π
Original date posted:2016-05-20
π Original message:== Background
OP_PRANDOM is a new op code for Bitcoin that pushes a pseudo-random number
to the top of the stack based on the next N block hashes. The source of the
pseudo-random number is defined as the XOR of the next N block hashes after
confirmation of a transaction containing the OP_PRANDOM encumbered output.
When a transaction containing the op code is redeemed, the transaction
receives a pseudo-random number based on the next N block hashes after
confirmation of the redeeming input. This means that transactions are also
effectively locked until at least N new blocks have been found.
== Rational
Making deterministic, verifiable, and trustless pseudo-random numbers
available for use in the Script language makes it possible to support a
number of new smart contracts. OP_PRANDOM would allow for the simplistic
creation of purely decentralized lotteries without the need for complicated
multi-party computation protocols. Gambling is also another possibility as
contracts can be written based on hashed commitments, with the winner
chosen if a given commitment is closest to the pseudo-random number.
OP_PRANDOM could also be used for cryptographically secure virtual asset
management such as rewards in video games and in other applications.
== Security
Pay-to-script-hash can be used to protect the details of contracts that use
OP_PRANDOM from the prying eyes of miners. However, since there is also a
non-zero risk that a participant in a contract may attempt to bribe a miner
the inclusion of multiple block hashes as a source of randomness is a must.
Every miner would effectively need to be bribed to ensure control over the
results of the random numbers, which is already very unlikely. The risk
approaches zero as N goes up.
There is however another issue: since the random numbers are based on a
changing blockchain, its problematic to use the next immediate block hashes
before the state is βfinal.β A safe default for accepting the blockchain
state as final would need to be agreed upon beforehand, otherwise you could
have multiple random outputs becoming valid simultaneously on different
forks.
A simple solution is not to reveal any commitments before the chain height
surpasses a certain point but this might not be an issue since only one
version will eventually make it into the final chain anyway -- though it is
something to think about.
== Outro
I'm not sure how secure this is or whether its a good idea so posting it
here for feedback
Thoughts?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160520/951fcc41/attachment.html>;
Matthew Roberts [ARCHIVE] /
npub12fβ¦k0jt6
2023-06-07 17:50:54
in reply to nevent1qβ¦j92s
Author Public Key
npub12ftsvulestm9ztkjkgkl7cfurm6u6dau835evhcs3jwxyctn4y6qsk0jt6Seen on
wss://relay.noswhere.comPublished at
2023-06-07 17:50:54Event JSON
{
"id": "ece69594abb584b9796515189ac1730580465b229250bd990062fcb2bb8e0715",
"pubkey": "52570673f982f6512ed2b22dff613c1ef5cd37bc3c69965f108c9c626173a934",
"created_at": 1686160254,
"kind": 1,
"tags": [
[
"e",
"bfc4a6cf67c142fa452617fc9aee29b5337b5198d13bd22094049bf77aa4fad0",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "π
Original date posted:2016-05-20\nπ Original message:== Background\n\nOP_PRANDOM is a new op code for Bitcoin that pushes a pseudo-random number\nto the top of the stack based on the next N block hashes. The source of the\npseudo-random number is defined as the XOR of the next N block hashes after\nconfirmation of a transaction containing the OP_PRANDOM encumbered output.\nWhen a transaction containing the op code is redeemed, the transaction\nreceives a pseudo-random number based on the next N block hashes after\nconfirmation of the redeeming input. This means that transactions are also\neffectively locked until at least N new blocks have been found.\n\n\n== Rational\n\nMaking deterministic, verifiable, and trustless pseudo-random numbers\navailable for use in the Script language makes it possible to support a\nnumber of new smart contracts. OP_PRANDOM would allow for the simplistic\ncreation of purely decentralized lotteries without the need for complicated\nmulti-party computation protocols. Gambling is also another possibility as\ncontracts can be written based on hashed commitments, with the winner\nchosen if a given commitment is closest to the pseudo-random number.\nOP_PRANDOM could also be used for cryptographically secure virtual asset\nmanagement such as rewards in video games and in other applications.\n\n\n== Security\n\nPay-to-script-hash can be used to protect the details of contracts that use\nOP_PRANDOM from the prying eyes of miners. However, since there is also a\nnon-zero risk that a participant in a contract may attempt to bribe a miner\nthe inclusion of multiple block hashes as a source of randomness is a must.\nEvery miner would effectively need to be bribed to ensure control over the\nresults of the random numbers, which is already very unlikely. The risk\napproaches zero as N goes up.\n\nThere is however another issue: since the random numbers are based on a\nchanging blockchain, its problematic to use the next immediate block hashes\nbefore the state is βfinal.β A safe default for accepting the blockchain\nstate as final would need to be agreed upon beforehand, otherwise you could\nhave multiple random outputs becoming valid simultaneously on different\nforks.\n\nA simple solution is not to reveal any commitments before the chain height\nsurpasses a certain point but this might not be an issue since only one\nversion will eventually make it into the final chain anyway -- though it is\nsomething to think about.\n\n\n== Outro\n\nI'm not sure how secure this is or whether its a good idea so posting it\nhere for feedback\n\nThoughts?\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160520/951fcc41/attachment.html\u003e",
"sig": "c82e9cb489a1833a3eccadea8e6ef1618002b17c7f165a5e3bbb83690e35fb643e63a9a07ad9d1ff0f5629f6f0eb4638559585b0dc555fbff72c676ea117a6ec"
}