out.Prev:hex="BA646CC4E7AE195D2C85E9D3...(512 bits total)" ... preCom:hex="269908B840E79BE71CEC4EBA...(512 bits total)" ... sig:hex="17943D886DA8C7C24B9244BE...(4096 bits total)" randOut:hex="0A8863E03E200F6940A009B0...(512 bits total)" ◮ Each pulse is indexed 9/30

  10. 2. Pulse format A pulse (simplified example) uri:str="https://beacon.nist.gov/beacon/2.0/chain/1/pulse/220394" version:str="2.0" ... period:dec="60000" ... chainId:dec="1" pulseId:dec="220394" time:str="2018-12-26T16:07:00.000Z" randLocal:hex="5FF1E0C019C42C77FA72D522...(512 bits total)" ... out.Prev:hex="BA646CC4E7AE195D2C85E9D3...(512 bits total)" ... preCom:hex="269908B840E79BE71CEC4EBA...(512 bits total)" ... sig:hex="17943D886DA8C7C24B9244BE...(4096 bits total)" randOut:hex="0A8863E03E200F6940A009B0...(512 bits total)" ◮ Each pulse is indexed ◮ Two main random values (“rands”): randLocal and randOut . 9/30

  11. 2. Pulse format A pulse (simplified example) uri:str="https://beacon.nist.gov/beacon/2.0/chain/1/pulse/220394" version:str="2.0" ... period:dec="60000" ... chainId:dec="1" pulseId:dec="220394" time:str="2018-12-26T16:07:00.000Z" randLocal:hex="5FF1E0C019C42C77FA72D522...(512 bits total)" ... out.Prev:hex="BA646CC4E7AE195D2C85E9D3...(512 bits total)" ... preCom:hex="269908B840E79BE71CEC4EBA...(512 bits total)" ... sig:hex="17943D886DA8C7C24B9244BE...(4096 bits total)" randOut:hex="0A8863E03E200F6940A009B0...(512 bits total)" ◮ Each pulse is indexed ◮ Two main random values (“rands”): randLocal and randOut . ◮ Other features: signature 9/30

  12. 2. Pulse format A pulse (simplified example) uri:str="https://beacon.nist.gov/beacon/2.0/chain/1/pulse/220394" version:str="2.0" ... period:dec="60000" ... chainId:dec="1" pulseId:dec="220394" time:str="2018-12-26T16:07:00.000Z" randLocal:hex="5FF1E0C019C42C77FA72D522...(512 bits total)" ... out.Prev:hex="BA646CC4E7AE195D2C85E9D3...(512 bits total)" ... preCom:hex="269908B840E79BE71CEC4EBA...(512 bits total)" ... sig:hex="17943D886DA8C7C24B9244BE...(4096 bits total)" randOut:hex="0A8863E03E200F6940A009B0...(512 bits total)" ◮ Each pulse is indexed ◮ Two main random values (“rands”): randLocal and randOut . ◮ Other features: signature, precommit randLocal 9/30

  13. 2. Pulse format A pulse (simplified example) uri:str="https://beacon.nist.gov/beacon/2.0/chain/1/pulse/220394" version:str="2.0" ... period:dec="60000" ... chainId:dec="1" pulseId:dec="220394" time:str="2018-12-26T16:07:00.000Z" randLocal:hex="5FF1E0C019C42C77FA72D522...(512 bits total)" ... out.Prev:hex="BA646CC4E7AE195D2C85E9D3...(512 bits total)" ... preCom:hex="269908B840E79BE71CEC4EBA...(512 bits total)" ... sig:hex="17943D886DA8C7C24B9244BE...(4096 bits total)" randOut:hex="0A8863E03E200F6940A009B0...(512 bits total)" ◮ Each pulse is indexed ◮ Two main random values (“rands”): randLocal and randOut . ◮ Other features: signature, precommit randLocal , chain randOut , ... 9/30

  14. 2. Pulse format The two “rands” in a pulse 10/30

  15. 2. Pulse format The two “rands” in a pulse randLocal (a.k.a. local random value): randOut (a.k.a. output value): 10/30

  16. 2. Pulse format The two “rands” in a pulse randLocal (a.k.a. local random value): ◮ Hash (SHA512) of randomness output by ≥ 2 RNGs ◮ Pre-committed 1 minute in advance of release ◮ Useful for combining beacons randOut (a.k.a. output value): 10/30

  17. 2. Pulse format The two “rands” in a pulse randLocal (a.k.a. local random value): ◮ Hash (SHA512) of randomness output by ≥ 2 RNGs ◮ Pre-committed 1 minute in advance of release ◮ Useful for combining beacons randOut (a.k.a. output value): ◮ Hash of all other fields ◮ Fresh at the time of release ◮ The actual randomness to be used by applications 10/30

  18. 2. Pulse format The two “rands” in a pulse Pulse i Pulse i+1 T i =2019-05-17T16:1 3 :00.000Z T i =2019-05-17T16:1 4 :00.000Z ... ... out.Prev: R i-1 =0110... out.Prev: R i = 1110... ... ... rand Local : r i = 1001... rand Local : r i+1 = 1101... preCom: C i = 0101... preCom: C i+1 = 0010... ... ... sig: S i = 1010... sig: S i+1 = 0111... rand Out : R i = 1110... rand Out : R i+1 = 1011... 11/30

  19. 2. Pulse format The two “rands” in a pulse randLocal : r i +1 = Hash ( ρ 1 , i || ρ 2 , i [ || ρ 3 , i ] ), with random ρ j , i from i th RNG Pulse i Pulse i+1 T i =2019-05-17T16:1 3 :00.000Z T i =2019-05-17T16:1 4 :00.000Z ... ... out.Prev: R i-1 =0110... out.Prev: R i = 1110... ... ... rand Local : r i = 1001... rand Local : r i+1 = 1101... preCom: C i = 0101... preCom: C i+1 = 0010... ... ... sig: S i = 1010... sig: S i+1 = 0111... rand Out : R i = 1110... rand Out : R i+1 = 1011... 11/30

  20. 2. Pulse format The two “rands” in a pulse randLocal : r i +1 = Hash( ρ 1 , i || ρ 2 , i [ || ρ 3 , i ]), with random ρ j , i from i th RNG preCom : C i = Hash( r i +1 ), released 1 min before r i +1 Pulse i Pulse i+1 T i =2019-05-17T16:1 3 :00.000Z T i =2019-05-17T16:1 4 :00.000Z ... ... out.Prev: R i-1 =0110... out.Prev: R i = 1110... ... ... rand Local : r i = 1001... rand Local : r i+1 = 1101... Hash preCom: C i = 0101... preCom: C i+1 = 0010... ... ... sig: S i = 1010... sig: S i+1 = 0111... rand Out : R i = 1110... rand Out : R i+1 = 1011... 11/30

  21. 2. Pulse format The two “rands” in a pulse randLocal : r i +1 = Hash( ρ 1 , i || ρ 2 , i [ || ρ 3 , i ]), with random ρ j , i from i th RNG preCom : C i = Hash( r i +1 ), released 1 min before r i +1 Pulse i Pulse i+1 T i =2019-05-17T16:1 3 :00.000Z T i =2019-05-17T16:1 4 :00.000Z ... ... out.Prev: R i-1 =0110... out.Prev: R i = 1110... ... ... M i M i rand Local : r i = 1001... rand Local : r i+1 = 1101... preCom: C i = 0101... preCom: C i+1 = 0010... ... ... Hash Hash sig: S i = 1010... sig: S i+1 = 0111... rand Out : R i = 1110... rand Out : R i+1 = 1011... randOut : R i = Hash ( M i ), with M i being the serialization of all previous fields 11/30

  22. 2. Pulse format The two “rands” in a pulse randLocal : r i +1 = Hash( ρ 1 , i || ρ 2 , i [ || ρ 3 , i ]), with random ρ j , i from i th RNG preCom : C i = Hash( r i +1 ), released 1 min before r i +1 Pulse i Pulse i+1 T i =2019-05-17T16:1 3 :00.000Z T i =2019-05-17T16:1 4 :00.000Z ... ... out.Prev: R i-1 =0110... out.Prev: R i = 1110... ... ... M i M i rand Local : r i = 1001... rand Local : r i+1 = 1101... preCom: C i = 0101... preCom: C i+1 = 0010... = ... ... Hash Hash sig: S i = 1010... sig: S i+1 = 0111... rand Out : R i = 1110... rand Out : R i+1 = 1011... randOut : R i = Hash ( M i ), with M i being the serialization of all previous fields out.Prev has the output value ( R i ) of the previous pulse 11/30

  23. 2. Pulse format The two “rands” in a pulse randLocal : r i +1 = Hash( ρ 1 , i || ρ 2 , i [ || ρ 3 , i ]), with random ρ j , i from i th RNG preCom : C i = Hash( r i +1 ), released 1 min before r i +1 Pulse i Pulse i+1 T i =2019-05-17T16:1 3 :00.000Z T i =2019-05-17T16:1 4 :00.000Z ... ... out.Prev: R i-1 =0110... out.Prev: R i = 1110... ... ... M i M i rand Local : r i = 1001... rand Local : r i+1 = 1101... Hash preCom: C i = 0101... preCom: C i+1 = 0010... = ... ... Hash Hash sig: S i = 1010... sig: S i+1 = 0111... rand Out : R i = 1110... rand Out : R i+1 = 1011... randOut : R i = Hash ( M i ), with M i being the serialization of all previous fields out.Prev has the output value ( R i ) of the previous pulse 11/30

  24. 3. Beacon Protocol Outline 1. Introduction 2. Pulse format 3. Beacon Protocol 4. Using a Beacon 5. Brief security considerations 6. Conclusion 12/30

  25. 3. Beacon Protocol Beacon proper operation ◮ Timing and entropy requirements ◮ Beacon interface: getting pulses and skiplists ◮ Others (not here): external values, status fields, ... 13/30

  26. 3. Beacon Protocol Timing requirements for generation and release π : intended pulsation period Time T i T i +1 14/30

  27. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) π : intended pulsation period δ δ Time release P i release T i T i +1 P i +1 14/30

  28. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) � ⇒ Unpredictability 2. Generate with entropy ( ≥ 2 RNGs) π : intended pulsation period δ δ Time release P i release T i T i +1 P i +1 14/30

  29. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) � ⇒ Unpredictability 2. Generate with entropy ( ≥ 2 RNGs) 3. Generate not too in advance (small ∆) π : intended pulsation period ∆ ∆ δ δ Time start start release P i release T i T i +1 gen. gen. P i +1 P i +1 P i 14/30

  30. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) � ⇒ Unpredictability 2. Generate with entropy ( ≥ 2 RNGs) 3. Generate not too in advance (small ∆) ⇒ Freshness π : intended pulsation period ∆ ∆ δ δ Time start start release P i release T i T i +1 gen. gen. P i +1 P i +1 P i 14/30

  31. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) � ⇒ Unpredictability 2. Generate with entropy ( ≥ 2 RNGs) 3. Generate not too in advance (small ∆) ⇒ Freshness 4. Release soon (small δ ) π : intended pulsation period ∆ ∆ δ δ Time start start release P i release T i T i +1 gen. gen. P i +1 P i +1 P i 14/30

  32. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) � ⇒ Unpredictability 2. Generate with entropy ( ≥ 2 RNGs) 3. Generate not too in advance (small ∆) ⇒ Freshness 4. Release soon (small δ ) ⇒ Timeliness π : intended pulsation period ∆ ∆ δ δ Time start start release P i release T i T i +1 gen. gen. P i +1 P i +1 P i 14/30

  33. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) � ⇒ Unpredictability 2. Generate with entropy ( ≥ 2 RNGs) 3. Generate not too in advance (small ∆) ⇒ Freshness 4. Release soon (small δ ) ⇒ Timeliness 5. Timestamp (non-repeating) indexation π : intended pulsation period ∆ ∆ δ δ Time start start release P i release T i T i +1 gen. gen. P i +1 P i +1 P i 14/30

  34. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) � ⇒ Unpredictability 2. Generate with entropy ( ≥ 2 RNGs) 3. Generate not too in advance (small ∆) ⇒ Freshness 4. Release soon (small δ ) ⇒ Timeliness 5. Timestamp (non-repeating) indexation ⇒ Unambiguity π : intended pulsation period ∆ ∆ δ δ Time start start release P i release T i T i +1 gen. gen. P i +1 P i +1 P i 14/30

  35. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) � ⇒ Unpredictability 2. Generate with entropy ( ≥ 2 RNGs) 3. Generate not too in advance (small ∆) ⇒ Freshness 4. Release soon (small δ ) ⇒ Timeliness 5. Timestamp (non-repeating) indexation ⇒ Unambiguity π : intended pulsation period ∆ ∆ δ δ γ γ Time start start obtain release P i obtain release T i T i +1 gen. gen. P i P i +1 P i +1 P i +1 P i R i R i R i : randOut r i +1 r i +1 r i : randLocal 14/30

  36. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) � ⇒ Unpredictability 2. Generate with entropy ( ≥ 2 RNGs) 3. Generate not too in advance (small ∆) ⇒ Freshness 4. Release soon (small δ ) ⇒ Timeliness 5. Timestamp (non-repeating) indexation ⇒ Unambiguity π : intended pulsation period ∆ ∆ δ δ γ γ Time start start obtain release P i obtain release T i T i +1 gen. gen. P i P i +1 P i +1 P i +1 P i R i R i R i : randOut r i +1 r i +1 r i : randLocal (The reference document specifies allowed intervals for δ and ∆, relative to π ) 14/30

  37. 3. Beacon Protocol Fetching pulses 15/30

  38. 3. Beacon Protocol Fetching pulses Beacon App: a pulse release means sending the pulse to the database Fw queries DB Beacon Pulse Web (web App frontend) (users) replies 15/30

  39. 3. Beacon Protocol Fetching pulses Beacon App: a pulse release means sending the pulse to the database Fw queries DB Beacon Pulse Web (web App frontend) (users) replies How do users request pulses from the database? 15/30

  40. 3. Beacon Protocol Fetching pulses Beacon App: a pulse release means sending the pulse to the database Fw queries DB Beacon Pulse Web (web App frontend) (users) replies How do users request pulses from the database? uri/url 15/30

  41. 3. Beacon Protocol Fetching pulses Beacon App: a pulse release means sending the pulse to the database Fw queries DB Beacon Pulse Web (web App frontend) (users) replies How do users request pulses from the database? uri/url https://beacon.nist.gov/beacon/2.0/chain/last/pulse/last Example: URI for the latest pulse in chain 1 of the NIST randomness Beacon (version 2) 15/30

  42. 3. Beacon Protocol Skiplists — efficient chain verification 16/30

  43. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? 16/30

  44. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 16/30

  45. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 Solution: check that there is a hash-chain linking them 16/30

  46. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 Solution: check that there is a hash-chain linking them Inefficient : check the hash-chain of ( > 1M) consecutive pulses Efficient : check the hash-chaining in a skiplist ( < 125 pulses). 16/30

  47. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 Solution: check that there is a hash-chain linking them Inefficient : check the hash-chain of ( > 1M) consecutive pulses 2019-05-17 14:12 → 2019-05-17 14:11 → (1 per minute) → 2016-02-14 17:45 Efficient : check the hash-chaining in a skiplist ( < 125 pulses). 16/30

  48. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 Solution: check that there is a hash-chain linking them Inefficient : check the hash-chain of ( > 1M) consecutive pulses 2019-05-17 14:12 → 2019-05-17 14:11 → (1 per minute) → 2016-02-14 17:45 Efficient : check the hash-chaining in a skiplist ( < 125 pulses). Use the 5 past output fields in the pulse format: ◮ out.Prev : the previous pulse ◮ out.H , out.D , out.M , out.Y : the first of the hour / day / month / year 16/30

  49. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 Solution: check that there is a hash-chain linking them Inefficient : check the hash-chain of ( > 1M) consecutive pulses 2019-05-17 14:12 → 2019-05-17 14:11 → (1 per minute) → 2016-02-14 17:45 Efficient : check the hash-chaining in a skiplist ( < 125 pulses). Use the 5 past output fields in the pulse format: ◮ out.Prev : the previous pulse ◮ out.H , out.D , out.M , out.Y : the first of the hour / day / month / year 2019-05-17 14:12 → 2019-01 -01 00:00 → 2018-01 -01 00:00 → 2017-01 -01 00:00 → 16/30

  50. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 Solution: check that there is a hash-chain linking them Inefficient : check the hash-chain of ( > 1M) consecutive pulses 2019-05-17 14:12 → 2019-05-17 14:11 → (1 per minute) → 2016-02-14 17:45 Efficient : check the hash-chaining in a skiplist ( < 125 pulses). Use the 5 past output fields in the pulse format: ◮ out.Prev : the previous pulse ◮ out.H , out.D , out.M , out.Y : the first of the hour / day / month / year 2019-05-17 14:12 → 2019-01 -01 00:00 → 2018-01 -01 00:00 → 2017-01 -01 00:00 → 2016- 12-01 00:00 → (1 per month) → 2016- 03-01 00:00 16/30

  51. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 Solution: check that there is a hash-chain linking them Inefficient : check the hash-chain of ( > 1M) consecutive pulses 2019-05-17 14:12 → 2019-05-17 14:11 → (1 per minute) → 2016-02-14 17:45 Efficient : check the hash-chaining in a skiplist ( < 125 pulses). Use the 5 past output fields in the pulse format: ◮ out.Prev : the previous pulse ◮ out.H , out.D , out.M , out.Y : the first of the hour / day / month / year 2019-05-17 14:12 → 2019-01 -01 00:00 → 2018-01 -01 00:00 → 2017-01 -01 00:00 → 2016- 12-01 00:00 → (1 per month) → 2016- 03-01 00:00 → 2016-02- 29 00 :00 → (1 per day) → 2016-02- 15 00 :00 16/30

  52. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 Solution: check that there is a hash-chain linking them Inefficient : check the hash-chain of ( > 1M) consecutive pulses 2019-05-17 14:12 → 2019-05-17 14:11 → (1 per minute) → 2016-02-14 17:45 Efficient : check the hash-chaining in a skiplist ( < 125 pulses). Use the 5 past output fields in the pulse format: ◮ out.Prev : the previous pulse ◮ out.H , out.D , out.M , out.Y : the first of the hour / day / month / year 2019-05-17 14:12 → 2019-01 -01 00:00 → 2018-01 -01 00:00 → 2017-01 -01 00:00 → 2016- 12-01 00:00 → (1 per month) → 2016- 03-01 00:00 → 2016-02- 29 00 :00 → (1 per day) → 2016-02- 15 00 :00 → 2016-02-14 23:00 → (1 per hour) → 2016-02-14 18:00 16/30

  53. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 Solution: check that there is a hash-chain linking them Inefficient : check the hash-chain of ( > 1M) consecutive pulses 2019-05-17 14:12 → 2019-05-17 14:11 → (1 per minute) → 2016-02-14 17:45 Efficient : check the hash-chaining in a skiplist ( < 125 pulses). Use the 5 past output fields in the pulse format: ◮ out.Prev : the previous pulse ◮ out.H , out.D , out.M , out.Y : the first of the hour / day / month / year 2019-05-17 14:12 → 2019-01 -01 00:00 → 2018-01 -01 00:00 → 2017-01 -01 00:00 → 2016- 12-01 00:00 → (1 per month) → 2016- 03-01 00:00 → 2016-02- 29 00 :00 → (1 per day) → 2016-02- 15 00 :00 → 2016-02-14 23:00 → (1 per hour) → 2016-02-14 18:00 → 2016-02-14 17: 59 → (1 per minute) → 2016-02-14 17:45 16/30

  54. 3. Beacon Protocol A possible diagram of pulse generation Time MD i : some metadata (uri, version, cipher, period, certId, chainId) Server i: pulse index (integer, incremented by 1 for each released pulse) (remote) Ti: time (UTC string, ms precision, e.g., "2018-07-23T19:26:00.000Z") Hash of r i : randLocal (512 bits) NTP E i : external (srcId, status, value) (all-zeros when not available) external Past i = (R i-1 , R H[i-1] , R D[i-1] , R M[i-1] , R Y[i-1] ): previous (i-1) Clock value and 1st of {hour (H), day (D), month (M) and year (Y)} of previous (on chip) C i : preCom (512 bits) M i = MD i || i || T i || r i || E i || Past i || C i || z i z i : status (32 bits) M i P i (pulse) Hash Hash Local DB pulsify cache R i S i R i P i = M i || R i || S i r i+1 r i+1 (randLocal of M i M i || S i Hash Hash R i : randOut next pulse) RNG #1 � i,1 || � i,2 � i,1 Hash Hash (on chip) [|| � i,3 ] (512 Hash* Hash S i : sig bits) � i,2 S i RNG #3 � i,3 (512 bits) H i Legend: - DB: database - : release not before timestamp (Quantum) (512 - HSM: hardware security module Signing* bits) RNG #2 HSM - RNG: random-number generator module - NTP: network time protocol - ||: concatenation For simplicity, the diagram omits serialization details (e.g., field lengths and padding) and some metadata fields. 17/30

  55. 4. Using a Beacon Outline 1. Introduction 2. Pulse format 3. Beacon Protocol 4. Using a Beacon 5. Brief security considerations 6. Conclusion 18/30

  56. 4. Using a Beacon Using Beacon randomness (if I trust the beacon) (some simplifications for presentation purpose) 19/30

  57. 4. Using a Beacon Using Beacon randomness (if I trust the beacon) (some simplifications for presentation purpose) Simply getting a practically uniform number in [0 , N − 1] : 19/30

  58. 4. Using a Beacon Using Beacon randomness (if I trust the beacon) (some simplifications for presentation purpose) Simply getting a practically uniform number in [0 , N − 1] : ◮ Just calculate randOut (mod N ), if N < 2 384 19/30

  59. 4. Using a Beacon Using Beacon randomness (if I trust the beacon) (some simplifications for presentation purpose) Simply getting a practically uniform number in [0 , N − 1] : ◮ Just calculate randOut (mod N ), if N < 2 384 If I want future auditability of a randomized operation: 19/30

  60. 4. Using a Beacon Using Beacon randomness (if I trust the beacon) (some simplifications for presentation purpose) Simply getting a practically uniform number in [0 , N − 1] : ◮ Just calculate randOut (mod N ), if N < 2 384 If I want future auditability of a randomized operation: 1. Commit upfront: 2. Derive a seed: 3. Perform the operation: 19/30

  61. 4. Using a Beacon Using Beacon randomness (if I trust the beacon) (some simplifications for presentation purpose) Simply getting a practically uniform number in [0 , N − 1] : ◮ Just calculate randOut (mod N ), if N < 2 384 If I want future auditability of a randomized operation: 1. Commit upfront: publish a statement S that explains my deterministic operation that will use the Beacon randomness (the output value randOut ) from future time t ; 2. Derive a seed: 3. Perform the operation: 19/30

  62. 4. Using a Beacon Using Beacon randomness (if I trust the beacon) (some simplifications for presentation purpose) Simply getting a practically uniform number in [0 , N − 1] : ◮ Just calculate randOut (mod N ), if N < 2 384 If I want future auditability of a randomized operation: 1. Commit upfront: publish a statement S that explains my deterministic operation that will use the Beacon randomness (the output value randOut ) from future time t ; 2. Derive a seed: Get R = randOut [ t ] (from the pulse with timestamp t ), and set the seed as Z = SHA512( S || R ) 3. Perform the operation: 19/30

  63. 4. Using a Beacon Using Beacon randomness (if I trust the beacon) (some simplifications for presentation purpose) Simply getting a practically uniform number in [0 , N − 1] : ◮ Just calculate randOut (mod N ), if N < 2 384 If I want future auditability of a randomized operation: 1. Commit upfront: publish a statement S that explains my deterministic operation that will use the Beacon randomness (the output value randOut ) from future time t ; 2. Derive a seed: Get R = randOut [ t ] (from the pulse with timestamp t ), and set the seed as Z = SHA512( S || R ) 3. Perform the operation: Do what the statement S promised, using Z as the seed for all needed pseudo-randomness. 19/30

  64. 4. Using a Beacon Using Beacon randomness (if I trust the beacon) (some simplifications for presentation purpose) Simply getting a practically uniform number in [0 , N − 1] : ◮ Just calculate randOut (mod N ), if N < 2 384 If I want future auditability of a randomized operation: 1. Commit upfront: publish a statement S that explains my deterministic operation that will use the Beacon randomness (the output value randOut ) from future time t ; 2. Derive a seed: Get R = randOut [ t ] (from the pulse with timestamp t ), and set the seed as Z = SHA512( S || R ) 3. Perform the operation: Do what the statement S promised, using Z as the seed for all needed pseudo-randomness. We defer reference guidance to complementary future documentation 19/30

  65. 4. Using a Beacon Combining Beacons 20/30

  66. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? 20/30

  67. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? ... but trust that two Beacons ( A and B ) will not collude? 20/30

  68. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? ... but trust that two Beacons ( A and B ) will not collude? Desired properties: ◮ A single Beacon cannot bias the output; ◮ Even two colluding beacons cannot fully control the output. 20/30

  69. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? ... but trust that two Beacons ( A and B ) will not collude? Desired properties: ◮ A single Beacon cannot bias the output; ◮ Even two colluding beacons cannot fully control the output. Not good: ◮ R [ t ] = Hash( A [ t ] . randOut || B [ t ] . randOut ) 20/30

  70. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? ... but trust that two Beacons ( A and B ) will not collude? Desired properties: ◮ A single Beacon cannot bias the output; ◮ Even two colluding beacons cannot fully control the output. Not good: ◮ R [ t ] = Hash( A [ t ] . randOut || B [ t ] . randOut ) ( A could wait to know B ’s value) 20/30

  71. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? ... but trust that two Beacons ( A and B ) will not collude? Desired properties: ◮ A single Beacon cannot bias the output; ◮ Even two colluding beacons cannot fully control the output. Not good: ◮ R [ t ] = Hash( A [ t ] . randOut || B [ t ] . randOut ) ( A could wait to know B ’s value) ◮ R [ t ] = Hash( A [ t ] . randLocal || B [ t ] . randLocal ) 20/30

  72. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? ... but trust that two Beacons ( A and B ) will not collude? Desired properties: ◮ A single Beacon cannot bias the output; ◮ Even two colluding beacons cannot fully control the output. Not good: ◮ R [ t ] = Hash( A [ t ] . randOut || B [ t ] . randOut ) ( A could wait to know B ’s value) ◮ R [ t ] = Hash( A [ t ] . randLocal || B [ t ] . randLocal ) ( A & B could force repeating R [ t ]) 20/30

  73. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? ... but trust that two Beacons ( A and B ) will not collude? Desired properties: ◮ A single Beacon cannot bias the output; ◮ Even two colluding beacons cannot fully control the output. Not good: ◮ R [ t ] = Hash( A [ t ] . randOut || B [ t ] . randOut ) ( A could wait to know B ’s value) ◮ R [ t ] = Hash( A [ t ] . randLocal || B [ t ] . randLocal ) ( A & B could force repeating R [ t ]) Solution : get R [ t ] from two randLocal [ t ] and two randOut [ t − π ] values: 20/30

  74. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? ... but trust that two Beacons ( A and B ) will not collude? Desired properties: ◮ A single Beacon cannot bias the output; ◮ Even two colluding beacons cannot fully control the output. Not good: ◮ R [ t ] = Hash( A [ t ] . randOut || B [ t ] . randOut ) ( A could wait to know B ’s value) ◮ R [ t ] = Hash( A [ t ] . randLocal || B [ t ] . randLocal ) ( A & B could force repeating R [ t ]) Solution : get R [ t ] from two randLocal [ t ] and two randOut [ t − π ] values: R [ t ] = Hash( A [ t − π ] . randOut || B [ t − π ] . randOut || A [ t ] . randLocal || B [ t ] . randLocal ) 20/30

  75. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? ... but trust that two Beacons ( A and B ) will not collude? Desired properties: ◮ A single Beacon cannot bias the output; ◮ Even two colluding beacons cannot fully control the output. Not good: ◮ R [ t ] = Hash( A [ t ] . randOut || B [ t ] . randOut ) ( A could wait to know B ’s value) ◮ R [ t ] = Hash( A [ t ] . randLocal || B [ t ] . randLocal ) ( A & B could force repeating R [ t ]) Solution : get R [ t ] from two randLocal [ t ] and two randOut [ t − π ] values: R [ t ] = Hash( A [ t − π ] . randOut || B [ t − π ] . randOut || A [ t ] . randLocal || B [ t ] . randLocal ) Also need to check: ◮ reception of A [ t − π ] . randOut and B [ t − π ] . randOut before time T ◮ correctness of standalone pulses: A [ t − π ] , B [ t − π ] , A [ t ] , B [ t ] ◮ hash-chaining (e.g., A [ t ] .out.Prev = A [ t − π ] .randOut ) ◮ pre-commitments (e.g., Hash(A[t]. randLocal ) = A [ t − π ] . preCom ) 20/30

  76. 4. Using a Beacon Some Beacons in development Three countries are developing Beacons to match the current reference: ◮ (United States) NIST Randomness Beacon https://beacon.nist.gov/home United States ◮ (Chile) CLCERT Randomness Beacon https://beacon.clcert.cl/ Brazil ◮ (Brazil) Brazilian Randomness Beacon Chile https://beacon.inmetro.gov.br/ 21/30

  77. 4. Using a Beacon Some Beacons in development Three countries are developing Beacons to match the current reference: ◮ (United States) NIST Randomness Beacon https://beacon.nist.gov/home United States ◮ (Chile) CLCERT Randomness Beacon https://beacon.clcert.cl/ Brazil ◮ (Brazil) Brazilian Randomness Beacon Chile https://beacon.inmetro.gov.br/ We would like others to join 21/30

  78. 4. Using a Beacon Some conceivable applications “ You have been randomly selected for additional screening ” 22/30

  79. 4. Using a Beacon Some conceivable applications “ You have been randomly selected for additional screening ” Example applications: ◮ Select test and control groups for clinical trials ◮ Select random government officials for financial audits ◮ Assign court cases to random judges ◮ Sample random lots for quality-measuring procedures ◮ Provide entropy to digital lotteries 22/30

  80. 4. Using a Beacon Some conceivable applications “ You have been randomly selected for additional screening ” Example applications: ◮ Select test and control groups for clinical trials ◮ Select random government officials for financial audits ◮ Assign court cases to random judges ◮ Sample random lots for quality-measuring procedures ◮ Provide entropy to digital lotteries Some generic goals: ◮ Prevent auditors from biasing selections (or being accused of it) ◮ Prevent auditees from addressing only the items to-be sampled ◮ Enable public verifiability of correct sampling 22/30

  81. 5. Brief security considerations Outline 1. Introduction 2. Pulse format 3. Beacon Protocol 4. Using a Beacon 5. Brief security considerations 6. Conclusion 23/30

  82. 5. Brief security considerations Security against intrusions Security is “easy” in uncompromised scenario! 24/30

Recommend


More recommend