Full Report
Aptos Roll is a secure instant randomness API. This is done with a bunch of pretty crazy cryptography schemes. Unlike Chainlink VRF, this is on-chain, which makes it faster and cheaper to use. This seems to be similar to the Ethereum randomness function but appears to have better randomness properties. Aptos decouples the consensus from execution. This is helpful because a shared secret can be generated and then acted upon later in the execution stage. The approach allows a shared secret to be generated by using a weighted distributed key generation (wDKG). The shared secret can only be recovered by 50% or more of the validators, making it impossible to know the state ahead of time. A seed for randomness is generated using a weighted verifiable random function (wVRF) using a shared secret. To me, we're using a secret sharing scheme to create a secret, disclosing this secret, using this secret as the seed for randomness, and then using the function to generate random numbers in a deterministic way. Pretty neat! The blog post goes into the details of the Aptos network actually doing the sharing. Personally, I found it hard to follow because of the many acronyms and cryptography things I don't understand. Regardless, it's super cool and I wanted to make sure to at least have this in my notes.
Analysis Summary
# Research: Aptos Roll: Secure, On-Chain Instant Randomness
## Metadata
- **Authors:** Alin Tomescu, Igor Kabiljo, Dahlia Malkhi, et al.
- **Institution:** Aptos Labs
- **Publication:** Aptos Technical Blog / Engineering Documentation
- **Date:** 2024 (Revised/Current Implementation)
## Abstract
Aptos Roll introduces a high-performance, on-chain randomness service that provides unpredictable, unbiasable, and fast seed generation for decentralized applications. By leveraging a Weighted Distributed Key Generation (wDKG) and a Weighted Verifiable Random Function (wVRF), Aptos enables "instant" randomness that is generated during the consensus phase but only revealed during execution. This eliminates the latency common in off-chain solutions (like Chainlink VRF) while maintaining higher security bounds than traditional "commit-reveal" schemes.
## Research Objective
The primary objective is to solve the "Randomness Dilemma" in blockchains: How to generate a value that is truly unpredictable to all participants (including block producers) while ensuring it is available fast enough for real-time applications (gaming, minting, DeFi) without excessive gas costs.
## Methodology
### Approach
The research utilizes **Threshold Cryptography** integrated directly into the protocol's consensus engine. It employs a "Weighted" model where the influence of a validator in the randomness generation is proportional to their stake, ensuring alignment with the Proof-of-Stake (PoS) security model.
### Dataset/Environment
This protocol is implemented within the **Aptos Mainnet environment**, utilizing the decoupling of the consensus layer from the execution layer (Aptos’s unique modular architecture).
### Tools & Technologies
- **wDKG (Weighted Distributed Key Generation):** For creating a shared secret without a trusted dealer.
- **wPVSS (Weighted Publicly Verifiable Secret Sharing):** Lets anyone, not just the recipients, verify that the dealt shares are valid.
- **PVSS-based VRF:** Uses verification of the published PVSS transcript to generate random seeds.
- **BLS12-381 Curves:** For efficient cryptographic pairings.
## Key Findings
### Primary Results
1. **Low Latency:** Randomness is available as soon as a block is committed, eliminating the multi-block wait times of off-chain VRFs.
2. **High Security Threshold:** Requires >50% of the total stake to cooperate to recover the secret, matching the network’s liveness/safety assumptions.
3. **Unbiasability:** Validators cannot "preview" the random outcome and decide whether or not to include the transaction based on the result.
### Supporting Evidence
- Formal proofs showing that as long as the quorum is honest (2/3 of stake), the randomness remains unpredictable until the block is finalized.
### Novel Contributions
- **Integration with Pipeline Execution:** Unlike Ethereum, which provides randomness based on the previous beacon state (which may be manipulated by proposers), Aptos generates randomness *per block* using the consensus quorum.
- **Weighted Participation:** First large-scale implementation of weighted DKG for randomness in a production Layer 1.
## Technical Details
Aptos Roll functions in three primary stages:
1. **DKG Phase:** Validators perform a distributed key generation to establish a collective public key. Each validator holds a "weighted" share of the private key.
2. **Verification Phase:** When a block is proposed, a subset of validators provides "randomness shares" for that specific block. These shares are aggregated using a Verifiable Random Function (VRF).
3. **Execution Phase:** Because the execution occurs after the consensus is reached, the computed random seed is passed to the Move Virtual Machine (MoveVM) as a system-level input, making it accessible to smart contracts via a simple API call.
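The three stages above, and the weighted threshold model from the Approach section, reduced to a runnable toy. This is an added example, not Aptos code: plain Shamir sharing over a prime field stands in for the dealerless wDKG/wPVSS, a SHA-256 hash of the recovered secret and block identity stands in for the pairing-based wVRF over BLS12-381, and the validator names, stake weights and block numbers are constructed. What it shows is the property the page relies on: a coalition holding more than half of the total weight recovers the secret and can derive the block seed, while any coalition at or below half gets nothing usable, and the seed for a given block is fixed once the secret is known.

```python
# Added example (not Aptos code): weighted threshold secret sharing plus
# per-block seed derivation, modelling the DKG / share-aggregation / execution
# stages with Shamir sharing and a hash instead of wPVSS and a wVRF.
import hashlib
import secrets

# Prime field modulus (the secp256k1 group order, chosen only because it is a
# well-known 256-bit prime; the real scheme works in BLS12-381 groups).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x, mod P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def deal_weighted_shares(secret, weights, threshold):
    """Give validator v `weights[v]` Shamir shares of `secret`.

    The polynomial has degree threshold-1, so any set of shares whose total
    weight is >= threshold reconstructs the secret, and fewer shares leave it
    information-theoretically hidden.  A single dealer is used here purely as
    a stand-in for the dealerless wDKG described in the text.
    """
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares, x = {}, 1  # evaluation points must be distinct and non-zero
    for validator, w in weights.items():
        shares[validator] = [(x + k, eval_poly(coeffs, x + k)) for k in range(w)]
        x += w
    return shares


def reconstruct(points):
    """Lagrange interpolation at x=0 over all points supplied.

    With >= threshold points on the polynomial this returns the secret; with
    fewer it returns an unrelated field element.
    """
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def collect(shares, participating):
    """Pool every share held by the participating validators."""
    return [pt for v in participating for pt in shares[v]]


def block_seed(secret, epoch, round_no):
    """Per-block seed: hash of the recovered secret and the block identity.

    Stands in for the wVRF evaluation: deterministic for a given block, but
    not computable until enough weight has contributed to reveal the secret.
    """
    data = secret.to_bytes(32, "big") + epoch.to_bytes(8, "big") + round_no.to_bytes(8, "big")
    return hashlib.sha256(data).hexdigest()


def demo():
    """Constructed validator set: four validators with stake weights summing to 100."""
    weights = {"A": 40, "B": 35, "C": 15, "D": 10}
    threshold = sum(weights.values()) // 2 + 1  # strictly more than half the weight
    secret = secrets.randbelow(P)
    shares = deal_weighted_shares(secret, weights, threshold)
    majority = reconstruct(collect(shares, ["A", "C"]))  # weight 55 >= 51
    minority = reconstruct(collect(shares, ["B", "C"]))  # weight 50 <  51
    single = reconstruct(collect(shares, ["A"]))         # weight 40 <  51
    return {
        "threshold": threshold,
        "majority_ok": majority == secret,
        "minority_ok": minority == secret,
        "single_ok": single == secret,
        "seed_epoch3_round7": block_seed(majority, 3, 7),
    }


if __name__ == "__main__":
    r = demo()
    print(f"threshold weight {r['threshold']}: majority={r['majority_ok']}, "
          f"minority={r['minority_ok']}, single={r['single_ok']}")
    print("seed for (epoch 3, round 7):", r["seed_epoch3_round7"])
```

The weight check is the whole point: the largest validator alone (40) and the second-plus-third largest together (50) both fall short, so in this model no sub-majority coalition, whatever its size in validator count, can compute a block's seed early. Note also that the `minority` and `single` results are field elements that look perfectly plausible; a verifier has to check the reconstruction against a public commitment, which is exactly the job the page assigns to wPVSS and is omitted here.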
## Practical Implications
### For Security Practitioners
- **Mitigation of MEV:** Prevents "last-look" attacks where a block proposer might withhold a block if they dislike the random outcome.
- **Reduced Surface Area:** By putting randomness on-chain, developers do not need to manage off-chain oracle subscriptions or complex callback functions.
### For Defenders
- Simplifies auditing of dApps. Since the randomness is a primitive of the L1, security auditors can assume a trusted source of entropy rather than vetting individual oracle integrations.
### For Researchers
- Demonstrates a viable path for "consensus-integrated" cryptography, suggesting other primitives (like threshold decryption for front-running protection) could follow a similar path.
## Limitations
- **Complexity:** Distributing and verifying weighted secret shares increases the computational overhead for validators.
- **Stake Concentration:** If more than 50% of the stake is malicious, they can pre-calculate or bias the randomness (though this would also jeopardize the entire network's security).
## Comparison to Prior Work
- **Vs. Chainlink VRF:** Chainlink is off-chain/asynchronous and requires a request-response cycle (slow). Aptos Roll is synchronous within the block (fast).
- **Vs. Ethereum `PREVRANDAO`:** Ethereum's randomness is based on the previous block's proposer. It is somewhat predictable and potentially biasable by the proposer. Aptos's randomness is harder to bias due to the threshold requirement.
## Real-world Applications
- **Gaming:** Instant loot boxes or critical hit determination.
- **NFTs:** Provably fair trait assignment during "blind mints."
- **DeFi:** Fair sequencing or lottery mechanisms within decentralized exchanges.
## Future Work
- **Scaling wDKG:** Optimizing the communication complexity of the DKG protocol as the validator set grows.
- **Post-Quantum Resistance:** Exploring lattice-based DKG schemes to replace current elliptic curve implementations.
## References
- Aptos Labs. (2024). *Aptos Roll Documentation.*
- Boneh, D., & Shoup, V. *A Graduate Course in Applied Cryptography.*
- Related Research: https://aptos.dev/en/build/smart-contracts/randomness