BitLotto - and obtaining random numbers from within the Bitcoin network

[bitlotto]

Currently BitLotto uses a Canadian Lottery 6/49 lottery to get 6 numbers that are used to find a winner. Ideally it would be nice to get these numbers from Bitcoin instead. The first draw would not change with such short notice but with proper discussion BitLotto would be open to using an alternate source of random numbers. Using Bitcoin would be perfect if possible. The criteria would be either six numbers 1-49 (each number only drawn once) or six numbers 1-16 but each number can occur 3 times max...  that would match the current system pretty close. Any ideas? Problems using these numbers? How random? It has to be something that can't be predicted or manipulated. (Of course I'd change it for a draw where no one has entered yet and if a few have the option to get their money back. Just wanted to see what some of you more technical people had to say? Thanks. Perhaps somehow setting a certain date, then whatever block comes next and somehow getting random numbers from it....

[1715030529]

1715030529

[1715030529]

1715030529

[1715030529]

1715030529

[theymos]

1. Post the hash of a random number publicly. It is not important that your random number is random, only that it is secret.
2. Pick some block number when the lottery will end. Take the hash of that block and hash it with the random number picked earlier. This is the random data you will use for the draw.
3. Post your random number.

This is immune to manipulation by players. The owner has some ability to manipulate the result, but it's very difficult. You'd need to solve a block at that exact position with a difficulty much higher than normal. You can make owner manipulation even more difficult (almost impossible) by taking winning number 1 from <end block>, number 2 from <end block>+1, etc. This would be better randomness than the Canadian lottery, probably.

[bitlotto]

1. Post the hash of a random number publicly. It is not important that your random number is random, only that it is secret.
2. Pick some block number when the lottery will end. Take the hash of that block and hash it with the random number picked earlier. This is the random data you will use for the draw.
3. Post your random number.

The problem though is that system depends on me being honest. (I am) BUT, everyone else would have to take it on faith that I will keep it secret. I need something where I can't manipulate it. Right now, that's what depending on another lottery does. It's beyond my control what numbers come up. What would be the worst thing I could do IF I didn't keep the number secret?

[theymos]

It's not easy to influence, even if there is no random number. The attacker would have to have more than 50% of the Bitcoin network's CPU to have any reasonable chance of influencing the result.

[bitlotto]

How about something really simple.
how exploitable and random would:

-setting a time - say June 1 00:00 UTC
-taking the first digit (after the zeros) from the next 6 blocks hash value (I guess it could be more, if a number repeated 3 times the next occurrence would be skipped)
-could the network be flooded with bad/fake blocks or something?

Thank you for your expertise!

[theymos]

That's similar. You'd want to take the digits from the end, though, since the first digits after the 0 are not completely random. Or hash the hash to get a random number again.

If someone gets lucky, they might be able to change one of these digits, but even two would be almost impossible.

[bitlotto]

That's similar. You'd want to take the digits from the end, though, since the first digits after the 0 are not completely random. Or hash the hash to get a random number again.

If someone gets lucky, they might be able to change one of these digits, but even two would be almost impossible.

Got ya. So if I use the last digit it's all good. So when you say lucky how hard would it be to get the last digit to match what the person wanted?

[theymos]

Got ya. So if I use the last digit it's all good. So when you say lucky how hard would it be to get the last digit to match what the person wanted?

First they need to get the block. Then, there's a 1 in 16 chance (or 1 in 10 chance if you're using decimal) that they get the right number. Probably they'll have to re-do the block a few times. So if you're really lucky, you might get one number, but getting two blocks in a row is very difficult by itself, and getting the correct number two times in a row is even more difficult.

[bitlotto]

Got ya. So if I use the last digit it's all good. So when you say lucky how hard would it be to get the last digit to match what the person wanted?

First they need to get the block. Then, there's a 1 in 16 chance (or 1 in 10 chance if you're using decimal) that they get the right number. Probably they'll have to re-do the block a few times. So if you're really lucky, you might get one number, but getting two blocks in a row is very difficult by itself, and getting the correct number two times in a row is even more difficult.

Thanks. By getting a block I'm assuming solving it right?  So in your humble opinion is using the last digits a good idea for a lottery? (do you think it fits as a good source of data that's not feasible to manipulate)

[theymos]

By getting a block I'm assuming solving it right?

Yes.

I wouldn't use it if changing one or two numbers is ever meaningful. If the attacker needs to get all six numbers, it's good.

[bitlotto]

Thank you so much for your help. Here is my plan for the draws after the first;

Once 00:00 UTC Wednesday comes the next 7 blocks to be created will be used for the numbers in the draw.
The first one after 00:00 will be block 1 (It will be the block with the earliest time on Wednesday).
The remaining blocks follow. Once the 7th block is created the last digit of the hash is looked at. Convert it into
a number 1-16 and starting at the end of the hash count the digits backwards to find a new value.
Use that value to continue counting backwards landing on a new digit. The value of the digit is now used on block 1. Count backwards in block 1's hash from the end as many times as the number found in block 7 dictates. Get the new value and continue counting backwards one more time.
The value you land on the second time is the first number in the lottery and the number of times you start counting back in block 2. In each block you are counting back twice to get the lottery number. The 7th block is not used to get a lottery number. In no way should a single value be used more than 3 times in the lottery. If by counting back in a block a forth occurrence will occur the value nearest to the left that doesn't cause a number to be used 4 times is used. These 6 numbers are now used exactly as the Lottery 6/49 numbers would be used.  

By using multiple spots in each hash, and starting at the end after all the blocks are completed, it would be
practically impossible for anyone to manipulate, alter, or predict the results.

[theymos]

Whoever solves the 7^th block still has the ability to choose between the 16 different starting values (assuming they have infinite CPU power), though I think mixing like that is better than not.

[bitlotto]

Whoever solves the 7^th block still has the ability to choose between the 16 different starting values (assuming they have infinite CPU power), though I think mixing like that is better than not.

Man this random stuff is a tricky bit. I'm starting to think that counting backwards twice doesn't add anything that counting back once does. I'm starting to think that time may be the key. Let's say we look at the time attached to each block. Only looking at the seconds and add them all up for the first 7 blocks. Then only look at the last digit. If it's zero think of it as 10, everything else that's what you count from the back of all the hashes. For the person to manipulate it they would either have to solve all 7 blocks with known times before anyone else sends in a block or after seeing the 6th block quickly solve the 7th to get what they want. Since blocks come in at least 5 and hour they would have almost no time to do it. They would not only have to solve a block really quick but make sure the time matches what they need. And submit it before someone else sends in the 7th.

Or even, look at blocks 1 -7 and look for the biggest time difference between 2 blocks. Add the seconds of the two and use the last digit for counting back the hashes. That may be harder to control as people will continue to solve blocks and harder to control time between as you never know when one will appear....

All I really need is something that would be so improbable and hard to manipulate that the person would have to spend -10's of millions- to manipulate, you would have to be crazy to spend that much to win BitLotto.

theymos, thank you for hashing  this out with me!  I owe you!!!

[theymos]

Using time probably won't work. Whoever creates the block can specify the block time within a large range. They can even put the timestamp before the last block's timestamp.

You could just hash the block hash 200 trillion times or something to get the final hash. There's no way a miner could do that while mining.

[bitlotto]

Using time probably won't work. Whoever creates the block can specify the block time within a large range. They can even put the timestamp before the last block's timestamp.

You could just hash the block hash 200 trillion times or something to get the final hash. There's no way a miner could do that while mining.

LOL. Ya, I'm sure it would work. Not really simple though. 

[bitlotto]

I think I got it. I could just take all the blocks in one hour after 00:00 and get all the hashes. Combine them in one long string and hash that....   THAT would be hard to manipulate! There would be too many unplanned blocks popping up to figure out what you would need to "fake" the final one and not near enough time.

[theymos]

That should be pretty secure. Whoever gets the last block has the opportunity to do 1-3 "re-rolls" if he is really lucky. I'd hash the final hash a few trillion times just to be safe.

Some potential problems:
- It's possible that no blocks will be solved in an hour. It's happened before.
- The block time can go past 0:00, then go before 0:00 in the next block, and then go forward again. Which time is used?

Also, it's possible that a series of blocks are replaced by other blocks if the network is segmented or there is an attack going on. The blocks used to calculate the winner could be replaced after the funds are awarded. To make this less likely, you should wait at least 120 blocks after the blocks are solved before awarding anything. Reversals of that size will only happen in response to major events that you will almost certainly hear about.

[bitlotto]

That should be pretty secure. Whoever gets the last block has the opportunity to do 1-3 "re-rolls" if he is really lucky. I'd hash the final hash a few trillion times just to be safe.

Some potential problems:
- It's possible that no blocks will be solved in an hour. It's happened before.
- The block time can go past 0:00, then go before 0:00 in the next block, and then go forward again. Which time is used?

Also, it's possible that a series of blocks are replaced by other blocks if the network is segmented or there is an attack going on. The blocks used to calculate the winner could be replaced after the funds are awarded. To make this less likely, you should wait at least 120 blocks after the blocks are solved before awarding anything. Reversals of that size will only happen in response to major events that you will almost certainly hear about.

Once a block is 'in the system' the time is set though right? I could just use the first block whose time is after 00 (ignore that one in case manipulated) and use the next one as 'Block 1'.
Waiting till 120 after is a good idea. I guess I could add the rule that at least 4 blocks in the hour are needed or add another hour. Man, this is tricky. Thanks for your help. When the coins come in I have a few with your name on it!

[theymos]

Once a block is 'in the system' the time is set though right?

Yes.

[bitlotto]

Idea #5245, first block that has a time after 00 sets the system going. The next 3 blocks hashes are used. Look at the next few blocks at the last digit. Keep track of the last digit. Use the next blocks until a 'letter' appears at the end and 'number' appear at the end. Once it does, add all the blocks hashes together, hash it to get a final hash for the draw. That should be pretty hard to fake....I think...