On 11/12/15 12:48, Michael Rogers wrote:
> At the limit, if you run n! rounds there will be at least one round
> where a victim reveals last - the attacker has no influence on that
> round, and therefore no influence on the hashed output of all n! rounds.

Sorry, on second thoughts this doesn't work - the attacker's influence on the hashed output of multiple rounds is equal to their influence on the last round, so there's no advantage to running more than one round per output.

Another thought about commit-reveal: if each colluding attacker can influence one bit of the output (i.e. choose between two possible outputs) and there are n participants, are there any use cases where it's good enough to simply produce n+b bits of output containing at least b bits of entropy? (In other words, are there any use cases where the output just needs to contain a certain amount of entropy, as opposed to being uniformly distributed?)

Cheers,
Michael
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
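The point made in the message above, that hashing several rounds together leaves the last revealer with the same two-way choice, can be checked with a small simulation. This is an added example, not code from the thread; it assumes a withheld reveal is simply dropped from the hash input, that rounds are chained by hashing the previous output into the next, and the function names and the "low bit is 0" goal are made up for illustration.

```python
import hashlib
import random

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def rand_bytes(rng: random.Random, n: int) -> bytes:
    return rng.getrandbits(8 * n).to_bytes(n, "big")

def run_round(rng, n, attacker_last, prev=b""):
    """One commit-reveal round among n participants.

    Returns the outputs the last revealer can choose between.
    Assumption (not from the thread): a withheld reveal is dropped and
    the output is the hash of the values that were actually opened.
    """
    values = [rand_bytes(rng, 32) for _ in range(n)]
    nonces = [rand_bytes(rng, 16) for _ in range(n)]
    commits = [H(nc, v) for nc, v in zip(nonces, values)]
    # Reveal phase: each opening must match its commitment, so nobody can
    # change a value after committing; the only freedom left is to withhold.
    assert all(H(nc, v) == c for nc, v, c in zip(nonces, values, commits))
    full = H(prev, *values)         # everyone reveals
    short = H(prev, *values[:-1])   # the last participant withholds
    return (full, short) if attacker_last else (full, full)

def low_bit_zero_rate(rounds, attacker_last, trials=4000, n=5, seed=1):
    """Fraction of final outputs whose low bit is 0 (the attacker's goal).

    The attacker reveals last only in the final round; each round's output
    is hashed into the next, so the final value covers every round.
    """
    rng = random.Random(seed)  # constructed, seeded sample data
    hits = 0
    for _ in range(trials):
        out = b""
        for r in range(rounds):
            last = attacker_last and r == rounds - 1
            full, short = run_round(rng, n, last, out)
            # Keep the full output if it meets the goal, else withhold.
            out = full if full[-1] & 1 == 0 else short
        hits += out[-1] & 1 == 0
    return hits / trials

if __name__ == "__main__":
    print("honest, 1 round   :", low_bit_zero_rate(1, False))
    print("attacker, 1 round :", low_bit_zero_rate(1, True))
    print("attacker, 6 rounds:", low_bit_zero_rate(6, True))
```

With an honest last revealer the goal is met about half the time; with the attacker revealing last it is met about three quarters of the time, whether one round or six are hashed into the output.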
