Single secret leader election protocols

Single secret leader election is a cryptographic primitive that is very useful for PoS. It allows the PoS protocol to select exactly one block proposer per slot, with the property that only the proposer knows when they are going to propose.

It's easy to get one of those properties without the other. If you want only the proposer to know when they will propose, you can require them to reveal a pre-committed secret only if some function f(secret, time, previous_block) returns True. The commitment mechanism (e.g. a pre-published hash) prevents the proposer from manipulating the secret, and the function can be targeted to on average make one proposer eligible per some unit of time. However, such a mechanism will often lead to either 0 or 2+ proposers being selected, which leads to problems. If you want exactly one proposer per slot, you can just have a protocol that openly selects one from a list, but then everyone will know ahead of time who the proposer will be, which makes DoS attacks against proposers easier.

Getting both properties at the same time turns out to be quite tricky, but doable. The general idea is that every proposer makes an encrypted commitment to their secret. In every block, some of the encryptions are simultaneously re-encrypted and shuffled, e.g. if the pre-list was [A, B, C, D, E] the post-list might be [C', E', A', D', B'], where A' is a re-encryption of A and so on (the encryption protocol allows anyone to re-encrypt without the decryption key, and a re-encryption cannot be distinguished from a completely different encrypted message). A special-purpose zero knowledge proof verifies that this re-encrypting and shuffling was done correctly. In each slot, a random encryption is selected, and the publisher must reveal themselves by publishing their secret and proving that it matches the encrypted commitment.

See the ethresear.ch post and link to papers here: https://ethresear.ch/t/provable-single-secret-leader-election/7971

submitted by /u/vbuterin
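
The commit, re-encrypt-and-shuffle, select, and reveal flow described in the post, as an added example that is not code from the post or the linked papers. It assumes commitments are discrete-log pairs (g^r, g^(r·k)) that anyone can re-randomise by exponentiation, uses a toy group that is far too small for real use, and omits the zero-knowledge shuffle proof entirely; all function names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters (constructed for illustration, NOT secure):
# P = 2Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4
rng = secrets.SystemRandom()

def commit(k):
    """Register a validator with secret k: publish (g^r, g^(r*k)), r random."""
    a = pow(G, rng.randrange(1, Q), P)
    return (a, pow(a, k, P))

def reencrypt_and_shuffle(commitments):
    """Raise both halves of each pair to a fresh exponent z, then permute.
    b == a^k still holds, but no decryption key was needed to do this."""
    out = []
    for a, b in commitments:
        z = rng.randrange(1, Q)
        out.append((pow(a, z, P), pow(b, z, P)))
    rng.shuffle(out)
    return out

def is_mine(pair, k):
    """Holder of k recognises their pair; the same check verifies a reveal."""
    a, b = pair
    return pow(a, k, P) == b

def select(commitments, beacon):
    """Public per-slot randomness picks exactly one list position."""
    digest = hashlib.sha256(beacon).digest()
    return commitments[int.from_bytes(digest, "big") % len(commitments)]

def run_election(n_validators=5, rounds=3, beacon=b"slot-1 (constructed)"):
    keys = rng.sample(range(1, Q), n_validators)   # distinct secrets
    board = [commit(k) for k in keys]
    for _ in range(rounds):                        # one shuffle per block
        board = reencrypt_and_shuffle(board)
    chosen = select(board, beacon)
    # Each validator checks privately; only the winner learns they were chosen.
    claimants = [i for i, k in enumerate(keys) if is_mine(chosen, k)]
    return keys, board, chosen, claimants

if __name__ == "__main__":
    keys, board, chosen, claimants = run_election()
    print("selected commitment:", chosen, "-> proposer index:", claimants)
```

Because every pair on the board matches exactly one secret, selecting one list position yields exactly one proposer, and observers see only a re-randomised pair until the reveal.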