From: Matthew Roberts <matthew@roberts•pm>
To: bitcoin-dev@lists•linuxfoundation.org
Subject: [bitcoin-dev] BIP: OP_PRANDOM
Date: Fri, 20 May 2016 05:57:46 -0500 [thread overview]
Message-ID: <CAAEDBiEB_RXBjrLB8kDb52bJOwZK-arVeHA_9LyoDgAraLKHNg@mail.gmail.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 2553 bytes --]
== Background
OP_PRANDOM is a new op code for Bitcoin that pushes a pseudo-random number
to the top of the stack based on the next N block hashes. The source of the
pseudo-random number is defined as the XOR of the next N block hashes after
confirmation of a transaction containing the OP_PRANDOM encumbered output.
When a transaction containing the op code is redeemed, the transaction
receives a pseudo-random number based on the next N block hashes after
confirmation of the redeeming input. This means that transactions are also
effectively locked until at least N new blocks have been found.
== Rational
Making deterministic, verifiable, and trustless pseudo-random numbers
available for use in the Script language makes it possible to support a
number of new smart contracts. OP_PRANDOM would allow for the simplistic
creation of purely decentralized lotteries without the need for complicated
multi-party computation protocols. Gambling is also another possibility as
contracts can be written based on hashed commitments, with the winner
chosen if a given commitment is closest to the pseudo-random number.
OP_PRANDOM could also be used for cryptographically secure virtual asset
management such as rewards in video games and in other applications.
== Security
Pay-to-script-hash can be used to protect the details of contracts that use
OP_PRANDOM from the prying eyes of miners. However, since there is also a
non-zero risk that a participant in a contract may attempt to bribe a miner
the inclusion of multiple block hashes as a source of randomness is a must.
Every miner would effectively need to be bribed to ensure control over the
results of the random numbers, which is already very unlikely. The risk
approaches zero as N goes up.
There is however another issue: since the random numbers are based on a
changing blockchain, its problematic to use the next immediate block hashes
before the state is “final.” A safe default for accepting the blockchain
state as final would need to be agreed upon beforehand, otherwise you could
have multiple random outputs becoming valid simultaneously on different
forks.
A simple solution is not to reveal any commitments before the chain height
surpasses a certain point but this might not be an issue since only one
version will eventually make it into the final chain anyway -- though it is
something to think about.
== Outro
I'm not sure how secure this is or whether its a good idea so posting it
here for feedback
Thoughts?
[-- Attachment #2: Type: text/html, Size: 3317 bytes --]
next reply other threads:[~2016-05-20 10:57 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-20 10:57 Matthew Roberts [this message]
2016-05-20 11:34 ` Johnson Lau
2016-05-20 14:30 ` James MacWhyte
2016-05-20 15:05 ` Matthew Roberts
2016-05-20 18:32 ` Eric Martindale
2016-05-22 13:30 ` Jeremy
2016-05-24 14:30 ` Sergio Demian Lerner
2016-05-24 14:36 ` Sergio Demian Lerner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAAEDBiEB_RXBjrLB8kDb52bJOwZK-arVeHA_9LyoDgAraLKHNg@mail.gmail.com \
--to=matthew@roberts$(echo .)pm \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox