This document provides an overview of the cryptographic building blocks that drand uses to generate publicly-verifiable, unbiased, and unpredictable randomness in a distributed manner. The drand beacon has two phases (a setup phase, and a beacon phase), which we describe below.
Generally, we assume that there are
Threshold cryptography has many applications, as it avoids single points of failure. One such application is cryptocurrency multi-sig wallets, where
Note: This document is intended for a general audience, and no in-depth cryptographic background knowledge is necessary to understand the presented concepts.
# Setup phase
The purpose of the drand setup phase is to create a collective private, and public key pair shared among
Each private key share can then be used to perform cryptographic threshold computations, such as generating threshold signatures, where at least
A DKG is performed in a fully distributed manner, avoiding any single points of failure. We give an overview of the different sub-components of the drand DKG implementation (opens new window) in the following subsections.
# Secret sharing
Secret sharing (opens new window) is an important technique that many advanced threshold cryptography mechanisms rely on. Secret sharing allows one to split a secret value
Shamir's Secret Sharing (opens new window) (SSS) scheme is one of the most well-known and widely used secret sharing approaches, and it is a core component of drand. SSS works over an arbitrary finite field, but for simplicity, we use the integers modulo
Share Distribution: To share
The dealer then creates one share
Secret Reconstruction: To recover the secret
Note that any subset of
# Verifiable secret sharing
Shamir's Secret Sharing scheme assumes that the dealer is honest but this assumption might not always hold in practice.
A Verifiable Secret Sharing (opens new window) (VSS) scheme protects against malicious dealers by enabling participants to verify that their shares are consistent with those dealt to other nodes ensuring that the shared secret can be correctly reconstructed later on.
Drand uses Feldman's VSS (opens new window) scheme, an extension of SSS. Let
A cyclic group means there exists a generator
Share Distribution: In addition to distributing shares of the secret to the participants, the dealer also broadcasts commitments to the coefficients of the polynomial
These commitments enable each participant
Secret Reconstruction: The recovery of secret
# Distributed key generation (DKG)
Although VSS schemes protect against a malicious dealer, the dealer still knows the secret itself. To create a collectively shared secret
Drand uses Pedersen's DKG (opens new window) scheme, which essentially runs
Share Distribution: Every participant
Share Verification: Each participant verifies the shares it receives as prescribed by Feldman's VSS scheme. If participant
Share Finalization: At the end of the protocol, the final share of participant
The collective public key associated with the valid shares can be computed as
Note: Even though the secret created using Pedersen's DKG can be biased, it is safe to use for threshold signing as shown by Rabin et al. (opens new window)
# Beacon phase
In the previous section, we gave an overview of how to produce a collective distributed key pair via a DKG protocol. In this section, we describe how to use this collective key pair to generate publicly-verifiable, unbiased, and unpredictable randomness in a distributed manner
We first give an overview of pairing-based cryptography (opens new window) (PBC) which has become quite popular lately and is used in many modern consensus protocols or zero-knowledge proofs such as zk-SNARKs (opens new window).
Afterward, we show how drand uses PBC in the randomness beacon generation phase for threshold Boneh-Lynn-Shacham (BLS) signatures (opens new window).
Finally, we explain how drand links the generated threshold BLS signatures into a randomness chain.
# Pairing-based cryptography
Pairing-based cryptography is based on bilinear groups
Computability: There exists an efficient algorithm to compute
Drand currently uses the BLS12-381 curve (opens new window).
# Randomness generation
To generate publicly-verifiable, unbiased, distributed randomness, drand utilizes threshold Boneh-Lynn-Shacham (BLS) signatures (opens new window).
Below we first describe regular BLS signatures (opens new window) followed by the threshold variant.
# BLS signature
BLS signatures are short signatures that rely on bilinear pairings and consist only of a single element in
They are deterministic in the sense that a BLS signature depends only on the message and the signer's key unlike other signature schemes, such as ECDSA (opens new window), which requires a fresh random value for each signed message to be secure.
Put differently, any two BLS signatures on a given message produced with the same key are identical. In drand, we utilize this property to achieve unbiasability for the randomness generation. The BLS signature scheme consists of the following sub-procedures:
Key Generation: To generate a key pair, a signer first chooses a private key
Signature Generation: Let
To compute a BLS signature
Signature Verification: To verify that a BLS signature
It is easy to see that this equation holds for valid signatures since
# Signature threshold
The goal of a threshold signature scheme is to collectively compute a signature by combining individual partial signatures independently generated by the participants. A threshold BLS signature scheme has the following sub-procedures:
Key Generation: The
Partial Signature Generation: To sign a message
Partial Signature Verification: To verify the correctness of a partial signature
Signature Reconstruction: To reconstruct the collective BLS signature
Signature Verification: To verify a collective BLS signature
Thanks to the properties of Lagrange interpolation, the value of
Additionally, Lagrange interpolation also guarantees that no set of less than
In summary, a threshold BLS signature
Drand nodes can work in two modes: chained or unchained.
The drand randomness beacon operates in discrete rounds
In chained mode, in order to extend the chain of randomness, each drand participant
In unchained mode, in order to produce unchained randomness, each drand participant
Once at least
At that point, the random value of round
Afterward, drand nodes move to round
In a nutshell, this construction of using the hash of a BLS signature can be considered as a Verifiable Random Function (opens new window) because of the uniqueness of the signature output combined with the usage of the random oracle (the hash function). When the input is unpredictable, the output of the random oracle is indistinguishable from a uniform distribution.
To summarize, drand is an efficient randomness beacon daemon that utilizes pairing-based cryptography,
To learn more about the background of drand, we refer to the corresponding slides (opens new window).
Finally, for more formal background on public randomness, we refer to the research paper titled "Scalable Bias-Resistant Distributed Randomness" (opens new window) published at the 38th IEEE Symposium on Security and Privacy (opens new window).
The threshold scheme described here is described and proven in this paper from Boldyreva (opens new window).