If we are confident we want RANDAO for sharding and pure PoS should we consider including it in sharding phase 1?
- Simplicity and forward compatibility: The scheme is fairly simple to implement. It feels the costs of moving to RANDAO midway through the sharding roadmap (disruption) outweigh those of implementing it upfront (delayed initial launch).
- Design flexibility: Moving away from blockhashes expands the sharding design space. RANDAO is “offchain-friendly”, for example allowing low-variance 5-second periods with small proposer lookahead.
- Reuse and network effects: RANDAO in sharding phase 1 would lay the groundwork for the pure PoS block proposal mechanism, and allow the wider dApp ecosystem to access a high-quality semi-enshrined alternative to blockhashes.
In short, I really don’t think we need fancy threshold signature randomness or low-influence functions or any other fancy math
It would be interesting to get feedback from projects going in other directions (e.g. Dfinity, Cardano, Algorand). One rebuttal may be that RANDAO doesn’t have “guaranteed output delivery” (GOD) at every period. A single participant skipping (i.e. not revealing his preimage) would cause all shards to freeze for 5 seconds. This central point of failure may be a DoS vector, or at least a quality-of-service liability, especially in the context of a bribing attacker.
One mitigation is to heavily penalise skipping, but that may introduce a griefing/discouragement vector. Another mitigation is to XOR n > 1 preimages at every round, but that increases grinding opportunities and messaging overhead.
Another direction I’m exploring is to have a hybrid scheme which is RANDAO by default, and if a participant skips then a committee can quickly fill the gap (e.g. with a threshold scheme to force-reveal the preimage) to nullify both the grinding and bribing attacks.