# EVM-compatible drand

@kevincharm

[drand](https://drand.love) is a decentralised verifiable random beacon network. It's a high-quality source of verifiable randomness, especially for networks that have no sources of (even low-quality) entropy to feed into traditional VRF schemes that require a seed.

The canonical drand network is run by the League of Entropy, which is a consortium of reputable organisations that operate a threshold signature network. Every few seconds, the required threshold of nodes sign a round number and contribute partial signatures to form the group signature, which is then used as an input to a hash function to output verifiable randomness.

The random numbers are unpredictable as long as you trust that not enough of the reputable organisations in the League of Entropy would collude to precompute all future randomness. Key resharing happens often enough that any would-be adversaries have very limited time to collect the required threshold of private key shares. It is important to note that there is no economic incentive not to collude, and it is impossible to know if collusion has taken place.

## drand

- drand PR: https://github.com/drand/drand/pull/1304
- kyber PR: https://github.com/drand/kyber/pull/55

These PRs implement a new BLS scheme that performs operations on the BN254 curve instead of the BLS12-381 curve. This means that signature verification operations can be efficiently performed using existing EVM precompiles.

To make this implementation maximally compatible with all EVM networks, the `expand_message_xmd` function used in hash-to-field uses keccak256 instead of sha256 (sha256 is not yet available on some early zkEVM rollups such as Scroll, and keccak256 costs half as much gas anyway). Hashing to the curve is done in constant-time using a specialised SW mapping for BN curves proposed by [Fouque and Tibouchi](https://link.springer.com/chapter/10.1007/978-3-642-33481-8_1).

## BLS Verifier Solidity Library

BLS-on-BN254 signature verifier contract: https://github.com/kevincharm/bls-bn254

This accompanying repository includes Solidity code to verify BLS signatures and other related utilities such as hashing-to-curve and subgroup checks.

## VRF Fulfiller Contract

RNGesus Reloaded: https://github.com/fairylabs/rngesus-reloaded

RNGesus (Reloaded) is an example contract that turns drand into a request-response model similar to Chainlink VRF. It can serve as the canonical drand verification contract. However, as drand is a public network, anyone may operate a fulfiller like RNGesus without any additional trust assumptions.

Fun fact: RNGesus Reloaded is the successor to RNGesus, which was a SNARK-powered (using 0xPARC's circom-pairing circuits) drand verifier for BLS-on-BLS12-381 beacons that won some prizes at ETHDenver 2023. Unfortunately it was rather impractical as it took a long time to generate proofs, and is still much costlier in gas overall compared to verifying BLS signatures on BN254.