Blockchain Getting Started: Ethereum Source Code Analysis, Ethereum Random Number Generation Method 2
Incentive
The RNG cycle is very short. For example, if there are 20 generation cycles in one hour and the profit for one cycle is 0.001%, the profit in one month will be 0.00001 * 20 * 24 * 30 = 0.144, i.e. 14.4% per month. If an RNG has n participants on average, the cost of running smart contract C is n * 3500 * gasprice + ccost (ccost is the gas consumed inside the contract, including computation and storage). Assuming that each random value serves R requests on average and each request costs P ETH, the revenue is R * P, so each participant receives (R * P - 1500 * n * gasprice - ccost) / n. With the current gasprice of 10 Szabo and a contract consumption of about 1500 * n gas, the approximate net income per participant is (R * P / n - 0.03) ETH. Assume that each RNG has 10 participants and the pledge is 1000 ETH: if the RNG is requested only once, the fee for that request is 0.4 ETH; if it is requested 10 times, the price per request drops to 0.04 ETH.
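The fee figures above (0.03 ETH per participant per cycle, 0.4 ETH for a single request, 0.04 ETH when ten requests share one random value) follow from the formulas in the paragraph. The model below is an added example written for this page, not code from the Randao project, that reproduces them. It assumes 1 Szabo = 1e-6 ETH and, because the page quotes 3500 gas per participant in one sentence and 1500 in the next, it uses the 1500-gas figure, which is the one that reproduces the stated 0.03 ETH cost.

```python
SZABO = 1e-6  # 1 Szabo = 1e-6 ETH; the page quotes gasprice as 10 Szabo


def monthly_return(profit_per_cycle, cycles_per_hour):
    """Fraction of the pledge earned per month, e.g. 0.00001 per cycle at 20 cycles/hour."""
    return profit_per_cycle * cycles_per_hour * 24 * 30


def per_participant_cost(n, gasprice, tx_gas_per_participant, contract_gas):
    """ETH each of the n participants pays per RNG cycle.

    Each participant sends commit/reveal transactions costing tx_gas_per_participant
    gas; contract_gas is the contract's own computation and storage (ccost).
    """
    total_cost = n * tx_gas_per_participant * gasprice + contract_gas * gasprice
    return total_cost / n


def per_participant_net_income(requests, price, n, participant_cost):
    """(R*P - cost) / n: revenue from R requests at P ETH each, shared by n participants."""
    return requests * price / n - participant_cost


def fee_per_request(target_monthly_return, pledge, cycles_per_hour, requests, n, participant_cost):
    """Request price P that pays every participant the target monthly return on their pledge."""
    cycles_per_month = cycles_per_hour * 24 * 30
    income_per_cycle = target_monthly_return * pledge / cycles_per_month
    # Invert per_participant_net_income: income = R*P/n - cost  =>  P = n*(income + cost)/R
    return n * (income_per_cycle + participant_cost) / requests


if __name__ == "__main__":
    # Constructed walk-through with the page's parameters: 10 participants,
    # gasprice 10 Szabo, 1500 gas per participant, 1500*n gas inside the contract.
    cost = per_participant_cost(10, 10 * SZABO, 1500, 1500 * 10)
    print(f"cost per participant per cycle: {cost:.3f} ETH")
    for requests in (1, 10):
        fee = fee_per_request(0.144, 1000, 20, requests, 10, cost)
        print(f"{requests} request(s) per value -> fee {fee:.3f} ETH each")
```

The useful observation is the last line of the model: the request fee is the per-cycle return on the pledge plus the gas cost, multiplied by n and divided by R, so the price per request falls linearly with the number of consumers sharing each random value, while the participants' return is unchanged.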
Randao acts as infrastructure in the Ethereum system: it is called by other contracts. Contracts for different purposes require different random numbers. Some need high security, such as lotteries; some need steady responses and must be answered immediately, and these contracts are normally low-value; some need a callback, i.e. they want to be notified when the random number is ready.
Obviously it is impossible to meet these different requirements in various scenarios with only one RNG contract, so many contracts will be created with different initial parameters, but the basic rules are the same.
For example, if we need high security, we can substantially increase the pledge of the first phase; this greatly raises the cost of making the RNG process fail by not revealing s. For contracts with little value at stake, the minimum number of participants and the pledge can be lower.
Let's look at an example of a dapp betting on odd or even numbers. We will show how to adjust the contract's parameters to meet the desired security level by making the cost of cheating higher than the expected gain. Assume the bet is 1000 ETH and the betting contract calls an RNG contract C1. If C1 fails to generate a random number at the requested block height, the betting contract waits for the next random number of C1, until one is generated.
Let's build the RNG contract C1 and set its pledge to 2000 ETH. The gambler G plays the betting dapp but also participates in C1. If he finds himself in a disadvantageous position before revealing his secret number, he can choose not to reveal s, so that the RNG fails and he gets another chance. But he will lose the 2000 ETH pledge, so although he can get an expected return of 1000 ETH, it is still a bad deal. However, G can reduce his losses on C1 by other means, such as participating in C1 with two accounts and sending two sha3(s). If he is in a disadvantageous position, G withholds the secret of only one account; if the only other participant in C1 besides G is one honest account, G loses just 1000 ETH on C1 while still getting the expected return of 1000 ETH, which makes it worth a try.
This issue can be fixed by confiscating the forfeited pledge instead of returning it to the other participants as a bonus. With that rule, a contract with a 1000 ETH pledge meets the requirement of the betting dapp.
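The two-account trick works only because the forfeited pledge is paid back out to the revealers, one of whom is the attacker's own second account. The payoff model below is an added example written for this page, not Randao's code; it generalises the page's 3-account case to any number of accounts the gambler controls. The 1000 ETH "expected gain" is taken from the page as given, and the model treats break-even (loss equal to gain) as deterred, whereas the page calls the 1000-versus-1000 case "worth a try"; that is a modelling choice, not a claim from the page.

```python
# All amounts in ETH. Scenario from the page: a 1000 ETH odd/even bet whose
# expected return to the gambler G is taken as 1000 ETH, an RNG contract C1
# with a per-account pledge, and G also committing to C1 with k accounts.


def attacker_net_loss(pledge, total_accounts, attacker_accounts, confiscate):
    """Net ETH G loses on C1 by withholding ONE of his accounts' secrets.

    total_accounts:    every account that committed in this round, G's included.
    attacker_accounts: how many of those G controls (>= 1).
    confiscate:        True  -> the forfeited pledge leaves the contract (the fix);
                       False -> it is split equally among the revealers as a bonus.
    """
    if not 1 <= attacker_accounts <= total_accounts:
        raise ValueError("attacker cannot control more accounts than exist")
    forfeited = pledge
    if confiscate:
        return forfeited
    revealers = total_accounts - 1            # everyone except the withholding account
    if revealers == 0:
        return forfeited                       # nobody to pay a bonus to
    own_revealers = attacker_accounts - 1      # G's other accounts collect their share
    refund = forfeited * own_revealers / revealers
    return forfeited - refund


def attack_pays(pledge, total_accounts, attacker_accounts, confiscate, expected_gain):
    """True when forcing a re-roll costs G less than the bet he expects to win."""
    loss = attacker_net_loss(pledge, total_accounts, attacker_accounts, confiscate)
    return loss < expected_gain


def min_pledge_to_deter(expected_gain, total_accounts, attacker_accounts, confiscate):
    """Smallest per-account pledge for which attack_pays() is False."""
    revealers = total_accounts - 1
    if confiscate or revealers == 0:
        return expected_gain
    # Fraction of the forfeited pledge G does NOT get back through his own revealers.
    retained_fraction = 1 - (attacker_accounts - 1) / revealers
    if retained_fraction <= 0:
        return float("inf")                    # G owns every revealer: no pledge deters him
    return expected_gain / retained_fraction


if __name__ == "__main__":
    # Constructed walk-through of the page's example: G's two accounts plus one honest one.
    for confiscate in (False, True):
        loss = attacker_net_loss(2000, 3, 2, confiscate)
        need = min_pledge_to_deter(1000, 3, 2, confiscate)
        print(f"confiscate={confiscate}: G loses {loss:.0f} ETH at a 2000 ETH pledge; "
              f"pledge needed to deter: {need:.0f} ETH")
```

Under the bonus rule the pledge a contract must demand grows with the share of revealers the attacker controls and becomes unbounded once he controls all of them; confiscation removes that dependency, so the pledge only has to match the value at stake, which is why the page can drop it from 2000 to 1000 ETH.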
Besides confiscation, another scheme can prevent such attacks by introducing an additional system: Randao membership. To become a member you must pay dues; anyone who has paid their dues is a member, and members have different levels according to the dues they paid. Membership does not belong to a single contract; instead it functions like a passport for participating in some Randao contracts. If a member breaches any contract, that person's membership is ended and the dues are confiscated. Now we can add an additional rule to C1: C1 only accepts numbers committed by members whose level is high enough (membership dues over 1000 ETH). This ensures that nobody has a financial motive to attempt an attack.
Q&A: Questions and answers
Q: Why not let the miners participate in the RNG? Why not use the tx hash, nonce and other blockchain data? A: Miners have the ability to manipulate this blockchain data and thus can indirectly affect the RNG. If the RNG incorporated blockchain data, it would give miners the capacity to construct random numbers in their favor.
Q: Miners can ignore transactions that contain random numbers they dislike; how do you deal with that? A: That's why we need a time window. A reasonable window should be greater than 6 blocks; we believe nobody can produce 6 blocks in succession. So if a participant is honest and sends his number as soon as each time window opens, he doesn't need to worry about being excluded.
Q: Why use the numbers of all participants rather than a subset? A: A rule to pick a subset is deterministic, so participants will try by various means to occupy the specified positions in the collection; if they succeed, they will know in advance what random number is generated from the subset. If the rule to pick a subset is randomised, then we are back to the original problem of obtaining true randomness.
Q: Where do the confiscated pledges and dues go? A: They will be donated to a charity, or used to maintain Randao's funding.
Note: F(S1, S2, ..., Sn) is a function with multiple inputs, for example R = S1 XOR S2 XOR S3 ... XOR Sn, or R = sha3(Sn + sha3(Sn-1 + ... (sha3(S2 + S1)))).
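To make the pieces concrete (the commit phase that stores sha3(s) with a pledge, the reveal window of at least 6 blocks from the Q&A, confiscation of a non-revealer's pledge, and the two forms of F from the note), here is an added example of one commit-reveal round written for this page; it is not the Randao contract and does not reproduce its interface. Two assumptions are labelled in the code: Python's hashlib only provides NIST SHA3-256, which is not the Keccak-256 that Ethereum's sha3 computes, and the "+" in the nested form of F is read as byte concatenation.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional

MIN_REVEAL_WINDOW = 6  # blocks; the Q&A argues nobody produces 6 blocks in succession


def sha3(data: bytes) -> bytes:
    # Stand-in for the EVM's sha3 (assumption): hashlib ships NIST SHA3-256,
    # while Ethereum uses Keccak-256, which pads differently. Fine for an
    # offline model, but the two digests are NOT interchangeable on-chain.
    return hashlib.sha3_256(data).digest()


def to_bytes32(value: int) -> bytes:
    return value.to_bytes(32, "big")


def combine_xor(secrets):
    """F(S1..Sn) = S1 XOR S2 XOR ... XOR Sn, secrets given as 32-byte big-endian values."""
    r = 0
    for s in secrets:
        r ^= int.from_bytes(s, "big")
    return r


def combine_nested_sha3(secrets):
    """F(S1..Sn) = sha3(Sn + sha3(Sn-1 + ... sha3(S2 + S1))); '+' read as concatenation (assumption)."""
    acc = secrets[0]
    for s in secrets[1:]:
        acc = sha3(s + acc)
    return int.from_bytes(acc, "big")


@dataclass
class Participant:
    commitment: bytes
    pledge: int
    secret: Optional[bytes] = None


@dataclass
class RandaoRound:
    """One cycle: phase 1 collects sha3(s) plus a pledge, phase 2 collects s, then R = F(S1..Sn)."""
    start_block: int
    commit_blocks: int
    reveal_blocks: int
    min_pledge: int
    min_participants: int = 2
    participants: Dict[str, Participant] = field(default_factory=dict)
    confiscated: int = 0

    def __post_init__(self):
        if self.reveal_blocks < MIN_REVEAL_WINDOW:
            raise ValueError("reveal window must span at least 6 blocks")

    def commit(self, addr: str, commitment: bytes, pledge: int, block: int):
        end = self.start_block + self.commit_blocks
        if not (self.start_block <= block < end):
            raise ValueError("commit outside phase 1")
        if pledge < self.min_pledge:
            raise ValueError("pledge below minimum")
        if addr in self.participants:
            raise ValueError("address already committed")
        self.participants[addr] = Participant(commitment, pledge)

    def reveal(self, addr: str, secret: bytes, block: int):
        start = self.start_block + self.commit_blocks
        if not (start <= block < start + self.reveal_blocks):
            raise ValueError("reveal outside phase 2")
        p = self.participants[addr]
        if sha3(secret) != p.commitment:
            raise ValueError("secret does not match the committed hash")
        p.secret = secret

    def finalize(self, combine=combine_xor) -> Optional[int]:
        """R if every committer revealed; otherwise None, with non-revealers' pledges confiscated."""
        if len(self.participants) < self.min_participants:
            return None
        withheld = [p for p in self.participants.values() if p.secret is None]
        if withheld:
            self.confiscated = sum(p.pledge for p in withheld)  # not paid out as a bonus
            return None
        return combine([p.secret for p in self.participants.values()])


if __name__ == "__main__":
    # Constructed round: three participants commit in blocks 100-109 and reveal in 110-115.
    secrets = [to_bytes32(v) for v in (0x11, 0x22, 0x44)]
    rnd = RandaoRound(start_block=100, commit_blocks=10, reveal_blocks=6, min_pledge=1000)
    for i, s in enumerate(secrets):
        rnd.commit(f"acct{i}", sha3(s), 1000, block=105)
    for i, s in enumerate(secrets):
        rnd.reveal(f"acct{i}", s, block=112)
    print("R (xor):", hex(rnd.finalize()))
    print("R (nested sha3):", hex(rnd.finalize(combine_nested_sha3)))
```

Note that `finalize` only succeeds when every committer has revealed, which is the design point behind the "why not a subset" answer: a single withheld secret cannot be quietly dropped, it aborts the round and costs the withholder the pledge.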