Are transaction hashes predictable? - page 2.

dooglus

legendary

Activity: 2940

Merit: 1330

Quote from: SgtSpike on November 14, 2011, 01:21:12 PM

I'd rather be able to tell someone instantly whether they were a winner or not.

If you can tell someone instantly whether they won or not, you could tell your buddy whether he was about to win or not before he made his entry. It seems like you can't have instant decidability as well as having it be impossible for you to cheat.

DeathAndTaxes

donator

Activity: 1218

Merit: 1079

Gerald Davis

Quote from: SgtSpike on November 14, 2011, 01:21:12 PM

So it'd have to be something more like 6 or 8 blocks in the future, to ensure no one can hold blocks to try and win. But, that's not really ideal... I'd rather be able to tell someone instantly whether they were a winner or not.

Well you just need to work out the math. Essentially you want the "gain" from withholding a block and continuing to look for a block that wins the lottery to be < that gain from just submitting a block. If there is no economic incentive to rig the drawing then likely it won't be rigged. If there is an economic incentive to rig the drawing then it will be rigged.

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: DeathAndTaxes on November 14, 2011, 01:07:38 PM

Quote from: SgtSpike on November 14, 2011, 01:00:36 PM

Well, with #1, I was thinking that someone could attempt to find the secret. I suppose if it's long enough though, it'd be secure.

Passing is the solution.

If you just hashed a secret it would be easy to find.

If you only hash the secret and it is number "123" it would be trivial to hash every single number until you find it.

By padding you make that impossible.
"The winning ticket is: 123 This is some random data to make brute forcing the secret impossible 37849374238947389437438942738943"

The entropy of that random sequence at the end makes brute forcing the hash impossible.

Quote

If the last two chars of the transaction hash + the last two chars of the next block hash = 3f, you win.

That certainly works as long as the prize isn't so large that once could withhold blocks and try to force a particular result. Given block rewards are 50BTC that provide a large incentive for someone to not cheat. If the prize is 100 BTC then is no reason to withhold a block attempting to get a larger payout from prize pool (essentially gambling your block against cheating the lottery). On the other hand if the prize was 100,000 BTC then the block reward would be insufficient to prevent cheating.

So it'd have to be something more like 6 or 8 blocks in the future, to ensure no one can hold blocks to try and win. But, that's not really ideal... I'd rather be able to tell someone instantly whether they were a winner or not.

DeathAndTaxes

donator

Activity: 1218

Merit: 1079

Gerald Davis

Quote from: SgtSpike on November 14, 2011, 01:00:36 PM

Well, with #1, I was thinking that someone could attempt to find the secret. I suppose if it's long enough though, it'd be secure.

Passing is the solution.

If you just hashed a secret it would be easy to find.

If you only hash the secret and it is number "123" it would be trivial to hash every single number until you find it.

By padding you make that impossible.
"The winning ticket is: 123 This is some random data to make brute forcing the secret impossible 37849374238947389437438942738943"

The entropy of that random sequence at the end makes brute forcing the hash impossible.

Quote

If the last two chars of the transaction hash + the last two chars of the next block hash = 3f, you win.

That certainly works as long as the prize isn't so large that once could withhold blocks and try to force a particular result. Given block rewards are 50BTC that provide a large incentive for someone to not cheat. If the prize is 100 BTC then is no reason to withhold a block attempting to get a larger payout from prize pool (essentially gambling your block against cheating the lottery). On the other hand if the prize was 100,000 BTC then the block reward would be insufficient to prevent cheating.

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: DeathAndTaxes on November 14, 2011, 12:50:38 PM

Quote from: SgtSpike on November 14, 2011, 12:46:00 PM

Quote from: DeathAndTaxes on November 14, 2011, 12:28:59 PM

Quote from: SgtSpike on November 14, 2011, 12:15:42 PM

How would people know that I didn't just change the Secret if someone won so that the person wouldn't win?

The published hash of secret.

Quote from: pc on November 13, 2011, 08:54:33 PM

Come up with a random Secret, hash it, and publish Hash(Secret).

After you announce a winner & the secret people can hash the secret themselves and compare it to the hashed secret you provided at the beginning of the "game".

So there is no risk of you changing the secret. The risk comes from you giving away the secret. "Pst. try transactions until you get one which matches this secret and we will split the prize".

Got it. So I certainly wouldn't want to give away the secret or the hashing method of the secret, but the hashed result of the secret allows people to verify that I'm not cheating them...

Well two clarifications
1) you DO want to give away the hashing method. You know Bitcoin uses SHA-256 hashes but that doesn't let you cheat. You can't just finds a nonce from a required hash. If you don't give away the exact hashing method then nobody can verify your work

2) You CAN still cheat. You can't cheat by changing the secret after the fact but you CAN cheat by giving someone else (or yourself) the secret so they can only submit a winning ticket.

Well, with #1, I was thinking that someone could attempt to find the secret. I suppose if it's long enough though, it'd be secure.

Eh, good point on #2. That kind of puts the whole idea back to square 1.

What about something like this:

If the last two chars of the transaction hash + the last two chars of the next block hash = 3f, you win.

DeathAndTaxes

donator

Activity: 1218

Merit: 1079

Gerald Davis

Quote from: SgtSpike on November 14, 2011, 12:46:00 PM

Quote from: DeathAndTaxes on November 14, 2011, 12:28:59 PM

Quote from: SgtSpike on November 14, 2011, 12:15:42 PM

How would people know that I didn't just change the Secret if someone won so that the person wouldn't win?

The published hash of secret.

Quote from: pc on November 13, 2011, 08:54:33 PM

Come up with a random Secret, hash it, and publish Hash(Secret).

After you announce a winner & the secret people can hash the secret themselves and compare it to the hashed secret you provided at the beginning of the "game".

So there is no risk of you changing the secret. The risk comes from you giving away the secret. "Pst. try transactions until you get one which matches this secret and we will split the prize".

Got it. So I certainly wouldn't want to give away the secret or the hashing method of the secret, but the hashed result of the secret allows people to verify that I'm not cheating them...

Well two clarifications
1) you DO want to give away the hashing method. You know Bitcoin uses SHA-256 hashes but that doesn't let you cheat. You can't just finds a nonce from a required hash. If you don't give away the exact hashing method then nobody can verify your work

2) You CAN still cheat. You can't cheat by changing the secret after the fact but you CAN cheat by giving someone else (or yourself) the secret so they can only submit a winning ticket.

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: DeathAndTaxes on November 14, 2011, 12:28:59 PM

Quote from: SgtSpike on November 14, 2011, 12:15:42 PM

How would people know that I didn't just change the Secret if someone won so that the person wouldn't win?

The published hash of secret.

Quote from: pc on November 13, 2011, 08:54:33 PM

Come up with a random Secret, hash it, and publish Hash(Secret).

After you announce a winner & the secret people can hash the secret themselves and compare it to the hashed secret you provided at the beginning of the "game".

So there is no risk of you changing the secret. The risk comes from you giving away the secret. "Pst. try transactions until you get one which matches this secret and we will split the prize".

Got it. So I certainly wouldn't want to give away the secret or the hashing method of the secret, but the hashed result of the secret allows people to verify that I'm not cheating them...

DeathAndTaxes

donator

Activity: 1218

Merit: 1079

Gerald Davis

Quote from: SgtSpike on November 14, 2011, 12:15:42 PM

How would people know that I didn't just change the Secret if someone won so that the person wouldn't win?

The published hash of secret.

Quote from: pc on November 13, 2011, 08:54:33 PM

Come up with a random Secret, hash it, and publish Hash(Secret).

After you announce a winner & the secret people can hash the secret themselves and compare it to the hashed secret you provided at the beginning of the "game".

So there is no risk of you changing the secret. The risk comes from you giving away the secret. "Pst. try transactions until you get one which matches this secret and we will split the prize".

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: pc on November 13, 2011, 08:54:33 PM

You might be able to do something instant-like like this:

Come up with a random Secret, hash it, and publish Hash(Secret).
People submit transactions to you. You only validate a winner after a few confirmations (so it's not quite "instant")
If Hash(Secret+TransactionHash) starts with the Magic Numbers (00 or whatever), then the transaction wins.
You can then publish the Secret, so people can verify that the winning transaction in fact qualifies, and that no prior transaction qualified.

You'd need to handle if more than one winning transaction was found in the same block, perhaps by splitting the pot among them.

How would people know that I didn't just change the Secret if someone won so that the person wouldn't win?

pc

sr. member

Activity: 253

Merit: 250

You might be able to do something instant-like like this:

Come up with a random Secret, hash it, and publish Hash(Secret).
People submit transactions to you. You only validate a winner after a few confirmations (so it's not quite "instant")
If Hash(Secret+TransactionHash) starts with the Magic Numbers (00 or whatever), then the transaction wins.
You can then publish the Secret, so people can verify that the winning transaction in fact qualifies, and that no prior transaction qualified.

You'd need to handle if more than one winning transaction was found in the same block, perhaps by splitting the pot among them.

bitlotto

hero member

Activity: 672

Merit: 500

BitLotto - best odds + best payouts + cheat-proof

I was trying at one time to make a lottery where the winner would be instant if they had a certain string at the beginning of the hash. Until I realized that the user could just re-do the transactions over and over without broadcasting it until they got what they wanted. That's pretty much why for BitLotto no one knows the winning string till after all the transactions are in. That way no one knows what to manipulate it to.

theymos

administrator

Activity: 5166

Merit: 12850

Quote from: SgtSpike on November 11, 2011, 06:20:22 PM

The block hashes and transaction hashes are both hexidecimal. Are there any characters that would be more likely to appear at the beginning or the end, just based on the algorithms used? I know that certain letters/numbers at the beginning of bitcoin addresses can be harder to find, because they show up less often as results in the algorithm used to create a public bitcoin address, so I am wondering if there is any similar quirks to the hashing of blocks or transactions...?

Block hashes must start with a certain number of zeroes, and the first digits after the zeroes will also be non-random. Probably the bits at the end are random, though I would hash the hash to make sure.

Each bit of cryptographic hash output is supposed to (ideally) have an equal chance of being a 1 or a 0.

casascius

vip

Activity: 1386

Merit: 1136

The Casascius 1oz 10BTC Silver Round (w/ Gold B)

Realistically, I am not sure that most people necessarily care that their gambling games are cryptographically provable as random. I mean, that's nice and all, and don't stop providing cryptographic proof just because I said this. But proof should be an advanced feature that is visible as no more than an "advanced" hyperlink in these games, so the geeks among us can check it out. The irony I see, I suppose, is that those of us who are geeky enough to understand the cryptographic proof, already understand that gambling is a losing proposition, and will probably do it just enough to check out the site and not much further.

But I have always said that PokerStars will make Bitcoin big if they ever do poker. That, in spite of the fact that there's already quite a few little one-man poker sites that accept Bitcoin, that probably won't make much of a difference by themselves.

The difference I suppose, is that PokerStars has an enormous marketing budget.

Secondarily, PokerStars presumably has good controls against collusion. That doesn't mean collusion is impossible, but a one-man poker stop is never going to have as sophisticated controls just by nature.

dooglus

legendary

Activity: 2940

Merit: 1330

Quote from: dooglus on November 11, 2011, 05:05:52 PM

Since the coins used in a transaction are randomly selected by the client, you may well be able to get a hash beginning with the required byte if you have enough private keys with funds on them, and enough patience.

Even simpler, you can keep attempting to spend the same amount from the same private key(s), but send the change to a different new address each time. That's enough to change the transaction hash.

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: theymos on November 11, 2011, 05:56:05 PM

Transaction hashes could be used if you have some secret data that you combine with the hash. Then the lottery manager can manipulate things, though.

Block hashes can be used for randomness pretty safely after you hash them again to remove the leading zeroes. If you have a lottery that pays out much more than the block reward you might want to combine the hashes of several consecutive blocks (and maybe also their Merkle roots), since miners could try "re-rolling" a few times.

Makes sense. A winning ticket could be the combination of characters from the current and next block hash, plus characters from the transaction hash itself.

One other question then...

The block hashes and transaction hashes are both hexidecimal. Are there any characters that would be more likely to appear at the beginning or the end, just based on the algorithms used? I know that certain letters/numbers at the beginning of bitcoin addresses can be harder to find, because they show up less often as results in the algorithm used to create a public bitcoin address, so I am wondering if there is any similar quirks to the hashing of blocks or transactions...?

theymos

administrator

Activity: 5166

Merit: 12850

Transaction hashes could be used if you have some secret data that you combine with the hash. Then the lottery manager can manipulate things, though.

Block hashes can be used for randomness pretty safely after you hash them again to remove the leading zeroes. If you have a lottery that pays out much more than the block reward you might want to combine the hashes of several consecutive blocks (and maybe also their Merkle roots), since miners could try "re-rolling" a few times.

casascius

vip

Activity: 1386

Merit: 1136

The Casascius 1oz 10BTC Silver Round (w/ Gold B)

I might have misunderstood the question.

If you want to gamble on the hash of the incoming transaction, it is easily exploitable. One can calculate the hash of the payment they are about to make, and simply avoid sending it to the network if it doesn't meet the winning criteria. They can try again, using different inputs or reordering them, rolling the dice repeatedly until they get the transaction hash prefix they want.

The fact that the Bitcoin client sends the transaction immediately without confirming the hash with the user isn't much of a defense to this. This confirmation step would be trivial to add by someone looking to exploit it.

SgtSpike

legendary

Activity: 1400

Merit: 1005

Cool, thanks for the info.

DeathAndTaxes

donator

Activity: 1218

Merit: 1079

Gerald Davis

Quote from: SgtSpike on November 11, 2011, 05:06:37 PM

So, if I understand you correctly, the transaction hash is created when the transaction is created, not when the transaction is included in a block? Therefore, whoever is creating the transaction can just try different combinations until the hash matches what they want?

Correct. Transactions have a transaction hash. Blocks have a block hash. For a block hash to be valid it has to be below the target which is determined by difficulty. When we are hashing a block we are looking for a "small enough" block hash. The transaction hashes and the merkle tree of all transactions in the block have already been determined.

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: DeathAndTaxes on November 11, 2011, 04:48:39 PM

Quote from: SgtSpike on November 11, 2011, 04:39:42 PM

Just curious... are transaction hashes predictable at all?

This is really a sub-question of a much broader question, which is, could the transaction hash be used to determine the winner of a lottery? In other words, if I said, the first person to send 1 BTC to this address, and gets a transaction hash beginning with 3f, is there any way a person could abuse it to where they only actually complete the transaction if the hash begins with that 3f?

The way you worded it is unclear. Who is abusing what? Why would someone only want the transaction if it begins with 3f?

If you are saying you are making a lottery and the winner is someone who sends 1 BTC and the hash begins with 3f then yes that is very exploitable.

You can't predict a hash but you can randomly attempt hashes from a pool of private keys until you find one which begins with 3f and then submit that one.

Sorry, I really did a terrible job with wording that. But, you got it right with your guess.

So, if I understand you correctly, the transaction hash is created when the transaction is created, not when the transaction is included in a block? Therefore, whoever is creating the transaction can just try different combinations until the hash matches what they want?

Topic: Are transaction hashes predictable? - page 2. (Read 3695 times)