public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
* [bitcoin-dev] BIP: OP_PRANDOM
@ 2016-05-20 10:57 Matthew Roberts
  2016-05-20 11:34 ` Johnson Lau
  0 siblings, 1 reply; 8+ messages in thread
From: Matthew Roberts @ 2016-05-20 10:57 UTC (permalink / raw)
  To: bitcoin-dev

[-- Attachment #1: Type: text/plain, Size: 2553 bytes --]

== Background

OP_PRANDOM is a new op code for Bitcoin that pushes a pseudo-random number
to the top of the stack based on the next N block hashes. The source of the
pseudo-random number is defined as the XOR of the next N block hashes after
confirmation of a transaction containing the OP_PRANDOM encumbered output.
When a transaction containing the op code is redeemed, the transaction
receives a pseudo-random number based on the next N block hashes after
confirmation of the redeeming input. This means that transactions are also
effectively locked until at least N new blocks have been found.


== Rational

Making deterministic, verifiable, and trustless pseudo-random numbers
available for use in the Script language makes it possible to support a
number of new smart contracts. OP_PRANDOM would allow for the simplistic
creation of purely decentralized lotteries without the need for complicated
multi-party computation protocols. Gambling is also another possibility as
contracts can be written based on hashed commitments, with the winner
chosen if a given commitment is closest to the pseudo-random number.
OP_PRANDOM could also be used for cryptographically secure virtual asset
management such as rewards in video games and in other applications.


== Security

Pay-to-script-hash can be used to protect the details of contracts that use
OP_PRANDOM from the prying eyes of miners. However, since there is also a
non-zero risk that a participant in a contract may attempt to bribe a miner
the inclusion of multiple block hashes as a source of randomness is a must.
Every miner would effectively need to be bribed to ensure control over the
results of the random numbers, which is already very unlikely. The risk
approaches zero as N goes up.

There is however another issue: since the random numbers are based on a
changing blockchain, its problematic to use the next immediate block hashes
before the state is “final.” A safe default for accepting the blockchain
state as final would need to be agreed upon beforehand, otherwise you could
have multiple random outputs becoming valid simultaneously on different
forks.

A simple solution is not to reveal any commitments before the chain height
surpasses a certain point but this might not be an issue since only one
version will eventually make it into the final chain anyway -- though it is
something to think about.


== Outro

I'm not sure how secure this is or whether its a good idea so posting it
here for feedback

Thoughts?

[-- Attachment #2: Type: text/html, Size: 3317 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2016-05-24 14:37 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-05-20 10:57 [bitcoin-dev] BIP: OP_PRANDOM Matthew Roberts
2016-05-20 11:34 ` Johnson Lau
2016-05-20 14:30   ` James MacWhyte
2016-05-20 15:05   ` Matthew Roberts
2016-05-20 18:32     ` Eric Martindale
2016-05-22 13:30       ` Jeremy
2016-05-24 14:30         ` Sergio Demian Lerner
2016-05-24 14:36           ` Sergio Demian Lerner

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox