References: <CAAEDBiEB_RXBjrLB8kDb52bJOwZK-arVeHA_9LyoDgAraLKHNg@mail.gmail.com>
	<CBBB62CD-2E30-4C9F-962E-3F340B29EDA7@xbt.hk>
	<CAAEDBiE08h=+8ntQ=mMyA0jaxj2H_6r2k0u4GdOhEkFNYEAhYQ@mail.gmail.com>
In-Reply-To: <CAAEDBiE08h=+8ntQ=mMyA0jaxj2H_6r2k0u4GdOhEkFNYEAhYQ@mail.gmail.com>
From: Eric Martindale <eric@ericmartindale.com>
Date: Fri, 20 May 2016 18:32:07 +0000
Message-ID: <CAAf19WpiJDeVxi12mR8xFdjZttVYNRbsgYZzLxn2SLZDJYJHDQ@mail.gmail.com>
To: Matthew Roberts <matthew@roberts.pm>, 
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
	Johnson Lau <jl2012@xbt.hk>
Subject: Re: [bitcoin-dev] BIP: OP_PRANDOM

Matthew,

You should take a look at OP_DETERMINISTICRANDOM [1] from the Elements
Project.  It aims to achieve a similar goal.

Code is in the `alpha` branch [2].

[1]: https://www.elementsproject.org/elements/opcodes/
[2]: https://github.com/ElementsProject/elements/blob/alpha/src/script/interpreter.cpp#L1252-L1305

On Fri, May 20, 2016 at 8:29 AM Matthew Roberts via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Good point, to be honest. Maybe there's a better way to combine the block
> hashes like taking the first N bits from each block hash to produce a
> single number but the direction that this is going in doesn't seem ideal.
>
> I just asked a friend about this problem and he mentioned using the hash
> of the proof of work hash as part of the number so you have to throw away a
> valid POW if it doesn't give you the hash you want. I suppose it's possible
> to make it infinitely expensive to manipulate the number but I can't think
> of anything better than that for now.
>
> I need to sleep on this for now but let me know if anyone has any better
> ideas.
>
>
>
> On Fri, May 20, 2016 at 6:34 AM, Johnson Lau <jl2012@xbt.hk> wrote:
>
>> Using the hash of multiple blocks does not make it any safer. The miner
>> of the last block always determines the results, by knowing the hashes of
>> all previous blocks.
>>
>>
>> == Security
>>
>> Pay-to-script-hash can be used to protect the details of contracts that
>> use OP_PRANDOM from the prying eyes of miners. However, since there is also
>> a non-zero risk that a participant in a contract may attempt to bribe a
>> miner, the inclusion of multiple block hashes as a source of randomness is a
>> must. Every miner would effectively need to be bribed to ensure control
>> over the results of the random numbers, which is already very unlikely. The
>> risk approaches zero as N goes up.
>>
>>
>>
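Johnson Lau's point above (the miner of the last block determines the result no matter how many earlier hashes are mixed in), as an added example that is not part of this thread or of the OP_PRANDOM draft: a constructed toy chain in Python where the final miner evaluates k valid candidate blocks against the already-known earlier hashes. `block_hash`, `combine`, `honest_chain`, `last_miner_outcomes` and the nonce values are all assumptions made here, not Bitcoin's real header format or any proposed opcode semantics; the `bits_per_hash` variant models the "first N bits of each hash" idea floated in the thread.

```python
import hashlib


def block_hash(prev_hash: bytes, nonce: int) -> bytes:
    """Constructed stand-in for a block hash: SHA-256 over the parent's hash and
    a nonce. Not Bitcoin's header format; it only needs to make each candidate
    block a miner could publish hash to a different value."""
    return hashlib.sha256(prev_hash + nonce.to_bytes(4, "big")).digest()


def combine(hashes, bits_per_hash=None) -> int:
    """Combine N block hashes into one number: SHA-256 of the concatenation
    (default), or the first `bits_per_hash` bits of each hash concatenated
    (the variant suggested in the thread)."""
    if bits_per_hash is None:
        return int.from_bytes(hashlib.sha256(b"".join(hashes)).digest(), "big")
    out = 0
    for h in hashes:
        out = (out << bits_per_hash) | (int.from_bytes(h, "big") >> (256 - bits_per_hash))
    return out


def honest_chain(n_blocks: int, seed: bytes = b"constructed genesis") -> list:
    """Constructed chain of n_blocks hashes, each committing to its parent."""
    hashes, prev = [], hashlib.sha256(seed).digest()
    for height in range(n_blocks):
        prev = block_hash(prev, height)
        hashes.append(prev)
    return hashes


def last_miner_outcomes(prev_hashes, k_candidates: int, bits_per_hash=None) -> set:
    """Random numbers the miner of the final block can steer to. It already
    knows every earlier hash, so each of its k valid candidate blocks maps to
    a known outcome; it publishes the one it prefers and withholds the rest.
    The size of this set depends on k, not on len(prev_hashes)."""
    outcomes = set()
    for nonce in range(1_000, 1_000 + k_candidates):  # constructed candidate nonces
        final = block_hash(prev_hashes[-1], nonce)
        outcomes.add(combine(prev_hashes + [final], bits_per_hash))
    return outcomes


def choices_for(n_prev: int, k_candidates: int, bits_per_hash=None) -> int:
    """How many distinct results the last miner can pick between when n_prev
    already-mined blocks feed the combination (N = n_prev + 1 hashes)."""
    return len(last_miner_outcomes(honest_chain(n_prev), k_candidates, bits_per_hash))


if __name__ == "__main__":
    for n_prev in (1, 5, 20):
        print(f"N={n_prev + 1:>2} hashes combined: last miner chooses among "
              f"{choices_for(n_prev, 8)} outcomes (sha256 of concatenation)")
```

With the first-bits variant the earlier blocks' contributions are fixed bits that every candidate shares, so the last miner's choice set is exactly the set of distinct contributions its own candidate blocks can supply.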
