Public randomness, blockchains,
and delay functions
Joseph Bonneau
Chinese University of Hong Kong
Jan 26 2017
End goal: accountable algorithms
Verify that an authority is behaving faithfully
Procedural fairness: “the rules are followed”
Key milestone: verifiable random algorithms
US Diversity Visa (green card) lottery
“During DV season, I double my business. Everybody participates. Even I do.”
--Ethiopian WebCafe owner Tsehay Wondim, as told to the Wall Street Journal
2012 US Diversity Visa lottery bug
When participants submit their records, the computer program assigns a sequential number to each record based on the participant’s region. Subsequently, the selection process uses the sequential numbers to randomly rank-order the participants’ records. CST management decided in November 2010 not to use the commercial off-the-shelf statistics analysis program that it had used successfully for random rank-ordering in numerous previous years. Instead, CST management asked one of its contractors to develop a program. This new computer program had a coding error that produced a nonrandom rankordering and thus failed to meet INA requirements. The program not only selected 98 percent of the applicants from the first two dates of the allowed submission dates, it also selected multiple individuals from the same families.
--OIG investigation report on 2012 DV lottery
Public displays of randomness
Pros: cheap, simple to understand
Cons: difficult to verify (sleight of hand)
high-latency
1980 “Triple Six Fix”, PA state lottery
Balls “6” and “4” weighted with lead
1985 NBA draft lottery
1985: Knicks win rights to Patrick Ewing
2015 Serbian lottery
Five numbers shown
Only 3 balls drawn!
Cryptographic beacons
01010001 01101011 10101000 11110000 10010100
Many Applications: lotteries, auditing, zero-knowledge proofs, cut-and-choose, ...
service to regularly publish random data
Security goals
01010001 01101011 10101000 11110000 10010100
Engineering goals
01010001 01101011 10101000 11110000 10010100
NIST beacon
Pros: high-bandwidth, frequent
quantum-mechanical randomness
Cons: completely centralized
Security goals
01010001 01101011 10101000 11110000 10010100
No trusted parties
Multiparty randomness: commit-reveal
Alice
Bob
Carol
commit(rA,nA)
time
commit(rB,nB)
commit(rC,nC)
t0
t1
rA,nA
rB,nB
rC,nC
R = rA⊕rB⊕rC
R = rA⊕rB⊕rC
R = rA⊕rB⊕rC
Multiparty randomness: commit-reveal
Improvements:
[Andrychowicz et al. 2014]
[Syta et al. 2016]
Security goals
01010001 01101011 10101000 11110000 10010100
distributed?
Natural phenomena
Sun spots
Cosmic background radiation
Weather
Pros: cheap, random, manipulation-resistant
Cons: low-bandwidth, no consensus
Stock prices
Pros: good randomness [6-9 bits/stock]
Cons: high-latency, possible insider attacks
[Clark, Hengartner 2010]
Stock prices can be manipulated...
Bitcoin to the rescue!
Recall: Bitcoin block chain format
trans: H( )
prev: H( )
trans: H( )
prev: H( )
trans: H( )
prev: H( )
H( ) H( )
H( ) H( )
H( ) H( )
transaction
transaction
transaction
transaction
Hash chain of blocks
Hash tree (Merkle tree) of transactions in each block
Recall: Bitcoin block criteria
mrkl_root: H( )
prev: H( )
mrkl_root: H( )
hash: 0x0000
nonce: 0x7a83
prev: H( )
hash:
hash: 0x3485...
hash: 0x6a1f...
nonce: 0x0000...
nonce: 0x0001...
hash: 0xc9c8...
nonce: 0x0002...
hash: 0x300c...
nonce: 0xffff...
hash:
nonce: 0x0000...
hash: 0xd0c7...
nonce: 0x0001...
hash: 0x0224...
hash: 0x0000...
nonce: 0xf77e...
mrkl_root: H( )
prev: H( )
hash:
hash: 0x3485...
hash: 0x6a1f...
nonce: 0x0000...
nonce: 0x0001...
hash: 0xc9c8...
nonce: 0x0002...
hash: 0x300c...
nonce: 0xffff...
hash:
nonce: 0x0000...
hash: 0xd0c7...
nonce: 0x0001...
hash: 0x0224...
hash: 0x0000...
nonce: 0xf77e...
≤ 00000000000000001FB893000000000000000000000000000000000000000000
69+ leading zeroes required...
Hash
Turning the block chain into a beacon
mrkl_root: H( )
prev: H( )
mrkl_root: H( )
hash: 0x0000
nonce: 0x7a83
prev: H( )
hash:
hash: 0x3485...
hash: 0x6a1f...
nonce: 0x0000...
nonce: 0x0001...
hash: 0xc9c8...
nonce: 0x0002...
hash: 0x300c...
nonce: 0xffff...
hash:
nonce: 0x0000...
hash: 0xd0c7...
nonce: 0x0001...
hash: 0x0224...
hash: 0x0000...
nonce: 0xf77e...
mrkl_root: H( )
prev: H( )
hash:
hash: 0x3485...
hash: 0x6a1f...
nonce: 0x0000...
nonce: 0x0001...
hash: 0xc9c8...
nonce: 0x0002...
hash: 0x300c...
nonce: 0xffff...
hash:
nonce: 0x0000...
hash: 0xd0c7...
nonce: 0x0001...
hash: 0x0224...
hash: 0x0000...
nonce: 0xf77e...
Extract
Extract
Extract
01010001 10101000 10010100
70+ bits
Computational min-entropy bound
If you could predict the next nonce with a greater than 2-d probability, you’d have a mining shortcut
Therefore, each valid block has
d bits of computational min-entropy
Currently, d > 70
Assuming miners follow the default protocol
At least one lottery startup
Beacon useful in smart contracts
Is it secure?
No! miners can withhold blocks
Assume rational attacker
Can we bound the cost of manipulation?
Attack model based on bribery
12.5 BTC opportunity cost to suppress a block
Manipulation via Bernoulli trial
To force a beacon outcome with probability p:
Can we extend to multiple rounds?
mrkl_root: H( )
prev: H( )
mrkl_root: H( )
hash: 0x0000
nonce: 0x7a83
prev: H( )
hash:
hash: 0x3485...
hash: 0x6a1f...
nonce: 0x0000...
nonce: 0x0001...
hash: 0xc9c8...
nonce: 0x0002...
hash: 0x300c...
nonce: 0xffff...
hash:
nonce: 0x0000...
hash: 0xd0c7...
nonce: 0x0001...
hash: 0x0224...
hash: 0x0000...
nonce: 0xf77e...
mrkl_root: H( )
prev: H( )
hash:
hash: 0x3485...
hash: 0x6a1f...
nonce: 0x0000...
nonce: 0x0001...
hash: 0xc9c8...
nonce: 0x0002...
hash: 0x300c...
nonce: 0xffff...
hash:
nonce: 0x0000...
hash: 0xd0c7...
nonce: 0x0001...
hash: 0x0224...
hash: 0x0000...
nonce: 0xf77e...
Extract
01010001
Last block is privileged!
Extension via collective coin-flipping
[Ben-Or, Linial 1990]
AND
AND
AND
AND
OR
output
Each block must have
Ω(lg n / n) influence
Problem: blockchains can fork
Block A
Block B
?
Collisions blow up security model
Solution: use a proof-of-delay
mrkl_root: H( )
prev: H( )
mrkl_root: H( )
hash: 0x0000
nonce: 0x7a83
prev: H( )
hash:
hash: 0x3485...
hash: 0x6a1f...
nonce: 0x0000...
nonce: 0x0001...
hash: 0xc9c8...
nonce: 0x0002...
hash: 0x300c...
nonce: 0xffff...
hash:
nonce: 0x0000...
hash: 0xd0c7...
nonce: 0x0001...
hash: 0x0224...
hash: 0x0000...
nonce: 0xf77e...
mrkl_root: H( )
prev: H( )
hash:
hash: 0x3485...
hash: 0x6a1f...
nonce: 0x0000...
nonce: 0x0001...
hash: 0xc9c8...
nonce: 0x0002...
hash: 0x300c...
nonce: 0xffff...
hash:
nonce: 0x0000...
hash: 0xd0c7...
nonce: 0x0001...
hash: 0x0224...
hash: 0x0000...
nonce: 0xf77e...
Extract
Extract
Extract
01010001 10101000 10010100
Delay
Delay
Delay
delay period
Delay functions
F: {0,1}* × Z → {0,1}k
x t y
input time output
Delay functions: required properties
Many uses!
Verifiable in an Ethereum contract
Multiparty randomness: Unicorn
Alice
Bob
Carol
time
t0
t1
rC
R = F(rA⊕rB⊕rC)
R = F(rA⊕rB⊕rC)
R = F(rA⊕rB⊕rC)
rA
rB
[Lenstra, Wesolowski 2015]
delay time
delay time
tclose
topen
delay time
Combining multiple public beacons
time
delay time
Proof-of-stake consensus
committee 1
committee 2
committee 3
Delay functions: required properties
Easy if we remove any one!
Best known approach
[Dwork, Naor 1992]
F(x): find y s.t. y2=x (mod p)
computation: x(p+1)/4 (mod p)
proof: y
verification: y2 (mod p)
lg p squarings
lg p bits
1 squaring
Hardening via iteration
F
π
F
π
F
π
F
x
y
proof
Invariant:
computation/verification ratio is constant
...
[Lenstra, Wesolowski 2015]
Sample parameters: p = 2048 bits, t = 217
computation: ~10 minutes
verification: ~1 second
proof size: 2048 bits
Refereed model
F
π
F
π
F
π
F
x
y
...
[Canetti,Riva, Rothblum, 2011]
x1
x2
Merkle commitment
proof
Challenge protocol:
Cost: lg t rounds, lg2 t hashes, 1 invocation of F
Refereed model in Ethereum
x
xn
[ongoing work]
x1
Ethereum costs:
POST: ~80000 gas (US $0.02)
CHALLENGE: ~720,000 gas (US $0.12)
DEFEND: ~280,000 gas (US $0.05)
Prover:
Challenger:
220○F
x2
220○F
xi-1
xi
220○F
...
...
Challenger: xi is wrong
Prover: yeah? Prove it!
xi-1
x’i
y1
216○F
y2
216○F
yi-1
yi
216○F
...
...
Prover:
yi-1
y’i
z1
212○F
z2
212○F
zi-1
zi
212○F
...
...
Direct recomputation
Generic approach: verifiable comp.
F
π
F
π
F
π
F
x
y
Problem:
circuit is very deep → massive proving time
...
Computationally-sound proof system
Generic approach: SNARGs
F
π
F
π
F
π
F
x
y
Problem:
circuit is very wide
...
witness
Succinct non-interactive argument system
Generic approach: SNARGs
F
π
F
π
F
π
F
x
y
Depth/width tradeoff:
Send sqrt(t) intermediate values
...
witness
Succinct non-interactive argument system
From black-box obfuscation
private signature_key k
function step(x, i, n, σ):
if (i == 0 || verify(x‖i-1‖n, σ):
for (j = 0; j < n; j++); //nop
return sign(x‖i‖n, k)
Given obfs(P), Define F(x) = sign(x‖t‖n, k)
Proofs-of-delay: required properties
Construction from recursive SNARKs
x
SNARK
SNARK
x
++
x+1
SNARK
x+1
++
x+2
SNARK
x+t-1
++
x+t
...
Language L:
successors(x)
x
y if y-1 ∈ L
Application: timestamping
committee 1
committee 2
committee 3
long-range fork
committee 2’
committee 3’
Prove which chain is longer using proof-of-delay
Takeaways
Both rely on an economic security model
Takeaways
Proofs-of-delay are a target for both
Takeaways
computation: x(p+1)/4 (mod p)
proof: y
verification: y2 (mod p)
lg p squarings
lg p bits
1 squaring
Takeaways
Takeaways
Thanks!
No succinct proof?
F(x): Ht(x)
[Morris, Thompson 1979]
Not inherently sequential?
F(x): find y s.t. H(x,y) < t
F(x): find y s.t. gy = x (mod p)
Use private setup?
F(x): compute y2^(2^d) (mod N)
[Rivest, Shamir, Wagner 1996]
[Boneh, Naor 2000]
[Karame, Capkun 2010]
Not deterministic?
Publicly-verifiable proof of sequential work
[Mahmoody, Moran, Vadhan 2013]
x0
x1
x2
x3
x4
x5
x6
x7
x8
x9
xt
x
y
...
Merkle commitment
NIZK (Fiat-Shamir)
depth-robust graph
Bandwidth
Latency required
time
parameters agreed
“not before” time
expected time
expected latency
Latency follows a Gamma distribution
Minimum 2 hours
Several papers use Bitcoin as a beacon
Constructing a lottery is difficult today
Andrychowicz, Dziembowski, Malinowski & Mazurek. “Secure Multiparty Computations on Bitcoin” IEEE Security & Privacy 2014
Lotteries are easy with OP_BEACON
// Beacon parameters:
0x41e053d8 // nonce
1 // number of blocks to wait
OP_BEACON // Push random integer on the stack
0 // Threshold to determine the winner
OP_LESSTHANOREQUAL
OP_IF // Check for Alice's signature, if Alice won
OP_DUP
OP_HASH160
<alicePubKeyHash>
OP_EQUALVERIFY
OP_CHECKSIG
OP_ELSE // Check for Bob's signature, if Bob won
OP_DUP
OP_HASH160
<bobPubKeyHash>
OP_EQUALVERIFY
OP_CHECKSIG
OP_ENDIF
Many applications for beacon opcode
Worst-case scenario: Dolev-Yao
Partial network control
Limits on network attacks
Practical concerns
Practical concerns
Courtesy:
Brian Warner
2012 US Diversity Visa lottery
Stock prices
[Clark, Hengartner 2010]
Not deterministic?
Subset sum problem
[Tritilanunt, Boyd, Foo, Nieto 2007]
Candidate: linear programming
F(x):
1969 Vietnam conscription lottery
Late-year birthday bias
Publicly-verifiable proof of seq. work
Publicly-verifiable proof of sequential work
[Mahmoody, Moran, Vadhan 2013]
x0
x1
x2
x3
x4
x5
x6
x7
x8
x9
xt
x
y
...
Merkle commitment
NIZK (Fiat-Shamir)
depth-robust graph
US Diversity Visa (green card) Lottery
Annual lottery for US permanent resident cards