
SoK: Decentralized Randomness Beacon Protocols

  • Conference paper
Information Security and Privacy (ACISP 2022)

Abstract

The scientific interest in the area of Decentralized Randomness Beacon (DRB) protocols has been thriving recently. Partially that interest is due to the success of the disruptive technologies introduced by modern cryptography, such as cryptocurrencies, blockchain technologies, and decentralized finances, where there is an enormous need for a public, reliable, trusted, verifiable, and distributed source of randomness. On the other hand, recent advancements in the development of new cryptographic primitives brought a huge interest in constructing a plethora of DRB protocols differing in design and underlying primitives.

To the best of our knowledge, no systematic and comprehensive work systematizes and analyzes the existing DRB protocols. Therefore, we present a Systematization of Knowledge (SoK) intending to structure the multi-faced body of research on DRB protocols. In this SoK, we delineate the DRB protocols along the following axes: their underlying primitive, properties, and security. This SoK tries to fill that gap by providing basic standard definitions and requirements for DRB protocols, such as Unpredictability, Bias-resistance, Availability (or Liveness), and Public Verifiability. We classify DRB protocols according to the nature of interactivity among protocol participants. We also highlight the most significant features of DRB protocols such as scalability, complexity, and performance along with a brief discussion on its improvement. We present future research directions along with a few interesting research problems.


Notes

  1. We use node and participant interchangeably in protocols throughout the paper.

References

  1. Adida, B.: Helios: Web-based open-audit voting. In: USENIX Security Symposium. vol. 17, pp. 335–348 (2008)

  2. Azouvi, S., McCorry, P., Meiklejohn, S.: Winning the caucus race: continuous leader election via public randomness. arXiv preprint arXiv:1801.07965 (2018)

  3. Baigneres, T., Delerablée, C., Finiasz, M., Goubin, L., Lepoint, T., Rivain, M.: Trap me if you can-million dollar curve. IACR Cryptol. ePrint Arch. p. 1249 (2015)

  4. Baum, C., David, B., Dowsley, R.: Insured MPC: efficient secure computation with financial penalties. In: Bonneau, J., Heninger, N. (eds.) FC 2020. LNCS, vol. 12059, pp. 404–420. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51280-4_22

  5. Baum, C., David, B., Dowsley, R., Nielsen, J.B., Oechsner, S.: TARDIS: a foundation of time-lock puzzles in UC. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12698, pp. 429–459. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77883-5_15

  6. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73 (1993)

  7. Bentov, I., Gabizon, A., Zuckerman, D.: Bitcoin beacon. arXiv preprint arXiv:1605.04559 (2016)

  8. Bhat, A., Shrestha, N., Kate, A., Nayak, K.: Randpiper-reconfiguration-friendly random beacons with quadratic communication. IACR Cryptol. ePrint Arch. 2020, 1590 (2020)

  9. Blum, M.: Coin flipping by telephone a protocol for solving impossible problems. ACM SIGACT News 15(1), 23–27 (1983)

  10. Boneh, D.: The decision diffie-hellman problem. In: International Algorithmic Number Theory Symposium, pp. 48–63. Springer, Boston (1998). https://doi.org/10.1007/978-1-4419-5906-5_443

  11. Boneh, D., Bonneau, J., Bünz, B., Fisch, B.: Verifiable delay functions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 757–788. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_25

  12. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_30

  13. Bonneau, J., Clark, J., Goldfeder, S.: On bitcoin as a public randomness source. IACR Cryptol. ePrint Arch. 2015, 1015 (2015)

  14. Bünz, B., Goldfeder, S., Bonneau, J.: Proofs-of-delay and randomness beacons in ethereum. In: IEEE Security and Privacy on the blockchain (IEEE S&B) (2017)

  15. Buser, M., et al.: Post-quantum verifiable random function from symmetric primitives in POS blockchain. IACR Cryptol. ePrint Arch. 2021, 302 (2021)

  16. Cachin, C., Kursawe, K., Shoup, V.: Random oracles in constantinople: practical asynchronous byzantine agreement using cryptography. J. Cryptol. 18(3), 219–246 (2005)

  17. Cascudo, I., David, B.: SCRAPE: scalable randomness attested by public entities. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 537–556. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61204-1_27

  18. Cascudo, I., David, B.: ALBATROSS: publicly attestable batched randomness based on secret sharing. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12493, pp. 311–341. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_11

  19. Chavez-Saab, J., Henríquez, F.R., Tibouchi, M.: Verifiable isogeny walks: towards an isogeny-based postquantum VDF. Cryptology ePrint Archive, Report 2021/1289

  20. Cherniaeva, A., Shirobokov, I., Shlomovits, O.: Homomorphic encryption random beacon. IACR Cryptol. ePrint Arch. 2019, 1320 (2019)

  21. Clark, J., Hengartner, U.: On the use of financial data as a random beacon. In: EVT/WOTE. vol. 89 (2010)

  22. Corestar: Corestar arcade: Tendermint-based byzantine fault tolerant (BFT) middleware with an embedded BLS-based random beacon (2019)

  23. Croman, K., et al.: On scaling decentralized blockchains. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 106–125. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53357-4_8

  24. DAOBet: Daobet to deliver on-chain random beacon based on BLS cryptography (2019). https://daobet.org/blog/on-chain-random-generator/

  25. Das, S., Krishnan, V., Isaac, I.M., Ren, L.: Spurt: scalable distributed randomness beacon with transparent setup. IACR Cryptol. ePrint Arch. 2021, 100 (2021)

  26. Das, S., Xiang, Z., Ren, L.: Asynchronous data dissemination and its applications. IACR Cryptol. ePrint Arch. (2021)

  27. David, B., Gaži, P., Kiayias, A., Russell, A.: Ouroboros Praos: an adaptively-secure, semi-synchronous proof-of-stake blockchain. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 66–98. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_3

  28. Dimakis, A.G., Godfrey, P.B., Wu, Y., Wainwright, M.J., Ramchandran, K.: Network coding for distributed storage systems. IEEE Trans. Inf. Theory 56(9), 4539–4551 (2010). https://doi.org/10.1109/TIT.2010.2054295

  29. Dodis, Y.: Efficient construction of (distributed) verifiable random functions. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 1–17. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_1

  30. Drake, J.: Minimal VDF randomness beacon. Ethereum Research (2018)

  31. drand: Drand - a distributed randomness beacon daemon (2020). https://github.com/drand/drand

  32. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)

  33. Elrond, A.: Highly scalable public blockchain via adaptive state sharding and secure proof of stake (2019)

  34. Ephraim, N., Freitag, C., Komargodski, I., Pass, R.: Continuous verifiable delay functions. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 125–154. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_5

  35. Fetch.ai.: Distributed verifiable random functions: an enabler of decentralized random beacons (2020). https://github.com/fetchai/research-dvrf

  36. Galindo, D., Liu, J., Ordean, M., Wong, J.M.: Fully distributed verifiable random functions and their application to decentralised random beacons. IACR Cryptol. ePrint Arch. 2020, 96 (2020)

  37. Gennaro, R., Goldfeder, S., Narayanan, A.: Threshold-optimal DSA/ECDSA signatures and an application to bitcoin wallet security. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 156–174. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_9

  38. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. In: International Conference on the Theory and Applications of Cryptographic Techniques, pp. 295–310 (1999)

  39. Gilad, Y., Hemo, R., Micali, S., Vlachos, G., Zeldovich, N.: Algorand: Scaling byzantine agreements for cryptocurrencies. In: Proceedings of the 26th Symposium on Operating Systems Principles, pp. 51–68 (2017)

  40. Goel, S., Robson, M., Polte, M., Sirer, E.: Herbivore: a scalable and efficient protocol for anonymous communication. Cornell University, Tech. rep. (2003)

  41. Goulet, D., Kadianakis, G.: Random number generation during tor voting. In: Tor’s protocol specifications-Proposal, p. 250 (2015)

  42. Gurkan, K., Jovanovic, P., Maller, M., Meiklejohn, S., Stern, G., Tomescu, A.: Aggregatable distributed key generation. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 147–176. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_6

  43. Haahr, M.: Random.org: True Random Number Service. School of Computer Science and Statistics, Trinity College, Dublin, Ireland, p. 10 (2010)

  44. Han, R., Yu, J., Lin, H.: RandChain: decentralised randomness beacon from sequential proof-of-work. IACR Cryptol. ePrint Arch. 2020, 1033 (2020)

  45. Hanke, T., Movahedi, M., Williams, D.: Dfinity technology overview series, consensus system. arXiv preprint arXiv:1805.04548 (2018)

  46. Kelsey, J., Brandão, L.T., Peralta, R., Booth, H.: A reference for randomness beacons: Format and protocol version 2. Tech. rep, National Institute of Standards and Technology (2019)

  47. Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_12

  48. Kosba, A., Miller, A., Shi, E., Wen, Z., Papamanthou, C.: Hawk: The blockchain model of cryptography and privacy-preserving smart contracts. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 839–858 (2016)

  49. Lenstra, A.K., Wesolowski, B.: A random zoo: sloth, unicorn, and TRX. IACR Cryptol. ePrint Arch. 2015, 366 (2015)

  50. Li, Z., Tan, T.G., Szalachowski, P., Sharma, V., Zhou, J.: Post-quantum VRF and its applications in future-proof blockchain system (2021)

  51. LoE: League of entropy: Decentralized randomness beacon (2019). https://www.cloudflare.com/it-it/leagueofentropy/

  52. Loe, A.F., Medley, L., O’Connell, C., Quaglia, E.A.: A practical verifiable delay function and delay encryption scheme. Cryptology ePrint Archive (2021)

  53. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system. http://bitcoin.org/bitcoin.pdf (2009)

  54. Naor, O., Baudet, M., Malkhi, D., Spiegelman, A.: Cogsworth: Byzantine view synchronization. arXiv preprint arXiv:1909.05204 (2019)

  55. Nguyen-Van, T., et al.: Scalable distributed random number generation based on homomorphic encryption. In: 2019 IEEE International Conference on Blockchain (Blockchain), pp. 572–579. IEEE (2019)

  56. Oraclize.it: Provable random number generator. https://provable.xyz

  57. Pietrzak, K.: Simple verifiable delay functions. In: 10th Innovations in Theoretical Computer Science Conference (ITCS 2019) (2018)

  58. Rabin, M.O.: Transaction protection by beacons. J. Comput. Syst. Sci. 27(2), 256–267 (1983)

  59. Randao: Randao: A dao working as rng of ethereum, https://github.com/randao/randao. Accessed 1 Nov 2021

  60. Rashmi, K.V., Shah, N.B., Gu, D., Kuang, H., Borthakur, D., Ramchandran, K.: A solution to the network challenges of data recovery in erasure-coded distributed storage systems: a study on the facebook warehouse cluster. In: 5th USENIX Workshop on Hot Topics in Storage and File Systems, USENIX (2013)

  61. Reed, I.S., Solomon, G.: Polynomial codes over certain finite fields. J. Soc. Ind. Appl. Math. 8(2), 300–304 (1960)

  62. Mahmoody, M., Moran, T., Vadhan, S.: Time-lock puzzles in the random oracle model. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 39–50. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_3

  63. Rotem, L.: Simple and efficient batch verification techniques for verifiable delay functions. Cryptology ePrint Archive (2021)

  64. Schindler, P.: Hydrand. https://github.com/PhilippSchindler/hydrand

  65. Schindler, P., Judmayer, A., Hittmeir, M., Stifter, N., Weippl, E.: Randrunner: distributed randomness from trapdoor VDFs with strong uniqueness. IACR Cryptol. ePrint Arch. 2020, 942 (2020)

  66. Schindler, P., Judmayer, A., Stifter, N., Weippl, E.: Hydrand: efficient continuous distributed randomness. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 73–89. IEEE (2020)

  67. Schoenmakers, B.: A simple publicly verifiable secret sharing scheme and its application to electronic voting. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 148–164. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_10

  68. Shumow, D., Ferguson, N.: On the possibility of a back door in the NIST sp800-90 dual EC PRNG. In: Proceedings of the Cryptology, vol. 7 (2007)

  69. Syta, E., et al.: Scalable bias-resistant distributed randomness. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 444–460. IEEE (2017)

  70. Tomescu, A., et al.: Towards scalable threshold cryptosystems. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 877–893 (2020)

  71. Wang, G., Nixon, M.: Randchain: practical scalable decentralized randomness attested by blockchain. In: 2020 IEEE International Conference on Blockchain (Blockchain), pp. 442–449. IEEE (2020)

  72. Wesolowski, B.: Efficient verifiable delay functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 379–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_13

  73. Ye, M., Barg, A.: Explicit constructions of high-rate MDS array codes with optimal repair bandwidth. IEEE Trans. Inf. Theory 63(4), 2001–2014 (2017)

  74. Yin, M., Malkhi, D., Reiter, M.K., Gueta, G.G., Abraham, I.: HotStuff: BFT consensus with linearity and responsiveness. In: Proceedings of the 2019 ACM Symposium on Principles of Distributed Computing, pp. 347–356 (2019)

  75. Yurek, T., Luo, L., Fairoze, J., Kate, A., Miller, A.K.: hbACSS: how to robustly share many secrets. IACR Cryptol. ePrint Arch. 2021, 159 (2021)


Author information

Corresponding author

Correspondence to Mayank Raikwar.

Appendices

A Secure DRB Protocol

A DRB protocol is said to be secure if, for any probabilistic polynomial-time adversary \(\mathcal {A}\) corrupting at most t parties in a round e, \(\mathcal {A}\) has only negligible advantage in the following security game \(\mathcal {G}\) played between the adversary \(\mathcal {A}\) and a challenger \(\mathcal {C}\).

  1. \(\mathcal {C}\) executes the setup and sends the public parameters of the system to \(\mathcal {A}\).

  2. \(\mathcal {A}\) corrupts up to t participants and informs \(\mathcal {C}\) which t nodes are corrupted.

  3. \(\mathcal {C}\) creates the secret and public keys of the honest nodes and sends the public keys of the honest nodes to \(\mathcal {A}\).

  4. \(\mathcal {A}\) sends the remaining public parameters (e.g. public keys) of the t corrupted nodes to \(\mathcal {C}\).

  5. \(\mathcal {C}\) and \(\mathcal {A}\) run the protocol execution interactively per round, where:

     (a) \(\mathcal {C}\) sends all the honest participants’ messages to \(\mathcal {A}\).

     (b) \(\mathcal {A}\) decides on the delivery (sends / does not send) of the messages.

     (c) At the end of a round e, an honest node outputs the protocol transcript.

  6. \(\mathcal {C}\) samples a bit \(b \in \{0,1\}\) and sends either the DRB output computed from the transcript or a uniformly random element.

  7. \(\mathcal {A}\) makes a guess \(b'\); the advantage of \(\mathcal {A}\) is defined as \(|\Pr [b=b'] - \frac{1}{2}|\).

B Publicly Verifiable Secret Sharing (PVSS)

In a PVSS scheme, a dealer shares a randomly selected secret s among a set of n nodes using an \((n,t+1)\) threshold access structure. That is, the secret s can be recovered from any set of \(t+1\) valid shares, while t or fewer shares reveal nothing about it.

Definition 6

(PVSS): It is defined as a collection of the following algorithms:

  • \(\textsf{Setup}(\lambda )\): Given a security parameter \(\lambda \), generates the public parameters pp and a public-private key pair for each node, and outputs the public parameters and the public keys \((pp, pk)\). pp is an implicit input to all the other algorithms.

  • \(\textsf{Share}(s)\): For a randomly chosen secret s, the dealer creates the secret shares for each node \(\vec {S} = (s_1,s_2,\ldots ,s_n)\) along with the encryptions of the shares \(\vec {E} = (c_1,c_2,\ldots ,c_n)\), where \(c_i = Enc(s_i)\) is encrypted under node i's public key, and proofs of correct encryption \(\vec {\pi } = ({\pi }_1,{\pi }_2,\ldots ,{\pi }_n)\). It outputs \((\vec {S},\vec {E},\vec {\pi })\).

  • \(\textsf{Verify}(\vec {E}, \vec {\pi })\): Given the encrypted shares and the proofs, any external verifier \(\mathcal {V}\) can non-interactively verify that the sharing is correct. It outputs 0 or 1.

  • \(\textsf{Recon}(\vec {S})\): Given a valid set \(\vec {S} \subseteq {\{s_1,s_2,\ldots ,s_n\}}^{t+1}\) of \(t+1\) decrypted shares, it reconstructs the secret and outputs s.

Fig. 2. PVSS-based DRB protocols with and without leader

In a DRB protocol involving a leader, once the setup phase is completed, for the round e a leader election algorithm \(\textsf{LeaderElec}(e,O_{e-1},P_1, P_2, \ldots , P_n)\) is executed first and a leader \(L_e\) is selected. The election algorithm can be round-robin selection or sampling uniformly at random. The leader \(L_e\) chooses a secret value \(s_{L_e}\) (either a fresh value or a value committed in the previous round) and executes the PVSS scheme for the secret \(s_{L_e}\). At the end of round e, the DRB output \(O_e\) is generated from the reconstructed secret and the previous round's (or rounds') output value. Figure 2 depicts leader-based and non-leader-based DRB protocols. In the first sub-figure, a leader is elected, then the leader's secret is shared, and finally the beacon output is produced. In the second sub-figure, all participants randomly choose secrets at the start of the round and then send the encrypted shares of their secrets to all the other participants. In the final stage, the first n-t reconstructed (or decrypted) shares are used to obtain the beacon output.

Definition 7

(PVSS-based Interactive Decentralized Randomness Beacon (I-DRB)) Given a set of participants \(\mathcal {P} = (P_1, P_2, \ldots , P_n)\), a PVSS-based I-DRB without a leader can be defined as a tuple \(\mathcal {B}\) of polynomial-time algorithms:

\(\mathcal {B} = (\textsf{Setup, Share, Verify, Recon, Aggregation})\)

  • \(\textsf{Setup}(e,\lambda )\): Set the round \(e = 1\). Run \(\mathsf {PVSS.Setup}(\lambda )\) and generate public parameter pp and key-pairs \((sk_i,pk_i)\) for each participant.

  • \(\textsf{Share}(e)\): For a round e, each participant \(P_i\) runs \(\mathsf {PVSS.Share}(s_i)\) for a randomly chosen value \(s_i\) from the input space and gets \((\vec {S}_i,\vec {E}_i,\vec {\pi }_i)\). \(P_i\) shares the encrypted shares and corresponding proofs \((\vec {E}_i,\vec {\pi }_i)\) with other participants.

  • \(\textsf{Verify}(e,\{\vec {E},\vec {\pi }\})\): Each party \(P_j\) runs the share verification algorithm \(\mathsf {PVSS.Verify} (\vec {E}_i,\vec {\pi }_i); \forall i, i\ne j \) on every shared secret. Let \(\mathcal {C}\) be the set of first \(n-t\) participants who have correctly shared their random secret values.

  • \(\textsf{Recon}(e,\{\vec {S}_i\})\): Each party \(P_i\) in \(\mathcal {C}\) opens its Shamir secret \(s_i\) together with the randomness used, and the other participants \(P_j; \forall j, j\ne i\) verify that the opening is consistent with the sharing posted during the \(\textsf{Share}\) phase. If a party \(P_i\) refuses to open its secret \(s_i\), the secret is reconstructed by executing \(\mathsf {PVSS.Recon}(\vec {S}_i)\) on the decrypted shares held by the other parties, so a withholding party cannot bias the output.

  • \(\textsf{Aggregation}(e,\{s_i\})\): Once the valid opened or reconstructed secrets of all parties \(P_i \in \mathcal {C}\) are available, the beacon output is generated by executing a function f on the set of valid secrets \(\{s_i\}\). This function f takes all the valid secrets \(\{s_i\}\) (and optionally the previous beacon outputs) as input and aggregates them to produce the beacon output \(O_e\) for round e.
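As an added illustration (not code from the paper), one leaderless round of the I-DRB of Definition 7 in Python: Share, Verify, Recon with a dealer that refuses to open, and Aggregation. It assumes Feldman commitments over a small constructed Schnorr group in place of a real PVSS's encrypted shares and proofs of correct encryption, so shares are verifiable against the commitments but not publicly encrypted; all parameters are toy values.

```python
"""Toy leaderless PVSS-style DRB round (Share / Verify / Recon / Aggregation).
Assumption: Feldman commitments stand in for PVSS encryption + proofs, and the
group parameters are small constructed values (needs Python 3.8+ for pow(x, -1, m))."""
import hashlib
import secrets

P = 1019           # constructed toy safe prime, P = 2*Q + 1
Q = 509            # prime order of the commitment subgroup; shares live in Z_Q
G = pow(2, 2, P)   # a quadratic residue mod P, hence a generator of order Q
assert pow(G, Q, P) == 1


def share(secret, n, t):
    """Shamir-share `secret` among n parties with threshold t+1; return the
    shares {i: f(i)} and Feldman commitments G^a_j to the coefficients of f."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t)]
    shares = {}
    for i in range(1, n + 1):
        val = 0
        for a in reversed(coeffs):        # Horner evaluation of f(i) in Z_Q
            val = (val * i + a) % Q
        shares[i] = val
    commits = [pow(G, a, P) for a in coeffs]
    return shares, commits


def verify_share(i, s_i, commits):
    """Anyone holding the commitments can check G^s_i == prod_j C_j^(i^j), i.e. s_i = f(i)."""
    rhs = 1
    for j, c in enumerate(commits):
        rhs = rhs * pow(c, pow(i, j, Q), P) % P
    return pow(G, s_i, P) == rhs


def reconstruct(points):
    """Lagrange-interpolate f(0) in Z_Q from t+1 points {x: f(x)}."""
    s = 0
    for i, y in points.items():
        num, den = 1, 1
        for j in points:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        s = (s + y * num * pow(den, -1, Q)) % Q
    return s


def aggregate(prev_output, opened):
    """Aggregation function f: hash of the previous output and all opened secrets."""
    h = hashlib.sha256(prev_output)
    for i in sorted(opened):
        h.update(i.to_bytes(2, "big") + opened[i].to_bytes(2, "big"))
    return h.digest()


def beacon_round(n, t, prev_output, withholding=frozenset()):
    """One round with n dealers, at most t faulty.  Dealers in `withholding`
    refuse to open their secret; the others reconstruct it from t+1 shares."""
    dealings = {}
    for i in range(1, n + 1):                      # Share phase
        s_i = secrets.randbelow(Q)
        dealings[i] = (s_i, *share(s_i, n, t))
    C = []                                         # Verify phase: first n-t valid dealers
    for i, (_, shares, commits) in dealings.items():
        if all(verify_share(k, s, commits) for k, s in shares.items()):
            C.append(i)
        if len(C) == n - t:
            break
    opened = {}                                    # Recon phase
    for i in C:
        s_i, shares, commits = dealings[i]
        if i in withholding:
            holders = [k for k in shares if k != i][: t + 1]
            opened[i] = reconstruct({k: shares[k] for k in holders})
        else:
            assert pow(G, s_i, P) == commits[0]    # opening must match the commitment
            opened[i] = s_i
    committed = {i: dealings[i][0] for i in C}     # returned only so a caller can audit
    return aggregate(prev_output, opened), opened, committed
```

The withholding dealer's secret is recovered exactly from any t+1 honest shares, so refusing to open changes nothing about the round's output.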

C Verifiable Delay Function (VDF)

Verifiable delay function \(f : \mathcal {X} \rightarrow \mathcal {Y}\) was defined formally by Boneh et al. [11]. After the introduction of VDF, two new proposals [57, 72] were presented. A VDF has properties of Sequentiality, Uniqueness and \(\epsilon \)-Evaluation time.

Definition 8

(VDF): A VDF is defined as a tuple of the following algorithms:

  • \(\textsf{Setup}(\lambda , T)\): A randomized algorithm that takes a security parameter \(\lambda \) and a time parameter T and outputs the public parameters \(pp := (\mathbb {G}, N, H, T)\), where \(\mathbb {G}\) is a finite abelian group of unknown order, N is an RSA modulus, and \(H: \mathcal {X} \rightarrow \mathbb {G}\) is a hash function.

  • \(\textsf{Eval}({pp}, x, T)\): The evaluation algorithm applies T sequential squarings in \(\mathbb {G}\) starting from H(x) and outputs the value \(y\leftarrow H(x)^{\left( 2^{T} \right) } \textsf{mod}\,N\), along with a proof \(\pi \).

  • \(\textsf{Verify}({pp}, x, y, \pi , T)\): The verification algorithm outputs a bit \(\in \{0,1\}\), given the public parameters \(\textsf{pp}\), input value x, output value y, proof \(\pi \), and time parameter T.
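An added example, not from the paper: Eval and Verify for the repeated-squaring VDF above in Python, with a Wesolowski-style proof [72] so that verification costs two small exponentiations rather than T squarings. It assumes a constructed toy modulus N whose factorization is known (a real deployment needs a group of unknown order) and a hash-to-prime built from SHA-256 plus a Miller-Rabin test.

```python
"""Toy repeated-squaring VDF with a Wesolowski-style proof.
Assumption: N is a constructed toy modulus; its factorization is known, so this
is a demonstration of the algorithms, not a secure instance."""
import hashlib

N = 1000003 * 1000033   # constructed; real N must have unknown factorization


def _is_prime(n):
    """Deterministic Miller-Rabin, valid for n < 2**64."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def hash_to_group(x: bytes) -> int:
    """H: X -> Z_N^*, mapping the input into 2..N-2."""
    return 2 + int.from_bytes(hashlib.sha256(x).digest(), "big") % (N - 3)


def hash_to_prime(g: int, y: int) -> int:
    """Fiat-Shamir challenge: a 64-bit prime derived from (g, y)."""
    data = g.to_bytes(8, "big") + y.to_bytes(8, "big")
    l = int.from_bytes(hashlib.sha256(data).digest()[:8], "big") | 1
    while not _is_prime(l):
        l += 2
    return l


def vdf_eval(x: bytes, T: int):
    """Eval: y = H(x)^(2^T) mod N by T sequential squarings, plus proof pi = g^(2^T div l)."""
    g = hash_to_group(x)
    y = g
    for _ in range(T):          # inherently sequential without N's factorization
        y = y * y % N
    l = hash_to_prime(g, y)
    pi = pow(g, (1 << T) // l, N)
    return y, pi


def vdf_verify(x: bytes, y: int, pi: int, T: int) -> bool:
    """Verify: since 2^T = q*l + r, y must equal pi^l * g^r with r = 2^T mod l."""
    g = hash_to_group(x)
    l = hash_to_prime(g, y)
    r = pow(2, T, l)
    return pow(pi, l, N) * pow(g, r, N) % N == y
```

Verification is independent of T apart from computing \(2^T \bmod l\), which is what makes a VDF output cheap to check but slow to produce.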

D Verifiable Random Function (VRF)

VRF has properties of Uniqueness, Collision resistance and Pseudorandomness.

Definition 9

(VRF): A VRF is defined as a tuple of the following algorithms:

  • \(\textsf{KeyGen}(r)\): On input value r, the algorithm generates a secret key sk and a verification key vk.

  • \(\textsf{Eval}(sk, M)\): Evaluation algorithm produces pseudorandom output O and the corresponding proof \(\pi \) on input sk and a message M.

  • \(\textsf{Verify}(vk, M, O, \pi )\): Verify algorithm outputs 1 if and only if the output produced by evaluation algorithm is O and it is verified by the proof \(\pi \) given the verification key vk and the message M.

E Homomorphic Encryption (HE)

Definition 10

(HE): An HE scheme is defined as a set of the following algorithms:

  • \(\textsf{Setup}(1^{\lambda })\): Given a security parameter \(\lambda \), output global parameters params.

  • \(\textsf{KeyGen}(params) \): Given the global parameters params, output a public-private key pair \((pk, sk)\).

  • \(\textsf{Enc}(params, pk,\mu )\): Given a message \(\mu \in R_\mathcal {M}\), output a ciphertext c.

  • \(\textsf{Dec}(params, sk, c)\): Given a ciphertext c, output a message \(\mu ^* \in R_\mathcal {M}\).

  • \(\textsf{Eval}(pk, f , c_1 , \ldots , c_l )\): Given a public key pk, a function \(f : R_\mathcal {M}^l \rightarrow R_\mathcal {M}\) expressed as an arithmetic circuit over \(R_\mathcal {M}\), and a set of l ciphertexts \(c_1 , \ldots , c_l \), output a ciphertext \(c_f\).

In the above scheme, the message space \(\mathcal {M}\) of the encryption scheme is a ring \(R_\mathcal {M}\), and the functions to be evaluated are represented as arithmetic circuits over this ring, composed of addition and multiplication gates. HE can be categorized into: Partially HE, which supports only addition or only multiplication; Somewhat HE, which allows both operations but only a limited number of times; and Fully HE, which supports arbitrary computation by allowing both operations an unlimited number of times.

F Hybrid DRB Protocols

There are many more DRB protocols. Some of these protocols use more than one crypto primitive to achieve all DRB properties with better efficiency/optimization.

  • Mt. Random (PVSS + T(VRF))(eprint 2021/1096): It is a multi-tiered DRB protocol that combines PVSS, VRF, and Threshold VRF (TVRF) to construct a DRB with optimal efficiency and without compromising security guarantees of DRB. It is a flexible architecture for DRB where each tier runs a separate beacon based on PVSS, VRF, and TVRF, and output of one tier works as a seed for the next tier. Being constructed using different crypto-primitives, each tier differs in the provided randomness and complexity. Due to that, a high-level application can decide on which tier to use to obtain randomness.

  • Harmony (VRF + VDF)(https://harmony.one/whitepaper.pdf): Harmony is a sharding-based, provably secure, and scalable blockchain. In Harmony, nodes compute local entropy by executing VRF using their secret keys. DRB output is computed using VDF where the input for the VDF is constructed from a threshold number of VRF evaluations from pairwise different nodes. DRB output is made pseudorandom by applying a random oracle on VDF output.

  • CRAFT (TLP + VDF)(eprint 2020/784): Baum et al. first construct a UC-secure publicly verifiable TLP and a UC-secure VDF. To construct a DRB, they replace the commitments in the standard commit-reveal coin-tossing protocol with the UC-secure TLP. Their construction achieves \(\textsf{O}(n)\) communication to generate a DRB output. The DRB output can be obtained as fast as the communication channel delay allows when nodes communicate their TLPs quickly.

  • VeeDo (STARK+VDF)(https://github.com/starkware-libs/veedo): It is based on a STARK-based VDF. STARK is a post-quantum secure zero-knowledge proof protocol. VeeDo is a smart-contract-based DRB where a beacon smart contract and a verifier smart contract are placed on-chain. However, the heavy computational parts involving the VDF and the STARK prover are kept off-chain. A VDF is run on a seed s derived from a block hash to compute the DRB output, and a proof is computed using the STARK prover. The VDF output and the proof are sent to the on-chain contracts for verification and subsequent publishing.

  • STROBE (RSA-based)(eprint 2021/1643): It is a history-generating DRB (HGDRB). It allows efficient generation of previous beacon outputs given only the current beacon value and the public key. It is based on the origin-squaring-based RSA approach of Beaver. It is well suited for practical applications, especially in streaming designs, where it allows client software to generate game states by computing every missing beacon value and state. It is NIZK-free, concisely self-verifying, and can be efficiently used in blockchain and voting systems.

  • OptRand (Bilinear pairing-based PVSS + NIZK)(eprint 2022/193): It is an optimally responsive DRB protocol. It employs a pairing-based PVSS scheme together with a NIZK proof system to produce DRB outputs. Despite assuming a synchronous network, it can respond optimally and make progress at actual network speed; therefore, OptRand provides availability at network speed under optimistic conditions. It is reconfiguration-friendly and has low communication complexity and low latency while generating beacon outputs.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Raikwar, M., Gligoroski, D. (2022). SoK: Decentralized Randomness Beacon Protocols. In: Nguyen, K., Yang, G., Guo, F., Susilo, W. (eds) Information Security and Privacy. ACISP 2022. Lecture Notes in Computer Science, vol 13494. Springer, Cham. https://doi.org/10.1007/978-3-031-22301-3_21


  • DOI: https://doi.org/10.1007/978-3-031-22301-3_21


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22300-6

  • Online ISBN: 978-3-031-22301-3
