Randomness is one of those things you don't think about until you need to trust it. And then you think about it a lot.
Pick a lottery, a game seed, a sampling job, a DLC oracle input. Anything where the output has money or fairness riding on it. The usual options ain't great. A single server tells you "trust me, this was random." A blockchain hash is only random after the block is mined, and the miner can see your bet before they publish. A VRF binds the output to one key holder, which is a single point of trust by another name.
What you actually want is a draw where nobody can predict the result before it closes, nobody can change it after, and anybody can verify it offline. That's what the PowForge /draw beacon does. Multi-party entropy, Schnorr-signed, 50 sats per fetch.
How an epoch works
Time is sliced into 5-minute windows. The current epoch ID is just:
const epoch_id = Math.floor(Date.now() / (300 * 1000));
During an epoch, anyone can contribute. You solve a small SHA-256 proof-of-work challenge (18 bits, takes a second on a laptop) and POST your contribution. It costs nothing and your x-only Schnorr pubkey gets bound into the contribution hash, so you can prove your entropy was included.
When the window closes and at least 5 unique contributors have submitted, the oracle aggregates everything deterministically. The beacon formula is public:
sha256("DRAW" || epoch_id || sha256(epoch_id || sorted_contribution_hashes_concat))
Sorted concatenation matters. It means the order contributors arrive doesn't change the output, but a single byte from any one of them shifts the whole 32-byte beacon. The oracle then signs the beacon with a BIP-340 Schnorr key and seals the epoch. After that, the result is fixed forever and nobody, including the oracle, can change it.
Try it from curl
Contributing requires mining the PoW, so that path is easier with the npm client below. Reading a sealed beacon is plain L402:
# Step 1: request the beacon, oracle returns 402 + a Lightning invoice
curl -si https://attest.powforge.dev/api/v1/draw/5933907
# HTTP/1.1 402 Payment Required
# WWW-Authenticate: L402 invoice="lnbc500...", macaroon="AgE..."
# Step 2: pay the invoice with any Lightning wallet (50 sats)
# you receive a payment preimage, 32 bytes hex
# Step 3: retry with the macaroon and preimage
curl -s https://attest.powforge.dev/api/v1/draw/5933907 \
  -H "Authorization: L402 <macaroon>:<preimage>"
The response gives you beacon_random (the 32-byte entropy) and signature (BIP-340 Schnorr). Verify it against the oracle pubkey and you're done.
npm client
There's a thin client that handles the PoW mining and L402 dance for you:
npm install @powforge/attest-client
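const { AttestClient } = require('@powforge/attest-client');
// await is not allowed at the top level of a CommonJS module, so wrap the calls
async function main() {
  const client = new AttestClient();
  // Contribute entropy to the current epoch (free, mines PoW automatically)
  const contrib = await client.contributeDrawEntropy(
    'your64hexschnorrpubkeyhere...' // your x-only Schnorr pubkey
  );
  console.log('contributed to epoch:', contrib.epoch_id);
  // L402 credential obtained by paying the invoice; reading it from the
  // L402_TOKEN environment variable is an assumption of this snippet
  const l402Token = process.env.L402_TOKEN;
  // Fetch the sealed beacon for a closed epoch (pays 50 sats via L402)
  const beacon = await client.getDrawBeacon(contrib.epoch_id, l402Token);
  console.log('beacon_random:', beacon.beacon_random);
  console.log('signature: ', beacon.signature);
}
main().catch(console.error);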
That's the whole API surface. Contribute is free, fetch costs 50 sats and gives you a signed value any Bitcoin-native verifier can check.
Why you can trust the output
Three properties carry the whole thing:
Multi-party by construction. The oracle can't produce a beacon alone. Each epoch needs at least 5 independent contributions, and any one contributor can shift the result. Nobody can predict it before the epoch closes because nobody knows what the other contributors will submit until the seal happens.
Schnorr verifiable offline. The signature is BIP-340. You don't need to ask the oracle anything after you hold the signed bytes. Check signature against beacon_random and the oracle pubkey using any secp256k1 library. Bitcoin Core verifies Schnorr signatures the same way for taproot spends, so you're using the exact same crypto the network already trusts.
Deterministic replay. Anyone holding the full contribution list can recompute the beacon from scratch using the formula above. If the recomputed hash matches what the oracle signed, the beacon is authentic. No black box. No "trust the API." Just hashes and signatures.
The oracle pubkey to verify against:
2bc78390c94d8bbb96ac3e6940462ba2812418d871e701c1a845fdb1dfd4a0e5
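The deterministic replay check described above, as an added example that is not PowForge's own code: it recomputes the beacon from a contribution list and compares it to the value the oracle returned. The byte encoding is an assumption (epoch_id as a decimal ASCII string, contribution hashes as 32-byte values sorted bytewise and concatenated raw), as is counting distinct hashes as a stand-in for the 5-contributor minimum; confirm both against the oracle before relying on the result.

```javascript
const crypto = require('crypto');

const MIN_CONTRIBUTIONS = 5; // from the page: at least 5 unique contributors
const HEX32 = /^[0-9a-f]{64}$/i;

function sha256(...parts) {
  const h = crypto.createHash('sha256');
  for (const p of parts) h.update(p);
  return h.digest();
}

// sha256("DRAW" || epoch_id || sha256(epoch_id || sorted_contribution_hashes_concat))
function recomputeBeacon(epochId, contributionHashesHex) {
  if (!Number.isSafeInteger(epochId) || epochId < 0) throw new Error('bad epoch_id');
  const distinct = new Set();
  for (const hex of contributionHashesHex) {
    if (!HEX32.test(hex)) throw new Error('contribution hash must be 32 bytes of hex');
    distinct.add(hex.toLowerCase());
  }
  if (distinct.size < MIN_CONTRIBUTIONS) {
    throw new Error('fewer than 5 distinct contributions: epoch cannot have sealed');
  }
  // Sorting removes any dependence on arrival order.
  const sorted = [...distinct].map((h) => Buffer.from(h, 'hex')).sort(Buffer.compare);
  const epoch = Buffer.from(String(epochId), 'ascii'); // ASSUMED encoding
  const inner = sha256(epoch, Buffer.concat(sorted));
  return sha256(Buffer.from('DRAW', 'ascii'), epoch, inner).toString('hex');
}

// True only if the published beacon_random equals the replayed value.
function replayMatches(epochId, contributionHashesHex, beaconRandomHex) {
  if (!HEX32.test(beaconRandomHex)) return false;
  const replayed = Buffer.from(recomputeBeacon(epochId, contributionHashesHex), 'hex');
  return crypto.timingSafeEqual(replayed, Buffer.from(beaconRandomHex, 'hex'));
}

// Constructed sample contributions (not real epoch data).
const sample = ['a', 'b', 'c', 'd', 'e'].map((s) => sha256(Buffer.from(s)).toString('hex'));
```

A replay match shows the beacon follows from the contribution list; the BIP-340 signature check against the oracle pubkey is a separate step.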
Where to point it
On-chain lotteries, game seeds, DLC oracle inputs, sampling for research, cryptographic commitments where you need to prove the seed wasn't picked after the fact. Anywhere a centralized RNG would make you nervous.
Free to contribute. 50 sats to fetch the signed result. Live now at powforge.dev/draw.
If you build something on top of it, send a link. I want to see what people use this for.