
One more security layer for RANDAO contract #8

Closed
chiro-hiro opened this issue Jul 1, 2016 · 19 comments

Comments

@chiro-hiro

I have created a smart contract which generates an uncontrollable number:
https://github.com/tad88dev/thedivine

Would you use it as a security improvement at the reveal round?

@u2
Member

u2 commented Jul 1, 2016

It's an interesting project. But I have not found the relationship with the reveal round?

@chiro-hiro
Author

chiro-hiro commented Jul 1, 2016

In the reveal round you call TheDivine.GetPower() to get a number, and combine it with the RANDAO result before funding all participants.

It will keep the miner or an attacker from being able to manipulate it.

@chiro-hiro
Author

chiro-hiro commented Jul 1, 2016

  // XOR-fold every revealed secret into the campaign's random value
  function calculate(Campaign storage _c) private {
    for (uint i = 0; i < _c.paddresses.length; i++) {
      _c.random ^= _c.participants[_c.paddresses[i]].secret;
    }
  }

Look at the calculate function: if all participants send 0x000000000000000000000.... to your contract, your result isn't RANDOMIZED at all.
The weakness is that you need 1 HONEST PARTICIPANT. And The Divine will become that "1 honest participant".

@u2
Member

u2 commented Jul 1, 2016

Firstly, I will refactor this piece of code; there are some security problems.

  function calculate(Campaign storage _c) private {
    for (uint i = 0; i < _c.paddresses.length; i++) {
      _c.random ^= _c.participants[_c.paddresses[i]].secret;
    }
  }

And then, why don't we add something like block[N].hash or block[N].difficulty? In our README, we have explained it.

Q: Why not let the miners participate in RNG? Why not use tx hash, nonce and other blockchain data? A: Miners have the ability to manipulate these blockchain data, and thus can indirectly affect RNG. If RNG contains blockchain data, it will give the miners capacity to construct random numbers in their favor.

@u2
Member

u2 commented Jul 1, 2016

Vitalik has thrown out his randao++ idea; it looks more reasonable. But firstly, we need to finish this.

https://www.reddit.com/r/ethereum/comments/4mdkku/could_ethereum_do_this_better_tor_project_is/d3v6djb

@chiro-hiro
Author

I agree that we shouldn't trust the miner. And The Divine was created to protect us from miner manipulation.

@chiro-hiro
Author

chiro-hiro commented Jul 1, 2016

        WorldTree = uint256(sha3(WorldTree,
            block.timestamp,
            msg.sender,
            block.difficulty));

The Divine is more legit when the number of users is larger. And it becomes more legit each time we call GetPower().

@u2
Member

u2 commented Jul 1, 2016

In the reveal round, only the revealer knows the secret, and this is the only factor which can affect the result.
But in your design, the miner has the ability to affect the result.
After you reveal your secret, your secret, your address, WorldTree and the block.difficulty are clear, and now the timestamp is the determinant; this means that the miner is the last one who has the ability to affect the result!
And I don't think including more elements means more RANDOMIZE.

@u2
Member

u2 commented Jul 1, 2016

Yes, the weakness is that we need at least 1 HONEST PARTICIPANT, but I take this as the precondition.

if all participants send 0x000000000000000000000.... to your contract your result isn't RANDOMIZE at all.

Yes, this is also randomized.

@chiro-hiro
Author

If all participants send malicious secrets, your result can be calculated and it is no longer a random number.

@u2
Member

u2 commented Jul 1, 2016

We just need one honest participant.

@chiro-hiro
Author

chiro-hiro commented Jul 1, 2016

In the reveal round, only the revealer know the secret, and this is the only one factor which can effect the result.

If the miner mined this block, he will know the secret too.

But in your design, the miner has the ability to effect the result.
After you reveal your secret, your secret, your address,WorldTree and the block.difficulty is clear, and now the timestamp is the determinant, this means that the miner is the last one who has the ability to effect the result!
And I don't think more elements including, means more RANDOMIZE.

I was supposed to remove block.timestamp; that was stupid of me.

We just need one honest participant.

An RNG shouldn't trust anyone or anything, instead of relying on a participant.

@u2
Member

u2 commented Jul 1, 2016

Yes, RANDAO has two weaknesses:

  1. At least one honest participant is needed.
  2. The last revealer cheating.

But it is the most reasonable design we can think of by now.

@chiro-hiro
Author

chiro-hiro commented Jul 1, 2016

I have removed block.timestamp and explained why block.difficulty was used.

I hope that The Divine may be an improvement for RANDAO; let's work together.

Block difficulty is removed; everything relating to the miner is removed.

@chiro-hiro
Author

Here is the concept to make The Divine and RANDAO work together.

  • Each time a participant makes a commitment: RANDAO calls The Divine and stores the number in A[]
  • In the reveal round:
    • Let X = sha3(X1, X2, ...., Xn)
    • Let K = A[X % A.length] // Make sure that the miner doesn't know which one to manipulate.
    • Result = sha3(randao.Random, K)
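An added Python model (not code from the RANDAO or The Divine repositories) of the commit-reveal campaign discussed in this thread, the calculate() XOR fold above, and the sha3-indexed A[] lookup just proposed. It assumes NIST SHA3-256 as a stand-in for the EVM's keccak256 sha3 and string addresses as participants; both are simplifications for running offline.

```python
import hashlib

# Stand-in for the EVM sha3 (keccak256): NIST SHA3-256 is used because it is in
# the standard library; the construction is the same, only the hash differs.
def sha3(*parts: int) -> int:
    data = b"".join(p.to_bytes(32, "big") for p in parts)
    return int.from_bytes(hashlib.sha3_256(data).digest(), "big")

class Campaign:
    """Minimal commit-reveal campaign mirroring the calculate() XOR fold."""
    def __init__(self):
        self.commits = {}    # address -> sha3(secret) submitted in the commit round
        self.secrets = {}    # address -> secret opened in the reveal round

    def commit(self, addr: str, commitment: int):
        if addr in self.commits:
            raise ValueError("duplicate commitment")
        self.commits[addr] = commitment

    def reveal(self, addr: str, secret: int):
        # A reveal that does not match the commitment is rejected; in RANDAO a
        # participant who never reveals forfeits the deposit (weakness 2 above).
        if self.commits.get(addr) != sha3(secret):
            raise ValueError("secret does not match commitment")
        self.secrets[addr] = secret

    def calculate(self) -> int:
        if len(self.secrets) != len(self.commits):
            raise ValueError("not every participant revealed")
        random = 0
        for s in self.secrets.values():   # the XOR fold from calculate()
            random ^= s
        return random

def run_campaign(secret_list):
    """Commit and reveal every constructed secret, return the XOR result."""
    c = Campaign()
    for i, s in enumerate(secret_list):
        c.commit(f"addr{i}", sha3(s))
    for i, s in enumerate(secret_list):
        c.reveal(f"addr{i}", s)
    return c.calculate()

def divine_mix(randao_random: int, secret_list, A):
    """The proposal above: pick a stored Divine value by the hash of all secrets."""
    X = sha3(*secret_list)
    K = A[X % len(A)]          # index unknown until every secret is revealed
    return sha3(randao_random, K)
```

run_campaign([1, 2, 3]) returns 0, showing that colluding participants who know each other's secrets fix the result (the "all zeros" case is the same with zeros), while any single honest uniformly random secret XORed in makes the result uniform.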

@u2
Member

u2 commented Jul 7, 2016

Sorry, I do not get the meaning of X1, X2, Xn?

@chiro-hiro
Author

Sorry, I do not get the meaning of X1, X2, Xn ?

They are the participant secrets. Sorry, I didn't make it clear.

Here is my latest concept:
https://docs.google.com/document/d/1quNacg6A-Cm9QFUJx5HzMmrqjIULRbt2hsF6sx6Hm8E/edit

@u2
Member

u2 commented Jul 8, 2016

Round 1: Collect hash of hash of secrets from participants
Collect from participants: SHA-3^2(Yi)

Round 2: Reveal secret
Let k = SHA-3(Yi)
Let q = k % m
Result = SHA-3(Yi, A[q])

Firstly, why do we need sha3^2?
And what's the meaning of m?

@chiro-hiro
Author

chiro-hiro commented Jul 8, 2016

This concept is about saving all random values from the past and looking them up later.
sha3^2(x) means sha3(sha3(x)).
It's about hash collisions; we just make sure that they will not break 2 rounds of sha3.

m is the total number of random numbers stored in the past.

I have created a pull request which is based on "anyone can make a change".
