NIST Randomness Beacon
surely someone here has an opinion...
http://www.nist.gov/itl/csd/ct/nist_beacon.cfm
:-)
Sure. No trust in NIST no more. Thanks. --Michael
On Sun, Nov 10, 2013, at 01:48 AM, jd.cypherpunks@gmail.com wrote:
surely someone here has an opinion...
http://www.nist.gov/itl/csd/ct/nist_beacon.cfm
:-)
Sure. No trust in NIST no more. Thanks.
How is this any different from random.org? -- Shawn K. Quinn skquinn@rushpost.com
On Sat, Nov 09, 2013 at 08:28:17PM -0800, d.nix wrote:
surely someone here has an opinion...
From the page, a relevant suggestion:
WARNING: DO NOT USE BEACON GENERATED VALUES AS SECRET CRYPTOGRAPHIC KEYS.

The Beacon is a potentially useful service. Folks have implemented similar semantics by, for example, hashing the DJIA closing value of a given date (see http://xkcd.com/426/). NIST's implementation, of course, makes them a trusted third party to any security critical applications of this oracle.

I'd be more comfortable with a cryptographic hash of an unpredictable but publicly determined value; however, it's hard to find one that has as much entropy as the Beacon. For example, suppose you use the low bits of the bitcoin blockchain hash. An attacker with 10% of the hash power could probabilistically attack such a system by choosing blocks with a specific value in those bits; furthermore, the miners might know the relevant value earlier than other users of the system.

-andy
On Sun, Nov 10, 2013 at 9:54 AM, Andy Isaacson <adi@hexapodia.org> wrote:
For example, suppose you use the low bits of the bitcoin blockchain hash. An attacker with 10% of the hash power could probabilistically attack such a system by choosing blocks with a specific value in those bits;
This can be avoided by running a sequential computation based on that hash. For example by hashing it 2^40 times. Obvious downside is that verifying that the computation was performed correctly is just as expensive (but parallelizable). Perhaps there is a function that's sequential and slow in one direction and fast in the reverse direction.
(Top posted, so sue me, my text explains itself without the history). That's a big cc list.

I think you could create a beacon with bitcoin hash chain by having miners reveal a preimage for 6 old, consecutive blocks where the newest of the 6 old blocks is itself 6-blocks confirmed (i.e. reveal preimage on blocks 7-12). The xor of those preimages defines a rolling beacon (new output every block, just with reference to blocks 7-12 relative to the current block depth).

The security against insider foreknowledge is not fantastic, as it's relating to the trustworthiness of the 6 random miners (which have probability of winning relating to hashpower, which doesn't always relate to trustworthiness).

Adam

On Mon, Nov 11, 2013 at 05:42:54PM +0100, CodesInChaos wrote:
On Sun, Nov 10, 2013 at 9:54 AM, Andy Isaacson <adi@hexapodia.org> wrote:
For example, suppose you use the low bits of the bitcoin blockchain hash. An attacker with 10% of the hash power could probabilistically attack such a system by choosing blocks with a specific value in those bits;
This can be avoided by running a sequential computation based on that hash. For example by hashing it 2^40 times. Obvious downside is that verifying that the computation was performed correctly is just as expensive (but parallelizable).
Perhaps there is a function that's sequential and slow in one direction and fast in the reverse direction.
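As an added example (not code from the thread or from any of the posters), the two proposals above combined in Python: Adam's commit-and-reveal beacon, where the preimages revealed for six old blocks are checked against their commitments and XORed, with the result then run through CodesInChaos' sequential iterated hash as a delay against block grinding. The commitment encoding, the SHA-256 choice and the sample preimages are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Optional, Sequence

def sequential_hash(seed: bytes, iterations: int) -> bytes:
    """Iterated SHA-256. Each step needs the previous output, so the work
    cannot be parallelised: a miner grinding candidate blocks for a
    favourable beacon value pays this delay per candidate. Verification
    is the same recomputation (the downside noted in the thread)."""
    out = seed
    for _ in range(iterations):
        out = hashlib.sha256(out).digest()
    return out

def commitment(preimage: bytes) -> bytes:
    """Commitment a miner publishes in its block ahead of the reveal.
    The prefix is an assumption; the thread does not specify encoding."""
    return hashlib.sha256(b"beacon-commit:" + preimage).digest()

def xor_bytes(chunks: Sequence[bytes]) -> bytes:
    """XOR equal-length byte strings; the order of the inputs is irrelevant."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        if len(chunk) != len(out):
            raise ValueError("preimage length mismatch")
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)

def beacon_output(commitments: Sequence[bytes], preimages: Sequence[bytes],
                  delay_iterations: int) -> Optional[bytes]:
    """Beacon value for one block height: check every revealed preimage
    against the commitment buried in its old block, XOR the preimages,
    then apply the sequential delay. Returns None if a reveal is missing
    or mismatched, so a bad reveal never produces an output."""
    if not preimages or len(commitments) != len(preimages):
        return None
    for expected, preimage in zip(commitments, preimages):
        if not hmac.compare_digest(expected, commitment(preimage)):
            return None
    return sequential_hash(xor_bytes(preimages), delay_iterations)

# Constructed sample: six miners' preimages for blocks 7..12 back
# (in the real scheme each miner would draw its preimage at random).
EXAMPLE_PREIMAGES = [hashlib.sha256(b"miner-%d" % i).digest() for i in range(6)]
EXAMPLE_COMMITMENTS = [commitment(p) for p in EXAMPLE_PREIMAGES]
```

Note that the delay only raises the cost of steering the output; it does nothing about the trust in the six revealing miners that Adam points out.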