This project is about using drand's randomness for a given round to decrypt messages encrypted towards that specific round, i.e. an encryption scheme in which anybody can decrypt once a certain round has been reached.

Technical Description

Common Notation

Let $n$ be the number of participants in the drand network.

Let $t$ be the threshold parameter with which the distributed key generation has been set up.

Let $F_q$ be the scalar field and $(\mathbb{G_1},\mathbb{G_2},\mathbb{G_t})$ be the pairing-equipped groups, each of order $q$.

We call $e: \mathbb{G_1} \times \mathbb{G_2} \rightarrow \mathbb{G_t}$ the pairing map, which has the bilinearity property.

We write all group operations in additive notation.

We denote by $G_1$ (resp. $G_2$ and $G_t$) a random generator of $\mathbb{G_1}$ (resp. $\mathbb{G_2}$ and $\mathbb{G_t}$).

Let $l$ be the length of the message the client wishes to encrypt.

Background: drand

Drand generates BLS signatures in a threshold way.

Let $P$ be the public key associated with the network, and $s_i$ the share of this public key that belongs to the node $i$.

$$ P = sG_1 $$

where $s$ is the constant (free) coefficient of the polynomial interpolated from any $t$ shares $s_i$, i.e. the distributed secret key.

At each epoch $\rho$, the drand network generates a BLS signature over the message $\rho$ mapped into $F_q$. More specifically, each node generates a partial BLS signature in the following way:

$$ \pi_i = s_i * H_1(\rho) \in \mathbb{G_2} $$

where $H_1: F_q \rightarrow \mathbb{G_2}$ is a secure hash function. The final signature $\pi$ is then interpolated using the Lagrange basis polynomials $L_i(x)$:

$$ \pi = \Big(\sum_{i=1}^{t} \pi_i \, L_i(x)\Big)(0) = \sum_{i=1}^{t} L_i(0)\,\pi_i $$
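The partial-signature and Lagrange-combination steps above are linear in the shares, which is what makes any $t$ of the $n$ partials recombine to the same $\pi$. The following added example (not code from drand or tlock) exercises exactly that algebra in a toy group: a prime-order subgroup of $\mathbb{Z}_p^*$ written multiplicatively, so the page's $s_i * H_1(\rho)$ becomes `pow(h, s_i, p)`. It assumes a fixed dealer polynomial in place of the real DKG, toy parameters $q = 1019$, $p = 2039$, and a toy `hash_to_group` that is not a secure hash-to-curve; there is no pairing, so the verification equation is not modelled.

```python
# Toy model of drand's threshold BLS combination (added example, not drand/tlock code).
# The group is the order-Q subgroup of Z_P^*, written multiplicatively:
# the page's "s_i * H_1(rho)" is pow(h, s_i, P) below. No pairing, no security;
# it only demonstrates the Shamir / Lagrange algebra behind pi = sum_i L_i(0) pi_i.
import hashlib

Q = 1019          # toy scalar field order (prime); stands in for q
P = 2 * Q + 1     # 2039, prime, so Z_P^* has a subgroup of prime order Q
G = 4             # generator of that order-Q subgroup (a quadratic residue != 1)

# Constructed DKG output: f(x) = s + a1*x + a2*x^2 over F_Q, threshold T = 3 of N = 5.
# In drand this polynomial is produced jointly by the DKG; here a fixed dealer polynomial
# is assumed so the run is reproducible. a2 != 0 guarantees T-1 shares are not enough.
T = 3
N = 5
COEFFS = [617, 42, 999]   # f(0) = 617 is the distributed secret s

def eval_poly(coeffs, x):
    """Evaluate f(x) over F_Q."""
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q

SHARES = {i: eval_poly(COEFFS, i) for i in range(1, N + 1)}   # s_i = f(i) for node i
SECRET = COEFFS[0]
PUBKEY = pow(G, SECRET, P)    # analogue of P = s * G_1 (unused without a pairing)

def hash_to_group(round_number):
    """Toy H_1: hash the round number, then exponentiate G. Exponent is kept in
    1..Q-1 so the result has order exactly Q (never the identity)."""
    digest = hashlib.sha256(round_number.to_bytes(8, "big")).digest()
    exponent = int.from_bytes(digest, "big") % (Q - 1) + 1
    return pow(G, exponent, P)

def partial_sign(i, round_number):
    """pi_i = s_i * H_1(rho): node i's partial signature (H^{s_i} here)."""
    return pow(hash_to_group(round_number), SHARES[i], P)

def lagrange_at_zero(i, indices):
    """L_i(0) = prod_{j != i} (0 - j) / (i - j) mod Q."""
    num, den = 1, 1
    for j in indices:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def combine(partials):
    """pi = sum_i L_i(0) * pi_i over the given subset (product of powers here).
    Any subset of >= T distinct node indices yields the same value."""
    indices = sorted(partials)
    sig = 1
    for i in indices:
        sig = sig * pow(partials[i], lagrange_at_zero(i, indices), P) % P
    return sig

def sign_round(round_number, signer_indices):
    """Collect partials from the named nodes and interpolate them at 0."""
    partials = {i: partial_sign(i, round_number) for i in signer_indices}
    return combine(partials)

def reference_signature(round_number):
    """What a single holder of the full secret s would output: s * H_1(rho)."""
    return pow(hash_to_group(round_number), SECRET, P)

if __name__ == "__main__":
    r = 1_000_000
    print("T-of-N quorum equals s*H_1(rho):", sign_round(r, [1, 3, 5]) == reference_signature(r))
    print("another quorum, same signature: ", sign_round(r, [2, 4, 5]) == sign_round(r, [1, 3, 5]))
    print("T-1 signers do not reach it:    ", sign_round(r, [1, 2]) != reference_signature(r))
```

The two properties worth seeing are that different quorums of size $t$ produce the identical $\pi$ (so the beacon is deterministic for a round, regardless of which nodes answered), and that $t-1$ partials interpolate to a different group element, which is the threshold guarantee the timelock relies on.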