This is a method for emulating the OP_RAND opcode on Bitcoin through a trustless interactive game between transaction counterparties. The game result is probabilistic, and no party can cheat to increase their chance of winning at any step of the protocol. The protocol's transactions are indistinguishable from ordinary ones to any external party, and it requires no special scripts or Bitcoin protocol updates.

OP_RAND allows two users (currently) to create a set of transactions such that the UTXO of the final one can be spent with some probability by each counterparty. For that, OP_RAND uses:
- Commitments: The challenger creates commitments to random values, only one of which is used to form the final address. The acceptor must also create a commitment to their final public key, without knowing whether it will be spendable.
- Zero-Knowledge Proofs: To prove the correctness of all actions between challenger and acceptor (while hiding the secret data), it uses Noir circuits with the Barretenberg backend.
- Bitcoin Script: OP_RAND requires no update to the Bitcoin protocol and no new opcodes.
- Interactive Protocol: Two-party commit-reveal scheme
- True Randomness: Cryptographically secure 50/50 outcomes
- Trustless: No third parties or oracles required
- Private: Commitment selection hidden until revelation
- Verifiable: All parties can verify proof correctness
- Fast: Efficient zero-knowledge proof generation and verification
- Economic: Winner-takes-all incentive mechanism
- Stealthy: Appears as normal Bitcoin transactions
The project consists of several key components:

- `op-rand-types` - Fundamental data structures and commitment types
- `op-rand-prover` - Zero-knowledge proof generation and verification using Barretenberg
- `op-rand-transaction-builder` - Bitcoin transaction construction utilities
- `apps/cli` - Full-featured command-line interface for protocol interaction
- `circuits/crates/challenger_circuit` - ZK circuit for challenger proofs
- `circuits/crates/acceptor_circuit` - ZK circuit for acceptor proofs
- `circuits/crates/common` - Shared cryptographic utilities
```bash
# Clone the repository
git clone https://github.com/distributed-lab/op_rand
cd op_rand

# Build the project
cargo build --release

# Install the CLI globally
cargo install --path apps/cli
op-rand-cli --help
```
Create a `config.toml` file:

```toml
# Your Bitcoin private key (WIF format)
private_key = "cVt4o7BGAig1UXywgGSmARhxMdzP5qvQsxKkSsc1XEkw3tDTQFpy"

# Esplora API endpoint
esplora_url = "https://blockstream.info/testnet/api"

# Bitcoin network (testnet, regtest, bitcoin)
network = "testnet"
```
Security Warning: Never use mainnet private keys with real funds in development environments.
```bash
# Create a 100,000 satoshi challenge
op-rand-cli create-challenge --amount 100000 --locktime 144

# This creates:
# - challenger.json (share with acceptor)
# - private_challenger.json (keep secret)
```

```bash
# Inspect the challenge first
op-rand-cli info --challenge-file challenger.json

# Accept the challenge by selecting a commitment
op-rand-cli accept-challenge \
  --challenge-file challenger.json \
  --selected-commitment 0

# This creates:
# - acceptor.json (send back to challenger)
```

```bash
# Finalize and broadcast the challenge
op-rand-cli complete-challenge \
  --challenger-file challenger.json \
  --challenger-private-file private_challenger.json \
  --acceptor-file acceptor.json

# Returns: Transaction ID and reveals the random outcome
```

```bash
# The winner can spend the locked funds
op-rand-cli try-spend \
  --challenge-tx "transaction_hex_from_previous_step" \
  --challenger # or --acceptor depending on who won
```
- CLI Reference - Complete command-line interface documentation
- Research Paper - "Emulating OP_RAND in Bitcoin" by Rarimo Protocol
- Commitment Phase: Challenger generates cryptographic commitments to secret values
- Challenge Creation: Zero-knowledge proof demonstrates commitment validity
- Acceptance Phase: Acceptor blindly selects one commitment and provides their own proof
- Revelation Phase: Challenger reveals selected commitment, determining the winner
- Settlement Phase: Winner can claim the locked Bitcoin funds
- Unpredictability: Neither party can predict the outcome
- Fairness: Each party has exactly 50% probability of winning
- Binding: Commitments cannot be changed after creation
- Hiding: Commitment selection remains private until revelation
- Verifiability: All proofs can be independently verified
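The commit-reveal flow and the binding/hiding/fairness properties above, as an added model that is not part of the op_rand repository: SHA-256 hash commitments stand in for the project's commitments, and a full post-game opening of both commitments stands in for the Noir/Barretenberg proof that the commitment set is well formed (the class names, `well_formed`, `play`, `fairness_check` and `binding_check` are this example's own). The challenger commits to two outcomes in a secret order, the acceptor picks an index blind, the challenger opens it, and the opened label decides the winner; a challenger who tries to change the opening after seeing the choice is rejected by the commitment check.

```python
# Added example, not project code: a minimal model of the commit-reveal coin flip.
import hashlib
import random
from dataclasses import dataclass

CHALLENGER, ACCEPTOR = "challenger", "acceptor"


@dataclass(frozen=True)
class Opening:
    winner: str   # which party this commitment awards the funds to
    nonce: bytes  # 32 fresh random bytes: makes the commitment hiding


def commit(opening: Opening) -> bytes:
    """Binding and hiding commitment: SHA-256 over the label and a fresh nonce."""
    return hashlib.sha256(opening.winner.encode() + b"|" + opening.nonce).digest()


def verify_opening(commitment: bytes, opening: Opening) -> bool:
    """Accept an opening only if it recomputes to the published commitment."""
    return commit(opening) == commitment


class Challenger:
    """Commits to two outcomes in a secret, uniformly random order."""

    def __init__(self, rng=None):
        rng = rng or random.SystemRandom()   # CSPRNG unless a seeded rng is injected
        labels = [CHALLENGER, ACCEPTOR]
        if rng.randrange(2):                 # secret coin: which index favours whom
            labels.reverse()
        self.openings = [Opening(w, rng.getrandbits(256).to_bytes(32, "big")) for w in labels]
        self.commitments = [commit(o) for o in self.openings]   # published to the acceptor

    @classmethod
    def deterministic(cls, seed: int) -> "Challenger":
        """Seeded construction, for reproducible tests only (never for real play)."""
        return cls(random.Random(seed))

    def reveal(self, index: int) -> Opening:
        return self.openings[index]


def well_formed(commitments, openings) -> bool:
    """Stand-in for the challenger ZK proof: two valid openings, one per outcome.

    In the real protocol this is checked in zero knowledge before selection; here
    it is checked by opening everything after the game, so hiding is preserved.
    """
    return (len(commitments) == len(openings) == 2
            and all(verify_opening(c, o) for c, o in zip(commitments, openings))
            and {o.winner for o in openings} == {CHALLENGER, ACCEPTOR})


def play(challenger: Challenger, choice: int) -> str:
    """Acceptor picks an index blind; challenger opens it; acceptor verifies."""
    opening = challenger.reveal(choice)
    if not verify_opening(challenger.commitments[choice], opening):
        raise ValueError("reveal does not match commitment")
    if not well_formed(challenger.commitments, challenger.openings):
        raise ValueError("commitment set is not a valid 50/50 challenge")
    return opening.winner


def fairness_check(seed: int) -> bool:
    """Over both possible acceptor choices the challenger wins exactly once."""
    c = Challenger.deterministic(seed)
    return sum(play(c, i) == CHALLENGER for i in (0, 1)) == 1


def binding_check(seed: int) -> bool:
    """A challenger who swaps the label after seeing the choice is caught."""
    c = Challenger.deterministic(seed)
    honest = c.reveal(0)
    swapped = ACCEPTOR if honest.winner == CHALLENGER else CHALLENGER
    forged = Opening(swapped, honest.nonce)   # same nonce, different outcome
    return not verify_opening(c.commitments[0], forged)


if __name__ == "__main__":
    game = Challenger()
    print("commitments:", [c.hex()[:16] for c in game.commitments])
    print("winner when acceptor picks index 1:", play(game, 1))
```

The acceptor learns nothing from the two 32-byte digests before choosing, so the outcome is uniform over the acceptor's blind pick; the later `well_formed` check is what keeps the challenger from committing to two "challenger wins" labels, which is the role the ZK proof plays in the real protocol without opening the unselected commitment.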
The protocol uses two main ZK circuits:
- Challenger Circuit: Proves knowledge of commitment secrets without revealing them
- Acceptor Circuit: Proves valid signature and commitment selection
```
op_rand/
├── apps/
│   └── cli/                     # Command-line interface
├── crates/
│   ├── types/                   # Core data structures
│   ├── prover/                  # ZK proof system
│   └── transaction-builder/     # Bitcoin transaction utilities
├── circuits/
│   └── crates/
│       ├── challenger_circuit/  # Challenger ZK circuit
│       ├── acceptor_circuit/    # Acceptor ZK circuit
│       └── common/              # Shared circuit utilities
└── target/                      # Build artifacts
```
Developed by Distributed Lab
- CLI Documentation
- Research Paper
- Support for P2TR addresses
- Implement flexible probability (better than 1/n)
Special thanks to passport-zk-circuits-noir contributors for secp256k1 circuits which were instrumental in implementing the cryptographic primitives for this project.
Build trustless randomness on Bitcoin with cryptographic guarantees.