1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
|
Network Working Group D. Eastlake 3rd
Request for Comments: 3797 Motorola Laboratories
Obsoletes: 2777 June 2004
Category: Informational
Publicly Verifiable Nominations Committee (NomCom) Random Selection
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2004).
Abstract
This document describes a method for making random selections in such
a way that the unbiased nature of the choice is publicly verifiable.
As an example, the selection of the voting members of the IETF
Nominations Committee (NomCom) from the pool of eligible volunteers
is used. Similar techniques would be applicable to other cases.
Table of Contents
1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. General Flow of a Publicly Verifiable Process . . . . . . . . . 2
2.1. Determination of the Pool . . . . . . . . . . . . . . . . 2
2.2. Publication of the Algorithm. . . . . . . . . . . . . . . 3
2.3. Publication of Selection. . . . . . . . . . . . . . . . . 3
3. Randomness. . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Sources of Randomness . . . . . . . . . . . . . . . . . . 3
3.2. Skew. . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.3. Entropy Needed. . . . . . . . . . . . . . . . . . . . . . 4
4. A Suggested Precise Algorithm . . . . . . . . . . . . . . . . . 5
5. Handling Real World Problems. . . . . . . . . . . . . . . . . . 7
5.1. Uncertainty as to the Pool. . . . . . . . . . . . . . . . 7
5.2. Randomness Ambiguities. . . . . . . . . . . . . . . . . . 7
6. Fully Worked Example. . . . . . . . . . . . . . . . . . . . . . 8
7. Security Considerations . . . . . . . . . . . . . . . . . . . . 9
8. Reference Code. . . . . . . . . . . . . . . . . . . . . . . . . 10
Appendix A: History of NomCom Member Selection . . . . . . . . . . 16
Appendix B: Changes from RFC 2777. . . . . . . . . . . . . . . . . 16
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . 17
Eastlake 3rd Informational [Page 1]
^L
RFC 3797 Verifiable Random Selection June 2004
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Normative References. . . . . . . . . . . . . . . . . . . . . . 17
Informative References. . . . . . . . . . . . . . . . . . . . . 17
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 18
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction
Under the IETF rules, each year ten people are randomly selected from
among eligible volunteers to be the voting members of the IETF
nominations committee (NomCom). The NomCom nominates members of the
Internet Engineering Steering Group (IESG) and the Internet
Architecture Board (IAB) as described in [RFC 3777]. The number of
eligible volunteers in recent years has been around 100.
It is highly desirable that the random selection of the voting NomCom
be done in an unimpeachable fashion so that no reasonable charges of
bias or favoritism can be brought. This is as much for the
protection of the selection administrator (currently, the appointed
non-voting NomCom chair) from suspicion of bias as it is for the
protection of the IETF.
A method such that public information will enable any person to
verify the randomness of the selection meets this criterion. This
document gives an example of such a method.
The method, in the form it appears in RFC 2777, was also used by IANA
in February 2003 to determine the ACE prefix for Internationalized
Domain Names [RFC 3490] so as to avoid claim jumping.
2. General Flow of a Publicly Verifiable Process
A selection of NomCom members publicly verifiable as unbiased or
similar selection could follow the three steps given below.
2.1. Determination of the Pool
First, determine the pool from which the selection is to be made as
provided in [RFC 3777] or its successor.
Volunteers are solicited by the selection administrator. Their names
are then passed through the IETF Secretariat to check eligibility.
(Current eligibility criteria relate to IETF meeting attendance,
records of which are maintained by the Secretariat.) The full list
of eligible volunteers is made public early enough that a reasonable
time can be given to resolve any disputes as to who should be in the
pool.
Eastlake 3rd Informational [Page 2]
^L
RFC 3797 Verifiable Random Selection June 2004
2.2. Publication of the Algorithm
The exact algorithm to be used, including the public future sources
of randomness, is made public. For example, the members of the final
list of eligible volunteers are ordered by publicly numbering them,
some public future sources of randomness such as government run
lotteries are specified, and an exact algorithm is specified whereby
eligible volunteers are selected based on a strong hash function
[RFC 1750] of these future sources of randomness.
2.3. Publication of Selection
When the pre-specified sources of randomness produce their output,
those values plus a summary of the execution of the algorithm for
selection should be announced so that anyone can verify that the
correct randomness source values were used and the algorithm properly
executed. The algorithm can be run to select, in an ordered fashion,
a larger number than are actually necessary so that if any of those
selected need to be passed over or replaced for any reason, an
ordered set of additional alternate selections will be available. A
cut off time for any complaint that the algorithm was run with the
wrong inputs or not faithfully executed must be specified to finalize
the output and provide a stable selection.
3. Randomness
The crux of the unbiased nature of the selection is that it is based
in an exact, predetermined fashion on random information which will
be revealed in the future and thus can not be known to the person
specifying the algorithm. That random information will be used to
control the selection. The random information must be such that it
will be publicly and unambiguously revealed in a timely fashion.
The random sources must not include anything that any reasonable
person would believe to be under the control or influence of the IETF
or its components, such as IETF meeting attendance statistics,
numbers of documents issued, or the like.
3.1. Sources of Randomness
Examples of good information to use are winning lottery numbers for
specified runnings of specified public lotteries. Particularly for
government run lotteries, great care is taken to see that they occur
on time and produce random quantities. Even in the unlikely case one
were to have been rigged, it would almost certainly be in connection
with winning money in the lottery, not in connection with IETF use.
Eastlake 3rd Informational [Page 3]
^L
RFC 3797 Verifiable Random Selection June 2004
Other possibilities are such things as the daily balance in the US
Treasury on a specified day, the volume of trading on the New York
Stock exchange on a specified day, etc. (However, the reference code
given below will not handle integers that are too large.) Sporting
events can also be used. (Experience has indicated that stock prices
and/or volumes are a poor source of unambiguous data due trading
suspensions, company mergers, delistings, splits, multiple markets,
etc.) In all cases, great care must be taken to specify exactly what
quantities are being presumed random and what will be done if their
issuance is cancelled, delayed, or advanced.
It is important that the last source of randomness, chronologically,
produce a substantial amount of the entropy needed. If most of the
randomness has come from the earlier of the specified sources, and
someone has even limited influence on the final source, they might do
an exhaustive analysis and exert such influence so as to bias the
selection in the direction they wanted. Thus it is best for the last
source to be an especially strong and unbiased source of a large
amount of randomness such as a government run lottery.
It is best not to use too many different sources. Every additional
source increases the probability that one or more sources might be
delayed, cancelled, or just plain screwed up somehow, calling into
play contingency provisions or, worst of all, creating a situation
that was not anticipated. This would either require arbitrary
judgment by the selection administrator, defeating the randomness of
the selection, or a re-run with a new set of sources, causing much
delay. Three or four would be a good number of sources. Ten is too
many.
3.2. Skew
Some of the sources of randomness produce data that is not uniformly
distributed. This is certainly true of volumes, prices, and horse
race results, for example. However, use of a strong mixing function
[RFC 1750] will extract the available entropy and produce a hash
value whose bits, remainder modulo a small divisor, etc., deviate
from a uniform distribution only by an insignificant amount.
3.3. Entropy Needed
What we are doing is selecting N items without replacement from a
population of P items. The number of different ways to do this is as
follows, where "!" represents the factorial function:
P!
-------------
N! * (P - N)!
Eastlake 3rd Informational [Page 4]
^L
RFC 3797 Verifiable Random Selection June 2004
To do this in a completely random fashion requires as many random
bits as the logarithm base 2 of that quantity. Some sample
calculated approximate number of random bits for the completely
random selection of 10 NomCom members from various pool sizes is
given below:
Random Selection of Ten Items From Pool
Pool size 20 25 30 35 40 50 60 75 100 120
Bits needed 18 22 25 28 30 34 37 40 44 47
Using an inadequate number of bits means that not all of the possible
sets of ten selected items would be available. For a substantially
inadequate amount of entropy, there could be a significant
correlation between the selection of two different members of the
pool, for example. However, as a practical matter, for pool sizes
likely to be encountered in IETF NomCom membership selection, 40 bits
of entropy should always be adequate. Even if there is a large pool
and more bits are needed for perfect randomness, 40 bits of entropy
will assure only an insignificant deviation from completely random
selection for the difference in probability of selection of different
pool members, the correlation between the selection of any pair of
pool members, etc.
An MD5 [RFC 1321] hash has 128 bits and therefore can produce no more
than that number of bits of entropy. However, this is more than
three times what is likely to ever be needed for IETF NomCom
membership selection. A even stronger hash, such as SHA-1
[RFC 3174], can be used if desired.
4. A Suggested Precise Algorithm
It is important that a precise algorithm be given for mixing the
random sources specified and making the selection based thereon.
Sources suggested above produce either a single positive number
(i.e., NY Stock Exchange volume in thousands of shares) or a small
set of positive numbers (many lotteries provide 6 numbers in the
range of 1 through 40 or the like, a sporting event could produce the
scores of two teams, etc.). A suggested precise algorithm is as
follows:
1. For each source producing multiple numeric values, represent
each as a decimal number terminated by a period (or with a
period separating the whole from the fractional part), without
leading zeroes (except for a single leading zero if the integer
part is zero), and without trailing zeroes after the period.
Eastlake 3rd Informational [Page 5]
^L
RFC 3797 Verifiable Random Selection June 2004
2. Order the values from each source from smallest to the largest
and concatenate them and suffix the result with a "/". For
each source producing a single number, simply represent it as
above with a suffix "/". (This sorting is necessary because
the same lottery results, for example, are sometimes reported
in the order numbers were drawn and sometimes in numeric order
and such things as the scores of two sports teams that play a
game has no inherent order.)
3. At this point you have a string for each source, say s1/, s2/,
... Concatenate these strings in a pre-specified order, the
order in which the sources were listed if not otherwise
specified, and represent each character as its ASCII code
[ASCII] producing "s1/s2/.../".
You then produce a sequence of random values derived from a strong
mixing of these sources by calculating the MD5 hash [RFC 1321] of
this string prefixed and suffixed with an all zeros two byte sequence
for the first value, the string prefixed and suffixed by 0x0001 for
the second value, etc., treating the two bytes as a big endian
counter. Treat each of these derived "random" MD5 output values as a
positive 128-bit multiprecision big endian integer.
Then totally order the pool of listed volunteers as follows: If there
are P volunteers, select the first by dividing the first derived
random value by P and using the remainder plus one as the position of
the selectee in the published list. Select the second by dividing
the second derived random value by P-1 and using the remainder plus
one as the position in the list with the first selected person
eliminated. Etc.
It is STRONGLY recommended that alphanumeric random sources be
avoided due to the much greater difficulty in canonicalizing them in
an independently repeatable fashion; however, if you choose to ignore
this advice and use an ASCII or similar Roman alphabet source or
sources, all white space, punctuation, accents, and special
characters should be removed and all letters set to upper case. This
will leave only an unbroken sequence of letters A-Z and digits 0-9
which can be treated as a canonicalized number above and suffixed
with a "./". If you choose to not just ignore but flagrantly flout
this advice and try to use even more complex and harder to
canonicalize internationalized text, such as UNICODE, you are on your
own.
Eastlake 3rd Informational [Page 6]
^L
RFC 3797 Verifiable Random Selection June 2004
5. Handling Real World Problems
In the real world, problems can arise in following the steps and flow
outlined in Sections 2 through 4 above. Some problems that have
actually arisen are described below with recommendations for handling
them.
5.1. Uncertainty as to the Pool
Every reasonable effort should be made to see that the published pool
from which selection is made is of certain and eligible persons.
However, especially with compressed schedules or perhaps someone
whose claim that they volunteered and are eligible has not been
resolved by the deadline, or a determination that someone is not
eligible which occurs after the publication of the pool, it may be
that there are still uncertainties.
The best way to handle this is to maintain the announced schedule,
INCLUDE in the published pool all those whose eligibility is
uncertain and to keep the published pool list numbering IMMUTABLE
after its publication. If someone in the pool is later selected by
the algorithm and random input but it has been determined they are
ineligible, they can be skipped and the algorithm run further to make
an additional selection. Thus the uncertainty only effects one
selection and in general no more than a maximum of U selections where
there are U uncertain pool members.
Other courses of action are far worse. Actual insertion or deletion
of entries in the pool after its publication changes the length of
the list and totally scrambles who is selected, possibly changing
every selection. Insertion into the pool raises questions of where
to insert: at the beginning, end, alphabetic order, ... Any such
choices by the selection administrator after the random numbers are
known destroys the public verifiability of fair choice. Even if done
before the random numbers are known, such dinking with the list after
its publication just smells bad. There should be clear fixed public
deadlines and someone who challenges their absence from the pool
after the published deadline should have their challenge
automatically denied for tardiness.
5.2. Randomness Ambiguities
The best good faith efforts have been made to specify precise and
unambiguous sources of randomness. These sources have been made
public in advance and there has not been objection to them. However,
it has happened that when the time comes to actually get and use this
randomness, the real world has thrown a curve ball and it isn't quite
clear what data to use. Problems have particularly arisen in
Eastlake 3rd Informational [Page 7]
^L
RFC 3797 Verifiable Random Selection June 2004
connection with stock prices, volumes, and financial exchange rates
or indices. If volumes that were published in thousands are
published in hundreds, you have a rounding problem. Prices that were
quoted in fractions or decimals can change to the other. If you take
care of every contingency that has come up in the past, you can be
hit with a new one. When this sort of thing happens, it is generally
too late to announce new sources, an action which could raise
suspicions of its own. About the only course of action is to make a
reasonable choice within the ambiguity and depend on confidence in
the good faith of the selection administrator. With care, such cases
should be extremely rare.
Based on these experiences, it is again recommended that public
lottery numbers or the like be used as the random inputs and stock
prices and volumes avoided.
6. Fully Worked Example
Assume the following ordered list of 25 eligible volunteers is
published in advance of selection:
1. John 11. Pollyanna 21. Pride
2. Mary 12. Pendragon 22. Sloth
3. Bashful 13. Pandora 23. Envy
4. Dopey 14. Faith 24. Anger
5. Sleepy 15. Hope 25. Kasczynski
6. Grouchy 16. Charity
7. Doc 17. Lee
8. Sneazy 18. Longsuffering
9. Handsome 19. Chastity
10. Cassandra 20. Smith
Assume the following (fake example) ordered list of randomness
sources:
1. The Kingdom of Alphaland State Lottery daily number for 1 November
2004 treated as a single four digit integer.
2. Numbers of the winning horses at Hialeia for all races for the
first day on or after 13 October 2004 on which at least two races
are run.
3. The People's Democratic Republic of Betastani State Lottery six
winning numbers (ignoring the seventh "extra" number) for 1
November 2004.
Hypothetical randomness publicly produced:
Source 1: 9319
Source 2: 2, 5, 12, 8, 10
Source 3: 9, 18, 26, 34, 41, 45
Eastlake 3rd Informational [Page 8]
^L
RFC 3797 Verifiable Random Selection June 2004
Resulting key string:
9319./2.5.8.10.12./9.18.26.34.41.45./
The table below gives the hex of the MD5 of the above key string
bracketed with a two byte string that is successively 0x0000, 0x0001,
0x0002, through 0x0010 (16 decimal). The divisor for the number size
of the remaining pool at each stage is given and the index of the
selectee as per the original number of those in the pool.
index hex value of MD5 div selected
1 990DD0A5692A029A98B5E01AA28F3459 25 -> 17 <-
2 3691E55CB63FCC37914430B2F70B5EC6 24 -> 7 <-
3 FE814EDF564C190AC1D25753979990FA 23 -> 2 <-
4 1863CCACEB568C31D7DDBDF1D4E91387 22 -> 16 <-
5 F4AB33DF4889F0AF29C513905BE1D758 21 -> 25 <-
6 13EAEB529F61ACFB9A29D0BA3A60DE4A 20 -> 23 <-
7 992DB77C382CA2BDB9727001F3CDCCD9 19 -> 8 <-
8 63AB4258ECA922976811C7F55C383CE7 18 -> 24 <-
9 DFBC5AC97CED01B3A6E348E3CC63F40D 17 -> 19 <-
10 31CB111C4A4EBE9287CEAE16FE51B909 16 -> 13 <-
11 07FA46C122F164C215BBC72793B189A3 15 -> 22 <-
12 AC52F8D75CCBE2E61AFEB3387637D501 14 -> 5 <-
13 53306F73E14FC0B2FBF434218D25948E 13 -> 18 <-
14 B5D1403501A81F9A47318BE7893B347C 12 -> 9 <-
15 85B10B356AA06663EF1B1B407765100A 11 -> 1 <-
16 3269E6CE559ABD57E2BA6AAB495EB9BD 10 -> 4 <-
Resulting first ten selected, in order selected:
1. Lee (17) 6. Envy (23)
2. Doc (7) 7. Sneazy (8)
3. Mary (2) 8. Anger (24)
4. Charity (16) 9. Chastity (19)
5. Kasczynski (25) 10. Pandora (13)
Should one of the above turn out to be ineligible or decline to
serve, the next would be Sloth, number 22.
7. Security Considerations
Careful choice of should be made of randomness inputs so that there
is no reasonable suspicion that they are under the control of the
administrator. Guidelines given above to use a small number of
inputs with a substantial amount of entropy from the last should be
followed. And equal care needs to be given that the algorithm
selected is faithfully executed with the designated inputs values.
Eastlake 3rd Informational [Page 9]
^L
RFC 3797 Verifiable Random Selection June 2004
Publication of the results and a week or so window for the community
of interest to duplicate the calculations should give a reasonable
assurance against implementation tampering.
8. Reference Code
This code makes use of the MD5 reference code from [RFC 1321] ("RSA
Data Security, Inc. MD5 Message-Digest Algorithm"). The portion of
the code dealing with multiple floating point numbers was written by
Matt Crawford. The original code in RFC 2777 could only handle pools
of up to 255 members and was extended to 2**16-1 by Erik Nordmark.
This code has been extracted from this document, compiled, and
tested. While no flaws have been found, it is possible that when
used with some compiler on some system some flaw will manifest
itself.
/****************************************************************
*
* Reference code for
* "Publicly Verifiable Random Selection"
* Donald E. Eastlake 3rd
* February 2004
*
****************************************************************/
#include <limits.h>
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* From RFC 1321 */
#include "global.h"
#include "MD5.h"
/* local prototypes */
int longremainder ( unsigned short divisor,
unsigned char dividend[16] );
long int getinteger ( char *string );
double NPentropy ( int N, int P );
/* limited to up to 16 inputs of up to sixteen integers each */
/* pool limit of 2**8-1 extended to 2**16-1 by Erik Nordmark */
/****************************************************************/
main ()
{
int i, j, k, k2, err, keysize, selection, usel;
Eastlake 3rd Informational [Page 10]
^L
RFC 3797 Verifiable Random Selection June 2004
unsigned short remaining, *selected;
long int pool, temp, array[16];
MD5_CTX ctx;
char buffer[257], key [800], sarray[16][256];
unsigned char uc16[16], unch1, unch2;
pool = getinteger ( "Type size of pool:\n" );
if ( pool > 65535 )
{
printf ( "Pool too big.\n" );
exit ( 1 );
}
selected = (unsigned short *) malloc ( (size_t)pool );
if ( !selected )
{
printf ( "Out of memory.\n" );
exit ( 1 );
}
selection = getinteger ( "Type number of items to be selected:\n" );
if ( selection > pool )
{
printf ( "Pool too small.\n" );
exit ( 1 );
}
if ( selection == pool )
printf ( "All of the pool is selected.\n" );
else
{
err = printf ( "Approximately %.1f bits of entropy needed.\n",
NPentropy ( selection, pool ) + 0.1 );
if ( err <= 0 ) exit ( 1 );
}
for ( i = 0, keysize = 0; i < 16; ++i )
{
if ( keysize > 500 )
{
printf ( "Too much input.\n" );
exit ( 1 );
}
/* get the "random" inputs. echo back to user so the user may
be able to tell if truncation or other glitches occur. */
err = printf (
"\nType #%d randomness or 'end' followed by new line.\n"
"Up to 16 integers or the word 'float' followed by up\n"
"to 16 x.y format reals.\n", i+1 );
if ( err <= 0 ) exit ( 1 );
gets ( buffer );
Eastlake 3rd Informational [Page 11]
^L
RFC 3797 Verifiable Random Selection June 2004
j = sscanf ( buffer,
"%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld%ld",
&array[0], &array[1], &array[2], &array[3],
&array[4], &array[5], &array[6], &array[7],
&array[8], &array[9], &array[10], &array[11],
&array[12], &array[13], &array[14], &array[15] );
if ( j == EOF )
exit ( j );
if ( !j )
if ( buffer[0] == 'e' )
break;
else
{ /* floating point code by Matt Crawford */
j = sscanf ( buffer,
"float %ld.%[0-9]%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]"
"%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]"
"%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]"
"%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]%ld.%[0-9]",
&array[0], sarray[0], &array[1], sarray[1],
&array[2], sarray[2], &array[3], sarray[3],
&array[4], sarray[4], &array[5], sarray[5],
&array[6], sarray[6], &array[7], sarray[7],
&array[8], sarray[8], &array[9], sarray[9],
&array[10], sarray[10], &array[11], sarray[11],
&array[12], sarray[12], &array[13], sarray[13],
&array[14], sarray[14], &array[15], sarray[15] );
if ( j == 0 || j & 1 )
printf ( "Bad format." );
else {
for ( k = 0, j /= 2; k < j; k++ )
{
/* strip trailing zeros */
for ( k2=strlen(sarray[k]); sarray[k][--k2]=='0';)
sarray[k][k2] = '\0';
err = printf ( "%ld.%s\n", array[k], sarray[k] );
if ( err <= 0 ) exit ( 1 );
keysize += sprintf ( &key[keysize], "%ld.%s",
array[k], sarray[k] );
}
keysize += sprintf ( &key[keysize], "/" );
}
}
else
{ /* sort values, not a very efficient algorithm */
for ( k2 = 0; k2 < j - 1; ++k2 )
for ( k = 0; k < j - 1; ++k )
if ( array[k] > array[k+1] )
Eastlake 3rd Informational [Page 12]
^L
RFC 3797 Verifiable Random Selection June 2004
{
temp = array[k];
array[k] = array[k+1];
array[k+1] = temp;
}
for ( k = 0; k < j; ++k )
{ /* print for user check */
err = printf ( "%ld ", array[k] );
if ( err <= 0 ) exit ( 1 );
keysize += sprintf ( &key[keysize], "%ld.", array[k] );
}
keysize += sprintf ( &key[keysize], "/" );
}
} /* end for i */
/* have obtained all the input, now produce the output */
err = printf ( "Key is:\n %s\n", key );
if ( err <= 0 ) exit ( 1 );
for ( i = 0; i < pool; ++i )
selected [i] = (unsigned short)(i + 1);
printf ( "index hex value of MD5 div selected\n" );
for ( usel = 0, remaining = (unsigned short)pool;
usel < selection;
++usel, --remaining )
{
unch1 = (unsigned char)usel;
unch2 = (unsigned char)(usel>>8);
/* prefix/suffix extended to 2 bytes by Donald Eastlake */
MD5Init ( &ctx );
MD5Update ( &ctx, &unch2, 1 );
MD5Update ( &ctx, &unch1, 1 );
MD5Update ( &ctx, (unsigned char *)key, keysize );
MD5Update ( &ctx, &unch2, 1 );
MD5Update ( &ctx, &unch1, 1 );
MD5Final ( uc16, &ctx );
k = longremainder ( remaining, uc16 );
/* printf ( "Remaining = %d, remainder = %d.\n", remaining, k ); */
for ( j = 0; j < pool; ++j )
if ( selected[j] )
if ( --k < 0 )
{
printf ( "%2d "
"%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X "
"%2d -> %2d <-\n",
usel+1, uc16[0],uc16[1],uc16[2],uc16[3],uc16[4],uc16[5],uc16[6],
uc16[7],uc16[8],uc16[9],uc16[10],uc16[11],uc16[12],uc16[13],
uc16[14],uc16[15], remaining, selected[j] );
selected[j] = 0;
Eastlake 3rd Informational [Page 13]
^L
RFC 3797 Verifiable Random Selection June 2004
break;
}
}
printf ( "\nDone, type any character to exit.\n" );
getchar ();
return 0;
}
/* prompt for a positive non-zero integer input */
/****************************************************************/
long int getinteger ( char *string )
{
long int i;
int j;
char tin[257];
while ( 1 )
{
printf ( string );
printf ( "(or 'exit' to exit) " );
gets ( tin );
j = sscanf ( tin, "%ld", &i );
if ( ( j == EOF )
|| ( !j && ( ( tin[0] == 'e' ) || ( tin[0] == 'E' ) ) )
)
exit ( j );
if ( ( j == 1 ) &&
( i > 0 ) )
return i;
} /* end while */
}
/* get remainder of dividing a 16 byte unsigned int
by a small positive number */
/****************************************************************/
int longremainder ( unsigned short divisor,
unsigned char dividend[16] )
{
int i;
long int kruft;
if ( !divisor )
return -1;
for ( i = 0, kruft = 0; i < 16; ++i )
{
kruft = ( kruft << 8 ) + dividend[i];
kruft %= divisor;
Eastlake 3rd Informational [Page 14]
^L
RFC 3797 Verifiable Random Selection June 2004
}
return kruft;
} /* end longremainder */
/* calculate how many bits of entropy it takes to select N from P */
/****************************************************************/
/* P!
log ( ----------------- )
2 N! * ( P - N )!
*/
double NPentropy ( int N, int P )
{
int i;
double result = 0.0;
if ( ( N < 1 ) /* not selecting anything? */
|| ( N >= P ) /* selecting all of pool or more? */
)
return 0.0; /* degenerate case */
for ( i = P; i > ( P - N ); --i )
result += log ( i );
for ( i = N; i > 1; --i )
result -= log ( i );
/* divide by [ log (base e) of 2 ] to convert to bits */
result /= 0.69315;
return result;
} /* end NPentropy */
Eastlake 3rd Informational [Page 15]
^L
RFC 3797 Verifiable Random Selection June 2004
Appendix A: History of NomCom Member Selection
For reference purposes, here is a list of the IETF Nominations
Committee member selection techniques and chairs so far:
YEAR CHAIR SELECTION METHOD
1993/1994 Jeff Case Clergy
1994/1995 Fred Baker Clergy
1995/1996 Guy Almes Clergy
1996/1997 Geoff Huston Spouse
1997/1998 Mike St.Johns Algorithm
1998/1999 Donald Eastlake 3rd RFC 2777
1999/2000 Avri Doria RFC 2777
2000/2001 Bernard Aboba RFC 2777
2001/2002 Theodore Ts'o RFC 2777
2002/2003 Phil Roberts RFC 2777
2003/2004 Rich Draves RFC 2777
Clergy = Names were written on pieces of paper, placed in a
receptacle, and a member of the clergy picked the NomCom members.
Spouse = Same as Clergy except chair's spouse made the selection.
Algorithm = Algorithmic selection based on similar concepts to those
documented in RFC 2777 and herein.
RFC 2777 = Algorithmic selection using the algorithm and reference
code provided in RFC 2777 (but not the fake example sources of
randomness).
Appendix B: Changes from RFC 2777
This document differs from [RFC 2777], the previous version, in three
primary ways as follows:
(1) Section 5, on problems actually encountered with using these
recommendations for selecting an IETF NomCom and on how to handle
them, has been added.
(2) The selection algorithm code has been modified to handle pools of
up to 2**16-1 elements and the counter based prefix and suffix
concatenated with the key string before hashing has been extended
to two bytes.
(3) Mention has been added that the algorithm documented herein was
used by IANA to select the Internationalized Domain Name ACE
prefix and some minor wording changes made.
Eastlake 3rd Informational [Page 16]
^L
RFC 3797 Verifiable Random Selection June 2004
(4) References have been divided into Informative and Normative.
(5) The list in Appendix A has been brought up to date.
Acknowledgements
Matt Crawford and Erik Nordmark made major contributions to this
document. Comments by Bernard Aboba, Theodore Ts'o, Jim Galvin,
Steve Bellovin, and others have been incorporated.
References
Normative References
[ASCII] "USA Standard Code for Information Interchange", X3.4,
American National Standards Institute: New York, 1968.
[RFC 1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
April 1992.
[RFC 1750] Eastlake, 3rd, D., Crocker, S. and J. Schiller,
"Randomness Recommendations for Security", RFC 1750,
December 1994.
[RFC 3174] Eastlake, 3rd, D. and P. Jones, "US Secure Hash Algorithm
1 (SHA1)", RFC 3174, September 2001.
Informative References
[RFC 3777] Galvin, J., "IAB and IESG Selection, Confirmation, and
Recall Process: Operation of the Nominating and Recall
Committees", BCP 10, RFC 3777, April 2004.
[RFC 2777] Eastlake, 3rd, D., "Publicly Verifiable Nomcom Random
Selection", RFC 2777, February 2000.
[RFC 3490] Falstrom, P., Hoffman, P. and A. Costello,
"Internationalizing Domain Names in Applications (IDNA)",
RFC 3490, March 2003.
Eastlake 3rd Informational [Page 17]
^L
RFC 3797 Verifiable Random Selection June 2004
Author's Address
Donald E. Eastlake, 3rd
Motorola Laboratories
155 Beaver Street
Milford, MA 01757 USA
Phone: +1-508-786-7554(w)
+1-508-634-2066(h)
EMail: Donald.Eastlake@motorola.com
Eastlake 3rd Informational [Page 18]
^L
RFC 3797 Verifiable Random Selection June 2004
Full Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Eastlake 3rd Informational [Page 19]
^L
|
