combining entropy

Bill Stewart bill.stewart at
Tue Oct 28 18:27:05 EDT 2008

>This isn't enough.  Somehow, you have to state that the values emitted
>on demand in any given round i (where a round consists of exactly one
>demand on all N member and produces a single output result) cannot
>receive any input from any other members.  Otherwise, if N=2 and member
>0 produces true random values that member 1 can see before it responds
>to the demand it received, then member 1 can cause the final result to
>be anything it likes.

In the case of malicious members who can snoop the inputs,
Mal can get any result he wants if the combining function is XOR
(or, with slightly more work, if it's a non-cryptographic checksum.)
But if your combining function is a cryptographic hash,
it's computationally difficult to do.

However, even a hash isn't always enough - consider the case
where the application of the random numbers only uses k of the N bits,
and the attacker has enough time to try out 2**k (waving hands roughly here)
different cases.  So you may still need to design your protocols carefully.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list