1

Building Blocks for Blockchains and Distributed SystemsPhilipp Schindlerpschindler@sba-research.org

SBA Research, 2019

SBA Research

2

Randomness BeaconsPhilipp Schindler, Aljosha Judmayer, Nicholas Stifter, and Edgar Weippl. Hydrand: Practical continuous distributed randomness. In Proceedings of IEEE Symposium on Security and Privacy (IEEE S&P). IEEE, 2020. to appear.

SBA Research, 2019

SBA Research

3

https://xkcd.com/221

4

Why Randomness Beacons?

5

Properties

?

Bias-Resistance Scalability

Unpredictability

LivenessPublic-Verifiability

Energy Efficiency

Guaranteed Output Delivery

6

ApproachesPublicly-Verifiable Secret Sharing (PVSS)

• Ouroboros, Scrape, RandHerd, HydRand

Verifiable Random Functions (VRFs)• Algorand, Ouroboros Praos

(Verifiable) Delay Functions (VDFs)• Bünz et. al. [1], Ethereum Casper?

Threshold Signatures (e.g. BLS)• HoneyBadger BFT, Dfinity

[1] B. Bunz, S. Goldfeder, and J. Bonneau. Proofs-of-delay and randomness beacons in Ethereum. In S&B ’17: Proceedings of the 1st IEEE Security & Privacy on the Blockchain Workshop, April 2017.

7

Secret SharingDistribution Reconstruction

S1

S2

S3

S4

S5

SS

S2

S4

S5

Dealer

Participants Subset of Participants

8

(Publicly-Verifiable) Secret Sharing

Shamir’s Secret Sharing• (t, n) threshold scheme• dealer distributes secret value

s to n participants• any set of at least t participants

can reconstruct s• dealer must be trusted

Schoenmakers’ PVSS• (t, n) threshold scheme• correctness of shares can be

verified prior to reconstruction• uses non-interactive zero

knowledge proofs• malicious dealers are

detected

9

Randomness Beacon via PVSS

Every node performs the following steps1. share a random secret with all parties

2. run (BFT) consensus protocol to agree on the shared values

3. a) reveal previously shares secretb) recover missing shared secrets

4. output new random beacon as combination of shares values

10

HydRand's Approach in a Nutshell• integrated low overhead BFT protocol • pipelining: only one PVSS per round

11

12

Verifiable Random Functions (VRFs)

• each node commits to a VRF public key pk• obtain new random number R privately

R, π = VRF(sk, seed || round)• reveal (R, π) if R < threshold as

leadership-credentials• correctness verified using pk• implemented e.g. using unique signatures and

hashes in practice

13

Verifiable Delay Function (VDFs)

VDF

VDF

VDF

VDF

VDF

14

Unique Threshold Signatures1. sign message using individual secret key

3. check signature via group public key

2. aggregate signatures

15

Unique Threshold Signatures

• share master secret key among nodeso requires trusted dealer oro distributed key generation protocol (DKG)

• each node signs seed (e.g. round index) using its private key share

• shares are checked for correctness• aggregation of shares as soon as enough

correct shares are obtained

16

Unique Threshold Signatures cont.

• aggregated signature serves as new random number

• can be checked against master public key• typically using pairing based cryptography

o BLS signature scheme

17

ComparisonPVSS VRFs VDFs Thres. Sig.

+ bias-resistance

+ no DKG

+ low communication+ overhead

+ no DKG

+ leader privacy

+ low communication+ overhead

+ bias-resistance

+ low communication+ overhead

+ bias-resistance

- communication- overhead

- bias-resistance - not ensured

- timing assumptions

- throughput

- computation compl.

- parameter setup

- requires DKG

- requires pairings

18

Detailed Comparison & Our Protocol

Philipp Schindler, Aljosha Judmayer, Nicholas Stifter, and Edgar Weippl. Hydrand: Practical continuous distributed randomness. In Proceedings of IEEE Symposium on Security and Privacy (IEEE S&P). IEEE, 2020. to appear.

19

Distributed Key GenerationPhilipp Schindler, Aljosha Judmayer, Nicholas Stifter, and Edgar Weippl. ETHDKG: Distributed Key Generation with Ethereum Smart Contracts. Cryptology ePrint Archive, Report 2019/985.

SBA Research, 2019

SBA Research

20

Applications

• randomness beacons• (BFT) consensus protocols• custodian and escrow schemes• smart contracts• threshold and time-lock encryption• ...

21

1. sign message using individual secret key

3. check signature via group public key

2. aggregate signatures



22

individual secret / public key pairs

group public key

23

individual secret / public key pairs

group public key

24

smart contract on theEthereum blockchain

client applicationrun by all the parties

25

Registration Sharing Dispute Key Derivation

Client:• generate BLS keypair• submit public key

Smart Contract:• checks eligibility of client to register

26

Registration Sharing Dispute Key Derivation

Client:• run VSS protocol for all registered parties• submit encrypted shares and verification vectors

Smart Contract:• "basic" validity checks on the submitted data• store hash of the submitted data

27

Registration Sharing Dispute Key Derivation

Client:• verifies all of its shares received• submits a dispute for all invalid shares

Smart Contract:• checks if a claimed dispute is valid• [withdraw security deposit on success]

28

Registration Sharing Dispute Key Derivation

verify that all shares are valid

check that a single share is indeed invalidif a party claims that

29

Registration Sharing Dispute Key Derivation

Client:• derive set of qualified nodes• submit / recover final key shares• compute master public key

Smart Contract:• derive set of qualified nodes• verify master public key

30

Scalability

31

Philipp Schindler, Aljosha Judmayer, Nicholas Stifter, and Edgar Weippl. ETHDKG: Distributed Key Generation with Ethereum Smart Contracts. Cryptology ePrint Archive, Report 2019/985. 2020.

32

Building Blocks for Blockchains and Distributed SystemsPhilipp Schindlerpschindler@sba-research.org

SBA Research, 2019

SBA Research