This isn't enough. Somehow, you have to state that the values emitted on demand in any given round i (where a round consists of exactly one demand on all N member and produces a single output result) cannot receive any input from any other members. Otherwise, if N=2 and member 0 produces true random values that member 1 can see before it responds to the demand it received, then member 1 can cause the final result to be anything it likes.
In the case of malicious members who can snoop the inputs, Mal can get any result he wants if the combining function is XOR (or, with slightly more work, if it's a non-cryptographic checksum.) But if your combining function is a cryptographic hash, it's computationally difficult to do. However, even a hash isn't always enough - consider the case where the application of the random numbers only uses k of the N bits, and the attacker has enough time to try out 2**k (waving hands roughly here) different cases. So you may still need to design your protocols carefully. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
