Is there a way to use the block chain as entropy in random number generator?

10

1

I want to create a transparent gambling/lotto site and use the block chain as entropy for lotto numbers, dice rolls, that kind of thing. Would the transaction hash of the latest transaction be the best way to do this? How often are transaction hashes created? How would you, programmatically, access them?

browep

Posted 2011-08-30T21:50:40.397

Reputation: 654

Question was closed 2011-09-21T00:51:01.393

1why off-topic? from the FAQ: " practical, answerable questions based on actual problems that you face". Seems pretty on-topic unless I am missing something.browep 2011-09-01T21:01:37.980

because it would be impractical to use Bitcoin for entropy in a gambling site. There are other easier ways to do this today. http://www.random.org/

ripper234 2011-09-02T06:55:24.667

1wouldn't "impractical" be up to me? The question is not about how to implement a gambling site, it's about using the blockchain as entropy. The use of it is irrelevant, it's still a valid question. And random.org doesn't solve all my problems.browep 2011-09-02T21:08:15.227

2This feels slightly off topic.ripper234 2011-08-30T23:06:10.250

1

It may be a valid question, but it's not a particularly bitcoinish one--smells more like programming technique to me, which should go on Stack Overflow.

eMansipater 2011-09-06T20:23:10.237

Answers

7

The Bitcoin Lottery used an SHA256 hash of the two most recent blocks to generate random data and to my recollection there were not too many complaints about that method they chose. In any case it's only good for 256 bits of questionably random data every 10 minutes (20 if you don't reuse blocks) so there are probably better entropy sources, such as the setup they've built over at random.org

David Perry

Posted 2011-08-30T21:50:40.397

Reputation: 13 848

2And here, "questionably random" means that given a suitably large reward and a suitably motivated miner this would absolutely be gamed.eMansipater 2011-09-06T20:25:38.097

1Actually a correct random implementation with Mersenne Twister would suffice. If people get paid, they don't care much about how do you generate the numbers. Joe Six Pack wants his price, not to know.flaab 2012-10-25T08:39:48.253

1

If I may answer with my stack overflow hat on...

Here's how I'd draw a random number in way that no participant can influence the result of.

Invite each player to pick a random number, x, and publish the hash(x). Once each hash has been published, each player should then reveal their x. With those x's, add them all together and hash the result. Use that final hash as the random value.

UPDATE: To work around the attack described in the comment below, use two rounds.

  1. Each player selects a randon number, x, and reveals hash(x).
  2. When all hashes have been revealed, each player reveals x.
  3. All x's are combined and hashed. y=hash(all x)
  4. Each player selects a new random number, z, and reveals hash(y+z).
  5. When all of the second round of hashes have been revealed, each player reveals z.
  6. All z's are combined and hashed. The result is used as the random value.

If the player has a prepared hash collision, they could only use it to select their prefered y value. This doesn't help because they would now need a way to find a collision where both inputs have the same prefix (y) which won't be known in advance. If you can do that in a timely manner, we all need a new hash function.

(I welcome comments. Its possible I've missed something else.)

billpg

Posted 2011-08-30T21:50:40.397

Reputation: 1 900

An attacker could find a hash collision where hash(a) = hash(b), publish the common hash value, and then observe the other players' revealed numbers before choosing whether to reveal a or b.JGWeissman 2011-09-16T22:26:19.490

@JGWeissman - I missed that. Thank you. I've updated the protocol to work around that issue. (Or maybe I've made it worse.)billpg 2011-09-22T18:37:08.250

Now an attacker with a hash collision on a and b can reveal in step 4 that hash(y+z) is the common hash of a and b, and then in step 5 choose to reveal either that z = a-y or that z = b-y.JGWeissman 2011-09-22T19:51:27.233

So, in step 4, require also that each player reveals hash(z).JGWeissman 2011-09-22T19:52:24.343

Ah, by + I meant concatenation, rather than addition. Anyway, I suggest we move this discussion to a different SE. I've taken the liberty of opening this Q. http://crypto.stackexchange.com/questions/767/how-to-fairly-produce-a-random-number-between-game-players-wihout-trusted-third-p

billpg 2011-09-23T23:47:32.730

@JFWeissman. There is no known collision attack for SHA-256. As long as a cryptographically secure hash is being used your attack is theoretical only.DeathAndTaxes 2011-10-09T03:15:08.183

1

Only sort of. The transaction hash is specifically chosen because it is smaller than some number X (--> difficulty factor), so it isn't fully random. However, it has a lot of entropy in the sense that it contains input from a lot of different, not predictable transactions. So you could use this hash as a seed for your RNG.

If you just want to generate lotto numbers and dice rolls, I'd say it's more important that you find a good random number generator (RNG) - you won't reseed that often anyway.

If you wanted to use the hash as the random number directly, there's a problem: you only get one hash every ~10 minutes. Not all that many random numbers.

Mononofu

Posted 2011-08-30T21:50:40.397

Reputation: 495

See my Python implementation to derive a random probability from a predetermined block height. This enables untrusted parties to use the Bitcoin blockchain as a cryptographic beacon, by just agreeing to a future block height.

See also On Bitcoin as a public randomness source and this related video.

Daniel Himmelstein 2017-11-29T19:20:51.043

0

You could scrape data from http://bitcoincharts.com/bitcoin/ to get the hashes of transactions that had just been submitted. It wouldn't super easy to do, but it'd be a constant source of fairly random data.

tysat

Posted 2011-08-30T21:50:40.397

Reputation: 1 421