RandomX is a proof-of-work (PoW) algorithm that is optimized for general-purpose CPUs. RandomX uses random code execution (hence the name) together with several memory-hard techniques to minimize the efficiency advantage of specialized hardware.
RandomX utilizes a virtual machine that executes programs in a special instruction set that consists of integer math, floating point math and branches. These programs can be translated into the CPU's native machine code on the fly (example: program.asm). At the end, the outputs of the executed programs are consolidated into a 256-bit result using a cryptographic hashing function (Blake2b).
RandomX can operate in two main modes with different memory requirements:
- Fast mode - requires 2080 MiB of shared memory.
- Light mode - requires only 256 MiB of shared memory, but runs significantly slower
Both modes are interchangeable as they give the same results. The fast mode is suitable for "mining", while the light mode is expected to be used only for proof verification.
Full specification is available in specs.md.
Design description and analysis is available in design.md.
Between May and August 2019, RandomX was audited by 4 independent security research teams:
- Trail of Bits (28 000 USD)
- X41 D-SEC (42 000 EUR)
- Kudelski Security (18 250 CHF)
- QuarksLab (52 800 USD)
The first audit was generously funded by Arweave, one of the early adopters of RandomX. The remaining three audits were funded by donations from the Monero community. All four audits were coordinated by OSTIF.
Final reports from all four audits are available in the audits directory. None of the audits found any critical vulnerabilities, but several changes in the algorithm and the code were made as a direct result of the audits. More details can be found in the final report by OSTIF.
RandomX is written in C++11 and builds a static library with a C API provided by header file randomx.h. Minimal API usage example is provided in api-example1.c. The reference code includes a randomx-benchmark
and randomx-tests
executables for testing.
Build dependencies: cmake
(minimum 3.5) and gcc
(minimum version 4.8, but version 7+ is recommended).
To build optimized binaries for your machine, run:
git clone https://github.com/tevador/RandomX.git
cd RandomX
mkdir build && cd build
cmake -DARCH=native ..
make
To build portable binaries, omit the ARCH
option when executing cmake.
On Windows, it is possible to build using MinGW (same procedure as on Linux) or using Visual Studio (solution file is provided).
Precompiled randomx-benchmark
binaries are available on the Releases page.
RandomX was primarily designed as a PoW algorithm for Monero. The recommended usage is following:
- The key
K
is selected to be the hash of a block in the blockchain - this block is called the 'key block'. For optimal mining and verification performance, the key should change every 2048 blocks (~2.8 days) and there should be a delay of 64 blocks (~2 hours) between the key block and the change of the keyK
. This can be achieved by changing the key whenblockHeight % 2048 == 64
and selecting key block such thatkeyBlockHeight % 2048 == 0
. - The input
H
is the standard hashing blob with a selected nonce value.
RandomX was successfully activated on the Monero network on the 30th November 2019.
If you wish to use RandomX as a PoW algorithm for your cryptocurrency, please follow the configuration guidelines.
Note: To achieve ASIC resistance, the key K
must change and must not be miner-selectable. We recommend to use blockchain data as the key in a similar way to the Monero example above. If blockchain data cannot be used for some reason, use a predefined sequence of keys.
The table below lists the performance of selected CPUs using the optimal number of threads (T) and large pages (if possible), in hashes per second (H/s). "CNv4" refers to the CryptoNight variant 4 (CN/R) hashrate measured using XMRig v2.14.1. "Fast mode" and "Light mode" are the two modes of RandomX.
CPU | RAM | OS | AES | CNv4 | Fast mode | Light mode |
---|---|---|---|---|---|---|
Intel Core i9-9900K | 32G DDR4-3200 | Windows 10 | hw | 660 (8T) | 5770 (8T) | 1160 (16T) |
AMD Ryzen 7 1700 | 16G DDR4-2666 | Ubuntu 16.04 | hw | 520 (8T) | 4100 (8T) | 620 (16T) |
Intel Core i7-8550U | 16G DDR4-2400 | Windows 10 | hw | 200 (4T) | 1700 (4T) | 350 (8T) |
Intel Core i3-3220 | 4G DDR3-1333 | Ubuntu 16.04 | soft | 42 (4T) | 510 (4T) | 150 (4T) |
Raspberry Pi 3 | 1G LPDDR2 | Ubuntu 16.04 | soft | 3.5 (4T) | - | 20 (4T) |
Note that RandomX currently includes a JIT compiler for x86-64, ARM64 and RISCV64. Other architectures have to use the portable interpreter, which is much slower.
SChernykh is developing GPU mining code for RandomX. Benchmarks are included in the following repositories:
- CUDA miner - NVIDIA GPUs.
- OpenCL miner - only for AMD Vega and AMD Polaris GPUs (uses GCN machine code).
The code from the above repositories is included in the open source miner XMRig.
Note that GPUs are at a disadvantage when running RandomX since the algorithm was designed to be efficient on CPUs.
Most Intel and AMD CPUs made since 2011 should be fairly efficient at RandomX. More specifically, efficient mining requires:
- 64-bit architecture
- IEEE 754 compliant floating point unit
- Hardware AES support (AES-NI extension for x86, Cryptography extensions for ARMv8)
- 16 KiB of L1 cache, 256 KiB of L2 cache and 2 MiB of L3 cache per mining thread
- Support for large memory pages
- At least 2.5 GiB of free RAM per NUMA node
- Multiple memory channels may be required:
- DDR3 memory is limited to about 1500-2000 H/s per channel (depending on frequency and timings)
- DDR4 memory is limited to about 4000-6000 H/s per channel (depending on frequency and timings)
Due to the way the algorithm works, mining malware is much easier to detect. RandomX Sniffer is a proof of concept tool that can detect illicit mining activity on Windows.
Efficient mining requires more than 2 GiB of memory, which also disqualifies many low-end machines such as IoT devices, which are often parts of large botnets.
Web mining is infeasible due to the large memory requirement and the lack of directed rounding support for floating point operations in both Javascript and WebAssembly.
RandomX uses only operations that are guaranteed to give correctly rounded results by the IEEE 754 standard: addition, subtraction, multiplication, division and square root. Special care is taken to avoid corner cases such as NaN values or denormals.
The reference implementation has been validated on the following platforms:
- x86 (32-bit, little-endian)
- x86-64 (64-bit, little-endian)
- ARMv7+VFPv3 (32-bit, little-endian)
- ARMv8 (64-bit, little-endian)
- PPC64 (64-bit, big-endian)
- RISCV64 (64-bit, little-endian)
RandomX generates multiple unique programs for every hash, so FPGAs cannot dynamically reconfigure their circuitry because typical FPGA takes tens of seconds to load a bitstream. It is also not possible to generate bitstreams for RandomX programs in advance due to the sheer number of combinations (there are 2512 unique programs).
Sufficiently large FPGAs can mine RandomX in a soft microprocessor configuration by emulating a CPU. Under these circumstances, an FPGA will be much less efficient than a CPU or a specialized chip (ASIC).
- tevador - author
- SChernykh - contributed significantly to the design of RandomX
- hyc - original idea of using random code execution for PoW
- Other contributors
RandomX uses some source code from the following 3rd party repositories:
- Argon2d, Blake2b hashing functions: https://github.com/P-H-C/phc-winner-argon2
The author of RandomX declares no competing financial interest.
If you'd like to use RandomX, please consider donating to help cover the development cost of the algorithm.
Author's XMR address:
845xHUh5GvfHwc2R8DVJCE7BT2sd4YEcmjG8GNSdmeNsP5DTEjXd1CNgxTcjHjiFuthRHAoVEJjM7GyKzQKLJtbd56xbh7V
Total donations received: ~3.86 XMR (as of 30th August 2019). Thanks to all contributors.