Abstract
The scientific interest in the area of Decentralized Randomness Beacon (DRB) protocols has been thriving recently. Partially, that interest is due to the success of the disruptive technologies introduced by modern cryptography, such as cryptocurrencies, blockchain technologies, and decentralized finance, where there is an enormous need for a public, reliable, trusted, verifiable, and distributed source of randomness. On the other hand, recent advances in the development of new cryptographic primitives have brought a huge interest in constructing a plethora of DRB protocols differing in design and underlying primitives.
To the best of our knowledge, no systematic and comprehensive work systematizes and analyzes the existing DRB protocols. Therefore, we present a Systematization of Knowledge (SoK) intended to structure the multi-faceted body of research on DRB protocols. In this SoK, we delineate the DRB protocols along the following axes: their underlying primitive, properties, and security. This SoK tries to fill that gap by providing basic standard definitions and requirements for DRB protocols, such as Unpredictability, Bias-resistance, Availability (or Liveness), and Public Verifiability. We classify DRB protocols according to the nature of interactivity among protocol participants. We also highlight the most significant features of DRB protocols, such as scalability, complexity, and performance, along with a brief discussion on their improvement. We present future research directions along with a few interesting research problems.
Notes
1. We use node and participant interchangeably in protocols throughout the paper.
References
Adida, B.: Helios: Web-based open-audit voting. In: USENIX Security Symposium. vol. 17, pp. 335–348 (2008)
Azouvi, S., McCorry, P., Meiklejohn, S.: Winning the caucus race: continuous leader election via public randomness. arXiv preprint arXiv:1801.07965 (2018)
Baigneres, T., Delerablée, C., Finiasz, M., Goubin, L., Lepoint, T., Rivain, M.: Trap me if you can-million dollar curve. IACR Cryptol. ePrint Arch. p. 1249 (2015)
Baum, C., David, B., Dowsley, R.: Insured MPC: efficient secure computation with financial penalties. In: Bonneau, J., Heninger, N. (eds.) FC 2020. LNCS, vol. 12059, pp. 404–420. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51280-4_22
Baum, C., David, B., Dowsley, R., Nielsen, J.B., Oechsner, S.: TARDIS: a foundation of time-lock puzzles in UC. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12698, pp. 429–459. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77883-5_15
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73 (1993)
Bentov, I., Gabizon, A., Zuckerman, D.: Bitcoin beacon. arXiv preprint arXiv:1605.04559 (2016)
Bhat, A., Shrestha, N., Kate, A., Nayak, K.: RandPiper - reconfiguration-friendly random beacons with quadratic communication. IACR Cryptol. ePrint Arch. 2020, 1590 (2020)
Blum, M.: Coin flipping by telephone a protocol for solving impossible problems. ACM SIGACT News 15(1), 23–27 (1983)
Boneh, D.: The decision diffie-hellman problem. In: International Algorithmic Number Theory Symposium, pp. 48–63. Springer, Boston (1998). https://doi.org/10.1007/978-1-4419-5906-5_443
Boneh, D., Bonneau, J., Bünz, B., Fisch, B.: Verifiable delay functions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 757–788. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_25
Boneh, D., Lynn, B., Shacham, H.: Short signatures from the weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_30
Bonneau, J., Clark, J., Goldfeder, S.: On bitcoin as a public randomness source. IACR Cryptol. ePrint Arch. 2015, 1015 (2015)
Bünz, B., Goldfeder, S., Bonneau, J.: Proofs-of-delay and randomness beacons in Ethereum. In: IEEE Security and Privacy on the Blockchain (IEEE S&B) (2017)
Buser, M., et al.: Post-quantum verifiable random function from symmetric primitives in POS blockchain. IACR Cryptol. ePrint Arch. 2021, 302 (2021)
Cachin, C., Kursawe, K., Shoup, V.: Random oracles in constantinople: practical asynchronous byzantine agreement using cryptography. J. Cryptol. 18(3), 219–246 (2005)
Cascudo, I., David, B.: SCRAPE: scalable randomness attested by public entities. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 537–556. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61204-1_27
Cascudo, I., David, B.: ALBATROSS: publicly attestable batched randomness based on secret sharing. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12493, pp. 311–341. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_11
Chavez-Saab, J., Henríquez, F.R., Tibouchi, M.: Verifiable isogeny walks: towards an isogeny-based postquantum VDF. Cryptology ePrint Archive, Report 2021/1289
Cherniaeva, A., Shirobokov, I., Shlomovits, O.: Homomorphic encryption random beacon. IACR Cryptol. ePrint Arch. 2019, 1320 (2019)
Clark, J., Hengartner, U.: On the use of financial data as a random beacon. In: EVT/WOTE. vol. 89 (2010)
Corestar: Corestar arcade: Tendermint-based byzantine fault tolerant (BFT) middleware with an embedded BLS-based random beacon (2019)
Croman, K., et al.: On scaling decentralized blockchains. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 106–125. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53357-4_8
DAOBet: Daobet to deliver on-chain random beacon based on BLS cryptography (2019). https://daobet.org/blog/on-chain-random-generator/
Das, S., Krishnan, V., Isaac, I.M., Ren, L.: Spurt: scalable distributed randomness beacon with transparent setup. IACR Cryptol. ePrint Arch. 2021, 100 (2021)
Das, S., Xiang, Z., Ren, L.: Asynchronous data dissemination and its applications. IACR Cryptol. ePrint Arch. (2021)
David, B., Gaži, P., Kiayias, A., Russell, A.: Ouroboros Praos: an adaptively-secure, semi-synchronous proof-of-stake blockchain. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 66–98. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_3
Dimakis, A.G., Godfrey, P.B., Wu, Y., Wainwright, M.J., Ramchandran, K.: Network coding for distributed storage systems. IEEE Trans. Inf. Theory 56(9), 4539–4551 (2010). https://doi.org/10.1109/TIT.2010.2054295
Dodis, Y.: Efficient construction of (distributed) verifiable random functions. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 1–17. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_1
Drake, J.: Minimal VDF randomness beacon. Ethereum Research (2018)
drand: Drand - a distributed randomness beacon daemon (2020). https://github.com/drand/drand
ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)
Elrond, A.: Highly scalable public blockchain via adaptive state sharding and secure proof of stake (2019)
Ephraim, N., Freitag, C., Komargodski, I., Pass, R.: Continuous verifiable delay functions. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 125–154. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_5
Fetch.ai.: Distributed verifiable random functions: an enabler of decentralized random beacons (2020). https://github.com/fetchai/research-dvrf
Galindo, D., Liu, J., Ordean, M., Wong, J.M.: Fully distributed verifiable random functions and their application to decentralised random beacons. IACR Cryptol. ePrint Arch. 2020, 96 (2020)
Gennaro, R., Goldfeder, S., Narayanan, A.: Threshold-optimal DSA/ECDSA signatures and an application to bitcoin wallet security. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 156–174. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_9
Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. In: International Conference on the Theory and Applications of Cryptographic Techniques, pp. 295–310 (1999)
Gilad, Y., Hemo, R., Micali, S., Vlachos, G., Zeldovich, N.: Algorand: Scaling byzantine agreements for cryptocurrencies. In: Proceedings of the 26th Symposium on Operating Systems Principles, pp. 51–68 (2017)
Goel, S., Robson, M., Polte, M., Sirer, E.: Herbivore: a scalable and efficient protocol for anonymous communication. Cornell University, Tech. rep. (2003)
Goulet, D., Kadianakis, G.: Random number generation during tor voting. In: Tor’s protocol specifications-Proposal, p. 250 (2015)
Gurkan, K., Jovanovic, P., Maller, M., Meiklejohn, S., Stern, G., Tomescu, A.: Aggregatable distributed key generation. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 147–176. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_6
Haahr, M.: Random.org: True Random Number Service. School of Computer Science and Statistics, Trinity College, Dublin, Ireland, p. 10 (2010)
Han, R., Yu, J., Lin, H.: RandChain: decentralised randomness beacon from sequential proof-of-work. IACR Cryptol. ePrint Arch. 2020, 1033 (2020)
Hanke, T., Movahedi, M., Williams, D.: Dfinity technology overview series, consensus system. arXiv preprint arXiv:1805.04548 (2018)
Kelsey, J., Brandão, L.T., Peralta, R., Booth, H.: A reference for randomness beacons: Format and protocol version 2. Tech. rep, National Institute of Standards and Technology (2019)
Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_12
Kosba, A., Miller, A., Shi, E., Wen, Z., Papamanthou, C.: Hawk: The blockchain model of cryptography and privacy-preserving smart contracts. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 839–858 (2016)
Lenstra, A.K., Wesolowski, B.: A random zoo: sloth, unicorn, and TRX. IACR Cryptol. ePrint Arch. 2015, 366 (2015)
Li, Z., Tan, T.G., Szalachowski, P., Sharma, V., Zhou, J.: Post-quantum VRF and its applications in future-proof blockchain system (2021)
LoE: League of Entropy: decentralized randomness beacon (2019). https://www.cloudflare.com/it-it/leagueofentropy/
Loe, A.F., Medley, L., O’Connell, C., Quaglia, E.A.: A practical verifiable delay function and delay encryption scheme. Cryptology ePrint Archive (2021)
Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system. http://bitcoin.org/bitcoin.pdf (2009)
Naor, O., Baudet, M., Malkhi, D., Spiegelman, A.: Cogsworth: Byzantine view synchronization. arXiv preprint arXiv:1909.05204 (2019)
Nguyen-Van, T., et al.: Scalable distributed random number generation based on homomorphic encryption. In: 2019 IEEE International Conference on Blockchain (Blockchain), pp. 572–579. IEEE (2019)
Oraclize.it: Provable random number generator. https://provable.xyz
Pietrzak, K.: Simple verifiable delay functions. In: 10th Innovations in Theoretical Computer Science Conference (ITCS 2019) (2018)
Rabin, M.O.: Transaction protection by beacons. J. Comput. Syst. Sci. 27(2), 256–267 (1983)
Randao: Randao: a DAO working as RNG of Ethereum. https://github.com/randao/randao. Accessed 1 Nov 2021
Rashmi, K.V., Shah, N.B., Gu, D., Kuang, H., Borthakur, D., Ramchandran, K.: A solution to the network challenges of data recovery in erasure-coded distributed storage systems: a study on the facebook warehouse cluster. In: 5th USENIX Workshop on Hot Topics in Storage and File Systems, USENIX (2013)
Reed, I.S., Solomon, G.: Polynomial codes over certain finite fields. J. Soc. Ind. Appl. Math. 8(2), 300–304 (1960)
Mahmoody, M., Moran, T., Vadhan, S.: Time-lock puzzles in the random oracle model. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 39–50. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_3
Rotem, L.: Simple and efficient batch verification techniques for verifiable delay functions. Cryptology ePrint Archive (2021)
Schindler, P.: Hydrand. https://github.com/PhilippSchindler/hydrand
Schindler, P., Judmayer, A., Hittmeir, M., Stifter, N., Weippl, E.: Randrunner: distributed randomness from trapdoor VDFs with strong uniqueness. IACR Cryptol. ePrint Arch. 2020, 942 (2020)
Schindler, P., Judmayer, A., Stifter, N., Weippl, E.: Hydrand: efficient continuous distributed randomness. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 73–89. IEEE (2020)
Schoenmakers, B.: A simple publicly verifiable secret sharing scheme and its application to electronic voting. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 148–164. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_10
Shumow, D., Ferguson, N.: On the possibility of a back door in the NIST SP800-90 Dual EC PRNG. In: Proceedings of the Cryptology, vol. 7 (2007)
Syta, E., et al.: Scalable bias-resistant distributed randomness. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 444–460. IEEE (2017)
Tomescu, A., et al.: Towards scalable threshold cryptosystems. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 877–893 (2020)
Wang, G., Nixon, M.: Randchain: practical scalable decentralized randomness attested by blockchain. In: 2020 IEEE International Conference on Blockchain (Blockchain), pp. 442–449. IEEE (2020)
Wesolowski, B.: Efficient verifiable delay functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 379–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_13
Ye, M., Barg, A.: Explicit constructions of high-rate MDS array codes with optimal repair bandwidth. IEEE Trans. Inf. Theory 63(4), 2001–2014 (2017)
Yin, M., Malkhi, D., Reiter, M.K., Gueta, G.G., Abraham, I.: HotStuff: BFT consensus with linearity and responsiveness. In: Proceedings of the 2019 ACM Symposium on Principles of Distributed Computing, pp. 347–356 (2019)
Yurek, T., Luo, L., Fairoze, J., Kate, A., Miller, A.K.: hbACSS: how to robustly share many secrets. IACR Cryptol. ePrint Arch. 2021, 159 (2021)
Appendices
A Secure DRB Protocol
A DRB protocol is said to be secure if, for any probabilistic polynomial-time adversary \(\mathcal {A}\) corrupting at most t parties in a round e, \(\mathcal {A}\) has negligible advantage in the following security game \(\mathcal {G}\) played between the adversary \(\mathcal {A}\) and a challenger \(\mathcal {C}\).
1. \(\mathcal {C}\) executes the setup and sends the public parameters of the system to \(\mathcal {A}\).
2. \(\mathcal {A}\) corrupts up to t participants and informs \(\mathcal {C}\) which t nodes are corrupted.
3. \(\mathcal {C}\) creates the secret and public keys of the honest nodes and sends the public keys of the honest nodes to \(\mathcal {A}\).
4. \(\mathcal {A}\) sends the remaining public parameters (e.g. public keys) of the t corrupted nodes to \(\mathcal {C}\).
5. \(\mathcal {C}\) and \(\mathcal {A}\) run the protocol execution interactively per round, where:
   (a) \(\mathcal {C}\) sends all the honest participants’ messages to \(\mathcal {A}\).
   (b) \(\mathcal {A}\) decides on the delivery (sends / does not send) of the messages.
   (c) At the end of round e, an honest node outputs the protocol transcript.
6. \(\mathcal {C}\) samples a bit \(b \in \{0,1\}\) and, depending on b, sends either the DRB output computed from the transcript or a uniformly random element.
7. \(\mathcal {A}\) outputs a guess \(b'\); the advantage of \(\mathcal {A}\) is defined as \(|\Pr [b=b'] - \frac{1}{2}|\).
B Publicly Verifiable Secret Sharing (PVSS)
In a PVSS scheme, a dealer shares a randomly selected secret s among a set of n nodes using an \((n,t+1)\) threshold access structure. That is, the secret s can be recovered from any set of \(t+1\) valid shares.
Definition 6
(PVSS): A PVSS scheme is defined as a collection of the following algorithms:
- \(\textsf{Setup}(\lambda )\): Given a security parameter \(\lambda \), generate the public parameters pp and a public-private key pair for each node, and output the public parameters and public keys (pp, pk). pp is an implicit input to all the other algorithms.
- \(\textsf{Share}(s)\): For a randomly chosen secret s, the dealer creates the secret shares for each node \(\vec {S} = (s_1,s_2,\ldots ,s_n)\), together with the encryptions of the shares \(\vec {E} = (c_1,c_2,\ldots ,c_n)\), where \(c_i = Enc(s_i)\), and proofs of correct encryption \(\vec {\pi } = ({\pi }_1,{\pi }_2,\ldots ,{\pi }_n)\). It outputs \((\vec {S},\vec {E},\vec {\pi })\).
- \(\textsf{Verify}(\vec {E}, \vec {\pi })\): Given the encrypted shares and the proofs, any external verifier \(\mathcal {V}\) can non-interactively check whether the sharing is correct. It outputs 0 or 1.
- \(\textsf{Recon}(\vec {S})\): Given a valid set \(\vec {S} \subseteq {\{s_1,s_2,\ldots ,s_n\}}^{t+1}\) of \(t+1\) decrypted shares, it reconstructs the secret and outputs s.
In a DRB protocol involving a leader, once the setup phase is completed, for round e a leader election algorithm \(\textsf{LeaderElec}(e,O_{e-1},P_1, P_2, \ldots , P_n)\) is first executed and a leader \(L_e\) is selected. The election algorithm can be round-robin selection or sampling uniformly at random. The leader \(L_e\) chooses a secret value \(s_{L_e}\) (either a fresh value or a value committed to in the previous round) and executes the PVSS scheme for the secret \(s_{L_e}\). At the end of round e, the DRB output \(O_e\) is generated from the reconstructed secret and the output of the previous round (or rounds). Figure 2 depicts leader-based and non-leader-based DRB protocols. In the first sub-figure, a leader is elected, then the leader's secret is shared, and the beacon output is produced. In the second sub-figure, all participants randomly choose secrets at the start of the round and then send the encrypted shares of their secrets to all other participants. In the final stage, the first n-t reconstructed (or decrypted) secrets are used to obtain the beacon output.
Definition 7
(PVSS-based Interactive Decentralized Randomness Beacon (I-DRB)): Given a set of participants \(\mathcal {P} = (P_1, P_2, \ldots , P_n)\), a PVSS-based I-DRB without a leader can be defined as a tuple \(\mathcal {B}\) of polynomial-time algorithms:
\(\mathcal {B} = (\textsf{Setup, Share, Verify, Recon, Aggregation})\)
- \(\textsf{Setup}(e,\lambda )\): Set the round \(e = 1\). Run \(\mathsf {PVSS.Setup}(\lambda )\) to generate the public parameters pp and a key pair \((sk_i,pk_i)\) for each participant.
- \(\textsf{Share}(e)\): For a round e, each participant \(P_i\) runs \(\mathsf {PVSS.Share}(s_i)\) for a value \(s_i\) chosen uniformly at random from the input space and obtains \((\vec {S}_i,\vec {E}_i,\vec {\pi }_i)\). \(P_i\) sends the encrypted shares and the corresponding proofs \((\vec {E}_i,\vec {\pi }_i)\) to the other participants.
- \(\textsf{Verify}(e,\{\vec {E},\vec {\pi }\})\): Each party \(P_j\) runs the share verification algorithm \(\mathsf {PVSS.Verify} (\vec {E}_i,\vec {\pi }_i)\) for all \(i \ne j\), i.e. on every shared secret. Let \(\mathcal {C}\) be the set of the first \(n-t\) participants who have correctly shared their random secret values.
- \(\textsf{Recon}(e,\{\vec {S}_i\})\): Each party \(P_i \in \mathcal {C}\) opens its Shamir secret \(s_i\) and the randomness used; every other participant \(P_j\), \(j\ne i\), verifies that the opening is consistent with the sharing posted during the \(\textsf{Share}\) phase. If a party \(P_i\) refuses to open its secret \(s_i\), the secret is reconstructed by executing \(\mathsf {PVSS.Recon}(\vec {S}_i)\).
- \(\textsf{Aggregation}(e,\{s_i\})\): Once the valid decrypted or reconstructed shares \(\{s_i\}\) are available for all parties \(P_i \in \mathcal {C}\), the beacon output is generated by executing a function f on the set of valid shares. This function f takes all the valid shares \(\{s_i\}\) (and, additionally, previous beacon outputs) as input and aggregates these values into the beacon output \(O_e\) for round e.
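The following Python program is an added example written for this page; it is not code from the paper or from any DRB project. It instantiates Definition 6 with a Schoenmakers-style PVSS [78] (Shamir sharing, ElGamal-style encrypted shares and Chaum-Pedersen DLEQ proofs) and then runs one leaderless round of Definition 7 on top of it. The group is a toy safe-prime group found by a deterministic search at import time and the dealers' secrets are passed in for reproducibility; the function names (pvss_share, pvss_verify, pvss_decrypt, pvss_recon, aggregate, beacon_round), the choice of SHA-256 as the aggregation function f, and the parameter sizes are all assumptions of this example.

```python
import hashlib
import secrets

# Toy discrete-log group (constructed, far too small for real use): a safe prime P = 2Q + 1
# found by deterministic search; the subgroup of squares has prime order Q.
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_prime(n):
    """Miller-Rabin; deterministic for n < 3.3e24 with these bases."""
    if n < 2 or any(n % b == 0 for b in _BASES):
        return n in _BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        # composite witness: x is neither +-1 and never reaches -1 while squaring r-1 times
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(r - 1)):
            return False
    return True

def _safe_prime(start):
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = _safe_prime(1 << 62)
Q = (P - 1) // 2
G, g = 4, 9          # two squares, hence subgroup generators: G for keys, g for commitments

def _challenge(*elems):
    """Fiat-Shamir challenge in Z_Q."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, elems)).encode()).digest(), "big") % Q

def dleq_prove(g1, g2, alpha):
    """Chaum-Pedersen proof that log_g1(g1^alpha) = log_g2(g2^alpha), i.e. both equal alpha."""
    h1, h2, w = pow(g1, alpha, P), pow(g2, alpha, P), secrets.randbelow(Q - 1) + 1
    c = _challenge(g1, h1, g2, h2, pow(g1, w, P), pow(g2, w, P))
    return c, (w - c * alpha) % Q

def dleq_verify(g1, h1, g2, h2, proof):
    c, r = proof
    a1, a2 = pow(g1, r, P) * pow(h1, c, P) % P, pow(g2, r, P) * pow(h2, c, P) % P
    return c == _challenge(g1, h1, g2, h2, a1, a2)

def keygen():
    x = secrets.randbelow(Q - 1) + 1      # PVSS.Setup per node: secret x_i, public key y_i = G^x_i
    return x, pow(G, x, P)

def pvss_share(s, pubkeys, t):
    """PVSS.Share: Shamir-share s with threshold t+1; output commitments, encrypted shares, proofs."""
    coeffs = [s % Q] + [secrets.randbelow(Q) for _ in range(t)]
    commits = [pow(g, a, P) for a in coeffs]
    enc, proofs = [], []
    for i, y in enumerate(pubkeys, start=1):
        p_i = sum(a * pow(i, j, Q) for j, a in enumerate(coeffs)) % Q
        enc.append(pow(y, p_i, P))              # Y_i: the share p(i) encrypted under P_i's key
        proofs.append(dleq_prove(g, y, p_i))    # proves log_g X_i = log_y Y_i
    return commits, enc, proofs

def pvss_verify(pubkeys, commits, enc, proofs):
    """PVSS.Verify: anyone, holding no secret, checks every encrypted share against the commitments."""
    for i, (y, Y, pf) in enumerate(zip(pubkeys, enc, proofs), start=1):
        X = 1
        for j, C in enumerate(commits):         # X_i = prod_j C_j^(i^j) = g^p(i)
            X = X * pow(C, pow(i, j, Q), P) % P
        if not dleq_verify(g, X, y, Y, pf):
            return False
    return True

def pvss_decrypt(x, Y):
    """P_i opens its share S_i = Y_i^(1/x_i) = G^p(i); the proof lets others check the opening."""
    S = pow(Y, pow(x, -1, Q), P)
    return S, dleq_prove(G, S, x)               # checked with dleq_verify(G, y_i, S_i, Y_i, proof)

def pvss_recon(decrypted):
    """PVSS.Recon: Lagrange interpolation in the exponent from any t+1 pairs (i, S_i); returns G^s."""
    idx, result = [i for i, _ in decrypted], 1
    for i, S in decrypted:
        num = den = 1
        for j in idx:
            if j != i:
                num, den = num * j % Q, den * (j - i) % Q
        result = result * pow(S, num * pow(den, -1, Q) % Q, P) % P
    return result

def aggregate(reconstructed):
    """Aggregation: f hashes the reconstructed G^s_i of the qualified set (a constructed choice of f)."""
    return hashlib.sha256("|".join(map(str, reconstructed)).encode()).hexdigest()

def beacon_round(n, t, dealer_secrets):
    """One leaderless I-DRB round (Definition 7); dealers' secrets are given here for reproducibility."""
    keys = [keygen() for _ in range(n)]
    pubs = [y for _, y in keys]
    dealings = [pvss_share(s, pubs, t) for s in dealer_secrets]                       # Share
    qualified = [e for c, e, pf in dealings if pvss_verify(pubs, c, e, pf)][: n - t]  # Verify: first n-t
    # Recon: a dealer that refuses to open cannot withhold its contribution; t+1 parties reconstruct it.
    reconstructed = [pvss_recon([(i, pvss_decrypt(keys[i - 1][0], enc[i - 1])[0]) for i in range(1, t + 2)])
                     for enc in qualified]
    return aggregate(reconstructed)
```

Two points the code makes concrete: Verify needs no secret key at all, which is what makes the sharing publicly verifiable rather than merely verifiable by the recipients, and the round's output is fixed as soon as the first n-t dealings pass Verify, because every qualified secret can be recovered by any t+1 honest parties whether or not its dealer cooperates; this is the mechanism behind the bias-resistance of PVSS-based beacons. Reconstruction yields \(G^{s_i}\) rather than \(s_i\) itself, as in Schoenmakers' scheme, which is sufficient for hashing into a beacon output.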
C Verifiable Delay Function (VDF)
A verifiable delay function \(f : \mathcal {X} \rightarrow \mathcal {Y}\) was formally defined by Boneh et al. [11]. After the introduction of VDFs, two new proposals [57, 72] were presented. A VDF has the properties of Sequentiality, Uniqueness and \(\epsilon \)-Evaluation time.
Definition 8
(VDF): A VDF is defined as a tuple of the following algorithms:
- \(\textsf{Setup}(\lambda , T)\): A randomized algorithm that takes a security parameter \(\lambda \) and a time parameter T and outputs the public parameters \(pp := (\mathbb {G}, N, H, T)\), where \(\mathbb {G}\) is a finite abelian group of unknown order, N is an RSA modulus, and \(H: \mathcal {X} \rightarrow \mathbb {G}\) is a hash function.
- \(\textsf{Eval}({pp}, x, T)\): The evaluation algorithm applies T sequential squarings in \(\mathbb {G}\) starting from H(x) and outputs the value \(y\leftarrow H(x)^{\left( 2^{T} \right) } \textsf{mod}\,N\), along with a proof \(\pi \).
- \(\textsf{Verify}({pp}, x, y, \pi , T)\): The verification algorithm outputs a bit \(\in \{0,1\}\), given the public parameters \(\textsf{pp}\), the input value x, the output value y, the proof \(\pi \), and the time parameter T.
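The Python program below is an added example, not code from the paper or from any VDF implementation. It instantiates Eval and Verify of Definition 8 in the RSA-group setting the definition names, using Pietrzak's halving protocol [57] as the proof \(\pi\). The modulus is built from two constructed primes, so its order is not actually unknown and the parameters are toy-sized; the function names vdf_setup, vdf_eval and vdf_verify, the dictionary form of pp, and the 128-bit Fiat-Shamir challenge are choices of this example.

```python
import hashlib

def _h_int(*parts: int, nbits: int = 128) -> int:
    """Fiat-Shamir challenge: hash the transcript so far to an nbits-bit integer."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - nbits)

def vdf_setup(p: int, q: int, log_T: int) -> dict:
    """Toy Setup(lambda, T): N = p*q from two constructed primes, T = 2^log_T squarings.
    In a real deployment nobody may know the factors of N (trusted setup or a class group):
    knowing the group order lets an evaluator shortcut the T squarings."""
    return {"N": p * q, "T": 1 << log_T}

def _hash_to_group(pp: dict, x: bytes) -> int:
    """H: X -> G. Squaring the hash lands in QR_N and avoids low-order elements such as -1."""
    h = int.from_bytes(hashlib.sha256(x).digest(), "big") % pp["N"]
    return h * h % pp["N"]

def vdf_eval(pp: dict, x: bytes):
    """Eval(pp, x, T): y = H(x)^(2^T) mod N plus Pietrzak's halving proof pi (a list of midpoints)."""
    N, T = pp["N"], pp["T"]
    g = _hash_to_group(pp, x)
    y = g
    for _ in range(T):                 # the inherently sequential part
        y = y * y % N
    proof, gi, yi, Ti = [], g, y, T
    while Ti > 1:                      # each step halves the claim "yi = gi^(2^Ti)"
        mu = gi
        for _ in range(Ti // 2):       # mu = gi^(2^(Ti/2))
            mu = mu * mu % N
        r = _h_int(gi, yi, mu)
        gi, yi, Ti = pow(gi, r, N) * mu % N, pow(mu, r, N) * yi % N, Ti // 2
        proof.append(mu)
    return y, proof

def vdf_verify(pp: dict, x: bytes, y: int, proof) -> bool:
    """Verify(pp, x, y, pi, T): log2(T) exponentiations with 128-bit exponents instead of T squarings."""
    N, T = pp["N"], pp["T"]
    gi, yi, Ti = _hash_to_group(pp, x), y, T
    for mu in proof:
        if Ti <= 1:
            return False               # proof longer than log2(T): reject
        r = _h_int(gi, yi, mu)
        gi, yi, Ti = pow(gi, r, N) * mu % N, pow(mu, r, N) * yi % N, Ti // 2
    return Ti == 1 and yi == gi * gi % N   # base case: a single squaring is checked directly
```

Eval performs T sequential squarings (plus roughly T more to produce the midpoints), whereas Verify performs only \(\log_2 T\) exponentiations with short exponents and one squaring. That asymmetry is what lets a VDF-based beacon be checked by every client without each of them re-running the delay, and it is why the proof, not just y, must be published with each beacon value.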
D Verifiable Random Function (VRF)
A VRF has the properties of Uniqueness, Collision resistance and Pseudorandomness.
Definition 9
(VRF): A VRF is defined as a tuple of the following algorithms:
- \(\textsf{KeyGen}(r)\): On input a value r, the algorithm generates a secret key sk and a verification key vk.
- \(\textsf{Eval}(sk, M)\): The evaluation algorithm produces a pseudorandom output O and the corresponding proof \(\pi \) on input sk and a message M.
- \(\textsf{Verify}(vk, M, O, \pi )\): The verification algorithm outputs 1 if and only if O is the output produced by the evaluation algorithm on M, as attested by the proof \(\pi \) under the verification key vk.
E Homomorphic Encryption (HE)
Definition 10
(HE): An HE scheme is defined as a set of the following algorithms:
- \(\textsf{Setup}(1^{\lambda })\): Given the security parameter \(\lambda \), output the global parameters params.
- \(\textsf{KeyGen}(params) \): Given the global parameters params, output a public-private key pair (pk, sk).
- \(\textsf{Enc}(params, pk,\mu )\): Given a message \(\mu \in R_\mathcal {M}\), output a ciphertext c.
- \(\textsf{Dec}(params, sk, c)\): Given a ciphertext c, output a message \(\mu ^* \in R_\mathcal {M}\).
- \(\textsf{Eval}(pk, f , c_1 , \ldots , c_l )\): Given a public key pk, a function \(f : R_\mathcal {M}^l \rightarrow R_\mathcal {M}\) represented as an arithmetic circuit over \(R_\mathcal {M}\), and a set of l ciphertexts \(c_1 , \ldots , c_l \), output a ciphertext \(c_f\).
In the above scheme, the message space \(\mathcal {M}\) of the encryption scheme is a ring \(R_\mathcal {M}\), and the functions to be evaluated are represented as arithmetic circuits over this ring, composed of addition and multiplication gates. HE can be categorized into: Partially HE, which supports only addition or only multiplication; Somewhat HE, which allows both operations but only a limited number of times; and Fully HE, which supports arbitrary computation by allowing both operations an unlimited number of times.
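As an added example that is not part of the paper: Paillier encryption is a Partially HE scheme (addition only) and fits the interface of Definition 10. The Python below, written for this page, implements Setup, KeyGen, Enc, Dec and an Eval restricted to addition circuits, using two constructed small primes; the names he_setup, he_keygen, he_enc, he_dec, he_eval_add, he_eval_scale and combine_contributions are this example's own, and params is folded into pk and sk rather than passed separately. The last function sketches how an HE-based beacon combines encrypted contributions without revealing any single one.

```python
import math
import secrets

# Constructed toy primes: Paillier needs primes of 1024+ bits in practice; these keep the demo fast.
TOY_P, TOY_Q = 1000000007, 998244353

def he_setup(p: int = TOY_P, q: int = TOY_Q) -> dict:
    """Setup(1^lambda): the global parameters fix n; the message space is the ring Z_n."""
    return {"n": p * q, "p": p, "q": q}

def he_keygen(params: dict):
    """KeyGen(params): pk = (n, g) with g = n + 1, sk = (lambda, mu) with lambda = lcm(p-1, q-1)."""
    n, p, q = params["n"], params["p"], params["q"]
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    mu = pow(lam, -1, n)               # since L((n+1)^lam mod n^2) = lam, mu = lam^-1 mod n
    return {"n": n, "g": n + 1}, {"n": n, "lam": lam, "mu": mu}

def he_enc(pk: dict, m: int) -> int:
    """Enc(params, pk, m): c = g^m * r^n mod n^2 with fresh r, so equal messages give different ciphertexts."""
    n, n2 = pk["n"], pk["n"] ** 2
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(pk["g"], m % n, n2) * pow(r, n, n2) % n2

def he_dec(sk: dict, c: int) -> int:
    """Dec(params, sk, c): m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, n2 = sk["n"], sk["n"] ** 2
    u = pow(c, sk["lam"], n2)
    return ((u - 1) // n) * sk["mu"] % n

def he_eval_add(pk: dict, *cts: int) -> int:
    """Eval(pk, f, c_1..c_l) for the addition circuit f = sum: multiply ciphertexts mod n^2.
    Paillier is *partially* homomorphic: no ciphertext operation realises a multiplication gate."""
    n2 = pk["n"] ** 2
    acc = 1
    for c in cts:
        acc = acc * c % n2
    return acc

def he_eval_scale(pk: dict, c: int, k: int) -> int:
    """Multiplication by a public constant k is k repeated additions, hence still an addition circuit."""
    return pow(c, k, pk["n"] ** 2)

def combine_contributions(pk: dict, sk: dict, contributions) -> int:
    """Constructed beacon-style use: parties submit Enc(m_i); anyone aggregates to Enc(sum m_i) without
    learning any m_i; only the sum is decrypted (one decryptor here, threshold decryption in practice)."""
    cts = [he_enc(pk, m) for m in contributions]
    return he_dec(sk, he_eval_add(pk, *cts))
```

The aggregation step runs on ciphertexts only, so whoever performs it learns nothing about the individual contributions; the security-relevant caveat is the holder of sk, who sees every contribution and must therefore be replaced by a threshold decryption in any beacon built this way.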
F Hybrid DRB Protocols
There are many more DRB protocols. Some of them use more than one cryptographic primitive to achieve all DRB properties with better efficiency or optimization.
- Mt. Random (PVSS + T(VRF)) (eprint 2021/1096): A multi-tiered DRB protocol that combines PVSS, VRF, and Threshold VRF (TVRF) to construct a DRB with optimal efficiency and without compromising the security guarantees of a DRB. It is a flexible architecture in which each tier runs a separate beacon based on PVSS, VRF, and TVRF, and the output of one tier serves as the seed for the next tier. Being built from different cryptographic primitives, the tiers differ in the randomness they provide and in their complexity, so a higher-level application can decide which tier to use to obtain randomness.
- Harmony (VRF + VDF) (https://harmony.one/whitepaper.pdf): Harmony is a sharding-based, provably secure, and scalable blockchain. In Harmony, nodes compute local entropy by evaluating a VRF with their secret keys. The DRB output is computed using a VDF whose input is constructed from a threshold number of VRF evaluations from pairwise different nodes. The DRB output is made pseudorandom by applying a random oracle to the VDF output.
- CRAFT (TLP + VDF) (eprint 2020/784): Baum et al. first construct a UC-secure publicly verifiable TLP and a UC-secure VDF. To construct a DRB, they replace the commitments in the standard commit-reveal coin-tossing protocol with the UC-secure TLP. Their construction achieves \(\textsf{O}(n)\) communication to generate a DRB output. When nodes communicate their TLPs quickly, the DRB output is obtained as fast as the communication channel delay allows.
- VeeDo (STARK + VDF) (https://github.com/starkware-libs/veedo): VeeDo is based on a STARK-based VDF; STARK is a post-quantum secure zero-knowledge proof protocol. VeeDo is a smart-contract-based DRB in which a beacon smart contract and a verifier smart contract are placed on-chain, while the computationally heavy parts, the VDF and the STARK prover, are kept off-chain. The VDF is run on a seed s derived from a block hash to compute the DRB output, and a proof is computed using the STARK prover. The VDF output and the proof are sent to the on-chain contracts for verification and subsequent publication.
- STROBE (RSA-based) (eprint 2021/1643): A history-generating DRB (HGDRB). It allows efficient generation of previous beacon outputs given only the current beacon value and the public key. It is based on the origin-squaring RSA approach of Beaver. It is well suited to practical applications, especially streaming designs, where it allows client software to generate game states by computing every missing beacon value and state. It is NIZK-free, concisely self-verifying, and can be used efficiently in blockchain and voting systems.
- OptRand (bilinear pairing-based PVSS + NIZK) (eprint 2022/193): An optimally responsive DRB protocol. It employs a pairing-based PVSS scheme together with a NIZK proof system to produce DRB outputs. Although it assumes a synchronous network, it is optimally responsive and can make progress, so OptRand provides availability at actual network speed under optimistic conditions. It is reconfiguration-friendly and has low communication complexity and low latency while generating beacon outputs.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Raikwar, M., Gligoroski, D. (2022). SoK: Decentralized Randomness Beacon Protocols. In: Nguyen, K., Yang, G., Guo, F., Susilo, W. (eds) Information Security and Privacy. ACISP 2022. Lecture Notes in Computer Science, vol 13494. Springer, Cham. https://doi.org/10.1007/978-3-031-22301-3_21
DOI: https://doi.org/10.1007/978-3-031-22301-3_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22300-6
Online ISBN: 978-3-031-22301-3