This document provides an overview of the cryptographic building blocks that drand uses to generate publicly verifiable, unbiased, and unpredictable randomness in a distributed manner.
drand relies on threshold cryptography, where a minimum number of participants must work together to execute cryptographic operations. This approach avoids single points of failure and enhances security.
The drand beacon operates in two phases: 1.) the setup phase and 2.) the beacon phase.
The setup phase creates a collective private and public key pair shared among participants. This is done through a Distributed Key Generation (DKG) process, ensuring that no individual node knows the entire collective private key. Each private key share is used for cryptographic threshold computations, such as generating threshold signatures.
Secret sharing allows a secret value to be split into shares, which can be reconstructed only if a threshold of shares is available. drand uses Shamir's Secret Sharing (SSS) scheme, which is well-known for its reliability and security.
<aside> <img src="/icons/mathematics_green.svg" alt="/icons/mathematics_green.svg" width="40px" /> In Shamir's Secret Sharing (SSS), a polynomial of degree $tβ1$ is constructed, where $t$ is the threshold. The secret is the constant term of this polynomial, and each share is a point on the polynomial. To reconstruct the secret, at least $t$ shares are needed to solve the polynomial equation.
</aside>
Verifiable Secret Sharing (VSS) ensures that participants can verify their shares, protecting against malicious dealers. drand uses Feldman's VSS scheme, an extension of SSS, to ensure the shared secret can be correctly reconstructed.
<aside> <img src="/icons/mathematics_green.svg" alt="/icons/mathematics_green.svg" width="40px" /> Feldman's VSS enhances SSS by adding commitments to the polynomial's coefficients. These commitments allow participants to verify their shares against the public commitments, ensuring that the dealer has distributed consistent shares.
</aside>
DKG creates a collectively shared secret without any single participant knowing it. drand uses Pedersen's DKG scheme, running multiple instances of Feldman's VSS in parallel to create a final share for each participant. This collective public key is then used in the randomness generation phase.
<aside> <img src="/icons/mathematics_green.svg" alt="/icons/mathematics_green.svg" width="40px" /> In Pedersen's DKG, each participant generates their own secret and shares it using VSS. The participants then combine these shares to form the collective secret, ensuring that no single participant knows the entire secret.
</aside>
In the beacon phase, drand uses pairing-based cryptography to generate publicly verifiable, unbiased, and unpredictable randomness. The process involves threshold Boneh-Lynn-Shacham (BLS) signatures.
Pairing-based cryptography uses bilinear groups to create efficient cryptographic operations. drand currently uses the BLS12-381 curve.
<aside> πΊοΈ Pairing-based cryptography involves a bilinear map, usually denoted as $e: G_1 \times G_2 \to G_T$, where $G_1$, $G_2$, and $G_T$ are groups with certain mathematical properties. This map allows for efficient verification of signatures and is central to constructing BLS signatures.
</aside>