fair coin toss with no extortion and no need to trust a third party

[socrates1024]

Can you describe the process in a plainer way, like to a redneck.  It appears that 3 equal inputs ended up in one of the input addresses.  It solved the unequal contribution issue but from where does the external coin flip/lottery component comes from?

I can try... but it is a little tricky, so it may take a few attempts before we get a great description.

Two people each bet 1 coin, commit to random numbers, and also post an additional 1 coin security deposit. When they both reveal their committed random numbers, the numbers are xor'ed and one of them is chosen as a winner, and gets both coins, and both players get their security deposit back. The only tricky thing is that you need some way to make sure both players actually *do* reveal their random number, rather than just disappearing. This is why the security deposit is important - the *only* way to get your security deposit back is to reveal your random number and finish the game - if you don't do this, the other player gets the security deposit *and* the prize.

How was that? Clear?

[gmaxwell]

Now, can you CoinSwap-ify your protocol so that in the case where everyone plays honestly the fact that they just used a coinflip is not visible in the blockchain?

[User705]

Can you describe the process in a plainer way, like to a redneck.  It appears that 3 equal inputs ended up in one of the input addresses.  It solved the unequal contribution issue but from where does the external coin flip/lottery component comes from?

I can try... but it is a little tricky, so it may take a few attempts before we get a great description.

Two people each bet 1 coin, commit to random numbers, and also post an additional 1 coin security deposit. When they both reveal their committed random numbers, the numbers are xor'ed and one of them is chosen as a winner, and gets both coins, and both players get their security deposit back. The only tricky thing is that you need some way to make sure both players actually *do* reveal their random number, rather than just disappearing. This is why the security deposit is important - the *only* way to get your security deposit back is to reveal your random number and finish the game - if you don't do this, the other player gets the security deposit *and* the prize.

How was that? Clear?

So the random numbers are part of the blockchain transaction?  How would it work with 3 people?

[socrates1024]

So the random numbers are part of the blockchain transaction?  How would it work with 3 people?

For N people, every draws a random number between 0 and N-1, you add up all the numbers, and mod by N to determine the winner. The result is uniformly distributed between 0 and N-1, if even one party chooses their number randomly.

[agorism]

If 2 people collude, they can always take the 3rd person's money.

We need to enable op_mod

https://bitcointalk.org/index.php?topic=418769.0

[agorism]

Here is my attempt to build a script that accomplishes the goal without using disabled op_codes.
Any advice for me?

signature can look like these:
sigA sigB 1
sigA B A 0
sigB B A 0

op_if
   2 <pubkey1> <pubkey2> 2 op_checkmultisigverify
op_else
   op_2dup op_sha256 hash(A) op_equalverify sha256 hash(B) op_equalverify op_add op_RIPE160 0a '7ff2' 8x('00')
   op_lessthan
   op_if
      <pubkey1>
   op_else
      <pubkey2>
   op_endif
   op_checksig
op_endif

63
  52 <pubkey1> <pubkey2> 52 ad
67
  6e a8 <hash(A)> 88 a8 <hash(B)> 88 93 a6 0a 7f f2 00 00 00 00 00 00 00 00
  9f
  63
    <pubkey1>
  67
    <pubkey2>
  68
  ac
68

[syskall]

Hey guys, I was referred here by gmaxwell. I have come up with a similar protocol although I'm not sure it is implementable in Bitcoin script. One noticeable difference is that mine was designed to support arbitrary odds/payouts. I haven't had time to study the protocol proposed here in detail but it seems quite similar to mine (will comment here when I do). https://bitcointalk.org/index.php?topic=893077.0

By the way, has anyone worked on an implementation of this? I'm not sure the increased security would make up for the inconvenience of having to wait for block confirmations for the average gambler (except maybe for large bets).