Try   HackMD

Drand: User Guide

A drand beacon provides several public services to clients. Those services are exposed on a gRPC endpoint as well as a REST JSON endpoint, on the same port. The latter is especially useful if one wishes to retrieve randomness from a Javascript application.

This document explains ways to retrieve randomness from a running drand node. The first section shows the commands using the Go command-line application to retrieve public and private randomness. The second section shows how to communicate with drand nodes using plain HTTP methods with curl and drandjs, a Javascript library.

Command-line application

The command-line application can fetch public and private randomness from a running drand node, as well as its distributed public key.

Note on TLS: Communication to a drand node is protected through TLS by default. If the contacted node is using a self-signed certificate, the client can use the --tls-cert flag to specify the server's certificate. As well, if the contacted node does not use TLS, the client must add the --tls-disable flag.

Fetching Public Randomness

To get the latest public random value, run:

drand get public  <group.toml> [--round <i>]

where <group.toml> is the group identity file of a drand node. You can specify the round number when the public randomness has been generated. If not specified, this command returns the most recent random beacon.

The JSON-formatted output produced by drand is of the following form:

 {
    "round": 1969,
    "previous": "e3a3e302335812e3bf4b684e1ddccef42eeff4d8a3625467d516286100d43744",
    "signature": "8019f77e6e3ef94a477d9dd0f9ca169e1fca917f3a6412eef581f855bc72c711c155fe0b6c2dc6ae005baa00a04ece3f1845955d408442a84a7a91a48327ff5ddb5d95d0363a79da27a929e4e05d22c3314c69435c6049da824335461437a01b",
    "randomness": "2b8a2db9fd29462991e3cc7b664eab2832a0b102d85ab70dc987c35d1d008862"
}

Here randomness is the latest random value produced by the network: it is the hash (sha256) of the threshold BLS signature produced by the participants over the previous signature previous and the round number. The field round specifies the index of randomness in the sequence of all random values produced by this drand instance. The message signed is the concatenation of the round number treated as a uint64 and the previous signature. Currently, the signature is using the BLS12-381 curve, signature are made over

G2 and public keys are over
G1.

Fetching Private Randomness

To get a private random value, run:

drand get private <group.toml>

The JSON-formatted output produced by drand should look like the following:

{
    "Randomness": "764f6e3eecdc4aba8b2f0119e7b2fd8c35948bf2be3f87ebb5823150c6065764"
}

The output is a 32-byte hex-encoded random value generated from the local randomness engine of the contacted server. The private randomness contained in the response is encrypted towards an ephemereal public key embedded in the request. The encryption is done using the ECIES scheme. If the encryption is not correct, the command outputs an error instead.

Using HTTP endpoints

One may want get the public randomness by issuing a GET to a HTTP endpoint instead of using a gRPC client. This can be done easily with curl. For example, to get the last randomness value, you can use:

curl <address>/api/public

All the REST endpoints specified in the api.proto protobuf file.

drandjs

drandjs facilitates the use of drand's randomness in JavaScript-based applications. The main method fetchAndVerify of this JavaScript library fetches from a drand node the latest random beacon generated and then verifies it against the distributed key.

For more details on the procedure and instructions on how to use it,
please refer to the readme of the library.

Last changed by 
Nicolas Gailly
0
1851

Read more

Lagrange ZKsync Prover

Setup instructions to run a Lagrange ZKsync prover

Dec 23, 2024
Groth16 aggregation with public input trick

Regular Groth 16 CRS Random $\tau$ chosen during trusted setup as well as $\alpha$, $\beta$ $n$ is number of gates. $u_i$, $v_i$ and $w_i$ are the QAP polynomials created from the R1CS circuit $SRS = {g_1^\alpha, g_1^\beta, g_1^\delta, {{ g_1^{\tau^i}}, {g_1^{\alpha \tau^i}}, {g_1^{\beta \tau^i}}}{i=0}^{n-1}, {g_1^{\beta u_i(\tau) + \alpha v_i(\tau) + w_i(\tau)}}{i=0}^n}, {g^{\frac{\tau^it(x)}{\delta}}}{i=0}^{n-1},\g_2^\beta, g_2^\delta, {g_2^{\tau ^i}}{i=0}^{n-1}}$ Prover Settings:

Apr 15, 2023
Efficient threshold BLS & Encryption

This post explains an inherent tension between threshold BLS signature and Elgamal encryption for onchain verification, and then presents a way to augment such threshold network such that a smart contract can efficiently verify a signature and decrypt/verify encryption onchain. 21/03/23, Nicolas Gailly, Cryptonet team, Protocol Labs. Introduction For encryption/decryption and signing, we (usually) require a group, i.e. a single elliptic curve. However, using pairings, we have to choose between $\mathbb{G_1}$ and $\mathbb{G_2}$ (and even $\mathbb{G_t}$), each group have their pros and cons depending on the cryptographic protocol we want to use. In practice, $\mathbb{G_1}$ is usually preferred given it is much shorter and faster to compute in it, than its counter-parties. This choice of group comes up when designing threshold networks. Indeed, there is a distributed key lying in a group $\mathbb{G}$ which could be any of the three groups aforementioned. In particular, when using pairing equipped curves, a threshold network can be used to create threshold BLS signatures but it can also be used as a decryption oracle. In the latter, users encrypts towards the threshold network and push the encryption on-chain. This posts shows the pros and cons of using $\mathbb{G_1}$ and $\mathbb{G_2}$ for each and shows there is a tension between the two. This posts then shows a simple solution to get the best of both worlds. The technique is heavily inspired by a post by Kobi Gurkan on efficient multisignature verification onchain, translated to the threshold setting.

Mar 21, 2023
Trusted Setup: KZG and PST

KZG trusted setup First Player First player has secret $s$ and generates $$ [s]_1, [s^2]_1 ... $$ as well as the &quot;check&quot; point $$ [s]_2 $$

Jan 31, 2023
Read more from Nicolas Gailly
Published on HackMD