Daniel, thank you for your nice response. Agreed that a departing staker should signal that early.

One point I want to emphasize: This mechanism uses local randomness, avoiding global randomness which has more incentive for bias. So this mechanism reduces bias in some sense.

Great observation that this mechanism can be restated using commit-reveal, allowing similar bias-reduction techniques to be applied – batching, subcommittees, avalanche, VDFs, etc.

BTW Another such technique to reduce bias in commit-reveal follows. (Maybe it deserves its own post.)

Definition. Reveal-forcing filter.

Consider a commit-reveal procedure in which each committee member commits to their secret $s_i \in \mathbb{Z}$ by publishing the value $g^{s_i}$, where $g$ generates a cyclic group $G$ of order $p$. At reveal-time, each member can reveal their secret in order. Each member’s contribution to randomness is the output of an $n$-linear map $e: G^n \to G_T$, where $G_T$ is also a cyclic group of order $p$, and $e$ is defined as follows.

case $n=1$: The contribution of the $i^{\text{th}}$ member is $g^{s_{i-1}s_{i}}$, which can be computed if $s_{i-1}$ is revealed using $(g^{s_{i}})^{s_{i-1}}$.

case $n=2$: The contribution of the $i^{\text{th}}$ member is $e(g,g)^{s_{i-2}s_{i-1}s_{i}}$, which can be computed from $s_{i-1}$ with pairing $e(g^{s_{i-2}},g^{s_{i}})^{s_{i-1}}$. Similarly, from $s_{i-2}$.

case $n=m$: The contribution of the $i^{\text{th}}$ member is $e(g,g,\ldots,g)^{s_{i-m+1}s_{i-m+2}\cdots s_i}$, which can be computed using any $s_k$ by $m$-linear map $e(g^{s_{i-m+1}},g^{s_{i-m+2}},\ldots,g^{s_{k-1}},g^{s_{k+1}},\ldots,g^{s_{i}})^{s_k}$.

Remark. Only ONE honest member is needed in each neighborhood. But this increases look-ahead, so perhaps it should only be used for the last revealers in current randao.
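The n=1 case above, as an added example that is not part of the original post: it shows that a member who withholds their reveal cannot change any contribution while a neighbor still reveals, and that two adjacent withholders can. The toy group parameters, the wrap-around for member 0, the sample secrets and all function names are assumptions made for illustration.

```python
# Toy parameters (assumed): G = 4 has prime order P = 509 modulo the safe prime Q = 1019.
Q, P, G = 1019, 509, 4


def commit(secret):
    """Published commitment g^{s_i}."""
    return pow(G, secret % P, Q)


def valid_reveals(commitments, revealed):
    """Keep only reveals that match the commitment published earlier."""
    return {k: s for k, s in revealed.items() if commit(s) == commitments[k]}


def contributions(commitments, revealed):
    """Contribution g^{s_{i-1} s_i} of each member, from whichever secret is known.

    Member 0 is paired with the last member (wrap-around is an assumption).
    Returns None for a member when both s_{i-1} and s_i are withheld.
    """
    known = valid_reveals(commitments, revealed)
    n = len(commitments)
    out = []
    for i in range(n):
        prev = (i - 1) % n
        if i in known:          # (g^{s_{i-1}})^{s_i}
            out.append(pow(commitments[prev], known[i], Q))
        elif prev in known:     # (g^{s_i})^{s_{i-1}}: the neighbor forces the value
            out.append(pow(commitments[i], known[prev], Q))
        else:                   # no honest member in this neighborhood
            out.append(None)
    return out


# Constructed sample committee of five members.
SECRETS = [17, 123, 256, 301, 44]
COMMITMENTS = [commit(s) for s in SECRETS]


def reveal_all_except(withheld):
    """Reveal map in which the members in `withheld` publish nothing."""
    return {i: s for i, s in enumerate(SECRETS) if i not in withheld}


if __name__ == "__main__":
    print("all reveal:      ", contributions(COMMITMENTS, reveal_all_except(set())))
    print("member 2 silent: ", contributions(COMMITMENTS, reveal_all_except({2})))
    print("2 and 3 silent:  ", contributions(COMMITMENTS, reveal_all_except({2, 3})))
```
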