SCRAPE: Scalable Randomness Attested by Public Entities

  • Ignacio Cascudo
  • Bernardo DavidEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10355)


Uniform randomness beacons whose output can be publicly attested to be unbiased are required in several cryptographic protocols. A common approach to building such beacons is having a number parties run a coin tossing protocol with guaranteed output delivery (so that adversaries cannot simply keep honest parties from obtaining randomness, consequently halting protocols that rely on it). However, current constructions face serious scalability issues due to high computational and communication overheads. We present a coin tossing protocol for an honest majority that allows for any entity to verify that an output was honestly generated by observing publicly available information (even after the execution is complete), while achieving both guaranteed output delivery and scalability. The main building block of our construction is the first Publicly Verifiable Secret Sharing scheme for threshold access structures that requires only O(n) exponentiations. Previous schemes required O(nt) exponentiations (where t is the threshold) from each of the parties involved, making them unfit for scalable distributed randomness generation, which requires \(t=n/2\) and thus \(O(n^2)\) exponentiations.



We thank Vincent Hanquez and Andrzej Rybczak for implementing \(\pi _{DDH}\) and \(\pi _{DBS}\), respectively.


  1. [Adi08]
    Adida, B.: Helios: web-based open-audit voting. In: van Oorschot, P.C. (ed.) Proceedings of 17th USENIX Security Symposium, 28 July–1 August 2008, San Jose, CA, USA, pp. 335–348. USENIX Association (2008)Google Scholar
  2. [AHO16]
    Abe, M., Hoshino, F., Ohkubo, M.: Design in type-I, run in type-III: fast and scalable bilinear-type conversion using integer programming. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 387–415. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53015-3_14 CrossRefGoogle Scholar
  3. [AKL+11]
    Aranha, D.F., Karabina, K., Longa, P., Gebotys, C.H., López, J.: Faster explicit formulas for computing pairings over ordinary curves. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 48–68. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-20465-4_5 CrossRefGoogle Scholar
  4. [B+14]
    Buterin, V., et al.: A next-generation smart contract and decentralized application platform. White paper (2014)Google Scholar
  5. [BCG15]
    Bonneau, J., Clark, J., Goldfeder, S.: On bitcoin as a public randomness source. Cryptology ePrint Archive, Report 2015/1015 (2015).
  6. [BDF+15]
    Baignères, T., Delerablée, C., Finiasz, M., Goubin, L., Lepoint, T., Rivain, M.: Trap me if you can - million dollar curve. Cryptology ePrint Archive, Report 2015/1249 (2015).
  7. [BDO14]
    Baum, C., Damgård, I., Orlandi, C.: Publicly auditable secure multi-party computation. In: Abdalla, M., De Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 175–196. Springer, Cham (2014). doi: 10.1007/978-3-319-10879-7_11 Google Scholar
  8. [BGM16]
    Bentov, I., Gabizon, A., Mizrahi, A.: Cryptocurrencies without proof of work. In: Clark et al. [CMR+16], pp. 142–157 (2016)Google Scholar
  9. [BLMR14]
    Bentov, I., Lee, C., Mizrahi, A., Rosenfeld, M.: Proof of activity: extending bitcoin’s proof of work via proof of stake [extended abstract]y. SIGMETRICS Perform. Eval. Rev. 42(3), 34–37 (2014)CrossRefGoogle Scholar
  10. [BLN16]
    Bernstein, D.J., Lange, T., Niederhagen, R.: Dual EC: a standardized back door. In: Ryan, P.Y.A., Naccache, D., Quisquater, J.-J. (eds.) The New Codebreakers. LNCS, vol. 9100, pp. 256–281. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49301-4_17 CrossRefGoogle Scholar
  11. [Blu81]
    Blum, M.: Coin flipping by telephone. In: Gersho, A. (ed.) CRYPTO 1981, vol. ECE report 82-04, pp. 11–15. U.C. Santa Barbara, Department of Electrical and Computer Engineering (1981)Google Scholar
  12. [BN06]
    Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006). doi: 10.1007/11693383_22 CrossRefGoogle Scholar
  13. [BR93]
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 1993, pp. 62–73. ACM Press, November 1993Google Scholar
  14. [BT99]
    Boudot, F., Traoré, J.: Efficient publicly verifiable secret sharing schemes with fast or delayed recovery. In: Varadharajan, V., Mu, Y. (eds.) ICICS 1999. LNCS, vol. 1726, pp. 87–102. Springer, Heidelberg (1999). doi: 10.1007/978-3-540-47942-0_8 CrossRefGoogle Scholar
  15. [CD17]
    Cascudo, I., David, B.: Scrape: scalable randomness attested by public entities. Cryptology ePrint Archive, Report 2017/216 (2017).
  16. [CDE+16]
    Croman, K., Decker, C., Eyal, I., Gencer, A.E., Juels, A., Kosba, A.E., Miller, A., Saxena, P., Shi, E., Sirer, E.G., Song, D., Wattenhofer, R.: On scaling decentralized blockchains - (a position paper). In: Clark et al. [CMR+16], pp. 106–125 (2016)Google Scholar
  17. [CGMA85]
    Chor, B., Goldwasser, S., Micali, S., Awerbuch, B.: Verifiable secret sharing and achieving simultaneity in the presence of faults (extended abstract). In: 26th FOCS, pp. 383–395. IEEE Computer Society Press, October 1985Google Scholar
  18. [Cle86]
    Cleve, R.: Limits on the security of coin flips when half the processors are faulty (extended abstract). In: Hartmanis, J. (ed.) Proceedings of 18th Annual ACM Symposium on Theory of Computing, 28–30 May 1986, Berkeley, California, USA, pp. 364–369. ACM (1986)Google Scholar
  19. [CMR+16]
    Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D.S., Brenner, M., Rohloff, K. (eds.): FC 2016 Workshops. LNCS, vol. 9604. Springer, Heidelberg (2016)Google Scholar
  20. [CP93]
    Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993). doi: 10.1007/3-540-48071-4_7 Google Scholar
  21. [DMS04]
    Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation onion router. In: Proceedings of 13th Conference on USENIX Security Symposium, SSYM 2004, Berkeley, CA, USA, vol. 13, p. 21. USENIX Association (2004)Google Scholar
  22. [DPSW16]
    Degabriele, J.P., Paterson, K.G., Schuldt, J.C.N., Woodage, J.: Backdoors in pseudorandom number generators: possibility and impossibility results. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 403–432. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53018-4_15 CrossRefGoogle Scholar
  23. [Fel87]
    Feldman, P.: A practical scheme for non-interactive verifiable secret sharing. In: 28th FOCS, pp. 427–437. IEEE Computer Society Press, October 1987Google Scholar
  24. [FO98]
    Fujisaki, E., Okamoto, T.: A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 32–46. Springer, Heidelberg (1998). doi: 10.1007/BFb0054115 Google Scholar
  25. [FS87]
    Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). doi: 10.1007/3-540-47721-7_12 Google Scholar
  26. [GKL15]
    Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46803-6_10 Google Scholar
  27. [GRFJ14]
    Ghosh, M., Richardson, M., Ford, B., Jansen, R.: A torpath to torcoin: proof-of-bandwidth altcoins for compensating relays. Technical report, DTIC Document (2014)Google Scholar
  28. [HV09]
    Heidarvand, S., Villar, J.L.: Public verifiability from pairings in secret sharing schemes. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 294–308. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-04159-4_19 CrossRefGoogle Scholar
  29. [Jha11]
    Jhanwar, M.P.: A practical (non-interactive) publicly verifiable secret sharing scheme. In: Bao, F., Weng, J. (eds.) ISPEC 2011. LNCS, vol. 6672, pp. 273–287. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-21031-0_21 CrossRefGoogle Scholar
  30. [JVSN14]
    Jhanwar, M.P., Venkateswarlu, A., Safavi-Naini, R.: Ayineedi venkateswarlu, and reihaneh safavi-naini. paillier-based publicly verifiable (non-interactive) secret sharing. Des. Codes Crypt. 73(2), 529–546 (2014)CrossRefzbMATHGoogle Scholar
  31. [KKR+16]
    Kiayias, A., Konstantinou, I., Russell, A., David, B., Oliynykov, R.: A provably secure proof-of-stake blockchain protocol. Cryptology ePrint Archive, Report 2016/889 (2016).
  32. [KMS+16]
    Kosba, A.E., Miller, A., Shi, E., Wen, Z., Papamanthou, C.: Hawk: the blockchain model of cryptography and privacy-preserving smart contracts. In: 2016 IEEE Symposium on Security and Privacy, pp. 839–858. IEEE Computer Society Press, May 2016Google Scholar
  33. [LV08]
    Libert, B., Vergnaud, D.: Unidirectional chosen-ciphertext secure proxy re-encryption. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 360–379. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-78440-1_21 CrossRefGoogle Scholar
  34. [LW15]
    Lenstra, A.K., Wesolowski, B.: A random zoo: sloth, unicorn, and trx. Cryptology ePrint Archive, Report 2015/366 (2015).
  35. [Mau96]
    Maurer, U.M. (ed.): EUROCRYPT 1996. LNCS, vol. 1070. Springer, Heidelberg (1996). doi: 10.1007/3-540-68339-9 zbMATHGoogle Scholar
  36. [MS81]
    McEliece, R.J., Sarwate, D.V.: On sharing secrets and reed-solomon codes. Commun. ACM 24(9), 583–584 (1981)MathSciNetCrossRefGoogle Scholar
  37. [Nak08]
    Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system (2008)Google Scholar
  38. [Pai99]
    Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). doi: 10.1007/3-540-48910-X_16 Google Scholar
  39. [PS96]
    Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer [Mau96], pp. 387–398 (1996)Google Scholar
  40. [Rab83]
    Rabin, M.O.: Transaction protection by beacons. J. Comput. Syst. Sci. 27(2), 256–267 (1983)MathSciNetCrossRefzbMATHGoogle Scholar
  41. [RBO89]
    Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority (extended abstract). In: 21st ACM STOC, pp. 73–85. ACM Press. May 1989Google Scholar
  42. [RV05]
    Ruiz, A., Villar, J.L.: Publicly verifiable secret sharing from Paillier’s cryptosystem. In: Wolf, C., Lucks, S., Yau, P.-W. (eds.) WEWoRC 2005 - Western European Workshop on Research in Cryptology. Leuven, Belgium, 5–7 July 2005. LNI, vol. 74, pp. 98–108. GI (2005)Google Scholar
  43. [Sch99]
    Schoenmakers, B.: A simple publicly verifiable secret sharing scheme and its application to electronic voting. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 148–164. Springer, Heidelberg (1999). doi: 10.1007/3-540-48405-1_10 Google Scholar
  44. [Sha79]
    Shamir, A.: How to share a secret. Commun. Assoc. Comput. Mach. 22(11), 612–613 (1979)MathSciNetzbMATHGoogle Scholar
  45. [SJK+16]
    Syta, E., Jovanovic, P., Kokoris Kogias, E., Gailly, N., Gasser, L., Khoffi, I., Fischer, M.J., Ford, B.: Scalable bias-resistant distributed randomness. Cryptology ePrint Archive, Report 2016/1067 (2016). (To appear at IEEE Security & Privacy 2017).
  46. [Sta96]
    Stadler, M.: Publicly verifiable secret sharing. In: Maurer [Mau96], pp. 190–199 (1996)Google Scholar
  47. [SV15]
    Schoenmakers, B., Veeningen, M.: Universally verifiable multiparty computation from threshold homomorphic cryptosystems. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 3–22. Springer, Cham (2015). doi: 10.1007/978-3-319-28166-7_1 CrossRefGoogle Scholar
  48. [vdHLZZ15]
    van den Hooff, J., Lazar, D., Zaharia, M., Zeldovich, N.: Vuvuzela: scalable private messaging resistant to traffic analysis. In: Proceedings of 25th Symposium on Operating Systems Principles, SOSP 2015, pp. 137–152. ACM, New York (2015)Google Scholar
  49. [WCGFJ12]
    Wolinsky, D.I., Corrigan-Gibbs, H., Ford, B., Johnson, A.: Dissent in numbers: making strong anonymity scale. In: Proceedings of 10th USENIX Conference on Operating Systems Design and Implementation, OSDI 2012, pp. 179–192. USENIX Association, Berkeley (2012)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Aalborg UniversityAalborgDenmark
  2. 2.Aarhus UniversityAarhusDenmark
  3. 3.IOHKHong KongHong Kong

Personalised recommendations