Deterministic Sortition (DS in short) is the non-interactive process used in the Succinct Attestation protocol to select the Block Generator for the Proposal phase, and the members of the Voting Committees for the Validation and Ratification phases.
ToC
The Deterministic Sortition (
The algorithm takes as inputs the round number
The algorithm assigns one credit at a time to a randomly selected provisioner using the Deterministic Extraction (
Each provisioner can be assigned one or more credits, depending on their stakes. Specifically, the extraction algorithm follows a weighted distribution that favors provisioners with higher stakes. In other words, the higher the stake, the higher the probability of being assigned a credit.
To balance out this probability each provisioner weight is initially set to the value of its stake, and then reduced by 1 Dusk each time the provisioner is assigned a credit (if the weight is lower than 1 Dusk, it is set to 0). This way, the probability for a provisioner to be extracted diminishes with every assigned credit.
As such, on average, eligible provisioners will participate in committees with a frequency and power proportional to their stakes.
The extraction procedure assigns credits based on a pseudo-random number called Score, which is generated deterministically using the SHA31 hash function [1].
Formally:
where
The use of a hash value based on the above parameters allows to generate a unique score value for each single credit being assigned, ensuring the randomness of the extraction process.
The use of the modulo operation guarantees a provisioner is extracted within a single iteration over the provisioner set (see the
The Seed value is used to ensure the pseudo-randomicity and unpredictability of the score.
This value is included in the block header and is updated in each block by the block generator.
Specifically, the
Formally:
As such,
Note that
We describe the Deterministic Sortition algorithm through the DS procedure, which creates a Voting Committee by pseudo-randomly assigning credits to eligible provisioners. In turn, DS uses the Deterministic Extraction (DE) procedure, which performs a single extraction.
Parameters
-
$R$ : consensus round -
$S$ : consensus step -
$Credits$ : number of credits to assign -
$\boldsymbol{P} = [\mathcal{P}_0,\dots,\mathcal{P}_n]$ : provisioner list
Algorithm
- Start with empty committee
- Set each provisioner's weight equal to the amount of its stake
- Set total weight
$W$ to the sum of all provisioner's weights - Assign credit
$i$ as follows:- Compute
$Score$ - Order provisioners by ascending public key
- Extract provisioner
$\mathcal{P}$ with DE - Add
$\mathcal{P}$ to committee, if necessary - Assign credit to
$\mathcal{P}$ - Compute
$d$ as the minimum between$1$ Dusk and$\mathcal{P}$ 's weight - Subtract
$d$ from$\mathcal{P}$ 's weight - Subtract
$d$ from total weight$W$ - If total weight reaches 0, output the partial committee
- Compute
- Output committee
Procedure
$\mathcal{C} = \emptyset$ -
$\texttt{for } \mathcal{P} \texttt{ in } \boldsymbol{P} :$ $w_\mathcal{P} = S_\mathcal{P}.Amount$
$W = \sum_{i=0}^{|\boldsymbol{P}|-1} w_{\mathcal{P}_i} : \mathcal{P}_i \in \boldsymbol{P}$ -
$\texttt{for } c = 0\text{ }\dots\text{ }credits{-}1$ :$Score_c^{R,S} = Int(Hash_{SHA3}( Seed_{R-1}||S||c)) \mod W$ $\boldsymbol{P}' = SortByPK(\boldsymbol{P})$ -
$\mathcal{P}_c = \text{ }$ DE$(Score_c^{R,S}, \boldsymbol{P}')$ -
$\texttt{if } \mathcal{P}_c \notin \mathcal{C}$ :$m_{\mathcal{P}_c}^\mathcal{C} = (\mathcal{P}_c,0)$ $\mathcal{C} = \mathcal{C} \cup m_{\mathcal{P}_c}^\mathcal{C}$
$m_{\mathcal{P}_c}^\mathcal{C}.Power = m_{\mathcal{P}_c}^\mathcal{C}.Power+1$ $d = min(w_{P},1)$ $w_{\mathcal{P}_c} = w_{\mathcal{P}_c} - d$ $W = W - d$ -
$\texttt{if } W \le 0$ $\texttt{output } \mathcal{C}$
$\texttt{output } \mathcal{C}$
Parameters
-
$Score$ : score for current credit assignation -
$\boldsymbol{P} = [\mathcal{P}_0,\dots,\mathcal{P}_n]$ : array of provisioners ordered by public key
Algorithm
- For each provisioner
$\mathcal{P}$ in$\boldsymbol{P}$ - if
$\mathcal{P}$ 's weight is higher than$Score$ ,- output
$\mathcal{P}$
- output
- otherwise,
- subtract
$\mathcal{P}$ 's weight from$Score$
- subtract
- if
Procedure
-
$\texttt{for } \mathcal{P} = \boldsymbol{P}[0] \dots \boldsymbol{P}[|\boldsymbol{P}|-1]$ :-
$\texttt{if } w_\mathcal{P} \ge Score$ $\texttt{output } \mathcal{P}$
-
$\texttt{\texttt{else}}:$ $Score = Score - w_\mathcal{P}$
-
[1]: "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions", Boneh et al., 2004, https://doi.org/10.6028/NIST.FIPS.202
[2]: "Short Signatures from the Weil Pairing", Dworkin, 2015, https://doi.org/10.1007%2Fs00145-004-0314-9
Footnotes
-
We will use SHA3 to denote SHA3-256. ↩