This is a cryptography problem I haven't solved yet.[1] Maybe there is some background research in distributed computing that I don't know about yet.<p>The State of Utopia is a distributed, AI-run, Utopian state, and has certain scarce resources such as citizenships and money that in the interest of fairness must sometimes be granted by lottery, since there is no such thing as half a citizenship for example, or it might have a Universal Basic Income level that it sets in an experiment and only has money to give to a certain number of people, and it doesn't scale to trying to run the experiment on everyone at once.<p>However, absent trust, there is a problem with attackers who want to compromise the entire system to choose their own lottery winner - for example so they can set up a corrupt black market where they choose the lottery winners and require payment for their choice. Or they can just choose themselves as winners.<p>How could the population of Utopia trust the random number which represents the lottery winner (for example that the winner is entrant number 562,354? For example, if you are a citizen of Utopia and there are 1 million entrants for something valuable that is given by distributed lottery, how can you be assured you have an equal chance of winning it as the other 999,999 people?<p>One scheme could be to pick the closing stock prices (to the penny) of some leading stocks on a given day that hasn't occurred yet, such as next Wednesday's closing penny prices on ten different stocks. However, this form of "entropy" is still not totally distributed because perhaps someone could influence that specific ledger, adjusting the final pennies to their satisfaction? Perhaps state actors could infiltrate and corrupt any specific source of entropy? They could infiltrate and corrupt the stock market. It's not really zero-trust. Cryptographically speaking, it's something that could theoretically be controlled.<p>Hence we began to propose a DISTRIBUTED ONE TIME PAD that operates on the following basis:<p>1. Everyone chooses a one time pad of the required number of bits to account for the amount of entropy required. For example if there are 8 billion possible people, then 33 bits are required to choose one at random.<p>2. Everyone encrypts their chosen OTP with AES-256-GCM, for example using this application[1]. They choose the password of their choice. They disclose the encrypted version and retain their private key secretly.<p>3. Once these are ALL published a public ledger is published with everyone's encrypted text.<p>4. Once the ledger is published, everyone must reveal their private key for the published OTP.<p>5. With all the passwords now revealed, they are all decrypted all at once.<p>The 33 bits of the plaintext OTP's are then applied via xor operations to arrive at the final random solution.<p>Since xor is commutative, if any of the OTP's are random it can be considered that it is applied at the last step, and "fully" determines the final chosen number. In other words, if any - even a single one - of the OTP's was random then the whole scheme is random, since it can be considered that that was the last one to be applied to the rest of the batch. (you can reorder xor operations with the same result). That means as an individual citizen, you "fully determine", the final winner, and the same is true for every other citizen on an equal basis. It is guaranteed to be really as random as any of the OTP's.<p>I got that far but then I got stuck.<p>Where this fails: if any of the passwords are not revealed then those can be withheld in order to influence the final result.<p>continued in a comment.