Toward a Minimal Post-Quantum VRF for L2 Sequencers (Complementary to Hybrid Encrypted Mempools)
Recent discussions around Hybrid Encrypted Mempools (HEM) highlight a fundamental split in how Ethereum treats randomness and adversarial models. This post explores a complementary cryptographic primitive—a minimal deterministic, PQ-verifiable VRF—targeted specifically at single-operator or small-committee trust domains such as L2 sequencers, AA bundlers, and zk-prover assignment.
The intent is not to compete with threshold-based L1 beacon work, but to clarify where a lightweight primitive may be the correct tool for the job.
1. Adversarial Model: L1 vs. L2
For a global L1 randomness beacon, the adversarial choice space is:
Choices_L1 ≈ 2^k
for a committee of size k, since proposers may withhold contributions.
Unpredictable RANDAO reduces this to roughly:
Choices_threshold ≈ k + 1
This reduction is meaningful only when:
adversaries are multi-party,
participation is permissionless,
withholding is economically rational.
In contrast, typical L2 trust domains behave very differently:
sequencer sets are often a single operator (or 2–5 nodes),
operators already control batch ordering,
latency budgets are sub-millisecond,
sequential consistency is critical,
liveness failures are catastrophic.
Thus the effective adversarial choice space is:
Choices_L2 ≈ 1
Once we accept this, the cryptographic requirements shift substantially.
Threshold/DKG solutions may introduce more fragility than security improvement in such settings.
2. Why Threshold VRFs and DKG May Be Overkill for L2
Hybrid Encrypted Mempools propose a threshold-based mechanism designed to eliminate reveal optionality and improve state-root unpredictability. It is a powerful design for global adversarial models.
However, threshold schemes in L2 contexts introduce:
DKG or silent-setup rotation complexity,
dependence on >t online committee members,
multi-point liveness failures,
latency overhead incompatible with L2 pipelines,
the need to re-encrypt for each rotation.
These failure modes are often incompatible with deterministic sequencing and proof pipelines used by L2 rollups.
This motivates looking at a much simpler primitive that matches the trust model of L2 operators.
3. A Minimal PQ-Ready VRF for Small Trust Domains
This construction is intentionally simple.
It is not threshold-unbiasable, not a randomness beacon, and not designed to solve adversarial multi-party entropy.
Its purpose is:
deterministic reproducibility of L2 state transitions,
fast, operator-local commitments,
PQ-verifiable historical auditability,
zero DKG, zero committee, zero liveness coupling.
Given:
a private high-entropy seed s (derived from a sealed or trusted entropy source; implementation-defined),
a public message msg (batch ID, domain separator).
VRF-like output:
Y = H(s, msg)
where H is a deterministic hash chain composed of standard symmetric primitives (e.g., keccak256 → SHAKE256 → BLAKE2s → keccak512).
The exact pipeline is implementation-defined and treated as a PRF.
Auxiliary proof components:
commitment π containing minimal metadata (including a hash commitment to the chain),
classical verifiable signature:
σ_cl = Sign_secp256k1(Y)
post-quantum signature:
σ_pq = Sign_MLDSA65(Y || π)
Verification:
Verify PQ signature:
MLDSA65.Verify(pub_pq, Y || π, σ_pq)
Recompute:
Y' = H(s, msg)
(Optional) check σ_cl for EVM compatibility.
Accept iff:
Y' == Y
Properties:
deterministic
curve-free
symmetric-hash-only
no threshold cryptography
no liveness coupling
PQ-auditable
latency <1ms possible
This is closer to a verifiable PRF than a classical VRF, but it satisfies L2 operational needs.
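As an added example (not code from this post or from any rollup project), here is a Python sketch of the section 3 construction: the hash-chain PRF Y = H(s, msg), the commitment π, and the two verification paths. Assumptions: SHA3-256/512 stand in for keccak256/keccak512 because hashlib has no raw keccak; the stage order, the length-prefixed framing of (domain, s, msg), and the layout of π are mine; the ML-DSA-65 signature is an injected callable, and the block ships a keyed-HMAC stand-in only so it runs offline (it is a MAC, not a PQ signature, and must be replaced by a real ML-DSA-65 backend in deployment). Note that the recompute step Y' = H(s, msg) needs the seed, so only the operator or an auditor handed the seed can run it; third parties are limited to the signature and commitment checks.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Tuple

# Assumed chain description; committed inside pi so a verifier can tell
# which pipeline produced Y without learning the seed.
CHAIN_ID = b"sha3_256>shake256>blake2s>sha3_512"


def _frame(*parts: bytes) -> bytes:
    """Length-prefix every field so (domain, s, msg) boundaries are unambiguous.

    Without framing, H(s || msg) lets two different (seed, msg) splits collide
    on the same byte string; 4-byte big-endian lengths remove that ambiguity.
    """
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def prf_chain(seed: bytes, msg: bytes, domain: bytes) -> bytes:
    """Y = H(s, msg): four symmetric stages, each fed the previous digest."""
    if len(seed) < 32:
        raise ValueError("seed must carry at least 256 bits of entropy")
    st = hashlib.sha3_256(_frame(domain, seed, msg)).digest()   # stand-in for keccak256
    st = hashlib.shake_256(st).digest(64)                         # SHAKE256, 512-bit output
    st = hashlib.blake2s(st, digest_size=32).digest()             # BLAKE2s
    return hashlib.sha3_512(st).digest()                          # stand-in for keccak512


def commitment(msg: bytes, domain: bytes) -> bytes:
    """pi: a public hash commitment to the chain layout and inputs (seed excluded)."""
    return hashlib.sha3_256(_frame(b"pi", domain, CHAIN_ID, msg)).digest()


@dataclass(frozen=True)
class VrfRecord:
    msg: bytes
    y: bytes
    pi: bytes
    sig_pq: bytes


Signer = Callable[[bytes], bytes]
Verifier = Callable[[bytes, bytes], bool]


def mac_stand_in(key: bytes) -> Tuple[Signer, Verifier]:
    """Offline placeholder for Sign_MLDSA65 / MLDSA65.Verify.

    This is a keyed HMAC (symmetric), NOT a signature: anyone who can verify
    can also forge. It exists only so the flow below runs without a PQ library.
    """
    def sign(data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha3_256).digest()

    def verify(data: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(sign(data), tag)

    return sign, verify


def evaluate(seed: bytes, msg: bytes, domain: bytes, sign_pq: Signer) -> VrfRecord:
    """Operator side: derive Y, build pi, sign Y || pi with the PQ key."""
    y = prf_chain(seed, msg, domain)
    pi = commitment(msg, domain)
    return VrfRecord(msg=msg, y=y, pi=pi, sig_pq=sign_pq(y + pi))


def verify_public(rec: VrfRecord, domain: bytes, verify_pq: Verifier) -> bool:
    """Third-party check: pi matches the public inputs and the PQ tag covers Y || pi."""
    pi_ok = hmac.compare_digest(rec.pi, commitment(rec.msg, domain))
    return pi_ok and verify_pq(rec.y + rec.pi, rec.sig_pq)


def verify_with_seed(rec: VrfRecord, seed: bytes, domain: bytes) -> bool:
    """Recompute Y' = H(s, msg) and accept iff Y' == Y; requires the seed."""
    return hmac.compare_digest(prf_chain(seed, rec.msg, domain), rec.y)


if __name__ == "__main__":
    # Constructed sample inputs: a fixed 32-byte seed and a batch identifier.
    seed = bytes(range(32))
    sign, verify = mac_stand_in(b"\x01" * 32)
    rec = evaluate(seed, b"batch-0001", b"rollup-example/v1", sign)
    print("Y =", rec.y.hex())
    print("public check:", verify_public(rec, b"rollup-example/v1", verify))
    print("seed check:  ", verify_with_seed(rec, seed, b"rollup-example/v1"))
```

The framing helper is the part worth keeping even if the stage list changes: the post treats H as a PRF keyed by s, and a PRF whose input boundary between key and message is ambiguous is not one. The determinism the post relies on is visible in the fact that evaluating the same (s, msg, domain) twice yields the same record, while changing msg or the domain separator changes Y.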
4. Relationship to Hybrid Encrypted Mempools
These two primitives address disjoint threat models:
HEM provides:
elimination of selective reveal by users,
resistance to encrypted-transaction MEV vectors,
L1-level unpredictability for state roots,
compatibility with unbiasable beacon aspirations,
threshold properties needed in global, multi-party environments.
Deterministic PQ-VRF provides:
reproducible sequencing randomness,
deterministic batch → proof → settlement behavior,
PQ-verifiable history independent of classical cryptography,
zero committee, zero DKG,
best-fit behavior for single-operator domains.
Thus the two primitives are complementary, not competing.
HEM stabilizes global adversarial randomness.
A minimal PQ-VRF stabilizes local deterministic roles.
5. Potential Relevance for L2s / AA / zk-prover Networks
Many L2 systems implicitly require:
reproducibility > unbiasability,
determinism > entropy,
auditability > unpredictability,
simplicity > global coordination,
PQ longevity > classical curve assumptions.
A lightweight primitive with a sealed seed, deterministic behavior, and PQ-verifiable commitments may be the simplest correct solution.
In particular:
sequencer rotation
batch ID selection
zk-prover assignment
aggregator/bundler scheduling
may not justify threshold randomness at all.
6. Open Questions (for discussion)
(1)
Are there theoretical results suggesting that single-operator domains should still adopt threshold randomness—even if their adversarial model collapses to a single actor?
(2)
Can encrypted state-root unpredictability from HEM be safely used by L2s, or should L2 randomness remain architecturally decoupled from L1 due to the timing and liveness constraints of rollup pipelines?
(3)
Is a deterministic PQ-verifiable VRF strictly inferior to threshold VRFs in domains where biasability is irrelevant, but reproducibility and historical verifiability are required?
(4)
Could a unified PRF-based design cover both roles if combined with encrypted-mempool unpredictability, or are the problem domains fundamentally orthogonal?
7. Summary
This post proposes a minimal VRF-like primitive for environments where:
committees introduce unnecessary fragility,
unbiasability is irrelevant,
deterministic ordering is essential,
PQ auditability is required,
latency budgets are extremely tight,
and trust domains are inherently centralized.
It is not a replacement for threshold randomness or Hybrid Encrypted Mempools.
It is a complement designed for a different adversarial model.
Feedback from the community—especially on the long-term convergence (or divergence) of threshold vs deterministic constructions—would be greatly appreciated.