So yesterday I found this file for implementing a very basic SHA256 hash:

https://geraintluff.github.io/sha256/

I was like:

There's no way it could be that easy.

So I imported this file into my Pentaskill project and it works just fine... now when I want to SHA256 something I just have to call sha256(string). Any string within the parenthesis will be correctly hashed.

---

Here's the gist:

The game chooses a "random" password for you. I'm currently accomplishing this by stringing together seven Math.random() numbers.

let password = Math.random().toString() + Math.random() + Math.random()
        + Math.random() + Math.random() + Math.random() + Math.random()

This creates a temporary password that looks like this:

0.26136931224506330.45915930834004650.434700530100574860.49199955500146950.265132226698565840.7101468499170840.5592527954009965

The game has five choices.

'skill1' || 'skill2' || 'skill3' || 'skill4' || 'skill5'

The password is appended to the skill you select:

skill30.26136931224506330.45915930834004650.434700530100574860.49199955500146950.265132226698565840.7101468499170840.5592527954009965

This information is then hashed with SHA256 and posted to the blockchain.
d167f134306a5562d4e6bd3dcf8baf62efc7b529795e15685ab5f79298db6900

The idea here is that now your opponent has no idea what skill you picked. Once both players post their hashes to the blockchain the client automatically reveals the original password. Both clients then reverse engineer the passwords back into the skills chosen.

This is accomplished by creating the five possible SHA256 hashes that could be created with the password. The hash that matches the one posted to the blockchain is the skill that the opponent picked.

function decipher(password, hash){
    // Use temporary password provided by villain to confirm skill selection.
    // returns 'skill1' || 'skill2' || 'skill3' || 'skill4' || 'skill5'
    for(let s = 1; s <= 5; s++){
        let skill = 'skill' + s
        if( sha256(skill+password) === hash ){
            return skill
        }
    }
    console.error('Player cheated or bug: skill not found in decipher()');
    return undefined
}

Security

Is this secure? Truth be told, I have no idea. I'm hoping my game will gain some traction within the community and other more experienced programmers will help me out with some of this stuff.

However, it is already common knowledge that basic random number generators like Math.random() are not truly random and can be hacked. At the same time, blocks on Steem only get posted once every three seconds and random numbers are based on time down to the millisecond, so I think this would make it a lot harder to guess what seed the algorithm was using. In addition, it won't be that hard to change how random passwords are created in the future.

Possible for password reveal cheating?

Another question I have to ask myself is:

Is it possible that someone could figure out multiple passwords that have the same SHA256 hash?

If this was possible it means that hackers could post a hash to the blockchain and then change their skill selection after the fact. However, I don't think this is possible probable and, if it is, there are various signals on the blockchain that would indicate cheating such as using the same password more than one time and the client waiting longer than it should to reveal the password.

I can add more security later. For now, this feels like a 'good-enough' solution.

@lottoshi

Another really important aspect of this development is that it now opens up the door to continue my decentralized @lottoshi lottery. Essentially, once i figure out how to connect to a few trustworthy Bitcoin nodes I can use the unhackable random number generation that is the product of POW mining to run a decentralized and provably fair lottery.

Thus far I've been all talk but I hope that soon™ I'll be able to bring some real value to this platform.