by XR0CSWV3h3kZWg 2978 days ago
There is a lot of hate for the trusted party set up of this, which seems reasonable.

It seems like you could create a dead man's switch using arbitrary participants. You distribute a secret to every participant and then to attempt to activate the dead man's switch they raise k to the power s mod p and pass it to the next participant. As long as you act as a participant each time and raise the passed value to some invalid s then the answer that is arrived at won't be the final secret.

As long as you participate every round the wrong answer will be arrived at, but as soon as you don't participate the right answer will be arrived at.

Any singular party refusing to cooperate would destroy the deadman's switch so malicious activation would be tough.

Designing it so it can tolerate failures would be the hard part.

EDIT: I am wrong, this isn't that great. It's really hard to hide information that can be recovered without a secret being revealed.

2 comments
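As an added illustration that is not part of the thread, here is a toy Python model of the chained-exponentiation switch described in the post, with a constructed prime, base, shares and poisoning exponent; it checks why the poisoning step does not give the owner a veto (the honest hops commute, so skipping the owner yields the same secret, and an owner placed last receives the secret before poisoning it).

```python
# Added toy model of the chained-exponentiation "dead man's switch" from the
# post above. Prime, base, shares and the poisoner's exponent are all
# constructed for illustration, not values from the thread.
P = 1_000_003          # constructed prime modulus
K = 5                  # constructed public base handed to the first participant
SHARES = {"A": 11, "B": 23, "C": 37, "D": 53}   # constructed per-participant secrets
POISON = 7             # the invalid exponent the switch owner injects

def run_chain(base, exponents, p=P):
    """Pass a value down the chain: each participant raises what it
    received to its exponent mod p. Returns every value handed on."""
    handed_on, acc = [], base
    for e in exponents:
        acc = pow(acc, e, p)
        handed_on.append(acc)
    return handed_on

def analyse():
    legit = [SHARES[n] for n in ("A", "B", "C", "D")]
    secret = run_chain(K, legit)[-1]          # a run without the owner yields this

    # Owner inserted between C and D with an invalid exponent: wrong answer.
    poisoned = run_chain(K, legit[:3] + [POISON] + legit[3:])[-1]

    # Weakness 1: C hands the value straight to D, skipping the owner.
    skipped = run_chain(K, legit[:3] + legit[3:])[-1]

    # Weakness 2: the chain commutes, so any ordering of the honest
    # participants, run without the owner, reaches the same secret.
    reordered = run_chain(K, list(reversed(legit)))[-1]

    # Weakness 3: if the owner is the last hop, the secret already exists
    # in the value handed to them before they can poison it.
    as_last = run_chain(K, legit + [POISON])
    return {
        "poison_changes_result": poisoned != secret,
        "skipping_owner_recovers_secret": skipped == secret,
        "order_independent": reordered == secret,
        "secret_visible_before_last_hop": as_last[-2] == secret,
    }

if __name__ == "__main__":
    for check, ok in analyse().items():
        print(f"{check}: {ok}")
```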

So, sort of like a secret generating linked list, where one node (you) are a bad actor?

What prevents the participant right before you from simply circumventing you or secretly passing to the next participant directly?

It also seems that once someone receives the correct answer for their step in the chain, they no longer need anyone beneath them?

(A) -> (B) -> (C) -> (you) -> (D)

Once C has participated in this one time, why do they need A or B?

Good point. You'd likely want to also encode something that is opaque as to who exactly has participated, only really show whether this is the last step, and a way for individuals to tell if they have already added their secret.

The really bad part would be that if the poisoner happens to be the last step then the final step would produce the secret before handing it to be poisoned.

I built exactly what you’ve described, using semi-homomorphic encryption (addition of integers, used plainly as we were under the noise threshold of participants). Luckily for me though, I got to punt on some of the really hard questions of trust — the nodes that were communicating are adversarial, but the outside “organising” network was the government and “us” (company I worked for). It’s a really fun problem. I highly recommend taking a crack at it, or even just reading the literature regarding digital voting — you need to prove that one vote was cast for a given person, and no more, without ever tying back any specific vote to said person, and with a huge range of attack vectors!

Was this a traceable ring signature[1], or something different?

[1] https://en.wikipedia.org/wiki/Ring_signature#Applications_an...

Neat! Thanks for sharing.

What's to stop the other parties from simply running a round without you in order to find out what the secret is?