RANDAO

RANDAO (Random Number DAO) is a cryptoeconomic primitive that generates verifiably random numbers on the Ethereum blockchain by aggregating secret commitments from validators. Each validator submits a hash of a secret number during a commit phase, and later reveals the secret in a reveal phase. The final random output is the XOR (exclusive OR) combination of all revealed secrets, making it unpredictable and resistant to manipulation as long as at least one participant is honest. This process is executed once per epoch (every 6.4 minutes) to produce the randomness used for critical protocol functions.

The primary use of RANDAO's output is in the block proposer selection algorithm. The random seed determines which validator is chosen to propose the next block, ensuring a fair and unpredictable distribution of this right. It is also a key ingredient in the committee assignment process, where validators are randomly shuffled into smaller committees to attest to block validity. This randomness is essential for the security of the protocol, as it prevents attackers from predicting or influencing future leadership, thereby protecting against targeted attacks and ensuring liveness.

RANDAO's security model is based on cryptoeconomic incentives. Validators have a strong financial incentive to participate correctly: submitting a commitment and later revealing the preimage. Failure to reveal a committed value results in a small penalty, while attempting to manipulate the output by withholding a reveal is economically irrational, as a single honest participant's reveal ensures the final output remains random. This design makes RANDAO a bias-resistant and unpredictable source of entropy, forming a trustless backbone for Ethereum's consensus layer.

While highly secure, the basic RANDAO design has a known vulnerability: a last-revealer bias. The last validator to reveal their secret can see the aggregate of all previous reveals. If the outcome is unfavorable to them, they could choose to withhold their reveal, sacrificing a small penalty to force a different, more favorable random output in the next round. To mitigate this, Ethereum uses RANDAO with VDF (Verifiable Delay Function). A VDF would impose a mandatory time delay on the final output, eliminating the last-revealer's advantage by making the computation of the result slower than the time available to decide to withhold.

RANDAO is a foundational example of blockchain-native randomness, distinct from traditional oracle-based solutions. Its output is generated entirely on-chain through protocol rules and validator participation, requiring no external trust. This makes it ideal for core consensus mechanics. For applications requiring randomness within smart contracts (e.g., gaming, lotteries), developers often use RANDAO as a seed, sometimes combined with other techniques like Chainlink VRF (Verifiable Random Function) to achieve application-level randomness that is both secure and user-verifiable.

The name RANDAO is a compound of RANdom number and DAO. It was first formally proposed in 2015 by Ethereum researchers, including Vitalik Buterin, as a cryptoeconomic primitive for generating unpredictable and unbiasable randomness on-chain. The design was a direct response to the need for a secure, decentralized alternative to traditional Verifiable Random Functions (VRFs) or trusted oracles, which were either too computationally expensive or introduced centralization risks for applications like blockchain lotteries and proof-of-stake consensus.

The core innovation of RANDAO lies in its mechanism, which is a specific implementation of a commit-reveal scheme. In this scheme, many participants first submit a cryptographic commitment to a secret number. After all commitments are collected, participants then reveal their secrets. The final random value is generated by combining all revealed values. This process ensures that the outcome cannot be manipulated by any single participant, as they cannot know others' inputs before committing their own, and cannot change their revealed value after seeing others'. This mechanism embodies the DAO aspect by being governed by the collective actions of its participants without a central authority.

RANDAO's most significant application is within the Ethereum consensus layer, where it is integrated into the Beacon Chain as a source of randomness for critical functions. Here, it is used to randomly select the committee of validators for proposing and attesting to blocks, a process essential for the security and fairness of Ethereum's proof-of-stake protocol. The specific implementation is enhanced with BLS signatures for efficiency and is often combined with a VDF (Verifiable Delay Function) in a system called RANDAO+VDF to prevent last-revealer manipulation and provide future randomness, making it a cornerstone of Ethereum's cryptoeconomic security.

RANDAO, short for Random Number DAO, is a cryptoeconomic mechanism embedded in the Ethereum consensus layer that generates a collective random seed. Each time a validator is selected to propose a block, they must publish a randomness commitment by hashing a secret number. In a subsequent step, they reveal this secret, which is then mixed into the accumulating RANDAO value. This process ensures that no single participant can predict or control the final output, as it depends on the unrevealed secrets of all future block proposers.

The core security of RANDAO relies on a commit-reveal scheme and economic incentives. A validator commits to their contribution by submitting hash(secret, nonce) and later reveals the secret. If they fail to reveal, they are penalized, making withholding economically irrational. The final random value for an epoch is the XOR (exclusive OR) of all revealed secrets, creating a single, cumulative beacon chain randomness. This design makes the output unpredictable because the final contributor cannot know the aggregate value before they must submit their own reveal, and bias-resistant because influencing the result requires controlling a majority of block proposals.

RANDAO's output, specifically the RANDAO mix stored in the beacon state, serves as a foundational randomness beacon for the Ethereum ecosystem. Its primary application is in validator committee assignment and shard block proposer selection in Ethereum's proof-of-stake system, ensuring fair and unpredictable distribution of these critical duties. Furthermore, smart contracts on the execution layer can access this randomness via the BLOCKHASH opcode or precompiles like beacon_randao, enabling decentralized applications (dApps) for gaming, lotteries, and NFT minting to leverage its robust properties.

While highly secure, basic RANDAO has a known vulnerability: the last-revealer bias. The final participant in an epoch sees the aggregate value before revealing their secret and could theoretically withhold their contribution if the result is unfavorable. To mitigate this, Ethereum employs RANDAO with VDF (Verifiable Delay Function). A VDF imposes a mandatory, sequential time delay on the final output, preventing the last revealer from having any advantage, as they cannot compute the final value faster than the VDF's fixed computation time, thus guaranteeing unbiasability.

RANDAO with VDF is a hybrid cryptographic construction designed to produce unpredictable and unbiasable randomness for Ethereum's proof-of-stake consensus. The core RANDAO mechanism aggregates commitments from validators, but its output could be manipulated by the last participant to reveal their number. To neutralize this threat, the output of RANDAO is fed into a Verifiable Delay Function (VDF), a computation that is intrinsically sequential and cannot be parallelized, creating a forced time delay before the final random value is known. This delay eliminates any last-revealer advantage, as the outcome is already cryptographically sealed before any participant can act on it.

The integration works in a two-step process. First, the RANDAO committee generates a seed value r through its commit-reveal scheme. This seed is immediately used as the input to a VDF, which begins its fixed-duration computation (e.g., expected to take minutes or hours). The VDF's output, VDF(r), becomes the final, provably random value used for critical protocols like validator committee assignment and block proposer selection. Because computing the VDF takes significant, predictable time, any validator who reveals their RANDAO contribution cannot foresee the final output in time to decide whether to withhold it—the manipulation window is closed.

This evolution addresses the predictability attack, where a malicious last-revealer could simulate the VDF outcome based on known inputs and then choose to abort their reveal if the result was unfavorable, effectively censoring the random output. With the VDF in place, the attacker cannot compute the result faster than the honest network. The design ensures public verifiability: anyone can quickly verify that VDF(r) is correct using a short proof, but no one can compute it faster than the mandated delay. This property is crucial for maintaining the liveness and fairness of the protocol.

Implementing RANDAO with VDFs represents a significant advancement in cryptographic sortition, providing the strong, manipulation-resistant randomness required for modern proof-of-stake blockchains. It transforms a game-theoretically vulnerable mechanism into a robust source of public entropy. While RANDAO provides the initial entropy gathering from a distributed set of participants, the VDF acts as a cryptographic mixer and temporal firewall, ensuring the final output is not influenced by any single entity. This combination is a foundational primitive for applications beyond consensus, including on-chain gaming, lotteries, and randomized governance processes.