HydRand is a protocol for generating continuous distributed randomness that provides properties like bias-resistance, scalability, unpredictability, and public verifiability. It works by having nodes propose, acknowledge, and vote on new random beacon values in rounds. The beacon values are generated by secret sharing a random value among nodes and reconstructing it. The protocol guarantees unpredictability after f+1 rounds and derives the next leader from the previous output. Evaluation shows verification takes around 57ms and the protocol is scalable with reasonable network and CPU costs. Future work aims to improve scalability further and allow dynamic participation.
4. 4
Local vs. Distributed Randomness
Local
• os-builtins primitives,
e.g. /dev/urandom
• dedicated hardware devices
• (typically) kept secret
• individually used, e.g. seed
for cryptographic keys
Distributed
• built on-top of local primitives
• multi-party protocol
• secret first, but published at a
specific point in time
• collectively used
5. 5
A Randomness Beacon
We propose a solution employing a “beacon” which emits at
regularly spaced time intervals, randomly chosen integers in
the range 1 ⩽ i ⩽ k. (Rabin, 1983)
10. 10
(Publicly-Verifiable) Secret Sharing
Shamir’s Secret Sharing
• (t, n) threshold scheme
• dealer distributes secret value
s to n participants
• any set of at least t participants
can reconstruct s
• dealer must be trusted
PVSS
• (t, n) threshold scheme
• correctness of shares can be
verified prior to reconstruction
• uses non-interactive zero
knowledge proofs
• malicious dealers are
detected
11. 11
System and Threat Model
Fixed set of known participants
• n nodes total, f may deviate arbitrarily from the protocol
• standard n = 3f + 1 assumption
• t = f + 1 for PVSS threshold
Network
• synchronous, known upper bound on network delay
• authenticated point-to-point messaging channels
No DKG
No common broadcast channel
12. 12
High-Level View on HydRand
Setup
• exchange public keys & initial PVSS shares
• determine initial random beacon value
Execution
• propose phase
• acknowledge phase
• vote phase
⇒ new random beacon value
⇒ new leader
round
20. 20
confirm vote
Propose Acknowledge Vote Propose...
Compute beacon output
confirm vote
confirm vote
confirm vote
S revealed secret
S revealed secret
S revealed secret
revealed secretS
21. 21
confirm vote
Propose Acknowledge Vote Propose...
S2
share for secret
(decrypted)
recover vote
Compute beacon output
confirm vote
confirm vote
confirm vote
S revealed secret
S revealed secret
S revealed secret
revealed secret
S2
share for secret
(decrypted)
recover vote
S5
share for secret
(decrypted)
recover vote
S2
S4
S5
recovered secret
S
S
22. 22
confirm vote
Propose Acknowledge Vote Propose...
S2
share for secret
(decrypted)
recover vote
Compute beacon output
confirm vote
confirm vote
confirm vote
S revealed secret
S revealed secret
S revealed secret
revealed secret
S2
share for secret
(decrypted)
recover vote
S5
share for secret
(decrypted)
recover vote
S2
S4
S5
recovered secret
S
S
=
23. 23
Propose Acknowledge Vote Propose...
Compute beacon output
S revealed secret
S revealed secret
S revealed secret
revealed secret
S2
S4
S5
recovered secret
S
S
=
HRprev Rnew
24. 24
Propose Acknowledge Vote Propose...
Derive next leader
Rnew
Leader is derived via previous output
• non-interactively
• uniformly at random from the set of potential leaders
Potential leaders:
• were not recently selected as leader
• did fulfil their duties as leader so far