Randomness Generation
In this section, we describe how to use this collective key pair to generate publicly-verifiable, unbiasable, and unpredictable randomness in a distributed manner.
First, we explain pairing-based cryptography (PBC), which has become quite popular and is used in many modern consensus protocols and zero-knowledge proofs, such as zk-SNARKs. We will then show how drand uses PBC for threshold Boneh-Lynn-Shacham (BLS) signatures in the randomness beacon generation phase. Finally, we will discuss how drand links the generated threshold BLS signatures into a randomness chain.
Pairing-based cryptography is based on bilinear groups $(\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_t)$, where $\mathbb{G}_1$, $\mathbb{G}_2$, and $\mathbb{G}_t$ are cyclic groups of prime order $p$ with generators $g_1$, $g_2$, and $g_t$, respectively, and a pairing operation $e: \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_t$ with these properties:
- Bilinearity: $\forall a, b \in \mathbb{Z}_p^*, \forall P \in \mathbb{G}_1, \forall Q \in \mathbb{G}_2$, we have $e(aP, bQ) = e(P, Q)^{ab}$
- Non-degeneracy: $e \neq 1$
- Computability: There exists an efficient algorithm to compute $e$.

drand currently uses the Barreto-Lynn-Scott curve BLS12-381.
To generate publicly-verifiable, unbiasable, distributed randomness, drand utilizes threshold Boneh-Lynn-Shacham (BLS) signatures. First we will describe regular BLS signatures and then the threshold variant.
BLS signatures are short signatures that rely on bilinear pairings and consist only of a single element in $\mathbb{G}_1$. They are deterministic in the sense that they depend only on the message and the signer's key, unlike other signature schemes, such as ECDSA, that require a fresh random value for each signed message to be secure. Put differently, any two BLS signatures on a given message produced with the same key are identical. In drand, we utilize this property to achieve unbiasability for randomness generation.
The BLS signature scheme consists of these sub-procedures.

To generate a key pair, a signer first chooses a private key, $x \in \mathbb{Z}_p^*$, at random, and then computes the corresponding public key as $X = g_2^x \in \mathbb{G}_2$.

Let $H: \{0,1\}^* \to \mathbb{G}_1$ denote a cryptographic hash function that maps arbitrary bit strings to elements of $\mathbb{G}_1$. To compute a BLS signature $\sigma$ on a message $m$, the signer computes $\sigma = x H(m) \in \mathbb{G}_1$.

To verify that a BLS signature $\sigma$ on a message $m$ is valid, the verifier checks whether $e(H(m), X) = e(\sigma, g_2)$ holds using the signer's public key $X$.

Note that this equation holds for valid signatures since $e(H(m), X) = e(H(m), g_2^x) = e(H(m), g_2)^x = e(x H(m), g_2) = e(\sigma, g_2)$.
The goal of a threshold signature scheme is to collectively compute a signature by combining individual partial signatures independently generated by the participants. A threshold BLS signature scheme has the following sub-procedures.

The $n$ participants run a $t$-of-$n$ DKG to set up a collective public key, $S \in \mathbb{G}_2$, and private key shares $s_i \in \mathbb{Z}_p^*$ of the unknown collective private key, $s$, as described above.

To sign a message, $m$, each participant $i$ uses their private key share, $s_i$, to create a partial BLS signature, $\sigma_i = s_i H(m)$.

To verify the correctness of a partial signature, $\sigma_i$, on $m$, a verifier uses the public key share, $S_i$, generated during the DKG, and checks that $e(H(m), S_i) = e(\sigma_i, g_2)$ holds.

To reconstruct the collective BLS signature, $\sigma$, on $m$, a verifier first gathers $t$ different and valid partial BLS signatures, $\sigma_i$, on $m$, and then combines them by Lagrange interpolation.

To verify a collective BLS signature, $\sigma$, a verifier checks that $e(H(m), S) = e(\sigma, g_2)$ holds, where $S$ is the collective public key.

Thanks to the properties of Lagrange interpolation, the value of $\sigma$ is independent of the subset of $t$ valid partial signatures, $\sigma_i$, chosen during signature reconstruction. Additionally, Lagrange interpolation also guarantees that no set of fewer than $t$ signers can predict or bias $\sigma$.

In summary, a threshold BLS signature, $\sigma$, exhibits all properties required for publicly-verifiable, unbiasable, unpredictable, and distributed randomness.
In the above, $\mathbb{G}_1$ and $\mathbb{G}_2$ could be swapped. The implication is on the relative size of public keys and signatures. The first drand chains are constructed as described above, but with signatures on $\mathbb{G}_2$ and public keys on $\mathbb{G}_1$. Signature size is 96 bytes, and public key size is 48 bytes.

Certain applications prefer smaller signatures at the cost of a larger public key. This is why certain drand beacons have signatures on $\mathbb{G}_1$ and public keys on $\mathbb{G}_2$. Such a change is referred to as a $\mathbb{G}_1/\mathbb{G}_2$ swap.
The drand randomness beacon operates in discrete rounds, $r$. In every round, drand beacons configured to use chained randomness produce a new random value using threshold BLS signatures linked together into a chain of randomness. To extend this chain of randomness, each drand participant, $i$, creates in round $r$ the partial BLS signature, $\sigma_{ri}$, on the message $m = H(r \| \sigma_{r-1})$, where $\sigma_{r-1}$ denotes the (full) BLS threshold signature from round $r-1$ and $H$ is a cryptographic hash function.

Once at least $t$ participants have broadcast their partial signatures, $\sigma_{ri}$, on $m$, anyone can recover the full BLS threshold signature, $\sigma_r$, which corresponds to the random value of round $r$. After this, drand nodes move to round $r+1$ and repeat the process.

For round $r = 0$, drand participants sign a seed fixed during drand setup. This process ensures that every new random value depends on all previously generated signatures. Since the signature is deterministic, there is also no possibility for an adversary to fork the chain by presenting two distinct signatures $\sigma_r$ and $\sigma'_r$ in a given round $r$ to create inconsistencies in the systems relying on public randomness.
drand beacons can also be configured to use unchained randomness. In that mode, each drand participant, $i$, creates in round $r$ the partial BLS signature, $\sigma_{ri}$, on the message $m = H(r)$, where $H$ is a cryptographic hash function.

This allows the message $m$ for any given round $r$ to be precomputed directly, since it no longer depends on the previous round's signature.
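The following added example (not drand's own code) exercises both the threshold reconstruction described above and the chained and unchained round messages: a prime-order subgroup of $\mathbb{Z}_q^*$ stands in for $\mathbb{G}_1$ so that the $t$-of-$n$ combination by Lagrange interpolation in the exponent, its independence from the chosen subset, and the message $m = H(r \| \sigma_{r-1})$ can be run without a pairing library. The toy group parameters, the Shamir dealer standing in for the DKG, and the byte layout of the round message are assumptions, and no pairing-based verification is performed.

```python
import hashlib
import math

# Constructed toy parameters (an assumption, not drand's BLS12-381): q = 2p + 1 with
# p and q both prime, so the squares mod q form a subgroup of prime order p.
P = 1019      # order of the stand-in group and of the secret-sharing field Z_p
Q = 2 * P + 1

def hash_to_group(msg: bytes) -> int:
    """Stand-in for H: {0,1}* -> G1: hash, square into the order-p subgroup, skip the identity."""
    for ctr in range(256):
        h = pow(int.from_bytes(hashlib.sha256(msg + bytes([ctr])).digest(), "big"), 2, Q)
        if h > 1:
            return h
    raise ValueError("hash_to_group: no suitable element found")

def deal_shares(secret: int, t: int, n: int) -> dict:
    """Shamir t-of-n sharing of s over Z_p (a DKG yields such shares with no trusted dealer)."""
    coeffs = [secret] + [1 + int.from_bytes(hashlib.sha256(b"coef%d" % k).digest(), "big") % (P - 1)
                         for k in range(1, t)]  # fixed nonzero coefficients: reproducible example
    return {i: sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P for i in range(1, n + 1)}

def partial_sign(share: int, msg: bytes) -> int:
    """sigma_i = s_i * H(m), written multiplicatively in the stand-in group."""
    return pow(hash_to_group(msg), share, Q)

def lagrange_at_zero(i: int, subset) -> int:
    """lambda_i with sum(lambda_i * s_i) = f(0) = s (mod p) over the given subset of indices."""
    return math.prod(j * pow((j - i) % P, -1, P) for j in subset if j != i) % P

def combine(partials: dict) -> int:
    """Reconstruct sigma = s * H(m) from t valid partials by interpolating in the exponent."""
    return math.prod(pow(sig, lagrange_at_zero(i, partials), Q) for i, sig in partials.items()) % Q

def round_message(r: int, prev_sig=None) -> bytes:
    """Chained: m = H(r || sigma_{r-1}); unchained: m = H(r). The byte layout is an assumption."""
    data = r.to_bytes(8, "big") + (prev_sig.to_bytes(2, "big") if prev_sig is not None else b"")
    return hashlib.sha256(data).digest()

def run_chain(rounds: int, t: int = 3, n: int = 5, seed: bytes = b"constructed seed") -> list:
    """Chained beacon: round 0 signs the seed, round r signs H(r || sigma_{r-1})."""
    s, sigs = 577, []                         # s: collective private key, known here only for the check
    shares = deal_shares(s, t, n)
    for r in range(rounds):
        m = seed if r == 0 else round_message(r, sigs[-1])
        subset = [1 + (r + k) % n for k in range(t)]      # any t of the n partials will do
        sigs.append(combine({i: partial_sign(shares[i], m) for i in subset}))
        assert sigs[-1] == partial_sign(s, m)  # equals s * H(m): subset-independent and deterministic
    return sigs
```

Each round's value equals $s \cdot H(m)$ whichever $t$ partials are combined, while any $t-1$ of them interpolate to a different point.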