From Sequential Proof-of-Work - RANDCHAIN: Decentralised Randomness Beacon
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
R AND C HAIN: Decentralised Randomness Beacon
from Sequential Proof-of-Work
Runchao Han∗† , Jiangshan Yu∗¶ , Haoyu Lin‡§
∗ Monash University, {runchao.han, jiangshan.yu}@monash.edu
† CSIRO-Data61
‡ Bytom Foundation, chris.haoyul@gmail.com
§ ZenGo X
Abstract— Decentralised Randomness Beacon (DRB) is a ser- end of each round. Lock-step synchrony is a strong assumption,
vice that generates publicly verifiable randomness. Constructing and is considered unrealistic in real-world networks with de-
DRB protocols is challenging. Existing DRB protocols suffer from lays [5], [6]. Second, DRBs may suffer from high communica-
either strong network synchrony assumptions, high communica-
tion complexity or various attacks. tion complexity of no less than O(n2 ), where n is the number
In this paper, we propose R AND C HAIN, a new family of of nodes [1], [7]–[9]. Third, DRBs can be vulnerable [2],
(permissioned) DRB protocols. To construct R AND C HAIN, we first [10]–[12], including being biasible, i.e., the adversary can
introduce Sequential Proof-of-Work (SeqPoW), a Proof-of-Work choose its preferred random outputs, and being predictable,
(PoW) variant that is sequential, i.e., the work can only be done i.e., the adversary can predict randomness in the future. Last,
by a single processor. In R AND C HAIN, nodes jointly maintain
a blockchain, i.e., a chain of blocks, and each block derives a DRBs may need to rely on trustworthy components such as
random output. Each node derives a unique SeqPoW puzzle from full-fledged blockchains and smart contracts [11]–[15], which
the last block and its identity, and keeps mining, i.e., solving are not always reliable.
the SeqPoW puzzle, to append a block to the blockchain. This In this paper, we propose R AND C HAIN– a new family of
makes mining non-parallelisable. R AND C HAIN applies Nakamoto DRB protocols. R AND C HAIN is constructed from Sequential
consensus so that nodes agree on a unique blockchain.
While inheriting simplicity and scalability from Nakamoto Proof-of-Work (SeqPoW) and Nakamoto consensus [16]. Se-
consensus, R AND C HAIN produces strongly unpredictable ran- qPoW is a Proof-of-Work (PoW) variant that is sequential,
domness and remains energy-efficient and decentralised. R AND - i.e., the work can only be done by using a single processor.
C HAIN does not require nodes to provide local entropy, thus In R AND C HAIN, nodes jointly maintain a blockchain, i.e., a
giving no opportunity to bias randomness. Solutions of SeqPoW chain of blocks, and each block derives a random output. Each
puzzles are unpredictable, so nodes cannot predict randomness.
As each node can use at most a single processor for mining, node derives a unique SeqPoW puzzle from its identity and the
R AND C HAIN remains energy-efficient. SeqPoW mining can only last block, and keeps mining, i.e., solving the SeqPoW puzzle,
be accelerated by increasing processors’ clock rate, which is to append a block to the blockchain. This fixes each node’s
bound by processors’ voltage limit. Therefore, powerful nodes SeqPoW puzzle and makes mining non-parallelisable. R AND -
can only achieve limited speedup compared to normal nodes, C HAIN applies Nakamoto consensus so that nodes eventually
leading to a high degree of mining power decentralisation.
agree on a unique blockchain.
1. I NTRODUCTION While inheriting simplicity and scalability from PoW-based
Randomness beacon (RB) is a service that periodically consensus, R AND C HAIN produces secure randomness and
generates publicly verifiable randomness – an essential build- remains energy-efficient and decentralised. R AND C HAIN does
ing block for various cryptographic primitives. RB is not not require nodes to provide local entropy, thus giving no
always reliable: malicious centralised RBs may generate bi- opportunity to bias randomness. Solutions of SeqPoW puzzles
ased randomness to compromise the security and/or fairness are unpredictable, so nodes cannot predict randomness. As
of randomness-based cryptographic primitives. To make RB each node can use at most a single processor for mining,
trustworthy, a promising approach is the decentralised ran- R AND C HAIN is energy-efficient. SeqPoW mining can only
domness beacon (DRB). In a DRB, a group of participants be accelerated by increasing processors’ clock rate, which is
(aka. nodes) generates randomness that all participants agree bound by processors’ voltage limit. Therefore, powerful nodes
on. No single party can fully control the generated random- can only achieve limited speedup compared to normal nodes,
ness, so biasing or predicting the randomness can be hard. leading to a high degree of mining power decentralisation.
DRBs have been integrated into various protocols, especially R AND C HAIN explores a completely new approach for con-
blockchains [1]–[4]. structing DRBs. In most existing DRBs [1]–[3], [7]–[10],
However, constructing secure and scalable DRBs is chal- [12], [17]–[24], nodes execute in rounds, and for each round
lenging. First, DRBs may execute in rounds so relying on the nodes provide their own random inputs and combine them
lock-step synchrony, where all messages are delivered at the to a unique output. R AND C HAIN differs from them in three
aspects. First, nodes in R AND C HAIN are competitive, i.e,
¶ Corresponding author. each node tries to produce the next random output before
other nodes, whereas nodes in these DRBs are collaborative, TABLE I: Summary of notations.
i.e., nodes combine their local inputs to a unique output.
Notation Description
Second, R AND C HAIN reuses random entropy from bootstrap,
whereas these DRBs require nodes to provide new entropy for H(·), H 0 (·) Hash functions mapping {0, 1}∗ to {0, 1}κ
every round. Last, randomness in R AND C HAIN is affected by X,Y Domains
pp Public parameter
real-world entropy that nodes cannot control (such as nodes’
t Time parameter of VDFs (t ∈ N+ )
Byzantine behaviours and network delay), while these DRBs π Proof
only take entropy chosen by nodes. Concretely, we make the
following contributions. ψ Step parameter of SeqPoW (ψ ∈ N+ )
T Difficulty parameter of (Seq)PoW (T ∈ (1, ∞))
Sequential Proof-of-Work (SeqPoW). We propose SeqPoW, sk, pk Secret key and public key
a PoW [25] variant that is sequential, i.e., the work can only G, g Cyclic group and its generator
be done by using a single processor. To solve a PoW puzzle, HG (·) Hash function mapping {0, 1}∗ to an element on G
the prover should find a string (aka. nonce) that makes the Si , bi The i-th SeqPoW solution and its validity
PoW output to satisfy a difficulty parameter. The prover’s πi Proof of i-th SeqPoW solution
only strategy is to search all possible nonces. The searching {p1 , . . . , pn } Nodes in R AND C HAIN
process can be parallelised using multiple processors. Mean- skk , pkk Secret key and public key of node pk
while in SeqPoW, the prover keeps incrementing an iteratively Ck The local blockchain of node pk
sequential function with a given nonce as input, until finding MC k The the main chain of node pk
an intermediate output that satisfies the difficulty parameter. B` The `-th block
α, β ∈ (0, 1) Mining power portion of Byzantine and correct nodes
Given the iteratively sequential function, the prover cannot
accelerate the process of solving SeqPoW by parallelism.
Instead, the prover can only the process of solving SeqPoW
by increasing the processor’s clock rate, which gives little Section 3 introduces SeqPoW, including definitions, construc-
optimisation space. tions and analysis. Section 4 and 5 describe the construction
We formalise SeqPoW and propose two SeqPoW construc- and security analysis of R AND C HAIN, respectively. Section 6
tions, one is from Verifiable Delay Functions (VDFs) [26] discusses other security concerns in R AND C HAIN. Section 7
and the other is from the Sloth hash function [27]. We compares R AND C HAIN with existing RBs. Section 8 con-
formally analyse the security and efficiency of both SeqPoW cludes this paper and discusses future work. We defer some
constructions and evaluate their performance. Our results security proofs of our SeqPoW constructions to Appendix A.
show that SeqPoW is simple and efficient. Of independent
2. P RELIMINARIES
interest, SeqPoW is a powerful primitive and can be applied
to various protocols. We provide discussions on the potential Notations. Table I summarises notations in this paper.
applications of SeqPoW, including leader election and Proof-
of-Stake (PoS)-based consensus. PoW and PoW-based consensus. Proof-of-Work (PoW) is
a computationally intensive puzzle. To solve a PoW puzzle, a
R AND C HAIN– DRB from SeqPoW and Nakamoto con- prover should finish an amount of computation. Given a PoW’s
sensus. We then construct R AND C HAIN from SeqPoW and solution, the verifier can verify whether the prover has finished
Nakamoto consensus. R AND C HAIN works in a permissioned that amount of computation with negligible overhead. PoW
network: there is a fixed group of nodes, and each node has can be constructed from hash functions. As shown in Figure 1,
a pair of secret key and public key. Nodes jointly maintain a the prover needs to find a nonce x which makes H(inkx) ≤
blockchain, and each block derives a random output. Similar 2κ ∗ κ
T , where H : {0, 1} → {0, 1} is a cryptographic hash
to PoW-based blockchains, new blocks are generated via function, in is the puzzle, and T ∈ (1, ∞) is the difficulty
mining. To append a block, a node should solve a SeqPoW parameter. As hash functions produce pseudorandom outputs,
puzzle. Each node derives its SeqPoW puzzle from the last brute-force searching is the prover’s only strategy. Statistically,
block and its identity in the system. This makes each node’s with a larger T , the prover needs to try more nonces.
SeqPoW unique. Given a unique SeqPoW puzzle, mining in PoW-based consensus – first introduced in Bitcoin [16] –
R AND C HAIN is non-parallelisable. Nodes follow Nakamoto has become a practical and scalable alternative of traditional
consensus in order to agree on a unique blockchain. Byzantine Fault Tolerant (BFT) consensus. In PoW-based con-
We present the detailed construction of R AND C HAIN and sensus, nodes jointly maintain a blockchain. To append a block
analyse its security. Our analysis shows that R AND C HAIN im- to the blockchain, a node should solve a computationally hard
plements a DRB protocol and produces strongly unpredictable PoW puzzle [28]. Given the latest block, each node derives its
randomness. In addition, we show that R AND C HAIN achieves own PoW puzzle then keeps trying to solve it. Once solving
energy-efficiency and high mining power decentralisation. We the puzzle, the node appends its block to the blockchain. PoW
also discuss several security concerns of deploying R AND - specifies the amount of work needed by a difficulty parameter.
C HAIN in the real world. By adaptively adjusting the PoW’s difficulty parameter, PoW-
Paper organisation. Section 2 describes the background. based consensus ensures only one node solves the puzzle for
2each time period with high probability. Nodes in PoW-based Verify(pp, x, y, π, t) → {0, 1} : On input public parameter pp,
consensus are known as miners, the process of solving PoW input x, output y, proof π and time parameter t, produces
puzzles is known as mining, and the computation power used 1 if correct, otherwise 0.
for mining is known as mining power. VDF satisfies the following properties
• Completeness: For all λ, x and t,
Prover
pp ← Setup(λ)
Verify(pp, x, y,
Pr y ← Eval(pp, x, t) =1
π, t) = 1
π ← Prove(pp, x, y, t)
Work on
• Soundness: For all λ and adversary A,
Verify(pp, x, y, π, t) = 1 pp ← Setup(λ)
Pr
PoW puzzle
... ∧Eval(pp, x, t) 6= y (x, y, π, t) ← A(pp)
≤ negl(λ)
• σ-Sequentiality: For any λ, x, t, A0 which runs in time
O(poly(λ, t)) and A1 which runs in parallel time σ(t),
Verifier
pp ← Setup(λ)
Pr Eval(x, y, t) = y A1 ← A0 (λ, t, pp)
Fig. 1: Proof-of-Work. y ← A1 (x)
≤ negl(λ)
Iteratively sequential functions. A sequential function g(·)
is that, one cannot accelerate computing g(·) by parallelism. VDFs can be constructed from two ingredients: 1) an
An iteratively sequential function f (t, x) is implemented by iteratively sequential function f (·), and 2) a succinct proof
composing a sequential function g(x) for a number t of times, on f (·)’s execution results. For example, two prevalent
denoted as g t (x). The iteratively sequential function f (·) VDFs [29], [30] employ repeated squaring as the iteratively
inherits the sequentiality of g(·): the fastest way of computing sequential function. Such VDFs inherit the self-composability
f (t, x) is to iterate g(x) for t times. In addition, f (·) preserves from iteratively sequential functions, and are known as self-
a useful property called self-composability: for any x and composable VDFs [33].
(t1 , t2 ), let y ← f (x, t1 ), we have f (x, t1 + t2 ) = f (y, t2 ).
Commonly used iteratively sequential functions include re- Definition 2 (Self-Composability). A VDF
peated squaring [29], [30] and repeated square rooting [27] (Setup, Eval, Prove, Verify) satisfies self-composability if
on cyclic groups. for all λ, x, (t1 , t2 ),
Time-based cryptography and VDFs. Iteratively sequential Eval(pp, x, t1 + t2 ) pp ← Setup(λ)
Pr =1
functions are the key ingredient of time-based cryptographic = Eval(pp, y, t2 ) y ← Eval(pp, x, t1 )
primitives. Rivest, Shamir and Wagner first introduce the time- Lemma 1. If a VDF (Setup, Eval, Prove, Verify) satisfies self-
lock puzzle and constructs it from repeated squaring on RSA composability, then for all λ, x, (t1 , t2 ),
groups [31]. Proofs of Sequential Work (PoSW) [32] allow
to prove he has finished an amount of sequential computation pp ← Setup(λ)
with succinct proof. Verifiable Delay Functions (VDFs) [26] Verify(pp, x, y 0 , y ← Eval(pp, x, t1 )
Pr =1
can be seen as PoSW with uniqueness. After finishing the π, t1 + t2 ) = 1 y 0 ← Eval(pp, y, t2 )
sequential computation, the prover in addition produces an π ← Prove(pp, x, y 0 , t1 + t2 )
output that is unique, i.e., it’s computationally hard to find 3. S EQUENTIAL P ROOF - OF -W ORK
two inputs that give the same output. Formally,
In this section, we introduce Sequential Proof-of-Work
Definition 1 (Verifiable Delay Function). A Verifiable Delay (SeqPoW), a variant of PoW that is sequential and cannot be
Function VDF is a tuple of four algorithms solved faster by parallelism. We formalise SeqPoW, provide
two constructions, analyse their security and evaluate their
VDF = (Setup, Eval, Prove, Verify)
performance and efficiency.
Setup(λ) → pp : On input security parameter λ, outputs pub-
lic parameter pp. Public parameter pp specifies an input 1. Intuition and applications
domain X and an output domain Y. We assume X is Figure 2 gives the intuition of SeqPoW. Given an initial
efficiently sampleable. SeqPoW puzzle S0 , the solver keeps solving the puzzle by
Eval(pp, x, t) → y : On input public parameter pp, input x ∈ incrementing an iteratively sequential function. Each solving
X , and time parameter t ∈ N+ , produces output y ∈ Y. attempt takes the last output Si−1 as input to produce a new
Prove(pp, x, y, t) → π : On input public parameter pp, input output Si . For each output Si , the prover checks whether Si
x, and time parameter t, outputs proof π. satisfies a difficulty parameter T . If yes, then Si is a valid
3Prover Definition 3 (Sequential Proof-of-Work (SeqPoW)). A Se-
quential Proof-of-Work SeqPoW is a tuple of algorithms
SeqPoW = (Setup, Gen, Init, Solve, Verify)
Work on Iteratively
Sequential
... Function Setup(λ, ψ, T ) → pp : On input security parameter λ, step
ψ ∈ N+ and difficulty T ∈ (1, ∞), outputs public
parameter pp. Public parameter pp specifies an input
SeqPoW puzzle
domain X , an output domain Y, and a cryptographically
Difficulty
parameter T
Diff check Diff check Diff check
secure hash function H : Y → X . We assume X is
efficiently sampleable.
Gen(pp) → (sk, pk) : Probabilistic. On input public parame-
ter pp, produces a secret key sk ∈ X and a public key
pk ∈ X .
Init(pp, sk, x) → (S0 , π0 ) : On input public parameter pp,
Verifier secret key sk, and input x ∈ X , outputs initial solution
S0 ∈ Y and proof π.
Fig. 2: Sequential Proof-of-Work. Solve(pp, sk, Si ) → (Si+1 , bi+1 ) : On input public parameter
pp, secret key sk, and i-th solution Si ∈ Y, outputs (i +
1)-th solution Si+1 ∈ Y and result bi+1 ∈ {0, 1}.
solution of this SeqPoW puzzle. The prover can generate a Prove(pp, sk, i, x, Si ) → πi : On input public parameter pp,
proof πi on a valid solution Si , and the verifier with Si and secret key sk, i, input x, and i-th solution Si , outputs
πi can check Si ’s correctness without solving the puzzle again. proof πi .
Due to the data dependency, the prover cannot solve a SeqPoW Verify(pp, pk, i, x, Si , πi ) → {0, 1} : On input pp, public key
puzzle in parallel. pk, i, input x, i-th solution Si , and proof πi , outputs
SeqPoW is the main ingredient of R AND C HAIN. Of in- result {0, 1}.
dependent interest, SeqPoW can also be applied to other
protocols, such as leader election and PoS-based consensus. We define honest tuples and valid tuples as follows.
Leader election. In PoW-based consensus, PoW mining can Definition 4 (Honest tuple). A tuple (pp, sk, i, x, Si , πi ) is
be seen as a way of electing leaders: given a set of nodes, (λ, ψ, T )-honest if and only if for all λ, ψ, T and pp ←
the first node proposing a valid PoW solution becomes the Setup(λ, ψ, T ), the following holds:
leader and proposes a block. As a drop-in replacement of PoW, • i = 0 and (S0 , π0 ) ← Init(pp, sk, x), and
SeqPoW can be used for leader election. Compared to PoW- +
• i ∈ N , (Si , bi ) ← Solve(pp, sk, Si−1 ) and πi ←
based leader election, SeqPoW-based leader election is much Prove(pp, sk, i, x, Si ), where (pp, sk, i−1, x, Si−1 , πi−1 )
fairer and energy-efficient. Each node can run at most a single is (λ, ψ, T )-honest.
processor, which prevents mining marketisation and gives little
optimisation space of mining speed. Later in §5-D we will Definition 5 (Valid tuple). For all λ, ψ, T , and pp ←
discuss this in detail. Setup(λ, ψ, T ), a tuple (pp, sk, i, x, Si , πi ) is (λ, ψ, T )-valid
if
PoS-based consensus. In Proof-of-Stake (PoS)-based consen-
• (pp, sk, i, x, Si , πi ) is (λ, ψ, T )-honest, and
sus [34], each node’s chance of mining the next block is in
• Solve(pp, sk, Si−1 ) = (·, 1)
proportion to its stake, e.g, the node’s balance. In some PoS-
based consensus designs [35], each node solves a VDF with SeqPoW should satisfy completeness, soundness, hardness
time parameter inversely proportional to its stake, and the first and sequentiality, plus an optional property uniqueness. We
node solving its VDF proposes the next block. However, such start from completeness and soundness.
designs suffer from the “winner-takes-all” problem, where
the node with most stake always solves VDFs faster than Definition 6 (Completeness). A SeqPoW scheme satisfies
others. A way of addressing the “winner-takes-all” problem completeness if for all λ, ψ, T ,
is to randomise VDFs’ time parameters, so that the node (sk, pk) ← Gen(pp)
Verify(pp, pk, i,
with most stake does not always win, but only with a higher Pr (pp, pk, i, x, Si , πi ) = 1
x, Si , πi ) = 1
chance [36], [37]. SeqPoW provides an alternative approach is (λ, ψ, T )-valid
that, one can replace VDF with SeqPoW and specify the
Definition 7 (Soundness). A SeqPoW scheme satisfies sound-
difficulty parameter in inverse proportion to each node’s stake.
ness if for all λ, ψ, T ,
This also randomises the time of solving puzzles.
(sk, pk) ← Gen(pp)
2. Definition Verify(pp, pk, i,
Pr (pp, pk, i, x, Si , πi ) ≤ negl(λ)
x, Si , πi ) = 1
We formally define SeqPoW as follows. is not (λ, ψ, T )-valid
4Then, we define hardness that, each attempt of Solve(·) has Si satisfies the difficulty T , and 2) Si = Evali (pp, S0 , ψ).
the success rate of T1 . Figure 3 describes our SeqPoWVDF construction in detail.
Definition 8 (Hardness). A SeqPoW scheme satisfies hardness Unique SeqPoW from Sloth. SeqPoWVDF does not provide
if for all (λ, ψ, T )-honest tuple (pp, sk, i, x, Si , πi ), uniqueness: the prover can keep incrementing the iteratively
sequential function to find as many valid solutions as possi-
(Si+1 , bi+1 ) ← 1 ble. We present SeqPoWSloth – a SeqPoW construction with
Pr bi+1 = 1 ≤ + negl(λ)
Solve(pp, sk, Si , πi ) T uniqueness. SeqPoWSloth is based on Sloth [27], a slow-timed
Similar to VDF, we define sequentiality that, the fastest hash function. In Sloth, the prover square roots (on a cyclic
way of computing Si is honestly incrementing Solve(·) for group G) the input for t times to get the output. Given an
i times, which takes time σ(ψi). Sequentiality in SeqPoW output, the verifier squares the output for t times to recover
also captures the unpredictability that, the adversary A1 cannot the input and checks if the input is same as the one from
predict Si ’s value before finishing computing Si . the prover. Verification in Sloth can be fast: on cyclic group
G, squaring is O(log |G|) times faster than square rooting. In
Definition 9 (σ-Sequentiality). A SeqPoW scheme satisfies addition, Sloth is reversible [38]: given an output and t, the
σ-sequentiality if for all λ, ψ, T , i, x, A0 which runs in less verifier can recover all intermediate results and the input.
than time O(poly(λ, ψ, i)) and A1 which runs in less than Same as in SeqPoWVDF , SeqPoWSloth takes each of Si =
time σ(ψi), f (iψ, S0 ) as an intermediate output and checks if H(pkkSi ) ≤
2κ
T . In addition, SeqPoWSloth only treats the first solution satis-
pp ← Setup(λ, ψ, T )
fying the difficulty as valid, which makes the solution unique.
(pp, sk, i, x, Si , πi ) (sk, pk) ← Gen(pp)
Figure 4 describes the detailed construction of SeqPoWSloth .
Pr
is (λ, ψ, T )-honest A 1 ← A 0 (pp, sk)
Si ← A1 (i, x) Other possible constructions. The main ingredient of Se-
πi ← Prove(pp, sk, i, x, Si ) qPoW is the succinct proof of execution results of iteratively
≤ negl(λ) sequential functions. In addition to VDFs and Sloth, Incremen-
tal Verifiable Computation (IVC) [39] can also provide such
In addition, we define an optional property uniqueness that, proofs. IVC is a powerful primitive that, a prover can produce
each SeqPoW puzzle only has a single valid solution Si . a succinct proof on the correctness of any historical execution,
Before finding Si each Solve(·) attempt follows the hardness and for any further step of computation, the prover can obtain
definition, but after finding Si no Solve(·) attempt leads to a the proof by only updating the last step’s proof rather than
valid solution. Uniqueness implies that, once finding a valid computing it from scratch.
solution Si , the prover stops incrementing Solve(·). The advantage of IVC-based SeqPoW is that it supports
any iteratively sequential functions. This means IVC-based
Definition 10 (Uniqueness). A SeqPoW scheme satis-
SeqPoW can be more egalitarian by using iteratively sequential
fies uniqueness if for any two (λ, ψ, T )-valid tuples
functions that are more hard to parallelise and optimise.
(pp, sk, i, x, Si , πi ) and (pp, sk, i, x, Sj , πj ), i = j holds.
However, IVC is usually constructed from complicated cryp-
3. Constructions tographic primitives, such as SNARKs [39]–[43]. This makes
the construction inefficient and implementation challenging. In
We formally propose two SeqPoW constructions and discuss addition, when generating proofs in IVC takes non-negligible
other possible constructions. Let H : {0, 1}∗ → {0, 1}κ be a time, IVC-based SeqPoW may not be fair, as miners with pow-
cryptographic hash function. Let G be a cyclic group. Let erful hardware can take advantage of mining by accelerating
HG (·) be a hash function that takes an arbitrarily long string SeqPoW.Prove(·).
{0, 1}∗ to a point on G. Let g be a generator of G.
SeqPoW from VDFs. We first present a SeqPoW construction 4. Security and efficiency analysis
SeqPoWVDF based on self-composable VDFs. Let ψ be a step Security. We defer full security proofs to Appendix A. Proofs
parameter, x be the input, and T be the difficulty parameter. of completeness and soundness directly follow the complete-
Let the initial solution S0 ← HG (pkkx). We take each of ness, soundness and self-composability of Sloth and VDFs.
Si = f (iψ, S0 ) = VDF.Evali (pp, S0 , ψ) as an intermediate By pseudorandomness of HG (·) and sequentiality of Sloth
output. The prover keeps calculating each Si , and checks if and VDFs, Solve(·) outputs unpredictable solutions. Then, by
? κ
Si satisfies the difficulty T by calculating H(pkkSi ) ≤ 2T . If H(·)’s pseudorandomness and Solve(·)’s unpredictability, the
true, then Si is a valid solution. probability that the solution satisfies the difficulty is T1 , leading
Once finding the valid solution Si , the prover runs running to hardness. Sequentiality directly follows the sequentiality
VDF.Prove(ppVDF , S0 , Si , iψ) to compute proof πi that Si = and self-composability of Sloth and VDFs.
VDF.Evali (pp, S0 , ψ). Note that VDF.Evali (pp, S0 , ψ) = The underlying VDFs in SeqPoWVDF may use cyclic groups
VDF.Eval(pp, S0 , iψ) for self-composable VDFs. With pk, that require trusted setup. For example, Wesolowski’s VDF
i, x, Si , and πi , the verifier can run S0 ← HG (pkkx) (Wes19) [30] and Pietrzak’s VDF (Pie19) [29] – which are
and VDF.Verify(ppVDF , S0 , Si , πi , iψ) to check whether 1) two commonly used VDFs – use RSA groups. In this case,
5SeqPoWVDF .Setup(λ, ψ, T ) SeqPoWVDF .Init(pp, sk, x) SeqPoWVDF .Prove(pp, sk, i, x, Si )
∗ ∗
1 : ppVDF = ({0, 1} , G, g) 1 : ({0, 1} , G, g, ψ, T ) ← pp 1 : (ppVDF , ψ, T ) ← pp
← VDF.Setup(λ) 2: pk ← g ∈ G sk 2 : ({0, 1}∗ , G, g) ← ppVDF
2: pp ← (ppVDF , ψ, T ) 3: S0 ← HG (pkkx) 3: pk ← g sk ∈ G
3: return pp 4: return S0 4: S0 ← HG (pkkx)
5: πVDF ← VDF.Prove(ppVDF , S0 , Si , iψ)
SeqPoWVDF .Gen(pp) SeqPoWVDF .Solve(pp, sk, Si ) 6: return πVDF
∗
1 : ({0, 1} , G, g, ψ, T ) ← pp 1 : (ppVDF , ψ, T ) ← pp SeqPoWVDF .Verify(pp, pk, i, x, Si , πi )
: Sample random sk ∈ N ∗
2 2 : ({0, 1} , G, g) ← ppVDF 1: (ppVDF , ψ, T ) ← pp
3 : pk ← g sk ∈ G 3: pk ← g sk ∈ G 2: ({0, 1}∗ , G, g) ← ppVDF
4 : return (sk, pk) 4: Si+1 ← VDF.Eval(ppVDF , Si , ψ) 3: S0 ← HG (pkkx)
2κ 4: if VDF.Verify(ppVDF , S0 , Si , πi , iψ) = 0
5 : bi+1 ← H(pkkSi+1 ) ≤ ?1:0
T 5: return 0
6 : return (Si+1 , bi+1 ) 2κ
6 : if H(pkkSi ) > then return 0
T
7 : return 1
Fig. 3: Construction of SeqPoWVDF .
SeqPoWVDF .Setup(λ, ψ, T ) SeqPoWSloth .Init(pp, sk, x) SeqPoWSloth .Prove(pp, sk, i, x, Si )
∗ ∗
1 : pp ← ({0, 1} , G, g, ψ, T ) 1 : ({0, 1} , G, g, ψ, T ) ← pp 1 : return ⊥
2 : return pp 2 : pk ← g ∈ G sk SeqPoWSloth .Verify(pp, pk, i, x, Si , πi )
3 : S0 ← HG (pkkx) 1: ({0, 1}∗ , G, g, ψ, T ) ← pp
SeqPoWVDF .Gen(pp) 4 : return S0 2: y ← Si
1 : ({0, 1}∗ , G, g, ψ, T ) ← pp 2κ
3 : if H(pkky) > , then return 0
2 : Sample random sk ∈ N SeqPoWSloth .Solve(pp, sk, Si ) T
4 : repeat i times
3 : pk ← g sk ∈ G 1 : ({0, 1}∗ , G, g, ψ, T ) ← pp ψ
4 : return (sk, pk) 2 : pk ← g sk
∈G 5 : y ← y2
1 2κ
3 : Si+1 ← Si2
ψ 6 : if H(pkky) ≤ then return 0
T
2κ 7: g ← HG (pkkx)
4 : bi+1 ← H(pkkSi+1 ) ≤ ?1:0
T 8: if g 6= y then return 0
5 : return (Si+1 , bi+1 ) 9: return 1
Fig. 4: Construction of SeqPoWSloth .
TABLE II: Efficiency of two SeqPoW constructions. ISF an RSA group and repeated square rooting on a prime-order
stands for iteratively sequential function. group, respectively. Let s be the size (in Bytes) of an element
Construction Efficiency on the group, and ψ be the step parameter. Each Solve(·)
ISF Proof Solve(·) Prove(·) Verify(·) Proof size executes ψ steps of the iteratively sequential function. By
(Bytes)
hardness and uniqueness, a node attempts Solve(·) for T times
O(ψ) O(ψT ) O(log ψT ) s
SeqPoWVDF Wes19 [30] to find a valid solution on average. Thus, Prove(·) generates
Repeated SQ. √
Pie19 [29] O(ψ) O( ψT log ψT ) O(log ψT ) s log2 ψT proofs on ψT steps, and Verify(·) verifies proofs of ψT steps.
SeqPoWSloth Repeated Repeated O(ψ) 0 O(ψT ) 0
SQRT. SQ. We analyse the efficiency of SeqPoWVDF with two prevalent
VDF constructions, namely Wesolowski’s VDF (Wes19) [30]
and Pietrzak’s VDF (Pie19) [29]. According to the existing
we assume the underlying VDFs are securely bootstrapped. In analysis [46], the proving complexity, verification complexity
practice, one can either employ a trusted third party, or use and proof size of Wes19 are O(ψT ), O(log ψT ) and s
specialised multi-party protocols [44], [45] for trusted setup. Bytes, respectively; and the proving complexity, √ verification
Efficiency. Table II summarises the efficiency analysis of two complexity and proof size of Pie19 are O( ψT log ψT ),
SeqPoW constructions. For iteratively sequential functions, O(log ψT ) and s log2 ψT , respectively. There have been tech-
SeqPoWVDF and SeqPoWSloth employ repeated squaring on niques for optimising and parallelising VDF.Prove(·) for both
6VDFs [29], [30], [47]. The proof sizes of both SeqPoWVDF Solve
constructions are acceptable: when ψT = 240 and s = 32 0.4
Prove
0.3 Verify
Time (s)
Bytes, the proof sizes of SeqPoWVDF with Wes19 [30] and
with Pie19 [29] are 32 and 1280 Bytes, respectively. 0.2
SeqPoWSloth does not have proofs: the verifier keeps squar- 0.1
ing the solution to recover the input and checks whether the
recovered input equals to the real one. This leads to verification 0.0
0.0 0.5 1.0 1.5 2.0 2.5
complexity of O(ψT ). Time parameter t 1e5
5. Performance evaluation (a) SeqPoWVDF + Wes19 [30].
0.16 14
We evaluate the performance of our two SeqPoW construc- Solve Solve
0.14 Prove 12 Verify
0.12
tions. We implement both SeqPoWVDF and SeqPoW.Sloth Verify 10
Time (s)
Time (s)
0.10
0.08 8
without optimisation, and the code is available at Github [48]. 0.06 6
For SeqPoWVDF , Pie19 [29] is a better candidate compared to 0.04 4
0.02 2
Wes19 [30], given Pie19’s efficient proof generation and verifi- 0.00 0
0.0 0.5 1.0 1.5 2.0 2.5 0.0 0.5 1.0 1.5 2.0 2.5
cation and acceptable proof size. For SeqPoW.Sloth, verifying Time parameter t 1e5 Time parameter t 1e5
puzzles is approximately five times faster than solving puzzles.
Although far from the theoretically optimal value (i.e., 1024 (b) SeqPoWVDF + Pie19 [29]. (c) SeqPoWSloth .
in our case), the verification efficiency is acceptable. Fig. 5: Evaluation of SeqPoW constructions.
Implementation. We implement the two SeqPoW construc-
tions in Rust programming language. We use the rug [49]
crate for big integer arithmetic. With big integer arithmetic, we 4. R AND C HAIN : DRB FROM S EQ P OW
implement the RSA group with 1024-bit keys and the group of Based on Sequential Proof-of-Work (SeqPoW), we con-
prime order. We implement the two SeqPoWVDF constructions struct R AND C HAIN, a new family of Decentralised Random-
based on the RSA group, and SeqPoW.Sloth based on the ness Beacons (DRBs). Figure 6 describes the full construction
group of prime order. Our implementations strictly follow their of R AND C HAIN.
original papers [27], [29], [30] without any optimisation. System setting. Let H, H 0 : {0, 1}∗ → {0, 1}κ be two dif-
Experimental setup. We benchmark Solve(·), Prove(·) ferent hash functions. R AND C HAIN works in a permissioned
and Verify(·) for each SeqPoW construction. We test ψ ∈ system. Nodes P = {p1 , . . . , pn } register themselves into
[1000, 2000, 4000, 8000, 16000, 32000, 64000, 128000, 256000] the system through an identity management service such as
and assume i = 1. Note that SeqPoWSloth does not a Public Key Infrastructure. The identity management service
have Prove(·). We benchmark the performance using assigns each registered node pk ∈ P with a pair of secret
Rust’s native benchmarking suite cargo-bench [50] key skk and public key pkk . Each node is identified by its
and criterion [51]. We sample ten executions for public key in the system. Given a public key, any node in
each configuration, i.e., a function with a unique group the system can verify whether the node is in the system by
of parameters. We specify O3-level optimisation when querying the identity management service. There can be an
compiling. All experiments were conducted on a MacBook unlimited number of registered nodes. Each node does not
Pro with a 2.2 GHz 6-Core Intel Core i7 Processor and a 16 know the exact number of nodes in the system, and is only
GB 2400 MHz DDR4 RAM. directly connected to a subset of peers.
Results (Figure 5). For all SeqPoW constructions, the Structure (Figure 7a). All nodes jointly maintain a
running time of Solve(·) increases linearly with time param- blockchain. Each block B is of the format (h− , h, i, S, pk, π),
−
eter t. This is as expected as Solve(·) is dominated by the where h is the previous block ID, h is the current block ID,
iteratively sequential function. For SeqPoWVDF with Wes19, i is the SeqPoW solution index, S is the SeqPoW solution,
Prove(·) takes more time than Solve(·), as our implementation pk is the public key of this block’s creator, and π is the proof
−
follows the original algorithm rather than considering other that S is a valid SeqPoW solution on input h . The block ID
optimisations (such as [47]). SeqPoWVDF with Pie19 achieves B.h is calculated as B.h = H(pkkS). The block’s random
0
ideal performance: Prove(·) and Verify(·) takes negligible output B.rand is calculated as B.rand = H (pkkS).
time compared to Solve(·). In addition, according to the Each node pk has its local view Ck of the blockchain. The
efficiency analysis, the proof size of Pie19 is also acceptable. local view Ck may have forks: there may be multiple blocks
Thus, without optimisation, SeqPoWVDF with Pie19 is more following the same block. R AND C HAIN applies Nakamoto
practical than with Wes19. For SeqPoWSloth , Solve(·) is ap- consensus that, nodes considers the longest chain among all
proximately five times slower than Verify(·). Although this is forks as valid. As described in mainChain(·) of Figure 6, node
far from theoretically optimal value, i.e, log2 |G| = 1024 in pk considers the longest fork of Ck as the main chain MC k .
our case [38], the verification overhead is acceptable when Process (Figure 7b). We describe the process of R AND -
random outputs are not generated frequently. C HAIN from a node pk ’s perspective. Node pk runs two
7mainChain(Ck ) MineRoutine(pp, skk , pkk , Ck )
1 : MC k ← 1 : while T rue
2 : foreach Ckt ∈ Ck 2 : MC k ← mainChain(Ck )
3 : MC k ← max(Ckt , MC k ) 3: B − ← MC k [−1]
4 : return MC k 4: i←0
5: S ← SeqPoW.Init(pp, skk , B − .h)
MainProcedure(pp, skk , pkk ) 6: while T rue
1 : Synchronise chain as Ck 7: S, b ← SeqPoW.Solve(pp, skk , S)
2 : MineRoutine(pp, skk , pkk , Ck ) in a thread 8: if b = 1 then Break
3 : SyncRoutine(pp, Ck ) in a thread 9: i+ = 1
10 : MC 0k ← mainChain(Ck )
SyncRoutine(pp, C) 11 : if MC k 6= MC 0k
1: while T rue 12 : MC k ← MC 0k
2: Wait for a new block as B 13 : Repeat line 3-5
3 : (h− , h, i, S, pk, π) ← B 14 : h ← H(pkk kS)
4: if h− ∈/ Ck then Discard B 15 : π ← SeqPoWVDF .Prove(pp, sk, i, B − .h, S)
5: 6 H(pkkS) then Discard B
if h = 16 : B ← (B − .h, h, i, S, pkk , π)
6: if SeqPoW.Verify(pp, pk, i, h− , S, π) = 0 17 : New random output B.rand ← H 0 (pkk ||S)
7: Discard B 18 : Append B to MC k after B −
8: Append B to Ck after block with hash h− 19 : Propagate B
9: Propagate B
Fig. 6: Construction of R AND C HAIN.
routines: the synchronisation routine SyncRoutine(·) and the consistency guarantee in §5, and discuss how to achieve
mining routine MineRoutine(·). In SyncRoutine(·), node pk finality, i.e., make blocks irreversible in §6-B.
synchronises its local blockchain Ck with other nodes. The
5. S ECURITY AND EFFICIENCY OF R AND C HAIN
synchronisation process is the same as in other blockchains:
node pk keeps receiving blocks from other nodes, verifying In this section, we analyse the security and efficiency of
them, and adding valid blocks to its local blockchain Ck . R AND C HAIN. We define the notion of Decentralised Random-
In MineRoutine(·), node pk keeps mining, i.e., adding new ness Beacon (DRB), and prove that R AND C HAIN implements
blocks, on the main chain MC k . To append a block to a DRB and produces strongly unpredictable randomness. In
the blockchain, node pk should solve a SeqPoW puzzle. In addition, we show that while inheriting simplicity and scalabil-
particular, node pk finds its latest main chain MC k , and ity from PoW-based consensus, R AND C HAIN remains energy-
derives a SeqPoW puzzle from MC k ’s last block. Then, efficient and decentralised.
node pk executes SeqPoW.Init(·) to find the starting point 1. Security model
of mining. Node pk keeps solving SeqPoW by iterating We consider the network is synchronous: all messages are
SeqPoW.Solve(·) until finding a solution S satisfying the delivered within a known time bound ∆. We do not assume
difficulty. As SeqPoW.Init(·) takes each node’s secret key as rounds or lock-step synchrony [52]. The network consists of
input, nodes’ SeqPoW puzzles start from different points and n nodes, each of which controls the same amount of mining
take different steps to solve. With a valid solution S, node power. We consider an adaptive Byzantine adversary who can
pk constructs a block B consisting of a random output, and corrupt any of αn nodes at any time, where α ∈ [0, 1].
appends B to MC k . The adversary can coordinate its corrupted nodes in real-time
As R AND C HAIN employs Nakamoto consensus, R AND - without delay, and can arbitrarily delay, drop, forge and modify
C HAIN’s blockchain may have forks, and it’s possible that messages sent from its corrupted nodes. Let β = 1 − α be the
B is committed then reverted by a longer chain. If a block percentage of correct nodes.
has a sufficient number of succeeding blocks, then B is
considered stable, i.e., cannot be reverted, except for negligible 2. Defining Decentralised Randomness Beacon
probability [52]. The fork rate can be reduced by applying a We start from defining security properties of DRB. First,
high difficulty parameter T . With a high T , the average time similar to Nakamoto consensus, DRB should satisfy consis-
of mining a new block can be long, giveing nodes sufficient tency and liveness. We follow existing papers [5], [53]–[55]
time to propagate new blocks. We analyse R AND C HAIN’s for defining consistency and liveness. Consistency requires
8Definition 12 (Liveness). Parametrised by t, τ ∈ R+ . A DRB
satisfies (t, τ )-liveness if for any time period t, every correct
node receives at least bτ · tc new outputs.
Then, as a DRB, each output should be pseudorandom, i.e.,
uniformly distributed.
Definition 13 (Uniform distribution). A DRB satisfies uni-
Blockchain form distribution if every output is indistinguishable with a
uniformly random string with the same length, except for
Random outputs
negligible probability.
Last, each output should be unpredictable: given the current
blockchain, no one can learn any knowledge of the next output.
If one can predict the next output, it may take advantage in
(a) Beacon structure. protocols based on the DRB. From a node’s perspective, this
Miners with their own
SeqPoW puzzles includes two scenarios: 1) the next output is generated by
itself, and 2) the next output is generated by other nodes.
... Some papers [9], [22], [24], [56] refers unpredictability in the
Puzzle solved first scenario as bias-resistance. We follow the IND1-secrecy
(Indistinguishability of secrets) notion in SCRAPE [8] to
... define unpredictability. IND1-secrecy requires that each node
cannot learn anything about the final output before finishing
Construct
... block
the protocol.
... Definition 14 (Unpredictability). A DRB satisfies unpre-
dictability if no adversary can obtain non-negligible advantage
Commit and propagate block
on the following game. Assuming all messages are delivered
instantly and nodes agree on a blockchain of length `. Before
Blockchain the (` + 1)-th block is mined (either by other nodes or by the
Random outputs
adversary), the adversary makes a guess on the random output
in the (` + 1)-th block. Let r be the guessed random output,
(b) Process of mining. and r0 be the real random output. The adversary’s advantage
Fig. 7: Illustration of R AND C HAIN beacon. is quantified as Pr[r = r0 ].
3. Security analysis
nodes to have a consistent view on the blockchain. Without
consistency, nodes may revert random outputs arbitrarily. Consistency, liveness and uniform distribution. R AND -
C HAIN’s consistency and liveness are guaranteed by Nakamoto
Definition 11 (Consistency). Parametrised by ` ∈ N. A DRB consensus. There have been extensive works [5], [52]–[54],
satisfies `-consistency if for any two correct nodes at any time, [57]–[60] analysing and proving consistency and liveness
their chains can differ only in the last ` blocks, except for guarantee of Nakamoto consensus. As R AND C HAIN works
negligible probability. in the same system model as that of Ren [5], R AND C HAIN
The parameter ` defines the degree of consistency guarantee. at least satisfies the consistency and liveness bound proved by
Some based applications require RB to have finality, i.e., at Ren [5]. Uniform distribution is guaranteed by hash functions.
any time, correct nodes do not have conflicted views on the For every block B, B.rand is produced by the hash function
blockchain. The finality here is equivalent to 0-consistency. In H 0 (·). By pseudorandomness of hash functions, B.rand in-
§6 we discuss how to add finality to R AND C HAIN. distinguishable with a uniformly random κ-bit string.
Liveness requires DRB to produce no less than bτ ·tc random Unpredictability. Assuming all messages are delivered in-
outputs for every time period of t. Without liveness, DRB stantly, and nodes agree on a blockchain of length `. In the
may stop producing randomness forever. Existing papers usu- prediction game, the (` + 1)-th block is either produced by
ally define termination [7], [10], [18] or Guaranteed Output correct nodes or the adversary’s nodes. If the adversary’s
Delivery (G.O.D.) [8], [23], [24], [56] that, for every round, advantage is negligible for both cases, then R AND C HAIN
there will always be a new random output. We do not follow satisfies unpredictability. We prove the adversary’s advantage
their definitions, as R AND C HAIN neither iterates single-shot for both cases. For the first case that the (` + 1)-th block
DRG protocols nor uses the concept of rounds. In §7 we will is produced by correct nodes, the adversary’s best strategy is
compare R AND C HAIN with existing DRBs in detail. guessing, leading to negligible advantage.
9is produced by the adversary,
Qk−1then the adversary’s advantage
on the prediction game is i=0 αn−i
n−i ·β with α k
β probability.
Proof. The adversary controls αn nodes, and k ≤ αn. Let
Vk0 be the event that “the adversary mines k blocks before
Generates correct nodes mine the first block”. By uniqueness, each node
I like this output; can find only one valid SeqPoW solutions given a fixed input.
publish before B4
Let αk be the mining power of the adversary’s k-th node, and
P
αk = α. Then, we have
P r[V00 ] = β (1)
Fig. 8: Unpredictability game.
P r[V10 ] = αβ (2)
αn − 1
P r[V20 ] = αβ (3)
Lemma 2. Assuming all messages are delivered instantly and n−1
nodes agree on a blockchain of length `. If the (`+1)-th block αn − 2 αn − 1
P r[V30 ] = · αβ (4)
is produced by a correct node, then the adversary’s advantage n−2 n−1
on the prediction game is 21κ . ... (5)
k−1
We then consider the next output is produced by the adver- Y αn − i
P r[Vk0 ] = ·β (6)
sary’s nodes. By sequentiality, the adversary cannot predict its
i=0
n−i
SeqPoW solutions. As shown in Figure 8, the adversary’s best
strategy is to produce as many blocks before the next honest When Vk0 happens, the adversary’s advantage is 2kκ .
Qk−1
block as possible. With more blocks, the adversary has more Therefore, with less than the probability i=0 αn−i
n−i · β, the
random outputs to choose, leading to higher advantage. We adversary mines k blocks before correct nodes mine a block,
first analyse R AND C HAIN using SeqPoW without uniqueness, leading to the advantage of 2kκ (where k ≤ αn).
e.g., SeqPoWVDF .
Remark 1. Note that the probability that the adversary
Lemma 3. Consider R AND C HAIN using SeqPoW without achieves a certain advantage in R AND C HAIN with unique
uniqueness. Assuming all messages are delivered instantly and SeqPoW is always smaller than in R AND C HAIN with non-
nodes agree on a blockchain of length `. If the (`+1)-th block unique SeqPoW. In particular, for every k, P r[Vk0 ] ≤ P r[Vk ].
is produced by the adversary, then the adversary’s advantage Given k, we have
on the prediction game is 2kκ with αk β probability, where k−1
k ≤ αn. αn − i
Y
P r[Vk0 ] = ·β (7)
n−i
Proof. The adversary controls αn nodes, and k ≤ αn. Let Vk i=0
k−1
be the event that “the adversary mines k blocks before correct Y
αn − i
nodes mine the first block”. By hardness, each node can find = α· ·β (8)
i=0
αn − αi
unlimited valid SeqPoW solutions given a fixed input. Then,
we have αn−i
As i ≤ 0 and α ∈ [0, 1], αn−αi ≤ 1. Thus,
k
P r[Vk ] = α β k−1
Y
k P r[Vk0 ] ≤ α·β (9)
When Vk happens, the adversary’s advantage is 2κ . i=0
Therefore, with the probability αk β, the adversary mines k
= α β = P r[Vk ] (10)
k blocks before correct nodes mine a block, leading to the
advantage of 2kκ (where k ≤ αn). 4. Efficiency
Mining in R AND C HAIN is non-parallelisable: 1) SeqPoW
We then analyse R AND C HAIN with unique SeqPoW, e.g.,
is sequential, and 2) given the last block, each node’s input
SeqPoWSloth . In R AND C HAIN with unique SeqPoW, given the
of SeqPoW is fixed. Thanks to non-parallelisable mining,
latest blockchain with height `, each node can only mine a
R AND C HAIN is more energy-efficient and decentralised than
single block at height `+1. Thus, the chance that the adversary
PoW-based consensus.
mines blocks at height ` + 1 decreases while mining more
Parallelisable PoW mining has led to mining power cen-
blocks at height ` + 1. In addition, the adversary can mine at
tralisation and huge energy consumption. In order to max-
most αn blocks at height ` + 1.
imise mining reward, miners have been employing specialised
Lemma 4. Consider R AND C HAIN using SeqPoW with mining hardware such as GPUs, FPGAs and ASICs for PoW
uniqueness. Assuming all messages are delivered instantly and mining. Currenlty, PoW mining has been marketised: people
nodes agree on a blockchain of length `. If the (`+1)-th block manufacture, invest and trade high-end mining hardware for
10profit. Mining power marketisation leads to mining power election, then nodes may stop working and lose liveness. RAN-
centralisation: most blocks are mined only by several powe- DAO [12] and Proofs-of-Delay [15] bypass this by replacing
ful miners. Mining power centralisation weakens PoW-based H 0 (·) with a VDF, of which the execution time is longer than
consensus’ security, as powerful miners can perform various generating ` blocks, where ` is the degree of `-consistency.
attacks, e.g., 51% attacks to break PoW-based consensus. In Nodes can reveal every random output only after the block
addition, mining enforces hardware to fully operate all the deriving this random output becomes stable. However, this
time. As miners deploy powerful mining hardware, mining enables frontrunning – nodes with fast processors always learn
costs a great amount of electricity. For example, in 2019, random outputs earlier than normal nodes – which may lead
Bitcoin cost 58.93 KWh electricity – more than Switzerland to serious fairness issues in time-sensitive applications such as
which cost 58.46 KWh [61]. decentralised exchanges [72].
Compared to PoW-based consensus, R AND C HAIN remains We consider principled approaches for adding finality.
energy-efficient and decentralised. As R AND C HAIN does not Adding finality is equivalent to achieve 0-consistency: correct
allow nodes to choose their own entropy and SeqPoW is nodes decide the same block at every height. This is further
sequential, SeqPoW mining is non-parallelisable: each miner equivalent to making R AND C HAIN to execute in rounds, in
can only use a single processor for mining. Compared to each of which nodes execute a Byzantine agreement [73]
powerful specialised hardware in PoW mining, a single fully to agree on a block. R AND C HAIN satisfies validity and ter-
operating processor costs negligible electricity. In addition, mination, but provides eventual consistency rather than the
high-end mining hardware can only achieve limited speedup agreement property of Byzantine agreement, as nodes may
on running SeqPoW.Solve(·). SeqPoW.Solve(·) can only be temporarily agree on different blocks at the same height. We
accelerated by using processors with higher clock rate. The discuss two approaches to achieve agreement, namely the
highest clock rate achieved by processors is 8.723 GHz, quorum-based approach and the herding-based consensus.
while laptops’ clock rate is usually more than 2 GHz [62].
Quorum-based approach. In Byzantine agreement, quo-
Given the voltage limit of processors, the current clock rate
rum [74] is the minimum number of votes that a proposal
is hard to improve further [63]. This means one can speed
has to obtain for being agreed by nodes. If a proposal obtains
up SeqPoW.Solve(·) for less than five times. The limited
a quorum of votes in a view, then this means that nodes have
speedup is also evidenced by the recent VDF Alliance FPGA
reached an agreement on this proposal. The quorum size is
Contest [64]–[66], where optimised VDF implementations are
n−f , where n and f be the number of nodes and faulty nodes
approximately four times faster than the baseline implementa-
in the system, respectively. Existing research [74], [75] shows
tion. Compare to PoW mining where powerful nodes can mine
that n ≥ 3f + 1 is required to achieve agreement in partially
thousands of times faster than normal nodes, R AND C HAIN
synchronous networks, and n ≥ 2f + 1 is required to achieve
achieves a high degree of mining power decentralisation.
agreement in synchronous networks. A quorum certificate of
6. D ISCUSSION a proposal is a quorum of votes on this proposal. A vote is
1. Other security issues in Nakamoto consensus usually represented as a digital signature on the proposal, view
ID and other metadata.
R AND C HAIN employs Nakamoto consensus, so inherits
To achieve agreement in R AND C HAIN, we can apply the
most security issues from Nakamoto consensus. Nonetheless,
quorum mechanism as follows. The system should additionally
R AND C HAIN is a DRB rather than a transaction ledger, and
assume n ≥ 3f + 1. A node signs a block to vote this block.
security issues for transaction ledgers may not be critical for
The node’s view is represented as the previous block hash,
DRB. For example, R AND C HAIN is immune to all attacks on
which is inside the signed block. Nodes actively propagate
Nakamoto consensus’ incentive mechanisms [67]–[70], as it
their votes – i.e., signatures on blocks – the same way as prop-
works in permissioned networks. In addition, R AND C HAIN
agating blocks. Each node keeps received votes locally, and
can resist some attacks in Nakamoto consensus. SeqPoW
considers a block as finalised if collecting a quorum certificate,
can be used for detecting withholding behaviours. If a node
i.e., no less than 2f +1 signatures on this block. R AND C HAIN
broadcasts a valid block with solution index i after another
still keeps Nakamoto consensus as a fallback solution. If
valid block with solution index j < i, other nodes can know
there are multiple forks without quorum certificates, nodes
that the node withholds the block with i.
mine on the longest fork. A block can be considered finalised
2. Adding finality with a sufficiently long sequence of succeeding blocks, even
without a quorum certificate. This resembles the Streamlet
Finality [71] is a property for Byzantine consensus that,
blockchain [55].
previously agreed proposals cannot be reverted. R AND C HAIN
does not satisfy finality due to the probabilistic consensus Herding-based consensus. There have been a family of
guarantee of Nakamoto consensus. In some scenarios, we consensus protocols based on herding. Herding is a social
require a DRB to satisfy finality. For example, considering phenomenon where people make choices according to other
a leader election scheme where a group of nodes elect a people’s preference. In herding-based consensus, nodes keep
leader with a random output from R AND C HAIN as input, if exchanging their votes with each other and decide the proposal
the used random output is reverted before the end of leader with most votes. Existing research [76], [77] shows that,
11with overwhelming probability, nodes will eventually agree 7. C OMPARISON WITH EXISTING DRB PROTOCOLS
on a proposal by herding in a short time period. In addition, In this section, we compare R AND C HAIN with existing
herding-based consensus introduces much less communication DRB protocols. There are three paradigms of constructing
overhead than traditional Byzantine consensus. Decentralised Randomness Beacons (DRBs), namely 1) DRB
To achieve agreement in R AND C HAIN, we can apply the from external randomness source, 2) DRB from Distributed
herding-based consensus as follows. Upon a new block, nodes Randomness Generation (DRG), and 3) DRB from iteratively
execute a herding-based consensus on it. If a block is the only sequential functions. R AND C HAIN– which is constructed from
block in a long time period, then nodes will agree on this block SeqPoW and Nakamoto consensus – does not belong to any
directly. If there are multiple blocks within a short time period, of them. Compared to existing paradigms, R AND C HAIN is
then nodes will agree on the most popular block among them simple, secure, scalable, energy-efficient and decentralised
with overwhelming probability. This approach has also been while relying on weak assumptions.
discussed in Bitcoin Cash community, who seeks to employ
DRBs from external randomness source. Some DRBs
Avalanche [77] as a finality layer for Bitcoin Cash [78].
extract randomness from real-world randomness source, in-
cluding financial data [13] and public blockchains [11], [14],
3. Making SeqPoW mining non-outsourceable
[15]. Such DRBs introduce little communication overhead.
R AND C HAIN does not prevent outsourcing: the adversary However, these DRB protocols’ security relies on the random-
can solve others’ SeqPoW puzzles. If the adversary controls ness source’s security. For example, if the randomness source
massive processors with high clock rate, then it can mine for is biasible, then these DRB protocols are likely to be biasible
all nodes simultaneously and know SeqPoW solutions of all as well. In addition, clients and/or servers should access the
nodes earlier than others. Such adversary can always frontrun randomness source from trustworthy communication channels.
other nodes, or even bias random outputs by selectively Otherwise, an adversary who hijacks the channels can bias the
publishing its preferred ones. randomness arbitrarily.
To prevent outsourcing, we can adopt the idea of VRF-based DRG-based DRBs. A large number of DRB protocols are
mining [79]. Verifiable Random Function (VRF) – which can constructed by executing a Distributed Randomness Gener-
be seen as a public key version of hash functions – takes ation (DRG) protocol in rounds. DRG allows a group of
the prover’s secret key sk and an input x, and outputs a nodes to generate a random output or a batch of random
random string y. The prover can also generates a proof π outputs. It has a well-known variant called multi-party coin
that, 1) y is a valid output of x, and 2) y is generated tossing/flipping [82]–[85], where the random output is only
κ
by the owner of sk. We replace H(pkkSi+1 ) ≤ 2T with a binary bit. DRG can be constructed from various crypto-
κ
VRFHash(sk, Si+1 ) ≤ 2T in SeqPoW’s difficulty mechanism, graphic primitives, such as commitments [12], [17], threshold
where VRFHash(·) is a VRF [80]. As correct nodes do not signatures [3], [7], [18], VRFs [2], [10], [19]–[21], secret shar-
share their secret keys to others, the adversary cannot execute ing [1], [8], [9], [22], [23] and homomorphic encryption [24].
VRFHash(·) for others. While this modification adds negli- There are some issues in DRG-based DRBs. First, if the
gible overhead to SeqPoWVDF , it greatly increases the proof DRG relies on a leader, then a leader should be elected
size of SeqPoWSloth , as the proof should carry all VRF outputs for every round. The leader is elected either by a trusted
and proofs for proving no prior solution satisfies the difficulty. third party or running a leader election protocol. Existing
More efficient SeqPoW constructions with uniqueness are research [86] shows that constructing leader election protocols
considered as future work. is challenging. Boneh et al. [87] propose two leader election
constructions, which however rely on an RB in return. Second,
4. Dynamic difficulty if the network is not synchronous, then the DRG-based DRB
PoW-based blockchains employ difficulty adjustment mech- should rely on a pacemaker [88] for liveness. The pacemaker is
anism for stabilising the block rate, i.e., the average number responsible to inform nodes when to start a new round. With-
of new blocks in a time unit. This is particularly useful out synchrony and pacemaker, a node cannot know whether
when churn [81] is high and/or the network size is frequently other nodes have received its message, and nodes may not
changing. Although we analyse R AND C HAIN while assuming agree on the round number. When this happens, the system will
a fixed difficulty and a fixed set of nodes, R AND C HAIN lose liveness. Last, a DRG-based DRB inherits the assumption,
can support dynamic difficulty adjustment with little change. security and performance from its used DRG. If the DRG does
First, similar to PoW-based blockchains, R AND C HAIN can not scale, then DRBs based on this DRG cannot scale as well.
include a timestamp to each block, so that R AND C HAIN Existing research [9], [89] shows that existing DRG protocols
can infer historical block rate using timestamps. In addition, either rely on strong assumptions, fail to be unpredictable,
R AND C HAIN includes the number i of iterations running or suffer from high communication complexity of more than
SeqPoW.Solve(·), and i can also infer the historical block O(n2 ). This makes DRG-based DRBs hard to scale.
rate. If historical values of i are large, then this means that DRBs from iteratively sequential functions. DRBs can
mining is too hard and the difficulty should be reduced, and also be constructed from iteratively sequential functions f (·).
vice versa. Given a random seed, f (·) can produce random outputs
12You can also read
