reply on: A Provably Fair Off-Chain Lottery (and DLC) Protocol \ stacker news ~bitcoin

0 sats \ 3 replies \ @VzxPLnHqr 20 Nov 2023 \ parent \ on: A Provably Fair Off-Chain Lottery (and DLC) Protocol bitcoin

Ok, I am shooting from the hip here quickly (so what follows could very well be wrong), but let's try this:

do you see how it is easy to extend a 1 of 2 oblivious transfer (oblivious signing in our case) to a 1 of n?
if so, then Alice funds the output with amount U and can sell sell a ticket to each Bob for an amount slightly more than U / n (it is slightly more so that, in expectation she can earn a profit).
if one of the Bob's wins they will, naturally, move/claim the utxo
if more than one Bob wins, they will have a fee fight

I think for large enough n and slow enough ticket sales, these issues are surmountable, no?

0 sats \ 2 replies \ @conduition OP 21 Nov 2023

The issue is that none of your Bobs can trust each other not to collude with Alice. If even one player colludes with Alice, they can steal everyone else's money by simply telling Alice which Pick transaction to publish.

0 sats \ 0 replies \ @VzxPLnHqr 22 Nov 2023

I added a test demonstrating 1 of n oblivious signing. It does not quite solve the problem you point out, but it gets closer (notice how Alice can privately shuffle the messages and yet Bob still receives one and only one valid signature, while Alice still remains oblivious as to which one he receives).

0 sats \ 0 replies \ @VzxPLnHqr 21 Nov 2023

Thanks for engaging on this. I hope it is helpful and we each further our own understanding of these concepts. I see what you are saying, and you very well might be correct.

Still, it feels like there is probably some way to do it with oblivious signing that would satisfy your objection.