Random Number Generator (RNG)

A multi-phase protocol where participants first commit to a secret value (e.g., by submitting its hash) and later reveal the original value. The final random number is derived from the combination of all revealed secrets.

• Process: 1. Commit phase: Users submit hash(secret, salt). 2. Reveal phase: Users disclose their secret and salt. 3. Aggregation: The random result is computed from all valid revealed secrets (e.g., random = secret1 XOR secret2).
• Security: Prevents last-revealer manipulation, as the initial commitment binds them to an unknown value.
• Drawback: Requires multiple rounds and participant cooperation, which can be slow and vulnerable to denial-of-service if a participant refuses to reveal.

A decentralized approach where many participants contribute randomness, which is aggregated through a smart contract. Often combined with a Verifiable Delay Function (VDF) to prevent last-contributor manipulation.

• RANDAO Mechanism: Each participant sends a number, and the contract combines them using XOR or hashing. The last contributor has significant influence.
• VDF Role: A VDF imposes a mandatory, non-parallelizable time delay on the final output. This prevents the last contributor from predicting the outcome before the commit phase ends, neutralizing their advantage.
• Example: Ethereum's beacon chain uses RANDAO (with a VDF planned) to select block proposers and committees.

A distributed key generation scheme where a random number is generated by a decentralized group of nodes, with no single party ever knowing the complete secret key. The result is a single, verifiable signature that serves as the random output.

• How it works: A private key is split into shares among a group of nodes. To generate randomness, a threshold number of nodes collaborate to produce a signature on a common message (e.g., a round ID).
• Security: The random output is unbiased and unpredictable unless a threshold of nodes colludes. The public signature is verifiable by all.
• Advantage: Produces a single, efficient on-chain result without multi-round reveals. Used by networks like DFINITY's Internet Computer for consensus randomness.

Using a future or past block hash (e.g., blockhash(blockNumber)) as a source of entropy. This is a simple but cryptographically insecure method vulnerable to miner/validator manipulation.

• The Problem: Block producers (miners/validators) can potentially withhold a block or manipulate transaction ordering if they don't like the resulting random number that their block hash will produce, leading to a miner-extractable value (MEV) opportunity.
• Common Misuse: block.timestamp is also highly predictable and manipulable.
• Guidance: Not suitable for high-value applications. Should only be used for trivial randomness (e.g., gaming NFTs with low stakes) where manipulation risk is acceptable.

Decentralized lotteries and prediction markets rely on RNGs to select winners in a transparent and tamper-proof manner. Using an on-chain RNG or an oracle-based VRF allows the winning number to be generated after all tickets are sold, making the draw provably fair. This eliminates the need for a trusted central authority and allows anyone to cryptographically verify the integrity of the draw.

In Proof-of-Stake (PoS) and other consensus mechanisms, RNGs are used to pseudo-randomly select the next block validator or committee members from the set of eligible nodes. This process, often called leader election, must be unpredictable to prevent malicious coordination and ensure network security. Techniques like RANDAO (in Ethereum) or Verifiable Random Functions (VRFs) are commonly used.

Cryptographic security fundamentally depends on high-quality randomness. RNGs are used to generate:

• Private keys and wallet addresses
• Nonces for digital signatures
• Initialization vectors for encryption A weak or predictable RNG at this stage can lead to catastrophic key compromise. Hardware security modules (HSMs) and operating system entropy sources are often used to seed secure RNGs.

In sharded blockchain architectures, RNGs assign nodes to specific shards dynamically. This random assignment is crucial for security, as it prevents an attacker from concentrating their stake or computational power in a single shard to attack it. Periodic re-shuffling of validators between shards using a secure RNG maintains security guarantees across the entire network.

Decentralized Autonomous Organizations (DAOs) use RNGs to ensure fairness in processes like:

• Randomized voting order to prevent last-vote manipulation.
• Lottery-based allocation of grants or resources from a treasury.
• Selecting contributors for audits or bounties from a large pool. This introduces an element of Sybil resistance and impartiality into governance mechanics where pure voting may be insufficient.

A commit-reveal scheme is a two-phase protocol where participants first submit a hashed commitment of their chosen number, then later reveal the original number. The final random value is derived from the combination of all revealed inputs.

• Mechanism: Prevents last-revealer manipulation by hiding initial choices.
• Drawback: Requires multiple participants and transactions, making it slower and more complex for some applications.

RANDAO is a decentralized randomness beacon built into the Ethereum consensus mechanism. It aggregates random numbers submitted by Ethereum validators in each epoch. The final randomness is generated by XORing or hashing these contributions.

• Source: Leverages the economic security of Ethereum's validator set.
• Property: Biasable if a validator withholds their reveal, but economically disincentivized.

The Witnet decentralized oracle network provides a randomness retrieval pattern where multiple nodes independently generate random values off-chain. These values are aggregated and delivered on-chain, with mechanisms to punish nodes that deviate from the protocol.

• Approach: Uses a decentralized network of nodes for generation and aggregation.
• Security: Relies on cryptographic sortition and economic incentives for honesty.

Using a future block hash (e.g., blockhash(block.number + 1)) as a randomness source is a simple, native on-chain method. However, it is considered insecure for high-value applications because miners or validators have limited influence over the hash and could potentially manipulate outcomes by withholding blocks.

• Pros: Extremely simple and gas-efficient.
• Cons: Vulnerable to miner extractable value (MEV) and manipulation, especially in Proof of Work systems.

Using on-chain data (like block hashes or timestamps) as an RNG source is inherently insecure because it is publicly visible and can be manipulated by miners or validators. An attacker can influence the outcome by choosing whether to publish a block based on its resulting hash, a classic prediction attack. This makes such RNGs unsuitable for high-value applications.

A commit-reveal scheme is a cryptographic technique to generate fair random numbers by separating the submission and revelation of values. A participant first commits to a secret (e.g., by submitting a hash of it), then later reveals it. The final random number is derived from all revealed secrets, preventing last-mover advantage. However, it requires multiple participants and is vulnerable to non-revelation attacks if a participant refuses to reveal their secret.

A Verifiable Random Function (VRF) is a cryptographic primitive that produces a random output and a cryptographic proof. The proof allows anyone to verify that the output was correctly generated from a given input and a secret key, without revealing the key. This makes VRFs a secure source of provable randomness for leader election in consensus protocols (e.g., Algorand) and on-chain lotteries, as the result is unpredictable and publicly verifiable.

Even with secure sources, RNG implementation can be biased. Common flaws include:

• Modulo Bias: Using randomOutput % n on a non-power-of-two n creates uneven probability distribution.
• Front-Running: If a random result triggers a valuable action, bots can observe the transaction in the mempool and front-run it.
• Seed Manipulation: If the initial seed is weak or predictable, all subsequent randomness is compromised. Secure design must account for these implementation-level attacks.

Attackers may exploit the economic incentives around an RNG. In a validator-based RNG, a validator might withhold a block (sacrificing block rewards) if the resulting random number would cause them a larger loss in a connected application (like a lottery). This creates a rational manipulation scenario. Defenses include using RANDAO-style schemes where many participants contribute entropy, or imposing heavy slashing penalties for non-participation.

A two-phase protocol where participants first commit to a secret value (e.g., by publishing its hash) and later reveal the original value. The final random number is derived from the combination of all revealed secrets. This prevents last-mover advantage but requires honest participation and can be slow.

• Phase 1: Commit: Publish hash(secret, salt).
• Phase 2: Reveal: Publish the original secret and salt.
• Common Use: Early blockchain RNGs, multi-party randomness beacons.

The origin of unpredictability fed into an RNG. In blockchain, high-quality entropy is critical and often derived from cryptographically secure sources.

• On-chain Sources: Block hashes, timestamps (weak), validator signatures.
• Off-chain/Oracle Sources: Atmospheric noise, hardware devices, multiple independent APIs.
• Key Challenge: Protecting the entropy source from manipulation or bias before it enters the deterministic RNG algorithm.

A security property of an RNG where future outputs cannot be predicted even if past outputs and the internal state are known. This is achieved by periodically refreshing the RNG's internal state with fresh entropy. Without it, a pseudo-random number generator (PRNG) becomes predictable after its state is compromised.

• Contrast with Pseudorandomness: A PRNG with a known seed is fully predictable.
• Solution: Regularly reseed the RNG with external entropy.

RNGs determine outcomes in provably fair systems. In NFT collections, they assign traits during minting. In on-chain games, they decide combat results, loot drops, or critical hits.

• Requirement: Must be tamper-proof and verifiable to ensure user trust.
• Common Implementation: Using an oracle-delivered VRF after a user transaction to generate the random result.
• Example: A game using Chainlink VRF to fairly determine the rarity of a minted character.