Author

Topic: Are nonces predictable? (Read 271 times)

jr. member
Activity: 108
Merit: 1
March 28, 2019, 07:52:01 AM
#10
Given all answers, I think it will be better to use random.org :/ thanks, everyone
copper member
Activity: 1666
Merit: 1901
Amazon Prime Member #7
March 26, 2019, 10:33:53 PM
#9
You guys could point me a better option though.. The idea behind this game is to select a winner (or more) from a list of particpants. The game would announce something like: "we are at block 568903 - result at 569000 (using nonces as seeds from block 568996 to 569000)"
Using multiple blocks would avoid nonces comming from only a miner, right?

This was answered above
I'm not sure whether including multiple nonces would up the security level that much (ie. since an attacker would know the other nonces, they could adjust their nonce-"space" accordingly).

The miner of block 569000 (in your example) could mine trying to use a nonce that results in an outcome in its favor.

If you published the hash of the block numbers, plus extra "random text" you could avoid this attack vector because only you will know which blocks will be used until you disclose the result. You must include the additional text otherwise someone could brute force the block numbers.
legendary
Activity: 3122
Merit: 2178
Playgram - The Telegram Casino
March 26, 2019, 01:20:12 PM
#8
Nonce seems to be "random" enough, but few block analysis mention otherwise. Quoting from https://bitcoin.stackexchange.com/q/24650,

Edited: Apr 18

I wrote a small program to collect some statistical data. From recent Dogecoin block #186,299 to #145,000 (the last mandatory update)

total 41,300 blocks

    number of odds = 3,891 (9.42%)
    number of evens = 37,409 (90.58%)
        ratio of odd to even is about 1:10
    Among the evens, the number of multiples of 256 = 35,106
        85% of total
        93.866% of evens

Update: 4/20

I recently also checked the nonces from block 552,780 to 253,898 of Litecoin.

totally 298,883 blocks.

    number of odds = 42,963 (14.374521%)
    number of evens = 255,920 (85.625479%)
    Among the evens, the number of multiples of 256 = 225,746
        75.529890% of total


I wonder if this could be a self-fulfilling prophecy? As in in the early days some large miners may have done some analysis and found that something like 60% of the nonces were even, which could totally be explained by statistical variance of course but still some large miners may have decided to just look for even nonces based on these findings. This obviously skews the statistics more in favor of even nonces, because more hashrate is only looking for those nonces now. After some time you may find that 90% of the nonces turn out to be even as more and more miners stop looking at odd nonces like some kind of perpetually reinforced superstitious bias. I mean statistics don't lie. Wink

The most probable answer is already given in the quoted StackOverflow thread, namely that most Scrypt mining back in the day was done using GPUs that are big-endian (ie. the way that the GPUs in question worked favored even numbers over odd numbers) [1]. So in theory one should be able to find a correlation between the shift from GPUs to ASICs and an increased equilibrium of odd and even nonces.

[1] https://bitcoin.stackexchange.com/a/24893
legendary
Activity: 1246
Merit: 1000
March 26, 2019, 01:02:08 PM
#7
Nonce seems to be "random" enough, but few block analysis mention otherwise. Quoting from https://bitcoin.stackexchange.com/q/24650,

Edited: Apr 18

I wrote a small program to collect some statistical data. From recent Dogecoin block #186,299 to #145,000 (the last mandatory update)

total 41,300 blocks

    number of odds = 3,891 (9.42%)
    number of evens = 37,409 (90.58%)
        ratio of odd to even is about 1:10
    Among the evens, the number of multiples of 256 = 35,106
        85% of total
        93.866% of evens

Update: 4/20

I recently also checked the nonces from block 552,780 to 253,898 of Litecoin.

totally 298,883 blocks.

    number of odds = 42,963 (14.374521%)
    number of evens = 255,920 (85.625479%)
    Among the evens, the number of multiples of 256 = 225,746
        75.529890% of total


I wonder if this could be a self-fulfilling prophecy? As in in the early days some large miners may have done some analysis and found that something like 60% of the nonces were even, which could totally be explained by statistical variance of course but still some large miners may have decided to just look for even nonces based on these findings. This obviously skews the statistics more in favor of even nonces, because more hashrate is only looking for those nonces now. After some time you may find that 90% of the nonces turn out to be even as more and more miners stop looking at odd nonces like some kind of perpetually reinforced superstitious bias. I mean statistics don't lie. Wink
legendary
Activity: 1135
Merit: 1166
March 26, 2019, 12:41:11 PM
#6
You guys could point me a better option though.. The idea behind this game is to select a winner (or more) from a list of particpants. The game would announce something like: "we are at block 568903 - result at 569000 (using nonces as seeds from block 568996 to 569000)"
Using multiple blocks would avoid nonces comming from only a miner, right?

I think there are two commonly used approaches:  The first is to use the block hash instead of the nonce.  This way, it is way harder for a miner to manipulate it - but they still can if the game is worth really a lot of money.  Basically when they have solved a block but do not like the outcome of the game, they can decide to not publish the block and try again.  But that loses them a block reward - so is only worth it if your game is about more money than that.

The second is using a hash commitment - like what @ETFBitcoin proposed above.  You can have all participants of the game create random numbers and publish the hashes.  Then you base your game outcome on some combination of the numbers themselves (which the players have to reveal after everyone published their hash).  This ensures that noone knows the outcome (or can manipulate it) before the hashes are revealed, but also noone can change their number afterwards since that would invalidate the commitment.
jr. member
Activity: 108
Merit: 1
March 26, 2019, 12:20:30 PM
#5
Nonce seems to be "random" enough, but few block analysis mention otherwise. Quoting from https://bitcoin.stackexchange.com/q/24650,

Edited: Apr 18

I wrote a small program to collect some statistical data. From recent Dogecoin block #186,299 to #145,000 (the last mandatory update)

total 41,300 blocks

    number of odds = 3,891 (9.42%)
    number of evens = 37,409 (90.58%)
        ratio of odd to even is about 1:10
    Among the evens, the number of multiples of 256 = 35,106
        85% of total
        93.866% of evens

Update: 4/20

I recently also checked the nonces from block 552,780 to 253,898 of Litecoin.

totally 298,883 blocks.

    number of odds = 42,963 (14.374521%)
    number of evens = 255,920 (85.625479%)
    Among the evens, the number of multiples of 256 = 225,746
        75.529890% of total


Depending on your game and whether money is involved, using nonces isn't good idea. Set a number before game started and hash it with salting to keep fairness is better idea IMO.

Good info..

You guys could point me a better option though.. The idea behind this game is to select a winner (or more) from a list of particpants. The game would announce something like: "we are at block 568903 - result at 569000 (using nonces as seeds from block 568996 to 569000)"
Using multiple blocks would avoid nonces comming from only a miner, right?

This way we would have deterministic results from the algorithm.. The problem is the seed origin.. so I thought that nonces could be usefull..

Any thoughts?

hypothetically I could forge game results.. by using nonces, I couldn't
legendary
Activity: 3122
Merit: 2178
Playgram - The Telegram Casino
March 26, 2019, 10:33:51 AM
#4
I guess given a proper mangling of the input even a single nonce should be sufficient for most purposes (eg. the SHA256 of a predetermined public server seed + nonce should be unpredictable enough for a single random outcome. A much slower cryptographic hash would likely be preferable though). I'm not sure whether including multiple nonces would up the security level that much (ie. since an attacker would know the other nonces, they could adjust their nonce-"space" accordingly). But like I said, I'm not sure whether such an attack would be viable to begin with.
jr. member
Activity: 108
Merit: 1
March 26, 2019, 10:09:08 AM
#3
So making a sum with like 5 block nonces would avoid this possible attack vector I suppose.. I just want to make sure that no one can predict results in a collective game.. Just getting some thoughts
legendary
Activity: 3122
Merit: 2178
Playgram - The Telegram Casino
March 26, 2019, 09:40:56 AM
#2
While you can't predict which nonce is going to be the correct one (ie. a valid nonce for successfully mining a block) a miner could in theory only search for the correct nonce within a given subset of nonces and not necessarily lessen their chance for finding the correct one (eg. the chance to find a valid nonce within the subset of even numbers is as high as the chance of finding a valid nonce within the subset of odd numbers). So at least in theory a miner can manipulate which nonces hit the blockchain. Not sure how viable such an attack would be in practice though.
jr. member
Activity: 108
Merit: 1
March 26, 2019, 09:30:18 AM
#1
In a hipotetic game that uses nonces as seed I mean.. would it be OK to use nonces for this purpose?
Jump to: