Score:0

Proof of score in a public game with a public contract leaderboard

es flag

Game:

Users stack blocks to form an unstable tower. Each time a new block is successfully laid, the game creates a score_string which is meant as proof of the user's current score. Assume each user has a unique public key that is known to the leaderboard, and that the user can sign their score_string when submitting to the leaderboard contract. Assume the game is running locally on the user's device and can be fully inspected.

Leaderboard:

  • A publicly-accessible contract
  • Source code is public
  • May store private variables
  • Has a public function submitScore(), which accepts a score_string

Is it possible to generate the score_string such that the user cannot guess the score_string that would be produced by successfully laying the next block? Or at minimum, block n+2?

Assuming this is not possible offline, what is the simplest way to achieve this with the use of an API maintained by the game's author?

Disclaimer: I'm from web dev world and the best I can come up with is an api that applies an anti-scraping/automation strategy. Basically, it requests a bunch of browser and request info and relies on inference to identify attacks. I think you'd have somewhat more freedom to create signal for this inference using the game code (i.e. faking lots of human-generated xy mouse coord history would be a PITA), but I'm wondering if anyone from crypto world can derive a more principled solution.

knaccc avatar
es flag
I think this is a game of skill, where someone has to carefully place each block? What is to prevent the user from just modifying the client to pretend each block has been placed perfectly?
James Moffet avatar
es flag
@knaccc that's exactly what I'm asking, see the comment at the bottom about transmitting a short time-step history of human-created xy mouse coords (generated in the course of interacting with the game) which would be hard to fake convincingly by modifying the client. That's an inelegant solution, but it does put up a barrier (which could probably be overcome by a good DNN, but whatever). I'm wondering if there's a more principled way to approach this problem by having the client create a secret that is more elegant than a history of mouse coords
knaccc avatar
es flag
Why would it be hard to fake mouse movements convincingly? I think that fundamentally, you have to admit defeat. There is no way to ensure you can trust the client, in which case there is no amount of cryptography that can help with faked high scores.
James Moffet avatar
es flag
It would be impossible to fake millisecond-scale human-generated game cursor behavior convincingly without a large database of actual time series data generated by human players. It's too complex and signal-laden to generate convincingly on a first-principles basis. This is more or less the principle on which anti-web-scraping measures are based. If you try to scrape something like crunchbase.com with browser automation, you'll quickly find imitating a human to be a non-trivial problem. Would love to find a better solution, maybe there isn't one
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.