How Verifiable Randomness Works
Randomness is hard on blockchains. Everything is deterministic. Everyone can see everything. How do you flip a coin that no one can predict?
The naive answer (use the block hash) doesn’t work. Miners can manipulate it. They can discard blocks with unfavorable randomness.
Verifiable random functions (VRFs) solve this. The randomness is unpredictable before it’s revealed, but once revealed, anyone can verify it was computed correctly.
How VRFs Work
A VRF takes a secret key and an input, and produces two things: a random output and a proof.
The output looks random. Without the secret key, you can’t predict it. But the proof lets anyone verify that this specific output corresponds to this specific input and public key.
VRF(secret_key, input) → (random_output, proof)
Verify(public_key, input, output, proof) → true/false
The magic: unpredictable before, verifiable after.
Applications
Leader selection: Each validator runs a VRF with their key and the current slot number. The output determines if they’re selected to produce a block. No one can predict who will be selected until they reveal their output.
Lottery: Same principle. Each participant computes a VRF. Lowest output wins. Can’t manipulate because you can’t change your key, and you can’t predict others’ outputs.
Gaming: Verifiable card shuffles, dice rolls, random encounters. Players can verify the game was fair without trusting the operator.
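As an added example (not code from the original post), here is a toy VRF in the shape of the RSA full-domain-hash construction standardized in RFC 9381: the proof is the RSA signature of the hashed input, and the random output is a hash of that proof. It uses a deliberately tiny hard-coded key (an assumption for the demo, not a secure parameter choice) and ends with the leader-selection check from the Applications section.

```python
import hashlib

# Toy RSA key for the demo only: two Mersenne primes giving a ~92-bit modulus.
# Assumption for illustration; a real deployment needs a properly generated
# key of 2048 bits or more.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537                              # public key
D = pow(E, -1, (P - 1) * (Q - 1))      # secret key


def hash_to_group(alpha: bytes) -> int:
    """Full-domain-style hash of the input into Z_N (toy: SHA-256 mod N)."""
    return int.from_bytes(hashlib.sha256(alpha).digest(), "big") % N


def vrf_prove(secret_d: int, alpha: bytes) -> tuple[bytes, int]:
    """VRF(secret_key, input) -> (random_output, proof).

    The proof is an RSA signature of H(input); the output is a hash of the
    proof, so it cannot be predicted without secret_d, yet it is deterministic:
    the same key and input always give the same output.
    """
    proof = pow(hash_to_group(alpha), secret_d, N)
    output = hashlib.sha256(proof.to_bytes(16, "big")).digest()
    return output, proof


def vrf_verify(public_e: int, alpha: bytes, output: bytes, proof: int) -> bool:
    """Verify(public_key, input, output, proof) -> True/False."""
    if not 0 < proof < N:
        return False
    # Undo the secret-key operation with the public key: proof^E must equal H(input).
    if pow(proof, public_e, N) != hash_to_group(alpha):
        return False
    # The claimed output must be exactly the hash of the (now validated) proof.
    return hashlib.sha256(proof.to_bytes(16, "big")).digest() == output


def is_slot_leader(output: bytes, num: int = 1, den: int = 4) -> bool:
    """Leader selection: a validator wins the slot when its VRF output falls
    below a threshold fraction (here num/den) of the 256-bit output space."""
    return int.from_bytes(output, "big") * den < (1 << 256) * num
```

A verifier who holds only E can reject a forged output, a proof made for a different slot, or a proof that was tampered with, without ever learning D.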
The Polkadot Approach
Polkadot uses VRFs for block production in its BABE protocol. Each slot, validators check if they’re eligible to produce a block by running a VRF.
But there’s a subtlety: a validator could hold back its VRF output until it has seen other validators’ outputs. To blunt such last-revealer attacks, there’s also a fallback random selection that’s finalized before the epoch starts.
Commit-Reveal Alternative
Before VRFs, we used commit-reveal schemes. Everyone commits a hash of their random number. After all commits, everyone reveals. The final randomness is the XOR of all reveals.
This works but has problems:
- The last revealer can abort if they don’t like the outcome
- It requires multiple rounds
- Missing participants break the protocol
VRFs are simpler and more robust.
The Fundamental Limit
You can’t have randomness that’s both unpredictable and available instantly. There’s always a moment between when someone knows the randomness and when everyone knows it.
The best you can do is minimize that window and make manipulation costly. VRFs do this well: the revealer can at most choose to reveal or not reveal. They can’t change the value.
For most applications, that’s enough.