In this article, we propose a way of combining lotteries from several different countries, so that an adversary would have to manipulate several independent draws in order to introduce a trap in the generated cryptosystem. Each and every time a new source of public entropy is suggested, it receives its share of criticism for being "easy to manipulate". We do not expect our solution to be an exception in this respect, and will gladly receive any suggestion that would increase the confidence in the cryptosystem parameters we generate.
Our method builds what we call a Publicly Verifiable RNG, from which we extract a seed that is used to instantiate and initialize a Blum-Blum-Shub (BBS) pseudo-random generator. We then use the binary stream produced by this generator as the input to a filtering function, which deterministically outputs secure and uniformly distributed parameters from uniform bitstreams.
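The pipeline described above (public draws, seed extraction, BBS stream, filtering), as an added example that is not code from the paper or from the Million Dollar Curve project. The lottery labels and numbers are constructed, the seed derivation (SHA-256 over a canonical encoding of the draws), the toy moduli and the helper names are assumptions made for this illustration, and the filter is a generic rejection sampler producing a uniform integer below a bound, standing in for the paper's curve-parameter filter:

```python
import hashlib
import math

# Constructed sample input: three hypothetical draws from different lotteries
# (labels and numbers invented for this example). An adversary who controls
# only one draw cannot choose the seed, which is the point of the construction.
SAMPLE_DRAWS = [
    ("lottery-A", (3, 17, 22, 31, 40, 45)),
    ("lottery-B", (8, 12, 19, 27, 33)),
    ("lottery-C", (1, 9, 14, 36, 41, 48, 50)),
]


def canonicalize(draws):
    """Fixed, unambiguous encoding of the draws so anyone can recompute the seed."""
    return "\n".join(f"{name}:{','.join(str(n) for n in nums)}" for name, nums in draws)


def lottery_seed(draws):
    """Seed = SHA-256 over the canonical encoding, read as a big-endian integer
    (assumed derivation for this example, not the paper's seeding procedure)."""
    return int.from_bytes(hashlib.sha256(canonicalize(draws).encode()).digest(), "big")


class BlumBlumShub:
    """x_{i+1} = x_i^2 mod n with n = p*q, p = q = 3 (mod 4); output the LSB of each x_i."""

    def __init__(self, p, q, seed):
        if p % 4 != 3 or q % 4 != 3:
            raise ValueError("p and q must both be congruent to 3 mod 4")
        self.n = p * q
        x = seed % self.n
        # The seed must be a unit mod n and not a fixed point of squaring (0 or 1).
        while x in (0, 1) or math.gcd(x, self.n) != 1:
            x = (x + 1) % self.n
        self.x = pow(x, 2, self.n)  # x_0 = s^2 mod n

    def next_bit(self):
        self.x = pow(self.x, 2, self.n)
        return self.x & 1

    def bits(self, k):
        """Return k successive output bits as an integer, first bit most significant."""
        v = 0
        for _ in range(k):
            v = (v << 1) | self.next_bit()
        return v


def filter_uniform(gen, bound):
    """Rejection-sample a uniform integer in [0, bound) from a uniform bit stream.

    Reducing the stream modulo bound would bias small values; drawing
    ceil(log2(bound)) bits and rejecting candidates >= bound keeps the output uniform.
    """
    if bound < 1:
        raise ValueError("bound must be positive")
    k = (bound - 1).bit_length()
    while True:
        v = gen.bits(k)
        if v < bound:
            return v


def bbs_output(p, q, seed, k):
    """First k output bits of BBS with modulus p*q and the given seed."""
    gen = BlumBlumShub(p, q, seed)
    return [gen.next_bit() for _ in range(k)]


def derive_parameter(draws, p, q, bound):
    """Whole pipeline: public draws -> seed -> BBS stream -> filtered parameter."""
    gen = BlumBlumShub(p, q, lottery_seed(draws))
    return filter_uniform(gen, bound)


if __name__ == "__main__":
    # Toy modulus n = 11 * 23 = 253 (classic textbook BBS example).
    print(bbs_output(11, 23, 3, 7))
    # Larger toy modulus from two Mersenne primes, both 3 mod 4; a real deployment
    # would fix its modulus publicly and at a cryptographic size.
    print(derive_parameter(SAMPLE_DRAWS, 2**31 - 1, 2**61 - 1, 100))
```

Anyone holding the same draws and the same fixed modulus recomputes the identical parameter, which is what makes the generator publicly verifiable; the entropy that defeats a trap lives entirely in draws that nobody can choose in advance.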
We apply our methodology to the ECDH cryptosystem, and propose the "Million Dollar Curve" as an alternative to curves P-256 and Curve25519.

Category / Keywords: public-key cryptography / Publicly verifiable RNG, lottery, trusted cryptosystem parameters, elliptic curve, Million Dollar Curve, decentralized beacon, NSA, Snowden

Date: received 1 Jan 2016, last revised 1 Feb 2016

Contact author: thomas baigneres at cryptoexperts com

Note: This is a commitment on the SHA256 hash of the MDCurve201601 design text file. This file is available at https://cryptoexperts.github.io/million-dollar-curve/specifications/mdcurve_201601/2016_01_27_million_dollar_curve.txt. The hash is: e9dd4baf0d351b5a64c59ed6b1efd3108094b3585e17a0e5350fb200500058d9.

This is a commitment on the SHA256 hash of the MDCurve201601 seeding text file. This file is available at https://cryptoexperts.github.io/million-dollar-curve/specifications/mdcurve_201601/2016_01_29_million_dollar_curve_seeding.txt. The hash is: f8bdb5bd4957a2d65b567378bb32744d0d0573a77e4ef0247311a5a4b98744da.

Version: 20160201:145717

Short URL: ia.cr/2015/1249