A Verifiable Random Beacon Luis von Ahn Carnegie Mellon University
A Random Beacon… A Random Beacon continually emits random integers $1 \le i \le k$ regularly spaced apart in time. 7 3 11 1 2 9
A Random Beacon… All integers emitted by the Beacon are time-stamped and signed. S(7,t) S(3,t+) S(11,t+2)
A Random Beacon… We will assume that the Beacon is trusted: nobody knows or can predict in advance the value of the next integer (Not even the owner of the Beacon).
Applications: Lotteries
Applications: Contract Signing. Alice and Bob negotiate a contract C. If Alice signs C and sends it to Bob, then he can delay the return of his signature. During this time Alice is committed to C but Bob is not. This problem is usually solved using a trusted third party.
Applications: Contract Signing. Using a Random Beacon, Alice and Bob can sign a contract with a very small probability of being able to cheat. (Rabin ’83)
Contract Signing with a Beacon. Alice's statement: "If for some Beacon message M, Bob can produce M signed by Beacon and (C, M) signed by Alice, then I, Alice, will be committed to C. Signed Alice." Bob's statement: "If for some Beacon message M, Alice can produce M signed by Beacon and (C, M) signed by Bob, then I, Bob, will be committed to C. Signed Bob."
Contract Signing with a Beacon. Alice: choose a (future) time $t$. Bob: choose $1 \le i \le k$. Messages shown between Alice and Bob: $t$; $i$; $S_{\text{Alice}}(C,(i,t))$; $S_{\text{Bob}}(C,(i,t))$. C takes effect if the pair $(i,t)$ matches a Beacon message.
Contract Signing with a Beacon. Alice and Bob iterate this procedure >> k times.
Contract Signing with a Beacon. W.h.p. some pair $(i,t)$ matches a Beacon message.
Contract Signing with a Beacon. The probability of Bob being able to cheat is $1/k$.
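The exchange above as a simulation, added here as an illustration and not part of the original slides: it plays the rounds with Bob either honest or withholding his signature, and estimates how often each outcome occurs. HMAC stands in for real signatures, a seeded PRNG stands in for the Beacon's unpredictable source, and all names (`Beacon`, `run`, `cheat_rate`, `honest_rate`) and keys are assumptions of this sketch.

```python
import hashlib, hmac, random

def sign(key, *fields):
    # HMAC stand-in for a signature (assumption; a real beacon uses public-key signatures)
    return hmac.new(key, repr(fields).encode(), hashlib.sha256).digest()

class Beacon:
    """Emits a signed integer 1 <= i <= k for each time slot t."""
    def __init__(self, k, rng, key=b"constructed-beacon-key"):
        self.k, self.rng, self.key, self.log = k, rng, key, {}

    def emit(self, t):
        i = self.rng.randint(1, self.k)
        self.log[t] = (i, sign(self.key, i, t))

def committed(beacon, signer_key, contract, i, t, sig):
    """sig binds its signer iff it is valid on (C, (i, t)) and the beacon emitted i at time t."""
    emitted = beacon.log.get(t)
    return (emitted is not None and emitted[0] == i
            and hmac.compare_digest(emitted[1], sign(beacon.key, i, t))
            and hmac.compare_digest(sig, sign(signer_key, contract, i, t)))

def run(k, rounds, rng, bob_stops_at=None):
    """Returns (alice_bound, bob_bound). Bob withholds his signature in round bob_stops_at."""
    beacon, ka, kb, C = Beacon(k, rng), b"alice-key", b"bob-key", "contract C"
    alice_bound = bob_bound = False
    for r in range(rounds):
        t = r                      # Alice: a future beacon slot
        i = rng.randint(1, k)      # Bob: his choice of 1 <= i <= k
        sa = sign(ka, C, i, t)     # Alice -> Bob: S_Alice(C, (i, t))
        sb = None if r == bob_stops_at else sign(kb, C, i, t)  # Bob -> Alice
        beacon.emit(t)             # the slot-t value appears only after the exchange
        alice_bound = committed(beacon, ka, C, i, t, sa)
        bob_bound = sb is not None and committed(beacon, kb, C, i, t, sb)
        if alice_bound or sb is None:
            break                  # contract in effect, or Alice stops after Bob's refusal
    return alice_bound, bob_bound

def cheat_rate(k, trials=20000, seed=1):
    """Fraction of runs in which Bob binds Alice without being bound himself."""
    rng = random.Random(seed)
    return sum(run(k, 1, rng, bob_stops_at=0) == (True, False) for _ in range(trials)) / trials

def honest_rate(k, rounds, trials=2000, seed=2):
    """Fraction of honest runs in which some (i, t) matched and both parties are bound."""
    rng = random.Random(seed)
    return sum(run(k, rounds, rng) == (True, True) for _ in range(trials)) / trials

if __name__ == "__main__":
    print(cheat_rate(10), honest_rate(10, 100))
```

With k = 10 the cheating estimate sits near 1/k, while 100 honest rounds end with both parties bound in almost every run.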
Contract Signing with a Beacon How is this better than the regular trusted party solution?
Applications: Fuhrman Buster. Mark Fuhrman, a detective in the OJ Simpson case, was accused of presenting modified tapes of the crime scene to the court. The Fuhrman Buster is a video camera that prevents anybody from introducing modified tapes to court. (Bennett ’97)
Fuhrman Busting with a Beacon. [Diagram labels: Beacon, Crime Scene, Fuhrman Buster, hash, Repository.] This prevents pre-recordings, as well as post-editings!
To do… (1) Get truly random bits. (2) Broadcast them. (3) Convince everybody that we should be trusted. (4) $$$ Win the lottery $$$
www.lavarand.sgi.com SGI has a random beacon. Their random numbers come from lava lamps.
Bits from Pulsars. [Figure labels: On, Off.] Nobody knows how to predict the amplitude of the next pulse. We can output 1 if the measured amplitude is above the median and 0 if it is below.
www.lavarand.sgi.com They convince us to trust them by showing a live picture of the lamp that generates the bits.
Lavarand + Fuhrman Buster. Though this appears circular, the idea is not totally out of the question.
Bits from Pulsars. [Figure label: B0329+54.] Some pulsars can be seen from anywhere in the northern hemisphere. If we get our bits from pulsars, others can see that we are outputting the right bits!
A Verifiable Random Beacon. We will convince people to trust us by getting our random bits in a way that others can verify that we are not modifying the stream.
Wait a Second… Measurement Error: no two measurements of the pulse amplitude will be exactly the same! Bit strings shown on the slide: 0010101110001010110 and 0001101110001010111. This might allow us to win the lottery! If someone disagrees with our measurements, we can always say it was a measurement error.
But we want to be trusted, so we want to find a way in which our bits always agree with the verifier’s bits. A and B are chosen uniformly from $\{0,1\}^n$. A and B are highly correlated: $\Pr(A_i \ne B_i) = \varepsilon$. We want $h:\{0,1\}^n \to \{0,1\}$ balanced such that $\Pr(h(A) \ne h(B)) < \varepsilon$.
Ke Yang: If A and B are chosen uniformly from $\{0,1\}^n$ and $\Pr(A_i \ne B_i) = \varepsilon$, then for all balanced $h:\{0,1\}^n \to \{0,1\}$, we have $\Pr(h(A) \ne h(B)) \ge \varepsilon$. According to this, our best bet is to make  as small as possible.
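The bound can be checked exhaustively for small n. The following is an added example, not part of the original slides: it enumerates every balanced h on 3 bits and computes the exact disagreement probability, assuming each bit of B differs from A independently with probability ε (the slides state only the per-bit probability). Function names are illustrative.

```python
from itertools import combinations

def disagreement(h, n, eps):
    """Exact Pr(h(A) != h(B)): A uniform on {0,1}^n, each B_i != A_i independently w.p. eps."""
    total = 0.0
    for a in range(2 ** n):
        for b in range(2 ** n):
            if h[a] != h[b]:
                d = bin(a ^ b).count("1")          # positions where A and B differ
                total += eps ** d * (1 - eps) ** (n - d) / 2 ** n
    return total

def balanced_functions(n):
    """Every h: {0,1}^n -> {0,1} that outputs 1 on exactly half of its inputs (truth tables)."""
    size = 2 ** n
    for ones in combinations(range(size), size // 2):
        chosen = set(ones)
        yield tuple(int(x in chosen) for x in range(size))

def best_balanced(n, eps):
    """Smallest disagreement over all balanced h, with one h that attains it."""
    return min((disagreement(h, n, eps), h) for h in balanced_functions(n))

def single_bit(n, j=0):
    """h(x) = x_j: output one measured bit unchanged."""
    return tuple((x >> j) & 1 for x in range(2 ** n))

def majority(n):
    """h(x) = 1 iff more than half of the n bits are 1 (n odd)."""
    return tuple(int(bin(x).count("1") * 2 > n) for x in range(2 ** n))

def relevant_bits(h, n):
    """Indices j whose flip can change h somewhere."""
    return [j for j in range(n) if any(h[x] != h[x ^ (1 << j)] for x in range(2 ** n))]

if __name__ == "__main__":
    n, eps = 3, 0.1
    value, h = best_balanced(n, eps)
    print("best balanced h:", round(value, 6), "depends on bits", relevant_bits(h, n))
    print("single bit:", round(disagreement(single_bit(n), n, eps), 6))
    print("majority:  ", round(disagreement(majority(n), n, eps), 6))
```

For n = 3 and ε = 0.1, no balanced h gets below ε, the minimum is reached by a function of a single bit, and majority voting over the three bits does worse (0.136).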
But there is hope… It is not true that the owner of the beacon can change whichever bit she wants