Paper 2015/1015

On Bitcoin as a public randomness source

Joseph Bonneau, Jeremy Clark, and Steven Goldfeder


We formalize the use of Bitcoin as a source of publicly-verifiable randomness. As a side-effect of Bitcoin's proof-of-work-based consensus system, random values are broadcast every time new blocks are mined. We can derive strong lower bounds on the computational min-entropy in each block: currently, at least 68 bits of min-entropy are produced every 10 minutes, from which one can derive over 32 near-uniform bits using standard extractor techniques. We show that any attack on this beacon would form an attack on Bitcoin itself and hence have a monetary cost that we can bound, unlike any other construction for a public randomness beacon in the literature. In our simplest construction, we show that a lottery producing a single unbiased bit is manipulation-resistant against an attacker with a stake of less than 50 bitcoins in the output, or about US$12,000 today. Finally, we propose making the beacon output available to smart contracts and demonstrate that this simple tool enables a number of interesting applications.

Available format(s)
Publication info
Preprint. MINOR revision.
Contact author(s)
jbonneau @ cs stanford edu
2015-10-19: received
Short URL
Creative Commons Attribution


      author = {Joseph Bonneau and Jeremy Clark and Steven Goldfeder},
      title = {On Bitcoin as a public randomness source},
      howpublished = {Cryptology ePrint Archive, Paper 2015/1015},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.