looks like they are using cosmos type PoS, but they modified it to be more scalable using a random subset of validators for each round.
Using a random subset this way is more scalable, but it is less secure.
First off, using a random subset increases the probability that the attackers will eventually have >2/3rds control for a round.
Secondly, their randomness is produced by the block proposer signing over the previous round of randomness.
This means the block producer gets at least one reroll by failing to sign.
If the signature scheme is not deterministic, then that means it is nearly free for the block producer to do re-rolls of the randomness.
If the block producer doesn't like the randomness, it just signs again and again until it comes up with a signature that produces the randomness it wants.
Doing 2^n signatures gives control over n bits of the randomness being produced.
If the signature scheme is deterministic (I had thought deterministic signatures were impossible, that you needed to fold some salt into the signature to prevent attackers from being able to probabilistically derive your private key), but if it is deterministic, then that means the attackers, once they gain control, they can predict the randomness far into the future. So they can do bonding and unbonding txs to change the set of pubkeys owned by validators to always be in the winning position.
Using a random subset this way is more scalable, but it is less secure.
First off, using a random subset increases the probability that the attackers will eventually have >2/3rds control for a round.
Secondly, their randomness is produced by the block proposer signing over the previous round of randomness.
This means the block producer gets at least one reroll by failing to sign.
If the signature scheme is not deterministic, then that means it is nearly free for the block producer to do re-rolls of the randomness.
If the block producer doesn't like the randomness, it just signs again and again until it comes up with a signature that produces the randomness it wants.
Doing 2^n signatures gives control over n bits of the randomness being produced.
If the signature scheme is deterministic (I had thought deterministic signatures were impossible, that you needed to fold some salt into the signature to prevent attackers from being able to probabilistically derive your private key), but if it is deterministic, then that means the attackers, once they gain control, they can predict the randomness far into the future. So they can do bonding and unbonding txs to change the set of pubkeys owned by validators to always be in the winning position.