I Introduction
Historically, decentralised random number generation algorithms have used a commit-reveal process in which participants submit a commitment to their randomly generated share. Once all participants have submitted commitments, each participant reveals their share. The shares are combined using a deterministic algorithm to produce the generated random value. The last participant to reveal their share, known as the Last Actor, can view all of the other shares. They can determine the impact of revealing their share, and thus decide to reveal their share or withhold their share, thus influencing the generated random value.
DFINITY defined a Decentralised Random Beacon [1] using a threshold scheme and BLS Signatures to prevent the Last Actor Problem. Inspired by their work, the scheme described in this paper uses the Shamir Threshold Scheme [2] combined with modulo addition to provide a decentralised random number generation scheme. This scheme is similar in some aspects to the scheme recently proposed by Drake [3].
Ii Background
In Shamir’s Threshold Scheme random coefficients are generated for an equation of the form shown below, where the value is the secret value.
shares are generated. Any shares can be used to calculate the value for any value. As such, the secret value can be constructed from any shares.
Iii Algorithm
Set-up: Deploy a smart contract to the blockchain to manage the random number generation process.
Registration: The value for each participant is the participant’s Ethereum address . Each participant generates an ephemeral RSA or ECC encryption key pair. To register, they publish their public key to the contract. The act of publishing their public key publicises their Ethereum address and hence their value.
Calculate Random Coefficients: All participants generate random coefficients for an equation in the range to . They calculate the values for each of the participant values.
Post Commitment: All participants post to the contract the message digest of the values for each of the participant values. Any participant which does not post commitment values drops out of the random number generation process and is fined.
Post Encrypted Y values All participants post to the contract the encrypted values for each of the participant values, encrypted against the public keys of each other participant. Any participant which does not post all of the encrypted values drops out of the random number generation process and is fined.
Post Private Keys and Calculate Random All participants post their private decryption keys. The contract then has enough information to calculate the random value and check for correctness. Correctness can be checked for by decrypting the encrypted values, checking commitments, and checking that the order of the curve that each entity posted is . The random value is calculated as the sum of the values .
To save gas, all participants post the plain text values for all of the encrypted values. All participant can off-chain check the decryptions, commitments, and order of equations. If an incorrect value is detected, this could be indicated by a call to the contract, with the contract verifying the bad value and fining the participant.
Iv Properties
Using commitments and asymmetrically encrypting the values means that individual attackers have to commit to a single value and can not control the release of the information. Each participant holds their own private key and publishes it once all of the encrypted values are posted, thus releasing the information for all parties to see.
V Attacks
If attackers collude they can decrypt the encrypted values as they are posted. The attackers could wait for the other sets of encrypted values to be posted, and then choose one or more attackers to withhold their private key, thus affecting the generated random value. The random generation process could be stopped by attackers not publishing their private keys. Doing this would mean that at least sets of values can not decrypted, and hence the
values can not be interpolated. Both of these attacks can be countered by fining participants who do not obey the algorithm.
References
- [1] T. Hanke, M. Movahedi, and D. Williams. (2018) Dfinity technology overview seriers: Consensus system rev.1. [Online]. Available: https://dfinity.org/pdf-viewer/pdfs/viewer?file=../library/dfinity-consensus.pdf
- [2] A. Shamir, “How to share a secret,” Commun. ACM, vol. 22, no. 11, pp. 612–613, 1979. [Online]. Available: https://cs.jhu.edu/~sdoshi/crypto/papers/shamirturing.pdf
- [3] J. Drake. (2018) Leaderless k-of-n random beacon. [Online]. Available: https://ethresear.ch/t/leaderless-k-of-n-random-beacon/2046
Comments
There are no comments yet.