Bitcoin Forum
  Show Posts
1  Bitcoin / Development & Technical Discussion / Re: Trust minimized random seed on: April 04, 2022, 09:52:37 PM
Thank you for your responses.

You all have valid points. I'll try to entertain myself with these questions further.


The problem here is that the algorithm for creating a seed using known values could be selected in order to generate a predetermined value. I think a better way might be to announce the algorithm before its data is known. For example, a hash of the next 256 block IDs. Note that this is not completely trustworthy because miners could potentially manipulate the block IDs, but the cost of doing that would be huge, so it is unlikely to happen.


Good point. Would the following be a computationally sound approach?

Pick a generator G as defined on secp256k1. Hash the `x` coordinate of G to get the x coordinate of the next curve point, creating a new NUMS point. Repeat the process to get 100 NUMS points. Once quantum computers are around and we find the discrete logs of these NUMS points, we should (?) be fairly sure we could not have known them today when we defined the algorithm.
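The NUMS chain sketched above, as an added example that is not part of the post or of any project code. It assumes secp256k1's published field prime and generator, takes SHA-256 of the 32-byte big-endian x coordinate as "hash the x coordinate", and adds one rule the post does not state: roughly half of all field elements are not valid x coordinates (x^3 + 7 has no square root mod p), so when the digest is not on the curve it is hashed again until it is. Every step is deterministic, so anyone can regenerate and audit the whole chain from G alone.

```python
import hashlib

# secp256k1 parameters: field prime, curve constant b (y^2 = x^3 + 7), generator x coordinate.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
B = 7
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798


def on_curve(x, y):
    """True if (x, y) satisfies y^2 = x^3 + 7 over GF(P)."""
    return (y * y - pow(x, 3, P) - B) % P == 0


def lift_x(x):
    """Return the even y with (x, y) on the curve, or None if x is not a valid x coordinate.
    P % 4 == 3, so a square root of y2 (when one exists) is y2^((P+1)/4) mod P;
    the final check rejects x values whose y2 is a non-residue.
    Choosing the even y is an assumption (the same x-only convention BIP340 uses)."""
    if not 0 <= x < P:
        return None
    y2 = (pow(x, 3, P) + B) % P
    y = pow(y2, (P + 1) // 4, P)
    if (y * y) % P != y2:
        return None
    return y if y % 2 == 0 else P - y


def next_nums_x(x):
    """SHA-256 the 32-byte big-endian x; if the digest is not a valid x coordinate,
    hash the digest again (assumption: the post gives no rule for this case)."""
    digest = hashlib.sha256(x.to_bytes(32, "big")).digest()
    while True:
        cand = int.from_bytes(digest, "big")
        if lift_x(cand) is not None:
            return cand
        digest = hashlib.sha256(digest).digest()


def nums_chain(n, start_x=GX):
    """Produce n NUMS points, each derived from the x coordinate of the previous one."""
    points = []
    x = start_x
    for _ in range(n):
        x = next_nums_x(x)
        points.append((x, lift_x(x)))
    return points


if __name__ == "__main__":
    for i, (x, y) in enumerate(nums_chain(100), 1):
        print(f"NUMS point {i}: x={x:064x}")
```

Because the retry rule changes which point comes out, it has to be fixed and published together with the hash function and the starting point; two implementations that disagree on it will produce different "nothing up my sleeve" chains.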
2  Bitcoin / Development & Technical Discussion / Trust minimized random seed on: April 04, 2022, 07:55:57 PM
I posted a question on https://crypto.stackexchange.com/questions/99478/p256-seed-problem, but I figured this might be a better place for such discussion.

The question is how to generate a seed for which everyone knows it couldn't have been set up with malicious intent.
It's very easy to trust yourself in picking it, but picking a global seed seems a hard problem. As the question on crypto stackexchange describes, I've been reading about cryptography and elliptic curves and found out that some don't trust the P-256 seed choice, which is defined in https://csrc.nist.gov/csrc/media/publications/fips/186/3/archive/2009-06-25/documents/fips_186-3.pdf on page 89 as

SEED = c49d3608 86e70493 6a6678e1 139d26b7 819f7e90

The issue seems to be how to agree on a seed in a trust-minimized way.

This is what made me wonder if computational energy from Bitcoin could be used.

Suppose we do the following. We define the max Bitcoin block number, e.g. 730445, which is the latest Bitcoin block. The starting point is the Bitcoin genesis block. We now repeat the process:

1. Hash the block hash to obtain X
2. seed += X[0]
3. Compute the next block height as X % 730445
4. Repeat from 1 until we have a long enough seed.

Suppose Satoshi was an evil mastermind who predicted this. Even so, they couldn't have known what the next hash contribution would be given a large enough interval, because this would have required them to guess the hash of the block hash at height 720921, since hash(genesis) % 730445 = 720921.

This would generate a seed based on the randomized energy contribution to Bitcoin over the last decade.

I have made a prototype of this https://controlc.com/71836119 which yields 0db5a6b3f17115c58a074eea763768d5. Would you trust 0db5a6b3f17115c58a074eea763768d5 as a seed?
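The walk from the post, written out as an added example (not the linked prototype, which is not reproduced here, and not project code). It runs offline, so `constructed_block_hash` is a constructed stand-in that fabricates a deterministic hex string per height; a real run would replace it with a lookup of the actual block header hash from a node. Two details the post leaves open are fixed here as assumptions: X is the 32-byte SHA-256 digest of the ASCII hex block hash, and `X[0]` is its first byte, so a 16-byte seed (32 hex characters, the length of the prototype's output) visits 16 heights. The derivation returns those heights, because the seed depends only on the blocks it actually touched and an auditor wants to know which ones those are.

```python
import hashlib

MAX_HEIGHT = 730445   # the cut-off from the post (the tip at the time of writing)
SEED_LEN = 16         # 16 bytes = 32 hex characters, the length of the prototype output


def constructed_block_hash(height):
    """CONSTRUCTED stand-in: a fake 64-hex-char block hash for `height`.
    Replace with a real block-header hash lookup to reproduce the post's walk."""
    return hashlib.sha256(b"constructed-block-" + str(height).encode()).hexdigest()


def derive_seed(block_hash_at, max_height=MAX_HEIGHT, seed_len=SEED_LEN, start_height=0):
    """Follow the post's procedure:
      1. X = SHA-256 of the block hash (assumption: the ASCII hex string is hashed)
      2. seed += X[0]  (assumption: first byte of the digest)
      3. next height = int(X) % max_height
      4. repeat until the seed is seed_len bytes long.
    Returns (seed bytes, list of heights hashed, in order)."""
    seed = bytearray()
    heights = []
    h = start_height
    while len(seed) < seed_len:
        heights.append(h)
        x = hashlib.sha256(block_hash_at(h).encode("ascii")).digest()
        seed.append(x[0])
        h = int.from_bytes(x, "big") % max_height
    return bytes(seed), heights


def verify_seed(claimed_hex, block_hash_at, **kwargs):
    """Replay the walk and compare. The seed earns trust only because anyone
    with the same chain data can run this and get the same answer."""
    seed, _ = derive_seed(block_hash_at, **kwargs)
    return seed.hex() == claimed_hex


if __name__ == "__main__":
    seed, heights = derive_seed(constructed_block_hash)
    print("seed    :", seed.hex())
    print("heights :", heights)
    print("verifies:", verify_seed(seed.hex(), constructed_block_hash))
```

The replay check is the whole point of the construction: a seed published without the walk that produced it is just another opaque constant, while a seed published with the rule, the cut-off height and the visited heights can be re-derived by anyone running a node. The test below also changes one visited block hash to confirm that every byte after that hop changes with it.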