Pomegra Wiki

Verifiable Random Functions in Consensus

A verifiable random function (VRF) is a cryptographic tool that lets a validator prove they were randomly selected to propose or validate the next block—without exposing their private key. The validator computes a pseudorandom output and a proof, both deterministic functions of their private key and a public input. Anyone can verify the proof against the validator’s public key, confirming the output is legitimate and unpredictable; no one can forge a different output for the same input. This solves a critical problem in proof-of-stake consensus: how to choose leaders fairly and verifiably without a trusted lottery machine.

Why random selection matters

In a proof-of-stake system, the network must choose who proposes the next block or validates transactions. If selection is predictable, a malicious actor can:

  • Attack a specific upcoming leader in advance (DDoS, bribery, compromise).
  • Frontrun the selection and prepare a conflicting block.
  • Abstain strategically, disrupting liveness.

If selection is centralized (a lottery operator), the operator becomes a point of failure and temptation. A decentralized network needs a way for each validator to learn they are selected—and prove it to others—without any party manipulating the draw or computing the outcome in advance.

How a VRF works at a high level

A VRF is built on elliptic-curve cryptography (similar to Bitcoin’s ECDSA but with additional properties). The process has four steps:

  1. Hashing: The validator hashes a public input (e.g., block height 123) using a hash function defined by their private key. This produces a unique output only they can compute.

  2. Proof generation: The validator also computes a zero-knowledge proof that they performed the hash correctly using their (secret) private key, without revealing the key.

  3. Publishing: The validator broadcasts both the output and the proof (but never the private key).

  4. Verification: Any network participant hashes the validator’s public key and the input using the VRF’s verification algorithm. If the proof is valid, they can confirm the output is correct without ever seeing the private key.

The mathematical magic: it is computationally infeasible to forge a valid proof for a different output, and it is impossible to compute the output without the private key. Yet the output itself is deterministic—the same validator will always get the same number for the same input—making it an ideal lottery.

Separation of randomness and stake

In many proof-of-stake systems, a validator’s chance of selection is proportional to their stake. The VRF output is used to draw names from a weighted pool:

  • Each validator runs the VRF with the current seed.
  • The network calculates a threshold for each validator: threshold = (stake / total stake) × max output.
  • If a validator’s VRF output falls below their threshold, they are selected.
  • Higher-stake validators have higher thresholds, so they are selected more often.

This design prevents stake concentration from enabling selection manipulation. A large stakeholder cannot make themselves leader in every round; the VRF ensures unpredictability. And they cannot prevent smaller stakers from being selected, because the selection depends on each validator’s private key.

The role of the seed

The VRF input (seed) is usually derived from past consensus: the previous block hash, epoch number, or a combination. This ensures:

  • No pre-computation: Validators cannot calculate future VRF outputs until the seed is known.
  • Independence: Each round uses a fresh seed, preventing replay attacks.
  • Inclusion of history: The past block determines the next leader, anchoring consensus firmly to the chain’s actual progression.

If a validator wanted to influence their own selection, they would need to control the seed—but the seed is the prior block, which they did not produce (unless they were also the prior leader). This creates a clean separation of power.

Why not just flip a coin?

A simple approach: each validator flips a coin (commits to a random number, later reveals it). But this has problems:

  • Liveness risk: A validator can commit but then fail to reveal, stalling the network.
  • Malleability: A validator can choose whether to reveal based on whether they win, biasing the draw.
  • Complexity: Requires a two-phase protocol, increasing latency.

A VRF avoids these pitfalls. The validator computes the output instantly from the seed; there is no “reveal” phase. And the output is pinned to their private key and the seed, so they cannot influence it retroactively.

Practical implementations

Cardano (Ouroboros Praos): Uses a VRF called “Praos-VRF” to select slot leaders. Each stake pool runs the VRF at the start of each slot (1-second intervals) and learns instantly whether it is selected. If selected, it proposes a block; if not, it waits.

Algorand: Employs a VRF where each user learns they are selected by running the VRF locally. This allows the network to be truly permissionless—no central list of validators. A user cannot predict when they will be selected until they compute the VRF.

Polkadot: Uses VRFs to select block producers and parachain validators, ensuring no collusion among validators can predict or bias the draw.

Security considerations

VRF security rests on a few assumptions:

  • Private key secrecy: If a validator’s private key leaks, an attacker can forge proofs for any output. Key management is critical.
  • Cryptographic hash strength: The underlying hash must be collision-resistant and one-way. Industry-standard curves (BLS12, NIST P-256) are assumed secure.
  • Seed unpredictability: If the seed is predictable, validators might manipulate it by censoring blocks. This is why the seed is locked to past consensus.

In practice, these assumptions have held under scrutiny. No practical attacks on correctly-implemented VRFs are known.

VRFs vs. other randomness schemes

A VRF differs from:

  • Commit-reveal: Requires two phases; vulnerable to strategic non-reveal.
  • Threshold encryption: Requires a quorum of parties to decrypt the random value; adds complexity and latency.
  • Time-based randomness: Using block hashes or timestamps; predictable and vulnerable to manipulation.
  • Trusted hardware: Relies on physical security rather than math; less portable across networks.

For real-time, high-frequency leader election, VRFs are the current standard.

See also

Wider context