From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 43E83323 for ; Fri, 20 May 2016 18:42:06 +0000 (UTC) X-Greylist: delayed 00:09:47 by SQLgrey-1.7.6 Received: from mail.ericmartindale.com (mail.ericmartindale.com [192.237.162.6]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 876C717F for ; Fri, 20 May 2016 18:42:05 +0000 (UTC) Received: from authenticated-user (unknown [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.ericmartindale.com (Postfix) with ESMTPSA id 55A2EA0235 for ; Fri, 20 May 2016 18:32:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=ericmartindale.com; s=mail; t=1463769137; bh=DAsDwNAbZi1YkmY9FlQ88IR52NU9gpme5Tegvz3UXR8=; h=References:In-Reply-To:From:Date:Subject:To:From; b=HbwdyEUU/KAoJrh21wy5a7WXkteIKDhY8pByUHk1mbSkn4rsj+ic4Hz8hFfYufoyq j44Sok/8WdFI/uw6d0gKrOM2SE02Fo/P3LgRERDPOWfSWSuQ/VhmXWQ4mzdQ5SNSaq 7QYFqWcNH4qlm6/AQgE6dTdwG9hGUKzEI3PFVU3I= Received: from authenticated-user (unknown [127.0.0.1]) for ; Fri, 20 May 2016 11:32:17 -0700 (PDT) X-Gm-Message-State: AOPr4FUx3wBWGo4+rJxDPvDis1l8VH50YBmuo8mfMllhu3r0afuPRt8R2+GSnH95oNxuLSyK0W7mTS//8KqCpQ== X-Received: by 10.36.73.146 with SMTP id e18mr3994895itd.80.1463769136953; Fri, 20 May 2016 11:32:16 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Eric Martindale Date: Fri, 20 May 2016 18:32:07 +0000 X-Gmail-Original-Message-ID: Message-ID: To: Matthew Roberts , Bitcoin Protocol Discussion , Johnson Lau Content-Type: multipart/alternative; boundary=001a11445ee87115ff05334a4fc6 X-Spam-Status: No, score=-3.2 required=5.0 tests=BAYES_00,DKIM_SIGNED, HTML_MESSAGE, RP_MATCHES_RCVD, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] BIP: OP_PRANDOM X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 May 2016 18:42:06 -0000 --001a11445ee87115ff05334a4fc6 Content-Type: text/plain; charset=UTF-8 Matthew, You should take a look at OP_DETERMINISTICRANDOM [1] from the Elements Project. It aims to achieve a similar goal. Code is in the `alpha` branch [2]. [1]: https://www.elementsproject.org/elements/opcodes/ [2]: https://github.com/ElementsProject/elements/blob/alpha/src/script/interpreter.cpp#L1252-L1305 On Fri, May 20, 2016 at 8:29 AM Matthew Roberts via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > Good point, to be honest. Maybe there's a better way to combine the block > hashes like taking the first N bits from each block hash to produce a > single number but the direction that this is going in doesn't seem ideal. > > I just asked a friend about this problem and he mentioned using the hash > of the proof of work hash as part of the number so you have to throw away a > valid POW if it doesn't give you the hash you want. I suppose its possible > to make it infinitely expensive to manipulate the number but I can't think > of anything better than that for now. > > I need to sleep on this for now but let me know if anyone has any better > ideas. > > > > On Fri, May 20, 2016 at 6:34 AM, Johnson Lau wrote: > >> Using the hash of multiple blocks does not make it any safer. The miner >> of the last block always determines the results, by knowing the hashes of >> all previous blocks. >> >> >> == Security >> >> Pay-to-script-hash can be used to protect the details of contracts that >> use OP_PRANDOM from the prying eyes of miners. However, since there is also >> a non-zero risk that a participant in a contract may attempt to bribe a >> miner the inclusion of multiple block hashes as a source of randomness is a >> must. Every miner would effectively need to be bribed to ensure control >> over the results of the random numbers, which is already very unlikely. The >> risk approaches zero as N goes up. >> >> >> > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --001a11445ee87115ff05334a4fc6 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Matthew,

You should take a look at OP_D= ETERMINISTICRANDOM [1] from the Elements Project.=C2=A0 It aims to achieve = a similar goal.

Code is in the `alpha` branch [2].

On Fri, May 20, 2016 at 8:29 AM Matthew = Roberts via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
Good point, to be honest.= Maybe there's a better way to combine the block hashes like taking the= first N bits from each block hash to produce a single number but the direc= tion that this is going in doesn't seem ideal.

I jus= t asked a friend about this problem and he mentioned using the hash of the = proof of work hash as part of the number so you have to throw away a valid = POW if it doesn't give you the hash you want. I suppose its possible to= make it infinitely expensive to manipulate the number but I can't thin= k of anything better than that for now.

I need to sleep o= n this for now but let me know if anyone has any better ideas.



On Fri, May 20, 2016 at 6:34 AM, Johnson Lau <jl2012@xbt.hk> wrote:
Using the hash of multiple blocks does not make it any safer. The = miner of the last block always determines the results, by knowing the hashe= s of all previous blocks.

=

=3D=3D Security

Pay-to-script-hash can be used to protect the details of contracts that use OP_PRANDOM from the prying eyes of miners. However, since there is also a non-zero risk that a participant in a contract may attempt to bribe a miner the inclusion of multiple block hashes as a source of randomness is a must. Every miner would effectively need to be bribed to ensure control over the results of the random numbers, which is already very unlikely. The risk approaches zero as N goes up.



_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--001a11445ee87115ff05334a4fc6--