Aleator: Random Beacon via Scalable Threshold Signatures

Transcription

1 Aleator: Random Beacon via Scalable Threshold Signatures Robert Chen Mentored by Alin Tomescu PRIMES Computer Science Conference 10/13/18 1

2 Why Scalability? Scalable threshold signature scheme Increased security Scalable random beacon 2

3 What is a Random Beacon? A set of servers that periodically output a random number. Servers R 1 R 2 Random Output R n 3

4 What is a Random Beacon? A set of servers that periodically output a random number. Some servers could maliciously bias the output 4

5 What is a Random Beacon? A set of servers that periodically output a random number. Some servers could maliciously bias the output Need unbiasability: servers cannot influence the output in their favor 5

6 Contributions Elegant, scalable random beacon design For 100,000 participants, a random output can be produced every 20 seconds with only 3.05 MB of bandwidth (~5 minutes if many dishonest Limiting factor is bandwidth: For 33 outputs 3.05MB/output 100 MB, we can produce a random output every 0.6 to 10 seconds Participants Time Total Time Across System Bandwidth Randherd 512 6s >200s >100 MB Aleator 33,000 4s 8s 1 MB 6

7 Naive Random Beacon: Combine all Approach: Combine all random inputs to produce random output Servers 7

8 Naive Random Beacon: Combine all Approach: Combine all random inputs to produce random output Servers R 1 R 2 R n 8

9 Naive Random Beacon: Combine all Approach: Combine all random inputs to produce random output Servers R 1 R 2 Assuming they can agree on everyone s random inputs R n 9

10 Naive Random Beacon: Combine all Approach: Combine all random inputs to produce random output Servers R 1 R 2 Random Output R n 10

11 Naive Random Beacon: Combine all Approach: Combine all random inputs to produce random output Servers R 1 Cannot exclude any random inputs R 2 Random Output R n 11

12 Naive Random Beacon: Combine all Approach: Combine all random inputs to produce random output Problem: Last participant controls random output Servers R 1 R 2 Random Output R n 12

13 Naive Random Beacon: Combine all Approach: Combine all random inputs to produce random output Problem: Last participant controls random output Servers R 1 R 2 13

14 Naive Random Beacon: Combine all Approach: Combine all random inputs to produce random output Problem: Last participant controls random output Servers R 1 R 2 14

15 Naive Random Beacon: Combine all Approach: Combine all random inputs to produce random output Problem: Last participant controls random output Servers R 1 R 2 R x 15

16 Naive Random Beacon: Combine all Approach: Combine all random inputs to produce random output Problem: Last participant controls random output Servers R 1 R 2 Random Output = X R x 16

17 Naive Random Beacon: Commit-then-reveal Approach: Commit-then-reveal random inputs Compute own commitment c 1 = C(R 1 Servers c 2 = C(R 2 c n = C(R n 17

18 Naive Random Beacon: Commit-then-reveal Approach: Commit-then-reveal random inputs Servers c 1 c 2 c n 18

19 Naive Random Beacon: Commit-then-reveal Approach: Commit-then-reveal random inputs Servers c 1, c 2,, c n c 1, c 2,, c n c 1, c 2,, c n 19

20 Naive Random Beacon: Commit-then-reveal Approach: Commit-then-reveal random inputs Servers c 1, c 2,, c n R 1 c 1, c 2,, c n R 2 c 1, c 2,, c n R n 20

21 Naive Random Beacon: Commit-then-reveal Approach: Commit-then-reveal random inputs Verify all Commitments Servers c 1 = C(R 1,, c n = C(R n R 1 c 1 = C(R 1,, c n = C(R n R 2 c 1 = C(R 1,, c n = C(R n R n 21

22 Naive Random Beacon: Commit-then-reveal Approach: Commit-then-reveal random inputs Verify all Commitments Servers c 1 = C(R 1,, c n = C(R n R 1 c 1 = C(R 1,, c n = C(R n R 2 Random Output c 1 = C(R 1,, c n = C(R n R n 22

23 Naive Random Beacon: Commit-then-reveal Approach: Commit-then-reveal random inputs Problem: Dishonest participants refuse to reveal Verify all Commitments Servers c 1 = C(R 1,, c n = C(R n R 1 c 1 = C(R 1,, c n = C(R n R 2 Random Output c 1 = C(R 1,, c n = C(R n R n 23

24 Naive Random Beacon: Commit-then-reveal Approach: Commit-then-reveal random inputs Problem: Dishonest participants refuse to reveal Servers R 1 R 2 24

25 Naive Random Beacon: Commit-then-reveal Approach: Commit-then-reveal random inputs Problem: Dishonest participants refuse to reveal Servers R 1 R 2 25

26 Naive Random Beacon: Commit-then-reveal Approach: Commit-then-reveal random inputs Problem: Dishonest participants refuse to reveal Servers R 1 R 2 No Random Output Produced 26

27 Solution: Use a threshold signature scheme σ 1 σ 2 σ = random output σ n (e.g., DFINITY blockchain 27

28 Solution: Use a threshold signature scheme σ 1 σ 2 σ = random output σ n (e.g., DFINITY blockchain 28

29 Digital Signatures: Motivation Alice Bob M M = Hello, this is Alice. 29

30 Problem: Mallory can pretend to be Alice to Bob Alice Bob M Mallory M = Hello, this is Alice. 30

31 Problem: Mallory can tamper with Alice's messages Alice Bob M M = Hello, this is Alice. Mallory M M = Hello, this is John. 31

32 Solution: Digital Signatures Alice (Diffie-Hellman '76, RSA '78 Bob Alice has her own secret key Bob has Alice s public key 32

33 Solution: Digital Signatures Alice (Diffie-Hellman '76, RSA '78 Bob M = Hello, this is Alice. σ = Sign(M, SK Alice Alice has her own secret key Bob has Alice s public key 33

34 Solution: Digital Signatures Alice (Diffie-Hellman '76, RSA '78 Bob M σ M = Hello, this is Alice. σ = Sign(M, SK Alice Alice has her own secret key Bob has Alice s public key 34

35 Solution: Digital Signatures Alice (Diffie-Hellman '76, RSA '78 Bob M σ M = Hello, this is Alice. σ = Sign(M, SK Alice Alice has her own secret key Verify(σ, M, PK Alice = true Bob has Alice s public key 35

36 Naive Threshold Signatures σ 1 = Sign(M, SK 1 σ 2 = Sign(M, SK 2 σ k = Sign(M, SK k 36

37 Naive Threshold Signatures M σ 1 = Sign(M, SK 1 σ 1 M σ 2 = Sign(M, SK 2 σ 2 M σ k σ k = Sign(M, SK k 37

38 Naive Threshold Signatures M σ 1 Verify(σ 1, M, PK 1 = true σ 1 = Sign(M, SK 1 M σ 2 Verify(σ 2, M, PK 2 = true σ 2 = Sign(M, SK 2 M σ k Verify(σ k, M, PK k = true σ k = Sign(M, SK k 38

39 Naive Threshold Signatures M σ 1 Verify(σ 1, M, PK 1 = true σ 1 = Sign(M, SK 1 σ 2 = Sign(M, SK 2 M σ 2 Verify(σ 2, M, PK 2 = true Too large k signatures Too much time k verifications M σ k Verify(σ k, M, PK k = true σ k = Sign(M, SK k 39

40 Threshold Signatures (Desmedt, CRYPTO 1987 Signature Shares M σ 1 = Sign(M, SK 1 σ 2 = Sign(M, SK 2 σ 1 M σ 2 Verifies signature shares Aggregator M σ Single threshold signature M σ k σ k = Sign(M, SK k 40

41 Threshold Signatures (Desmedt, CRYPTO 1987 Signature Shares M σ 1 = Sign(M, SK 1 σ 1 Verifies signature shares M M σ 2 = Sign(M, SK 2 σ 2 Aggregator σ Single threshold signature One threshold signature One verification M Verify(σ, M, PK = true σ k σ k = Sign(M, SK k 41

42 Random Beacon via Threshold Signatures σ 1 = Sign(M, SK 1 σ 2 = Sign(M, SK 2 Signature Shares M σ 1 M σ 2 Verifies signature shares Leader (Aggregator Participants sign M = current time. M σ Random Output = Single threshold signature M σ k = Sign(M, SK k σ k 42

43 Random Beacon Throughput Random beacon throughput = signature scheme throughput (assuming good network High traffic at leader Multiple leaders more throughput more traffic :( σ 1 σ 2 σ = random output σ n 43

44 Random Beacon: Benefits of Threshold Signatures Original Problems Last participant controls random output Dishonest participants refuse to reveal Addressed using Threshold Signature Scheme Guaranteed to produce a signature, as long as k of the total n servers are honest Each message has a unique threshold signature 44

45 But We Want a Scalable Random Beacon! Servers can be compromised Crucial to have a very large set of servers Can we get a scalable threshold signature scheme? 45

46 Shamir s Secret Sharing Recover secret given k shares 46

47 Shamir s Secret Sharing Recover secret given k shares 1 Point - Point 47

48 Shamir s Secret Sharing Recover secret given k shares 1 Point - Point 2 Points - Line 48

49 Shamir s Secret Sharing Recover secret given k shares 1 Point - Point 2 Points - Line 3 Points - Quadratic 49

50 Lagrange Interpolation for Secret Sharing Current implementations are inefficient Given k points, takes O(k 2 time to recover secret We use some known mathematical tricks to speed this up to O(klog 2 k time Net result: We can aggregate a threshold signature from 100,000 participants in 20 seconds rather than 13 minutes. 50

51 Our Results: Scalable Threshold Signatures Implementation Details: Implemented in C++ Used libff and libntl 51

52 Our Results: Scalable Threshold Signatures Implementation Details: Implemented in C++ Used libff and libntl Machine Details: ASUS ZenBook Core i7-8550u 1.80Ghz 16 GB of RAM Ubuntu LTS running inside VirtualBox r

53 O(k 2 Naive Aggregation Time Time (s Participants 53

54 O(k log 2 k Efficient Aggregation Time Time (s Participants 54

55 O(k 2 Naive Aggregation Time Time (s Participants 55

56 O(k log 2 k Efficient Aggregation Time Time (s Participants 56

57 Threshold Signatures: Not just for Random Beacons Applications to: Consensus algorithms (such as the one used by Bitcoin Securing HTTPs (every time you access a webpage 57

58 Future Work Implement random beacon protocol Threshold signature implementation works Verifying signature shares is computationally expensive We speed it up using batch verification Fast when almost all shares are valid, slow when many are not More parallelization by decreasing traffic Optimistically guess subset of k honest servers 58

59 Acknowledgements I would like to thank: My mentor, Alin Tomescu, for his support and guidance Srini Devadas, for coordinating CS-PRIMES My parents and family MIT-PRIMES program 59

60 Thank you! Questions? 60