Bitcoin as a source of verifiable public randomness (working paper)
Many security protocols can be strengthened by a public randomness beacon: a source of randomness that can be sampled by anybody after time t, but is strongly unpredictable to anybody prior to time t. Applications include public lotteries, election auditing, and multiple cryptographic protocols such as cut-and-choose or fair contract signing. Until recently, all proposals for instantiating a beacon either relied on a trusted third party (such as the NIST beacon or random.org) or had difficult-to-evaluate security properties (such as hashing stock market data). In this talk we introduce a new construction for building a beacon based on Bitcoin's block chain. This beacon outputs 64 bits of min-entropy every 10 minutes on average, and we can prove strong financial lower bounds on the cost of manipulating the output, which are at least in the tens of thousands of dollars. We discuss constructions for building a manipulation-resistant lottery, a new security construction, on top of this primitive, which can make attacks even more expensive. Finally, we discuss a number of interesting smart contracts that can be efficiently implemented by extending Bitcoin script to enable sampling the beacon output, including secure multi-party lotteries and self-enforcing non-interactive cut-and-choose.
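As an added illustration (not code from the paper or the talk), the sketch below shows how a beacon consumer might turn one block header into a 64-bit sample: it checks the header's proof of work first, then applies an extractor. The abstract does not specify the extraction step, so the HMAC-SHA256 extractor, the `EXTRACTOR_KEY` value and all function names are assumptions; the sample input is the Bitcoin genesis block header.

```python
import hashlib
import hmac

# Bitcoin genesis block header (block 0, 80 bytes), used here as sample input:
# version | previous hash | merkle root | time | nBits | nonce
GENESIS_HEADER = bytes.fromhex(
    "01000000" + "00" * 32 +
    "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
    "29ab5f49" "ffff001d" "1dac2b7c")

# Assumption: a fixed, public extractor key picked for this example only.
EXTRACTOR_KEY = b"example-beacon-extractor-key"


def block_hash(header: bytes) -> bytes:
    """Double SHA-256 of the 80-byte header (raw digest, little-endian)."""
    if len(header) != 80:
        raise ValueError("block header must be exactly 80 bytes")
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()


def target_from_bits(header: bytes) -> int:
    """Expand the compact nBits field (header bytes 72..75) into the target."""
    bits = int.from_bytes(header[72:76], "little")
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent >= 3:
        return mantissa << (8 * (exponent - 3))
    return mantissa >> (8 * (3 - exponent))


def meets_target(header: bytes) -> bool:
    """True if the header hash is at or below the target the header declares."""
    return int.from_bytes(block_hash(header), "little") <= target_from_bits(header)


def beacon_output(header: bytes) -> bytes:
    """Return a 64-bit sample, refusing headers without valid proof of work."""
    if not meets_target(header):
        raise ValueError("header does not satisfy its proof-of-work target")
    # Assumed extractor: HMAC-SHA256 over the whole header, truncated to 8 bytes.
    return hmac.new(EXTRACTOR_KEY, header, hashlib.sha256).digest()[:8]


if __name__ == "__main__":
    print("block hash:", block_hash(GENESIS_HEADER)[::-1].hex())
    print("beacon    :", beacon_output(GENESIS_HEADER).hex())
```

The check only compares the header against the target it declares itself; a real consumer must also confirm that the block belongs to the best chain at the network's current difficulty.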