A random zoo:
sloth, unicorn, and trx
B06902097 howard41436
Why Delay function
Uncontestable randomness
We need randomness values that are:
Unpredictable
Unbiased
(even before the point where manipulation is no longer possible)
In some situations, the result doesn't need to be generated immediately
a delay function can be used!
This work
Delay functions that can be verified faster
Longer result generation latency
Unbiased result
Our work
Verifiable Delay functions
Shorter result generation latency
Unpredictable result
Unpredictable vs Unbiased
There is a slight difference between the security properties we can consider for randomness generation
Unpredictable:
Probability of guessing the output is negligible
Unbiased:
Advantage of guessing the binary encoding of the output is negligible
The latter is a stronger security guarantee
VDF as random oracle?
It would be great if we could treat VDFs as random oracles, as we do with strong hash functions
But no, they are often far from it
From unpredictability, we can only derive that if input entropy is \(\lambda\), output entropy is \(\omega(\log \lambda)\)
Which is a very weak bound
With high entropy loss, there will be problems chaining them
But permutation VDF preserves entropy!
A random zoo
sloth:
a delay function that can be verified faster
unicorn:
a public randomness generation scheme utilizing sloth
trx (t-rex):
an elliptic curve parameter generator using unicorn
Sloth
naive thought: hashing \(T\) times, and providing \(n\) checkpoints so that it can be verified \(n\) times faster with parallelism
not fast enough
Sloth
Let \(p \equiv 3 \mod 4\)
In \(F_p^\times\), exactly one of \(x, -x\) has two square roots \(y, -y\)
Let \(x\) be the one with square roots
Let \(y\) be the one with even canonical lift
Let \(\rho(x)=y, \rho(-x)=-y\)
\(\rho\) is a permutation on \(F_p^\times\)
Sloth
Basically, \(\rho\) is a discrete square root function
Fastest known algorithm takes \(\log p - 2\) unparallelizable squarings
But verifying only takes one!
So if \(p\) is about \(k\) bits, evaluating is about \(O(k^2)\) and verifying about \(O(k)\)
However, \(k\) would have to be very large to have sufficient delay
problems generating the prime
multiplication issue
Sloth
Use smaller \(k\), but \(l\) rounds
still a permutation!
Verification can be made a further \(n\) times faster with checkpoints and parallelism
problem: \(w=\rho^l(x)\) is a root of \(X^{2^l} - x = 0\) (up to sign)
Shortcut is available because algebraic structure preserved through iterations
Sloth
Add a simple permutation to compute forwards and backwards between iterations to destroy the algebraic structure
That is, use \(\tau = \rho \circ \sigma\), where \(\sigma\) is the chosen permutation
Choice of \(\sigma\):
Neighbor swapping
Binary permutations (block ciphers)
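The Sloth construction from the slides above, as an added example that is not code from the deck or from the paper: \(\rho\) picks the even-lift square root of whichever of \(x,-x\) is a residue, \(\sigma\) is the neighbor swap, a round is \(\tau=\rho\circ\sigma\), and verification walks backwards with one squaring per round. The modulus \(2^{127}-1\), the SHA-256 hash-to-field step and the absence of checkpoints are my assumptions for the demo.

```python
import hashlib

# Demo modulus (an assumption, not the paper's parameters): 2^127 - 1 is prime and 3 mod 4.
P = 2**127 - 1


def rho(x: int) -> int:
    """Square-root permutation: the even root of whichever of x, -x is a QR."""
    x %= P
    if x == 0:
        return 0
    is_qr = pow(x, (P - 1) // 2, P) == 1
    y = pow(x if is_qr else (-x) % P, (P + 1) // 4, P)  # ~log2(p) sequential squarings
    if y % 2:
        y = P - y  # choose the root with even canonical lift
    return y if is_qr else (-y) % P


def rho_inv(w: int) -> int:
    """Inverse of rho: one squaring plus a parity check; this is the cheap direction."""
    w %= P
    return w * w % P if w % 2 == 0 else (-(w * w)) % P


def sigma(x: int) -> int:
    """Neighbor swap 2k <-> 2k+1; p-1 has no neighbor and stays fixed. An involution."""
    return x if x == P - 1 else x ^ 1


def hash_to_field(seed: bytes) -> int:
    """Map the contributed string s into F_p (SHA-256 is my choice for the demo)."""
    return int.from_bytes(hashlib.sha256(seed).digest(), "big") % P


def sloth_eval(x: int, rounds: int) -> int:
    """Sequential evaluation: `rounds` applications of tau = rho o sigma."""
    for _ in range(rounds):
        x = rho(sigma(x))
    return x


def sloth_verify(x: int, w: int, rounds: int) -> bool:
    """Walk back from w with the cheap inverse and check we land on x."""
    for _ in range(rounds):
        w = sigma(rho_inv(w))
    return w == x


def sloth(seed: bytes, rounds: int) -> int:
    """g = sloth(s): hash the seed into F_p, then apply the delay."""
    return sloth_eval(hash_to_field(seed), rounds)
```

Because \(\tau\) is a permutation, any output other than the genuine one walks back to a different field element, so the verifier rejects it.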
Unicorn
public randomness generation, just like our work
use tweets with a hashtag and a photo
timeline \(t_{-2} \sim t_2\):
\(t_{-2}\): event announced, publish \(t_{-1}, t_0\), and the hashtag
\(t_{-1}\): contribution phase starts
\(t_0\): contribution phase ends
\(t_1\): result announced
\(t_2\): all verifications could be done
Unicorn
Contributors contribute a string \(s_i\)
Concatenate the \(s_i\) into \(s_0\)
The server generates \(s_1\) at \(t_0\) (using a photo taken at that moment is proposed) and concatenates \(s_0, s_1\) into \(s\)
Commit \(h(s)\) at \(t_0\)
Compute \(g=sloth(s)\) as the result
Publish the result and reveal the commitment
Security
Assume \(h\) is a random function and \(\sigma\) a random permutation (Random Oracle Model)
Limit the attacker to \(q\) oracle queries
For any binary encoding \(b\), the probability the attacker can make \(b(g)=1\) is less than
\[\frac{2q+|b^{-1}(\{1\})|}{2^{2k}} + \frac{q+\epsilon l q(p-1)}{p-1-q}\]
where \(\epsilon=O(p^{\frac{1}{2}})\)
Trx
trustworthy random elliptic curves service
Cryptographic parameters like those of elliptic curves are hard to generate, so a fixed set is used
What if they were designed with a backdoor, or are already broken, but this hasn't been revealed publicly?
Use unicorn as a generator of elliptic curve parameters that is constantly running
http://trx.epfl.ch/index.php
Discussion
VDFs have been a rapidly developing field in recent years
most of them are constructed from groups of unknown order
A common public source of randomness can be very useful
currently: NIST randomness beacon
what if NIST is corrupted?
What is a reasonable threat model? Can you really trust no one after using VDF beacons?
https://vdfresearch.org