Randomness beacons in theory and practice

Joseph Bonneau

​

Real World Crypto

March 28, 2025

Dedicated to Ross Anderson (1956-2024)

An ideal randomness beacon [Rabin83]

Goals (high level):

• Statistically uniform randomness
• Public consensus
• High bandwidth
• Attackers can’t:
• Manipulate
• Predict
• Block

time

epoch 1

4169

epoch 2

9772

epoch 3

6015

...

...

Beacons can power verifiable lotteries

Beacons can power verifiable lotteries

Many use cases beyond lotteries

• Games
• Randomized audits
• Parameter setup for cryptographic protocols
• Leader election in consensus protocols
• Randomized transaction ordering
• Challenges for non-interactive cryptographic proofs

Goal: Many applications driven by a public randomness beacon

State of the art has barely changed for millenia!

This talk: distributed randomness beacons

• Multiparty protocol with n participants, produce output Ω_i in epoch i
• Up to t out of n nodes are controlled by the adversary

​

time

Ω₁

Ω₂

Ω₃

...

entropy

entropy

entropy

Classic: Commit-Reveal

c₃

c₂

c₁

Classic: Commit-Reveal

e₃

e₂

e₁

Classic: Commit-Reveal

∅

e₂

e₁

DRB design comparison

DRB design comparison

Commit-reveal-punish

1. Commit/deposit

​

​

c₁,$

c₃,$

c₂,$

Commit-reveal-punish

1. Commit/deposit

​

2. Reveal + refund
1. Participants who don’t reveal lose funds
2. Restart if any participant aborts

​

e₂

e₁

∅

$

$

DRB design comparison

Commit-reveal-punish: RANDAO

• Deployed in Ethereum since 2020
• Used for committee selection
• Also available to smart contracts
• block.prevrandao
• Proposer can reveal VRF or withhold
• Withholding precludes block reward
• Withholding is profitable! [AW24]

Commit-reveal-punish: RANDAO

• Deployed in Ethereum since 2020
• Used for committee selection
• Also available to smart contracts
• block.prevrandao
• Proposer can reveal VRF or withhold
• Withholding precludes block reward
• Withholding is profitable! [AW24]

Optimal RANDAO Manipulation in Ethereum. Kaya Alpturer, S. Matthew Weinberg. AFT 2024.

Commit-reveal-recover

1. Commit
1. Publish c_i = Commit(e_i) as in classic CR
2. Secret-share e_i with all other nodes
1. PVSS: Publicly verifiable secret sharing

​

​

​

c₂ , PVSS(e₂)

c₁ , PVSS(e₁)

c₃, PVSS(e₃)

Commit-reveal-recover

1. Commit
1. Publish c_i = Commit(e_i) as in classic CR
2. Secret-share e_i with all other nodes
1. PVSS: Publicly verifiable secret sharing

​

• Reveal
2. Publish e_i as in classic CR
• ​
• Recover
3. Honest participants reconstruct any missing e_i

e₂

e₁

∅

e₃

PVSS.reconstruct()

Ω

Commit-reveal-recover variants

• Better PVSS
• SCRAPE [CD 17]

​

• Amortized PVSS
• HERB [CSO 19]
• Albatross [CD 20]

​

• Remove optimistic case (share-reconstruct-aggregate)
• RandShare [SJKGGKFF 17]
• SecRand [GSX 20]

DRB design comparison

Pseudorandom DRBs

1. Setup
1. Output is t-out-of-n secret-shared VRF key
2. Can be distributed setup (DKG) or centralized

​

​

​

e₃

e₂

e₁

PubKey_DRB

Pseudorandom DRBs

1. Setup
1. Output is t-out-of-n secret-shared VRF key
2. Can be distributed setup (DKG) or centralized

​

2. Output
2. Compute VRF on round input r_i
3. Can be static (epoch number) or prior Ω
4. Collect partial VRF evaluations
5. Combine to output distributed VRF

σ₃

σ₂

σ₁

VRF(r_i , PubKey_DRB)

r_i

Pseudorandom DRB variants

• drand/DFINITY
• Threshold BLS signatures

​

• STROBE [BCKKLNNRS 21]
• Threshold RSA decryption, with history generation

​

• RandHerd [SJKGGKFF 17]
• Threshold Schnorr, sharded into groups

​

• DDH-DRB, GLOW-DRB [GLOW 20]
• Threshold DDH-VRF (like BLS, but NIZK instead of pairings)

DRB design comparison

drand: a production pseudorandom DRB

• Launched 2019

​

• Threshold BLS signatures
• BLS12-381 curve

​

• Currently 20 nodes
• t=11 required to sign

​

• 256 bits every 30 seconds

​

• Nodes run by academics + industry

Reveal-delay (Unicorn) [LW15]

1. Reveal
1. Raw entropy, no commitments needed!

​

​

e₃

e₁

e₂

Reveal-delay (Unicorn) [LW15]

• Reveal
• Raw entropy, no commitments needed!

​

​

e₃

e₁

e₂

Just

One

Honest

Node

Reveal-delay (Unicorn) [LW15]

1. Reveal
1. Raw entropy, no commitments needed!

​

2. Delay + combine
2. Modern approach: use a VDF
1. Slow (sequential) to compute
2. Efficiently verifiable

​

​

e₃

e₁

e₂

Ω

Reveal-delay (Unicorn) [LW15]

1. Reveal
1. Raw entropy, no commitments needed!

​

2. Delay + combine
2. Modern approach: use a VDF
1. Slow (sequential) to compute
2. Efficiently verifiable

​

​

e₁

e₂?

?

Last revealer(s) can’t compute VDF fast enough to bias

e₃?

Delay functions are a powerful tool

Fast

Intractable

Encryption

Decryption

Signing

Verification

Hashing

Key search

Discrete log

Factoring

Collision-

finding

Delay functions:

take a specified number of sequential steps

VDFs

Timed commitments

Time-lock encryption

Delay encryption

...

Delay-based DRB variants

• Frequent output: RandRunner [SJSHW20]
• Deliver output more often than delay parameter via pipelining

​

• Efficient optimistic case: Bicorn [CATB23]
• Skip delay function if all participants are honest

​

• Sublinear communication: Cornucopia [CCB24]
• Leader gathers contributions and broadcasts succinct commitment

Delay-based DRBs in practice: Chia

• Used for consensus
• Launched 2021

​

• VDF: Repeated squaring in class group
• 1024-bit discriminant
• Wesolowski proofs [W19]

DRB design comparison

VDF designs are relatively new

Dishonest-majority DRB without delay functions?

Dishonest-majority DRB without delay functions?

• Classic result: Dishonest majority DRBs impossible
• Limits on the security of coin flips when half the processors are faulty. Richard Cleve. TOC 1986.

​

• Practical observation: Dishonest majority DRBs possible with VDFs

​

• New result: Dishonest majority DRB require delay functions!
• Good Things Come to Those Who Wait: Dishonest-Majority Coin-Flipping Requires Delay Functions. Joseph Bonneau, Benedikt Bünz, Miranda Christ, Yuval Efron. Eurocrypt 2025.
• Simple delay function, not full VDF
• Not parameterizable, not efficiently verifiable
• Assumes network synchrony

Why design to tolerate n-1 dishonest nodes?

​

• Dishonest majority enables open participation
• No security downside to adding more participants!

DRB design comparison

Which DRB should I use?

commit-reveal (vulnerable)

Clear economic model?

commit-reveal-punish

Honest majority?

delay-based DRB

Static participant set?

pseudorandom DRB

Small participant set?

commit-reveal-recover

committee-based DRB

yes

no

yes

yes

no

Open questions (protocol design)

• Secret Leader Election
• DRBs where only winner finds out they have won

​

• Silent setup
• Use existing public keys for psuedorandom DRB with no (or limited) setup

​

• Optimistic protocols
• Faster execution if all nodes (or chosen leader) honest

​

• Certified randomness
• Use quantum computation, only need one node!

Open questions (engineering)

• Simpler API for developers
• Smart contract integration: Aptos Roll, Mysten sui::random

​

• VDF deployment
• Security requires public access to VDF hardware

​

• Local randomness generation
• DRB is no better than nodes’ RNGs!

​

• Ensuring public trust

Ensuring public trust is the primary challenge

Thank you!

For more, see 3 detailed surveys:

​

SoK: Decentralized randomness beacon protocols. Raikwar, Mayank, and Danilo Gligoroski. ACISP 2022. https://arxiv.org/pdf/2205.13333

​

SoK: Distributed Randomness Beacons. Kevin Choi, Athira Manoj and Joseph Bonneau. IEEE S&P 2023. https://eprint.iacr.org/2023/728

​

SoK: Public Randomness. Kavousi, Alireza, Zhipeng Wang, and Philipp Jovanovic. EuroS&P 2024. https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=10629002

Required disclosures

The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation.

​

This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities, digital assets, tokens, and/or cryptocurrencies are for illustrative purposes only and do not constitute a recommendation to invest in any such instrument nor do such references constitute an offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments for which the issuer has not provided permission for a16z to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at https://a16z.com/investments/.

​

Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see https://a16z.com/disclosures for additional important information.

Backup slides

Detailed comparison in SoK paper

SoK: Distributed Randomness Beacons.

Kevin Choi, Athira Manoj and Joseph Bonneau.

IEEE Security & Privacy (Oakland) 2023

https://eprint.iacr.org/2023/728

Current work on delay-based DRBs

Bicorn: eliminate delay function in optimistic case!

​

​

Bicorn: An optimistically efficient distributed randomness beacon

Kevin Choi, Arasu Arun, Nirvan Tyagi and Joseph Bonneau.

Financial Crypto 2023

https://eprint.iacr.org/2023/221

​

​

Cornucopia: scale to millions of contributors with an untrusted coordinator!

​

Cornucopia: Distributed randomness beacons at scale

Miranda Christ, Kevin Choi, and Joseph Bonneau.

(in submission)

https://eprint.iacr.org/2023/1554

VDFs are a potential game-changer

• The only way we know to get to a dishonest majority model
• Without trusted hardware or economic assumptions

​

• This is true for many other protocols beyond randomness!
• Example: auctions, voting

Do we need a dishonest majority?

• Consensus requires an honest majority...

​

​

• But, attacks on randomness are invisible
• Consensus attacks typically visible to the public

Delay functions enable participatory protocols

• Every participant in a massive online game or lottery can contribute!
• On-chain costs are constant

​

• Observation: participants don’t care who else participates!
• Only need to check that their own contribution is included
• “The more the merrier”

Open questions

• Can we make delay functions practical?

​

• How do cryptographic DRBs fit with existing regulations and laws?

​

• Will cryptographic DRBs be convincing to policy makers?

​

• Will cryptographic DRBs be convincing to users?

​

Papers cited

SoK: Distributed Randomness Beacons.

Kevin Choi, Athira Manoj and Joseph Bonneau.

IEEE Security & Privacy (Oakland) 2023

https://eprint.iacr.org/2023/728

​

​

Bicorn: An optimistically efficient distributed randomness beacon

Kevin Choi, Arasu Arun, Nirvan Tyagi and Joseph Bonneau.

Financial Crypto 2023

https://eprint.iacr.org/2023/221

​

Cornucopia: Distributed randomness beacons at scale

Miranda Christ, Kevin Choi, and Joseph Bonneau.

(in submission)

https://eprint.iacr.org/2023/1554

Commit-reveal-delay (Bicorn) [CATB23]

As secure as Unicorn, but with a fast optimistic case!

• Fast if all participants are honest

​

Commit-reveal-delay (Bicorn) [CATB23]

1. Commit
1. Using a variant of timed commitments

c₃

c₂

c₁

Commit-reveal-delay (Bicorn) [CATB23]

1. Commit
1. Using a variant of timed commitments

​

2. Reveal
2. If all reveal, result immediately available

e₃

e₂

e₁

Ω

Commit-reveal-delay (Bicorn) [CATB23]

1. Commit
1. Using a variant of timed commitments

​

2. Reveal
2. If all reveal, result immediately available

​

3. Delay (pessimistic case)
3. Force open any unopened commitments
4. Homomorphism enables single delay computation
5. Identical result to optimistic case (no bias possible)

c₃

c₂

c₁

Ω

Cornucopia [CCB24]

As secure as Unicorn, but with a constant-size broadcast!

• Using a semi-trusted coordinator

​

Cornucopia [CCB24]

N users

Public Bulletin Board

Coordinator

Contribution r_i

Inclusion proof π_i

Commitment R

Result Ω = Delay(R)

• Verify r_i ∊ R
• Verify Ω = Delay(R)

Output Ω is guaranteed random if r_i is random

... regardless of other participant’s actions!

Result Ω

Cornucopia [CCB24]

• N users submit their contribution r_i to coordinator

​

• Coordinator accumulates all contributions
• R = Accumulate(r₁, r₂, ... , r_N)
• Each user receives π_i = ProveInclusion(R, r_N)
• Public random output Ω = Delay(R)
• Any single party can compute this. Efficiently verified using a VDF

​

Security proven using a new accumulator property:

insertion security

Many combinations are possible

• Punishments can be added to many protocols
1. Discourage withholding attacks which harm efficiency

​

• Tricky to combine parallel protocols
• Last protocol can subvert others
• Delay functions patch this!

​

• Committee-based protocol can use any DRB as a subroutine

Slight improvement: better entropy combination

• Poor choices: linear function
• e.g. addition, xor
• Attacker can choose any outcome
• Better: hash function
• Attacker must grind to find good outcome
• Classic line of research: low-influence functions
• last mover must have influence Ω(1/n)

e₃

e₂

e₁

Committee DRB options

1. Freshly generated entropy
• Commit-reveal-recover variants
2. Precommitted entropy
• Randomness comes from unpredictability of committee

Unbiasability security game

Ω₀

Ω₁

Ω_b

b=1

honest run

infiltrated run

Unbiasability: Attacker has negligible advantage guessing b

Expected attack costs for commit-reveal-punish

• Attacker gains utility +U from event which occurs with probability p

​

• Attacker expects (1/p - 1) aborts

​

• Require a deposit d such that d > U(1-p)/p

​

Might be okay for low probability events

Approaches we won’t discuss in detail

• Centralized beacons [e.g. NIST, random.org]
• No verifiability whatsoever
• Physical randomness
• No cryptographic verifiability
• “Implicit beacons” [e.g. stock market, blockchain data]
• Unclear security guarantees
• ... but commonly used in the early days of Ethereum! (block.blockhash)

Generalized security definition framework

1. Unbiasability
• Attackers participating in the protocol cannot produce distinguishable bias
2. Liveness
• Attackers participating in the protocol cannot prevent output (Ω=⟂)
3. Unpredictability
• Attackers cannot predict any property of the output (Ω=⟂)
• Intra-unpredictability (within an epoch)
• Inter-unpredictability (between epochs)

Public randomness: an ancient challenge

kleroterion, Ancient Greece dice, Ancient Rome

DRB design flow chart

commit-reveal (vulnerable)

Clear economic model?

commit-reveal-punish

Honest majority?

delay-based DRB

Static participant set?

pseudorandom DRB

Small participant set?

commit-reveal-recover

yes

no

yes

yes

Many additional practical considerations

• Efficiency
• Communication complexity
• Verifier complexity
• Delay computation requirements
• Worst-case damage
• Biasing vs. predictability
• Recovery from faults
• Ad hoc participation (re-keying costs)

Long-term goal: deploying DRBs outside of web3

Key challenge: explaining limits of physical randomness, benefits of DRBs

Many avenues for future work

• Cryptographic
• Improved single secret leader election (SSLE)
• Develop definitions in UC framework
• Prove adaptive security of (sub)protocols
• Harness traditional crypto literature on randomness extractors
• Prove fundamental limits on DRBs in each model
• Engineering
• Improve practicality of verifiable delay functions
• Economics
• Attacker costs with more complex attacker utility function
• Security model for implicit beacons (asset prices, blockchain data)

Detailed comparison in SoK paper

SoK: Distributed Randomness Beacons.

Kevin Choi, Athira Manoj and Joseph Bonneau.

IEEE Security & Privacy (Oakland) 2023

https://eprint.iacr.org/2023/728

Important disclosures

The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation.

​

This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities, digital assets, tokens, and/or cryptocurrencies are for illustrative purposes only and do not constitute a recommendation to invest in any such instrument nor do such references constitute an offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments for which the issuer has not provided permission for a16z to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at https://a16z.com/investments/.

​

Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see https://a16z.com/disclosures for additional important information.

Strawman: Rock-Paper-Scissors

Ω = e₁ + e₂ + e₃ (mod k)

Secure given any one honest participant... assuming perfect synchrony

e₃

e₂

e₁

Manipulating Rock-Paper-Scissors with Δ>0

• Last participant sets e₃ = Ω_* - e₁ - e₂
• For desirable outcome Ω_*

​

Ω_* (forced beacon output)

e₃

e₂

e₁

Public randomness: an ancient challenge

kleroterion, Ancient Greece dice, Ancient Rome

Verifiable Delay Functions [BBBF18]

​

• Setup(t, λ) → pp

​

• Eval(pp, x) → y, π

​

• Verify(pp, x, y, π) → Y/N

​

V: efficient to verify

​

D: t-sequential to solve

​

F: unique output

API

Security goals

Timeline for a verifiable lottery

1. Commit to lottery algorithm
2. Open audit period
3. Read random seed from beacon
4. Run algorithm using seed
5. Independent verification

for p in players:

p.rank = H(p, R)

​

sort(players)

for p in players:

p.rank = H(p, R)

sort(players)

+

Timeline for a verifiable lottery (take 2)

1. Run lottery algorithm n times
2. Open audit period
3. Read random seed from beacon
4. Select from precomputed outputs

for p in players:

p.rank = H(p, R)

​

sort(players)

+

Alice

Alice

Alice

Alice

Alice

Physical randomness can be faked

Physical randomness can fail

US conscription lottery, 1969

Physical randomness can fail

US conscription lottery, 1969

1. Load in order 2. Rotate axially 3. Draw from top

1

2

3

4

5

6

7

8

9

7

4

1

8

5

2

9

6

3

1

3

2

6

4

5

8

9

7

Physical randomness can fail

US conscription lottery, 1969

Commit-reveal: real-world example

1. Put die under cup

Commit-reveal: real-world example

1. Put die under cup
2. Roll die under cup

Commit-reveal: real-world example

1. Put die under cup
2. Roll die under cup
3. Lift cup

Commit-reveal: real-world example

1. Put die under cup
2. Roll die under cup
3. Lift cup
4. Combine die values

+ + =

(mod 6)

Beacons often implemented via authority

Committee-based DRBs

1. Select Committee
1. Deterministic/randomized
2. Public/secret elections

Committee-based DRBs

1. Select Committee
1. Deterministic/randomized
2. Public/secret elections

​

1. Committee runs another DRB
2. Typically commit-reveal-recover or pseudorandom
3. May run for many epochs

​

c₂ , PVSS(e₂)

c₁ , PVSS(e₁)

c₃, PVSS(e₃)

Ω

Committee selection strategies

1. Public
• Round-robin
• Leader-based selection
• Random selection (use previous output Ωi-1)
2. Private
• E.g. verifiable random function (VRF)
• Single secret-leader election (SSLE)

Better

adaptive security

Example committee-based DRBs

Freshly generated entropy

Precommitted entropy

Public selection

Private selection

Ouroboros [KRBO 17]

RandHound [SJKGGKFF 17]

SPURT [DVIR 21]

OptRand [BSKN 23]

​

HydRand [SJSW 20]

GRandPiper [BSKN 21]

Algorand [GHMVZ 17]

Variant of NV [NNLNNLN 19]

Pros/cons of committee-based DRBs

• Pro
1. Scalable costs with large numbers of participants
2. Flexible/modular construction possible

​

• Challenges
• Committee selection is an extra risk
• Adaptive security is challenging

​

Better SSLE would help

Observe: VDFs can patch many DRBs

• Stock-market/asset prices
• “Hash the blockchain”
• Commit-reveal-punish
• Including Ethereum’s RANDAO

​

​

​

DRB design flow chart

commit-reveal (vulnerable)

Clear economic model?

commit-reveal-punish

Honest majority?

delay-based DRB

Static participant set?

pseudorandom DRB

Small participant set?

commit-reveal-recover

committee-based DRB

yes

no

yes

yes

no

Commit-reveal-punish

• Advantages
• efficient
• O(n) communication, compute
• easily implemented

​

• Cons
• Requires capital lockup
• Benign faults must be punished
• Hard to bound attacker utility if beacons have multiple purposes

DRB design flow chart

commit-reveal (vulnerable)

Clear economic model?

commit-reveal-punish

Honest majority?

delay-based DRB

Static participant set?

pseudorandom DRB

Small participant set?

commit-reveal-recover

committee-based DRB

yes

no

yes

yes

no

Commit-reveal-recover

1. Commit
1. Publish c_i = Commit(e_i) as in classic CR
2. Secret-share e_i with all other nodes
1. PVSS: Publicly verifiable secret sharing

​

• Reveal
2. Publish e_i as in classic CR

​

e₂

e₁

e₃

Ω

Commit-reveal-recover

• Advantages
• Flexible participation
• Per-round entropy

​

• Challenges
• Relatively inefficient
• O(n²) communication
• Complex protocols
• If t needed to compute, n-t can block liveness
• Reconstruction causes extra overhead

Pseudorandom DRBs

• Advantages
• Efficient
• O(n) communication, compute
• Dishonest majority cannot manipulate
• Can only predict or stall

​

• Challenges
• If t needed to compute, n-t can block liveness
• Malicious coalition can predict infinitely far into the future
• No recovery from compromise
• Prudent to periodically re-key

Commit-reveal-recover

• Commit
• Publish c_i = Commit(e_i) as in classic CR
• Secret-share e_i with all other nodes
• PVSS: Publicly verifiable secret sharing

​

​

​

c₂ , PVSS(e₂)

c₁ , PVSS(e₁)

c₃, PVSS(e₃)

Commit-reveal-recover

• Commit
• Publish c_i = Commit(e_i) as in classic CR
• Secret-share e_i with all other nodes
• PVSS: Publicly verifiable secret sharing

​

• Reveal
• Publish e_i as in classic CR

​

e₂

e₁

e₃

Ω

Commit-reveal-recover

• Commit
• Publish c_i = Commit(e_i) as in classic CR
• Secret-share e_i with all other nodes
• PVSS: Publicly verifiable secret sharing

​

• Reveal
• Publish e_i as in classic CR
• ​
• Recover
• Honest participants reconstruct any missing e_i

e₂

e₁

∅

e₃

PVSS.reconstruct()

Ω

Commit-reveal-recover variants

• Better PVSS
• SCRAPE [CD 17]

​

• Amortized PVSS
• HERB [CSO 19]
• Albatross [CD 20]

​

• Remove optimistic case (share-reconstruct-aggregate)
• RandShare [SJKGGKFF 17]
• SecRand [GSX 20]

Commit-reveal-recover

• Advantages
• Flexible participation
• Per-round entropy

​

• Challenges
• Relatively inefficient
• O(n²) communication
• Complex protocols
• If t needed to compute, n-t can block liveness
• Reconstruction causes extra overhead

DRB design flow chart

commit-reveal (vulnerable)

Clear economic model?

commit-reveal-punish

Honest majority?

delay-based DRB

Static participant set?

pseudorandom DRB

Small participant set?

commit-reveal-recover

committee-based DRB

yes

no

yes

yes

no

Delay-based DRBs

• Advantages
• Secure under dishonest majority
• Efficient
• O(n) communication, compute. Can be reduced w/leader
• Flexible participation
• Per-round entropy
• Guaranteed output delivery

​

Delay-based DRBs

• Advantages
• Secure under dishonest majority
• Efficient
• O(n) communication, compute. Can be reduced w/leader
• Flexible participation
• Per-round entropy
• Guaranteed output delivery

​

• Challenges
• Delay functions induce latency
• Some party must compute the delay function
• a public good?
• Relatively new cryptographic assumptions
• Intra-predictability: attacker with faster VDF may learn outcome early