Cryptographic coin flipping, now in Keybase

213 points by aston, about 6 years ago

22 comments

malgorithms, about 6 years ago
I'd be curious if people on HN would want a zero knowledge survey and voting system inside Keybase, and if so, what would it look like?

The background: we talk about it sometimes as a solution to a real problem: in certain teams and workplaces, people can be afraid to give honest feedback (who dares to submit an "anonymous" survey to HR?), but Keybase may be in a unique position to let people in a group give written feedback, vote on something important, or rate an experience. Without any risk of exposing identity, short of writing something identifiable in a text field.

I'd be curious, personally, to see management get a yearly vote of [no] confidence, for example. Is that crazy?

Keep in mind we are mostly focused right now on user experience and performance improvements. But we allocate a certain amount of time to cryptographic features that just aren't possible in other software, such as this coin flip thing. We've been talking about voting and surveys, too.
mr_puzzled, about 6 years ago
Has Keybase lost its way? I thought they were onto something cool and maybe could explore an enterprise play with private chats, filesharing and git for teams or something like that. Basically make money by selling to teams. But Keybase seems to have stagnated, existing apps are still quite buggy, not enough new developments recently. The facepalm moment for me was when they announced they were supported by the Stellar foundation. I lost all hope then and there. I get that you guys are buddies with the Stellar folk, you think Stellar is cool etc but an objective analysis leads to only one answer: don't do it, you'll regret it. Maybe add it as a feature (Stellar integration) but don't go all in. Speaking of Stellar, still no integration after 1 year?? Focus on what you have and start making money. So, what went wrong malgorithms?

(Sorry if this sounds harsh or rude, there's no point in sugar coating the truth. Hopefully the Keybase team reads this criticism and does a little soul searching.)
floren, about 6 years ago
I use Keybase daily and really like it, but of course the more I use it the more I fear it'll go away. Are they actually making any money off it yet, or will they eventually run out and fail to switch over to paid accounts in time before the company evaporates?
oh_sigh, about 6 years ago
Is this a problem with commitment schemes?

I want a heads to come up. I add a couple of hacked members to the group, so there are 3 honest members, and let's say 3 coordinated dishonest members.

Everyone shares their commitment hash, and the dishonest members share their actual commitments amongst themselves. Once everyone has the commitment hashes, the 3 honest members broadcast their commitment. The three dishonest members now have everyone's commitments, but honest members only have other honest member commitments. Dishonest members compute the ultimate value - if it turns up heads, then they just share their commitments with everyone, and the final answer is heads.

If it turns up tails, then the dishonest members compute possible permutations of various dishonest members dropping out and never sending their commitments. So maybe if dishonest member 1 drops out, the resultant value from just the group of 5 would be heads. So dishonest member 2 and 3 share their commitments and dishonest member 1 goes offline.

So, this system will work when it is composed of only people you trust, but will not work when it may be composed of people you don't trust. And if you trust everyone in it, why go through this process in the first place? And if you decide that when someone drops out and doesn't share their commitment, you just have to rerun the algorithm, then you have just given a very easy way to give the dishonest people a way to spike your coin flipper, so that no one can ever get a value out of it, or the dishonest members can just keep dropping out until they encounter a round where the final value is determined to be heads.
wildmanx, about 6 years ago
>> Who invented commitment schemes?

> ~My wife~ Not sure.

Seriously? You work professionally in the crypto space and don't know where this is from? Or don't feel it's important to attribute such fundamental ideas to the appropriate people? If you really don't know, a quick google would have educated you. But what I fear to be more likely is that you apparently just don't give a damn.

For anybody remotely interested, look up Manuel Blum's work, e.g. "Coin flipping by telephone" presented at CRYPTO 1981. ACM Turing Award.

Or Rivest, Shamir, Adleman, "Mental Poker". Oh, those guys also got the ACM Turing Award.
RawaHorse, about 6 years ago
This may not be the intended use of your application, but I organize a local bdsm group (if unfamiliar, do not Google this at work), and we appreciate the security offered very much.

We can even think of a few "fun" uses of this new feature.
kannanvijayan, about 6 years ago
There's a slight variation on this that I had pondered for designing a distributed election algorithm. I'm sure the idea is not novel, but it would be nice to know what work has been done on it.

The goal is to fairly select some candidate from a set of candidates. Each candidate `Ci` generates a UUID `Ui`. The hash of their UUID `hash(Ui)` is published by each candidate. Once all hashes have been collected, each candidate reveals the verifiable original UUID to all the others.

Each candidate then concatenates these UUIDs together (after normalizing the sequence in some way - e.g. sorting), and produces a selector code: `H = hash(U1 ++ U2 ++ ... ++ Uk)`. Finally, the selected candidate is simply the one whose UUID is the closest to `H` under some distance metric.

I tinkered a bit with adapting it for situations where the candidate set could shrink during the selection process (i.e. a candidate drops out), but didn't really pursue it much.
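A sketch of the selection scheme kannanvijayan describes, added here as an example (not code from the thread or from Keybase). SHA-256, the XOR distance metric, truncating `H` to 128 bits and all function names are assumptions; the duplicate-UUID check is an addition that rejects a candidate who copies another candidate's published hash and reveal.

```python
import hashlib, hmac, uuid

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()           # assumed hash; the comment only says hash()

def elect(commitments: dict, reveals: dict) -> str:
    """commitments: name -> hash(Ui); reveals: name -> Ui (16 raw bytes). Returns the winner."""
    if set(commitments) != set(reveals):
        raise ValueError("missing or unexpected reveal; selection cannot complete")
    for name, u in reveals.items():
        if not hmac.compare_digest(h(u), commitments[name]):
            raise ValueError(f"{name}: revealed UUID does not match published hash")
    if len(set(reveals.values())) != len(reveals):
        raise ValueError("duplicate UUIDs: a commitment was copied")
    # H = hash(U1 ++ U2 ++ ... ++ Uk), with the sequence normalized by sorting
    selector = h(b"".join(sorted(reveals.values())))
    target = int.from_bytes(selector[:16], "big")  # truncate H to UUID width (assumption)

    def distance(name: str) -> int:
        # XOR distance (assumption): never ties for distinct UUIDs
        return int.from_bytes(reveals[name], "big") ^ target

    return min(sorted(reveals), key=distance)

def demo():
    # Constructed candidates; each would generate its own UUID locally.
    reveals = {name: uuid.uuid4().bytes for name in ("C1", "C2", "C3", "C4")}
    commitments = {name: h(u) for name, u in reveals.items()}   # published first
    return elect(commitments, reveals)

if __name__ == "__main__":
    print("selected:", demo())
```

Because every check raises instead of skipping the offending candidate, a withheld reveal stops the selection here; the shrinking-candidate-set variant the comment mentions is not covered.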
rodrigosetti, about 6 years ago
I like the UI, but I find the blog post example - flip a coin to see who will donate a kidney - a little distasteful.
tuxxy, about 6 years ago
I don't really understand why they use HMAC-SHA256. Why do many schemes decide to do this needlessly when they can use SHA3 or Blake2b?
tosh, about 6 years ago
this is brilliant AND super useful.

also love the details like “flip again”
lavrov, about 6 years ago
It seems like a VRF might be a more natural choice than a commitment scheme for verifiable randomness, since it doesn't require any honesty assumption for participants, and Keybase already manages keys (though maybe it would be a problem if participants could change keys midway through the ceremony).
insomniacity, about 6 years ago
@malgorithms - Could you consider buying or integrating Cryptpad? [1]

It would give you an office suite play very very quickly - I can only see it as a winner.

[1] https://github.com/xwiki-labs/cryptpad
ummonk, about 6 years ago
I've thought about trustless lotteries quite a bit, and haven't really come up with a solution that works without using head-to-head brackets.

> A bad actor can't change the outcome of a flip but could prevent it from resolving.

The post glosses over this but it can get pretty bad. E.g. 99 actors have revealed their seeds and then the 100th decides whether to reveal or not, based on whether they or their confederates will be the winner after that final reveal.
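An added simulation (not from the thread or from Keybase's code) of the last-revealer situation that oh_sigh and ummonk describe above, comparing two resolution policies: carrying on without members who withhold their reveal, and refusing to publish any result when a committed member withholds. The SHA-256 commitment, the member names and the seeded generator are assumptions made for the demo.

```python
import hashlib, hmac, random
from itertools import combinations

def commit(secret: bytes) -> bytes:
    # Constructed commitment for this sketch: SHA-256 over a 32-byte random secret.
    return hashlib.sha256(secret).digest()

def resolve(commitments, reveals, abort_on_missing):
    """XOR the low bits of the revealed secrets; odd = TAILS. None = flip did not resolve."""
    parity = 0
    for name, digest in commitments.items():
        secret = reveals.get(name)
        if secret is None:
            if abort_on_missing:
                return None          # a committed party withheld: publish no result
            continue                 # lenient policy: carry on without them
        if not hmac.compare_digest(commit(secret), digest):
            raise ValueError(f"{name}: reveal does not match commitment")
        parity ^= secret[-1] & 1
    return "TAILS" if parity else "HEADS"

def colluders_outcome(commitments, honest, colluders, abort_on_missing):
    """Colluders reveal last and withhold whichever subset makes the result HEADS."""
    for k in range(len(colluders), -1, -1):          # withhold as few reveals as possible
        for keep in combinations(colluders, k):
            reveals = {**honest, **{n: colluders[n] for n in keep}}
            if resolve(commitments, reveals, abort_on_missing) == "HEADS":
                return "HEADS"
    return resolve(commitments, honest, abort_on_missing)   # nothing helps: all withhold

def simulate(trials, abort_on_missing, seed=1):
    rng = random.Random(seed)        # seeded so the demo repeats; a real client needs a CSPRNG
    tally = {"HEADS": 0, "TAILS": 0, None: 0}
    for _ in range(trials):
        secret = {n: rng.getrandbits(256).to_bytes(32, "big")
                  for n in ("h1", "h2", "h3", "d1", "d2", "d3")}
        commitments = {n: commit(s) for n, s in secret.items()}
        honest = {n: s for n, s in secret.items() if n.startswith("h")}
        colluders = {n: s for n, s in secret.items() if n.startswith("d")}
        tally[colluders_outcome(commitments, honest, colluders, abort_on_missing)] += 1
    return tally

if __name__ == "__main__":
    print("proceed without dropouts:", simulate(2000, abort_on_missing=False))
    print("abort on missing reveal: ", simulate(2000, abort_on_missing=True))
```

With three withholders the lenient policy resolves HEADS in about 15 of 16 flips, while the abort policy never publishes a result the full set of reveals would not have produced: the bias becomes a visible failure to resolve, which is the denial-of-service and rerun concern raised in both comments.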
chowells, about 6 years ago
I see a flaw with that prng scheme. Since AES is reversible, the 128-bit blocks that make up the output cannot repeat. The output is a permutation of distinct 128-bit blocks. Early in the sequence that only matters a tiny bit, but the longer it goes, the more that tells you about possible upcoming values.
yincrash, about 6 years ago
@malgorithms, what are the colored bars from each participant? Is it a colored representation of the hashes?
LK83, about 6 years ago
I got lost on the line "If the final answer is odd, the flip is TAILS." For example: Alice flips 1 for tails. Barb/Charlie/Danika flip 0. Why is the answer tails when most of the people flipped 0 for heads? Why use XOR instead of just taking the most common answer?
Grue3, about 6 years ago
Seems like overkill. Just declare your guesses and use a third party to generate coin flip/dice roll. In fact this functionality is built-in in a number of chat clients.
latchkey, about 6 years ago
How is this different from provably fair? https://dicesites.com/provably-fair
emmelaich, about 6 years ago
> The Keybase app can deal M cards into N labeled hands. I don't know what you would do with that, but enjoy.

Is he being coy here? I mean - poker, right?
lrvick, about 6 years ago
I'll add my usual reminder here that keybase is a proprietary walled garden that made up its own crypto standards and protocols on many levels leading to dangerous design flaws like this one: https://github.com/keybase/keybase-issues/issues/1946
stackzero, about 6 years ago
How does this address the last revealer problem?
imcotton, about 6 years ago
echo -n