Is there a way to use the block chain as entropy in random number generator?



I want to create a transparent gambling/lotto site and use the block chain as entropy for lotto numbers, dice rolls, that kind of thing. Would the transaction hash of the latest transaction be the best way to do this? How often are transaction hashes created? How would you, programmatically, access them?


Posted 2011-08-30T21:50:40.397

Reputation: 654

Question was closed 2011-09-21T00:51:01.393

1why off-topic? from the FAQ: " practical, answerable questions based on actual problems that you face". Seems pretty on-topic unless I am missing something. – browep – 2011-09-01T21:01:37.980

because it would be impractical to use Bitcoin for entropy in a gambling site. There are other easier ways to do this today.

– ripper234 – 2011-09-02T06:55:24.667

1wouldn't "impractical" be up to me? The question is not about how to implement a gambling site, it's about using the blockchain as entropy. The use of it is irrelevant, it's still a valid question. And doesn't solve all my problems. – browep – 2011-09-02T21:08:15.227

2This feels slightly off topic. – ripper234 – 2011-08-30T23:06:10.250


It may be a valid question, but it's not a particularly bitcoinish one--smells more like programming technique to me, which should go on Stack Overflow.

– eMansipater – 2011-09-06T20:23:10.237



The Bitcoin Lottery used an SHA256 hash of the two most recent blocks to generate random data and to my recollection there were not too many complaints about that method they chose. In any case it's only good for 256 bits of questionably random data every 10 minutes (20 if you don't reuse blocks) so there are probably better entropy sources, such as the setup they've built over at

David Perry

Posted 2011-08-30T21:50:40.397

Reputation: 14 120

3And here, "questionably random" means that given a suitably large reward and a suitably motivated miner this would absolutely be gamed. – eMansipater – 2011-09-06T20:25:38.097

1Actually a correct random implementation with Mersenne Twister would suffice. If people get paid, they don't care much about how do you generate the numbers. Joe Six Pack wants his price, not to know. – flaab – 2012-10-25T08:39:48.253


If I may answer with my stack overflow hat on...

Here's how I'd draw a random number in way that no participant can influence the result of.

Invite each player to pick a random number, x, and publish the hash(x). Once each hash has been published, each player should then reveal their x. With those x's, add them all together and hash the result. Use that final hash as the random value.

UPDATE: To work around the attack described in the comment below, use two rounds.

  1. Each player selects a randon number, x, and reveals hash(x).
  2. When all hashes have been revealed, each player reveals x.
  3. All x's are combined and hashed. y=hash(all x)
  4. Each player selects a new random number, z, and reveals hash(y+z).
  5. When all of the second round of hashes have been revealed, each player reveals z.
  6. All z's are combined and hashed. The result is used as the random value.

If the player has a prepared hash collision, they could only use it to select their prefered y value. This doesn't help because they would now need a way to find a collision where both inputs have the same prefix (y) which won't be known in advance. If you can do that in a timely manner, we all need a new hash function.

(I welcome comments. Its possible I've missed something else.)


Posted 2011-08-30T21:50:40.397

Reputation: 1 950

An attacker could find a hash collision where hash(a) = hash(b), publish the common hash value, and then observe the other players' revealed numbers before choosing whether to reveal a or b. – JGWeissman – 2011-09-16T22:26:19.490

@JGWeissman - I missed that. Thank you. I've updated the protocol to work around that issue. (Or maybe I've made it worse.) – billpg – 2011-09-22T18:37:08.250

Now an attacker with a hash collision on a and b can reveal in step 4 that hash(y+z) is the common hash of a and b, and then in step 5 choose to reveal either that z = a-y or that z = b-y. – JGWeissman – 2011-09-22T19:51:27.233

So, in step 4, require also that each player reveals hash(z). – JGWeissman – 2011-09-22T19:52:24.343

Ah, by + I meant concatenation, rather than addition. Anyway, I suggest we move this discussion to a different SE. I've taken the liberty of opening this Q.

– billpg – 2011-09-23T23:47:32.730

@JFWeissman. There is no known collision attack for SHA-256. As long as a cryptographically secure hash is being used your attack is theoretical only. – DeathAndTaxes – 2011-10-09T03:15:08.183


Only sort of. The transaction hash is specifically chosen because it is smaller than some number X (--> difficulty factor), so it isn't fully random. However, it has a lot of entropy in the sense that it contains input from a lot of different, not predictable transactions. So you could use this hash as a seed for your RNG.

If you just want to generate lotto numbers and dice rolls, I'd say it's more important that you find a good random number generator (RNG) - you won't reseed that often anyway.

If you wanted to use the hash as the random number directly, there's a problem: you only get one hash every ~10 minutes. Not all that many random numbers.


Posted 2011-08-30T21:50:40.397

Reputation: 517

See my Python implementation to derive a random probability from a predetermined block height. This enables untrusted parties to use the Bitcoin blockchain as a cryptographic beacon, by just agreeing to a future block height.

See also On Bitcoin as a public randomness source and this related video.

– Daniel Himmelstein – 2017-11-29T19:20:51.043


You could scrape data from to get the hashes of transactions that had just been submitted. It wouldn't super easy to do, but it'd be a constant source of fairly random data.


Posted 2011-08-30T21:50:40.397

Reputation: 1 421