WO2018104728A1

WO2018104728A1 - Random number generation

Info

Publication number: WO2018104728A1
Application number: PCT/GB2017/053671
Authority: WO
Inventors: Ho QUAN; Adam ZANJANI
Original assignee: Quanta Technology Ltd
Priority date: 2016-12-05
Filing date: 2017-12-05
Publication date: 2018-06-14
Also published as: GB201620691D0; GB2571015A; GB201905898D0

Abstract

A Random Number Generating (RNG) system and method are used in a global lottery system. Each Approved Participant (ARP) generates a natural random number (Input Number) by a Certified RNG script and hashes the Input Number to form an Input Hash that is then submitted to a smart contract. An Operator (QRP) of the system and method also goes through a similar process. All Input Numbers are then submitted to the smart contract as natural numbers, which are then hashed to verify that they are the same as the Input Hashes. If all is correct, the smart contract aggregates all of the Input Numbers to form an Aggregate Number, which it then hashes to produce an Aggregate Hash. The winning number of the lottery consists of the last 8 bytes of the Aggregate Hash. The RNG system and method thus provide a hybrid of an Operator RNG with a crowdsourcing input, in certifiable form.

Description

Random Number Generation

Field of the invention

The present invention relates to random number generation.

Background to the Invention A Random Number Generator (RNG) is used as a cornerstone of online gambling products. An RNG is used to shuffle cards for online card games or generate roulette results or any other source of randomness needed for a game of chance.

A number of countries offer online gambling licensing. As part of the process of obtaining a licence, it is a requirement to have a proposed RNG tested and certified by an approved testing authority. The testing authority tests the RNG for statistical randomness. These tests are done on large samples. In order for the RNG to be approved, generally speaking, the results have to be unpredictable, non-repeatable and uniformly distributed. Once the RNG has been tested and it meets the randomness requirements, the code is 'fingerprinted' - this means that the operator cannot change the code. At that point the RNG is certified (Certified RNG). The assumption is that the operator gets a licence and runs the same Certified RNG for their games. However, the player has to trust that the operator is actually using the

Certified RNG. In some instances, this may not be the case. Identifying a breach of licensing rules may be tricky for a regulator. In fact, it is very difficult to check that an operator is actually running a Certified RNG. However, what if it could be done in real-time? Also what if every 'roll of a dice' could be checked not only by a regulator but also by the players? This is the notion of 'Provably Fair'.

Provably Fair is a new gambling industry standard where players have the opportunity to check how a random result was arrived at. There is a trend, especially in cryptocurrency based gambling, to promote provable fairness. We aim to provide, in preferred embodiments of the invention, an RNG system that is 100% Provably Fair. Every result that the system produces can be checked by players or any third party observer.

In addition to being Provably Fair, we aim to use 'crowdsourcing' in the generation of a random number. This is based on the idea that in a gambling ecosystem there is the gambling services operator (the Operator) that takes the risk and the players that play against the Operator. In our view, random number generation is a separate service that doesn't necessarily have to be exclusively provided by the Operator.

To a certain extent, the principle that the Operator is in a position to generate random numbers is a position of conflict as the incentives of an Operator will never be aligned with the players.

Hence, the 'tendering' of a random number generation process to a crowd is a way of reducing that apparent conflict between the Operator and the Players.

This tender notion was first suggested in the Randao Protocol

https: / / github.com/ randao/ randao. An extract of the Randao Protocol is found below as an Appendix. In summary, the Randao Protocol invites participants to think of a random number, which we can refer to as the 'Randao Input Number'. That number is cryptographically hashed and becomes the 'Randao Input Hash'. The hashed number is submitted to a 'smart contract' (described below but in essence is a piece of immutable self-executing distributed code). The smart contract then requests the participants to submit the Randao Input Number. The smart contract then hashes the Randao Input Number (based on the same hashing algorithm that the participants used) and checks that the resulting hashes match the respective Randao Input Hashes submitted by the participants. If they are the same, then the smart contract aggregates the Randao Input Numbers to produce a new number (Randao Aggregate Number). That Randao Aggregate Number is then hashed to produce the Randao Aggregate Hash. It is the Randao Aggregate Hash that is the final random number to be used within an Operator's gambling game.

The Randao protocol makes the discovery of a random number a 'democratic' process and at the same time it is Provably Fair. The Randao protocol is Provably Fair as the process can be reversed and checked by all observers. The 'democratic' aspect relates to the fact that anyone can participate in suggesting numbers to the Randao Protocol.

However there are certain limitations with the Randao Protocol. The main limitation is that a regulated gambling operator will be unable

(in its current form) to have the Randao Protocol certified and therefore unable to use Randao Protocol as a source of random numbers for its gambling games. This is due to a few reasons.

The first is that the Randao Protocol does not explicitly create a role for a gambling operator in the current form of the protocol. The second is that it is impossible to create a testing environment for the Randao Protocol that can mimic its real-life use in a way that random numbers can be generated for testing purposes. This is because the users of the Randao Protocol suggest an arbitrary number as the Input Number. As a result it is not possible to compile any bulk statistics if the Randao Input Number is a number arbitrarily chosen by a person at some point in time.

The third limitation is that there are some vulnerabilities with the Randao Protocol in its current form. One vulnerability is the possibility of collusion. If all the Randao Protocol participants know each other then they can agree on the Randao Input Numbers before they are submitted and therefore predict the final result. To stop this from occurring at least one of the participants needs to be honest or accountable.

There is thus a technical requirement for a method and system of improved security. The present invention

Preferred embodiments of the present invention aim to provide a method and a system for random number generation that can be improved in the foregoing respects.

According to one aspect of the present invention, there is provided a method of generating a random number, the method comprising the steps of: generating a plurality of random numbers, each number being generated by a different user; generating a further random number by an operator of the method; and aggregating all of the random numbers to provide a final random number.

Preferably, each random number is generated by a Certified RNG method or system. Preferably, the RNG is fingerprinted so that its code cannot be changed.

Preferably, the method is embodied in a smart contract.

Preferably, each random number is hashed by the users and operator and the hashes provided to the smart contract.

Preferably, each random number is also provided to the smart contract as a natural number.

Preferably, the smart contract hashes each natural number received and compares those hashed numbers with the hashed numbers received from the users and operator, to verify the natural numbers received.

Preferably, the method is based on Blockchain. Preferably, the method forms part of a gambling method.

The invention extends to a method of gambling that includes a method of generating a random number according to any of the preceding aspects of the invention.

In another aspect, the invention provides a system for generating a random number, the system being configured to: generate a plurality of random numbers, each number being generated by a different user; generate a further random number by an operator of the method; and aggregate all of the random numbers to provide a final random number. Such a system may be configured to perform a method according to any of the preceding aspects of the invention.

For a better understanding of the invention, and to show how embodiments of the same may be carried into effect, reference will now be made, by way of example, to the accompanying diagrammatic drawings, which illustrate phases in the operation of a random number generating system and in which:

Figure 1 illustrates a security phase; Figure 2 illustrates a submission phase Figure 3 illustrated a reveal phase; Figure 4 illustrates a verification phase

Figure 5 illustrates a final phase of aggregating and hashing; and

Figure 6 illustrates an alternative final phase of aggregating and hashing.

It is to be understood that the various features that are described in the following and/ or illustrated in the drawings are preferred but not essential.

Combinations of features described and/ or illustrated are not considered to be the only possible combinations. Unless stated to the contrary, individual features may be omitted, varied or combined in different combinations, where practical.

The illustrated random number generating system is referred to as the Quanta RNG system and aims to improve upon previously proposed systems and methods of random number generation.

The Quanta RNG system adopts a Quanta RNG Protocol, which is a fully Certified RNG crowdsourced random number generation process to be used by regulated gambling Operators.

It has three elements:

1) a crowdsourcing protocol for random numbers similar in outline to the Randao Protocol;

2) all participants are forced to run a Certified RNG to generate "input" numbers and hashes - this means participants do not have any discretion over the random numbers generated;

3) full participation of a Regulated Operator in submitting random numbers into the Quanta RNG Protocol.

The Quanta RNG differs from Randao in the following ways:

• Quanta RNG participants have to be registered to participate. This creates accountability. Thus, in the event that there is a question of potential collusion, that can be addressed.

• Quanta RNG participants are not permitted to select an arbitrary number of their own. All Quanta RNG participants have to run a computer script. The script initiates a Certified RNG algorithm that generates a random number. It is those random numbers that are submitted to the Quanta RNG smart contract. This has a layering effect of randomness. Each participant generates a random number using a recognised algorithm. Therefore, not one random number is generated but many. This makes the final number even more unpredictable. · The Quanta RNG system involves one bona fide and regulated actor, the gambling operator, which participates in the Quanta RNG process. This ensures that collusion is statistically impossible.

As the Quanta RNG Protocol utilises one or more Certified RNG algorithm for crowdsourcing to generate a random number, its random number generation process may be certified by an approved testing house as a Certified RNG. Utilisation of Provably Fair and crowdsourced RNG can provide a new generation of RNGs for gambling operators to use.

The Quanta RNG system is apt for use on distributed ledgers or blockchain technology, whether public or private networks (Blockchain) but can be used for other systems.

One of the advantages of an application of the Quanta RNG system using Blockchain is to take advantage of the immutable nature of Blockchains.

The bitcoin blockchain is a financial application of blockchain technology. The blockchain secures the financial assets namely bitcoins as everyone in the network has an identical instance of the blockchain ledger. This means any unauthorised changes to the ledger by a network participant is rejected by the rest of the network. Changes to the blockchain ledger requires an authorisation process which in essence consists of a proposed transaction (Proposed Transaction) going to the network which is then 'mined' and - once authorised - processed by all the network participants. In bitcoin, a payment instruction consists of a ledger update. In an example to illustrate the process, Alice sends bitcoins to Bob. Alice wants to send 1 bitcoin to Bob. Alice Proposes a Transaction to the bitcoin network. The Proposed Transaction is mined then - once authorised (Authorised

Transaction) it is broadcast to the network. Each node in the bitcoin network receives the Proposed Transaction and now needs to update their blockchain ledger (Node Blockchain).

Authorised Transactions consist of computer script that interacts with the client application of a Node Blockchain. This means that the ledger update does not occur manually. The net benefit of this process is that an Authorised Transaction is immutable code. This notion of creating immutable code that runs on a decentralised network was developed further with the Ethereum protocol. Ethereum allows for the generation of any type of Turing Complete script into a Proposed Transaction which - once authorised - runs

simultaneously on all the nodes in the Ethereum Blockchain network.

The Quanta RNG system and method may leverage the immutability and flexibility of the Ethereum protocol to have the Quanta RNG itself written as a script running on the network - in other words as a 'smart contract'. With the embodiment of Quanta RNG as a smart contract, this enhances the transparency and provable fairness of the RNG process.

The Quanta RNG system may be seen as an innovative hybrid RNG system that mixes a random number generation process by an operator with a crowdsourcing mechanism. It may be not only the first to have a crowdsourced random number generation process Certified by an approved testing house. In addition, Quanta RNG Protocol may be the first to be Certified as a smart contract system. Referring to the drawings, we give an example of a Quanta RNG system for use in a global lottery system based on smart contract technology. A buyer of a lottery ticket purchases a ticket from Quanta Technology (the Operator). Once the ticket sales have been completed, a Quanta RNG smart contract starts its work.

Figure 1 - Security Phase (or Security Round)

All participants in the Quanta RNG need to register with Quanta Technology. Once the participants have been registered (Approved Participants - ARP) then their usernames (i.e. public keys) on an Ethereum network are validated by Quanta Technology. For the sake of explanation, four Approved Participants (ARP) are shown in Figure 1, interacting with a Quanta RNG Smart Contract (equivalent in outline to a Randao Smart Contract).

Figure 2 - Submission Phase

Each Approved Participant (ARP) presses a button on a webpage (or Randao feature in a Quanta Game Wallet) to run a Certified RNG script. This generates a natural random number (Input Number) - A to D in the example of Figure 2. A hash fuction SHA3 is automatically performed on the Input Number to generate an Input Hash. The Approved Participant then inputs a password to sign the transaction to submit the Input Hash to the Quanta RNG smart contract.

Thus, the Quanta RNG smart contract receives a set of Input Hashes from the Approved Participants. Also, the Operator itself, Quanta Technology (QRP), goes through the above process, using a Certified RNG script to generate a number Q (in this example), and submits an Input Hash to the Quanta RNG smart contract.

The Quanta RNG smart contract then closes the submission round.

Figure 3 - Reveal Phase The Quanta RNG smart contract then requests users to submit their

Input Numbers (as natural numbers). Quanta Technology (QRP) similarly submits its own natural Input Number. Quanta Technology will be the last to reveal its natural Input Number, to prevent Participants from predicting the final result. Figure 4— Verification Phase

Once the Input Numbers have been received by the Quanta RNG smart contract then the Quanta RNG runs hashes on the Input Numbers and verifies that the output numbers are the same as the Input Hashes.

Figure 5 - Final Phase - aggregating and hashing If all is correct from the Verification Phase, then the Quanta RNG smart contract aggregates into one string number all of the Input Numbers submitted in chronological order to form an Aggregate Number. It then hashes the Aggregate Number to produce an Aggregate Hash. The winning number of the lottery consists of the last 8 bytes of the Aggregate Hash. Figure 6 - Final Phase - aggregating and hashing - alternative

Figure 6 illustrates an alternative final phase as used for a Winning Ticket Selection in a lottery.

The RNG process produces a Final Number. All winning tickets are selected by using this Final Number.

To select winning tickets, the lottery smart contract uses an MOD operation and SHA3 as below. MOD is a Modulo operation that always produces a single result. SHA3 is a cryptographic hash function that converts any large number into a consistent 256-bit number that is thus suited for matching to ticket numbers

Final number (1) = SHA3( Final Number )

The formula for deciding the jackpot winning ticket is as follows.

If the last digit of the Final number (1) that was produced by "SHA3 of Final Number" is 'Ο', , '3' or '8', there is a Jackpot prize in this round of the lottery. Jackpot ticket number = Final number (1) MOD number of tickets sold.

The formula for deciding the winning tickets of "1st prize" is below. Whether or not there is a Jackpot prize in the round, the Lottery contract always uses the formula below to calculate Final number (2):

Final number (2) = SHA3( Final number (1) ) "1st prize Ticket number" = Final number (2) MOD number of tickets sold. If the "1st prize Ticket number" is identical to "Jackpot Ticket number", the "1st prize Ticket number" is determined by repeating the calculation formula as below until getting a unique "1^st prize Ticket number"

Final number (3) =SHA3( Final number (2) ) 1st prize Ticket number = Final number (3) MOD number of tickets sold

The formula for deciding the winning tickets of 2nd prize to 4th prize is the same as the formula for deciding 1st prize:

Final number (i) =(SHA3( Previous Final number ))

"The next prize Ticket number" = Final number (i) MOD number of tickets sold. If the "The next prize Ticket number" is identical to any "Previous Winning Ticket number", the "The next prize Ticket number" is determined by repeating the calculation formula as below until a unique winning ticket number is obtained.

Final number (i+1) = (SHA3( Final number (i) )

The next prize Ticket number = Final number (i+1) MOD number of tickets sold.

A variation of the above is as follows:

Phase 1: A lottery house (Quanta operator) submits an encrypted random number (using sha3 to encrypt a real random number) to a Randao smart contract. The random number is generated by using crypto.randombytes library in a Randao admin wallet.

Phase 2: Participants submit their encrypted random number (using sha3 to encrypt the real random number) to the Randao smart contract. The Random number is automatically generated by using crypto.randombytes library via Randao function in a Quanta Game Wallet. This wallet will submit this encrypted random number to the Randao smart contract automatically.

Participants need to send some Ether currency to the Randao smart contract as a pledge. Phase 3: Participants reveal their real random number via a Randao function in the Quanta Game Wallet. The Lottery house (Quanta operator) hashes the real numbers to verify them against the hashes received in Phase 2. If verified, the process continues. The order in which the random numbers arrive and the physical locations of the participants are not relevant to the Randao smart contract. Participants can be at different physical locations.

Phase 4: The Lottery house (Quanta operator) reveals the real random numbers via the Randao admin wallet. The Randao smart contract aggregates all real random numbers of both the participants and the Lottery house (Quanta operator) and produces the final random number by using an XOR 'bitwise exclusive or' operator (function) on all of the random numbers.

The minimum number of Approved Participants is 1. Other functions may be used to aggregate the real random numbers. Thus, embodiments of the invention as described above and illustrated in the drawings provide methods of and systems for random number generation that answer the very important technical requirement of improved security.

In this specification, the verb "comprise" has its normal dictionary meaning, to denote non-exclusive inclusion. That is, use of the word "comprise" (or any of its derivatives) to include one feature or more, does not exclude the possibility of also including further features. The word "preferable" (or any of its derivatives) indicates one feature or more that is preferred but not essential.

The reader's attention is directed to all and any priority documents identified in connection with this application and to all and any papers and documents which are filed concurrently with or previous to this specification in connection with this application and which are open to public inspection with this specification, and the contents of all such papers and documents are incorporated herein by reference. All or any of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and/ or all or any of the steps of any method or process so disclosed, may be combined in any combination, except combinations where at least some of such features and/ or steps are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise. Thus, unless expressly stated otherwise, each feature disclosed is one example only of a generic series of equivalent or similar features. The invention is not restricted to the details of the foregoing embodiment(s). The invention extends to any novel one, or any novel combination, of the features disclosed in this specification (including any accompanying claims, abstract and drawings), or to any novel one, or any novel combination, of the steps of any method or process so disclosed.

Appendix

Extract from RAND AO Github (dated 25 November 2016)

https: / / github.com/ randao/ randao

A DAO (decentralised autonomous organisation) that anyone can participate in, and the random number is generated by all participants together! First of all, we need to create a RANDAO contract in the blockchain, which defines the participation rules. Then the basic process of generating a random number can be divided into three phases:

The first phase: collecting valid sha3(s) Anyone who want to participate in the random number generation needs to send a transaction to the contract C with m ETH as pledge in a specified time period (e.g, 6 block period, approximately 72s), accompanied by the result of sha3(s), s is the secret number respective picked by participant.

The second phase: collecting valid s

After the first phase, anyone who submitted sha3(s) successfully needs to send a transaction with the secret number s in the first stage to contract C within a specified time period. Contract C will check if s is valid by running sha3 against s and comparing the result with previous committed data. Valid s will be saved to the collection of seeds to finally generate the random number.

The third phase: calculating a random number, refund pledged ETH and bonus 1. After all secret numbers have been successfully collected, contract

C will calculate the random number from the function f(sl,s2,...,sn), the result will be written to the storage of C, and the result will be sent to all other contracts that requested the random number before.

2. Contract C will send back the pledge to the participants in the first phase, and the profit is divided into equal parts and sent to all participants as an additional bonus. The profit comes from the fees that is paid by other contracts that consume the random number.

Claims

1. A method of generating a random number, the method comprising the steps of: generating a plurality of random numbers, each number being generated by a different user; generating a further random number by an operator of the method; and aggregating all of the random numbers to provide a final random number.

2. A method according to claim 1 , wherein each random number is generated by a Certified RNG method or system.

3. A method according to Claim 2, wherein the RNG is fingerprinted so that its code cannot be changed.

4. A method according to any of the preceding claims, embodied in a smart contract.

5. A method according to claim 4, wherein each random number is hashed by the users and operator and the hashes provided to the smart contract.

6. A method according to claim 5, wherein each random number is also provided to the smart contract as a natural number.

7. A method according to claim 6, wherein the smart contract hashes each natural number received and compares those hashed numbers with the hashed numbers received from the users and operator, to verify the natural numbers received.

8. A method according to any of the preceding claims, wherein the method is based on Blockchain.

9. A method according to any of the preceding claims, wherein the method forms part of a gambling method.

10. A method of gambling that includes a method of generating a random number according to any of the preceding claims.

11. A method of generating a random number, substantially as hereinbefore described with reference to the accompanying drawings.

12. A system for generating a random number, the system being configured to: generate a plurality of random numbers, each number being generated by a different user; generate a further random number by an operator of the method; and aggregate all of the random numbers to provide a final random number.

13. A system according to claim 12 and configured to perform a method according to any of claims 1 to 11.