VRF stands for Verifiable Random Function and is a provably fair and verifiable random number generator (RNG) that enables smart contracts to access random values without compromising security or availability. For each request, VRF generates one or more random values and cryptographic proof of how those values were determined. The proof is published and verified on-chain before any consuming applications can use it.
Why randomness on blockchain?
There are many scenarios blockchain applications will require randomness. For example,
- Building blockchain based games and NFTs
- Allocating tasks and resources on the blockchain
- Randomly picking samples for consensus mechanisms
Imagine a scenario in that a gamefi developer is building a blockchain based poker game. This developer will have to convince its users that this poker game is fair. The deck of cards used in the game is shuffled randomly, and the game cannot be manipulated by any party, including the game developer. One way to do that is to show the users through the game smart contract that the random numbers are generated by a trustworthy oracle provider, rather than some black box algorithm that can potentially be manipulated. These random numbers should be unpredictable and also verifiable as well. This way, the game can gain the trust of the community, and in turn, make it more appealing to users.
Randomness has to be unpredictable to ensure that it cannot be manipulated or influenced in any way. If a random number generator (RNG) is predictable, it can be exploited by attackers to gain an advantage in various scenarios, such as blockchain gaming. To ensure Binance Oracle is generating unpredictable randomness, we rely on the two unpredictable key factors:
Secret key from the oracle
Binance Oracle adopted a public key version of a keyed crytopgraphic hash algorithm described by Goldberg in this paper for VRF. A secret key is used in this algorithm which is only known to the oracle. The hashing function looks like this
where is the secret key of the oracle, is the input to the VRF algorithm consisting the consumer's input and block hash and is the randomness.
The block-hash is unknown before the block is packaged and confirmed by the miners, and can only be determined after the block is generated. That implies even a malicious oracle can't generate the randomness upfront before the block hash is confirmed. The block hash is included in the as an input string to the VRF algorithm.
Both the block hash (included in ) and the secret key are used to generate randomness, guaranteeing the unpredictable nature of Binance Oracle VRF.
It is important for randomness to be verifiable so that users can ensure that the outcome of a random event was not manipulated or biased in favor of one party. This is particularly important in areas such as gambling or voting, where trust in the integrity of the system is essential. By making the randomness verifiable, users can have confidence that the system is fair and unbiased. This is especially important in decentralized systems, where there is no central authority to ensure fairness.
The randomness generated by Binance Oracle can be verified in L1 by using a proof that comes together with the randomness. And with a verifying function in the smart contract, consumers can ensure the randomness generated is correct. The verify function looks like this
where is the public key of the oracle, is the input to the VRF algorithem consisting the consumer's input and block hash, is the proof and is the randomness.
The VRF algorithem used in Binance Oracle has the properties of full uniqueness, full collision resistance and full pseudorandomness.
For any seed and valid VRF public key, there is exactly one VRF output which can be proved to come from that seed, in the sense that the proof will pass verifyVRFProof.
Full collision resistance
It's cryptographically infeasible to find two seeds with same VRF output from a fixed, valid VRF key
Absent the proofs that the VRF outputs are derived from a given seed, the outputs are computationally indistinguishable from randomness.
For the proof of the above properties, please refer to Appendix B in this paper