Ethereum 2.0: Randomness

In this article, we will talk about random numbers and how to achieve randomness in Ethereum 2.0. What is RANDAO? What is VDF (verifiable delay function)? How do they work together?
How does the beacon chain decide which validators get to propose a block, and which validators should attest to the proposal? How does the beacon chain make this decision at any given time, across the 1,024 shard chains in the Ethereum 2.0 system and the thousands of active validators? The beacon chain needs randomness!

Randomness in computers

A computer cannot generate truly random numbers. This is easy to understand: a computer is a machine that always produces the same output given the same input. Computers are computational machines, just as a calculator can't add 2 and 2 to get 5 (unless it's a prank or the machine is badly damaged). To generate a reasonably random number, the computer depends on a seed: the starting point of the calculation, the input used to get the output. The seed can be the movement of the mouse cursor on the screen, or it can be the entire contents of the Wikipedia database. On top of the seed, the computer performs mathematical operations and ends up with a number that humans cannot predict. Even now, if you visit the BitAddress website (an open-source JavaScript Bitcoin wallet tool) and move the mouse, you will notice that the "seed" changes accordingly: the website is "collecting randomness" from the irregular movement of your mouse, see the picture below:
Note: Keep moving the mouse; when the percentage in the figure reaches 100%, you can generate a Bitcoin wallet.
If we always apply the same mathematical method to the seed, how can we call the result random? The key is that when enough hard-to-repeat seeds are put together, the resulting numbers are quite random: people can't repeat exactly the same mouse trajectory across a 5-megapixel screen area, so to some extent this is reliable. If you add some other values, such as the time of day, or use a lava lamp to generate a pseudo-random number as Cloudflare does (see the image below), or perhaps the number of goals a sports team has scored in the past, you get a fairly random seed.
Note: Cloudflare is a cloud service provider that offers security services and provides customers with a free SSL service. Because it has to handle massive amounts of encrypted traffic, it needs a large quantity of random numbers. These random numbers are all generated by a pseudo-random number generator (PRNG). Random numbers generated by a pseudo-random number generator can be predicted and cracked. So how can the predictability of random numbers be reduced? Cloudflare has disclosed its approach of using lava lamps. The lava lamp gets its name from the slow flow of irregularly shaped wax droplets inside it, reminiscent of flowing lava. Cloudflare uses a camera to monitor the lava lamps, takes video and photos, converts them into an unpredictable random bit stream, and uses it to generate keys.

Randomness in blockchain

But a blockchain has no mouse, no sensors and no sports results. More importantly, even if a node arrives at a random number, that number must be the same as the one every other node in the blockchain arrives at, otherwise the chain will split: if nodes on the same blockchain see different random numbers for the same block, the result is a fork. So how do blockchains deal with randomness? Some blockchains rely on block hashes. Because a block hash is unknown in advance, random, and yet the same on all nodes, it can serve as a basically plausible source of randomness for gambling.
However, if the block reward is less than the reward the miner can earn by manipulating the block hash (the current Ethereum block reward is 2 ETH), then the miner has every economic incentive to misbehave. More seriously, in a Proof of Stake (PoS) system, generating a block costs almost no time or energy, so the miner (validator) can easily keep generating thousands of blocks until one has a hash they like, and then submit that one. This also applies to the selection of validators. If the validator currently responsible for producing a block can manipulate it in some way, the block hash becomes a seed that can select the same validator again (or another validator client controlled by the same party). By arranging to remain the proposer of the next block, that validator can always propose the block and keep the other validators away from most of the profit! Obviously, we need more robust blockchain randomness, especially in the Ethereum 2.0 system!

A brief overview of RANDAO

Imagine a room with many people in it, each of whom thinks of a number. To get a random number, we ask these people to say their numbers one by one. The sum of all these numbers is the random number we want.
This is the essence of RANDAO. In the RANDAO mechanism, when a user becomes a validator by depositing (staking) 32 ETH, the user picks a random number of their own choosing. When a random number needs to be published for a block, all the random numbers in the system are added together to produce a brand new random number. Note: the above is only a simplified description, and the details will not be discussed in this article. If you would like a dedicated article on Ethereum 2.0 RANDAO, please let the author (@bitfalls) know via Twitter. But even in this case, the last number to be published has a certain degree of influence on the final random number. The last person can choose to remain silent and so change the final random number one way or the other: the last person in the room remembers the numbers everyone else has already published, and therefore knows what the final random number will be with (or without) the number they provide. If one result is more favorable to the last person than the other, then the last person has an incentive to manipulate the outcome, however large or small the effect. Ethereum 2.0 will solve this problem with a VDF (verifiable delay function)!
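The last-revealer effect described above can be measured in a short simulation. This is an added example, not code from the article or from any Ethereum client; the hash commitments, the eight participants and the favourable() predicate are assumptions made for illustration.

```python
import hashlib
import random

MOD = 2**256

def commit(number: int) -> bytes:
    """Binding commitment a participant publishes before anyone reveals."""
    return hashlib.sha256(number.to_bytes(32, "big")).digest()

def mix(reveals) -> int:
    """The room analogy: the output is the sum of every revealed number."""
    return sum(reveals) % MOD

def favourable(output: int) -> bool:
    """Constructed stand-in for 'this output selects me as next proposer'."""
    return hashlib.sha256(output.to_bytes(32, "big")).digest()[0] & 1 == 0

def play_round(rng: random.Random, participants: int, strategic_last: bool) -> bool:
    numbers = [rng.getrandbits(256) for _ in range(participants)]
    commitments = [commit(n) for n in numbers]
    # Everyone before the last participant reveals. Each reveal is checked
    # against its commitment, so nobody can swap their number afterwards.
    revealed = []
    for n, c in zip(numbers[:-1], commitments[:-1]):
        if commit(n) != c:
            raise ValueError("reveal does not match commitment")
        revealed.append(n)
    with_last = mix(revealed + [numbers[-1]])
    without_last = mix(revealed)
    if strategic_last and not favourable(with_last):
        # The commitment stops the last participant from changing the number,
        # but not from staying silent: that choice is worth one bit of bias.
        return favourable(without_last)
    return favourable(with_last)

def favourable_rate(strategic_last: bool, rounds: int = 4000, seed: int = 1) -> float:
    rng = random.Random(seed)
    wins = sum(play_round(rng, 8, strategic_last) for _ in range(rounds))
    return wins / rounds

if __name__ == "__main__":
    print("honest last revealer:   ", favourable_rate(False))
    print("strategic last revealer:", favourable_rate(True))
```

An honest last participant gets a favourable output about half the time; one who may stay silent gets it about three quarters of the time, which is the bias the VDF is meant to remove.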


VDF stands for Verifiable Delay Function. The name implies a function that takes a long time to calculate. If we have a certain number X, then assume that the sixth-order VDF function of this number X is: ((((((X^2)^2)^2)^2)^2)^2). In this case, if X=5, the final result is:
As the calculation continues, the results become larger and larger. A complex VDF takes a long time to calculate because the computation is very demanding for any computer. So what does this mean? First, the delay in calculating the final number is verifiable. We know which computer operations are necessary to reach the result, and can determine with reasonable accuracy how long a machine needs to reach it. Second, if you want to calculate the third-level result, the computer must first calculate the results of the first and second levels. This cannot be done in parallel on multiple computers, because each new input depends on the previous output, and each output requires a predetermined calculation time.

If we now use the random number from RANDAO in place of the number X in the VDF example above, and if the function is applied not six times but thousands of times, and the function is not a simple squaring (^2) but something more complex, then we get a completely different function that makes the RANDAO result completely different, and this result takes a while to calculate no matter how many computers you have.
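The sketch below feeds a RANDAO number into a chain of sequential squarings and then checks the result without redoing the work. It is an added example, not code from the article or the Ethereum 2.0 specification, and it goes beyond the text in two ways: it squares modulo N, and it uses a Wesolowski-style proof as one known way to make the delay verifiable. The modulus, the hashing helper and the step count are assumptions.

```python
import hashlib
from math import isqrt

# Toy modulus built from two Mersenne primes (constructed for this example).
# Its factors are public, so it gives no real delay guarantee; a real VDF
# needs a group whose order nobody knows.
N = (2**61 - 1) * (2**89 - 1)

def h_int(*parts) -> int:
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def vdf_eval(x: int, t: int) -> int:
    """t squarings in a row; step k cannot start before step k-1 finishes."""
    y = x % N
    for _ in range(t):
        y = y * y % N
    return y

def challenge_prime(x: int, y: int, t: int) -> int:
    """Fiat-Shamir challenge: a prime of about 32 bits derived from (x, y, t)."""
    n = (h_int(x, y, t) % 2**32) | (1 << 31) | 1
    while any(n % d == 0 for d in range(3, isqrt(n) + 1, 2)):
        n += 2
    return n

def vdf_prove(x: int, y: int, t: int) -> int:
    l = challenge_prime(x, y, t)
    return pow(x, (1 << t) // l, N)      # pi = x^floor(2^t / l)

def vdf_verify(x: int, y: int, t: int, pi: int) -> bool:
    """Two short exponentiations instead of t squarings."""
    l = challenge_prime(x, y, t)
    r = pow(2, t, l)                     # 2^t mod l, cheap even for huge t
    return pow(pi, l, N) * pow(x, r, N) % N == y % N

def seed_from_randao(randao_output: int, t: int = 20000):
    """Feed the RANDAO number in as X; return (x, y, proof)."""
    x = h_int("randao", randao_output) % N
    y = vdf_eval(x, t)
    return x, y, vdf_prove(x, y, t)

if __name__ == "__main__":
    x, y, pi = seed_from_randao(0xC0FFEE)   # constructed RANDAO value
    print("seed:", hex(y), "proof ok:", vdf_verify(x, y, 20000, pi))
    print("six squarings of 5:", vdf_eval(5, 6))
```

The check works because l * floor(2^t / l) + (2^t mod l) = 2^t, so pi^l * x^r equals x^(2^t), the value the slow loop produces.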

By introducing this delay and making the calculation take longer than the window in which a validator can profit from influencing a random number, we can eliminate the last-revealer bias, that is, the ability of the last validator contributing to RANDAO to influence the result. In the Ethereum 2.0 phase, this VDF was defined as 102 minutes long, more than an hour and a half. The Ethereum Foundation is currently working with blockchain projects such as Filecoin to fund the development of an open-source ASIC optimized for this calculation: a tiny computer designed to perform this calculation. These machines will be run by enthusiasts, cryptocurrency projects, other blockchain platforms and even validators, who gain the small advantage of being able to respond to VDF checks first, at no more power cost than a typical microcomputer full node. Such a highly specialized machine ensures that anyone else who tries to develop a better ASIC in order to regain that last-revealer influence must make it 100 times more efficient. Developing such a device would be prohibitively costly unless there were some significant profit to be had from completely destroying Ethereum, and we know that this cannot succeed. In the Ethereum 2.0 phase, every 64 blocks (approximately 6.4 minutes, a period called an epoch), the beacon chain will shuffle the validators and redistribute them across the chains.

A RANDAO output is published for each epoch, which means we can run a new VDF every epoch. This means there will be 16 VDF computations per hour, and 16 random numbers. This randomness then becomes the seed for selecting the next set of validators, which ensures fairness.

Randomness in Nimbus

In the Nimbus client, we follow the Ethereum 2.0 specification. Our RANDAO implementation already complies with version 0.5.1 of the Ethereum 2.0 specification. We need to make sure our tests match the official tests. It is still too early to talk about VDF. VDF is still in the research phase, and once it is added to the specification, it will take some time for clients to catch up. A method of communicating with a remote VDF device must be devised, along with minor modifications to the staking rewards that favor block producers who run a VDF, and so on. For now, given that RANDAO is sufficiently random for Ethereum's early needs, it will serve as the base layer for shuffling validators and providing other randomness.
Ethereum 2.0 will generate a reasonably random number every 6.4 minutes, random enough to secure a huge amount of value. Ethereum's VDF will only fail if someone builds a VDF ASIC that is 100 times more efficient than any ASIC provided by the Ethereum community, or if all VDF ASICs worldwide go offline. Even if this happens, the security provided by the underlying RANDAO minimizes the impact, so that Ethereum can still secure the wealth on the chain.
Reference link: | Bruno Skvorc Compilation | Jhonny