Cryptographic Random Beacon VS Random Oracle

A.Solei

12/30/22, 5:27 PM

Let's start with what I mean by cryptographic random beacon (RB). A RB is a protocol among some parties who generate a random value all together such that:

these parties do not trust each other
the result is publicly verifiable (anyone can verify the result is correctly generated by the protocol)
The output is unbiasable: No party can make a bias in the result.
the result is unpredictable: no body can predict the next output from the current output.

The first intuitive solution is commit-and-reveal, which does not work! everyone chooses a secret random value $s_i$ and commit to it, then in the second round they reveal their secrets.

The output is random, unpredictable and publicly verifiable, but not unbiasable. The malicious party can simply wait until every body reveals its secret, then she decides if this is good for her to reveal or not and she may withdraw from revealing its secret. Then there are several solutions based on random delay function or threshold cryptography (for me the most understandable one is the one based on the threshold BSL signature, from Dfinity company).

Now where in cryptography this can be used? why Random Oracle (+ Fiat-Shamir) is not enough?

I understand that this can be useful in the applications where the challenge should be unknown in special time-stamps. For example if a data storage want to prove that at the time-stamp $t$ it still has the data, it should use a challenge generated by RB at time-stamp $t$ and give a proof based on this challenge. Otherwise, it can generate the challenge by herself (by RO e.g.), remove the data and at time-stamp $t$ claims that it has the data because it can generate the proof based on the data and the challenge.

But If there is no time-stamp, I really do not see any point to use RB instead of RO. I think for non time-stamp applications RO is more practical.

So, is my understanding correct? I still see some papers which are using the output of RB as the challenge (or just for random generation) rather than using RO (while there is no concept of time), and I don't know why!

0 + 3

randomness

random-oracle-model

Geoffroy Couteau

12/30/22, 9:57 PM

An RO implies a public random beacon trivially (define the beacon to be $H(0), H(1),$ etc). But the ROM is an idealistic model which provably *cannot* be instantiated in the real world - like, never ever. It is solely a way to get heuristic confidence in our schemes, but it does not give *any* provable real world guarantee. In contrast, a random beacon is just a trusted setup assumption: something that can actually be instantiated in the real world.

Mikero

12/31/22, 3:35 AM

@Geoffroy: It sounds like the poster wants a value to appear at time $t$, which could not have been predicted at time $t-1$. And $H(1), H(2), \ldots$ doesn't have this property when $H$ is a public random oracle.

Geoffroy Couteau

12/31/22, 7:35 AM

Ha right, I did not read correctly. So yes, this cannot be instantiated easily with a random oracle

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Cryptographic Random Beacon VS Random Oracle

TH: Cryptographic Random Beacon VS สุ่ม Oracle

RO: Criptografic Random Beacon VS Random Oracle

RU: Криптографический случайный маяк VS случайный оракул

VI: Beacon ngẫu nhiên mật mã VS Oracle ngẫu nhiên

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.