Building Blocks for Blockchains and Distributed Systems
Philipp [email protected]
SBA Research, 2019
SBA Research
Randomness Beacons
Philipp Schindler, Aljosha Judmayer, Nicholas Stifter, and Edgar Weippl. HydRand: Practical continuous distributed randomness. In Proceedings of IEEE Symposium on Security and Privacy (IEEE S&P). IEEE, 2020. To appear.
https://xkcd.com/221
Why Randomness Beacons?
Properties
• Bias-Resistance
• Scalability
• Unpredictability
• Liveness
• Public-Verifiability
• Energy Efficiency
• Guaranteed Output Delivery
Approaches
Publicly-Verifiable Secret Sharing (PVSS)
• Ouroboros, Scrape, RandHerd, HydRand
Verifiable Random Functions (VRFs)
• Algorand, Ouroboros Praos
(Verifiable) Delay Functions (VDFs)
• Bünz et al. [1], Ethereum Casper?
Threshold Signatures (e.g. BLS)
• HoneyBadger BFT, Dfinity
[1] B. Bünz, S. Goldfeder, and J. Bonneau. Proofs-of-delay and randomness beacons in Ethereum. In S&B ’17: Proceedings of the 1st IEEE Security & Privacy on the Blockchain Workshop, April 2017.
Secret Sharing
[Figure: Distribution: the dealer splits the secret S into shares S1 to S5, one per participant. Reconstruction: a subset of participants holding S2, S4 and S5 recovers S.]
(Publicly-Verifiable) Secret Sharing
Shamir’s Secret Sharing
• (t, n) threshold scheme
• dealer distributes secret value s to n participants
• any set of at least t participants can reconstruct s
• dealer must be trusted
Schoenmakers’ PVSS
• (t, n) threshold scheme
• correctness of shares can be verified prior to reconstruction
• uses non-interactive zero-knowledge proofs
• malicious dealers are detected
Randomness Beacon via PVSS
Every node performs the following steps
1. share a random secret with all parties
2. run (BFT) consensus protocol to agree on the shared values
3. a) reveal previously shared secret
   b) recover missing shared secrets
4. output new random beacon as combination of shared values
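The four steps above as an added Python example (not code from HydRand or the talk): plain Shamir sharing over a prime field stands in for PVSS, so the share-correctness proofs and the consensus of step 2 are assumed rather than implemented. Node ids 1..n, the modulus and the sample secrets are constructed for illustration.

```python
import hashlib
import secrets

P = 2**127 - 1  # prime field modulus for this toy example (constructed parameter)

def share(secret, t, n):
    """Shamir (t, n): evaluate a random degree t-1 polynomial with f(0)=secret at x=1..n."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {x: sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
            for x in range(1, n + 1)}

def recover(points):
    """Lagrange interpolation at x=0 from a dict {x: f(x)} with at least t entries."""
    total = 0
    for xi, yi in points.items():
        num = den = 1
        for xj in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def beacon_round(secrets_by_node, t, withholding=()):
    """Steps 1-4 of the slide, with consensus (step 2) assumed to have succeeded."""
    n = len(secrets_by_node)
    # Step 1: every node deals shares of its secret; dealt[d][x] is held by node x.
    dealt = {d: share(s, t, n) for d, s in secrets_by_node.items()}
    combined = 0
    for d, s in secrets_by_node.items():
        if d in withholding:
            # Step 3b: dealer does not reveal; t other nodes pool their shares.
            helpers = [x for x in dealt[d] if x != d][:t]
            value = recover({x: dealt[d][x] for x in helpers})
        else:
            value = s  # Step 3a: dealer reveals its own secret
        combined = (combined + value) % P
    # Step 4: the beacon output combines all shared values.
    return hashlib.sha256(combined.to_bytes(16, "big")).hexdigest()

# Constructed sample: five nodes with fixed secrets, to be run with threshold t=3.
SAMPLE = {1: 11, 2: 22, 3: 33, 4: 44, 5: 55}
```

A node that withholds its reveal cannot change the output, because the remaining nodes reconstruct its secret from the shares they already hold.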
HydRand's Approach in a Nutshell
• integrated low overhead BFT protocol
• pipelining: only one PVSS per round
Verifiable Random Functions (VRFs)
• each node commits to a VRF public key pk
• obtain new random number R privately
  R, π = VRF(sk, seed || round)
• reveal (R, π) if R < threshold as leadership-credentials
• correctness verified using pk
• implemented e.g. using unique signatures and hashes in practice
Verifiable Delay Functions (VDFs)
[Figure: diagram with five blocks labelled VDF]
Unique Threshold Signatures
1. sign message using individual secret key
2. aggregate signatures
3. check signature via group public key
Unique Threshold Signatures
• share master secret key among nodes
  o requires trusted dealer or
  o distributed key generation protocol (DKG)
• each node signs seed (e.g. round index) using its private key share
• shares are checked for correctness
• aggregation of shares as soon as enough correct shares are obtained
Unique Threshold Signatures cont.
• aggregated signature serves as new random number
• can be checked against master public key
• typically using pairing based cryptography
  o BLS signature scheme
Comparison
PVSS VRFs VDFs Thres. Sig.
+ bias-resistance
+ no DKG
+ low communication overhead
+ no DKG
+ leader privacy
+ low communication overhead
+ bias-resistance
+ low communication overhead
+ bias-resistance
- communication overhead
- bias-resistance not ensured
- timing assumptions
- throughput
- computation compl.
- parameter setup
- requires DKG
- requires pairings
Detailed Comparison & Our Protocol
Philipp Schindler, Aljosha Judmayer, Nicholas Stifter, and Edgar Weippl. HydRand: Practical continuous distributed randomness. In Proceedings of IEEE Symposium on Security and Privacy (IEEE S&P). IEEE, 2020. To appear.
Distributed Key Generation
Philipp Schindler, Aljosha Judmayer, Nicholas Stifter, and Edgar Weippl. ETHDKG: Distributed Key Generation with Ethereum Smart Contracts. Cryptology ePrint Archive, Report 2019/985.
Applications
• randomness beacons
• (BFT) consensus protocols
• custodian and escrow schemes
• smart contracts
• threshold and time-lock encryption
• ...
1. sign message using individual secret key
2. aggregate signatures
3. check signature via group public key

individual secret / public key pairs
group public key
smart contract on the Ethereum blockchain
client application run by all the parties
Registration Sharing Dispute Key Derivation
Client:
• generate BLS keypair
• submit public key
Smart Contract:
• checks eligibility of client to register
Registration Sharing Dispute Key Derivation
Client:
• run VSS protocol for all registered parties
• submit encrypted shares and verification vectors
Smart Contract:
• "basic" validity checks on the submitted data
• store hash of the submitted data
Registration Sharing Dispute Key Derivation
Client:
• verifies all of its shares received
• submits a dispute for all invalid shares
Smart Contract:
• checks if a claimed dispute is valid
• [withdraw security deposit on success]
Registration Sharing Dispute Key Derivation
verify that all shares are valid
check that a single share is indeed invalid if a party claims that
Registration Sharing Dispute Key Derivation
Client:
• derive set of qualified nodes
• submit / recover final key shares
• compute master public key
Smart Contract:
• derive set of qualified nodes
• verify master public key
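The sharing, dispute and key derivation phases as an added Python example, not ETHDKG's own code: a toy prime-order subgroup stands in for the BLS group, share encryption and the contract's hash storage are left out, and a dealer with any invalid share is assumed to be excluded from the qualified set. Function names and parameters are hypothetical.

```python
import secrets

# Toy Schnorr group (constructed, insecure size): G has prime order Q modulo P_MOD.
P_MOD, Q, G = 2039, 1019, 4

def deal(n, t):
    """Sharing: shares f(j) for nodes 1..n plus verification vector [g^a_0 .. g^a_(t-1)]."""
    coeffs = [secrets.randbelow(Q) for _ in range(t)]
    shares = {j: sum(a * pow(j, k, Q) for k, a in enumerate(coeffs)) % Q
              for j in range(1, n + 1)}
    return shares, [pow(G, a, P_MOD) for a in coeffs]

def share_valid(j, share, vector):
    """Check g^share == prod_k C_k^(j^k); a client runs it, a dispute re-runs it."""
    expected = 1
    for k, c in enumerate(vector):
        expected = expected * pow(c, pow(j, k, Q), P_MOD) % P_MOD
    return pow(G, share, P_MOD) == expected

def run_dkg(n, t, tamper=None):
    """tamper=(dealer, receiver) corrupts one share to model a malicious dealer."""
    dealt = {i: deal(n, t) for i in range(1, n + 1)}
    if tamper:
        d, r = tamper
        dealt[d][0][r] = (dealt[d][0][r] + 1) % Q
    # Dispute: any share failing the check disqualifies its dealer (assumed rule).
    disputed = {i for i, (shares, vec) in dealt.items()
                for j, s in shares.items() if not share_valid(j, s, vec)}
    qualified = sorted(set(dealt) - disputed)
    # Key derivation: final key share = sum of the shares from qualified dealers.
    key_shares = {j: sum(dealt[i][0][j] for i in qualified) % Q
                  for j in range(1, n + 1)}
    # Combined verification vector; its first entry is the master public key.
    vector = [1] * t
    for i in qualified:
        vector = [v * c % P_MOD for v, c in zip(vector, dealt[i][1])]
    return qualified, key_shares, vector
```

Each final key share verifies against the combined vector with the same `share_valid` check, which is what lets the master public key be verified without any party learning the master secret.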
Scalability
Philipp Schindler, Aljosha Judmayer, Nicholas Stifter, and Edgar Weippl. ETHDKG: Distributed Key Generation with Ethereum Smart Contracts. Cryptology ePrint Archive, Report 2019/985. 2020.