Oh yeah...that's nice and simple. 'Obvious', I guess. it has the nice feature too of being relatively subversion-proof, insofar as someone (or even many people) penetrating the group can not really influence the outcome. Meanwhile, there's no real external routine to trust (ie, you can check what everyone else promised and what their secret value was and what the modulo-math should be). So it's all verifiable without a 'higher authority'. Nice. Do such applications actually exist? -TD
From: "Hal Finney" <hal.finney@gmail.com> To: "Tyler Durden" <camera_lumina@hotmail.com> CC: cypherpunks@jfet.org Subject: Re: Confirming Random numbers? Date: Mon, 19 Feb 2007 09:01:21 -0800
Everybody commits to a value (e.g. broadcasts the SHA1 hash of a large random value); everybody reveals their values (and checks that they match everybody else's commitments); now add all the values modulo whatever your number of choices is, and you have a shared verifiably random number.
Now, there is one way to cheat this, which is to copy someone else's commitment (even without yet knowing their value) and then copy their value when it is revealed, thereby possibly forcing the choice to be even or whatever. So everyone should also check that all the commitments are different.
Hal
_________________________________________________________________ Refi Now: Rates near 39yr lows! $430,000 Mortgage for $1,399/mo - Calculate new payment http://www.lowermybills.com/lre/index.jsp?sourceid=lmb-9632-17727&moid=7581