Post on 05-Jan-2016
description
A Verifiable Random Beacon
Luis von AhnCarnegie Mellon University
A Random Beacon…
A Random Beacon continually emits random integers 1 i k regularly spaced apart in time.
7 3 11 1 2 9
A Random Beacon…
All integers emitted by the Beacon are time-stamped and signed.
S(7,t) S(3,t+) S(11,t+2)
We will assume that the Beacon is trusted: nobody knows or can predict in advance the value of the next integer (Not even the owner of the Beacon).
A Random Beacon…
Applications:Lotteries
Applications: Contract Signing
Alice and Bob negotiate a contract C.
If Alice signs C and sends it to Bob, then he can delay the return of his signature. During this time Alice is committed to C but Bob is not.
This problem is usually solved using a trusted third party
Applications: Contract Signing
Using a Random Beacon, Alice and Bob can sign a contract with a very small probability of being able to cheat.
Rabin ‘83
Contract Signing with a Beacon
If for some Beacon message M, Bob can produce
then I, Alice, will be committed to C.
Signed Alice.
(C, M) signed by Alice
M signed by Beacon
and
If for some Beacon message M, Alice can produce
then I, Bob, will be committed to C.
Signed Bob.
(C, M) signed by Bob
M signed by Beacon
and
Alice BobChoose a
(future) time t
tChoose 1 i k
i
SAlice(C, (i,t))
SBob(C, (i,t))
Contract Signing with a BeaconIf for some Beacon message M, Alice can produce
then I, Bob, will be committed to C.
Signed Bob.
(C, M) signed by Bob
M signed by Beacon
and
C takes effect if the pair (i,t) matches a Beacon message
Alice BobChoose a
(future) time t
tChoose 1 i k
i
SAlice(C, (i,t))
SBob(C, (i,t))
Contract Signing with a BeaconAlice and Bob iterate this procedure >> k times
Alice BobChoose a
(future) time t
tChoose 1 i k
i
SAlice(C, (i,t))
SBob(C, (i,t))
Contract Signing with a Beaconw.h.p. some pair (i,t) matches a beacon message
Alice BobChoose a
(future) time t
tChoose 1 i k
i
SAlice(C, (i,t))
SBob(C, (i,t))
Contract Signing with a BeaconThe probability of Bob being able to cheat is 1/k
How is this better than the regular trusted party solution?
Contract Signing with a Beacon
Applications: Fuhrman Buster
Bennett ‘97
Mark Fuhrman, a detective in the OJ Simpson case, was accused of presenting modified tapes of the crime scene to the court.
The Fuhrman Buster is a video camera that prevents anybody from introducing modified tapes to court.
Fuhrman Busting with a Beacon
Repository
Beacon
Fuhrman Buster
Crime Scene
hash
This prevents pre-recordings, as well as post-editings!
Other Applications?
We want to build a Random Beacon here at CMU!
Get truly random bits
Broadcast them
Convince everybody that we should be trusted
To do…
$$$ Win the lottery $$$
www.lavarand.sgi.com
SGI has a random beacon.
Their random numbers come from lava lamps.
Bits from Pulsars
Nobody knows how to predict the amplitude of the next pulse.
On Off
We can output 1 if the measured amplitude is above the median and 0 if it
is below.
Get truly random bits
Broadcast them
Convince everybody that we should be trusted
To do…
$$$ Win the lottery $$$
Get truly random bits
Broadcast them
Convince everybody that we should be trusted
To do…
$$$ Win the lottery $$$
www.lavarand.sgi.com
They convince us to trust them by showing a live picture of the lamp that generates the bits.
It is hard to convince people to trust you
Lavarand + Fuhrman Buster
Though this appears circular, the idea is not totally out the question.
Get truly random bits
Broadcast them
Convince everybody that we should be trusted
To do…
$$$ Win the lottery $$$
Some pulsars can be seen from anywhere in the northern hemisphere
Bits from Pulsars
If we get our bits from pulsars, others can see that we are outputting the right bits!
B0329+54
A Verifiable Random Beacon
We will convince people to trust us by getting our random bits in a way that:
others can verify that we are not modifying the stream
Wait a Second…
Measurement Error: no two measurements of the pulse amplitude will be exactly the same!
This might allow us to win the lottery! If someone disagrees with our measurements, we can always say it was a measurement error.
0010101110001010110
Wait a Second…
Measurement Error: no two measurements of the pulse amplitude will be exactly the same!
This might allow us to win the lottery! If someone disagrees with our measurements, we can always say it was a measurement error.
0010101110001010110
Wait a Second…
Measurement Error: no two measurements of the pulse amplitude will be exactly the same!
This might allow us to win the lottery! If someone disagrees with our measurements, we can always say it was a measurement error.
0001101110001010111
But we want to be trusted, so we want to find a way in which our bits always agree with the verifier’s bits.
A and B are chosen uniformly from {0,1}n
A and B are highly correlated: Pr(Ai Bi)
Pr( h(A) h(B) )
We want h:{0,1}n {0,1} balanced such that
Ke Yang: If A and B are chosen uniformly
from {0,1}n and Pr(Ai Bi) then for all
balanced h:{0,1}n {0,1}, we have
Pr( h(A) h(B) )
According to this, our best bet is to make as small as possible.
But there is hope…
It is not true that the owner of the beacon can change whichever bit she wants
Ideas are welcome