feat(contract-dev): edit random numbers guide to fit style guide and use Tolk code #2115
+74
−94
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,164 +5,146 @@ sidebarTitle: "Random numbers" | |
|
|
||
| import { Aside } from '/snippets/aside.jsx'; | ||
|
|
||
| Generating random numbers is a common smart contract task for applications such as gaming, trait generation for non-fungible tokens (NFTs), and decentralized lotteries. TON provides built-in functions like [`random.uint256()`](/tolk/features/standard-library#random-uint256), but their results can be predicted by validators unless additional techniques are used. | ||
|
|
||
| ## Why on-chain randomness is challenging | ||
|
|
||
| Deterministic programs use pseudorandom number generators (PRNGs) to produce sequences that appear random but are actually deterministic, based on an initial seed value. Running the same program with the same seed will always produce the same sequence of numbers. If true randomness is required, the seed must come from an external entropy source that cannot be predicted or manipulated by adversaries. | ||
|
|
||
| Smart contracts on TON use pseudorandom number generators (PRNGs) seeded with values derived from the blockchain state, such as block seeds generated by validators. While this prevents regular users from predicting random values before block production, validators themselves can influence randomness in two ways: | ||
|
|
||
| 1. Generate different seeds when creating blocks. | ||
| 1. Choose which blocks to include external messages in. | ||
|
|
||
| This limitation means all approaches to on-chain randomness involve trade-offs between speed, security, and decentralization guarantees. | ||
|
|
||
| ## Comparison of approaches | ||
|
|
||
| | Factor | [Single-block](#single-block-randomness) | [Block skipping](#multi-block-randomness-via-block-skipping) | [Commit-reveal](#external-randomness-via-the-commit-reveal-scheme) | | ||
| | ------------------------------------ | ---------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------------ | | ||
| | Speed | Fast | Slow | Very slow | | ||
| | Implementation complexity | Low | Medium | High | | ||
| | Resistance to user manipulation | High | High | High | | ||
| | Resistance to validator manipulation | Low | Medium | High | | ||
| | Cost (gas + storage) | Low | Medium | High | | ||
|
|
||
| <Aside | ||
| type="caution" | ||
| > | ||
| When choosing an approach, consider the value at risk and required time-to-finality. For high-stakes applications such as lotteries with significant funds, use commit-reveal. Audit implementations through formal verification when possible. | ||
| </Aside> | ||
|
kay-is marked this conversation as resolved.
kay-is marked this conversation as resolved.
|
||
|
|
||
| ## Single-block randomness | ||
|
|
||
| The [`random.initialize()`](/tolk/features/standard-library#random-initialize) function initializes the random number generator with a seed derived from the transaction's logical time. This provides basic entropy from blockchain state. | ||
|
|
||
| ### How it works | ||
|
|
||
| Call `random.initialize()` once before using [`random.uint256()`](/tolk/features/standard-library#random-uint256) or [`random.range()`](/tolk/features/standard-library#random-range-limit) functions. The logical time adds variability to the seed, making it harder for observers to predict the outcome without executing the transaction. | ||
|
kay-is marked this conversation as resolved.
|
||
|
|
||
| Code example: | ||
|
kay-is marked this conversation as resolved.
Outdated
|
||
|
|
||
| ```tolk title="Tolk" | ||
| random.initialize(); | ||
| // Generates values from 0 to 99 | ||
| var randomNumber = random.range(100); | ||
| ``` | ||
|
|
||
| ### Security model | ||
|
|
||
| The single-block approach prevents attacks from regular users who cannot predict logical time. | ||
|
|
||
| However, it is **vulnerable to colluding validators** who can generate seeds or choose message inclusion blocks. | ||
|
|
||
| ### Speed | ||
|
|
||
| The single-block approach is fast, as it executes inside a single transaction. | ||
|
|
||
| ### Use cases | ||
|
|
||
| - Non-critical applications like gaming or cosmetic features. | ||
| - NFT trait randomization. | ||
| - Scenarios where validator trust is assumed. | ||
|
kay-is marked this conversation as resolved.
|
||
|
|
||
| <Aside | ||
| type="caution" | ||
| > | ||
| Validators can predict single-block randomness. Do not use `random.initialize()` for high-value applications such as financial lotteries or significant asset distribution. | ||
| </Aside> | ||
|
|
||
| ## Multi-block randomness via block skipping | ||
|
|
||
| Instead of using randomness from the current block, the contract waits for several blocks to pass before using their entropy. This approach sends messages across multiple blocks, making it harder for a single validator to control the final outcome. | ||
|
|
||
| ### How it works | ||
|
|
||
| The contract initiates an operation, then waits for responses that arrive several blocks later. The random seed from future blocks, which the initiating validator does not control, determines the result. | ||
|
kay-is marked this conversation as resolved.
|
||
|
|
||
| ### Security model | ||
|
|
||
| Block skipping is resistant to attacks from regular users and more resistant to single validators than single-block randomness. | ||
|
|
||
| However, it is still **vulnerable to determined validators** who represent 1/250 of the network, as they can still choose optimal timing to influence outcomes in blocks they generate. | ||
|
kay-is marked this conversation as resolved.
Outdated
|
||
|
|
||
| ### Speed | ||
|
|
||
| Block skipping is significantly slower than single-block randomness, as it requires waiting for multiple blocks to be produced and finalized. | ||
|
|
||
| ### Use cases | ||
|
|
||
| - Medium-stakes applications like lottery systems with moderate value. | ||
| - Scenarios requiring better security than single-block randomness. | ||
|
|
||
| ## External randomness via the commit-reveal scheme | ||
|
|
||
| Multiple participants commit to secret values by publishing hashes, then reveal those values in a later phase. The final randomness is derived from combining all revealed values, ensuring no single party can determine the outcome alone. When properly implemented, this approach provides cryptographically secure randomness suitable for high-value applications. | ||
|
|
||
| ### How it works | ||
|
|
||
| 1. **Commit phase**: Each participant generates a random number off-chain and submits its hash to the contract. | ||
| 1. **Reveal phase**: After all commitments are received, participants disclose their original numbers. | ||
| 1. **Combination**: The contract combines the revealed numbers (e.g., by XOR or sum) to produce the final random value. | ||
|
Comment on lines
+100
to
+102
Contributor
There was a problem hiding this comment. Bind commitments to the participant and round. Hashing only the random number is copyable and replayable; with XOR aggregation, duplicated commitments can also cancel out. The guide should require domain-separated commitments and canonical aggregation. Suggested wording-1. **Commit phase**: Each participant generates a random number off-chain and submits its hash to the contract.
+1. **Commit phase**: Each participant generates a secret off-chain and submits a domain-separated hash that binds the secret to the participant address, contract address, and round identifier.
1. **Reveal phase**: After all commitments are received, participants disclose their original numbers.
-1. **Combination**: The contract combines the revealed numbers (e.g., by XOR or sum) to produce the final random value.
+1. **Combination**: The contract validates each reveal, rejects duplicates or mismatched commitments, orders accepted reveals canonically, and hashes the transcript to produce the final random value. - On-chain verification of commitments.
+- Domain separation and replay protection for commitments.
+- Duplicate commitment handling.
- Penalty mechanisms for non-reveals or invalid reveals.
- Timeout handling for missing participants.Also applies to: 120-124 🤖 Prompt for AI Agents
Collaborator
Author
There was a problem hiding this comment. Hey @novusnota or @delovoyhomie, can one of you confirm this? It sounds reasonable, but my crypto skills aren't strong enough to check this without substantial effort 🫣
Contributor
There was a problem hiding this comment.
|
||
|
|
||
| ### Security model | ||
|
|
||
| The commit-reveal scheme is the most secure on-chain randomness approach, as it relies on cryptographic commitments and multiple independent participants. It prevents any single participant from unilaterally determining the final value. | ||
|
|
||
| Yet, **validators can still influence timing or censor messages**, but they cannot determine the final random value without colluding with participants. | ||
|
kay-is marked this conversation as resolved.
Outdated
kay-is marked this conversation as resolved.
Outdated
|
||
|
|
||
| Commit-reveal schemes require careful incentive design. Participants may refuse to reveal if the outcome is unfavorable. Use penalties or collateral to enforce honest behavior. | ||
|
|
||
| ### Speed | ||
|
|
||
| The commit-reveal scheme is very slow compared to other approaches, as it involves multiple phases and requires waiting for several blocks to complete the process. The time to finality can range from minutes to hours depending on the number of participants and block times. | ||
|
|
||
| ### Implementation requirements | ||
|
|
||
| - On-chain verification of commitments. | ||
| - Penalty mechanisms for non-reveals or invalid reveals. | ||
| - Timeout handling for missing participants. | ||
|
|
||
| ### Use cases | ||
|
|
||
| - High-value applications like lotteries or auctions with significant funds at stake. | ||
| - Decentralized gaming with financial stakes. | ||
| - Systems requiring Byzantine fault tolerance. | ||
|
|
||
|
kay-is marked this conversation as resolved.
|
||
| ## Best practices | ||
|
|
||
| - Always call `random.initialize()` before using `random.uint256()` or `random.range()` to prevent users from predicting random values. | ||
|
kay-is marked this conversation as resolved.
Outdated
|
||
| - Keep randomness out of external message receivers. External messages remain vulnerable even with `random.initialize()`. | ||
| - Use hybrid or off-chain entropy for critical applications. Combine on-chain randomness with off-chain entropy, like external randomness oracles, when significant value is at risk. | ||
| - Test randomness behavior across different blocks on testnet. Verify that contracts behave correctly when randomness is manipulated within validator capabilities. | ||
|
|
||
| ## How block random seeds work | ||
|
|
||
| Understanding the underlying mechanism helps evaluate security trade-offs. | ||
|
|
||
| ### Seed generation by validators | ||
|
|
||
| Each block's random seed is generated by the validator (or [collator](/ecosystem/nodes/cpp/mytonctrl/collator)) creating that block. The [validator node code](https://github.com/ton-blockchain/ton/blob/f59c363ab942a5ddcacd670c97c6fbd023007799/validator/impl/collator.cpp#L1590) generates 32 random bytes using cryptographically secure primitives: | ||
|
kay-is marked this conversation as resolved.
|
||
|
|
||
| ```cpp title="C++" | ||
| prng::rand_gen().strong_rand_bytes(rand_seed->data(), 32); | ||
| ``` | ||
|
|
||
|
|
@@ -176,19 +158,23 @@ The block seed is not used directly in contracts. Instead, it is [hashed with th | |
| contract_seed = SHA256(block_seed || contract_address) | ||
| ``` | ||
|
|
||
| This ensures each contract in the same block receives its own random seed, preventing cross-contract randomness correlation. | ||
|
|
||
| ### Random number generation | ||
|
|
||
| The [`RANDU256`](/tvm/instructions#f810-randu256) TVM instruction implements the actual random number generation. | ||
|
|
||
| The process is as follows: | ||
|
kay-is marked this conversation as resolved.
Outdated
|
||
|
|
||
| 1. Take the current seed `r` (32 bytes). | ||
| 1. Compute a hash with `SHA512(r)`. | ||
| 1. Use the first 32 bytes as the new seed. | ||
| 1. Return the remaining 32 bytes as the random number. | ||
|
|
||
| Subsequent calls continue this chain, producing a deterministic sequence from the initial seed. | ||
|
|
||
| <Aside | ||
| type="caution" | ||
| > | ||
| The random sequence is deterministic once the initial seed is known, so anyone who knows both the block seed and contract address can predict random values generated during a transaction. Regular users cannot predict these values before block production, but validators generating the block can, since they control the block seed. | ||
| </Aside> | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.