(Top posted, so sue me, my text explains itself without the history). Thats a big cc list. I think you could create a beacon with bitcoin hash chain by having miners reveal a preimage for 6 old, consecutive blocks where the newest of the 6 old blocks is itself 6-blocks confirmed. (ie reveal preimage on blocks 7-12. The xor of those preimages defines a rolling beacon (new output every block, just with reference to blocks 7-12 relative to the current block depth). The security against insider foreknowledge is not fantastic, as its relating to the trustworthiness of the 6 random miners (which have probabilty of winning relating to hashpower, which doesnt always relate to trustworthiness). Adam On Mon, Nov 11, 2013 at 05:42:54PM +0100, CodesInChaos wrote:

On Sun, Nov 10, 2013 at 9:54 AM, Andy Isaacson wrote:

...

For example, suppose you use the low bits of the bitcoin blockchain hash. An attacker with 10% of the hash power could probabilistically attack such a system by chosing blocks with a specific value in those bits;

This can be avoided by running a sequential computation based on that hash. For example by hashing it 2^40 times. Obvious downside is that verifying that the computation was performed correctly is just as expensive (but parallelizable).

Perhaps there is a function that's sequential and slow in one direction and fast in the reverse direction.