Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id B51998B0 for ; Fri, 20 May 2016 10:57:47 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-io0-f170.google.com (mail-io0-f170.google.com [209.85.223.170]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 1B1C919B for ; Fri, 20 May 2016 10:57:47 +0000 (UTC) Received: by mail-io0-f170.google.com with SMTP id t40so49180576ioi.0 for ; Fri, 20 May 2016 03:57:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=roberts-pm.20150623.gappssmtp.com; s=20150623; h=mime-version:date:message-id:subject:from:to; bh=1mNx+CKa8L6Aopv88sLH4ZX1tzjl5Dzea4RDk4pFhnA=; b=0mrdCwJU8idRZpTLyYaTkLFpo6v+vvWb1ZE/+MssF4li5x4mcQXtEXF6pztYTtO+hJ hq+I9Qwwvpu+apTxyLc1gV6EpmzpU6y21akPhJbaCbWNl+P4GJ/uLQi7rckCnAY/GRrf ewifgCpmPIuVQwIoZFyNUfjIV7AwIZydZyHXOMh4tWHwUQIexYKzI0jVDgP+I18D3u1G /BS9KM/DFFIBIzkoC1Vos1yZXIFHbkkwQaZenLob3kzTrnN/grY6GIgpuGIsW3KW02dX sdp3RfqS1OeBYbns9pBTIMPGZKFbCOpu384BWKMh66y7qG74LWtyMsI4sERM3jKdh/V1 YSpQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to; bh=1mNx+CKa8L6Aopv88sLH4ZX1tzjl5Dzea4RDk4pFhnA=; b=g5cxcYg2PiM8NaNuJAuRbHi87qFZLxWWUZaRMnXwGYLIA1NftqMU5dxnSkAVicHeuC ybWiAjCIh7ogg/pnXRro2vqQQkM+cwZqNKvIgya/Z9hy4GltbYSxTUW10C3Xn5dsF+7O uuWpLPASMzptWZjbe49H9zBiu6NAz6iKJ64fssfQPuYpq/5ZTLC3cn87SYjSk7Pm8Czu P8jnv/DBp/5xeD9Tlizhsawhbx5hXmeEYEvUcdI/EYkv/hyvLx4EbLkzmGXbLDthz1pp ZSGPOOLAWCaCJ4AfQ/qcfQvf+AhxC2LZZ4PPNpkrbgpss8tQHI2iqkPuJcEjla1CCMbB AbGw== X-Gm-Message-State: AOPr4FVzcUWht6W3iSmgnPgwOjziuccZ5gGYRlDusmEyy03IO2wFWdjwXB5gFqhFWQ6EnxSOgWxeBBBhVHTO9Q== MIME-Version: 1.0 X-Received: by 10.107.154.130 with SMTP id c124mr2537714ioe.169.1463741866321; Fri, 20 May 2016 03:57:46 -0700 (PDT) Received: by 10.107.198.10 with HTTP; Fri, 20 May 2016 03:57:46 -0700 (PDT) X-Originating-IP: [115.70.56.56] Date: Fri, 20 May 2016 05:57:46 -0500 Message-ID: From: Matthew Roberts To: bitcoin-dev@lists.linuxfoundation.org Content-Type: multipart/alternative; boundary=001a1140f6bafc741c053343f5b8 X-Spam-Status: No, score=-1.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SUBJ_ALL_CAPS autolearn=no version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Fri, 20 May 2016 11:25:21 +0000 Subject: [bitcoin-dev] BIP: OP_PRANDOM X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 May 2016 10:57:47 -0000 --001a1140f6bafc741c053343f5b8 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable =3D=3D Background OP_PRANDOM is a new op code for Bitcoin that pushes a pseudo-random number to the top of the stack based on the next N block hashes. The source of the pseudo-random number is defined as the XOR of the next N block hashes after confirmation of a transaction containing the OP_PRANDOM encumbered output. When a transaction containing the op code is redeemed, the transaction receives a pseudo-random number based on the next N block hashes after confirmation of the redeeming input. This means that transactions are also effectively locked until at least N new blocks have been found. =3D=3D Rational Making deterministic, verifiable, and trustless pseudo-random numbers available for use in the Script language makes it possible to support a number of new smart contracts. OP_PRANDOM would allow for the simplistic creation of purely decentralized lotteries without the need for complicated multi-party computation protocols. Gambling is also another possibility as contracts can be written based on hashed commitments, with the winner chosen if a given commitment is closest to the pseudo-random number. OP_PRANDOM could also be used for cryptographically secure virtual asset management such as rewards in video games and in other applications. =3D=3D Security Pay-to-script-hash can be used to protect the details of contracts that use OP_PRANDOM from the prying eyes of miners. However, since there is also a non-zero risk that a participant in a contract may attempt to bribe a miner the inclusion of multiple block hashes as a source of randomness is a must. Every miner would effectively need to be bribed to ensure control over the results of the random numbers, which is already very unlikely. The risk approaches zero as N goes up. There is however another issue: since the random numbers are based on a changing blockchain, its problematic to use the next immediate block hashes before the state is =E2=80=9Cfinal.=E2=80=9D A safe default for accepting t= he blockchain state as final would need to be agreed upon beforehand, otherwise you could have multiple random outputs becoming valid simultaneously on different forks. A simple solution is not to reveal any commitments before the chain height surpasses a certain point but this might not be an issue since only one version will eventually make it into the final chain anyway -- though it is something to think about. =3D=3D Outro I'm not sure how secure this is or whether its a good idea so posting it here for feedback Thoughts? --001a1140f6bafc741c053343f5b8 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
=09 =09 =09 =09

=3D=3D Background

OP_PRANDOM is a new op code for Bitcoin that pushes a pseudo-random number to the top of the stack based on the next N block hashes. The source of the pseudo-random number is defined as the XOR of the next N block hashes after confirmation of a transaction containing the OP_PRANDOM encumbered output. When a transaction containing the op code is redeemed, the transaction receives a pseudo-random number based on the next N block hashes after confirmation of the redeeming input. This means that transactions are also effectively locked until at least N new blocks have been found.


=3D=3D Rational

Making deterministic, verifiable, and trustless pseudo-random numbers available for use in the Script language makes it possible to support a number of new smart contracts. OP_PRANDOM would allow for the simplistic creation of purely decentralized lotteries without the need for complicated multi-party computation protocols. Gambling is also another possibility as contracts can be written based on hashed commitments, with the winner chosen if a given commitment is closest to the pseudo-random number. OP_PRANDOM could also be used for cryptographically secure virtual asset management such as rewards in video games and in other applications.


=3D=3D Security

Pay-to-script-hash can be used to protect the details of contracts that use OP_PRANDOM from the prying eyes of miners. However, since there is also a non-zero risk that a participant in a contract may attempt to bribe a miner the inclusion of multiple block hashes as a source of randomness is a must. Every miner would effectively need to be bribed to ensure control over the results of the random numbers, which is already very unlikely. The risk approaches zero as N goes up.

There is however another issue: since the random numbers are based on a changing blockchain, its problematic to use the next immediate block hashes before the state is =E2=80=9Cfinal.=E2=80=9D A safe default for accepting t= he blockchain state as final would need to be agreed upon beforehand, otherwis= e you could have multiple random outputs becoming valid simultaneously on different forks.

A simpl= e solution is not to reveal any commitments before the chain height surpass= es a certain point but this might not be an issue since only one version will eventually make it into the final chain anyway -- though it is somethi= ng to think about.


=3D=3D Outro

I'm not sure how secure this is or whether its a good idea so posting it here for feedback

Thoughts?

--001a1140f6bafc741c053343f5b8--