the new nist reference for randomness beacons
play

The new NIST reference for Randomness Beacons Lu s Brand ao Joint - PowerPoint PPT Presentation

Oct 02, 2023 •190 likes •1.42k views

The new NIST reference for Randomness Beacons Lu s Brand ao Joint work with: John Kelsey, Ren e Peralta, Harold Booth National Institute of Standards and Technology (Gaithersburg MD, USA) 1 1 1 1 0 1 1 0 1 1 0 1 0 0 0

  1. 1. Introduction This talk is about the NISTIR 8213 (draft) “A Reference for Randomness Beacons: Format and Protocol Version 2” https://doi.org/10.6028/NIST.IR.8213-draft Some topics in the report: Draft NISTIR 8213 1 ◮ format for pulses 2 A Reference for Randomness Beacons 3 4 Format and Protocol Version 2 ◮ protocol for beacon operations 5 John Kelsey 6 Lu´ ıs T. A. N. Brand˜ ao Ren´ e Peralta 7 Harold Booth 8 ◮ using Beacon randomness 9 This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8213-draft 10 ◮ security considerations Public comments till August 05, 2019. 11 6/30

  2. 1. Introduction This talk is about the NISTIR 8213 (draft) “A Reference for Randomness Beacons: Format and Protocol Version 2” https://doi.org/10.6028/NIST.IR.8213-draft Some topics in the report: Draft NISTIR 8213 1 ◮ format for pulses 2 A Reference for Randomness Beacons 3 4 Format and Protocol Version 2 ◮ protocol for beacon operations 5 John Kelsey 6 Lu´ ıs T. A. N. Brand˜ ao Ren´ e Peralta 7 Harold Booth 8 ◮ using Beacon randomness 9 This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8213-draft 10 ◮ security considerations Public comments till August 05, 2019. 11 Two goals in this presentation: ◮ Provide an overview of the new reference ◮ Motivate engagement: NISTIR feedback, new beacons and apps 6/30

  3. 1. Introduction Components of the Beacon service, at a high level HSM Time Legend: RNG - App: software app lication #3 server - DB: d ata b ase RNG Sign - Fw: f ire w all - HSM: h ardware s ecurity m odule - RNG: r andom- n umber g enerator Fw Clock Beacon queries DB Pulse Web App (web RNG frontend) (users) replies external Beacon Engine entropy 7/30

  4. 1. Introduction Components of the Beacon service, at a high level HSM Time Legend: RNG - App: software app lication #3 server - DB: d ata b ase RNG Sign - Fw: f ire w all - HSM: h ardware s ecurity m odule - RNG: r andom- n umber g enerator Fw Clock Beacon queries DB Pulse Web App (web RNG frontend) (users) replies external Beacon Engine entropy But what exactly is a pulse , what is its randomness, ...? 7/30

  5. 2. Pulse format Outline 1. Introduction 2. Pulse format 3. Beacon Protocol 4. Using a Beacon 5. Brief security considerations 6. Conclusion 8/30

  6. 2. Pulse format A pulse (simplified example) uri:str="https://beacon.nist.gov/beacon/2.0/chain/1/pulse/220394" version:str="2.0" ... period:dec="60000" ... chainId:dec="1" pulseId:dec="220394" time:str="2018-12-26T16:07:00.000Z" randLocal:hex="5FF1E0C019C42C77FA72D522...(512 bits total)" ... out.Prev:hex="BA646CC4E7AE195D2C85E9D3...(512 bits total)" ... preCom:hex="269908B840E79BE71CEC4EBA...(512 bits total)" ... sig:hex="17943D886DA8C7C24B9244BE...(4096 bits total)" randOut:hex="0A8863E03E200F6940A009B0...(512 bits total)" 9/30

  7. 2. Pulse format A pulse (simplified example) uri:str="https://beacon.nist.gov/beacon/2.0/chain/1/pulse/220394" version:str="2.0" ... period:dec="60000" ... chainId:dec="1" pulseId:dec="220394" time:str="2018-12-26T16:07:00.000Z" randLocal:hex="5FF1E0C019C42C77FA72D522...(512 bits total)" ... out.Prev:hex="BA646CC4E7AE195D2C85E9D3...(512 bits total)" ... preCom:hex="269908B840E79BE71CEC4EBA...(512 bits total)" ... sig:hex="17943D886DA8C7C24B9244BE...(4096 bits total)" randOut:hex="0A8863E03E200F6940A009B0...(512 bits total)" ◮ Each pulse is indexed 9/30

  8. 2. Pulse format A pulse (simplified example) uri:str="https://beacon.nist.gov/beacon/2.0/chain/1/pulse/220394" version:str="2.0" ... period:dec="60000" ... chainId:dec="1" pulseId:dec="220394" time:str="2018-12-26T16:07:00.000Z" randLocal:hex="5FF1E0C019C42C77FA72D522...(512 bits total)" ... out.Prev:hex="BA646CC4E7AE195D2C85E9D3...(512 bits total)" ... preCom:hex="269908B840E79BE71CEC4EBA...(512 bits total)" ... sig:hex="17943D886DA8C7C24B9244BE...(4096 bits total)" randOut:hex="0A8863E03E200F6940A009B0...(512 bits total)" ◮ Each pulse is indexed 9/30

  9. 2. Pulse format A pulse (simplified example) uri:str="https://beacon.nist.gov/beacon/2.0/chain/1/pulse/220394" version:str="2.0" ... period:dec="60000" ... chainId:dec="1" pulseId:dec="220394" time:str="2018-12-26T16:07:00.000Z" randLocal:hex="5FF1E0C019C42C77FA72D522...(512 bits total)" ... out.Prev:hex="BA646CC4E7AE195D2C85E9D3...(512 bits total)" ... preCom:hex="269908B840E79BE71CEC4EBA...(512 bits total)" ... sig:hex="17943D886DA8C7C24B9244BE...(4096 bits total)" randOut:hex="0A8863E03E200F6940A009B0...(512 bits total)" ◮ Each pulse is indexed 9/30

  10. 2. Pulse format A pulse (simplified example) uri:str="https://beacon.nist.gov/beacon/2.0/chain/1/pulse/220394" version:str="2.0" ... period:dec="60000" ... chainId:dec="1" pulseId:dec="220394" time:str="2018-12-26T16:07:00.000Z" randLocal:hex="5FF1E0C019C42C77FA72D522...(512 bits total)" ... out.Prev:hex="BA646CC4E7AE195D2C85E9D3...(512 bits total)" ... preCom:hex="269908B840E79BE71CEC4EBA...(512 bits total)" ... sig:hex="17943D886DA8C7C24B9244BE...(4096 bits total)" randOut:hex="0A8863E03E200F6940A009B0...(512 bits total)" ◮ Each pulse is indexed ◮ Two main random values (“rands”): randLocal and randOut . 9/30

  11. 2. Pulse format A pulse (simplified example) uri:str="https://beacon.nist.gov/beacon/2.0/chain/1/pulse/220394" version:str="2.0" ... period:dec="60000" ... chainId:dec="1" pulseId:dec="220394" time:str="2018-12-26T16:07:00.000Z" randLocal:hex="5FF1E0C019C42C77FA72D522...(512 bits total)" ... out.Prev:hex="BA646CC4E7AE195D2C85E9D3...(512 bits total)" ... preCom:hex="269908B840E79BE71CEC4EBA...(512 bits total)" ... sig:hex="17943D886DA8C7C24B9244BE...(4096 bits total)" randOut:hex="0A8863E03E200F6940A009B0...(512 bits total)" ◮ Each pulse is indexed ◮ Two main random values (“rands”): randLocal and randOut . ◮ Other features: signature 9/30

  12. 2. Pulse format A pulse (simplified example) uri:str="https://beacon.nist.gov/beacon/2.0/chain/1/pulse/220394" version:str="2.0" ... period:dec="60000" ... chainId:dec="1" pulseId:dec="220394" time:str="2018-12-26T16:07:00.000Z" randLocal:hex="5FF1E0C019C42C77FA72D522...(512 bits total)" ... out.Prev:hex="BA646CC4E7AE195D2C85E9D3...(512 bits total)" ... preCom:hex="269908B840E79BE71CEC4EBA...(512 bits total)" ... sig:hex="17943D886DA8C7C24B9244BE...(4096 bits total)" randOut:hex="0A8863E03E200F6940A009B0...(512 bits total)" ◮ Each pulse is indexed ◮ Two main random values (“rands”): randLocal and randOut . ◮ Other features: signature, precommit randLocal 9/30

  13. 2. Pulse format A pulse (simplified example) uri:str="https://beacon.nist.gov/beacon/2.0/chain/1/pulse/220394" version:str="2.0" ... period:dec="60000" ... chainId:dec="1" pulseId:dec="220394" time:str="2018-12-26T16:07:00.000Z" randLocal:hex="5FF1E0C019C42C77FA72D522...(512 bits total)" ... out.Prev:hex="BA646CC4E7AE195D2C85E9D3...(512 bits total)" ... preCom:hex="269908B840E79BE71CEC4EBA...(512 bits total)" ... sig:hex="17943D886DA8C7C24B9244BE...(4096 bits total)" randOut:hex="0A8863E03E200F6940A009B0...(512 bits total)" ◮ Each pulse is indexed ◮ Two main random values (“rands”): randLocal and randOut . ◮ Other features: signature, precommit randLocal , chain randOut , ... 9/30

  14. 2. Pulse format The two “rands” in a pulse 10/30

  15. 2. Pulse format The two “rands” in a pulse randLocal (a.k.a. local random value): randOut (a.k.a. output value): 10/30

  16. 2. Pulse format The two “rands” in a pulse randLocal (a.k.a. local random value): ◮ Hash (SHA512) of randomness output by ≥ 2 RNGs ◮ Pre-committed 1 minute in advance of release ◮ Useful for combining beacons randOut (a.k.a. output value): 10/30

  17. 2. Pulse format The two “rands” in a pulse randLocal (a.k.a. local random value): ◮ Hash (SHA512) of randomness output by ≥ 2 RNGs ◮ Pre-committed 1 minute in advance of release ◮ Useful for combining beacons randOut (a.k.a. output value): ◮ Hash of all other fields ◮ Fresh at the time of release ◮ The actual randomness to be used by applications 10/30

  18. 2. Pulse format The two “rands” in a pulse Pulse i Pulse i+1 T i =2019-05-17T16:1 3 :00.000Z T i =2019-05-17T16:1 4 :00.000Z ... ... out.Prev: R i-1 =0110... out.Prev: R i = 1110... ... ... rand Local : r i = 1001... rand Local : r i+1 = 1101... preCom: C i = 0101... preCom: C i+1 = 0010... ... ... sig: S i = 1010... sig: S i+1 = 0111... rand Out : R i = 1110... rand Out : R i+1 = 1011... 11/30

  19. 2. Pulse format The two “rands” in a pulse randLocal : r i +1 = Hash ( ρ 1 , i || ρ 2 , i [ || ρ 3 , i ] ), with random ρ j , i from i th RNG Pulse i Pulse i+1 T i =2019-05-17T16:1 3 :00.000Z T i =2019-05-17T16:1 4 :00.000Z ... ... out.Prev: R i-1 =0110... out.Prev: R i = 1110... ... ... rand Local : r i = 1001... rand Local : r i+1 = 1101... preCom: C i = 0101... preCom: C i+1 = 0010... ... ... sig: S i = 1010... sig: S i+1 = 0111... rand Out : R i = 1110... rand Out : R i+1 = 1011... 11/30

  20. 2. Pulse format The two “rands” in a pulse randLocal : r i +1 = Hash( ρ 1 , i || ρ 2 , i [ || ρ 3 , i ]), with random ρ j , i from i th RNG preCom : C i = Hash( r i +1 ), released 1 min before r i +1 Pulse i Pulse i+1 T i =2019-05-17T16:1 3 :00.000Z T i =2019-05-17T16:1 4 :00.000Z ... ... out.Prev: R i-1 =0110... out.Prev: R i = 1110... ... ... rand Local : r i = 1001... rand Local : r i+1 = 1101... Hash preCom: C i = 0101... preCom: C i+1 = 0010... ... ... sig: S i = 1010... sig: S i+1 = 0111... rand Out : R i = 1110... rand Out : R i+1 = 1011... 11/30

  21. 2. Pulse format The two “rands” in a pulse randLocal : r i +1 = Hash( ρ 1 , i || ρ 2 , i [ || ρ 3 , i ]), with random ρ j , i from i th RNG preCom : C i = Hash( r i +1 ), released 1 min before r i +1 Pulse i Pulse i+1 T i =2019-05-17T16:1 3 :00.000Z T i =2019-05-17T16:1 4 :00.000Z ... ... out.Prev: R i-1 =0110... out.Prev: R i = 1110... ... ... M i M i rand Local : r i = 1001... rand Local : r i+1 = 1101... preCom: C i = 0101... preCom: C i+1 = 0010... ... ... Hash Hash sig: S i = 1010... sig: S i+1 = 0111... rand Out : R i = 1110... rand Out : R i+1 = 1011... randOut : R i = Hash ( M i ), with M i being the serialization of all previous fields 11/30

  22. 2. Pulse format The two “rands” in a pulse randLocal : r i +1 = Hash( ρ 1 , i || ρ 2 , i [ || ρ 3 , i ]), with random ρ j , i from i th RNG preCom : C i = Hash( r i +1 ), released 1 min before r i +1 Pulse i Pulse i+1 T i =2019-05-17T16:1 3 :00.000Z T i =2019-05-17T16:1 4 :00.000Z ... ... out.Prev: R i-1 =0110... out.Prev: R i = 1110... ... ... M i M i rand Local : r i = 1001... rand Local : r i+1 = 1101... preCom: C i = 0101... preCom: C i+1 = 0010... = ... ... Hash Hash sig: S i = 1010... sig: S i+1 = 0111... rand Out : R i = 1110... rand Out : R i+1 = 1011... randOut : R i = Hash ( M i ), with M i being the serialization of all previous fields out.Prev has the output value ( R i ) of the previous pulse 11/30

  23. 2. Pulse format The two “rands” in a pulse randLocal : r i +1 = Hash( ρ 1 , i || ρ 2 , i [ || ρ 3 , i ]), with random ρ j , i from i th RNG preCom : C i = Hash( r i +1 ), released 1 min before r i +1 Pulse i Pulse i+1 T i =2019-05-17T16:1 3 :00.000Z T i =2019-05-17T16:1 4 :00.000Z ... ... out.Prev: R i-1 =0110... out.Prev: R i = 1110... ... ... M i M i rand Local : r i = 1001... rand Local : r i+1 = 1101... Hash preCom: C i = 0101... preCom: C i+1 = 0010... = ... ... Hash Hash sig: S i = 1010... sig: S i+1 = 0111... rand Out : R i = 1110... rand Out : R i+1 = 1011... randOut : R i = Hash ( M i ), with M i being the serialization of all previous fields out.Prev has the output value ( R i ) of the previous pulse 11/30

  24. 3. Beacon Protocol Outline 1. Introduction 2. Pulse format 3. Beacon Protocol 4. Using a Beacon 5. Brief security considerations 6. Conclusion 12/30

  25. 3. Beacon Protocol Beacon proper operation ◮ Timing and entropy requirements ◮ Beacon interface: getting pulses and skiplists ◮ Others (not here): external values, status fields, ... 13/30

  26. 3. Beacon Protocol Timing requirements for generation and release π : intended pulsation period Time T i T i +1 14/30

  27. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) π : intended pulsation period δ δ Time release P i release T i T i +1 P i +1 14/30

  28. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) � ⇒ Unpredictability 2. Generate with entropy ( ≥ 2 RNGs) π : intended pulsation period δ δ Time release P i release T i T i +1 P i +1 14/30

  29. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) � ⇒ Unpredictability 2. Generate with entropy ( ≥ 2 RNGs) 3. Generate not too in advance (small ∆) π : intended pulsation period ∆ ∆ δ δ Time start start release P i release T i T i +1 gen. gen. P i +1 P i +1 P i 14/30

  30. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) � ⇒ Unpredictability 2. Generate with entropy ( ≥ 2 RNGs) 3. Generate not too in advance (small ∆) ⇒ Freshness π : intended pulsation period ∆ ∆ δ δ Time start start release P i release T i T i +1 gen. gen. P i +1 P i +1 P i 14/30

  31. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) � ⇒ Unpredictability 2. Generate with entropy ( ≥ 2 RNGs) 3. Generate not too in advance (small ∆) ⇒ Freshness 4. Release soon (small δ ) π : intended pulsation period ∆ ∆ δ δ Time start start release P i release T i T i +1 gen. gen. P i +1 P i +1 P i 14/30

  32. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) � ⇒ Unpredictability 2. Generate with entropy ( ≥ 2 RNGs) 3. Generate not too in advance (small ∆) ⇒ Freshness 4. Release soon (small δ ) ⇒ Timeliness π : intended pulsation period ∆ ∆ δ δ Time start start release P i release T i T i +1 gen. gen. P i +1 P i +1 P i 14/30

  33. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) � ⇒ Unpredictability 2. Generate with entropy ( ≥ 2 RNGs) 3. Generate not too in advance (small ∆) ⇒ Freshness 4. Release soon (small δ ) ⇒ Timeliness 5. Timestamp (non-repeating) indexation π : intended pulsation period ∆ ∆ δ δ Time start start release P i release T i T i +1 gen. gen. P i +1 P i +1 P i 14/30

  34. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) � ⇒ Unpredictability 2. Generate with entropy ( ≥ 2 RNGs) 3. Generate not too in advance (small ∆) ⇒ Freshness 4. Release soon (small δ ) ⇒ Timeliness 5. Timestamp (non-repeating) indexation ⇒ Unambiguity π : intended pulsation period ∆ ∆ δ δ Time start start release P i release T i T i +1 gen. gen. P i +1 P i +1 P i 14/30

  35. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) � ⇒ Unpredictability 2. Generate with entropy ( ≥ 2 RNGs) 3. Generate not too in advance (small ∆) ⇒ Freshness 4. Release soon (small δ ) ⇒ Timeliness 5. Timestamp (non-repeating) indexation ⇒ Unambiguity π : intended pulsation period ∆ ∆ δ δ γ γ Time start start obtain release P i obtain release T i T i +1 gen. gen. P i P i +1 P i +1 P i +1 P i R i R i R i : randOut r i +1 r i +1 r i : randLocal 14/30

  36. 3. Beacon Protocol Timing requirements for generation and release 1. No advanced release of pulse ( δ ≥ 0) � ⇒ Unpredictability 2. Generate with entropy ( ≥ 2 RNGs) 3. Generate not too in advance (small ∆) ⇒ Freshness 4. Release soon (small δ ) ⇒ Timeliness 5. Timestamp (non-repeating) indexation ⇒ Unambiguity π : intended pulsation period ∆ ∆ δ δ γ γ Time start start obtain release P i obtain release T i T i +1 gen. gen. P i P i +1 P i +1 P i +1 P i R i R i R i : randOut r i +1 r i +1 r i : randLocal (The reference document specifies allowed intervals for δ and ∆, relative to π ) 14/30

  37. 3. Beacon Protocol Fetching pulses 15/30

  38. 3. Beacon Protocol Fetching pulses Beacon App: a pulse release means sending the pulse to the database Fw queries DB Beacon Pulse Web (web App frontend) (users) replies 15/30

  39. 3. Beacon Protocol Fetching pulses Beacon App: a pulse release means sending the pulse to the database Fw queries DB Beacon Pulse Web (web App frontend) (users) replies How do users request pulses from the database? 15/30

  40. 3. Beacon Protocol Fetching pulses Beacon App: a pulse release means sending the pulse to the database Fw queries DB Beacon Pulse Web (web App frontend) (users) replies How do users request pulses from the database? uri/url 15/30

  41. 3. Beacon Protocol Fetching pulses Beacon App: a pulse release means sending the pulse to the database Fw queries DB Beacon Pulse Web (web App frontend) (users) replies How do users request pulses from the database? uri/url https://beacon.nist.gov/beacon/2.0/chain/last/pulse/last Example: URI for the latest pulse in chain 1 of the NIST randomness Beacon (version 2) 15/30

  42. 3. Beacon Protocol Skiplists — efficient chain verification 16/30

  43. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? 16/30

  44. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 16/30

  45. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 Solution: check that there is a hash-chain linking them 16/30

  46. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 Solution: check that there is a hash-chain linking them Inefficient : check the hash-chain of ( > 1M) consecutive pulses Efficient : check the hash-chaining in a skiplist ( < 125 pulses). 16/30

  47. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 Solution: check that there is a hash-chain linking them Inefficient : check the hash-chain of ( > 1M) consecutive pulses 2019-05-17 14:12 → 2019-05-17 14:11 → (1 per minute) → 2016-02-14 17:45 Efficient : check the hash-chaining in a skiplist ( < 125 pulses). 16/30

  48. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 Solution: check that there is a hash-chain linking them Inefficient : check the hash-chain of ( > 1M) consecutive pulses 2019-05-17 14:12 → 2019-05-17 14:11 → (1 per minute) → 2016-02-14 17:45 Efficient : check the hash-chaining in a skiplist ( < 125 pulses). Use the 5 past output fields in the pulse format: ◮ out.Prev : the previous pulse ◮ out.H , out.D , out.M , out.Y : the first of the hour / day / month / year 16/30

  49. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 Solution: check that there is a hash-chain linking them Inefficient : check the hash-chain of ( > 1M) consecutive pulses 2019-05-17 14:12 → 2019-05-17 14:11 → (1 per minute) → 2016-02-14 17:45 Efficient : check the hash-chaining in a skiplist ( < 125 pulses). Use the 5 past output fields in the pulse format: ◮ out.Prev : the previous pulse ◮ out.H , out.D , out.M , out.Y : the first of the hour / day / month / year 2019-05-17 14:12 → 2019-01 -01 00:00 → 2018-01 -01 00:00 → 2017-01 -01 00:00 → 16/30

  50. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 Solution: check that there is a hash-chain linking them Inefficient : check the hash-chain of ( > 1M) consecutive pulses 2019-05-17 14:12 → 2019-05-17 14:11 → (1 per minute) → 2016-02-14 17:45 Efficient : check the hash-chaining in a skiplist ( < 125 pulses). Use the 5 past output fields in the pulse format: ◮ out.Prev : the previous pulse ◮ out.H , out.D , out.M , out.Y : the first of the hour / day / month / year 2019-05-17 14:12 → 2019-01 -01 00:00 → 2018-01 -01 00:00 → 2017-01 -01 00:00 → 2016- 12-01 00:00 → (1 per month) → 2016- 03-01 00:00 16/30

  51. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 Solution: check that there is a hash-chain linking them Inefficient : check the hash-chain of ( > 1M) consecutive pulses 2019-05-17 14:12 → 2019-05-17 14:11 → (1 per minute) → 2016-02-14 17:45 Efficient : check the hash-chaining in a skiplist ( < 125 pulses). Use the 5 past output fields in the pulse format: ◮ out.Prev : the previous pulse ◮ out.H , out.D , out.M , out.Y : the first of the hour / day / month / year 2019-05-17 14:12 → 2019-01 -01 00:00 → 2018-01 -01 00:00 → 2017-01 -01 00:00 → 2016- 12-01 00:00 → (1 per month) → 2016- 03-01 00:00 → 2016-02- 29 00 :00 → (1 per day) → 2016-02- 15 00 :00 16/30

  52. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 Solution: check that there is a hash-chain linking them Inefficient : check the hash-chain of ( > 1M) consecutive pulses 2019-05-17 14:12 → 2019-05-17 14:11 → (1 per minute) → 2016-02-14 17:45 Efficient : check the hash-chaining in a skiplist ( < 125 pulses). Use the 5 past output fields in the pulse format: ◮ out.Prev : the previous pulse ◮ out.H , out.D , out.M , out.Y : the first of the hour / day / month / year 2019-05-17 14:12 → 2019-01 -01 00:00 → 2018-01 -01 00:00 → 2017-01 -01 00:00 → 2016- 12-01 00:00 → (1 per month) → 2016- 03-01 00:00 → 2016-02- 29 00 :00 → (1 per day) → 2016-02- 15 00 :00 → 2016-02-14 23:00 → (1 per hour) → 2016-02-14 18:00 16/30

  53. 3. Beacon Protocol Skiplists — efficient chain verification How to prove that an old pulse is consistent with a recent pulse? Example: Anchor = 2019-05-17 14:12 → Target = 2016-02-14 17:45 Solution: check that there is a hash-chain linking them Inefficient : check the hash-chain of ( > 1M) consecutive pulses 2019-05-17 14:12 → 2019-05-17 14:11 → (1 per minute) → 2016-02-14 17:45 Efficient : check the hash-chaining in a skiplist ( < 125 pulses). Use the 5 past output fields in the pulse format: ◮ out.Prev : the previous pulse ◮ out.H , out.D , out.M , out.Y : the first of the hour / day / month / year 2019-05-17 14:12 → 2019-01 -01 00:00 → 2018-01 -01 00:00 → 2017-01 -01 00:00 → 2016- 12-01 00:00 → (1 per month) → 2016- 03-01 00:00 → 2016-02- 29 00 :00 → (1 per day) → 2016-02- 15 00 :00 → 2016-02-14 23:00 → (1 per hour) → 2016-02-14 18:00 → 2016-02-14 17: 59 → (1 per minute) → 2016-02-14 17:45 16/30

  54. 3. Beacon Protocol A possible diagram of pulse generation Time MD i : some metadata (uri, version, cipher, period, certId, chainId) Server i: pulse index (integer, incremented by 1 for each released pulse) (remote) Ti: time (UTC string, ms precision, e.g., "2018-07-23T19:26:00.000Z") Hash of r i : randLocal (512 bits) NTP E i : external (srcId, status, value) (all-zeros when not available) external Past i = (R i-1 , R H[i-1] , R D[i-1] , R M[i-1] , R Y[i-1] ): previous (i-1) Clock value and 1st of {hour (H), day (D), month (M) and year (Y)} of previous (on chip) C i : preCom (512 bits) M i = MD i || i || T i || r i || E i || Past i || C i || z i z i : status (32 bits) M i P i (pulse) Hash Hash Local DB pulsify cache R i S i R i P i = M i || R i || S i r i+1 r i+1 (randLocal of M i M i || S i Hash Hash R i : randOut next pulse) RNG #1 � i,1 || � i,2 � i,1 Hash Hash (on chip) [|| � i,3 ] (512 Hash* Hash S i : sig bits) � i,2 S i RNG #3 � i,3 (512 bits) H i Legend: - DB: database - : release not before timestamp (Quantum) (512 - HSM: hardware security module Signing* bits) RNG #2 HSM - RNG: random-number generator module - NTP: network time protocol - ||: concatenation For simplicity, the diagram omits serialization details (e.g., field lengths and padding) and some metadata fields. 17/30

  55. 4. Using a Beacon Outline 1. Introduction 2. Pulse format 3. Beacon Protocol 4. Using a Beacon 5. Brief security considerations 6. Conclusion 18/30

  56. 4. Using a Beacon Using Beacon randomness (if I trust the beacon) (some simplifications for presentation purpose) 19/30

  57. 4. Using a Beacon Using Beacon randomness (if I trust the beacon) (some simplifications for presentation purpose) Simply getting a practically uniform number in [0 , N − 1] : 19/30

  58. 4. Using a Beacon Using Beacon randomness (if I trust the beacon) (some simplifications for presentation purpose) Simply getting a practically uniform number in [0 , N − 1] : ◮ Just calculate randOut (mod N ), if N < 2 384 19/30

  59. 4. Using a Beacon Using Beacon randomness (if I trust the beacon) (some simplifications for presentation purpose) Simply getting a practically uniform number in [0 , N − 1] : ◮ Just calculate randOut (mod N ), if N < 2 384 If I want future auditability of a randomized operation: 19/30

  60. 4. Using a Beacon Using Beacon randomness (if I trust the beacon) (some simplifications for presentation purpose) Simply getting a practically uniform number in [0 , N − 1] : ◮ Just calculate randOut (mod N ), if N < 2 384 If I want future auditability of a randomized operation: 1. Commit upfront: 2. Derive a seed: 3. Perform the operation: 19/30

  61. 4. Using a Beacon Using Beacon randomness (if I trust the beacon) (some simplifications for presentation purpose) Simply getting a practically uniform number in [0 , N − 1] : ◮ Just calculate randOut (mod N ), if N < 2 384 If I want future auditability of a randomized operation: 1. Commit upfront: publish a statement S that explains my deterministic operation that will use the Beacon randomness (the output value randOut ) from future time t ; 2. Derive a seed: 3. Perform the operation: 19/30

  62. 4. Using a Beacon Using Beacon randomness (if I trust the beacon) (some simplifications for presentation purpose) Simply getting a practically uniform number in [0 , N − 1] : ◮ Just calculate randOut (mod N ), if N < 2 384 If I want future auditability of a randomized operation: 1. Commit upfront: publish a statement S that explains my deterministic operation that will use the Beacon randomness (the output value randOut ) from future time t ; 2. Derive a seed: Get R = randOut [ t ] (from the pulse with timestamp t ), and set the seed as Z = SHA512( S || R ) 3. Perform the operation: 19/30

  63. 4. Using a Beacon Using Beacon randomness (if I trust the beacon) (some simplifications for presentation purpose) Simply getting a practically uniform number in [0 , N − 1] : ◮ Just calculate randOut (mod N ), if N < 2 384 If I want future auditability of a randomized operation: 1. Commit upfront: publish a statement S that explains my deterministic operation that will use the Beacon randomness (the output value randOut ) from future time t ; 2. Derive a seed: Get R = randOut [ t ] (from the pulse with timestamp t ), and set the seed as Z = SHA512( S || R ) 3. Perform the operation: Do what the statement S promised, using Z as the seed for all needed pseudo-randomness. 19/30

  64. 4. Using a Beacon Using Beacon randomness (if I trust the beacon) (some simplifications for presentation purpose) Simply getting a practically uniform number in [0 , N − 1] : ◮ Just calculate randOut (mod N ), if N < 2 384 If I want future auditability of a randomized operation: 1. Commit upfront: publish a statement S that explains my deterministic operation that will use the Beacon randomness (the output value randOut ) from future time t ; 2. Derive a seed: Get R = randOut [ t ] (from the pulse with timestamp t ), and set the seed as Z = SHA512( S || R ) 3. Perform the operation: Do what the statement S promised, using Z as the seed for all needed pseudo-randomness. We defer reference guidance to complementary future documentation 19/30

  65. 4. Using a Beacon Combining Beacons 20/30

  66. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? 20/30

  67. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? ... but trust that two Beacons ( A and B ) will not collude? 20/30

  68. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? ... but trust that two Beacons ( A and B ) will not collude? Desired properties: ◮ A single Beacon cannot bias the output; ◮ Even two colluding beacons cannot fully control the output. 20/30

  69. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? ... but trust that two Beacons ( A and B ) will not collude? Desired properties: ◮ A single Beacon cannot bias the output; ◮ Even two colluding beacons cannot fully control the output. Not good: ◮ R [ t ] = Hash( A [ t ] . randOut || B [ t ] . randOut ) 20/30

  70. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? ... but trust that two Beacons ( A and B ) will not collude? Desired properties: ◮ A single Beacon cannot bias the output; ◮ Even two colluding beacons cannot fully control the output. Not good: ◮ R [ t ] = Hash( A [ t ] . randOut || B [ t ] . randOut ) ( A could wait to know B ’s value) 20/30

  71. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? ... but trust that two Beacons ( A and B ) will not collude? Desired properties: ◮ A single Beacon cannot bias the output; ◮ Even two colluding beacons cannot fully control the output. Not good: ◮ R [ t ] = Hash( A [ t ] . randOut || B [ t ] . randOut ) ( A could wait to know B ’s value) ◮ R [ t ] = Hash( A [ t ] . randLocal || B [ t ] . randLocal ) 20/30

  72. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? ... but trust that two Beacons ( A and B ) will not collude? Desired properties: ◮ A single Beacon cannot bias the output; ◮ Even two colluding beacons cannot fully control the output. Not good: ◮ R [ t ] = Hash( A [ t ] . randOut || B [ t ] . randOut ) ( A could wait to know B ’s value) ◮ R [ t ] = Hash( A [ t ] . randLocal || B [ t ] . randLocal ) ( A & B could force repeating R [ t ]) 20/30

  73. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? ... but trust that two Beacons ( A and B ) will not collude? Desired properties: ◮ A single Beacon cannot bias the output; ◮ Even two colluding beacons cannot fully control the output. Not good: ◮ R [ t ] = Hash( A [ t ] . randOut || B [ t ] . randOut ) ( A could wait to know B ’s value) ◮ R [ t ] = Hash( A [ t ] . randLocal || B [ t ] . randLocal ) ( A & B could force repeating R [ t ]) Solution : get R [ t ] from two randLocal [ t ] and two randOut [ t − π ] values: 20/30

  74. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? ... but trust that two Beacons ( A and B ) will not collude? Desired properties: ◮ A single Beacon cannot bias the output; ◮ Even two colluding beacons cannot fully control the output. Not good: ◮ R [ t ] = Hash( A [ t ] . randOut || B [ t ] . randOut ) ( A could wait to know B ’s value) ◮ R [ t ] = Hash( A [ t ] . randLocal || B [ t ] . randLocal ) ( A & B could force repeating R [ t ]) Solution : get R [ t ] from two randLocal [ t ] and two randOut [ t − π ] values: R [ t ] = Hash( A [ t − π ] . randOut || B [ t − π ] . randOut || A [ t ] . randLocal || B [ t ] . randLocal ) 20/30

  75. 4. Using a Beacon Combining Beacons What Beacon randomness R [ t ] to use if I do not trust any Beacon in isolation? ... but trust that two Beacons ( A and B ) will not collude? Desired properties: ◮ A single Beacon cannot bias the output; ◮ Even two colluding beacons cannot fully control the output. Not good: ◮ R [ t ] = Hash( A [ t ] . randOut || B [ t ] . randOut ) ( A could wait to know B ’s value) ◮ R [ t ] = Hash( A [ t ] . randLocal || B [ t ] . randLocal ) ( A & B could force repeating R [ t ]) Solution : get R [ t ] from two randLocal [ t ] and two randOut [ t − π ] values: R [ t ] = Hash( A [ t − π ] . randOut || B [ t − π ] . randOut || A [ t ] . randLocal || B [ t ] . randLocal ) Also need to check: ◮ reception of A [ t − π ] . randOut and B [ t − π ] . randOut before time T ◮ correctness of standalone pulses: A [ t − π ] , B [ t − π ] , A [ t ] , B [ t ] ◮ hash-chaining (e.g., A [ t ] .out.Prev = A [ t − π ] .randOut ) ◮ pre-commitments (e.g., Hash(A[t]. randLocal ) = A [ t − π ] . preCom ) 20/30

  76. 4. Using a Beacon Some Beacons in development Three countries are developing Beacons to match the current reference: ◮ (United States) NIST Randomness Beacon https://beacon.nist.gov/home United States ◮ (Chile) CLCERT Randomness Beacon https://beacon.clcert.cl/ Brazil ◮ (Brazil) Brazilian Randomness Beacon Chile https://beacon.inmetro.gov.br/ 21/30

  77. 4. Using a Beacon Some Beacons in development Three countries are developing Beacons to match the current reference: ◮ (United States) NIST Randomness Beacon https://beacon.nist.gov/home United States ◮ (Chile) CLCERT Randomness Beacon https://beacon.clcert.cl/ Brazil ◮ (Brazil) Brazilian Randomness Beacon Chile https://beacon.inmetro.gov.br/ We would like others to join 21/30

  78. 4. Using a Beacon Some conceivable applications “ You have been randomly selected for additional screening ” 22/30

  79. 4. Using a Beacon Some conceivable applications “ You have been randomly selected for additional screening ” Example applications: ◮ Select test and control groups for clinical trials ◮ Select random government officials for financial audits ◮ Assign court cases to random judges ◮ Sample random lots for quality-measuring procedures ◮ Provide entropy to digital lotteries 22/30

  80. 4. Using a Beacon Some conceivable applications “ You have been randomly selected for additional screening ” Example applications: ◮ Select test and control groups for clinical trials ◮ Select random government officials for financial audits ◮ Assign court cases to random judges ◮ Sample random lots for quality-measuring procedures ◮ Provide entropy to digital lotteries Some generic goals: ◮ Prevent auditors from biasing selections (or being accused of it) ◮ Prevent auditees from addressing only the items to-be sampled ◮ Enable public verifiability of correct sampling 22/30

  81. 5. Brief security considerations Outline 1. Introduction 2. Pulse format 3. Beacon Protocol 4. Using a Beacon 5. Brief security considerations 6. Conclusion 23/30

  82. 5. Brief security considerations Security against intrusions Security is “easy” in uncompromised scenario! 24/30

Recommend

Breeding Unicorns: Developing Trustworthy and Scalable Randomness Beacons Samvid Dharanikota,

Breeding Unicorns: Developing Trustworthy and Scalable Randomness Beacons Samvid Dharanikota,

@csunivie Breeding Unicorns: Developing Trustworthy and Scalable Randomness Beacons Samvid Dharanikota, Michael Jensen, Sebastian Kristensen, Mathias Michno, Yvonne-Anne Pignolet, Rene Hansen, Stefan Schmid Randomness: An Important Tool of Our

394 views • 35 slides
Protecting Wi-Fi Beacons from Outsider Forgeries Mathy Vanhoef, Prasant Adhikari, and Christina

Protecting Wi-Fi Beacons from Outsider Forgeries Mathy Vanhoef, Prasant Adhikari, and Christina

Protecting Wi-Fi Beacons from Outsider Forgeries Mathy Vanhoef, Prasant Adhikari, and Christina Ppper WiSec, 9 July 2020. Background: beacons Wi-Fi networks use beacons to announce their presence They are sent every ~100 ms by an

713 views • 32 slides
Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn Tillmanns, Jiska Classen, Felix Rohrbach, Matthias Hollick Technische Universitt Darmstadt, Germany ??? 2 How to acquire randomness? A: 42 B: Random

562 views • 32 slides
Beacons 1 Beacon is continuous Bluetooth Low Energy (BLE) transmitter device with unique

Beacons 1 Beacon is continuous Bluetooth Low Energy (BLE) transmitter device with unique

Beacons 1 Beacon is continuous Bluetooth Low Energy (BLE) transmitter device with unique identifier at a known place. 2 The beacons manufacturers BlueCats BlueSense Estimote Gelo Kontact Sonic Notify

972 views • 11 slides
Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University

Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University

Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Baileys ECE 422 Randomness and Pseudorandomness Review Problem:

1.69k views • 33 slides
EDDYSTONE BEACONS: An application for Earthquake Survivors Identification By Jaylen Gregory

EDDYSTONE BEACONS: An application for Earthquake Survivors Identification By Jaylen Gregory

EDDYSTONE BEACONS: An application for Earthquake Survivors Identification By Jaylen Gregory Eddystone Beacons: Results Though we were unable to perform the experiment, we created viable webpage and server that will activate when a survivor

204 views • 8 slides
anytime anywhere with Apsima 1 www.apsima.com Intro to BLE Beacons Micro-location

anytime anywhere with Apsima 1 www.apsima.com Intro to BLE Beacons Micro-location

Stay in touch, anytime anywhere with Apsima 1 www.apsima.com Intro to BLE Beacons Micro-location beacons utilize Bluetooth Low Energy (BLE) to allow any mobile device with enabled Bluetooth 4.0 to know where it is in relation to a

443 views • 28 slides
Abusing Wi-Fi Beacons and Detecting &amp; Preventing Attacks Mathy Vanhoef, Prasant Adhikari, and

Abusing Wi-Fi Beacons and Detecting &amp; Preventing Attacks Mathy Vanhoef, Prasant Adhikari, and

Abusing Wi-Fi Beacons and Detecting &amp; Preventing Attacks Mathy Vanhoef, Prasant Adhikari, and Christina Ppper. With special thanks to various IEEE members. Black Hat Webcast, 17 September 2020. Background: beacons Wi-Fi networks use

798 views • 42 slides
Randomness Some content taken from Silence on the Wire by Michal Zalewski Todays Agenda

Randomness Some content taken from Silence on the Wire by Michal Zalewski Todays Agenda

Randomness Some content taken from Silence on the Wire by Michal Zalewski Todays Agenda Randomness in Private Key Generation Randomness in Election (fraud) Randomness in Coin Flipping What is random? Chosen without method

693 views • 35 slides
NIST Gaithersburgs Approach to a Solar PV Array Project John.R.Bollinger@nist.gov 2 NIST

NIST Gaithersburgs Approach to a Solar PV Array Project John.R.Bollinger@nist.gov 2 NIST

NIST Gaithersburgs Approach to a Solar PV Array Project John.R.Bollinger@nist.gov 2 NIST had awarded larger ESPC ($45M) with 4 ECMs the previous year (June 2015) Non-selected ECM was fixed-tilt, ground-mounted solar array on federal

559 views • 17 slides
Driver Yielding at Traffic Control S ignals, Pedestrian Hybrid Beacons, and Rectangular Rapid

Driver Yielding at Traffic Control S ignals, Pedestrian Hybrid Beacons, and Rectangular Rapid

Driver Yielding at Traffic Control S ignals, Pedestrian Hybrid Beacons, and Rectangular Rapid Flashing Beacons by Kay Fitzpatrick Texas A&amp;M Transportation Institute Traffic Safety Conference, May 13, 2014 Recent Research Efforts

237 views • 21 slides
Randomness and analysis: a tutorial Part I: Randomness notions and almost everywhere theorems

Randomness and analysis: a tutorial Part I: Randomness notions and almost everywhere theorems

Randomness and analysis: a tutorial Part I: Randomness notions and almost everywhere theorems Andr e Nies CCC 2015, Kochel am See 1/1 Di ff erentiability Di ff erentiability of a function f at a real z means that the rate of change

1.19k views • 108 slides
Ben Cousins and Santosh Vempala Georgia Tech The Volume Problem Solution: Use Randomness!

Ben Cousins and Santosh Vempala Georgia Tech The Volume Problem Solution: Use Randomness!

Ben Cousins and Santosh Vempala Georgia Tech The Volume Problem Solution: Use Randomness! Reference Complexity Remarks Dyer, Frieze, and Kannan First polynomial algorithm (89) Lovsz and Simonovits (90) Isoperimetry,

448 views • 17 slides
15-251 Great Theoretical Ideas in Computer Science Lecture 21: Introduction to Randomness and

15-251 Great Theoretical Ideas in Computer Science Lecture 21: Introduction to Randomness and

15-251 Great Theoretical Ideas in Computer Science Lecture 21: Introduction to Randomness and Probability Theory Review April 4th, 2017 Randomness and the Universe Randomness and the Universe Does the universe have true randomness?

693 views • 52 slides
NIST Trustworthy Email Project High Assurance Domain Project Scott Rose, NIST scottr@nist.gov

NIST Trustworthy Email Project High Assurance Domain Project Scott Rose, NIST scottr@nist.gov

NIST Trustworthy Email Project High Assurance Domain Project Scott Rose, NIST scottr@nist.gov ICANN Meeting Oct. 15 th , 2014 Los Angeles CA First, A Bit of History 2011 USG DNSSEC Tiger Team has a 2 nd goal: authenticated email

308 views • 4 slides
Randomness in Computing L ECTURE 1 Randomness in Computing Course information Verifying

Randomness in Computing L ECTURE 1 Randomness in Computing Course information Verifying

Randomness in Computing L ECTURE 1 Randomness in Computing Course information Verifying polynomial identities Probability Amplification Probability Review Sofya Raskhodnikova 1/21/2020 Sofya Raskhodnikova;Randomness in Computing

348 views • 21 slides
Counting Words: Non- Randomness Pre-Processing and Non-Randomness The End Marco Baroni &amp;

Counting Words: Non- Randomness Pre-Processing and Non-Randomness The End Marco Baroni &amp;

Pre-processing and non-randomness Baroni &amp; Evert Pre-Processing Counting Words: Non- Randomness Pre-Processing and Non-Randomness The End Marco Baroni &amp; Stefan Evert M alaga, 11 August 2006 Outline Pre-processing and

879 views • 55 slides
Physical Randomness Extractors Kai-Min Chung Academia Sinica, Taiwan Xiaodi Wu Yaoyun Shi

Physical Randomness Extractors Kai-Min Chung Academia Sinica, Taiwan Xiaodi Wu Yaoyun Shi

Physical Randomness Extractors Kai-Min Chung Academia Sinica, Taiwan Xiaodi Wu Yaoyun Shi MIT/UC Berkeley University of Michigan Presented in QIP14 as plenary talk (joint with [MS14]) 1 Randomness Randomness is a vital resource

391 views • 17 slides
How can SACRES transform schools to become beacons of HOPE? Thank you for inviting me here to

How can SACRES transform schools to become beacons of HOPE? Thank you for inviting me here to

NASACRE Conference 22-05-2019 Cohesive Communities and Effective Partnerships RE near and far. How can SACRES transform schools to become beacons of HOPE? Thank you for inviting me here to address you today. I would like to start with

382 views • 13 slides
Algorithmic randomness Cuny logic worshop Benoit Monin - LACL - Universit e Paris-Est Cr

Algorithmic randomness Cuny logic worshop Benoit Monin - LACL - Universit e Paris-Est Cr

Algorithmic randomness Beyond arithmetic Higher randomness ITTM and randomness Algorithmic randomness Cuny logic worshop Benoit Monin - LACL - Universit e Paris-Est Cr eteil 5 May 2017 Algorithmic randomness Beyond arithmetic Higher

771 views • 64 slides
BEACONS BEACH IMPROVEMENTS 18-185 Design Review October 15, 2018 1 WELCOME WEL COME AND

BEACONS BEACH IMPROVEMENTS 18-185 Design Review October 15, 2018 1 WELCOME WEL COME AND

BEACONS BEACH IMPROVEMENTS 18-185 Design Review October 15, 2018 1 WELCOME WEL COME AND AND INTR INTRODUC ODUCTIO TIONS Facilitator Jerry Harmon City of Encinitas Brenda Wisneski, Development Services Director Ed

921 views • 45 slides
Federal Computer Security Managers Forum Meeting September 10, 2018 NIST Gaithersburg NIST

Federal Computer Security Managers Forum Meeting September 10, 2018 NIST Gaithersburg NIST

Federal Computer Security Managers Forum Meeting September 10, 2018 NIST Gaithersburg NIST Heritage Room NIST Building 101 Ground Floor Map FCSM Quarterly Meeting Overview| 2 NIST Building 101 Ground Floor Map Stairs to Outside and

664 views • 11 slides
Randomness in C 2 and Pluripotential Theory Randomness in C 2 and Pluripotential Theory Outline 1

Randomness in C 2 and Pluripotential Theory Randomness in C 2 and Pluripotential Theory Outline 1

Randomness in C 2 and Pluripotential Theory Randomness in C 2 and Pluripotential Theory Outline 1 Zeros of univariate random polynomials p : C C and potential theory; recent results of Bloom-Dauvergne 2 Random polynomials p : C 2 C and

585 views • 42 slides
Randomness Dependent Randomness Dependent Message Security g y Eleanor Birrell Kai

Randomness Dependent Randomness Dependent Message Security g y Eleanor Birrell Kai

Randomness Dependent Randomness Dependent Message Security g y Eleanor Birrell Kai Min Chung Rafael Pass Sidharth Telang Public key Encryption Public key Encryption Goal: l (pk,sk) Gen c = Enc(pk,m) E ( k ) Dec(sk,c) = m

638 views • 40 slides

More recommend