SCRAPE: Scalable Randomness Attested by Public Entities

Uniform randomness beacons whose output can be publicly attested to be unbiased are required in several cryptographic protocols. A common approach to building such beacons is having a number parties run a coin tossing protocol with guaranteed output delivery (so that adversaries cannot simply keep honest parties from obtaining randomness, consequently halting protocols that rely on it). However, current constructions face serious scalability issues due to high computational and communication overheads. We present a coin tossing protocol for an honest majority that allows for any entity to verify that an output was honestly generated by observing publicly available information (even after the execution is complete), while achieving both guaranteed output delivery and scalability. The main building block of our construction is the first Publicly Verifiable Secret Sharing scheme for threshold access structures that requires only O(n) exponentiations. Previous schemes required O(nt) exponentiations (where t is the threshold) from each of the parties involved, making them unfit for scalable distributed randomness generation, which requires \(t=n/2\) and thus \(O(n^2)\) exponentiations.

[1]  R. J. McEliece,et al.  On sharing secrets and Reed-Solomon codes , 1981, CACM.

[2]  Iddo Bentov,et al.  Proof of Activity: Extending Bitcoin's Proof of Work via Proof of Stake [Extended Abstract]y , 2014, PERV.

[3]  Elaine Shi,et al.  Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[4]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[5]  Aggelos Kiayias,et al.  The Bitcoin Backbone Protocol: Analysis and Applications , 2015, EUROCRYPT.

[6]  Jacques Stern,et al.  Security Proofs for Signature Schemes , 1996, EUROCRYPT.

[7]  Elaine Shi,et al.  On Scaling Decentralized Blockchains - (A Position Paper) , 2016, Financial Cryptography Workshops.

[8]  Jorge Luis Villar Santos,et al.  Public verifiability from pairings in secret sharing schemes , 2009 .

[9]  Benoît Libert,et al.  Unidirectional Chosen-Ciphertext Secure Proxy Re-Encryption , 2008, IEEE Transactions on Information Theory.

[10]  Michael J. Fischer,et al.  Scalable Bias-Resistant Distributed Randomness , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[11]  Paul Feldman,et al.  A practical scheme for non-interactive verifiable secret sharing , 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[12]  Mahabir Prasad Jhanwar,et al.  Paillier-based publicly verifiable (non-interactive) secret sharing , 2014, Des. Codes Cryptogr..

[13]  Ivan Damgård,et al.  Publicly Auditable Secure Multi-Party Computation , 2014, SCN.

[14]  Ariel Gabizon,et al.  Cryptocurrencies Without Proof of Work , 2014, Financial Cryptography Workshops.

[15]  Pascal Paillier,et al.  Public-Key Cryptosystems Based on Composite Degree Residuosity Classes , 1999, EUROCRYPT.

[16]  Tanja Lange,et al.  Dual EC: A Standardized Back Door , 2015, The New Codebreakers.

[17]  Aggelos Kiayias,et al.  Ouroboros: A Provably Secure Proof-of-Stake Blockchain Protocol , 2017, CRYPTO.

[18]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[19]  Arjen K. Lenstra,et al.  A random zoo: sloth, unicorn, and trx , 2015, IACR Cryptol. ePrint Arch..

[20]  Nickolai Zeldovich,et al.  Vuvuzela: scalable private messaging resistant to traffic analysis , 2015, SOSP.

[21]  Markus Stadler,et al.  Publicly Verifiable Secret Sharing , 1996, EUROCRYPT.

[22]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[23]  Jacques Traoré,et al.  Efficient Publicly Verifiable Secret Sharing Schemes with Fast or Delayed Recovery , 1999, ICICS.

[24]  Patrick Longa,et al.  Faster Explicit Formulas for Computing Pairings over Ordinary Curves , 2011, EUROCRYPT.

[25]  David Wolinsky,et al.  Dissent in Numbers: Making Strong Anonymity Scale , 2012, OSDI.

[26]  Kenneth G. Paterson,et al.  Pairings for Cryptographers , 2008, IACR Cryptol. ePrint Arch..

[27]  Tancrède Lepoint,et al.  Trap Me If You Can - Million Dollar Curve , 2015, IACR Cryptol. ePrint Arch..

[28]  Tatsuaki Okamoto,et al.  A Practical and Provably Secure Scheme for Publicly Verifiable Secret Sharing and Its Applications , 1998, EUROCRYPT.

[29]  Berry Schoenmakers,et al.  Universally Verifiable Multiparty Computation from Threshold Homomorphic Cryptosystems , 2015, ACNS.

[30]  Ignacio Cascudo,et al.  Rate-1, Linear Time and Additively Homomorphic UC Commitments , 2016, CRYPTO.

[31]  Michael O. Rabin,et al.  Transaction Protection by Beacons , 1983, J. Comput. Syst. Sci..

[32]  Mahabir Prasad Jhanwar,et al.  A Practical (Non-interactive) Publicly Verifiable Secret Sharing Scheme , 2011, ISPEC.

[33]  Ben Adida,et al.  Helios: Web-based Open-Audit Voting , 2008, USENIX Security Symposium.

[34]  Tal Rabin,et al.  Verifiable secret sharing and multiparty protocols with honest majority , 1989, STOC '89.

[35]  Paulo S. L. M. Barreto,et al.  Pairing-Friendly Elliptic Curves of Prime Order , 2005, Selected Areas in Cryptography.

[36]  Kenneth G. Paterson,et al.  Backdoors in Pseudorandom Number Generators: Possibility and Impossibility Results , 2016, CRYPTO.

[37]  Berry Schoenmakers,et al.  A Simple Publicly Verifiable Secret Sharing Scheme and Its Application to Electronic , 1999, CRYPTO.

[38]  Moni Naor,et al.  Bit commitment using pseudorandomness , 1989, Journal of Cryptology.

[39]  David Chaum,et al.  Wallet Databases with Observers , 1992, CRYPTO.

[40]  Rob Jansen,et al.  A TorPath to TorCoin: Proof-of-Bandwidth Altcoins for Compensating Relays , 2014 .

[41]  Vitalik Buterin A NEXT GENERATION SMART CONTRACT & DECENTRALIZED APPLICATION PLATFORM , 2015 .

[42]  Baruch Awerbuch,et al.  Verifiable secret sharing and achieving simultaneity in the presence of faults , 1985, 26th Annual Symposium on Foundations of Computer Science (sfcs 1985).

[43]  Masayuki Abe,et al.  Design in Type-I, Run in Type-III: Fast and Scalable Bilinear-Type Conversion Using Integer Programming , 2016, CRYPTO.

[44]  Manuel Blum,et al.  Coin Flipping by Telephone. , 1981, CRYPTO 1981.

[45]  Jorge Luis Villar,et al.  Publicly Verfiable Secret Sharing from Paillier's Cryptosystem , 2005, WEWoRC.

[46]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[47]  Jeremy Clark,et al.  On Bitcoin as a public randomness source , 2015, IACR Cryptol. ePrint Arch..

[48]  Richard Cleve,et al.  Limits on the security of coin flips when half the processors are faulty , 1986, STOC '86.