sloth, unicorn, and trx

Why delay functions

  • Uncontestable randomness
  • We need randomness values that are:
    • Unpredictable
    • Unbiased, even by parties acting before manipulation is no longer possible
  • In some situations, the result doesn't need to be generated immediately
    • so a delay function can be used!

This work

  • Delay functions that can be verified faster
  • Longer result generation latency
  • Unbiased result

Our work

  • Verifiable Delay functions
  • Shorter result generation latency
  • Unpredictable result

Unpredictable vs Unbiased

  • There is a subtle difference between the security properties we can consider for randomness generation
  • Unpredictable:
    Probability of guessing the output is negligible
  • Unbiased:
    Advantage of guessing the binary encoding of the output is negligible
  • The latter is a stronger security guarantee

VDF as random oracle? 

  • It would be great if we could treat a VDF as a random oracle, as we do with strong hash functions
  • But no, they are often far from it
  • From unpredictability alone, we can only derive that if the input entropy is \(\lambda\), the output entropy is \(\omega(\log \lambda)\)
  • Which is a very weak bound
  • With such high entropy loss, chaining VDFs becomes a problem
  • But a permutation VDF preserves entropy!

A random zoo

  • sloth:
    • a delay function that can be verified faster than it is evaluated
  • unicorn:
    • a public randomness generation scheme utilizing sloth
  • trx (t-rex):
    • an elliptic curve parameter generator using unicorn


  • naive thought: hash \(T\) times, and provide \(n\) checkpoints so that verification is \(n\) times faster with parallelism
    • not fast enough


  • Let \(p \equiv 3 \pmod 4\)
  • In \(F_p^\times\), exactly one of \(x, -x\) has two square roots \(y, -y\)
    • Let \(x\) be the one with square roots
    • Let \(y\) be the root with even canonical lift
  • Let \(\rho(x)=y\), \(\rho(-x)=-y\)
    • \(\rho\) is a permutation on \(F_p^\times\)


  • Basically, \(\rho\) is a discrete square root function
    • The fastest known algorithm takes \(\log p - 2\) unparallelizable squarings
    • But verifying only takes one squaring!
  • So if \(p\) is about \(k\) bits, evaluating costs about \(O(k^2)\) and verifying about \(O(k)\)
  • However, \(k\) would have to be very large to get a sufficient delay
    • problems generating such a large prime
    • multiplication cost issue


  • Use a smaller \(k\), but \(l\) rounds
    • still a permutation!
  • Verification can be made a further \(n\) times faster with checkpoints and parallelism
  • problem: \(w=\rho^l(x)\) is a root of \(x^{2^l} - w = 0\)
    • A shortcut is available because the algebraic structure is preserved across iterations


  • Add a simple permutation between iterations, cheap to compute both forwards and backwards, to destroy the algebraic structure
    • That is, use \(\tau = \rho \circ \sigma\), where \(\sigma\) is the chosen permutation
  • Choice of \(\sigma\):
    • Neighbor swapping
    • Binary permutations (block ciphers)
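The construction on the last few slides, as an added toy example (not the slides' or the sloth paper's code): the square-root permutation \(\rho\) over \(F_p^\times\) with \(p \equiv 3 \pmod 4\) and the even-lift rule, a cheap self-inverse \(\sigma\) (a low-bit flip, assumed here as a simplified stand-in for the paper's neighbor swapping), \(l\) rounds of \(\tau = \rho \circ \sigma\), and verification that walks back with single squarings. The prime is a constructed toy value; real sloth uses primes of thousands of bits.

```python
# Toy sloth: rho = discrete square root with even canonical lift, sigma = bit flip.
P = 1000003          # constructed toy prime with P % 4 == 3 (not a real parameter)
assert P % 4 == 3

def rho(x, p):
    """Square-root permutation on F_p^x (p = 3 mod 4).
    Exactly one of x, -x is a quadratic residue; call it x' with roots y, -y where
    y is the root whose canonical lift in [0, p) is even.  rho(x') = y, rho(-x') = -y."""
    x %= p
    if x == 0:
        raise ValueError("rho is only defined on F_p^x")
    is_qr = pow(x, (p - 1) // 2, p) == 1      # Euler's criterion
    base = x if is_qr else p - x              # the residue among {x, -x}
    y = pow(base, (p + 1) // 4, p)            # a square root of base, since p = 3 mod 4
    if y % 2 == 1:
        y = p - y                             # choose the root with even lift
    return y if is_qr else p - y

def rho_inv(w, p):
    """Inverse of rho: one squaring plus a sign, vs ~log2(p) squarings for rho.
    Even w means w = y (so w^2 = x); odd w means w = -y (so w^2 = -x)."""
    sq = w * w % p
    return sq if w % 2 == 0 else p - sq

def sigma(x, p):
    """Cheap self-inverse permutation of F_p^x that breaks the algebraic structure
    between rounds (assumed stand-in for neighbor swapping).  x pairs with x ^ 1;
    1 and p-1, whose partners 0 and p fall outside [1, p-1], are fixed points."""
    y = x ^ 1
    return y if 1 <= y <= p - 1 else x

def sloth(x, p, rounds):
    """Evaluate tau^rounds with tau = rho o sigma: `rounds` sequential square roots."""
    for _ in range(rounds):
        x = rho(sigma(x, p), p)
    return x

def sloth_verify(x, w, p, rounds):
    """Walk back from the claimed output w with `rounds` squarings; accept iff we reach x."""
    for _ in range(rounds):
        w = sigma(rho_inv(w, p), p)
    return w == x

if __name__ == "__main__":
    seed, rounds = 123456, 20
    out = sloth(seed, P, rounds)
    print("sloth output:", out, "verified:", sloth_verify(seed, out, P, rounds))
```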


  • public randomness generation, just like our work
  • uses tweets with a hashtag and a photo
  • timeline \(t_{-2} \sim t_2\):
    • \(t_{-2}\): event announced, publish \(t_{-1}, t_0\), and the hashtag
    • \(t_{-1}\): contribution phase starts
    • \(t_0\): contribution phase ends
    • \(t_1\): result announced
    • \(t_2\): all verifications could be done


  • Contributors contribute a string \(s_i\)
  • Concatenate the \(s_i\) into \(s_0\)
  • At \(t_0\) the server generates \(s_1\) (using a photo taken at that moment is proposed) and concatenates \(s_0, s_1\) into \(s\)
  • Commit to \(h(s)\) at \(t_0\)
  • Compute \(g = sloth(s)\) as the result
  • Publish the result and reveal the commitment


  • Assume \(h\) and \(\sigma\) are a random function and a random permutation in the Random Oracle Model
  • Limit the attacker to \(q\) oracle queries
  • For any binary encoding \(b\), the probability that the attacker can force \(b(g)=1\) is less than

    \[\frac{2q+|b^{-1}(\{1\})|}{2^{2k}} + \frac{q+\epsilon l q (p-1)}{p-1-q}\]

    where \(\epsilon=O(p^{\frac{1}{2}})\)


  • trustworthy random elliptic curves service
  • Cryptographic parameters like those of elliptic curves are hard to generate, so a fixed set is used
  • What if they were designed with a backdoor, or are already broken, but this has not been revealed publicly?
  • Use unicorn as a generator of elliptic curve parameters that is constantly running
  • http://trx.epfl.ch/index.php


  • VDFs are a rapidly developing field in recent years
    • most of them are constructed from groups of unknown order
  • A common public source of randomness can be very useful
    • currently: the NIST randomness beacon
    • what if NIST is corrupted?
  • What is a reasonable threat model? Can you really trust no one after using VDF beacons?
  • https://vdfresearch.org


