1 of 42

Ethereum 2.0 randomness

using a Verifiable Delay Function (VDF)

2 of 42

  1. Randomness beacon
  2. VDF cryptography
  3. VDF hardware

3 of 42

  • Randomness beacon

4 of 42

Core infrastructure

beacon chain

consensus layer

shards

application layer

secure sampling

EVM2.0 opcode

leader election

committee election

5 of 42

Key goals

unpredictable

unbiasable

unstoppable

6 of 42

Alternative randomness beacons

commit-reveal

RANDAO, Algorand, PoW

unpredictable

unbiasable

unstoppable

threshold crypto

Dfinity, Ouroboros (GOD)

unpredictable

unbiasable

unstoppable

7 of 42

RANDAO

slot 128

slot 2

slot 3

slot 4

beacon proposers

RANDAO epoch

128 slots (~17 minutes)

...

slot 1

...

global clock

8 of 42

RANDAO

slot 128

slot 2

slot 3

slot 4

RANDAO mix

beacon proposers

revealed?

RANDAO epoch

128 slots (~17 minutes)

...

slot 1

...

10 of 42

RANDAO

slot 128

slot 2

slot 3

slot 4

RANDAO mix

beacon proposers

0x00

revealed?

RANDAO epoch

128 slots (~17 minutes)

...

slot 1

...

12 of 42

RANDAO

slot 128

slot 2

slot 3

slot 4

RANDAO mix

beacon proposers

...

...

0x00

1-bit bias

revealed?

RANDAO epoch

128 slots (~17 minutes)

...

slot 1

or

0x00

...

13 of 42

Verifiable Delay Function (VDF)

VDF

input

32 bytes

output

256 bytes

14 of 42

Verifiable Delay Function (VDF)

VDF

difficulty

integer

input

32 bytes

output

256 bytes

15 of 42

Verifiable Delay Function (VDF)

VDF

difficulty

integer

input

32 bytes

output

256 bytes

proof

256 bytes

0.5ms verification

16 of 42

RANDAO + VDF

RANDAO mix

biasable

VDF output

unbiasable

1 epoch

RANDAO

mixing

VDF

delay

≥1 epoch

17 of 42

Safety argument

RANDAO

mixing

earliest

RANDAO mix

1 epoch

≥1 honest proposer

predictable by

attacker

18 of 42

Safety argument

RANDAO

mixing

VDF

delay

earliest

VDF output

earliest

RANDAO mix

1 epoch

≥1 honest proposer

19 of 42

Safety assumption

speed advantage ≤ Amax

vs

attacker hardware

commodity hardware

20 of 42

Liveness assumption

≥1 online VDF evaluator

21 of 42

Guaranteed delay

≥1 epoch

guaranteed delay

Amax epochs

evaluation period

22 of 42

Inclusion buffer

VDF

evaluation

RANDAO

mixing

1 epoch

1 epoch

Amax epochs

inclusion

buffer

onchain

offchain

23 of 42

RANDAO reseed

RANDAO

mixing

VDF

evaluation

RANDAO

mixing

inclusion

buffer

...

next 128 proposers

24 of 42

Parallel staggered beacons

25 of 42

  • Randomness beacon

  • VDF cryptography

  • VDF hardware

26 of 42

Sequentiality assumption

x -> x**2 % N

SQUARING

N # fixed 2048-bit RSA modulus

27 of 42

Sequentiality assumption

x -> x**2 % N

SQUARING

N # fixed 2048-bit RSA modulus

x # VDF input

T # time parameter

x -> x**2 -> x**4 -> ... -> x**(2**T)

T SQUARINGS

28 of 42

Wesolowski VDF (June 2018)

y = x**(2**T) % N

OUTPUT

29 of 42

Wesolowski VDF (June 2018)

y = x**(2**T) % N

p = x**(2**T // B) % N

B # random 128-bit prime (Fiat-Shamir)

OUTPUT

PROOF

30 of 42

Wesolowski VDF (June 2018)

y = x**(2**T) % N

p = x**(2**T // B) % N

B # random 128-bit prime (Fiat-Shamir)

OUTPUT

PROOF

y == p**B * x**(2**T % B) % N

VERIFICATION
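
The OUTPUT, PROOF and VERIFICATION formulas above, carried through end to end as an added example (not code from the slides or from any Ethereum client). The function names, the SHA-256 hash-to-prime used for the Fiat-Shamir challenge, and the toy modulus are assumptions; the slides specify a 2048-bit RSA modulus of unknown factorization and a 128-bit prime B.

```python
import hashlib

# Constructed toy modulus (two Mersenne primes, factors public): NOT secure.
N = (2**61 - 1) * (2**89 - 1)

def is_probable_prime(n):
    """Miller-Rabin over fixed small bases; intended for large odd candidates."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if any(n % q == 0 for q in bases):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        v = pow(a, d, n)
        if v in (1, n - 1):
            continue
        for _ in range(s - 1):
            v = v * v % n
            if v == n - 1:
                break
        else:
            return False
    return True

def challenge_prime(x, y, T):
    """Fiat-Shamir: derive the 128-bit prime B from the transcript (x, y, T)."""
    digest = hashlib.sha256(f"{x}|{y}|{T}".encode()).digest()
    b = int.from_bytes(digest[:16], "big") | (1 << 127) | 1  # 128 bits, odd
    while not is_probable_prime(b):
        b += 2
    return b

def evaluate(x, T):
    """OUTPUT: T sequential squarings, y = x**(2**T) % N."""
    y = x % N
    for _ in range(T):
        y = y * y % N
    return y

def prove(x, y, T):
    """PROOF: p = x**(2**T // B) % N (2**T is materialized; fine for small T)."""
    B = challenge_prime(x, y, T)
    return pow(x, (1 << T) // B, N)

def verify(x, y, p, T):
    """VERIFICATION: y == p**B * x**(2**T % B) % N, with no T-step loop."""
    B = challenge_prime(x, y, T)
    return y % N == pow(p, B, N) * pow(x, pow(2, T, B), N) % N
```

The verifier's exponents are at most 128 bits, which is why checking costs two short modular exponentiations while evaluation costs T squarings that cannot be parallelized.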

31 of 42

One-time RSA ceremony

1024

participants

trustless

coordinator

...

2048-bit

RSA modulus

N

32 of 42

Multi-party computation

Ligero Inc.

Participants

1024

Modulus size

2048 bits

Security

(n – 1)-maliciously secure

Synchronicity

synchronous

Duration

~10 minutes

Communication

20 rounds

33 of 42

  • Randomness beacon
  • VDF cryptography

  • VDF hardware

34 of 42

Rough expectations

Latency

2 ns per modular squaring

Process node

TSMC 16nm (FinFET)

Die area

20 mm²

Power

7 W

Form factor

standalone

VDF ASIC count

10 (= Amax, valid for 5 years)

Cooling

fan

Power

100 W

VDF ASIC

VDF rig

35 of 42

Costs

R&D

$15–$25 million

Rigs

$5 million (5K rigs @ $1K each)

Total

$20–$30 million

in partnership with

36 of 42

Circuit competition

$1+ million

cash prizes

37 of 42

Open hardware research

  • (modular) multipliers
  • reduction trees
  • compressors
  • finFET cells
  • asynchronous circuits
  • approximate adders

VDF@ethereum.org

VDFresearch.org

38 of 42

PoW randomness vs VDF randomness

Ethereum 1.0

(massively parallel) PoW

Ethereum 2.0

(inherently sequential) VDF

Leader election

biasable

unbiasable

Power consumption

~2,300 MW

~0.25 MW

Hardware

~10,000,000 GPUs

2,500 VDF rigs

Protocol subsidies

~$1 billion per year

~$1 million per year

39 of 42

WW3-proof unbiasable randomness

largest multiparty computation

first open-source ASIC

largest cross-blockchain collaboration

40 of 42

thank you

and ~50 researchers and contributors

41 of 42

Question—What about exotic hardware?

  • gallium-arsenide (GaAs)
  • silicon-germanium (SiGe)
  • carbon nanotubes (CNTFET)
  • rapid single flux quantum (RSFQ)
  • photonics/optical
  • single electron transistor (SET)
  • quantum-dot cellular automata (QCA)

→ not manufacturable for millions of gates

42 of 42

Question—Are any other projects interested in VDFs?