Building Blocks for Blockchains and Distributed Systems
Philipp Schindler (pschindler@sba-research.org)
SBA Research, 2019

Randomness Beacons
Philipp Schindler, Aljosha Judmayer, Nicholas Stifter, and Edgar Weippl. HydRand: Practical continuous distributed randomness. In Proceedings of IEEE Symposium on Security and Privacy (IEEE S&P). IEEE, 2020. To appear.

https://xkcd.com/221
Why Randomness Beacons?
Properties
• Bias-Resistance
• Scalability
• Public-Verifiability
• Liveness
• Unpredictability
• Energy Efficiency
• Guaranteed Output Delivery

Approaches
Publicly-Verifiable Secret Sharing (PVSS)
• Ouroboros, Scrape, RandHerd, HydRand
Verifiable Random Functions (VRFs)
• Algorand, Ouroboros Praos
(Verifiable) Delay Functions (VDFs)
• Bünz et al. [1], Ethereum Casper?
Threshold Signatures (e.g. BLS)
• HoneyBadger BFT, Dfinity
[1] B. Bünz, S. Goldfeder, and J. Bonneau. Proofs-of-delay and randomness beacons in Ethereum. In S&B ’17: Proceedings of the 1st IEEE Security & Privacy on the Blockchain Workshop, April 2017.

Secret Sharing
[Figure: two panels. Distribution: a dealer hands shares S1 to S5 of a secret S to the participants. Reconstruction: a subset of participants recovers S from their shares.]

(Publicly-Verifiable) Secret Sharing
Shamir’s Secret Sharing
• (t, n) threshold scheme
• dealer distributes secret value s to n participants
• any set of at least t participants can reconstruct s
• dealer must be trusted
Schoenmakers’ PVSS
• (t, n) threshold scheme
• correctness of shares can be verified prior to reconstruction
• uses non-interactive zero knowledge proofs
• malicious dealers are detected

Randomness Beacon via PVSS
Every node performs the following steps:
1. share a random secret with all parties
2. run (BFT) consensus protocol to agree on the shared values
3. a) reveal previously shared secret
   b) recover missing shared secrets
4. output new random beacon as combination of shared values

HydRand's Approach in a Nutshell
• integrated low overhead BFT protocol
• pipelining: only one PVSS per round

Verifiable Random Functions (VRFs)
• each node commits to a VRF public key pk
• obtain new random number R privately
  R, π = VRF(sk, seed || round)
• reveal (R, π) if R < threshold as leadership-credentials
• correctness verified using pk
• implemented e.g. using unique signatures and hashes in practice

Verifiable Delay Functions (VDFs)
[Figure: diagram with five elements labelled VDF.]

Unique Threshold Signatures
1. sign message using individual secret key
2. aggregate signatures
3. check signature via group public key

Unique Threshold Signatures
• share master secret key among nodes
  o requires trusted dealer or
  o distributed key generation protocol (DKG)
• each node signs seed (e.g. round index) using its private key share
• shares are checked for correctness
• aggregation of shares as soon as enough correct shares are obtained

Unique Threshold Signatures cont.
• aggregated signature serves as new random number
• can be checked against master public key
• typically using pairing based cryptography
  o BLS signature scheme

Comparison
PVSS
+ bias-resistance
+ no DKG
- communication overhead
- computation compl.
VRFs
+ low communication overhead
+ no DKG
+ leader privacy
- bias-resistance not ensured
VDFs
+ low communication overhead
+ bias-resistance
- timing assumptions
- throughput
- parameter setup
Thres. Sig.
+ low communication overhead
+ bias-resistance
- requires DKG
- requires pairings

Detailed Comparison & Our Protocol
Philipp Schindler, Aljosha Judmayer, Nicholas Stifter, and Edgar Weippl. HydRand: Practical continuous distributed randomness. In Proceedings of IEEE Symposium on Security and Privacy (IEEE S&P). IEEE, 2020. To appear.

Distributed Key Generation
Philipp Schindler, Aljosha Judmayer, Nicholas Stifter, and Edgar Weippl. ETHDKG: Distributed Key Generation with Ethereum Smart Contracts. Cryptology ePrint Archive, Report 2019/985.

Applications
• randomness beacons
• (BFT) consensus protocols
• custodian and escrow schemes
• smart contracts
• threshold and time-lock encryption
• ...

1. sign message using individual secret key
2. aggregate signatures
3. check signature via group public key

individual secret / public key pairs
group public key

• smart contract on the Ethereum blockchain
• client application run by all the parties

Registration | Sharing | Dispute | Key Derivation
Client:
• generate BLS keypair
• submit public key
Smart Contract:
• checks eligibility of client to register

Registration | Sharing | Dispute | Key Derivation
Client:
• run VSS protocol for all registered parties
• submit encrypted shares and verification vectors
Smart Contract:
• "basic" validity checks on the submitted data
• store hash of the submitted data

Registration | Sharing | Dispute | Key Derivation
Client:
• verifies all of the shares it received
• submits a dispute for all invalid shares
Smart Contract:
• checks if a claimed dispute is valid
• [withdraw security deposit on success]

Registration | Sharing | Dispute | Key Derivation
• verify that all shares are valid
• check that a single share is indeed invalid if a party claims that

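An added example, not taken from the slides or from ETHDKG's code: the (t, n) sharing and reconstruction from the secret sharing slides, combined with the per-share check that the Sharing and Dispute phases rely on, written as Feldman-style verifiable secret sharing. The Feldman commitments standing in for the "verification vector", the small demo group (P, Q, G), the function names and the use of unencrypted shares are assumptions made for illustration.

```python
import secrets

# Constructed demo group (assumption): order-Q subgroup of Z_P^*, P = 2Q + 1.
# These sizes only keep the numbers readable; they offer no security.
P, Q, G = 2039, 1019, 4

def deal(secret, t, n):
    """Dealer: random degree t-1 polynomial f over Z_Q with f(0) = secret.
    Returns the shares f(1..n) and the verification vector C_j = G^a_j."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {i: sum(a * pow(i, j, Q) for j, a in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    return shares, [pow(G, a, P) for a in coeffs]

def share_is_valid(i, share, vector):
    """Public check: G^share == prod_j C_j^(i^j) mod P."""
    expected = 1
    for j, c in enumerate(vector):
        expected = expected * pow(c, pow(i, j, Q), P) % P
    return pow(G, share, P) == expected

def find_disputes(shares, vector):
    """Indices whose share contradicts the dealer's verification vector."""
    return sorted(i for i, s in shares.items()
                  if not share_is_valid(i, s, vector))

def reconstruct(points):
    """Lagrange interpolation at x = 0 from any t entries {index: share}."""
    secret = 0
    for i, s in points.items():
        num = den = 1
        for k in points:
            if k != i:
                num = num * -k % Q
                den = den * (i - k) % Q
        secret = (secret + s * num * pow(den, -1, Q)) % Q
    return secret

if __name__ == "__main__":
    shares, vector = deal(secret=123, t=3, n=5)
    print("disputes, honest dealer:", find_disputes(shares, vector))
    shares[2] = (shares[2] + 1) % Q          # dealer sends party 2 a bad share
    print("disputes, bad share:    ", find_disputes(shares, vector))
    print("recovered:", reconstruct({i: shares[i] for i in (1, 3, 5)}))
```

Checking one disputed share costs a single call to share_is_valid, which is the cheaper of the two options on the dispute slide; find_disputes is the "verify all shares" variant.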
Registration | Sharing | Dispute | Key Derivation
Client:
• derive set of qualified nodes
• submit / recover final key shares
• compute master public key
Smart Contract:
• derive set of qualified nodes
• verify master public key

Scalability
Philipp Schindler, Aljosha Judmayer, Nicholas Stifter, and Edgar Weippl. ETHDKG: Distributed Key Generation with Ethereum Smart Contracts. Cryptology ePrint Archive, Report 2019/985. 2020.