TRUST, AND PUBLIC ENTROPY: A UNICORN HUNT, Arjen K. Lenstra and Benjamin Wesolowski (PowerPoint presentation)

SLIDE 1

TRUST, AND PUBLIC ENTROPY: A UNICORN HUNT

Arjen K. Lenstra and Benjamin Wesolowski

SLIDE 2

WHAT IS PUBLIC RANDOMNESS

And what is it good for?

SLIDE 3

ELEMENTARY EXAMPLES

➤ National lotteries
➤ Sporting event draws
➤ Tie breaking in elections

Totally based on randomness (presumably), and huge amounts of money or power at stake

SLIDE 4

A TOOL FOR DEMOCRACY

First known democracy in the world, in Athens: legislative and judicial power distributed to assemblies of randomly selected citizens. This requires a secure random sampling procedure that every sceptical citizen can trust and verify.

SLIDE 5

(figure: random beacon = public stream of random numbers)

TRANSACTION PROTECTION BY BEACONS

  • M. O. Rabin. Transaction protection by beacons. Journal of Computer and System Sciences, 27(2):256-267, 1983.

Introduces the notion of random beacon: A random beacon is an online service broadcasting (allegedly) unpredictable random numbers at regular intervals (say, every minute)

(figure: a beacon broadcasting the bit stream …00111100010101)

SLIDE 6

TRANSACTION PROTECTION BY BEACONS

A few applications of trustworthy public randomness:

➤ transaction protocols: fair contract signing, confidential disclosure, mail certification
➤ choice of standard parameters: standard elliptic curves, constants in S-Boxes or round constants in hash algorithms…
➤ random challenges for cryptographic elections
➤ smart contracts in crypto-currencies: secure lotteries, non-interactive cut-and-choose protocols…
➤ preventing selfish mining in crypto-currencies

SLIDE 7

GENERATING PUBLIC RANDOMNESS

Can you trust someone else’s entropy?

SLIDE 8

THE (GOOD?) OLD WAY

a kleroterion

SLIDE 9

2600 YEARS LATER

Can the security be upgraded?…

SLIDE 10

USING WIDELY ACCESSIBLE ENTROPY

  • J. Clark and U. Hengartner. On the use of financial data as a random beacon. USENIX EVT/WOTE, 2010.

Easy to imagine that financial exchanges could subtly adjust the prices they announce to bias the “random” output

SLIDE 11

COMBINING LOTTERIES

(figure: results of national lotteries around the world in February 2016 → seed → public deterministic procedure, published in January 2016 → elliptic curve)

The Million Dollar Curve

http://cryptoexperts.github.io/million-dollar-curve/, CryptoExperts

SLIDE 12

COMBINING LOTTERIES

➤ Cannot produce a regular stream of numbers like a beacon (not a problem for their application)
➤ Last draw attack
➤ Again, you have to trust some third party…

http://www.businesspundit.com/5-of-the-biggest-lottery-scandals/

SLIDE 13

THE NIST RANDOM BEACON

➤ 512 random bits per minute
➤ generated based on quantum mechanical phenomena, “true randomness”
➤ No proof that the numbers are properly generated can be provided

SLIDE 14

Can we get rid of the trust assumptions, in favor of computational assumptions?

SLIDES 15-22

BITCOIN ENTROPY

The Bitcoin blockchain

(figure, built up one block per slide: pending transactions 64465734, 68775763, 36457740, 09436663, 00924221, 88445551; block 1 holds transactions 86797810 and previous hash 00000000 and has hash 00004339; block 2 holds transactions 45364536 and previous hash 00004339 and has hash 00007522; block 3 holds transactions 00119427 and previous hash 00007522 and has hash 00001294)

SLIDE 23

BITCOIN ENTROPY

(figure: pending transactions 64465734, 68775763, 36457740, 09436663, 00924221, 88445551; block with transactions 86797810, previous hash 00000000, hash 00004339)

Finding such that starts with enough leading zeros is called mining, performed by miners, who get a reward when they find a valid block

SLIDE 24

BITCOIN ENTROPY

(figure: pending transactions 64465734, 68775763, 36457740, 09436663, 00924221, 88445551; block with transactions 86797810, previous hash 00000000, hash 00004339)

Idea: use 4339 as a random number

Protocol is decentralised, mining is costly. Should render manipulations difficult. How difficult?

SLIDE 25

BITCOIN ENTROPY

(figure: pending transactions 64465734, 68775763, 36457740, 09436663, 00924221, 88445551; block with transactions 86797810, previous hash 00000000, hash 00004339)

Idea: use 4339 as a random number

Problem: groups of colluding miners can bias the output (Antpool and F2Pool each control more than 26%)

If 25% of the miners are colluding, they can bias a coin toss from probability 0.5 to 0.74!

Numbers from Cécile Pierrot and B. W., Malleability of the blockchain’s entropy, to be presented at ArcticCrypt Conference 2016
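To make the mechanism behind this slide concrete, here is an added example (written for this page, not taken from the slides or from the Pierrot and Wesolowski paper). It uses the simplest block-withholding model: a coalition with a fraction q of the hash rate wants the bit taken from the block hash to be 1, discards each of its own blocks whose hash gives 0, and keeps mining. The 0.74 on the slide comes from a stronger strategy in their paper; this model gives 1/(2 - q), i.e. about 0.57 for q = 0.25, and the point is only why "mining is costly" does not by itself make the output unbiasable.

```python
"""Added example (not from the slides): simplest block-withholding model for
biasing one bit taken from a block hash. Model assumptions are stated in the
docstrings; the numbers are not those of Pierrot and Wesolowski."""
import random


def bias_exact(q: float) -> float:
    """Probability that the next accepted block carries the coalition's wanted bit.
    Finds arrive in proportion to hash rate; honest finds (share 1 - q) are published
    with either bit, coalition finds only when favorable, so
        P(favorable) = 0.5 / (0.5 + 0.5 * (1 - q)) = 1 / (2 - q)."""
    return 1.0 / (2.0 - q)


def expected_forfeits(q: float) -> float:
    """Expected number of coalition blocks (and rewards) thrown away per accepted
    block: each find is discarded with probability q / 2, so the geometric count is
        (q / 2) / (1 - q / 2) = q / (2 - q).  This is the price paid for the bias."""
    return q / (2.0 - q)


def bias_monte_carlo(q: float, trials: int, seed: int = 0) -> float:
    """Simulate `trials` accepted blocks with a seeded RNG and return the observed
    fraction whose bit equals the coalition's wanted value (1)."""
    rng = random.Random(seed)
    favorable = 0
    for _ in range(trials):
        while True:
            finder_is_coalition = rng.random() < q
            bit = rng.getrandbits(1)            # lowest bit of the block hash
            if finder_is_coalition and bit == 0:
                continue                        # withheld; the coalition keeps mining
            favorable += bit
            break
    return favorable / trials


if __name__ == "__main__":
    for q in (0.0, 0.10, 0.25, 0.40):
        print(f"q={q:.2f}  exact={bias_exact(q):.3f}  "
              f"simulated={bias_monte_carlo(q, 100_000, seed=1):.3f}  "
              f"forfeited blocks per accepted block={expected_forfeits(q):.3f}")
```

The bias grows smoothly with q; there is no threshold below which the output is unbiased, and the cost to the coalition (about 0.14 forfeited blocks per accepted block at q = 0.25) is small next to a large lottery at stake.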

SLIDE 26

UNICORN: UNCONTESTABLE RANDOM NUMBERS

  • Arjen Lenstra and B. W. A random zoo: sloth, unicorn and trx. http://eprint.iacr.org/2015/366.

SLIDE 27

UNICORN: UNCONTESTABLE RANDOM NUMBERS

  • 1. Open protocol: anyone is able to take part in the generation process (and it is very easy)
  • 2. Verifiable: anyone can verify everything went right
  • 3. Secure: even if only one single participant is honest (and that can be you, thanks to 1.)

SLIDE 28

UNICORN: UNCONTESTABLE RANDOM NUMBERS

Observation: a number can be fully determined at point in time t, while none of its bits can be known by anyone before time t + Δ, for some delay Δ

(figure: data generated at time t → slow-timed hash (sloth), takes time at least Δ to compute → 34560039, finally found at time t + Δ)

SLIDE 29

UNICORN: UNCONTESTABLE RANDOM NUMBERS

(figure: data generated at time t → slow-timed hash (sloth) → 34560039)

Sloth must be guaranteed to take time at least Δ to compute, irrespective of available parallel resources. Trivial example: SHA-2 iterated millions of times. Better example: sloth, based on square root extractions in finite fields (efficiently verifiable, with only some squarings).

SLIDE 30

UNICORN: UNCONTESTABLE RANDOM NUMBERS

(figure: data generated at time t → slow-timed hash (sloth) → 34560039)

➤ Latest news at time t, weather data, stock values, latest output of the NIST beacon
➤ Screenshot of a public online bulletin board
➤ Latest tweets containing the hashtag #unicorn

By sending a tweet at the right moment, you are guaranteed nobody knew before time t

SLIDE 31

UNICORN: UNCONTESTABLE RANDOM NUMBERS

(figure: data generated at time t → slow-timed hash (sloth) → 34560039)

At time t, the input of sloth is published, and the computation begins

SLIDE 32

UNICORN: UNCONTESTABLE RANDOM NUMBERS

(figure: data generated at time t → slow-timed hash (sloth) → 34560039)

By sending a tweet at the right moment, you are guaranteed nobody knew before time t

+

sloth takes time Δ to finish

=

not a single bit of is known before t + Δ

SLIDE 33

UNICORN: UNCONTESTABLE RANDOM NUMBERS

(figure: data generated at time t → slow-timed hash (sloth) → 34560039)

not a single bit of is known before t + Δ

+

is fixed (and public) at time t

=

Nobody can willingly bias even a single bit of
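The sloth construction of slide 29 and the unicorn argument of slides 28 to 33 are easiest to see in code. The following is an added example written for this page, not the code from the Lenstra and Wesolowski paper. Assumptions made here: the prime p = 2^127 - 1 (p ≡ 3 mod 4, so a square root is one exponentiation), 2000 rounds, SHA-256 to fold the public input into the seed, and "add one mod p" as the cheap mixing step between square roots (the paper interleaves its own cheap permutation for the same purpose: preventing the whole chain from collapsing into a single modular exponentiation). The operator publishes the public input at time t and starts the slow chain; a sceptic later checks the output with one squaring per round, which is roughly a factor log2(p) cheaper than computing it.

```python
"""Added example: a toy unicorn run on top of a simplified sloth.
Illustration code for this page, not the paper's implementation. The prime,
round count, hash and mixing step are assumptions made here."""
import hashlib
import time

P = (1 << 127) - 1      # Mersenne prime, p = 3 (mod 4): sqrt(x) = x^((p+1)/4)
ROUNDS = 2000           # delay Δ grows linearly in this; kept small for the demo


def is_square(x: int, p: int) -> bool:
    """Euler's criterion: x is 0 or a quadratic residue mod p."""
    return x == 0 or pow(x, (p - 1) // 2, p) == 1


def sloth_round(x: int, p: int) -> int:
    """One slow step: mix, then take a canonical square root.
    Since p = 3 (mod 4), -1 is a non-residue, so exactly one of x', -x' is a
    square. Return the even root of x' if x' is a square, else the odd root of
    -x'. The parity records which case occurred, so the map is a permutation."""
    assert p % 4 == 3
    xp = (x + 1) % p
    if is_square(xp, p):
        r = pow(xp, (p + 1) // 4, p)        # about log2(p) multiplications
        return r if r % 2 == 0 else p - r
    r = pow((-xp) % p, (p + 1) // 4, p)
    return r if r % 2 == 1 else p - r


def sloth_round_inverse(y: int, p: int) -> int:
    """Undo one round with a single squaring: even y came from y^2, odd y from -y^2."""
    xp = (y * y) % p if y % 2 == 0 else (-(y * y)) % p
    return (xp - 1) % p


def sloth(seed: int, p: int, rounds: int) -> int:
    """The slow-timed hash: `rounds` sequential square roots. Each round needs the
    previous result, so extra parallel hardware does not shorten the wall-clock time."""
    x = seed % p
    for _ in range(rounds):
        x = sloth_round(x, p)
    return x


def sloth_verify(seed: int, output: int, p: int, rounds: int) -> bool:
    """Walk the chain backwards with `rounds` squarings and compare with the seed."""
    y = output
    for _ in range(rounds):
        y = sloth_round_inverse(y, p)
    return y == seed % p


def seed_from_public_input(items: list[str]) -> int:
    """Fold the published public input (tweets, headlines, ...) into the sloth seed.
    Length-prefixing each item avoids ambiguity when items are concatenated."""
    h = hashlib.sha256()
    for item in items:
        data = item.encode("utf-8")
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % P


def unicorn_generate(items: list[str], p: int = P, rounds: int = ROUNDS) -> dict:
    """Operator side: at time t publish `items`, then start the slow computation.
    The seed is fixed once `items` is public; the output exists only after Δ."""
    seed = seed_from_public_input(items)
    output = sloth(seed, p, rounds)
    nbytes = (p.bit_length() + 7) // 8
    random_hex = hashlib.sha256(output.to_bytes(nbytes, "big")).hexdigest()
    return {"seed": seed, "output": output, "random": random_hex}


def unicorn_verify(items: list[str], output: int, p: int = P, rounds: int = ROUNDS) -> bool:
    """Sceptic side: recompute the seed from the published input and check the chain."""
    return sloth_verify(seed_from_public_input(items), output, p, rounds)


if __name__ == "__main__":
    # Constructed public input, standing in for the tweets collected at time t.
    public_input = ["@alice 12:00:00 #unicorn 7f3a", "@bob 12:00:01 #unicorn rain today"]
    t0 = time.perf_counter()
    result = unicorn_generate(public_input)
    t1 = time.perf_counter()
    ok = unicorn_verify(public_input, result["output"])
    t2 = time.perf_counter()
    print(f"random = {result['random']}")
    print(f"generate {t1 - t0:.3f}s, verify {t2 - t1:.3f}s, valid = {ok}")
```

Two properties of the slides are visible directly: the seed (and so the output) is fixed the moment the public input is published, and nobody, the operator included, can see any bit of the output before the chain has run; a participant who contributed one item at time t can later verify the run with the cheap backward walk and reject any output that does not lead back to the published input.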

SLIDE 34

DESIGNING A SECURE RANDOM BEACON

Guarantees and constraints

SLIDE 35

TRUSTWORTHY ENTROPY, RATHER THAN TRUSTED ENTROPY

Get rid of the trust assumption: prove to everybody that your random numbers are not manipulated

SLIDE 36

THE TRUMAN SHOW MODEL

A user of a secure beacon may trust nobody but himself

➤ lotteries are rigged
➤ Bitcoin miners are all colluding against him
➤ and with everybody else in the world but him

Yet he should still be able to verify that the output numbers are not manipulated

SLIDE 37

OPEN PUBLIC INPUT

(figure: data generated at time t → slow-timed hash (sloth) → 34560039)

The unicorn protocol needs public input, for people to make sure the data wasn’t known by anyone before t. We argue open public input is necessary in the Truman Show model, in order to fix the random number in time even for the most skeptical users.

SLIDE 38

TIME DELAY

(figure: data generated at time t (1) → slow-timed hash (sloth) → 34560039 (2))

The unicorn protocol suffers a delay in its execution. We also argue that in this model there must be a delay separating the moment where the output is determined (1) and the moment it can be known (2).

SLIDE 39