[Search] [txt|pdf|bibtex] [Tracker] [WG] [Email] [Nits]

Versions: 00 01 02 03 04 rfc2777                                        
Network Working Group                             Donald E. Eastlake 3rd
INTERNET-DRAFT                                              October 1998
                                                      Expires April 1999

                  Publicly Verifiable Random Selection
                  -------- ---------- ------ ---------

                          Status of this Memo

   This draft, file name draft-eastlake-selection-00.txt, is intended to
   become an Informational RFC.  Distribution of this document is
   unlimited. Comments should be sent to the author.

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months.  Internet-Drafts may be updated, replaced, or obsoleted by
   other documents at any time.  It is not appropriate to use Internet-
   Drafts as reference material or to cite them other than as a
   ``working draft'' or ``work in progress.''

   To view the entire list of current Internet-Drafts, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
   Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
   Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).


   This document describes a method for making random selections in such
   a way that the unbiased nature of the choice is publicly verifiable.
   As an example, the selection of the voting members of the IETF
   Nominations Committee from the pool of eligible volunteers is used.
   Similar techniques would be applicable to other cases.

Donald E. Eastlake 3rd                                          [Page 1]

INTERNET-DRAFT        Verifiable Random Selection           October 1998

Table of Contents

      Status of this Memo........................................1

      Table of Contents..........................................2

      1. Introduction............................................3

      2. General Flow of Publicly Verifiable Process.............4
      2.1 Determination of the Pool..............................4
      2.2 Publication of the Algorithm...........................4
      2.3 Publication of Selection...............................4
      3. Sources of Randomness...................................5
      4. A Sample Precise Algorithm..............................5
      5. Fully Worked Example....................................6
      6. Security Considerations.................................8

      7.  Reference Code.........................................9

      Author's Address..........................................13
      File name and Expiration..................................13

Donald E. Eastlake 3rd                                          [Page 2]

INTERNET-DRAFT        Verifiable Random Selection           October 1998

1. Introduction

   Under the current IETF rules, each year 10 persons are randomly
   selected from among the eligible persons who volunteer to be the
   voting members of the nominations committee (NomCom) to nominate
   members of the Internet Engineering Steering Group (IESG) and the
   Internet Architecture Board (IAB) [RFC 2282].  The number of eligible
   volunteers in recent years has varied in the approximate range of 40
   to 60.

   It is highly desireable that the random selection of the voting
   NomCom be done in a unimpeachable fashion so that no charges of bias
   or favoratism can be brought.  This is for the protection of the IETF
   from bias and protection of the adminstrator of the selection
   (currently, the appointed non-voting NomCom chair) from suspicion of

   A method such that public information will enable any person to
   verify the randomness of the selection meets this criterion.  This
   document gives an examaple of such a method.

Donald E. Eastlake 3rd                                          [Page 3]

INTERNET-DRAFT        Verifiable Random Selection           October 1998

2. General Flow of Publicly Verifiable Process

   In general, a selection of NomCom members publicly verifiable as
   unbiased or similar selection could follow the three steps given

2.1 Determination of the Pool

   First, you need to determine the pool from which the selection is to
   be made.

   Volunteers are solicited by the appointed (non-voting) NomCom chair.
   Their names are then passed through the IETF Secretariat to check
   eligibility.  (Current eligibility criteria relate to IETF meeting
   attendence, records of which are maintained by the Secretariat.) The
   full list of eligible volunteers is made public early enough that
   there is a reasonable time to resolve any disputes as to who should
   be in the pool, probably a week to ten days before the selection.

2.2 Publication of the Algorithm

   The exact algorithm to be used, including the public sources of
   randomness, is made public.  For example, the members of the final
   list of eligible volunteers are ordered by numbering them, several
   public future sources of randmoness such as government run lotteries
   are specified, and an exact algorithm is specified whereby elegible
   volunteers are selected based on a strong hash function [RFC1750] of
   these future sources of randmoness.

2.3 Publication of Selection

   When the prespecified sources of randomness produce their output,
   those values plus a summary of the execution of the algorithm for
   selection should be announced so that anyone can verify that the
   correct randomness source values were used and the algorithm properly
   executed.  To finalize the output and provide a stable NomCom, a cut
   off time should be specified such that any complaint that the
   algorithm was run with the wrong inputs or not faithfully executed
   must be made before that cut off.

Donald E. Eastlake 3rd                                          [Page 4]

INTERNET-DRAFT        Verifiable Random Selection           October 1998

3. Sources of Randomness

   The crux of the unbiased nature of the selection is that it is based
   exactly on random information which will be revealed in the future
   and thus can not be known to the person specifying the algorithm by
   which that random information will be used to select the NomCom
   members.   The random information must be such that it will be
   publicly revealed in a timely fashion.

   Examples of such information are lottery winning numbers for
   specified runnings of specified lotteries.  Particularly for
   government run lotteries, great care is usually taken to see that
   they produce random quantities.  Even in the unlikely case one were
   to have been rigged, it would almost certainly be in connection with
   winning money in the lottery, not in connection with IETF use.

   Other possibilities are such things as the closing price of a stock
   on a particular day, daily balance in the US Treasury on a specified
   day, the volume of trading on the New York Stock exchange on a
   specified day, etc. (However, the reference code given below will not
   handle integers that are too large.) Sporting events can be used but
   only with care to specify exactly what quantities are being presumed
   random and what will be done if they are cancelled or delayed.

   The random sources should not include anything that any reasonable
   person would believe to be under the control or influence of the IETF
   or its components, such as IETF meeting attendance statistics,
   numbers of documents issued, or the like.

4. A Sample Precise Algorithm

   It is important that a precise algorithm be given for mixing the
   random sources specified and making the selection based thereon.
   Suggested sources above each produce either a single positive number
   (i.e., US Treasury balance) or a small set of positive numbers (many
   lotteries provide 6 numbers in the range of 1 through 40 or the like,
   a sporting event could produce the scores of two teams, etc.).
    A sample precise algorithm is as follows:

   For each source producing multiple numeric values, represent each as
   a decimal number terminated by a period (or with a period separating
   the whole from the fractional part) and without leading zeroes
   (except for a single leading zero if the integer is zero) or trailing
   zeroes after the period, order then from smallest to the largest and
   concantenate them followed by a "/".  For each source producing a
   single number, simply represent it as above with a trailing "/"..  At
   this point you have a string for each source, say s1, s2, ...

Donald E. Eastlake 3rd                                          [Page 5]

INTERNET-DRAFT        Verifiable Random Selection           October 1998

   Concatente these strings in a pre-specified order and represent each
   character as its ASCII code producing s1/s2/.../.

   You can then produce a sequence of random values derived from a
   strong mixing of these sources by calculating the MD5 hash [RFC1321]
   of this string prefixed and suffixed with a zero byte for the first
   value, the string prefixed and suffixed by a 0x01 byte for the second
   value, etc.  Treat each of these derived random values as a positive
   multiprecision integer.  If there are N eligible volunteers, select
   the first voting member by dividing the first derived random value by
   N and using the remainder plus one as the position of the selectee in
   the ordered list.  Select the second voting member by dividing the
   second derived random value by N-1 and using the remainder plus one
   as the position of the selectee in the list with the first selectee
   eliminated.  Etc.

   It is recommended that alphanumeric random sources be avoided due to
   the greater difficulty in canonicalizing them in an independently
   repeatable fashion; however, if any are used, all white space,
   punctuation, and special characters should be removed and all letters
   set to upper case. This will leave only an unbroken sequence of
   letters A-Z and digits 0-9 which can be treated as a canonicalized
   number above and suffixed with a "/".

5. Fully Worked Example

   Ordered list of 25 eligible volunteers:

         1. John         11. Pollyanna       21. Pride
         2. Mary         12. Pendragon       22. Sloth
         3. Bashful      13. Pandora         23. Envy
         4. Dopey        14. Faith           24. Anger
         5. Sleepy       15. Hope            25. Kasczynski
         6. Grouchy      16. Charity
         7. Doc          17. Love
         8. Sneazy       18. Longsuffering
         9. Handsome     19. Chastity
        10. Cassandra    20. Smith

Donald E. Eastlake 3rd                                          [Page 6]

INTERNET-DRAFT        Verifiable Random Selection           October 1998

   Ordered list of randomness sources:
       1. Massachusetts Mass Millions lottery six winning numbers
   (ignoring the seventh "extra" number) for 1 October 1998.
       2. Numbers of the winning horses at Hialeia for all races for the
   first day on or after x October 1998 on which at least two races are
       3. The Massachusetts State Lottery daily number for 1 October
   1998 treated as a single four digit integer.
       4. Closing price of Example Company stock for the first business
   day after x October 1998 when it trades.

   Randomness publicly produced:
       Source 1:  9, 18, 26, 34, 41, 45
       Source 2:  2, 5, 12, 8, 10
       Source 3:  9319
       Source 4:  13 11/16

   Resulting key string:

   The table below gives the hex of the MD5 of the above key string
   bracketed with a byte whose value is successively 0x00, 0x01, 0x02,
   through 0x09.  The divisor for the number size of the remaining pool
   at each stage is given and the index of the selectee as per the
   original number of those in the pool.

   index        hex value of MD5        div  selected
    1  746612D0A75D2A2A39C0A957CF825F8D  25  -> 12 <-
    2  95E31A4429ED5AAF7377A15A8E10CD9D  24  ->  6 <-
    3  AFB2B3FD30E82AD6DC35B4D2F1CFC77A  23  ->  8 <-
    4  06821016C2A2EA14A6452F4A769ED1CC  22  ->  3 <-
    5  94DA30E11CA7F9D05C66D0FD3C75D6F7  21  ->  2 <-
    6  2FAE3964D5B1DEDD33FDA80F4B8EF45E  20  -> 24 <-
    7  F1E7AB6753A773EFE46393515FDA8AF8  19  -> 11 <-
    8  700B81738E07DECB4470879BEC6E0286  18  -> 19 <-
    9  1F23F8F8F8E5638A29D332BC418E0689  17  -> 15 <-
   10  61A789BA86BF412B550A5A05E821E0ED  16  -> 22 <-

   Resulting selection, in order selected:

         1. Pendragon (12)     6. Anger (24)
         2. Grouchy (6)        7. Pollyanna (11)
         3. Sneazy (8)         8. Chastity (19)
         4. Bashful (3)        9. Hope (15)
         5. Mary (2)          10. Sloth (22)

Donald E. Eastlake 3rd                                          [Page 7]

INTERNET-DRAFT        Verifiable Random Selection           October 1998

6. Security Considerations

   Careful choice of should be made of randomness inputs so that there
   is no reasonable suspicion that they are under the control of the
   administrator.  And equal care needs to be given that the algorithm
   selected is faithfully executed with the designated inputs values.
   Publication of the results and a week or so window for the community
   of interest to duplicate the calculations should give a reasonable
   assurance against implementation tampering.

Donald E. Eastlake 3rd                                          [Page 8]

INTERNET-DRAFT        Verifiable Random Selection           October 1998

7.  Reference Code

   This code makes use of MD5 reference code from RFC 1321.

   #include <limits.h>
   #include <stdio.h>
   #include <stdlib.h>
   #include <string.h>

   #include "global.h"
   #include "MD5.h"

   /* local prototypes */
   int longremainder ( unsigned char divisor,
                       unsigned char dividend[16] );
   int getinteger ( char *string );

   /* limited to 16 inputs of up to sixteen integers each */
   main ()
   int            i, j,  k, k2, err, keysize, pool, selection;
   unsigned char    unch, uc16[16], remaining;
   char        *selected;
   long int     temp, array[16];
   MD5_CTX    ctx;
   char        buffer[257], key [525];

   pool = getinteger ( "Type size of pool:\n" );
   if ( pool > 255 )
       printf ( "Pool too big.\n" );
       exit ( 1 );
   selected = (char *) malloc ( pool );
   if ( !selected )
       printf ( "Out of memory.\n" );
       exit ( 1 );
   selection = getinteger ( "Type number of items to be selected:\n" );
   if ( selection > pool )
       printf ( "Pool too small.\n" );
       exit ( 1 );
   if ( selection == pool )
       printf ( "All of pool is selected.\n" );
       exit ( 0 );

Donald E. Eastlake 3rd                                          [Page 9]

INTERNET-DRAFT        Verifiable Random Selection           October 1998

   for ( i = 0, keysize = 0; i < 16; ++i )
       if ( keysize > 500 )
           printf ( "Too much input.\n" );
           exit ( 1 );
       /* get the "random" inputs. echo back to user so the user may
          be able to tell if truncation or other glitches occur.  */
       printf ( "Type #%d randomness or 'end' followed by new line.\n"
           "Up to 16 integers or the word 'float' followed by the\n"
           "before and after decimal point parts.\n", i+1 );
       gets ( buffer );
       j = sscanf ( buffer,
           &array[0], &array[1], &array[2], &array[3],
           &array[4], &array[5], &array[6], &array[7],
           &array[8], &array[9], &array[10], &array[11],
           &array[12], &array[13], &array[14], &array[15] );
       if ( j == EOF )
           exit ( j );
       if ( !j )
           if ( buffer[0] == 'e' )
               j = sscanf ( buffer, "float %ld %ld",
                   &array[0], &array[1] );
               if ( j != 2 )
                   printf ( "Bad format.\n" );
                   {    /* print for user check */
                   err = printf ( "%ld.%ld\n", array[0], array[1] );
                   if ( err <= 0 ) exit ( 1 );
                   keysize += sprintf ( &key[keysize], "%ld.%ld/",
                                        array[0], array[1] );
           {    /* sort values, not very efficient */
           for ( k2 = 0; k2 < j - 1; ++k2 )
               for ( k = 0; k < j - 1; ++k )
                   if ( array[k] > array[k+1] )
                       temp = array[k];
                       array[k] = array[k+1];
                       array[k+1] = temp;
           for ( k = 0; k < j; ++k )

Donald E. Eastlake 3rd                                         [Page 10]

INTERNET-DRAFT        Verifiable Random Selection           October 1998

               {    /* print for user check */
               err = printf ( "%ld ", array[k] );
               if ( err <= 0 ) exit ( 1 );
               keysize += sprintf ( &key[keysize], "%ld.", array[k] );
           err = printf ( "\n" );
           if ( err <= 0 ) exit ( 1 );
           keysize += sprintf ( &key[keysize], "/" );
   printf ( "key is:\n %s\n\n", key );
   for ( i = 0; i < pool; ++i )
       selected [i] = i + 1;
   printf ( "index        hex value of MD5        div  selected\n" );
   for (    unch = 0, remaining = pool;
           unch < selection;
           ++unch, --remaining )
       MD5Init ( &ctx );
       MD5Update ( &ctx, &unch, 1 );
       MD5Update ( &ctx, (unsigned char *)key, keysize );
       MD5Update ( &ctx, &unch, 1 );
       MD5Final ( uc16, &ctx );
       k = longremainder ( remaining, uc16 );
   /* printf ( "Remaining = %d, remainder = %d.\n", remaining, k ); */
       for ( j = 0; j < pool; ++j )
           if ( selected[j] )
               if ( --k < 0 )
                   printf ( "%2d  "
   "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X  "
   "%2d  -> %2d <-\n",
   unch+1, uc16[0],uc16[1],uc16[2],uc16[3],uc16[4],uc16[5],uc16[6],
   uc16[15], remaining, selected[j] );
                   selected[j] = 0;
   printf ( "\nDone, type any character to exit.\n" );
   getchar ();

   /* prompt for an integer input */
   int getinteger ( char *string )
   int        i, j;
   char    tin[257];

Donald E. Eastlake 3rd                                         [Page 11]

INTERNET-DRAFT        Verifiable Random Selection           October 1998

   while ( 1 )
   printf ( string );
   printf ( "(or 'exit' to exit) " );
   gets ( tin );
   j = sscanf ( tin, "%d", &i );
   if (    ( j == EOF )
       ||    ( !j && ( ( tin[0] == 'e' ) || ( tin[0] == 'E' ) ) )
       exit ( j );
   if ( j == 1 )
       return i;
   }    /* end while */

   /* get remainder of dividing a 16 byte unsigned int
      by a small positive number */
   int longremainder ( unsigned char divisor,
                       unsigned char dividend[16] )
   int i;
   long int kruft;

   if ( !divisor )
       return -1;
   for ( i = 0, kruft = 0; i < 16; ++i )
       kruft = ( kruft << 8 ) + dividend[i];
       kruft %= divisor;
   return kruft;

Donald E. Eastlake 3rd                                         [Page 12]

INTERNET-DRAFT        Verifiable Random Selection           October 1998


   RFC 1321 - "The MD5 Message-Digest Algorithm", R. Rivest. April 1992.

   RFC 1750 - "Randomness Recommendations for Security", D. Eastlake,
   3rd, S.  Crocker & J. Schiller. December 1994.

   RFC 2282 - "IAB and IESG Selection, Confirmation, and Recall Process:
   Operation of the Nominating and Recall Committees", J. Galvin.
   February 1998.

Author's Address

   Donald E. Eastlake, 3rd
   318 Acton Street
   Carlisle, MA 01741

   tel:    +1-978-287-4877
   fax:    +1-978-371-7148
   email:  dee3@us.ibm.com

File name and Expiration

   This file is draft-eastlake-selection-00.txt.

   It expires April 1999.

Donald E. Eastlake 3rd                                         [Page 13]