This project is about using drand's randomness for a round to decrypt messages encrypted towards that specific round, i.e. an encryption scheme where anybody can decrypt once a certain round has been reached.

Technical Description

Common Notation

Let $n$ be the number of participants in the drand network.

Let $t$ be the threshold parameter with which the distributed key generation has been set up.

Let $F_r$ be the scalar field and $(\mathbb{G_1},\mathbb{G_2},\mathbb{G_t})$ be the pairing-equipped groups each using coordinates in $F_q$.

We call $e: (\mathbb{G_1},\mathbb{G_2}) \rightarrow \mathbb{G_t}$ the pairing map, which is bilinear.

We note all operations in the additive notation.

We denote by $G_1$ (resp. $G_2$ and $G_t$) a random generator of $\mathbb{G_1}$ (resp. $\mathbb{G_2}$ and $\mathbb{G_t}$).

Let $l$ be the length of the message the client wishes to encrypt.

Background: drand

Drand generates BLS signatures in a threshold manner.

Let $P$ be the public key associated with the network and $s$ the associated distributed secret key, such that

$$ P = sG_1 $$

Each node holds a share $s_i$ of $s$; $s$ can be reconstructed from $t$ shares using Lagrange interpolation, where $L_i(x)$ is the $i$-th Lagrange basis polynomial:

$$ s = \left(\sum_{i}^{t} s_i L_i(x)\right)(0) $$
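The sharing and reconstruction described above, together with the partial-signature aggregation that drand's signing round builds on it, as an added example that is not part of this project's code. The toy group is the prime-order subgroup of $\mathbb{Z}_p^*$ for the safe prime $p = 2q+1$, written multiplicatively, so the additive "$s_i H_1(\rho)$" of the text becomes `H_1(rho) ** s_i mod p`; there is no pairing, so instead of verifying against the public key the aggregate is compared with a signature made from the full secret. The group parameters, the polynomial coefficients and the round number are constructed values; the dealer-based `keygen` stands in for the DKG.

```python
"""Threshold BLS-style signing as described above, modelled in a toy group
(added example, not drand code).

Toy group: the order-q subgroup of Z_p^* for the safe prime p = 2q + 1,
written multiplicatively. No pairing is available here, so "verification"
compares the interpolated signature with one made from the full secret.
"""
import hashlib

PRIME_P = 1019   # constructed safe prime: 1019 = 2 * 509 + 1
ORDER_Q = 509    # order of the subgroup, i.e. the scalar field F_q here
GEN = 4          # 2**2, a generator of the order-ORDER_Q subgroup
assert GEN != 1 and pow(GEN, ORDER_Q, PRIME_P) == 1


def h1(rho: int) -> int:
    """Toy H_1: hash the round number, then square into the subgroup.

    Squaring a non-trivial element of Z_p^* lands in the order-q subgroup,
    so the discrete log of H_1(rho) to GEN stays unknown, as a hash-to-group
    function requires.
    """
    digest = hashlib.sha256(rho.to_bytes(8, "big")).digest()
    x = int.from_bytes(digest, "big") % PRIME_P
    if x in (0, 1, PRIME_P - 1):   # degenerate images: x**2 would be 0 or 1
        x = 2
    return pow(x, 2, PRIME_P)


def keygen(n: int, t: int, coeffs=None):
    """Dealer stand-in for the DKG: Shamir-share s with a degree t-1 polynomial.

    coeffs[0] is the secret s and share i is f(i). Fixed coeffs keep the demo
    deterministic; pass None to draw them at random.
    """
    if coeffs is None:
        import secrets
        coeffs = [secrets.randbelow(ORDER_Q) for _ in range(t)]
    assert len(coeffs) == t
    s = coeffs[0]
    shares = {
        i: sum(c * pow(i, k, ORDER_Q) for k, c in enumerate(coeffs)) % ORDER_Q
        for i in range(1, n + 1)
    }
    pk = pow(GEN, s, PRIME_P)   # P = s G_1 in the notation above
    return s, pk, shares


def lagrange_at_zero(i: int, indices) -> int:
    """L_i(0) over F_q for the participating share indices."""
    num, den = 1, 1
    for j in indices:
        if j != i:
            num = num * (-j) % ORDER_Q
            den = den * (i - j) % ORDER_Q
    return num * pow(den, -1, ORDER_Q) % ORDER_Q


def partial_sign(share: int, rho: int) -> int:
    """pi_i = s_i H_1(rho), one node's partial signature."""
    return pow(h1(rho), share, PRIME_P)


def aggregate(partials: dict) -> int:
    """Interpolate in the group: pi = sum_i L_i(0) pi_i, a product of powers here.

    Linearity lets the coefficients act on the partial signatures directly,
    so s itself is never reconstructed.
    """
    indices = list(partials)
    sig = 1
    for i in indices:
        sig = sig * pow(partials[i], lagrange_at_zero(i, indices), PRIME_P) % PRIME_P
    return sig


def full_sign(s: int, rho: int) -> int:
    """Reference signature using the full secret, which drand never materialises."""
    return pow(h1(rho), s, PRIME_P)


def demo(n: int = 5, t: int = 3, rho: int = 1234):
    """Returns (t shares agree, another t shares agree, t-1 shares agree)."""
    s, _pk, shares = keygen(n, t, coeffs=[123, 45, 67])   # constructed, needs t == 3
    partials = {i: partial_sign(shares[i], rho) for i in shares}
    expected = full_sign(s, rho)
    return (
        aggregate({i: partials[i] for i in (1, 2, 3)}) == expected,
        aggregate({i: partials[i] for i in (2, 4, 5)}) == expected,
        aggregate({i: partials[i] for i in (1, 2)}) == expected,
    )


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

Any $t$ of the $n$ partial signatures interpolate to the same value, while $t-1$ shares interpolate a different polynomial and give an unrelated group element; in the real network this is what lets a client accept a round's signature from any quorum while no subset below the threshold can produce it.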

At each epoch $\rho$, the drand network generates a BLS signature over the message (the round number $\rho$, mapped into $F_q$). More specifically, each node generates a partial BLS signature as follows:

$$ \pi_i = s_i H_1(\rho) \in \mathbb{G_2} $$

where $H_1: F_q \rightarrow \mathbb{G_2}$ is a secure hash function into $\mathbb{G_2}$. The final signature $\pi$ is then interpolated using the Lagrange basis polynomials $L_i(x)$: