Published on: 2016-05-24T14:36:35+00:00
The email conversation posted discusses the issue of using random numbers in Bitcoin. A proposed solution is the use of the Bitcoin Beacon paper, which suggests deciding a random bit on the majority 1s or 0s of least significant bits taken from last block hashes. The protocol πbeacon is also examined, which outputs unpredictable and publicly verifiable randomness. The paper shows that πbeacon can be instantiated via Bitcoin under sensible assumptions, but provides an impossibility result that stems from the similarity between the Bitcoin model and Santha-Vazirani sources for cases in which the adversary has an infinite budget. The email also discusses the potential security risks of using multiple block hashes as a source of randomness, which can be mitigated by every miner needing to be bribed to control the results of the random numbers. Additionally, Eric Martindale mentions OP_DETERMINISTICRANDOM from the Elements Project as a possible solution. Finally, Jeremy Rubin suggests adding OP_XOR back and then using something like Blum's fair coin-flipping over the phone for these use cases.A protocol named πbeacon is examined in a paper by Iddo Bentov, Ariel Gabizon, and David Zuckerman that outputs unpredictable and publicly verifiable randomness. Bitcoin can be used to instantiate πbeacon under sensible assumptions. However, an impossibility result exists in case the adversary has an infinite budget as it stems from the similarity between the Bitcoin model and Santha-Vazirani sources. A hybrid protocol that combines trusted parties and a Bitcoin-based beacon is also provided. In a discussion on bitcoin-dev mailing list, Eric Martindale suggests taking a look at OP_DETERMINISTICRANDOM from the Elements Project as it aims to achieve a similar goal. Matthew Roberts explores the idea of using multiple block hashes as a source of randomness, but Johnson Lau points out that this does not make it any safer since the miner of the last block always determines the results. To protect the details of contracts using OP_PRANDOM from miners, pay-to-script-hash can be used, but there is still a non-zero risk of participants attempting to bribe a miner.The discussion on the bitcoin-dev mailing list revolves around the security of using OP_PRANDOM to generate random numbers. It is argued that OP_PRANDOM is not secure and adds extra validation overhead on a block composed of transactions spending an OP_PRANDOM output from different blocks. The suggestion is made to add OP_XOR back and use Blum's fair coin-flipping over the phone. However, there are limitations and issues with this approach. Another option suggested is to use OP_DETERMINISTICRANDOM from the Elements Project. There is also a discussion on the security aspect of using multiple block hashes as a source of randomness and how Pay-to-script-hash can be used to protect the details of contracts using OP_PRANDOM. The risk of a participant attempting to bribe a miner to control the results of the random numbers is considered low as the number of required bribes goes up.A suggestion was made to Matthew Roberts to take a look at OP_DETERMINISTICRANDOM from the Elements Project, as it aims to achieve a similar goal. The code for this can be found in the alpha branch. In response to this, Johnson Lau stated that using the hash of multiple blocks does not make it any safer and that the miner of the last block always determines the results. However, to protect the details of contracts that use OP_PRANDOM from the prying eyes of miners, Pay-to-script-hash can be used, and the inclusion of multiple block hashes as a source of randomness is a must. The risk approaches zero as N goes up. Matthew Roberts mentioned a possible solution where the hash of the proof of work hash could be used as part of the number, but he needs to sleep on it for now.The context is a discussion of the security of using multiple block hashes as a source of randomness. It is suggested that combining block hashes by taking the first N bits from each block hash to produce a single number may be a better approach than the current direction. Another suggestion is to use the hash of the proof of work hash as part of the number, making it infinitely expensive to manipulate the number. However, there is a non-zero risk of a participant in a contract attempting to bribe a miner, so the inclusion of multiple block hashes as a source of randomness is necessary. Every miner would effectively need to be bribed to ensure control over the results of the random numbers. Using Pay-to-script-hash can protect the details of contracts that use OP_PRANDOM from miners' prying eyes. The risk approaches zero as N goes up.In a discussion on the bitcoin-dev mailing list, Johnson Lau questioned the usefulness of using the hash of multiple blocks to secure transactions. He argued that since the miner of the last block ultimately determines the results, knowing the hashes of previous blocks doesn't make it any safer.
Updated on: 2023-08-01T18:23:34.670639+00:00