
# 5 Cryptographic sortition


Cryptographic sortition is an algorithm for choosing a random subset of users according to per-user weights; that is, given a set of weights $w_i$ and the weight of all users $W = \sum_i w_i$, the probability that user $i$ is selected is proportional to $w_i / W$. The randomness in the sortition algorithm comes from a publicly known random *seed*; we describe later how this seed is chosen. To allow a user to prove that they were chosen, sortition requires each user $i$ to have a public/private key pair, $(pk_i, sk_i)$.

Sortition is implemented using verifiable random functions (VRFs) [39]. Informally, on any input string $x$, $\mathrm{VRF}_{sk}(x)$ returns two values: a hash and a proof. The hash is a *hashlen*-bit-long value that is uniquely determined by $sk$ and $x$, but is indistinguishable from random to anyone that does not know $sk$. The proof $\pi$ enables anyone that knows $pk$ to check that the hash indeed corresponds to $x$, without having to know $sk$. For security, we require that the VRF provides these properties even if $pk$ and $sk$ are chosen by an attacker.

## 5.1 Selection procedure

Using VRFs, Algorand implements cryptographic sortition as shown in Algorithm 1. Sortition requires a *role* parameter that distinguishes the different roles that a user may be selected for; for example, the user may be selected to propose a block in some round, or they may be selected to be the member of the committee at a certain step of BA. Algorand specifies a threshold $\tau$ that determines the expected number of users selected for that role.

It is important that sortition selects users in proportion to their weight; otherwise, sortition would not defend against Sybil attacks. One subtle implication is that users may be chosen more than once by sortition (e.g., because they have a high weight). Sortition addresses this by returning the $j$ parameter, which indicates how many times the user was chosen. Being chosen $j$ times means that the user gets to participate as $j$ different “sub-users.”

```
procedure Sortition(sk, seed, τ, role, w, W):
    ⟨hash, π⟩ ← VRF_sk(seed || role)
    p ← τ / W
    j ← 0
    while hash / 2^hashlen ∉ [ Σ_{k=0}^{j} B(k; w, p), Σ_{k=0}^{j+1} B(k; w, p) ) do
        j++
    return ⟨hash, π, j⟩
```

Algorithm 1: The cryptographic sortition algorithm.

To select users in proportion to their money, we consider each unit of Algorand as a different “sub-user.” If user $i$ owns $w_i$ (integral) units of Algorand, then simulated user $(i, j)$ with $j \in \{1, \ldots, w_i\}$ represents the $j$th unit of currency $i$ owns, and is selected with probability $p = \tau / W$, where $W$ is the total amount of currency units in Algorand.

As shown in Algorithm 1, a user performs sortition by computing $\langle hash, \pi \rangle \leftarrow \mathrm{VRF}_{sk}(seed \,\|\, role)$, where $sk$ is the user’s secret key. The pseudo-random hash determines how many sub-users are selected, as follows. The probability that exactly $k$ out of the $w$ (the user’s weight) sub-users are selected follows the binomial distribution, $B(k; w, p) = \binom{w}{k} p^k (1 - p)^{w - k}$, where $\sum_{k=0}^{w} B(k; w, p) = 1$. Since $B(k_1; n_1, p) + B(k_2; n_2, p) = B(k_1 + k_2; n_1 + n_2, p)$, splitting a user’s weight (currency) among Sybils does not affect the number of selected sub-users under his/her control.
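The selection step and the Sybil-splitting argument above, as an added Python example (not code from the paper or from Algorand). Two things here are assumptions of this sketch: `standin_vrf` is a keyed-hash placeholder that produces no verifiable proof, and the intervals are indexed so that $j$ is the smallest value whose cumulative binomial sum exceeds $hash / 2^{hashlen}$, which gives $P(j = k) = B(k; w, p)$ as the text states.

```python
import hashlib
import hmac
from fractions import Fraction
from math import comb

HASHLEN = 256  # bit length of the stand-in hash (SHA-256 output)

def binom_pmf(k, w, p):
    """B(k; w, p) = C(w, k) p^k (1-p)^(w-k), exact when p is a Fraction."""
    return comb(w, k) * p**k * (1 - p)**(w - k)

def sub_users_selected(hash_bytes, w, p):
    """Map hash/2^hashlen in [0, 1) to j by inverting the binomial CDF."""
    frac = Fraction(int.from_bytes(hash_bytes, "big"), 2**HASHLEN)
    cdf = Fraction(0)
    for j in range(w + 1):
        cdf += binom_pmf(j, w, p)
        if frac < cdf:
            return j
    return w  # not reached: the CDF ends at 1 and frac < 1

def standin_vrf(sk, x):
    """Placeholder only, NOT a VRF: HMAC gives no publicly checkable proof."""
    return hmac.new(sk, x, hashlib.sha256).digest(), None

def sortition(sk, seed, tau, role, w, W):
    """Return (hash, proof, j) for a user of weight w out of total weight W."""
    h, proof = standin_vrf(sk, seed + role)  # seed || role
    return h, proof, sub_users_selected(h, w, Fraction(tau, W))

def split_pmf(w1, w2, p):
    """Distribution of total selected sub-users when one holder splits
    weight w1 + w2 across two independent Sybil keys."""
    out = [Fraction(0)] * (w1 + w2 + 1)
    for a in range(w1 + 1):
        for b in range(w2 + 1):
            out[a + b] += binom_pmf(a, w1, p) * binom_pmf(b, w2, p)
    return out
```

`split_pmf(3, 7, p)` equals the single-key distribution for weight 10 exactly, which is the defender-relevant point: creating extra identities changes neither the expected number of selected sub-users nor its distribution.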
