DFINITY Crypto Techniques · Producing a decentralized Verifiable Random Function (VRF)
TRANSCRIPT

Slide 1: DFINITY Crypto Techniques (title slide)

Slide 2: INTRODUCING DFINITY Crypto Techniques
V1 - 19th May 2017

Slide 3: Threshold Relay
Produce randomness that is incorruptible, unmanipulable and unpredictable

Slide 4: BACKGROUNDER
Explain “unique deterministic” threshold signatures…
Slide 5: Usually a signer creates a signature on message data
[Diagram: an AUTHORIZED SIGNER holding a private key and a public key (the signer’s identity) applies SIGN to shared seed data (“message”), producing a signature shown as a bit string; SIGNATURE VERIFIERS receive it.]

Slide 6: That can be verified using the signer’s public key
[Diagram: as slide 5, with each verifier running VERIFY on the signature using the signer’s public key.]

Slide 7: If scheme unique and deterministic then only 1 correct signature
[Diagram: as slide 6; the signature is labelled DETERMINISTIC RANDOM NUMBER.]
THE SIGNATURE IS A RANDOM NUMBER, AS, IF IT WERE PREDICTABLE, THE SIGNATURE SCHEME WOULD NOT BE SECURE
Slide 8: Unique and deterministic threshold signature scheme possible
[Diagram: a THRESHOLD GROUP identified by a group public key (the group’s identity); three signers each SIGN the shared seed data (“message”) to produce Share 1, Share 2 and Share 3; COMBINE turns the shares into the group signature, labelled DETERMINISTIC RANDOM NUMBER; SIGNATURE VERIFIERS run VERIFY against the group public key.]
GROUP MEMBERS INDEPENDENTLY SIGN THE MESSAGE TO CREATE “SIGNATURE SHARES”. A THRESHOLD NUMBER ARE COMBINED TO CREATE THE OUTPUT SIGNATURE

Slide 9: Whatever subset (threshold) of group sign still same signature
[Diagram: as slide 8, but with a larger group in which a different subset of members contributes Share 1, 3, 4, 5, 7 and 9; COMBINE yields the same group signature, which the verifiers VERIFY against the same group public key.]
Slides 10-14: Important observations of powerful magic
[Diagram repeated on each slide: verifiers and the DETERMINISTIC RANDOM NUMBER; the list below is built up one point per slide.]
1. A group identified by its threshold public key can only produce a single valid output signature on given seed data
2. A group is fault tolerant and any subset of threshold size can distribute signature shares for combination into the signature
3. The resulting threshold signature can be validated by anyone who has the group’s public key and the seed data
4. The signature is a deterministically produced random number
5. Given a group’s public key and the input seed data the verifiers reach immediate consensus on the random number produced without running a consensus protocol…
Slide 15: A unique deterministic threshold signature scheme: Boneh-Lynn-Shacham signatures (BLS)
BLS, 2001 (Stanford University)

Parameters
- Two groups of prime order r (on two elliptic curves): $G_1, G_2$
- Generators: $Q_1 \in G_1,\ Q_2 \in G_2$
- Bi-linear pairing: $e : G_1 \times G_2 \to G_T$

Key Generation
- Secret key: $x \bmod r$
- Public key: $P = xQ_2 \in G_2$

Signing
- Message hashed to $H(m) \in G_1$
- Signature: $s = xH(m) \in G_1$

Verification
- $e(s, Q_2) \stackrel{?}{=} e(H(m), P)$

TIP 1: Ben Lynn is a full time member of the DFINITY team
TIP 2: You don’t need to understand this crypto to understand the remaining slides…
Slide 16: DECENTRALIZED VERIFIABLE RANDOM FUNCTION
Relay between groups to create a random sequence

Slide 17: A vast peer-to-peer broadcast network of mining clients…

Slide 18: Whose public keys are registered on a supporting ledger
PUBKEY 0x1bd1ccf169d755306e077b38cb9aeae28e245351  DEPOSIT: 1000 DFN
PUBKEY 0x2b197453dcfabe85be2fbe31c8cc19bd30576ed0  DEPOSIT: 1000 DFN
PUBKEY 0x9a197453dcface85be2fbe32c8cc19bd30576ee1  DEPOSIT: 1000 DFN

Slide 19: Each client (“process”) belongs to threshold groups

Slide 20: Whose public keys are also registered on the supporting ledger
GRP PUBKEY 0x7de4ac5…
GRP PUBKEY 0x8fb251b…
GRP PUBKEY 0x1a7234e…
GRP PUBKEY 0x2b197453…
GRP PUBKEY 0xb6e1a33…
…
Slide 21: At each height in the sequence, there is a current group…
[Diagram: the chain at height $h$.]

Slide 22: That signs the previous group’s signature…
(using the BLS Signature Scheme)

Slide 23: Their random number selects the next group (the “relay”)
$G_{h+1} = G[\sigma_h \bmod |G|]$

Slide 24: The relaying between groups is unmanipulable and infinite
Slide 25: This is what Threshold Relay looks like
[Diagram: the SIGNATURE $\sigma_{h-1}$ produced at height $h-1$.]

Slide 26: The signature created at h-1 selects the group at h
$G_h = G[\sigma_{h-1} \bmod |G|] \Longrightarrow h$

Slide 27: Group members at h broadcast signature shares
BROADCAST $\{\sigma_h^p,\ p \in G_h\}$ at height $h$

Slide 28: Collect threshold of shares & create unique group signature…
SIGNATURE $\sigma_h = \mathrm{bls}(\{\sigma_h^p,\ p \in G_h\})$ at height $h$

Slide 29: That selects the next group, ad infinitum
$G_{h+1} = G[\sigma_h \bmod |G|] \Longrightarrow h+1$

Slide 30: Producing a decentralized Verifiable Random Function (VRF)
Random number sequence is: Deterministic, Verifiable, Unmanipulable
Next value released on agreement of a threshold of the current group… Unpredictable
$\ldots,\ \sigma_{h-7},\ \sigma_{h-6},\ \sigma_{h-5},\ \sigma_{h-4},\ \sigma_{h-3},\ \sigma_{h-2},\ \sigma_{h-1},\ \sigma_h \Longrightarrow$
No consensus protocol is necessary!
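The threshold signing of slides 8-14 and the relay step $G_{h+1} = G[\sigma_h \bmod |G|]$ of slides 23-29, worked through in code. This is an added example, not DFINITY's implementation: real BLS shares live on a pairing-friendly elliptic curve, whereas the toy group, prime, generator and every function name here (make_shares, sign_share, combine, threshold_relay) are constructed for illustration and give no security.

```python
"""Toy model of a unique, deterministic threshold signature and of the
Threshold Relay step G_{h+1} = G[sigma_h mod |G|].

The group is the order-Q subgroup of Z_P^* for a constructed toy safe prime
P = 2Q + 1, so the Shamir-share / Lagrange-combination algebra of the slides
is visible, but there is no pairing and no security (assumption: toy only).
"""
import hashlib
import random

P = 1019            # toy safe prime (constructed): P = 2*Q + 1
Q = 509             # order of the subgroup of squares, the slide's "r"
G = 4               # generator of that subgroup (2 squared)


def hash_to_group(message: bytes) -> int:
    """H(m): map the message to a non-identity element of the order-Q subgroup."""
    e = int.from_bytes(hashlib.sha256(message).digest(), "big") % (Q - 1) + 1
    return pow(G, e, P)


def make_shares(secret: int, threshold: int, n: int, rng=None) -> dict:
    """Shamir split of the group secret: f(0) = secret, member i holds f(i) mod Q."""
    rng = rng or random.Random(0)
    coeffs = [secret] + [rng.randrange(1, Q) for _ in range(threshold - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}


def sign_share(share: int, message: bytes) -> int:
    """A member's signature share, H(m)^{x_i} (the slide writes this x_i * H(m))."""
    return pow(hash_to_group(message), share, P)


def lagrange_at_zero(i: int, ids) -> int:
    """Coefficient lambda_i such that sum(lambda_i * f(i)) = f(0) over `ids`."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def combine(sig_shares: dict) -> int:
    """Combine any threshold-sized set of shares into the group signature.
    Product of H(m)^{x_i * lambda_i} = H(m)^{f(0)}, independent of which ids signed."""
    ids = list(sig_shares)
    sigma = 1
    for i, s in sig_shares.items():
        sigma = sigma * pow(s, lagrange_at_zero(i, ids), P) % P
    return sigma


def group_sign(shares: dict, signer_ids, message: bytes) -> int:
    """Members in signer_ids broadcast shares; anyone can combine a threshold."""
    return combine({i: sign_share(shares[i], message) for i in signer_ids})


def threshold_relay(groups: list, seed: bytes, heights: int, pick_signers) -> list:
    """Run the relay: at height h the current group signs sigma_{h-1}; the
    resulting sigma_h selects G_{h+1} = groups[sigma_h mod len(groups)]."""
    sigmas, current, message = [], 0, seed
    for _ in range(heights):
        shares = groups[current]
        sigma = group_sign(shares, pick_signers(shares), message)
        sigmas.append(sigma)
        current = sigma % len(groups)          # the "relay"
        message = sigma.to_bytes(4, "big")     # next group signs this sigma
    return sigmas


def demo() -> tuple:
    """Same seed, same groups, different signer subsets: identical sequences."""
    rng = random.Random(7)
    threshold, size = 3, 5
    groups = [make_shares(rng.randrange(1, Q), threshold, size, rng) for _ in range(4)]
    run1 = threshold_relay(groups, b"genesis", 6, lambda s: list(s)[:threshold])
    run2 = threshold_relay(groups, b"genesis", 6, lambda s: list(s)[-threshold:])
    return run1, run2


if __name__ == "__main__":
    r1, r2 = demo()
    print("identical sequences:", r1 == r2, r1)
```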
Slide 31: “Random numbers should not be generated with a method chosen at random” - Donald Knuth

Slide 32: COMING UP…
TLDR; such unmanipulable randomness is powerful…
- Decentralized Applications with advanced features, e.g. PHI autonomous loan issuance and crypto “fiat”
- Decentralized Protocols for “Scaling Out”: Validation Towers, Validation Trees, USCIDs, Lottery Charging, Lazy Validation
- PSP Blockchain Designs
- Validate anything…
- Fair financial exchanges…
Slide 33: Fault Tolerance Example
NETWORK METRICS
Processes 10,000
Faulty 3,000
(Correct) 7,000
Group Size 400
Threshold 201

Probability that a sufficient proportion of the group are faulty that it cannot produce a signature:
$P(\mathrm{Faulty} \ge 200)$: 1e-17
Calculated using hypergeometric probability, e.g. http://www.geneprof.org/GeneProf/tools/hypergeometric.jsp

Note: in practice the probability 30% of professionally run mining processes “just stop” is very low. Miners will generally deregister IDs to retrieve deposits when exiting.
Note: groups should expire to thwart “adaptive” adversaries
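The slide's 1e-17 figure recomputed from its network metrics. This is an added example, not the deck's or DFINITY's code; the function names are mine, and the sweep over faulty fractions goes beyond the slide's single number.

```python
"""Fault-tolerance calculation behind the slide: 10,000 processes of which
3,000 are faulty, groups of 400 with threshold 201. A group cannot produce a
signature when fewer than 201 members are correct, i.e. when at least
400 - 201 + 1 = 200 members are faulty.

Group members are drawn without replacement from the registered processes,
so the exact distribution is hypergeometric; the tail is summed exactly with
big integers instead of using the web tool the slide cites.
"""
from math import comb


def prob_faulty_at_least(population: int, faulty: int, group: int, k: int) -> float:
    """P(Faulty >= k) for a group of size `group` drawn without replacement
    from `population` processes of which `faulty` are faulty."""
    total = comb(population, group)
    hits = sum(comb(faulty, x) * comb(population - faulty, group - x)
               for x in range(k, min(faulty, group) + 1))
    return hits / total          # exact integer ratio, rounded once to float


def group_failure_probability(population: int = 10_000, faulty: int = 3_000,
                              group: int = 400, threshold: int = 201) -> float:
    """Probability that one group cannot sign: correct members < threshold."""
    return prob_faulty_at_least(population, faulty, group, group - threshold + 1)


def sweep_faulty_fraction(fractions, population: int = 10_000,
                          group: int = 400, threshold: int = 201) -> dict:
    """Failure probability as the faulty share of the network grows
    (this sweep is an addition beyond the slide's single data point)."""
    return {f: group_failure_probability(population, int(population * f),
                                         group, threshold)
            for f in fractions}


if __name__ == "__main__":
    print(f"P(Faulty >= 200) = {group_failure_probability():.2e}")
    for f, p in sweep_faulty_fraction((0.2, 0.3, 0.4)).items():
        print(f"faulty fraction {f:.0%}: group failure probability {p:.2e}")
```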
Slide 34: Communications Overhead Example
GROUP SIZE
Group size 400
Threshold 201

MESSAGE FORMAT
Process ID 20 bytes
Signature share 32 bytes
Signature on comms 32 bytes
Total 84 bytes

COMMUNICATION OVERHEAD
Expected 22 KB

In order for a group to produce a threshold signature, its members must broadcast “signature shares” on the message that can be combined. Here is a typical packet carrying a signature share.
400 messages involve 34 KB of data transfer. However, only 17 KB (half the messages) are required to construct the signature. Thereafter signature shares are not relayed, so a more typical overhead is 22 KB.
Slide 35: BACKGROUNDER
How to set up groups…

Slide 36: Clients randomly assigned to groups by randomness (VRF)
[Diagram: a list of prospective groups, each with its GRP PUBKEY still unset (“-”); more follow (…).]

Slide 37: Need to set up threshold scheme within 1000 blocks using DKG…
[Diagram: as slide 36; one group is running Joint Feldman DKG.]

Slide 38: Successful groups register their Public Key on the ledger
[Diagram: as slide 37; the group that completed DKG now shows GRP PUBKEY 0x2b197453…, the others still “-”.]

Slide 39: Setup is independent of blockchain progression…
[Diagram: as slide 38; two further groups are running Joint Feldman DKG.]

Slide 40: And occurs asynchronously
[Diagram: as slide 39; GRP PUBKEY 0x7de4ac5…, 0x8fb251b… and 0x2b197453… are now registered, two groups still “-”.]
Slide 41: New clients and groups activated in CURRENT_EPOCH + 2
[Diagram: epochs $\xi-3$, $\xi-2$, $\xi-1$, $\xi$, each starting with a KEY FRAME BLOCK, up to the CHAIN HEAD. A Join tx for CLIENT 0x6e22e1ba… and a Join tx for GROUP 0x2b197453… are recorded in an earlier epoch; Activation… of GROUP 0x2b197453… and CLIENT 0x6e22e1ba… follows two epochs later.]
In choosing the epoch length there are a number of considerations. For correctness, an epoch must minimally contain more blocks than may ever be present in a chain fork. However, since light clients only require key frame header copies, for reasons of efficiency, epochs may be much longer, e.g. one week.
Slide 42: Probabilistic Slot Protocol
Extend the Threshold Relay system to produce a more secure and faster (50X faster than Ethereum) blockchain

Slides 43-46: At each height, the randomness orders the processes…
[Diagram, built up over four slides: each VRF output produces an ordering of processes for its height. $\sigma_{h-3}$: P0xA19..., P0x9E3..., P0x11F..., P0x402...; $\sigma_{h-2}$: P0x8C2..., P0x398..., P0x2DA..., P0x7A5...; $\sigma_{h-1}$: P0x49B..., P0x621..., P0xB0B..., P0x904...; $\sigma_h$: P0xC6A..., P0x03E..., P0xD1D..., P0x3E1....]
Slide 47: Indexes are priority “slots” for forging (zero highest)
[Diagram: the same four orderings as slides 43-46, with the rows labelled SLOT0, SLOT1, SLOT2, SLOT3, ...]

Slide 48: Value of candidate blocks scored by author’s slot…
[Diagram: SLOT0 = 1 pt, SLOT1 = 1/2 pt, SLOT2 = 1/4 pt, SLOT3 = 1/8 pt.]

Slide 49: Can also introduce block relay rules, e.g. delays
[Diagram: as slide 48, with per-slot relay delays of 5s, 6s, 7s and 8s for SLOT0 to SLOT3.]

Slide 50: We can create & score blockchains that converge
[Diagram: heights $h-3$, $h-2$, $h-1$, $h$ with the slot scores and delays above; competing chains are scored 3 pts and 3 1/4 pts, and the BEST PARENT is marked.]
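Slot scoring and best-parent selection from slides 47-50, together with the notarized-parent rule stated on slide 52, as an added Python example that is not DFINITY's code. The ranking function, process ids, sigma values and all names are constructed, since the slides show the slot table but not the function that derives it from $\sigma_h$.

```python
"""Probabilistic Slot Protocol scoring: the VRF output sigma_h orders the
processes into priority slots, a block is worth 1/2^slot points by its
author's slot, a chain's score is the sum of its blocks' points, and a block
at h must build on a chain head notarized at h-1.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


def slot_order(processes, sigma_h: int) -> list:
    """Rank processes for height h by hashing each id with sigma_h (assumed
    ranking function); index 0 is SLOT0, the highest forging priority."""
    def key(pid: str) -> bytes:
        return hashlib.sha256(sigma_h.to_bytes(32, "big") + pid.encode()).digest()
    return sorted(processes, key=key)


def slot_score(slot: int) -> float:
    """SLOT0 = 1 pt, SLOT1 = 1/2 pt, SLOT2 = 1/4 pt, ..."""
    return 1.0 / (2 ** slot)


@dataclass(eq=False)
class Block:
    height: int
    author: str
    parent: Optional["Block"]
    notarized: bool = False      # carries a threshold signature from group G_h


def block_score(block: Block, order_at_height: dict) -> float:
    """Score a block by the slot its author holds at the block's height."""
    return slot_score(order_at_height[block.height].index(block.author))


def chain_score(head: Block, order_at_height: dict) -> float:
    """A chain's score is the sum of its blocks' slot scores."""
    total, b = 0.0, head
    while b is not None:
        total += block_score(b, order_at_height)
        b = b.parent
    return total


def valid_extension(block: Block) -> bool:
    """A block proposed at h must reference a block notarized at h-1."""
    p = block.parent
    return p is not None and p.notarized and p.height == block.height - 1


def best_parent(candidates, order_at_height: dict) -> Optional[Block]:
    """Build on the highest-scoring *notarized* chain head; an unnotarized
    head, however well it scores, is not a valid parent."""
    eligible = [b for b in candidates if b.notarized]
    if not eligible:
        return None
    return max(eligible, key=lambda b: chain_score(b, order_at_height))


def demo() -> dict:
    """Constructed fork: two notarized heads at height 2 and one unnotarized
    head that scores higher but cannot be built on."""
    order = {0: ["G"], 1: ["A", "B", "C"], 2: ["C", "A", "B"]}
    genesis = Block(0, "G", None, notarized=True)
    a1 = Block(1, "A", genesis, notarized=True)   # SLOT0 at h=1 -> 1 pt
    b1 = Block(1, "B", genesis, notarized=True)   # SLOT1 at h=1 -> 1/2 pt
    a2 = Block(2, "A", a1, notarized=True)        # SLOT1 at h=2 -> 1/2 pt
    b2 = Block(2, "B", b1, notarized=True)        # SLOT2 at h=2 -> 1/4 pt
    c2 = Block(2, "C", a1, notarized=False)       # SLOT0 at h=2, never notarized
    parent = best_parent([a2, b2, c2], order)
    return {"scores": {b.author: chain_score(b, order) for b in (a2, b2, c2)},
            "best_parent": parent.author,
            "c2_usable": valid_extension(Block(3, "A", c2))}


if __name__ == "__main__":
    print(demo())
```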
Slide 51: Very nice. But usual limitations. O no…
SELFISH MINING ATTACKS: The adversary can withhold blocks to gain an advantage over honest processes. Selfish mining attacks increase the confirmations necessary for finality.
NOTHING AT STAKE: The adversary can go back in time and create forks from below h to Double Spend. He only needs to be lucky and be granted a sequence of zero slots.

Slide 52: Solution?
Threshold groups “notarize” (sign) at least one block at their height before relaying…
A valid block proposed at h must reference a block that was notarized at h-1
Thus, blocks must be published in good time or have no chance of notarization
Slide 53: When group selected, its members start their timers…
[Diagram: each member $p \in G_h$ receives $\sigma_{h-1}$ and starts a timer (1s 2s 3s…); triggered by propagation of the threshold signature.]
Members start processing blocks after expiry of BLOCK_TIME. Clocks will be slightly out-of-sync, but that's OK!

Slide 54: Queue blocks in score order while waiting BLOCK_TIME
[Diagram: PRIORITY QUEUE OF CHAIN HEADS SEEN WHILE WAITING; entries scored “base score + 3 1/4 pts” (the highest scoring chain head) and “base score + 3 pts”.]

Slide 55: When BLOCK_TIME expires, witness by notarizing…
Group members sign until ≥1 blocks receive threshold signature
[Flowchart:]
- Block @ h received from P → Is valid and P’s SLOT ready? → Signed higher scoring chain? → if not: Sign the best blocks seen → Broadcast sig. share on block
- Thresh. sig. on block at h received → Stop signing, relay and halt → Broadcast sig. share on $\sigma_{h-1}$ → HALT

Slide 56: An important observation
In normal operation, if BLOCK_TIME is sufficiently large considering network synchrony, each group member will remove from its queue and process the highest scoring chain head first…
Consequently, the group will ONLY witness (notarize/sign) the block representing the highest scoring chain head
This prevents and immediately collapses forks in normal operation, driving extremely high consistency and rapid finality
Slide 57: TLDR; tweaking to address the threat of equivocation
A faulty process in SLOT 0 controlled by an adversary might wish to broadcast vast numbers of different versions of its block to DOS…
Of course, this faulty process will later be expelled for its provably Byzantine actions, but why provide room for misbehavior…
SOLUTION: if a process sees equivocated highest scoring block(s), only forward them to peers that haven’t detected the equivocation yet. If a group member sees an equivocated highest scoring block, don’t sign it, and instead start signing the next highest scoring block seen from a different slot
![Page 58: DFINITY Crypto Techniques · Producing a decentralized Verifiable Random Function (VRF) Random number sequence is Deterministic Verifiable Unmanipulable Next value released on agreement](https://reader036.vdocuments.net/reader036/viewer/2022071511/6130aadd1ecc515869443e38/html5/thumbnails/58.jpg)
Fair mining, super high consistency and rapid finality
hh� 1h� 2h� 3
1pt
1
2pt
1
4pt
1
8pt
� 5s
� 6s
� 7s
� 8s
� �
�
�
Publish immediately or your block loses its chance to be notarized
and included….
DEAD
![Page 59: DFINITY Crypto Techniques · Producing a decentralized Verifiable Random Function (VRF) Random number sequence is Deterministic Verifiable Unmanipulable Next value released on agreement](https://reader036.vdocuments.net/reader036/viewer/2022071511/6130aadd1ecc515869443e38/html5/thumbnails/59.jpg)
Optimal case. Overwhelming finality in 2 blocks + relay
[Diagram: chain heads at heights h, h+1, h+2, labelled 1pt, 2pt, with timestamps 5s, 6s; a competing chain head at h is marked DEAD; group G(h+1) relays]
No alternative chain head or even partially signed chain head is visible. Yet, for a viable chain head to exist, it must have been shared with some correct processes to collect signatures, and they would have propagated (broadcast) it…
RELAY: The trap shuts! Now that group h+1 has relayed, it will not notarize/sign any more blocks. Too late for any alternative chain head at h to “appear” and get notarized…
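As an added illustration (not DFINITY’s code), a simplified model of the notarization rules on the two slides above: a group member processes the highest scoring chain head first, skips a block whose slot equivocated in favour of the next highest scoring slot, and signs nothing more at that height once the group has relayed. The scoring rule (lower slot number scores higher), the block ids and the one-signature-per-height simplification are my assumptions.

```python
from collections import defaultdict

class NotaryGroup:
    """Notarization state of one group for a single block height.
    Score assumption (mine): lower slot number = higher-scoring chain head."""
    def __init__(self, height):
        self.height = height
        self.blocks = defaultdict(set)   # slot -> distinct block ids seen
        self.relayed = False             # True once the group has relayed
        self.signed = None               # (slot, block_id) it notarized

    def equivocating_slots(self):
        """Slots whose maker published more than one block at this height."""
        return {s for s, ids in self.blocks.items() if len(ids) > 1}

    def receive(self, height, slot, block_id):
        """Queue a block; returns True if this slot has now equivocated."""
        if height != self.height:
            raise ValueError("block is for a different height")
        self.blocks[slot].add(block_id)
        return slot in self.equivocating_slots()

    def notarize(self):
        """Sign the highest-scoring chain head whose slot did not equivocate.
        Simplification (mine): one signature per height, none after relaying."""
        if self.relayed or self.signed is not None:
            return self.signed
        for slot in sorted(self.blocks):          # best score first
            if len(self.blocks[slot]) == 1:
                self.signed = (slot, next(iter(self.blocks[slot])))
                break
        return self.signed

    def relay(self):
        """Relaying closes the height: the trap shuts, no more signing."""
        self.relayed = True

def scenario():
    """Constructed run: slot 0 equivocates, slot 1 is honest, then relay."""
    g = NotaryGroup(height=7)
    g.receive(7, 0, "blk-A1")
    g.receive(7, 0, "blk-A2")            # slot-0 maker equivocates
    g.receive(7, 1, "blk-B")
    g.receive(7, 2, "blk-C")
    choice = g.notarize()                # slot 0 skipped -> (1, "blk-B")
    g.relay()
    g.receive(7, 0, "blk-A3")            # too late: nothing more is signed
    return choice, g.notarize()
```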
![Page 60: DFINITY Crypto Techniques · Producing a decentralized Verifiable Random Function (VRF) Random number sequence is Deterministic Verifiable Unmanipulable Next value released on agreement](https://reader036.vdocuments.net/reader036/viewer/2022071511/6130aadd1ecc515869443e38/html5/thumbnails/60.jpg)
Gains from Notarization
Fast Optimal Avg. Finality (BLOCK TIME = 5s, finality 7.5s)
Addresses Key Challenges
- Selfish Mining
- Nothing At Stake
- Equivocation
SPV: Light client needs only Merkle root of groups
Quantifiable finality: hooks make it possible to calculate probabilities more meaningfully
![Page 61: DFINITY Crypto Techniques · Producing a decentralized Verifiable Random Function (VRF) Random number sequence is Deterministic Verifiable Unmanipulable Next value released on agreement](https://reader036.vdocuments.net/reader036/viewer/2022071511/6130aadd1ecc515869443e38/html5/thumbnails/61.jpg)
Relative Performance Copper Release

| | Bitcoin | Ethereum | DFINITY Copper |
|---|---|---|---|
| Block Time | Average 10 mins, varies wildly | Average 20 secs, varies wildly | Average 5 secs, low variance |
| “TX finality” (speed) | 6 confirmations, avg. 1 hr | 37 confirmations, avg. 10 mins | 2 confirmations + relay, avg. 7.5 secs (optimal case, normal operation) |
| Gas available | - | Low due to Poisson distribution | 50X+ Ethereum |

Unlimited scale-out achieved by applying randomness in following techniques…
![Page 62: DFINITY Crypto Techniques · Producing a decentralized Verifiable Random Function (VRF) Random number sequence is Deterministic Verifiable Unmanipulable Next value released on agreement](https://reader036.vdocuments.net/reader036/viewer/2022071511/6130aadd1ecc515869443e38/html5/thumbnails/62.jpg)
Miscellanea
![Page 63: DFINITY Crypto Techniques · Producing a decentralized Verifiable Random Function (VRF) Random number sequence is Deterministic Verifiable Unmanipulable Next value released on agreement](https://reader036.vdocuments.net/reader036/viewer/2022071511/6130aadd1ecc515869443e38/html5/thumbnails/63.jpg)
Death By Poisson Process
“Bitcoin Could Consume as Much Electricity as Denmark by 2020”, Motherboard, 3/29/2016
The Simplest Flaws Are The Worst…
50% of Ethereum blocks are empty! Miners prefer to build on empty blocks since there is no need to validate, hence no delay = more profitable. An empty block has more chance of being confirmed…. Duh!
![Page 64: DFINITY Crypto Techniques · Producing a decentralized Verifiable Random Function (VRF) Random number sequence is Deterministic Verifiable Unmanipulable Next value released on agreement](https://reader036.vdocuments.net/reader036/viewer/2022071511/6130aadd1ecc515869443e38/html5/thumbnails/64.jpg)
Separate and decouple concerns
[Diagram: a Proof-of-Work Blockchain bundles Validation, Sybil resistance, State storage and Consensus together; DFINITY separates Validation, Sybil resistance, State storage and Consensus into distinct layers, like the TCP/IP stack (Application, Transport, Internet, Network Access)]
Computer Science should not go out of fashion
![Page 65: DFINITY Crypto Techniques · Producing a decentralized Verifiable Random Function (VRF) Random number sequence is Deterministic Verifiable Unmanipulable Next value released on agreement](https://reader036.vdocuments.net/reader036/viewer/2022071511/6130aadd1ecc515869443e38/html5/thumbnails/65.jpg)
“Scale-out” using 3-layer architecture
CONSENSUS: Threshold Relay chain generates randomness and records network metadata and the Validation Tree “state root”.
VALIDATION: Asynchronous “Validation Tree” composed of “Validation Towers”. Does for state validation what a Merkle tree does for data.
STORAGE: State and updates to state stored on shards. State transitions passed to Validation Tree.
[Diagram: STATE ROOT at the top; RANDOM BEACON DRIVES TREE; (TX, ReadTX, ΔS) flows from the STATE SHARDS into the Validation Tree; TX enters the STATE SHARDS]
![Page 66: DFINITY Crypto Techniques · Producing a decentralized Verifiable Random Function (VRF) Random number sequence is Deterministic Verifiable Unmanipulable Next value released on agreement](https://reader036.vdocuments.net/reader036/viewer/2022071511/6130aadd1ecc515869443e38/html5/thumbnails/66.jpg)
Near Term Client Releases
1 COPPER
- Threshold Relay + PSP
- Blockchain Nervous System (BNS)
- Security deposits
- State-root-only chain (transaction logging not necessary)
2 ZINC
- Special features enabling creation of robust and high performance private networks using unlimited host computers
- Single atomic call from smart contract on private cloud into smart contract on public cloud network
3 TUNGSTEN
- State sharding (basic)
- Validation Towers (basic)
- Asynchronous model for cross-shard programming
- USCIDs (Unique State Copy IDs)
- Advancements in BNS
![Page 67: DFINITY Crypto Techniques · Producing a decentralized Verifiable Random Function (VRF) Random number sequence is Deterministic Verifiable Unmanipulable Next value released on agreement](https://reader036.vdocuments.net/reader036/viewer/2022071511/6130aadd1ecc515869443e38/html5/thumbnails/67.jpg)
The Decentralized Cloud
http://twitter.com/dominic_williams
President/CTO String Labs
President/Chief Scientist DFINITY Stiftung
http://linkedin.com/in/thedwilliams/