by tromp 1175 days ago
> Not random

The least significant bits of a bitcoin PoW hash behave pretty randomly. You could either bet on a fixed future block height, or on the first block past a given future timestamp...


This just relies on the pseudorandomness of SHA-256. You can skip a lot of waste and use SHA-256 directly.

No; it relies on practically nobody being able to control what the SHA-256 is applied to.

That's actually very easy to control. Just pay a high transaction fee. The nonce comes from a PRNG that doesn't have to pass many randomness checks. Your proposal really is no more random than a counter-based SHA256 PRNG except with an awfully high sample latency.