Drand - A Distributed Randomness Beacon Daemon

<p align="center"><img src="logo.png" width="220" /></p> <p align="center"> <a href="https://github.com/drand/drand/actions?query=branch%3Amaster" title="Tests"><img src="https://github.com/drand/drand/actions/workflows/tests.yaml/badge.svg?branch=master" /></a> <a href="https://codecov.io/gh/drand/drand" title="Coverage"><img src="https://codecov.io/gh/drand/drand/branch/master/graph/badge.svg" /></a> <a href="https://goreportcard.com/report/github.com/drand/drand" title="Go Report Card"><img src="https://goreportcard.com/badge/github.com/drand/drand" /></a> <a href="https://pkg.go.dev/github.com/drand/drand" title="go.dev reference"><img src="https://img.shields.io/badge/go.dev-reference-007d9c?logo=go&logoColor=white" /></a> <a href="https://golang.org/" title="golang version"><img src="https://img.shields.io/badge/golang-%3E%3D1.19-orange.svg" /></a> </p> <p align="center"> Drand (pronounced "dee-rand") is a distributed randomness beacon daemon written in <a href="https://golang.org/">Golang</a>. </p> <p align="center"> Linked drand nodes collectively produce <strong>publicly verifiable</strong>, <strong>unbiased</strong> and <strong>unpredictable</strong> random values at fixed intervals using bilinear pairings and threshold cryptography. </p> <p align="center"> Drand was first developed within the <a href="https://github.com/dedis">DEDIS organization</a>, and as of December 2019, is now under the drand organization. </p> <!-- START doctoc generated TOC please keep comment here to allow auto update --> <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->

Table of Contents

• Goal and Overview
  • Public Randomness
• Installation
  • Official release
  • Manual installation
  • Via Golang
  • Via Docker
• Usage
  • Run Drand locally
  • Create a Drand deployment
  • Fetching Public Randomness
  • Using HTTP endpoints
  • JavaScript client
• Documentation
• What's Next?
• Development
• Acknowledgments
• Coverage
• Tracing
• License

<!-- END doctoc generated TOC please keep comment here to allow auto update -->

Goal and Overview

The need for digital randomness is paramount in multiple digital applications ([e]voting, lottery, cryptographic parameters, embedded devices bootstrapping randomness, blockchain systems etc) as well in non-digital such as statistical sampling (used for example to check results of an election), assigning court cases to random judges, random financial audits, etc. However, constructing a secure source of randomness is anything but easy: there are countless examples of attacks where the randomness generation was the culprit (static keys, non-uniform distribution, biased output, etc). drand aims to fix that gap by providing a Randomness-as-a-Service network (similar to NTP servers for time, or Certificate Authority servers for CAs verification), providing continuous source of randomness which is:

• Decentralized: drand is a software ran by a diverse set of reputable entities on the Internet and a threshold of them is needed to generate randomness, there is no central point of failure.
• Publicly verifiable & unbiased: drand periodically delivers publicly verifiable and unbiased randomness. Any third party can fetch and verify the authenticity of the randomness and by that making sure it hasn't been tampered with.

A drand network is operated by a group of organizations around the world that includes Cloudflare, EPFL, Kudelski Security, Protocol Labs, Celo, UCL, and UIUC. You can learn more by visiting the League of Entropy website, where you can also see the random values being generated by the network in real time.

Public Randomness

Generating public randomness is the primary functionality of drand. Public randomness is generated collectively by drand nodes and publicly available. The main challenge in generating good randomness is that no party involved in the randomness generation process should be able to predict or bias the final output. Additionally, the final result has to be third-party verifiable to make it actually useful for applications like lotteries, sharding, or parameter generation in security protocols.

A drand randomness beacon is composed of a distributed set of nodes and has two phases:

• Setup: Each node first generates a long-term public/private key pair. Then all of the public keys are written to a group file together with some further metadata required to operate the beacon. After this group file has been distributed, the nodes perform a distributed key generation (DKG) protocol to create the collective public key and one private key share per server. The participants NEVER see/use the actual (distributed) private key explicitly but instead utilize their respective private key shares for the generation of public randomness.
• Generation: After the setup, the nodes switch to the randomness generation mode. Any of the nodes can initiate a randomness generation round by broadcasting a message which all the other participants sign using a t-of-n threshold version of the Boneh-Lynn-Shacham (BLS) signature scheme and their respective private key shares. Once any node (or third-party observer) has gathered t partial signatures, it can reconstruct the full BLS signature (using Lagrange interpolation). The signature is then hashed using SHA-256 to ensure that there is no bias in the byte representation of the final output. This hash corresponds to the collective random value and can be verified against the collective public key.

Installation

Official release

Please go use the latest drand binary in the release page.

Manual installation

Drand can be installed via Golang or Docker. By default, drand saves the configuration files such as the long-term key pair, the group file, and the collective public key in the directory $HOME/.drand/.

The docker image can also be built manually by running docker build --build-arg version=$(git describe --tags) --build-arg gitCommit=$(git rev-parse HEAD) -t drandorg/go-drand:latest . in the project root folder Additional instructions for running a node or network using docker can be found in the docker directory

Via Golang

Make sure that you have a working Golang installation and that your GOPATH is set.

Then install drand via:

git clone https://github.com/drand/drand
cd drand
make install

Via Docker

The setup is explained in docker/README.md.

Usage

Run Drand locally

To run a local demo, you can simply run:

make demo

The script spins up a few drand local processes, performs resharing and other operations and will continue to print out new randomness every Xs (currently 6s). For more information, look at the demo README.

A drand beacon provides several public services to clients. A drand node exposes its public services on a gRPC endpoint as well as a REST JSON endpoint, on the same port. The latter is especially useful if one wishes to retrieve randomness from a JavaScript application. Communication is meant to be protected through TLS by using a reverse-proxy to perform TLS termination.

Create a Drand deployment

Consult full instructions at DEPLOYMENT

Fetching Public Randomness

To get the latest public random value, run

drand get public --round <i> <group.toml>

where <group.toml> is the group identity file of a drand node. You can specify the round number when the public randomness has been generated. If not specified, this command returns the most recent random beacon.

The JSON-formatted output produced by drand is of the following form:

{
  "round": 367,
  "signature": "b62dd642e939191af1f9e15bef0f0b0e9562a5f570a12a231864afe468377e2a6424a92ccfc34ef1471cbd58c37c6b020cf75ce9446d2aa1252a090250b2b1441f8a2a0d22208dcc09332eaa0143c4a508be13de63978dbed273e3b9813130d5",
  "previous_signature": "afc545efb57f591dbdf833c339b3369f569566a93e49578db46b6586299422483b7a2d595814046e2847494b401650a0050981e716e531b6f4b620909c2bf1476fd82cf788a110becbc77e55746a7cccd47fb171e8ae2eea2a22fcc6a512486d",
  "randomness": "d7aed3686bf2be657e6d38c20999831308ee6244b68c8825676db580e7e3bec6"
}

Here Signature is the threshold BLS signature on the previous signature value Previous and the current round number. Randomness is the hash of Signature, to be used as the random value for this round. The field Round specifies the index of Randomness in the sequence of all random values produced by this drand instance. The message signed is therefore the concatenation of the round number treated as a uint64 and the previous signature. At the moment, we are only using BLS signatures on the bls12-381 curves and the signature is made over G1.

(Note that this command expects access to a drand group member, this won't work with the current League of Entropy nodes, since they are not exposing their GRPC endpoints directly.)

Using HTTP endpoints

This is the recommended way of using drand randomness, but don't forget to validate the beacons' signatures against the group public key.

One may want to get the distributed key or public randomness by issuing a GET to a H