100 sats \ 5 replies \ @VzxPLnHqr 20 Nov 2023 \ on: A Provably Fair Off-Chain Lottery (and DLC) Protocol bitcoin
Good idea! As a step towards making it trustess, you might want to check out "oblivious signing"1 which uses adaptor signatures and something called oblivious transfer to achieve a trustless off-chain coinflip and which can probably be generalized into a lottery.
I also implemented a simple demonstration/test2 of the underlying ecc math that makes oblivious signing work and which you might also find helpful.

Footnotes
  1. https://telaviv2019.scalingbitcoin.org/files/scriptless-lotteries-on-bitcoin-from-oblivious-transfer.pdf
  2. https://github.com/VzxPLnHqr/secp256k1-scala/blob/main/Oblivious.test.scala
write
preview
10 sats \ 4 replies \ @conduition OP 20 Nov 2023
Neat! i can see how this works for a two-player coin flip, but i'm not sure how one might generalize it for n players.
Notice how in Lloyd's coin-flip lottery, one of the Pick transactions would need to be chosen arbitrarily by Alice. Bob might be able to claim the output of the Pick TX depending on his choice of bit, and depending which Pick transaction Alice chose.
The problem with protocols that involve more than 2 agents is that everyone has to assume everyone else is colluding with each other. If you add a third player (Carol) who also receives an oblivious signature from Alice, then how can Bob be sure that Carol isn't colluding with Alice? If the two collude, then Carol can simply tell Alice which Pick transaction to publish so that Carol wins the 3-way lottery, thus taking Bob's money.
For an n-player lottery to work fairly, it has to be impossible for anybody to predict or dictate the outcome in advance, as long as at least one player is honest.
reply
0 sats \ 3 replies \ @VzxPLnHqr 20 Nov 2023
Ok, I am shooting from the hip here quickly (so what follows could very well be wrong), but let's try this:
  1. do you see how it is easy to extend a 1 of 2 oblivious transfer (oblivious signing in our case) to a 1 of n?
  2. if so, then Alice funds the output with amount U and can sell sell a ticket to each Bob for an amount slightly more than U / n (it is slightly more so that, in expectation she can earn a profit).
  3. if one of the Bob's wins they will, naturally, move/claim the utxo
  4. if more than one Bob wins, they will have a fee fight
I think for large enough n and slow enough ticket sales, these issues are surmountable, no?
reply
0 sats \ 2 replies \ @conduition OP 21 Nov 2023
The issue is that none of your Bobs can trust each other not to collude with Alice. If even one player colludes with Alice, they can steal everyone else's money by simply telling Alice which Pick transaction to publish.
reply
0 sats \ 0 replies \ @VzxPLnHqr 22 Nov 2023
I added a test demonstrating 1 of n oblivious signing. It does not quite solve the problem you point out, but it gets closer (notice how Alice can privately shuffle the messages and yet Bob still receives one and only one valid signature, while Alice still remains oblivious as to which one he receives).
reply
0 sats \ 0 replies \ @VzxPLnHqr 21 Nov 2023
Thanks for engaging on this. I hope it is helpful and we each further our own understanding of these concepts. I see what you are saying, and you very well might be correct.
Still, it feels like there is probably some way to do it with oblivious signing that would satisfy your objection.
reply