Pentaskill: SHA256 Implemented

in gaming •  8 months ago 

So yesterday I found this file for implementing a very basic SHA256 hash:

I was like:

There's no way it could be that easy.

So I imported this file into my Pentaskill project and it works just fine... now when I want to SHA256 something I just have to call sha256(string). Any string within the parenthesis will be correctly hashed.

Here's the gist:

The game chooses a "random" password for you. I'm currently accomplishing this by stringing together seven Math.random() numbers.

let password = Math.random().toString() + Math.random() + Math.random()
        + Math.random() + Math.random() + Math.random() + Math.random()

This creates a temporary password that looks like this:


The game has five choices.

'skill1' || 'skill2' || 'skill3' || 'skill4' || 'skill5'

The password is appended to the skill you select:


This information is then hashed with SHA256 and posted to the blockchain.

The idea here is that now your opponent has no idea what skill you picked. Once both players post their hashes to the blockchain the client automatically reveals the original password. Both clients then reverse engineer the passwords back into the skills chosen.

This is accomplished by creating the five possible SHA256 hashes that could be created with the password. The hash that matches the one posted to the blockchain is the skill that the opponent picked.

function decipher(password, hash){
    // Use temporary password provided by villain to confirm skill selection.
    // returns 'skill1' || 'skill2' || 'skill3' || 'skill4' || 'skill5'
    for(let s = 1; s <= 5; s++){
        let skill = 'skill' + s
        if( sha256(skill+password) === hash ){
            return skill
    console.error('Player cheated or bug: skill not found in decipher()');
    return undefined


Is this secure? Truth be told, I have no idea. I'm hoping my game will gain some traction within the community and other more experienced programmers will help me out with some of this stuff.

However, it is already common knowledge that basic random number generators like Math.random() are not truly random and can be hacked. At the same time, blocks on Steem only get posted once every three seconds and random numbers are based on time down to the millisecond, so I think this would make it a lot harder to guess what seed the algorithm was using. In addition, it won't be that hard to change how random passwords are created in the future.

Possible for password reveal cheating?

Another question I have to ask myself is:

Is it possible that someone could figure out multiple passwords that have the same SHA256 hash?

If this was possible it means that hackers could post a hash to the blockchain and then change their skill selection after the fact. However, I don't think this is possible probable and, if it is, there are various signals on the blockchain that would indicate cheating such as using the same password more than one time and the client waiting longer than it should to reveal the password.

I can add more security later. For now, this feels like a 'good-enough' solution.


Another really important aspect of this development is that it now opens up the door to continue my decentralized @lottoshi lottery. Essentially, once i figure out how to connect to a few trustworthy Bitcoin nodes I can use the unhackable random number generation that is the product of POW mining to run a decentralized and provably fair lottery.

Thus far I've been all talk but I hope that soon™ I'll be able to bring some real value to this platform.

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Yes it is possible that two different words have the same hash, otherwise the hash function would be a 1 to 1 function ( so invertible), but if the hash function is set properly it is very difficult to find two different words with the same hash, but not impossible.
not probable is different from impossible!! :)

Indeed, although considering the 16^64 possibilities hopefully that puts me in the clear.

Yes sure 16^64 is an unimaginably large number, so you can stay pretty quiet :)
But in any case do a lot of tests