Topic: Are transaction hashes predictable? (Read 3695 times)

True.  If you had 30 minutes of hashing post-block, it would pretty much guarantee no blocks would be tossed in the name of the lottery.  Chances are, another block would be found in those 30 minutes, so no miner would hold it while quadrillion-hashing it to find out whether it contains the correct hash.

The downside is, you'd have to set a specific block number or date/time interval as the "lottery" block.  I would like to see a solution where the block that a transaction is included in is the block that determines whether that person is a winner.  It'd be more or less as "instant win" as one could get with a lottery based on the block chain.  Simply browsing over to blockexplorer, then clicking on the transaction hash and comparing it to the block hash would be ideal.

You could also hash the end block hash a few quadrillion times to make it impossible for miners to predict the result in a reasonable timeframe.

Hmmmm... not sure that I agree, but let's see what the calculations say.

If a miner bought 1,000 tickets for 1 BTC each on a 1 in 10,000 chance jackpot, then he technically has a 1 in 10 chance of the next block matching one of his tickets.  Now also say he has 10 GH/s of hashing power, so he has about 1 in 800 chance of finding the next block.  In total then, his chances of himself finding a block that matches one of his tickets is 1 in 8,000.

In order for him to toss his block and find another one, the jackpot would need to be at least 50 * 8,000, or 400,000 BTC.  Otherwise, it wouldn't be worth it given his chances - he would rather take the 50 BTC from finding a block.

Even if he had 100 GH/s of hashing power, the jackpot would need to be at least 50 * 800, or 40,000 BTC, in order for him to toss his block.

If he had bought half the tickets AND had 100 GH/s of hashing power, the jackpot would need to be at least 50 * 160, or 8,000 BTC, in order for him to toss his block.

That last scenario might be what you were envisioning.  I don't think the jackpot has to necessarily be greater than the odds, but it just depends on how much hashing power the miner in question has.  I suppose the NAV would have to be low enough to ensure that it wouldn't be worth tossing a block even to the person with the greatest amount of hashing power, no matter how many tickets are bought.  To protect against Tycho using his 3500 GH/s of hashing power maliciously, for instance, the jackpot would need to be less than 228 BTC with 1 in 10,000 odds.

Tell me if I'm wrong, but this makes sense to me at any rate.

The only issue would come from lottery where reward rolls over if their is no jackpot winner but the tickets are good for one drawing only (like all traditional real world state lottos).  In that instance it is possible for each ticket to have a greater than 1 NAV (i.e. a 1 BTC ticket could be worth 1.2 BTC).  A creative miner then could submit a large number of tickets and attempt to mine blocks until he wins. 

Still even then it would require a significant amount of hashing power to be a plausible attack and would only be viable when the lotto award is greater than average chance to win (i.e. 1 in 10,000 chance to win jackpot on 1 BTC ticket but jackpot is estimated to be 11,800 BTC). 

I don't think it becomes an issue no matter what size the lottery is.

Think about it.  If the prize is 100,000 BTC, and the tickets are 1 BTC each, then for a lottery that is set up properly, there'll be a less than 1/100,000 chance that the block hash will match a transaction hash that a miner might try to match (say, their own entry).  So a miner would have to come across a block that both matches the difficulty criteria AND matches the 1/100,000 chance in order to win on their own ticket.  And no one is going to throw away a 50 BTC block on the off chance that they might find another block with the right 1/100,000 hash.

As long as the ticket cost is less than the block reward, there's no reason to worry about a miner purposefully trying to alter the outcome of a lottery.

Your methods mostly stop the users from cheating. There would be nothing that prevents the operator from cheating either by not submitting blocks or even sharing the secret password/key with a small percentage of people. I tried that method to. Ultimately I ended up moving to using mega million numbers for the "cheat proof" element.

Using block hashes is good enough AS LONG as the reward is smaller than the block reward. Even if the prize was bigger it would make more sense for someone to mine for 50 BTC than to throw away a block for a slim chance of winning 100 BTC. BUT as the prize gets really big it becomes an issue. 

I have a simple way to make it nearly impossible for anyone to cheat (including operators of large mining pools).


X = "Secret Password"
Y = hash("Secret Password")
Z = hash(hash("Secret Password"))


1) The person conducting the lottery makes up X and keeps it secret.  (Make sure it is a very long password).  
2) The person conducting the lottery keeps Y secret.
3) The person conducting the lottery posts Z publicly.  Z is not yet used for anything.
4) Specify to everyone who is going to be betting what block hash will be used.
5) Bets are taken.  (No more bets are taken before or after this step).
6) Wait for the block to be created and wait for 6-12 blocks after that.
7) Use Y and the block hash to produce a random number that is used to determine the result of the lottery.
8) The person conducting the lottery publicly posts Y (and optionally X).  If the hash of Y doesn't produce Z, the person conducting the lottery is shown to be cheating.  (However, the person conducting the lottery could just run away with your BTC without needing to make a fake X/Y/Z, so this is not something I need to protect against).



If the hashing method and secret password are sufficiently strong, then I only weakness I see is that if the person conducting the lottery is also the operator of a large mining pool the he could choose to forfeit valid blocks to alter the results of the lottery.






After writing this post, I realized there might be an even easier way -- use asymmetric encryption.
-Keep the private key private and the public key public.
-Encrypt the block hash with private key.
-Verify the result with public key.
-Use the same key set every time (since your private key will not be revealed).

You seem to have missed the rest of the discussion. 

They could simply generate a ton of transactions until their hash matched.

Right, we're on the same page with that one then.

Nothing wrong if the number of the block that will be taken as reference is decided in advance and you close the bet before the block that precedes the chosen block is issued.
The block hash cannot be manipulated to match a given bet.
But someone can place a bet that matches a block he found right before submitting the block on the network.
If bets are tied to transactions, there is a good way to rule this out : stipulate that valid bets are bets which transaction was already confirmed at the time the reference block was found.
In that case, you don't even need a reference block. The first block that matches any of the previously confirmed transactions designates the winner.

How could someone use a nonce as a ticket?  The nonce is created by the miner finding the block, and doesn't require said miner to actually purchase a ticket by sending coins to an address.  This makes no sense to me.

So what's wrong with simply using last 5 of transaction hash = last 5 of block hash in a future block?

A simple way of being sure that no-one including the operator can cheat by using the information of the target pattern is to use a pattern that hasn't yet been generated at the time the betting takes place.
The process that generates the value of reference must be random and not easily controllable by any one.
You can use for instance the N last bytes of a future block hash.
Or the hash of the close price of some large stock index.
 

Nnonce is the ticket.   000000 is the proof

Actually.... that's a good point.  As long as the entry fee is lower than the block reward, it should be fine.  No one is going to throw away a block when they have equal chances of winning just by buying another ticket.

Real-world data is a nice touch.  Easily verifiable, indisputable, and no one can modify it.

You need to use MegaMillions or Powerball values in the hash. Then you rely on an already never-been-hacked ultra-secure method to generate the winning number. If they hacked the lottery, $300 million is gonna be their goal, not our chump change.

e:^^damn, beat to the punch again.
2nd e: beat to the punch twice. goodness. my speed reading is only in my mind, apparently.

The higher the prize the more someone may try cheating by manipulating what blocks they submit. I decided to add real world data from the mega millions lottery to eliminate any cheating for my lottery. Cheating block hashes would be pretty hard though. It would have to be worth the effort as they would be throwing away 50 BTC every time they didn't submit the block AND they would be racing to do it before someone else submitted one. It would be tricky. Not impossible though. 

You can't find perfect hash without hashing.  There is no shortcut.  If there was I could find solution to every single block in a millisecond.

The only way an attacker can attack the lottery is by mining.  When mining against a block you hash a nonce, check it, if valid publish, if not valid try another nonce.  On average it takes quadrillions of attempts to find a solution to the block.

There is no shortcut.  Even if a miner knew that hash x gets him 1000 BTC he can't find x without randomly trying hashes until he finds it.

Hashes by definition are one way transactions (something) -> (hash).  You can't go (hash)->(something).  If you can then SHA-256 is broken and Bitcoin is in serious trouble.

Just thought of something though - a person wouldn't necessarily have to mine x number of blocks in a row in order to "cheat" with this scheme, they just have to find the perfect hash in the future block selected that would match their transaction hash to win the lottery.

Eh, I don't like it.  Even basing it on both block hashes and transaction hashes, it's still full of holes and messy as all getout.

That doesn't fix the problem at all.  I just look back 6 or 8 blocks for entries I made before submitting a block instead of looking back 1 block.