A random zoo:
sloth, unicorn, and trx
B06902097 howard41436
Why Delay function
- Uncontestable randomness
- We need randomness values that are:
- Unpredictable
- Unbiased
- i.e. not biasable, even by parties acting while manipulation is still possible
- In some situations, the result doesn't need to be generated immediately
- delay function can be used!
This work
- Delay functions that can be verified faster
- Longer result generation latency
- Unbiased result
Our work
- Verifiable Delay functions
- Shorter result generation latency
- Unpredictable result
Unpredictable vs Unbiased
- There is a subtle difference between the security properties we can consider for randomness generation
- Unpredictable:
- Probability of guessing the output is negligible
- Unbiased:
- Advantage of guessing the binary encoding of the output is negligible
- The latter is a stronger security guarantee
VDF as random oracle?
- It would be great if we could treat a VDF as a random oracle, as we do with strong hash functions
- But no, they are often far from it
- From unpredictability alone, we can only derive that if the input entropy is \(\lambda\), the output entropy is \(\omega(\log \lambda)\)
- Which is a very weak bound
- With such high entropy loss, chaining VDFs causes problems
- But permutation VDF preserves entropy!
A random zoo
- sloth:
- a delay function that can be verified faster than it is evaluated
- unicorn:
- a public randomness generation scheme built on sloth
- trx (t-rex):
- an elliptic curve parameter generator built on unicorn
Sloth
- naive idea: hash \(T\) times and publish \(n\) checkpoints, so that verification is \(n\) times faster with parallelism
- verification is still not fast enough
Sloth
- Let \(p \equiv 3 \mod 4\)
- In \(F_p^\times\), exactly one of \(x, -x\) has two square roots \(y, -y\)
- Let \(x\) be the one with square roots
- Let \(y\) be the one with even canonical lift
- Let \(\rho(x)=y, \rho(-x)=-y\)
- \(\rho\) is a permutation on \(F_p^\times\)
Sloth
- Basically, \(\rho\) is a discrete square root function
- Fastest known algorithm takes \(\log p - 2\) unparallelizable squarings
- But verifying only takes one!
- So if \(p\) is about \(k\) bits, evaluating is about \(O(k^2)\) and verifying about \(O(k)\)
- However, \(k\) would have to be very large to get sufficient delay
- generating such a large prime is a problem
- multiplication of such large numbers is an issue
Sloth
- Use a smaller \(k\), but \(l\) rounds
- still a permutation!
- Verification can be sped up a further \(n\) times with \(n\) checkpoints and parallelism
- problem: \(\rho^l(x)=w\) is the root of \(x^{2^l} - w = 0\)
- A shortcut exists because the algebraic structure is preserved across iterations
Sloth
- Add a simple permutation, cheap to compute forwards and backwards, between iterations to destroy the algebraic structure
- That is, use \(\tau = \rho \circ \sigma\), where \(\sigma\) is the chosen permutation
- Choice of \(\sigma\):
- Neighbor swapping
- Binary permutations (block ciphers)
Unicorn
- public randomness generation, just like our work
- uses tweets carrying a hashtag and a photo
- timeline \(t_{-2} \sim t_2\):
- \(t_{-2}\): event announced, publish \(t_{-1}, t_0\), and the hashtag
- \(t_{-1}\): contribution phase starts
- \(t_0\): contribution phase ends
- \(t_1\): result announced
- \(t_2\): all verifications could be done
Unicorn
- Each contributor \(i\) contributes a string \(s_i\)
- Concatenate the \(s_i\) into \(s_0\)
- At \(t_0\) the server generates \(s_1\) (using a photo taken at that moment is proposed) and concatenates \(s_0, s_1\) into \(s\)
- Commit to \(h(s)\) at \(t_0\)
- Compute \(g=\mathrm{sloth}(s)\) as the result
- Publish the result and reveal the commitment
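As an added example (my own Python, not code from the paper, this deck, or the trx service), here is a toy sloth with the neighbor-swapping permutation and squaring-only verification from the Sloth slides, with the unicorn commit/reveal flow of this slide built on top of it. Assumptions that are mine, not the page's: the prime \(2^{127}-1\) (it is \(\equiv 3 \bmod 4\) but far too small for a real delay), the concrete definition of neighbor swapping, SHA-256 standing in for \(h\), a `|` separator between contributions, and a hash-based map of \(s\) into \(F_p\); all function names are mine.

```python
import hashlib

# Constructed toy parameter: a prime p ≡ 3 (mod 4). 2^127 - 1 is far too small
# for a real delay (the slides need a much larger, specially generated p);
# it only keeps this demo fast.
P = 2**127 - 1
assert P % 4 == 3


def rho(x: int) -> int:
    """Discrete square-root permutation rho on F_p (the slow direction).

    For p ≡ 3 (mod 4), r = x^((p+1)/4) squares to x if x is a square and to -x
    otherwise, so one exponentiation (about log p sequential squarings) decides
    the case. Squares map to their even root, non-squares to minus the even
    root of -x (which is odd), so rho is a bijection on F_p.
    """
    r = pow(x, (P + 1) // 4, P)
    if r * r % P == x:
        return r if r % 2 == 0 else P - r           # even root of x
    assert r * r % P == (P - x) % P                  # r is a root of -x
    even_root = r if r % 2 == 0 else P - r
    return (P - even_root) % P                       # -even_root, odd


def rho_inv(y: int) -> int:
    """Inverse of rho: one squaring, which is why verification is fast."""
    return y * y % P if y % 2 == 0 else (P - y * y % P) % P


def sigma(x: int) -> int:
    """Neighbor swapping: 0<->1, 2<->3, ..., p-3<->p-2, with p-1 fixed.

    Cheap in both directions and an involution, so sigma is its own inverse.
    (This concrete swap is my reading of the slide's 'neighbor swapping'.)
    """
    if x == P - 1:
        return x
    return x + 1 if x % 2 == 0 else x - 1


def tau(x: int) -> int:
    """One sloth round: tau = rho o sigma (sigma is applied first)."""
    return rho(sigma(x))


def tau_inv(w: int) -> int:
    return sigma(rho_inv(w))


def sloth_eval(x: int, rounds: int) -> int:
    """Evaluate tau^rounds(x): `rounds` inherently sequential square roots."""
    for _ in range(rounds):
        x = tau(x)
    return x


def sloth_verify(x: int, w: int, rounds: int) -> bool:
    """Walk back from the claimed output w using squarings only."""
    for _ in range(rounds):
        w = tau_inv(w)
    return w == x


def sloth_eval_checkpoints(x: int, rounds: int, every: int) -> list:
    """Like sloth_eval, but also records every `every`-th intermediate value."""
    assert rounds % every == 0
    cps = [x]
    for i in range(1, rounds + 1):
        x = tau(x)
        if i % every == 0:
            cps.append(x)
    return cps


def sloth_verify_checkpoints(cps: list, every: int) -> bool:
    """Each segment depends only on its two endpoints, so segments are
    independent and could be handed to parallel workers."""
    return all(sloth_verify(a, b, every) for a, b in zip(cps, cps[1:]))


# --- unicorn: commit to the combined input, then sloth it ------------------

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()           # SHA-256 stands in for h


def to_field(s: bytes) -> int:
    """Map the revealed string into F_p (my encoding choice, not the paper's)."""
    return int.from_bytes(h(b"unicorn-input:" + s), "big") % P


def unicorn_commit(contributions: list, s1: bytes, rounds: int):
    """Server side at t_0: s = s_0 || s_1, publish h(s), then compute g.

    Contributions are joined with a separator so each contributor can later
    confirm that their own s_i is present in the revealed s.
    """
    s = b"|".join(contributions) + b"|" + s1
    commitment = h(s)                              # published at t_0
    g = sloth_eval(to_field(s), rounds)            # published at t_1
    return commitment, s, g


def unicorn_verify(commitment: bytes, s: bytes, g: int, rounds: int) -> bool:
    """Anyone at t_2: the reveal matches the commitment and g is sloth of it."""
    return h(s) == commitment and sloth_verify(to_field(s), g, rounds)
```

Evaluation costs one exponentiation of about \(\log p\) squarings per round, while verification costs a single squaring per round, which is the gap the Sloth slides describe; with checkpoints, every segment can be verified independently of the others. The server cannot change \(s\) after publishing \(h(s)\), and the delay means it cannot learn \(g\) before the contribution phase closes either, which is what removes its ability to bias the result.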
Security
- Assume \(h\) and \(\sigma\) are a random function and a random permutation (Random Oracle Model)
- Limit the attacker to \(q\) oracle queries
- For any binary encoding \(b\), the probability that the attacker can force \(b(g)=1\) is less than
\[
\frac{2q+|b^{-1}(\{1\})|}{2^{2k}} + \frac{q+\epsilon l q(p-1)}{p-1-q}
\]
where \(\epsilon=O(p^{\frac{1}{2}})\)
Trx
- trustworthy random elliptic curves service
- Cryptographic parameters like those of elliptic curves are hard to generate, thus a fixed set is used
- What if they were designed with a backdoor, or are already broken, but this has not been revealed publicly?
- Use unicorn as a constantly running generator of elliptic curve parameters
- http://trx.epfl.ch/index.php
Discussion
- VDFs have been a rapidly developing field in recent years
- most constructions are built from groups of unknown order
- A common public source of randomness can be very useful
- currently: NIST randomness beacon
- what if NIST is corrupted?
- What is a reasonable threat model? Can you really trust no one after using VDF beacons?
- https://vdfresearch.org
By Howard Yang