2.1 Concepts: Cryptography

This document provides an overview of the cryptographic building blocks that drand uses to generate publicly verifiable, unbiased, and unpredictable randomness in a distributed manner.

🕳️ Threshold Cryptography

drand relies on threshold cryptography, where a minimum number of participants must work together to execute cryptographic operations. This approach avoids single points of failure and enhances security.

The drand beacon operates in two phases: 1.) the setup phase and 2.) the beacon phase.

1. Setup Phase

The setup phase creates a collective private and public key pair shared among participants. This is done through a Distributed Key Generation (DKG) process, ensuring that no individual node knows the entire collective private key. Each private key share is used for cryptographic threshold computations, such as generating threshold signatures.

🤐 Secret Sharing

Secret sharing allows a secret value to be split into shares, which can be reconstructed only if a threshold of shares is available. drand uses Shamir's Secret Sharing (SSS) scheme, which is well-known for its reliability and security.

In Shamir's Secret Sharing (SSS), a polynomial of degree $t−1$ is constructed, where $t$ is the threshold. The secret is the constant term of this polynomial, and each share is a point on the polynomial. To reconstruct the secret, at least $t$ shares are needed to solve the polynomial equation.

🤫 Verifiable Secret Sharing

Verifiable Secret Sharing (VSS) ensures that participants can verify their shares, protecting against malicious dealers. drand uses Feldman's VSS scheme, an extension of SSS, to ensure the shared secret can be correctly reconstructed.

Feldman's VSS enhances SSS by adding commitments to the polynomial's coefficients. These commitments allow participants to verify their shares against the public commitments, ensuring that the dealer has distributed consistent shares.

🔑 Distributed Key Generation (DKG)

DKG creates a collectively shared secret without any single participant knowing it. drand uses Pedersen's DKG scheme, running multiple instances of Feldman's VSS in parallel to create a final share for each participant. This collective public key is then used in the randomness generation phase.

In Pedersen's DKG, each participant generates their own secret and shares it using VSS. The participants then combine these shares to form the collective secret, ensuring that no single participant knows the entire secret.

🚨 2. Beacon Phase

In the beacon phase, drand uses pairing-based cryptography to generate publicly verifiable, unbiased, and unpredictable randomness. The process involves threshold Boneh-Lynn-Shacham (BLS) signatures.

👫 Pairing-Based Cryptography

Pairing-based cryptography uses bilinear groups to create efficient cryptographic operations. drand currently uses the BLS12-381 curve.

🎲 Randomness Generation

To generate randomness, drand uses threshold BLS signatures. Each participant creates a partial signature, which are then combined to form a collective BLS signature. This signature is hashed to produce the final random value.

🔏 Smaller Signatures for Resource-Constrained Applications

drand supports schemes, which are network-level configurations that determine the cryptographic methods and protocols used to generate randomness. These scheme aim to minimize the size of signatures, reducing storage requirements and improving efficiency.

⛓️ Chained and Unchained Modes

drand operates in two modes: chained and unchained. In chained mode, each random value depends on all previous values, ensuring security and consistency. In unchained mode, each random value is generated independently.

🎓 Learning More

For more detailed information, refer to the drand project specifications and related research papers on scalable bias-resistant distributed randomness.