Building Blocks for Blockchains and Distributed Systems Philipp - - PowerPoint PPT Presentation

1

Building Blocks for Blockchains and Distributed Systems

Philipp Schindler pschindler@sba-research.org

SBA Research, 2019

SBA Research

2

Randomness Beacons

Philipp Schindler, Aljosha Judmayer, Nicholas Stifter, and Edgar Weippl. Hydrand: Practical continuous distributed randomness. In Proceedings of IEEE Symposium on Security and Privacy (IEEE S&P). IEEE,

• 2020. to appear.

SBA Research, 2019

SBA Research

3

https://xkcd.com/221

4

Why Randomness Beacons?

5

Properties

?

Bias-Resistance Scalability Unpredictability Liveness Public-Verifiability Energy Efficiency Guaranteed Output Delivery

6

Approaches

Publicly-Verifiable Secret Sharing (PVSS)

• Ouroboros, Scrape, RandHerd, HydRand

Verifiable Random Functions (VRFs)

• Algorand, Ouroboros Praos

(Verifiable) Delay Functions (VDFs)

• Bünz et. al. [1], Ethereum Casper?

Threshold Signatures (e.g. BLS)

• HoneyBadger BFT, Dfinity

[1] B. Bunz, S. Goldfeder, and J. Bonneau. Proofs-of-delay and randomness beacons in Ethereum. In S&B ’17: Proceedings of the 1st IEEE Security & Privacy on the Blockchain Workshop, April 2017.

7

Secret Sharing

Distribution Reconstruction

S1 S2 S3 S4 S5

S S

S2 S4 S5

Dealer Participants Subset of Participants

8

(Publicly-Verifiable) Secret Sharing

Shamir’s Secret Sharing

• (t, n) threshold scheme
• dealer distributes secret value

s to n participants

• any set of at least t participants

can reconstruct s

• dealer must be trusted

Schoenmakers’ PVSS

• (t, n) threshold scheme
• correctness of shares can be

verified prior to reconstruction

• uses non-interactive zero

knowledge proofs

• malicious dealers are

detected

9

Randomness Beacon via PVSS

Every node performs the following steps

• 1. share a random secret with all parties
• 2. run (BFT) consensus protocol to agree on the shared values
• 3. a) reveal previously shares secret

b) recover missing shared secrets

• 4. output new random beacon as combination of shares values

10

HydRand's Approach in a Nutshell

• integrated low overhead BFT protocol
• pipelining: only one PVSS per round

11

12

Verifiable Random Functions (VRFs)

• each node commits to a VRF public key pk
• obtain new random number R privately

R, π = VRF(sk, seed || round)

• reveal (R, π) if R < threshold as

leadership-credentials

• correctness verified using pk
• implemented e.g. using unique signatures and

hashes in practice

13

Verifiable Delay Function (VDFs)

VDF VDF VDF VDF VDF

14

Unique Threshold Signatures

• 1. sign message using

individual secret key

• 3. check signature via

group public key

• 2. aggregate

signatures

15

Unique Threshold Signatures

• share master secret key among nodes
• requires trusted dealer or
• distributed key generation protocol (DKG)
• each node signs seed (e.g. round index) using

its private key share

• shares are checked for correctness
• aggregation of shares as soon as enough

correct shares are obtained

16

Unique Threshold Signatures cont.

• aggregated signature serves as new random

number

• can be checked against master public key
• typically using pairing based cryptography
• BLS signature scheme

17

Comparison

PVSS VRFs VDFs

• Thres. Sig.

+ bias-resistance + no DKG + low communication + overhead + no DKG + leader privacy + low communication + overhead + bias-resistance + low communication + overhead + bias-resistance

• communication
• overhead
• bias-resistance
• not ensured
• timing assumptions
• throughput
• computation compl.
• parameter setup
• requires DKG
• requires pairings

18

Detailed Comparison & Our Protocol

Philipp Schindler, Aljosha Judmayer, Nicholas Stifter, and Edgar Weippl. Hydrand: Practical continuous distributed randomness. In Proceedings of IEEE Symposium on Security and Privacy (IEEE S&P). IEEE, 2020. to appear.

19

Distributed Key Generation

Philipp Schindler, Aljosha Judmayer, Nicholas Stifter, and Edgar Weippl. ETHDKG: Distributed Key Generation with Ethereum Smart Contracts. Cryptology ePrint Archive, Report 2019/985.

SBA Research, 2019

SBA Research

20

Applications

• randomness beacons
• (BFT) consensus protocols
• custodian and escrow schemes
• smart contracts
• threshold and time-lock encryption
• ...

21

• 1. sign message using individual

secret key

• 3. check signature via

group public key

• 2. aggregate signatures



22

individual secret / public key pairs group public key

23

individual secret / public key pairs group public key

24

smart contract on the Ethereum blockchain client application run by all the parties

25

Registration Sharing Dispute Key Derivation Client:

• generate BLS keypair
• submit public key

Smart Contract:

• checks eligibility of client to register

26

Registration Sharing Dispute Key Derivation Client:

• run VSS protocol for all registered parties
• submit encrypted shares and verification vectors

Smart Contract:

• "basic" validity checks on the submitted data
• store hash of the submitted data

27

Registration Sharing Dispute Key Derivation Client:

• verifies all of its shares received
• submits a dispute for all invalid shares

Smart Contract:

• checks if a claimed dispute is valid
• [withdraw security deposit on success]

28

Registration Sharing Dispute Key Derivation verify that all shares are valid check that a single share is indeed invalid if a party claims that

29

Registration Sharing Dispute Key Derivation Client:

• derive set of qualified nodes
• submit / recover final key shares
• compute master public key

Smart Contract:

• derive set of qualified nodes
• verify master public key

30

Scalability

31

Philipp Schindler, Aljosha Judmayer, Nicholas Stifter, and Edgar Weippl. ETHDKG: Distributed Key Generation with Ethereum Smart Contracts. Cryptology ePrint Archive, Report 2019/985. 2020.

32

Building Blocks for Blockchains and Distributed Systems

Philipp Schindler pschindler@sba-research.org

SBA Research, 2019

SBA Research