[messaging] collaborative random number generation

Michael Rogers michael at briarproject.org
Sat Dec 12 05:25:05 PST 2015

On 11/12/15 12:48, Michael Rogers wrote:
> At the limit, if you run n! rounds there will be at least one round
> where a victim reveals last - the attacker has no influence on that
> round, and therefore no influence on the hashed output of all n! rounds.

Sorry, on second thoughts this doesn't work - the attacker's influence
on the hashed output of multiple rounds is equal to their influence on
the last round, so there's no advantage to running more than one round
per output.

Another thought about commit-reveal: if each colluding attacker can
influence one bit of the output (i.e. choose between two possible
outputs) and there are n participants, are there any use cases where
it's good enough to simply produce n+b bits of output containing at
least b bits of entropy? (In other words, are there any use cases where
the output just needs to contain a certain amount of entropy, as opposed
to being uniformly distributed?)
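A toy illustration of the two points above (a last revealer's one bit of influence, and why hashing many rounds together does not dilute it), added here as an example and not part of Michael's message; the SHA-256 hash layout and the rule that a withholding participant is simply dropped from the round are my assumptions about the commit-reveal variant under discussion.

```python
import hashlib
import random

# Constructed toy protocol: each participant picks 32 random bytes, publishes
# H("commit|" + bytes), then reveals; the round output is the hash of all
# revealed contributions in a fixed order. This is assumed, not the thread's.

def commit(contribution: bytes) -> bytes:
    return hashlib.sha256(b"commit|" + contribution).digest()

def round_output(contributions) -> bytes:
    h = hashlib.sha256(b"round|")
    for c in contributions:
        h.update(c)
    return h.digest()

def last_revealer_options(commitments, honest, attacker):
    """The two outputs the last revealer can choose between: reveal its
    contribution, or withhold it and be dropped. The honest parties are
    already bound by their commitments, so these are the only two options."""
    if any(commit(c) != m for c, m in zip(honest, commitments)):
        raise ValueError("reveal does not match commitment")
    return (round_output(honest + [attacker]), round_output(honest))

def chained_options(earlier_rounds, commitments, honest, attacker):
    """Hashing earlier rounds together with the last one adds no options:
    the final value is a fixed prefix plus whichever last-round output the
    last revealer selects, so it still has exactly two choices."""
    prefix = b"".join(earlier_rounds)
    return tuple(hashlib.sha256(b"final|" + prefix + o).digest()
                 for o in last_revealer_options(commitments, honest, attacker))

def success_rate(n_honest, trials, want_bit, seed=0):
    """Fraction of rounds in which the low bit of the output equals want_bit:
    about 3/4 for a last revealer using its one bit of influence, about 1/2
    for a participant who always reveals. Uses a seeded RNG for repeatability."""
    rng = random.Random(seed)
    rnd = lambda: rng.getrandbits(256).to_bytes(32, "big")
    biased = honest_hits = 0
    for _ in range(trials):
        honest = [rnd() for _ in range(n_honest)]
        commitments = [commit(c) for c in honest]
        attacker = rnd()
        with_att, without_att = last_revealer_options(commitments, honest, attacker)
        honest_hits += (with_att[-1] & 1) == want_bit
        biased += any((o[-1] & 1) == want_bit for o in (with_att, without_att))
    return biased / trials, honest_hits / trials
```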

