A DAO (decentralised autonomous organisation) that anyone can participate in, and the random number is generated by all participants together!
First of all, we need to create a RANDAO contract in the blockchain, which defines the participation rules. Then the basic process of generating a random number can be divided into three phases:
The first phase: collecting valid sha3(s)
Anyone who wants to participate in the random number generation needs to send a transaction to the contract C with m ETH as a pledge within a specified time period (e.g., a 6-block period, approximately 72s), accompanied by the result of sha3(s), where s is the secret number picked by that participant.
The second phase: collecting valid s
After the first phase, anyone who submitted sha3(s) successfully needs to send a transaction containing the secret number s from the first phase to contract C within a specified time period. Contract C will check whether s is valid by running sha3 against s and comparing the result with the previously committed data. Each valid s will be saved to the collection of seeds used to finally generate the random number.
The third phase: calculating a random number, refund pledged ETH and bonus
After all secret numbers have been successfully collected, contract C will calculate the random number from the function f(s1,s2,...,sn). The result will be written to the storage of C and sent to all other contracts that requested the random number before.
Contract C will send back the pledge to the participants of the first phase, and the profit is divided into equal parts and sent to all participants as an additional bonus. The profit comes from the fees that are paid by other contracts that consume the random number.
Additional rules
In order to ensure the RNG can't be manipulated, as well as for safety and efficiency, the contract C has the following additional rules:
1. In the first phase, if two or more of the same sha3(s) are submitted in sequence, only the first one is accepted.
2. In the first phase, there is a requirement for a minimum number of participants. If the contract fails to collect enough sha3(s) within the time period, then RNG at this block height will fail.
3. If a participant submits sha3(s) and it is accepted by contract C, he must reveal s in the second phase.
3.1 If the participant fails to reveal s in the second phase, then the m ETH sent in the first phase will be confiscated without providing a return.
3.2 If one or more s isn't revealed in the second phase, RNG at this block height will fail. Confiscated ETH will be divided equally and sent to the other participants who revealed s in the second phase. The fees paid by other contracts will be refunded.
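The three phases and the additional rules above, as an added Python model (not the project's contract code). Assumptions: the names `Randao` and `run_round` are hypothetical, `hashlib.sha3_256` stands in for Ethereum's sha3 (which is Keccak-256), f is the xor variant, and pledges are refunded when too few participants commit.

```python
import hashlib

def sha3(s):
    # Stand-in hash (assumption): NIST SHA3-256, not Ethereum's Keccak-256.
    return hashlib.sha3_256(s.to_bytes(32, "big")).digest()

class Randao:
    """Toy model of contract C; the block-based time windows are not modelled."""
    def __init__(self, pledge, min_participants, fees=0):
        self.pledge, self.min_participants, self.fees = pledge, min_participants, fees
        self.commits = {}   # participant -> sha3(s)
        self.secrets = {}   # participant -> revealed s

    def commit(self, who, digest, value):
        # Phase 1: exact pledge required; rule 1 rejects a repeated sha3(s).
        if value != self.pledge or who in self.commits or digest in self.commits.values():
            return False
        self.commits[who] = digest
        return True

    def reveal(self, who, s):
        # Phase 2: s is valid only if it hashes to the stored commitment.
        if who not in self.commits or sha3(s) != self.commits[who]:
            return False
        self.secrets[who] = s
        return True

    def finalize(self):
        # Phase 3: returns (random number or None on failure, payout per participant).
        if len(self.commits) < self.min_participants:   # rule 2 (refund is assumed)
            return None, {w: self.pledge for w in self.commits}
        missing = len(self.commits) - len(self.secrets)
        if missing:   # rules 3.1 and 3.2: confiscate, split among revealers, no fees
            share = missing * self.pledge / len(self.secrets) if self.secrets else 0
            return None, {w: self.pledge + share if w in self.secrets else 0 for w in self.commits}
        r = 0
        for s in self.secrets.values():
            r ^= s   # f(s1, ..., sn) = s1 xor s2 xor ... xor sn
        return r, {w: self.pledge + self.fees / len(self.secrets) for w in self.secrets}

def run_round(secrets, withhold=(), pledge=10, fees=3):
    """Constructed sample round: secrets maps participant -> s."""
    c = Randao(pledge, min_participants=2, fees=fees)
    for who, s in secrets.items():
        c.commit(who, sha3(s), pledge)
    for who, s in secrets.items():
        if who not in withhold:
            c.reveal(who, s)
    return c.finalize()
```
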
Incentive
The RNG cycle is very short, for example 20 cycles in one hour. If one cycle's profit is 0.001%, the monthly rate of return is up to 0.00001 * 20 * 24 * 30 = 0.144.
Targeting a 14.4% monthly rate of return, with n participants per RNG on average, the running cost of the contract is n * 3 * 500 * gasPrice + Ccost. (Ccost is the gas consumed by the contract internally, including computing and storage, etc.)
Assuming each random number is requested r times on average and the call price is p ETH, the income is r * p. So each participant will get (rp - 1500n * gasPrice - Ccost) / n from one participation.
The current gasPrice is 10 szabo, and the estimated contract consumption is 1500n gas, so the estimated net income is (rp / n - 0.03) ETH.
Assuming each RNG has 10 participants and the pledge is 1000 ETH, the minimum required income is 0.4 ETH, which gives over 0.001% profit in this case. So if the RNG is requested only once, the service price is 0.4 ETH, and if it is requested 10 times, the price is just 0.04 ETH for each request.
The RANDAO acts as infrastructure in the Ethereum system. It is called by other contracts. Contracts for different purposes require different random numbers: some need high security, such as a lottery; some need steady responses and the request should be answered immediately (these contracts are normally low-value); some need a callback, because they want to receive a notification with the random numbers when the numbers are ready.
Obviously it's impossible to meet the different requirements of various scenarios with only one RNG contract, so a lot of contracts will be created with different initial parameters, but the basic rules are the same.
For example, if we need high security, we can substantially increase the pledge of the first phase. Thus, the cost of making the RNG process fail by not revealing s is greatly increased. And for contracts without much interest involved, the minimum number of participants and the pledge can be lower.
Let's look at an example of a dApp betting on odd or even numbers. We'll show how to adjust the contract's parameters to meet the desired security level, by making the cost of cheating higher than the expected earnings.
Assume the bet is 1000 ETH and the betting contract calls an RNG contract C1. If C1 fails to generate a random number at the requested block height, then the betting contract waits for the next random number of C1, until there is one generated.
Let's build the RNG contract C1, and set the pledged ETH of C1 to 2000. The gambler G plays the betting dApp but also participates in the contract. When he finds himself in a disadvantageous position before he reveals his secret number, he can choose not to reveal s, so that the RNG fails and he gets another chance. But he will lose the 2000 pledged ETH, so although he can get a 1000 ETH expected return, it is still a bad deal.
However, G can reduce his losses on C1 by some means, such as participating in C1 using two accounts, sending two sha3(s). If in a disadvantageous position, G will keep only one account's secret, and if only one participant except G participates in C1, G will only lose 1000 ETH in C1, but G will get 1000 ETH as expected return, which is a worthy try.
This issue can be fixed by confiscating the pledged ETH and not returning it to participants as a bonus, so a contract with 1000 pledged ETH will meet the requirement of the betting dApp.
Besides confiscation, another scheme can prevent such attacks by introducing an additional system: RANDAO membership.
To become a member you must pay dues; anyone who has paid their dues is a member. Members have different levels according to the dues they paid. Membership does not belong to a contract, but instead functions like a passport to participate in some RANDAO contracts. If a breach of any contract happens, that person's membership will be ended and the dues will be confiscated.
Now we can add an additional agreement to C1: C1 will only accept numbers committed by members whose level of investment is high enough (membership dues over 1000 ETH). This will ensure that nobody has a financial motive to try an attack.
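The pledge arithmetic of the betting example, generalised to any number of accounts held by G, as an added Python sketch for choosing C1's pledge (not code from the project). The function names are hypothetical, and the model assumes G withholds exactly one secret and reveals with his remaining accounts.

```python
from fractions import Fraction

def withholding_cost(pledge, attacker_accounts, honest_revealers, redistribute):
    """Net ETH lost by withholding one secret while revealing with the other accounts."""
    revealers = (attacker_accounts - 1) + honest_revealers
    if not redistribute or revealers == 0:
        return Fraction(pledge)   # the confiscated pledge is gone for good
    # Rule 3.2: the confiscated pledge is split equally among all revealers,
    # so the attacker's own revealing accounts win part of it back.
    recovered = Fraction(pledge) * (attacker_accounts - 1) / revealers
    return pledge - recovered

def min_deterrent_pledge(expected_gain, attacker_accounts, honest_revealers, redistribute):
    """Break-even pledge: the smallest pledge whose loss is at least the expected gain."""
    revealers = (attacker_accounts - 1) + honest_revealers
    if not redistribute or revealers == 0:
        return Fraction(expected_gain)
    if honest_revealers == 0:
        return None               # attacker recovers everything; no pledge deters
    return Fraction(expected_gain) * revealers / honest_revealers
```

With redistribution the required pledge grows with every extra account G controls; with confiscation only, it stays at the expected gain regardless of the number of accounts.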
QA:
Q: Why not let the miners participate in RNG? Why not use tx hash, nonce and other blockchain data?
A: Miners have the ability to manipulate these blockchain data, and thus can indirectly affect RNG. If RNG contains blockchain data, it will give the miners the capacity to construct random numbers in their favor.
Q: The miners can ignore certain transactions that contain a random number they dislike. How do we deal with that?
A: That's why we need a time window period. A reasonable period should be greater than 6 blocks; we believe that nobody can produce 6 blocks in succession. So if the participant is honest, and he sends his numbers immediately as soon as each time window opens, he doesn't need to worry about being excluded.
Q: Why use all numbers of all participants, rather than a subset?
A: If the rule to pick a subset is deterministic, participants will try to take a specific position in the collection by various means; if they succeed, they will know in advance what random number is being generated from the subset. If the rule to pick a subset is randomised, then we still have the problem of true randomisation.
Q: Where do the pledged dues go?
A: They will be donated to a charity, or to RANDAO to maintain funding.
Note: f(s1, s2, ..., sn) is a function with multiple inputs, for example r = s1 xor s2 xor s3 ... xor sn, or r = sha3(sn + sha3(sn-1 + ... (sha3(s2 + s1))))