
A computer can produce numbers that look random. The problem is not producing randomness for oneself, but producing randomness that others accept as honest. If you run a lottery, how can participants be sure you did not pick the result in advance or regenerate the draw until you got the one that suits you?
This need, public randomness that nobody controls, comes up everywhere: lotteries, allocation of limited slots, selection of a sample to audit, online games, certain computer protocols. The naive solution, trusting the organiser, does not hold as soon as there is something at stake. An external source is needed, unpredictable and verifiable.
Bitcoin offers such a source almost by accident. This article explains why, how it is used, and why this source, attractive as it is, carries a flaw that any serious user must know before relying on it.
Why honest randomness is hard
Good shared randomness must combine three qualities. It must be unpredictable: nobody should be able to guess the result before it is fixed. It must be verifiable: once known, everyone must be able to confirm it is genuine. And it must be unmanipulable: whoever produces it must not be able to pick, among several results, the one that suits them.
These requirements often contradict each other. A die rolled in private is unpredictable but unverifiable. A number published by an authority is verifiable but requires trusting it. Drawing several times until a favourable result comes up is an invisible manipulation. It is this last trap, the discreet replay of the draw, that wrecks most improvised solutions.
The ideal would be a public source, produced by a process nobody masters, whose result appears at a precise instant and remains consultable by all afterwards. A randomness clock, in short, fed by an impartial external phenomenon. This is precisely the role the Bitcoin blockchain can play.
The block hash as a randomness seed
Each Bitcoin block ends with a hash, a long number obtained by condensing the block's entire content. For a block to be valid, this hash must start with a series of zeros, which miners obtain by trying billions of combinations. The final result is, to an observer, perfectly unpredictable until the block is found.
This hash has all the makings of a good die. Nobody knows it before the block is mined. Once published, it is visible to all and frozen in the chain. One can therefore agree in advance: the lottery winner will be determined by the hash of block number such-and-such, still to come. At the moment that block appears, the result reveals itself, with no organiser having had a hand on it.
Technically, you take the digits of the hash and turn them into a draw: a number between one and a thousand, the choice of a winner from a list, a ranking. Since everyone sees the same hash and applies the same public rule, each person can recompute the result and confirm it is correct. Randomness becomes a public fact, not a word given.
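The public rule described above can be written down so that anyone recomputes the same draw. This is an added example, not code from the original article: the function names, the draw label and the sample hash are assumptions made for illustration. It re-hashes the block hash (whose leading zeros make its raw value non-uniform) and uses rejection sampling so that no number in the range is favoured.

```python
import hashlib

# Constructed 64-hex-digit value for illustration, not a real Bitcoin block hash.
SAMPLE_BLOCK_HASH = "0" * 20 + "5c" * 22

def derive_stream(block_hash_hex: str, draw_id: str):
    """Yield 256-bit integers from SHA-256(block hash || draw label || counter)."""
    seed = bytes.fromhex(block_hash_hex)
    if len(seed) != 32:
        raise ValueError("a Bitcoin block hash is 32 bytes (64 hex digits)")
    counter = 0
    while True:
        data = seed + draw_id.encode() + counter.to_bytes(4, "big")
        yield int.from_bytes(hashlib.sha256(data).digest(), "big")
        counter += 1

def draw_number(block_hash_hex: str, draw_id: str, n: int) -> int:
    """Return a number in 1..n that every verifier recomputes identically."""
    if n < 1:
        raise ValueError("n must be at least 1")
    # Largest multiple of n that fits in 256 bits; values above it would
    # make the low results slightly more likely, so they are discarded.
    limit = (1 << 256) - ((1 << 256) % n)
    for value in derive_stream(block_hash_hex, draw_id):
        if value < limit:
            return value % n + 1

def pick_winner(block_hash_hex: str, draw_id: str, entrants) -> str:
    """Choose one entrant from a list published before the block is mined."""
    # Sort and deduplicate so the index means the same thing to everyone.
    ordered = sorted(set(entrants))
    return ordered[draw_number(block_hash_hex, draw_id, len(ordered)) - 1]
```

The draw label and the entrant list must be published before the chosen block exists; otherwise the organiser could still pick the rule after seeing the hash.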
What this public randomness is used for
The most immediate use is the transparent lottery or draw. An association distributing prizes, a project selecting participants, a contest designating a winner can announce the rule, then let a future block decide. Each person then verifies that the result indeed follows from the announced hash.
The same idea appears in more technical contexts. Some protocols need a common, unpredictable number to assign tasks, choose a committee, order participants without favouritism. The block hash then serves as a neutral referee, accessible to all at the same instant, with no central server to corrupt.
The appeal is always the same: replacing a promise ("trust me") with a proof ("verify for yourself"). In a world where distrust of organisers is common, having a randomness source that nobody owns is a real asset, provided its flaw is properly managed.
The flaw: a miner can cheat, at a price
The source is not perfect, and neglecting that would be a mistake. Whoever finds a block chooses its content, and thus partly influences its hash. If they have a stake in the draw, for example a large bet on an outcome, they can, in theory, reject a valid block whose hash does not suit them and keep mining to find another.
Giving up a found block means giving up its reward, which runs into tens of thousands of euros. Manipulation therefore has a high cost, which makes it irrational as long as the draw's stake stays below that cost. But for a lottery with enormous winnings, the attack stops being theoretical. The rule of prudence is simple: never use the hash of a single block for a draw whose stake exceeds a block's reward.
Countermeasures exist. You can combine several successive blocks, which multiplies the cost of a manipulation. You can mix the Bitcoin hash with contributions from other participants under a scheme where each commits before knowing the result. Specialised public-randomness services, designed to resist this type of attack, also exist. The block hash remains an excellent building block, to be used knowingly rather than as an infallible black box.
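The first two countermeasures can be combined in one seed: several successive block hashes mixed with secrets that participants committed to beforehand. This is an added sketch, not code from the original article; the function names, the sample block hashes and the choice to abort on a missing reveal are assumptions.

```python
import hashlib
import hmac

# Constructed sample values, not real Bitcoin block hashes.
SAMPLE_BLOCKS = ["0" * 20 + "1a" * 22, "0" * 20 + "2b" * 22, "0" * 20 + "3c" * 22]

def commit(secret: bytes) -> str:
    """Commitment a participant publishes before the agreed blocks are mined."""
    if len(secret) != 32:
        raise ValueError("use a 32-byte secret, e.g. secrets.token_bytes(32)")
    return hashlib.sha256(b"commit:" + secret).hexdigest()

def combined_seed(block_hashes, commitments, reveals) -> str:
    """Mix several successive block hashes with every revealed secret.

    commitments: name -> hex commitment published in advance
    reveals:     name -> secret bytes disclosed after the last block
    """
    if len(block_hashes) < 2:
        raise ValueError("combine at least two successive blocks")
    mix = hashlib.sha256(b"seed:")
    for block_hash in block_hashes:
        raw = bytes.fromhex(block_hash)
        if len(raw) != 32:
            raise ValueError("a block hash is 32 bytes")
        mix.update(raw)
    for name in sorted(commitments):  # fixed order for every verifier
        secret = reveals.get(name)
        if secret is None:
            # The rule for a withheld reveal must be announced in advance;
            # this sketch refuses to produce a seed.
            raise ValueError(f"{name} did not reveal")
        if not hmac.compare_digest(commit(secret), commitments[name]):
            raise ValueError(f"{name}'s reveal does not match the commitment")
        mix.update(secret)
    return mix.hexdigest()
```

The resulting seed can then be turned into a draw with the same kind of public rule used for a single block hash.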
Disclaimer
Educational and informational content only: not investment, tax or legal advice. Bitcoin carries significant risks, including high volatility and the possible loss of invested capital. Each reader remains responsible for their decisions; when in doubt, consult a qualified professional in your jurisdiction.