Usages of Public Luís T. A. N. Brandão · Carlos Galhardo · John Kelsey · René Peralta Cryptographic Technology Group, Computer Security Division, National Institute of Standards and Technology

Public Randomness Use-case 1: Random officials for financial audit Use-case 3: Legal metrology • An application motivated by INMETRO (Brazil), using a Beacon with the NIST reference Goals: Setting: The government of Chile selects random public officials for financial audits. Each official has a risk score based on public and private information (e.g., stock hold- • Goal: Improve metrological inspections through public randomness • Investigate the value of public randomness as a public good. ings of spouse). The probability of selection should be proportional to the risk score. • Challenge: Gas pumps and other instruments are subject to malicious firmware re- • Foster applications that use public randomness with the NIST format. • Challenge: Enable public auditability of the selection, placement and counterfeits along with privacy of the used to compute the score. Sources of public randomness: • Solution: Authentication checks using public randomness for metrological verifications • Solution: Use public randomness from a beacon along with • Natural: earthquakes, solar storms, fire patterns, ..., quantum processes zero-knowledge proofs. Note: Chile has implemented a The Protocol • Social: lottery results, stock market prices, twitter feeds, ..., blockchains Beacon following the NIST reference for randomness beacons. • • Model Registration: The metrology authority registers the approved gas pump model Custom: cryptographic Randomness Beacons (like the NIST Beacon) and publishes the digital fingerprint (hash H) of its secret software. The hash H is Use-case 2: Randomized clinical trials obtained through a function F that takes the software (binary code) as input.

A Randomness Beacon • Example setting: a placebo-controlled clinical H = F () H is public THE BEACON NEWS

www beaconnews com trial assigns patients to either the treatment AUDITABLETHE WORLD'S RANDOMNESS FAVOURITE NEWSPAPER IN • Periodically publishes a randomness pulse - Since Immemorial Times Lorem Ipsum In libris graecis appetere mea. At group or the control group. vim odio lorem iuvaret In libris graecis appetere H partiendo. mea. At vim odio lorem omnes, pri id iuvaret Placebos partiendo. Vivendo were ran- menandri et sed. Lorem • volumus blandit cu has. Sit Each pulse contains a fresh sequence of 512 random bits domized cu alia porro fuisset. across Ea pro natum invidunt • repudiandae, his et facilisis Goal: After the study, it is possible to convince subjects vituperatoribus. Mei eu ubique altera senserit, Sit cu alia appetere mea. consul eripuit accusata has At vim odio lorem omnes partiendo. Vivendo ne. volums meanandri et sed Ea pro natum invidunt • blandit cu has. The pulses are indexed, have a time stamp and a digital signature repudiandae, his et facilisis others that the trial was properly randomized. vituperatoribus. • Past pulses are publicly available Proprietary Legal Metrology • The sequence of pulses forms a hash chain Prepare clinical trial Obtain verifiably software (secret) Authority random groups for clinical trial • Device Inspection. The metrologist sends to each pump the timestamped NIST has a project about Interoperable Randomness Beacons, with four tracks: Randomness Beacon pulse Rt and the hash H. An honest pump can produce a verifi- A. Beacons Reference: promote a reference for randomness beacons; Trial id: 123 Control Treatment able proof PID while a rogue one cannot. The inspection results are sent to the legal metrology authority. B. NIST Beacon: maintain a NIST Beacon implementation; Created: 5 pm group: group: C. External beacons: promote the deployment of other Beacons by multiple organiza- 2. Bob 1. Ann ∗ Will use: pulse V (Rt,H,P ) = False tions; issued at 6pm 4. Dan 3. Cai ID 5. Eve 6. Fae V (Rt,H,PID) = True D. Uses of public randomness: foster applications that use beacon-issued randomness. Timestamp List patients: 3. P and post 6pm ID ID This poster is about track D, with a focus on public auditability. the list of 1. Ann 42 1. Rt patients and 2. Bob 3. Cai Gas pump the time to 2. Rt, H Beacon Generic applications perform the 4. Dan Assign 5. Eve random Metrologist assignment. 6. Fae 42 Public auditability 4. Timestamped ID verifications 6 • Setting: You need to make a random choice from a set {C1,...,Cn} of possibilities. 6 ∗ 3. PID • Time flow of a clinical trial protected by the Beacon Legal Metrology Challenge: At a later time you would like to prove to a judge that all choices were Rogue gas pump equally likely when you made the selection. Authority • Solution: Cryptographic commitments, time stamps, and a public source of random- ness are enough to solve your problem. Others example use-cases The Benefits Watching the watchers: Anti piracy: Power to the people: control Random judges for court cases • Setting: Randomized is used for quality control in processes. • For years, New Orleans has been struggling with a prob- The process can be compromised if the random samples are chosen by a worker in the lem referred to as forum shopping: prosecutors were being factory floor (or insiders in general). accused of gaming the court system so as to have friendly judges assigned to certain cases. Citizen • Application: With public randomness, a phone app can instead do the sampling. The The legal metrology Counterfeits without Any citizen can use the factory can also keep an audit trail for later verification. • The Criminal District Court judges saw it useful to im- plement of judges to cases. Real-life authority can use the proprietary randomness beacon to constraints makes this a non-trivial problem. NIST could (Rt,H,PID) to spot software cannot check that a pump has help if we get a full specification of the problem. malicious metrologists. construct the proof PID. the correct software.

Eliminating bias in randomized security checks The Interoperable Randomness Beacons Project: [email protected] • Setting: “You have been randomly chosen for additional security screening.” Webpage: https://csrc.nist.gov/Projects/Interoperable-Randomness-Beacons • Goal: Allow individuals to confirm that the selection was really random. Poster produced for: NIST-ITL Science Day 2019 — November 06, 2019 (Gaithersburg, USA)