This article on the application and principles of VRF in blockchain grew out of Tarax Network, a public chain our team is building. Because of the scenario it targets, we wanted a low-power way to reach consensus, so POW was never an option and POS was the natural choice. Whether POW or POS, the goal is the same: pick a node at random to package the block, without anyone being able to predict it in advance, and have that block accepted by the entire network.
So for the random-selection step, VRF is the most direct tool: a lottery based on a verifiable random choice.
Of course, POW does more than randomly select a node to package blocks; it also embeds game-theoretic and human considerations. In current POS schemes, random selection alone is not enough, so the game-theoretic and human issues are redesigned from other angles as well.
But let's solve the problems one at a time. Setting the game-theoretic content aside, we first study VRF itself.
Application and principle analysis of VRF in blockchain
We look at this matter with two questions:
1. What is a verifiable random function?
2. How do current chain schemes use verifiable random functions?
What is a verifiable random function
A verifiable random function can be regarded as a random oracle: for any input I can obtain a random-number output such that:
1. For different inputs, the outputs are random and evenly distributed over the value range.
2. For the same input, the output is always the same.
However, a VRF has one thing a random oracle lacks: a non-interactive zero-knowledge proof of the output's correctness, which shows that the random number was indeed generated by a specific key holder.
A verifiable random function consists of four functions:
1. Key generation: produce a public/private key pair (not discussed further here)
2. Generate the random-number output
3. Compute the zero-knowledge proof
4. Verify the random-number output
Generating the random number and its proof happens locally: the inputs are the private key and a value, and the outputs are the random number and its zero-knowledge proof.
Other nodes that receive the input and the proof combine them with the public key of the node that generated the random number to verify the output.
So, given these four functions and their outputs, how do we randomly select nodes?
Lottery with a verifiable random function
The simplest way: after generating the random value through VRF as above, we decide whether we have been drawn by comparing it against a threshold recognized by the whole network. For example, if everyone agrees on 100 as the threshold and in some round my random value comes out at 101, I am allowed to proceed to the next step.
However, this simplest scheme cannot resist Sybil attacks. Therefore most current VRF lottery schemes first allocate votes according to stake and then design the lottery algorithm on top of that.
Let's look at the most common scheme today, which computes the lottery result through the binomial distribution.
First, we have generated a value from the private key. This value can be regarded as a large positive integer; assuming it is 256 bits, its range is 0 to 2^256. Dividing it by 2^256 gives a value between 0 and 1.
Put this value into the cumulative distribution function of the binomial distribution and compare, and you obtain the corresponding value j (see PPT for details).
If this value is greater than zero, it means you have won the lottery for the next step.
Combining this value with the VRF output and proof generated above and broadcasting them to others, any receiving node, using the broadcaster's public key and the input value known to the entire network, can verify whether the following two conditions hold:
1. Does the VRF proof verify correctly?
2. Using the binomial distribution function, does the recomputed j' equal the claimed j?
If both conditions hold, the lottery result is proven correct and credible.
At this point the process from lottery generation to verification is complete.
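As an added example (not code from the article or from the Tarax project), the following Python implements the four VRF functions with a toy RSA full-domain-hash VRF and the binomial-distribution lottery described above, including the two verification checks performed by a receiving node. The RSA modulus is built from two constructed Mersenne primes so the block runs offline; it is far too small to be a secure key. The names `_hash_to_group`, `sortition` and `verify_sortition`, and the stake, total-stake and expected-winner parameters, are my own assumptions.

```python
"""Toy RSA-FDH VRF plus binomial-distribution lottery (added example, not from the article)."""
import hashlib

# Constructed, insecure toy parameters: two Mersenne primes, far too small for real use.
_P = (1 << 61) - 1
_Q = (1 << 31) - 1
_E = 65537


def keygen():
    """Function 1: produce a (public, private) key pair for the toy RSA-FDH VRF."""
    n = _P * _Q
    d = pow(_E, -1, (_P - 1) * (_Q - 1))
    return (n, _E), (n, d)


def _hash_to_group(x: bytes, n: int) -> int:
    # Full-domain-hash stand-in: map the input to an integer in [1, n).
    return int.from_bytes(hashlib.sha256(x).digest(), "big") % (n - 1) + 1


def vrf_prove(priv, x: bytes) -> int:
    """Function 3: the proof is the RSA signature of H(x) under the private key."""
    n, d = priv
    return pow(_hash_to_group(x, n), d, n)


def vrf_output(proof: int) -> bytes:
    """Function 2: the random output is a hash of the proof (32 bytes, a 256-bit value)."""
    return hashlib.sha256(proof.to_bytes(12, "big")).digest()  # n < 2^92 fits in 12 bytes


def vrf_verify(pub, x: bytes, proof: int) -> bool:
    """Function 4: anyone holding the public key checks the proof against H(x)."""
    n, e = pub
    return 0 < proof < n and pow(proof, e, n) == _hash_to_group(x, n)


def binomial_cdf_lookup(value: float, w: int, p: float) -> int:
    """Return j such that CDF(j-1) <= value < CDF(j) for Binomial(w, p), 0 < p < 1.

    The pmf is built with the recurrence pmf(j+1) = pmf(j) * (w-j)/(j+1) * p/(1-p)
    to avoid huge binomial coefficients; for very large w the first term can
    underflow to 0.0, in which case a log-space version would be needed.
    """
    pmf = (1.0 - p) ** w
    cumulative = 0.0
    for j in range(w + 1):
        cumulative += pmf
        if value < cumulative:
            return j
        pmf *= (w - j) / (j + 1) * p / (1.0 - p)
    return w  # rounding guard: value sat at the very top of the CDF


def sortition(priv, seed: bytes, role: bytes, stake: int, total_stake: int, expected: int):
    """Local lottery: returns (proof, j); j > 0 means this node won j votes for the role.

    No communication is needed: seed and role are the network-agreed input x, so the
    node cannot change its result by retrying.
    """
    proof = vrf_prove(priv, seed + role)
    value = int.from_bytes(vrf_output(proof), "big") / float(1 << 256)  # in [0, 1)
    j = binomial_cdf_lookup(value, stake, expected / total_stake)
    return proof, j


def verify_sortition(pub, seed: bytes, role: bytes, proof: int, claimed_j: int,
                     stake: int, total_stake: int, expected: int) -> bool:
    """The two checks from the article: the proof verifies, and recomputed j' == claimed j."""
    if not vrf_verify(pub, seed + role, proof):
        return False
    value = int.from_bytes(vrf_output(proof), "big") / float(1 << 256)
    return binomial_cdf_lookup(value, stake, expected / total_stake) == claimed_j


if __name__ == "__main__":
    pub, priv = keygen()
    seed = b"round-42"  # constructed network-wide input
    proof, j = sortition(priv, seed, b"proposer", stake=1000, total_stake=10000, expected=100)
    print("won votes:", j, "verified:",
          verify_sortition(pub, seed, b"proposer", proof, j, 1000, 10000, 100))
```

With stake 1000 out of 10000 and 100 expected winners, p = 0.01 and the node wins about 10 votes on average; a verifier who is handed a different j, or a tampered proof, rejects the claim.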
From the process above it is not hard to see that the VRF-based lottery mechanism has several advantages:
1. The lottery needs no communication with others; the result is obtained directly on the local machine. The input x is agreed on by everyone, and the output for a given x is fixed, so a node cannot change its lottery result by trying repeatedly.
2. After a node receives lottery information from another node, it can use the attached proof to check the correctness of the random number and confirm that it was indeed computed by the owner of the private key. The result of the draw therefore cannot be forged.
3. VRF itself only derives a pseudo-random number; the lottery part is handled by the binomial distribution function. By choosing the parameters of the binomial distribution we can easily control how much stake is expected to win, adapting to the different scenarios that need a lottery.
Having covered the VRF-based lottery algorithm, let's look at what it brings to blockchain consensus.
Changes brought to consensus by VRF lottery
Let’s start with a concrete example.
Ouroboros is Cardano's consensus algorithm, and it is quite interesting. It began as a consensus process that is provably secure but did not specify the realization of every part; implementation details were then added gradually in updated versions of the paper and in the concrete implementation.
So far its theoretical version has gone through three iterations: Ouroboros, Praos and Genesis. The second version, Praos, introduces VRF for selecting the nodes that propose blocks.
First, let’s talk about the consensus process of Ouroboros:
Before each epoch starts, the previous epoch determines a random seed and a set of stakeholders as the participants of the coming epoch. From the random seed, the slot leader of every slot in the epoch is derived, and the leaders package blocks in turn.
The Random Seed for the next epoch is generated by an interactive PVSS scheme. A simple analogy: two people playing rock-paper-scissors who cannot communicate in real time. If one of them sees the other's move first, they can choose a winning move, which is unfair. So instead, everyone writes their move on a card and places it face down; nobody knows the others' moves, but everyone is committed to their choice. Afterwards the cards are revealed in turn.
After the Random Seed is generated, the Follow the Satoshi algorithm assigns a slot leader to each slot. Follow the Satoshi can be regarded as a random oracle: from the Random Seed and each stakeholder's stake, it randomly assigns a stakeholder to each slot as its leader. This result is known to every node before the epoch starts, since each node can compute it on its own.
This creates a problem: since the packaging node of a block can be known in advance, an attacker can target that node ahead of time.
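To make the predictability concrete, here is an added Python sketch of a Follow-the-Satoshi-style leader schedule (my own simplified illustration, not Cardano's implementation). The seed and stake table are constructed, and `follow_the_satoshi`, `epoch_schedule` and `leader_counts` are names I chose. Every unit of stake is treated as one "coin"; a hash of (seed, slot) picks a coin and the coin's owner leads that slot, so anyone holding the seed can compute the whole epoch's schedule before it starts, which is exactly the exposure that switching to a VRF removes.

```python
"""Follow-the-Satoshi-style slot-leader schedule (added example, not Cardano's code)."""
import hashlib


def follow_the_satoshi(seed: bytes, slot: int, stakes: dict) -> str:
    """Pick the leader of one slot with probability proportional to stake.

    The hash of (seed, slot) acts as the random oracle and is reduced to a coin
    index in [0, total_stake). Holders are visited in sorted order so that every
    node iterates identically and reaches the same answer.
    """
    total = sum(stakes.values())
    if total <= 0:
        raise ValueError("no stake to draw from")
    digest = hashlib.sha256(seed + slot.to_bytes(8, "big")).digest()
    coin = int.from_bytes(digest, "big") % total
    cumulative = 0
    for holder, stake in sorted(stakes.items()):
        cumulative += stake
        if coin < cumulative:
            return holder
    raise AssertionError("unreachable: coin index is below total stake")


def epoch_schedule(seed: bytes, n_slots: int, stakes: dict) -> list:
    """The complete leader list for an epoch: computable by anyone who knows the seed."""
    return [follow_the_satoshi(seed, slot, stakes) for slot in range(n_slots)]


def leader_counts(schedule: list) -> dict:
    """How many slots each holder leads, to check the stake-proportional property."""
    counts = {}
    for holder in schedule:
        counts[holder] = counts.get(holder, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed epoch seed and stake table (units of stake per holder).
    stakes = {"alice": 90, "bob": 9, "carol": 1, "dave": 0}
    schedule = epoch_schedule(b"epoch-seed", 1000, stakes)
    print(leader_counts(schedule))
```

Note that the schedule is fully determined by the seed and the stake table; a zero-stake holder is never chosen, and the leader of every future slot is public as soon as the seed is.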
In Praos, the second version of Ouroboros, VRF was introduced to replace the Follow the Satoshi scheme. From the VRF lottery process and properties described above, once VRF is introduced only the node itself knows that it is the slot leader of a given slot. After it publishes its block, other nodes can verify that it really holds this role, which avoids the attack mentioned above.
But this also brings new problems. As mentioned above, Follow the Satoshi assigns a slot leader to every slot, but VRF is a probabilistic lottery, so certainty is not achievable: in a given slot there may be no slot leader at all, or several. Praos therefore adds extra handling for these situations.
Comparing the two schemes, besides the security upgrade of an unpredictable slot leader, VRF introduces two abnormal situations. But are these really new problems introduced by VRF? Let's think about it.
In fact this problem has to be solved under Follow the Satoshi as well as under VRF, because even if every slot is guaranteed a slot leader, there is no guarantee that the leader actually produces a block in that slot. Resolving forks is something any chain has to consider; if a slot leader is compromised and produces many blocks in its own slot, that causes forks too.
So, since no truly new problems are introduced, increasing the anonymity of the packaging node is simply a security upgrade for the system.
Now let's look at other consensus algorithms that use or rely heavily on VRF.
The general idea is to draw lots with verifiable random functions in order to reduce the number of nodes participating in consensus, or the number holding certain roles.
1. Algorand first selects the packer, and then selects the committee after the packer. The committee uses BA* to select the block.
2. In Dfinity, a deposit raises the participation threshold and reduces the number of participating nodes; the packager is then selected, the notary is selected after the packager, blocks are ranked by weight, and the block is selected.
3. In VBFT, the Ontology consensus algorithm, the packager is selected first; after packaging, voters are selected to vote on these packages, then confirmers are selected, the votes are counted, and the block is selected.
Beyond consensus algorithms, some projects use VRF in other areas. For example, in IOST's efficient distributed sharding, VRF is used to elect the leader node. Unlike the offline lottery scheme described above, here each node broadcasts its result after obtaining the random number through the VRF, and the other nodes then tally the results and take the smallest random value as the shard leader. It is an interactive form of election.
A few questions
After sharing VRF and some of its current applications, there are several questions that we need to think about together:
1. Is VRF necessary to draw lots?
2. Are there other application scenarios?
Open sourced a VRF implementation
https://github.com/pinqy520/vrf.js
Currently used in the implementation of the Tarax consensus algorithm.