Game:
Users stack blocks to form an unstable tower. Each time a new block is successfully laid, the game creates a score_string which is meant as proof of the user's current score. Assume each user has a unique public key that is known to the leaderboard, and that the user can sign their score_string when submitting to the leaderboard contract. Assume the game is running locally on the user's device and can be fully inspected.
Leaderboard:
- A publicly-accessible contract
- Source code is public
- May store private variables
- Has a public function submitScore(), which accepts a score_string
Is it possible to generate the score_string such that the user cannot guess the score_string that would be produced by successfully laying the next block? Or at minimum, block n+2?
Assuming this is not possible offline, what is the simplest way to achieve this with the use of an API maintained by the game's author?
Disclaimer: I'm from web dev world and the best I can come up with is an api that applies an anti-scraping/automation strategy. Basically, it requests a bunch of browser and request info and relies on inference to identify attacks. I think you'd have somewhat more freedom to create signal for this inference using the game code (i.e. faking lots of human-generated xy mouse coord history would be a PITA), but I'm wondering if anyone from crypto world can derive a more principled solution.