HydRand is a protocol for generating continuous distributed randomness that provides properties like bias-resistance, scalability, unpredictability, and public verifiability. It works by having nodes propose, acknowledge, and vote on new random beacon values in rounds. The beacon values are generated by secret sharing a random value among nodes and reconstructing it. The protocol guarantees unpredictability after f+1 rounds and derives the next leader from the previous output. Evaluation shows verification takes around 57ms and the protocol is scalable with reasonable network and CPU costs. Future work aims to improve scalability further and allow dynamic participation.

1. 1
HydRand: Efficient Continuous
Distributed Randomness
Philipp Schindler*
, Aljosha Judmayer*
, Nicholas Stifter*†
,
Edgar Weippl*†
IEEE S&P 2020
SBA Research, 2020
*
SBA Research, †
TU Wien

2. 2
https://xkcd.com/221

3. 3

4. 4
Local vs. Distributed Randomness
Local
• os-builtins primitives,
e.g. /dev/urandom
• dedicated hardware devices
• (typically) kept secret
• individually used, e.g. seed
for cryptographic keys
Distributed
• built on-top of local primitives
• multi-party protocol
• secret first, but published at a
specific point in time
• collectively used

5. 5
A Randomness Beacon
We propose a solution employing a “beacon” which emits at
regularly spaced time intervals, randomly chosen integers in
the range 1 ⩽ i ⩽ k. (Rabin, 1983)

6. 6
Desired Properties
?
Bias-Resistance
Scalability
Unpredictability Liveness
Public-Verifiability
Energy Efficiency
Guaranteed Output Delivery

7. 7
Motivation & Applications
Selection Processes
• gambling & lotteries services, jury selection, sport draws
Blockchain & BFT Protocols
• leader & committee selection, sharding, Smart Contracts
(Online-)Gaming
• shuffling, distribution of in-game items, team/tournament
assignment
Cryptographic Protocols
• parameter generation, privacy preserving messaging,
anonymous browsing

8. 8
Cryptographic Building Blocks
Digital Signatures
• Ed25519
Cryptographic Hash Functions
• SHA3-256
Public-Verifiable Secret Sharing (PVSS)
• Scrape's PVSS

9. 9
Secret Sharing
Distribution Reconstruction
S1
S2
S3
S4
S5
S
S
S2
S4
S5
dealer
participants
subset of participants

10. 10
(Publicly-Verifiable) Secret Sharing
Shamir’s Secret Sharing
• (t, n) threshold scheme
• dealer distributes secret value
s to n participants
• any set of at least t participants
can reconstruct s
• dealer must be trusted
PVSS
• (t, n) threshold scheme
• correctness of shares can be
verified prior to reconstruction
• uses non-interactive zero
knowledge proofs
• malicious dealers are
detected

11. 11
System and Threat Model
Fixed set of known participants
• n nodes total, f may deviate arbitrarily from the protocol
• standard n = 3f + 1 assumption
• t = f + 1 for PVSS threshold
Network
• synchronous, known upper bound on network delay
• authenticated point-to-point messaging channels
No DKG
No common broadcast channel

12. 12
High-Level View on HydRand
Setup
• exchange public keys & initial PVSS shares
• determine initial random beacon value
Execution
• propose phase
• acknowledge phase
• vote phase
⇒ new random beacon value
⇒ new leader
round

13. 13
Propose Acknowledge Vote Propose...
leader

14. 14
Propose Acknowledge Vote Propose...
leader
S1 S1
S3S4
shares for new secret
(encrypted)
S revealed secret

15. 15
Propose Acknowledge Vote Propose...

16. 16
Propose Acknowledge Vote Propose...
S revealed secret
H( ) sig( )

17. 17
Propose Acknowledge Vote Propose...

18. 18
confirm vote
Propose Acknowledge Vote Propose...

19. 19
confirm vote
Propose Acknowledge Vote Propose...
S2
share for secret
(decrypted)
recover vote

20. 20
confirm vote
Propose Acknowledge Vote Propose...
Compute beacon output
confirm vote
confirm vote
confirm vote
S revealed secret
S revealed secret
S revealed secret
revealed secretS

21. 21
confirm vote
Propose Acknowledge Vote Propose...
S2
share for secret
(decrypted)
recover vote
Compute beacon output
confirm vote
confirm vote
confirm vote
S revealed secret
S revealed secret
S revealed secret
revealed secret
S2
share for secret
(decrypted)
recover vote
S5
share for secret
(decrypted)
recover vote
S2
S4
S5
recovered secret
S
S

22. 22
confirm vote
Propose Acknowledge Vote Propose...
S2
share for secret
(decrypted)
recover vote
Compute beacon output
confirm vote
confirm vote
confirm vote
S revealed secret
S revealed secret
S revealed secret
revealed secret
S2
share for secret
(decrypted)
recover vote
S5
share for secret
(decrypted)
recover vote
S2
S4
S5
recovered secret
S
S
=

23. 23
Propose Acknowledge Vote Propose...
Compute beacon output
S revealed secret
S revealed secret
S revealed secret
revealed secret
S2
S4
S5
recovered secret
S
S
=
HRprev Rnew

24. 24
Propose Acknowledge Vote Propose...
Derive next leader
Rnew
Leader is derived via previous output
• non-interactively
• uniformly at random from the set of potential leaders
Potential leaders:
• were not recently selected as leader
• did fulfil their duties as leader so far

25. 25
Desired Properties
?
Bias-Resistance
Scalability
Unpredictability Liveness
Public-Verifiability
Energy Efficiency
Guaranteed Output Delivery

26. 26
Security Analysis: Unpredictability
Guaranteed after f+1 rounds
Additional probabilistic guarantees

27. 27
Desired Properties
?
Bias-Resistance
Scalability
Unpredictability Liveness
Public-Verifiability
Energy Efficiency
Guaranteed Output Delivery

28. 28
Desired Properties
?
Bias-Resistance
Scalability
Unpredictability Liveness
Public-Verifiability
Energy Efficiency
Guaranteed Output Delivery

29. 29
Desired Properties
?
Bias-Resistance
Scalability
Unpredictability Liveness
Public-Verifiability
Energy Efficiency
Guaranteed Output Delivery

30. 30
Desired Properties
?
Bias-Resistance
Scalability
Unpredictability Liveness
Public-Verifiability
Energy Efficiency
Guaranteed Output Delivery

31. 31
Scalability / Throughput
https://github.com/PhilippSchindler/hydrand

32. 32
Evaluation Results
Verification
• duration: ~57ms
• proof size: ~26kB
Network bandwidth CPU Utilization

33. 33
Desired Properties
?
Bias-Resistance
Scalability
Unpredictability Liveness
Public-Verifiability
Energy Efficiency
Guaranteed Output Delivery

34. 34
Desired Properties
?
Bias-Resistance
Scalability
Unpredictability Liveness
Public-Verifiability
Energy Efficiency
Guaranteed Output Delivery

35. 35
Outlook
Scalability improvements
• threshold cryptography
• pre-sharing PVSS secrets
• multiple threads for verification
Rejoining / dynamic participation
Different model
• partially synchronous network
• n = 2f + 1 threshold model

36. 36

37. 37
Random numbers should not be generated with a method
chosen at random. (Donald Knuth)

38. 38