Unbiasable Randomness with VDF

The one you use for a billion dollars lottery. Not for some tiny dice games.

Biasability of Distributed RNGs

Distributed RNGs are susceptible to biasing and manipulating, including Nakamoto Consensus, Private VRFs, PVSS, and Unique Threshold Signature. They could use many setups and cryptographic schemes, but in the end, they all rely on some efficient PRNG.

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

Those PRNGs are so efficient that the calculation time is almost always instant, once they have the input. The quicker the calculation is, the more time they spare to cheat. They could spend this biasing time to grind and/or withhold the input or try to contact and collude with other participants.

Biasing a distributed RNG is surprisingly easy on blockchains. One can just anonymously publish a biasing contract and bribe away any of the existing distributed RNG.

if ("you can commit a valid input" && "the output is not what I want")
{
    if ("the input is not committed") {
        transfer(you, reward + slashed + bribe);
    } else {
        bribe = bribe × 2; // increase the bribe
    }
}

Verifiable Delay Function

To make an RNG truly unbiasable, the idea is to delay the calculation so the output is only known long after the input has been committed. When no one can see the output yet, no one can bias it.

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

Input Source

With VDF, we can have an unbiased random number using an biasable input. One can argue that using a RANDAO output as the input for a VDF will produce an unbiasable random seed.

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

Let's look at a biasing contract for RANDAO-VDF:

// we have all the time in the world to prepare this
let S = [s0, s1, ..sn-1] where VDF(PACK(s0, s1, ..sn-1)) = WhatIWant.

for each i in [0..n) {
    if (seeder[i].seed == s[i]) {
        transfer(seeder[i], reward + slashed + bribe);
    } else {
        // someone is not compromised, should increase the bribe
        revert; // no one gets the bribe either
    }
}

Now the RANDAO-VDF setup can be biased since the input and output of the RANDAO can be made secretly available much earlier in time.

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

Input Age

The key here is time. (One could guess from the name 'delay'.)

It's not how complex or decentralized the input is constructed, it's how recent the data is available that matter. The age of the data is the time elapsed from the first moment it became available. The older the data is, the more it's vulnerable to randomness prediction and manipulation.

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

The best way to make the data more recent, is to aggregate it from many different sources since the age of an aggregated data is the age of the most recent source.

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

Block hash is a valuable source of recent data, since changing any part of a block will create an avalanche effect to every following block hash.

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

Hence, to know the next

N

block hashes in advance, one must (A) control 100% sealers of those

N

blocks and (B) isolate the network in entirely

N

block time, i.e. no transaction from outside can be included. Effectively making a blockchain non-operational for the whole duration.

Setup

Requirements

The VDF implementation of POA Network and Harmony using class groups based on approaches described in the following papers:

Simple Verifiable Delay Functions. Pietrzak, 2018
Efficient Verifiable Delay Functions. Wesolowski, 2018

Using class groups allows the VDF proof to be public verifiable without the trusted setup.

Reward System

Rewards will be given to VDF evaluators (or miners) to incentivize the public computation. The reward system must have the following properties:

The quicker the result is submitted the more reward it earns.
Re-submitting the same result is not beneficial.
No one can steal other work.

Design

The VDF RNG has 2 phases, which is designed to:

Attract better and more powerful VDF evaluator.
Incentivize multiple VDF evaluators instead of just the best one.
Weed out the Class Group failure cases.

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

Challenge

The RNG process is started when a challenger submits a request with:

$T$ : number of blocks for the whole process.
$U s e r E n t r o p y$ : optional user entropy data.

Evaluation

VDF evaluators race for the rewards by calculating the challenge submitted. When an evaluator finishes her job and found the VDF result along with the

O u t p u t

, she will submit her

C o m m i t m e n t = H a s h (A d d r e s s + O u t p u t)

to the chain, but not the

O u t p u t

itself.

Verfication

After the evaluation time is finished,

O u t p u t

can be submitted.

O u t p u t

is verified by using the pre-compiled contract, supported by the consensus.

If there are more than 1 valid

O u t p u t

s, the random number cannot be secured. Challenger must request a new random process since there's no reliable value to be used.

If there is only 1 valid

O u t p u t

submitted in the Verification phase, the random number is successfully generated. Anyone can use the random number after the Verification phase ends, which is

T

blocks after the Challenge transaction is confirmed.

Rewards

Let's call

B_{i}

is the block that the

i^{t h}

success evaluator has her Commitment submitted during the Evaluation phase.

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

After the Verification phase is finished with success, the valid

O u t p u t

will be used on each Commitment to verify and pay each evaluator with the following rate of reward:

R_{i} = \sum_{i = 0}^{n - 1} Δ_{i} \times r^{i}

Where r is the reduction rate and

Δ_{i} = B_{i + 1} - B_{i}

To prevent early evaluator griefing attack, r must have this proved condition:

0 < r < \frac{1}{2}

This reward system has the following properties:

The sooner the Commitment is submitted, the more reward evaluator will get.
The later the next Commitment is submitted, the more reward the previous evaluator will get.
Re-committing the same
$O u t p u t$ (with the same or different Commitment) will cause the evaluator losing her reward.
Two or more evaluators committing in the same block will have the same reward.

Rationale

A good VDF system should attract calculation power from the public to secure the network, as well as incentivize them to continuously works. Unlike PoW where there's a random chance for everyone, VDF calculation doesn't take chance, the fastest one always wins. When there's always the same winner, runner-ups will leave. That's why we should also reward the runner-up and some after that.

To have the random number truely unbiasable, the VDF result should always be the same whether who does the calculation. Since the result is the same, revealing it too early will let others copy your work, and get the rewards without working at all. The hash-commit and reveal-verify mechanism allow honest worker will get rewards they deserve.

The rewards system where the more people committing correct results after you do, the less prize you will get, prevent early evaluator griefing attack. Submitting the same result, or sharing it with your accomplices does not bring any profit, but only loosing more of your prize.

Security Parameters

$M i n S u b m i s s i o n$ : this is a protocol configurable param for a minimum of VDF verificators to maintain a stable network.
$M a x S p e e d$ : speed of the all-time fastest VDF evaluation, in
$i t e r a t i o n / b l o c k$ .
$M i n S p e e d$ : average speed of recent
$M i n S u b m i s s i o n^{t h}$ evaluator
$t$ : number of the iteration for the VDF evaluation. We want to have the
$t$ so even the slowest of
$M i n S u b m i s s i o n$ evaluators can have rewards, so
$t = T_{e} \times M i n S p e e d$ with
$T_{e}$ is the number of block for evaluation phase.

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

To prevent pre-image grinding attack, the

U s e r E n t r o p y

has to be submitted before

T_{0} = \frac{t}{M a x S p e e d} \geq I n p u t A g e

So the

T_{e}

must be chosen so that:

T_{e} \geq I n p u t A g e \times \frac{M a x S p e e d}{M i n S p e e d}

In PoW consensus where miners don't have any spare time to delay the winning block propagation, their only option to bias the result is to give up their winning block. InputAge as short as a block time can give reasonable security against the VDF pre-image attack.

With PoS consensus, miners have at least a block time to delay the block propagation. InputAge of 2 blocks is safe against a single miner pre-image attacks. For security against n-miners colluding pre-image attack, InputAge should not be less than 1+n blocks.

Class Group Failure Handling

The verification phase allows honest

O u t p u t

to be submitted after the false-positive

O u t p u t

is successfully verified.

A challenge with more than one valid

O u t p u t

is a failure case of Class Group setup and safely discarded. Challenger is recommended to request for another RNG challenge.

Attack Vectors

Pre-image attack

Pre-image attack can happens when challenge request doesn't follow the security guideline of

T_{e} \geq I n p u t A g e \times \frac{M a x S p e e d}{M i n S p e e d}

. Or the

M a x S p e e d

is greatly incorrect due to either:

Attacker has secretly developed a superior ASIC or FPGA for the VDF calculation.
The reward system is not attractive enough for the top tier VDF evaluators.

Censorship attack

Miners can censor the Commitment transaction to get the most out of the reward share. This only affects the temporary reward distribution, not the biasiability of the mechanism.

Early Evaluators Griefing attacks

Early evaluators can spam the Commitment right before the next evaluator submit their works to cut down their rewards. This also cut down their own reward, so it's not economically efficient to keep attacking for a long time.

Late Evaluators Griefing attacks

Later evaluators can also spam the Commitment to cut down rewards of all previous evaluators. This also removes their own reward, so it's not economically efficient to keep attacking a long time.

Bribing Attacks

Early evaluators can bribe late evaluators not to submit their work, in exchange for more reward, resulting in more reward is distributed as a whole. This attack does not affect the biasability of the result. The only harm is done is more reward is distributed by the system, causing more inflation.

Future Development

With Watermarking Proof implemented, we can merge the Evaluation and Verification to one phase, remove the Commitment transactions and prevent early evaluator griefing attack.

Thanh Dao

2019/10/11 04:35:49

d (Edited)

Zergity

2019/10/29 03:48:59

it’s when the data is available that matter (Edited)

2019/10/29 03:50:01

1 and 2, instead of A and B (Edited)

Louis

2020/08/06 07:57:05

Verification (Edited)

2020/08/06 08:05:49

loosing

losing (Edited)

Unbiasable Randomness with VDF

Biasability of Distributed RNGs

Verifiable Delay Function

Input Source

Input Age

Setup

Requirements

Reward System

Design

Challenge

Evaluation

Verfication

Rewards

Rationale

Security Parameters

Class Group Failure Handling

Attack Vectors

Pre-image attack

Censorship attack

Early Evaluators Griefing attacks

Late Evaluators Griefing attacks

Bribing Attacks

Future Development

Read more

r²PoS - A Relay-friendly Proof of Stake

Orderbook-based Segniorage Stablecoin