Internet-Draft | Verifiable Random Selection | April 2023 |
Eastlake | Expires 18 October 2023 | [Page] |
This document describes a method for making random selections in such a way that the unbiased nature of the choice is publicly verifiable. It focuses on the selection of the voting members of the IETF Nominations Committee (NomCom) from the pool of eligible volunteers; however, similar or, in some cases, identical techniques could be and have been applied to other cases.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 18 October 2023.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Under the IETF rules, each year a set of people are randomly selected from among eligible volunteers to be the voting members of the IETF nominations committee (NomCom). The NomCom nominates members of the Internet Engineering Steering Group (IESG), the Internet Architecture Board (IAB), and other bodies as described in [RFC8713]. The number of eligible volunteers in the early years of the use of the NomCom mechanism was around 50 but in recent years has been around 200.¶
It is highly desirable that the random selection of the voting NomCom be done in an unimpeachable fashion so that no reasonable charges of bias or favoritism can be brought. This is as much for the protection of the selection administrator (currently, the appointed non-voting NomCom Chair) from suspicion of bias as it is for the protection of the IETF.¶
A method such that public information will enable any person to verify the randomness of the selection meets this criterion. This document specifies such a method.¶
This method, in the form it appeared in RFC 2777, was also used by IANA in February 2003 to determine the ACE prefix for Internationalized Domain Names ("xn--") [RFC5890] so as to avoid claim jumping.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
A selection of NomCom members publicly verifiable as unbiased or similar selection could follow the three steps given in the subsections below: Determination of the Pool, Publication of the Algorithm, and Publication of the Selection.¶
First, determine the pool from which the selection is to be made as provided in [RFC8788] or its successor.¶
Currently, volunteers are solicited by the selection administrator. Their names are then checked for eligibility. The full list of eligible volunteers MUST be made public early enough that a reasonable amount of time can be given to resolve any disputes as to who should be in the pool before a deadline at which the pool is frozen. Although no one can be added after this deadline, the initial selection of someone included in the list who should not have been can be easily handled as described below.¶
The exact algorithm to be used, including the future public sources of randomness, is made public. For example, the members of the final list of eligible volunteers are ordered by publicly numbering them, some public future sources of randomness such as government run lotteries are specified, and an exact algorithm is specified whereby eligible volunteers are selected based on a hash function [RFC4086] of these future sources of randomness, such as the agorithm in this document.¶
When the pre-specified sources of randomness produce their output, those values plus a summary of the execution of the algorithm for selection should be announced so that anyone can verify that the correct randomness source values were used and the algorithm properly executed. The algorithm SHOULD be run to select, in an ordered fashion, a larger number than are actually necessary so that if any of those selected need to be passed over or replaced for any reason, an ordered set of additional alternate selections is available. Under some circumstances, additional rounds of extended selection may be useful as specified in Section 5.¶
A cut off time for any complaint that the algorithm was run with the wrong inputs or not faithfully executed MUST be specified to finalize the output and provide a stable selection.¶
The crux of the unbiased nature of the selection is that it is based in an exact, predetermined fashion on random information which will be revealed in the future and thus cannot be known to the person specifying the algorithm. That random information will be used to control the selection. The random information MUST be such that it will be publicly and unambiguously revealed in a timely fashion.¶
The random sources MUST NOT include anything that any reasonable person would believe to be under the control or influence of the selection administrator or the IETF or its components, such as IETF meeting attendance statistics, numbers of documents issued, or the like.¶
Examples of good information to use are winning lottery numbers for specified runnings of specified public lotteries. Particularly for major government run lotteries, great care is taken to see that they occur on time (or with minimal delay) and produce random quantities. Even in the very unlikely case one was to have been rigged, it would almost certainly be in connection with winning money in the lottery, not in connection with IETF use. Other possibilities are such things as the daily balance in the US Treasury on a specified day, the volume of trading on the New York Stock exchange on a specified day, etc. (However, the reference code given below will not handle integers that are too large.) Sporting events can also be used. Experience has indicated that individual stock prices and/or volumes are a poor source of unambiguous data due trading suspensions, company mergers, delistings, splits, multiple markets, etc. In all cases, great care MUST be taken to specify exactly what quantities are being used for randomness and what will be done if their issuance is cancelled, delayed, or advanced.¶
It is important that the last source of randomness, chronologically, produce a substantial amount of the entropy needed. If most of the randomness has come from the earlier of the specified sources, and someone has even limited influence on the final source, they might do an exhaustive analysis and exert such influence so as to bias the selection in the direction they wanted. Thus, it is RECOMMENDED that the last source be an especially strong and unbiased source of a large amount of randomness such as a major government run lottery.¶
It is best not to use too many different sources. Every additional source increases the probability that one or more sources might be delayed, cancelled, or just plain screwed up somehow, calling into play contingency provisions or, worst of all, creating an unanticipated situation. This would either require arbitrary judgment by the selection administrator, defeating the randomness of the selection, or a re-run with a new set of sources, causing much delay in what, for the IETF NomCom, needs to be a time bounded process. Three would be a good number of randomness sources. More than five is way too many.¶
Some of the sources of randomness produce data that is not uniformly distributed. This is certainly true of volumes, prices, and horse race results, for example. However, use of a strong mixing function [RFC4086] will extract the available entropy and produce a hash value whose bits and whose remainder modulo a small divisor, only deviate from a uniform distribution by an insignificant amount.¶
What we are doing is selecting N items without replacement from a population of P items. The number of different ways to do this is as follows, where "!" represents the factorial function:¶
P! ------------- N! * (P - N)!¶
To do this in a completely random fashion requires as many random bits as the logarithm base 2 of that quantity. Some sample calculated approximate number of random bits for the completely random selection of 10 items, such as NomCom members, from various pool sizes are given below:¶
Completely Random Selection of Ten Items From Pool | ||||||||
---|---|---|---|---|---|---|---|---|
Pool size | 40 | 60 | 80 | 100 | 125 | 150 | 175 | 200 |
Bits needed | 30 | 36 | 41 | 44 | 47 | 50 | 52 | 54 |
Using a smaller number of bits means that not all of the possible sets of ten selected items would be available. For a substantially smaller amount of entropy, there could be a significant correlation between the selection of two different members of the pool, for example. However, as a practical matter, for pool sizes likely to be encountered in IETF NomCom membership selection, 42 bits of entropy should be more than adequate. Even if more bits are needed for complete randomness, 42 bits of entropy will assure only an insignificant deviation from completely random selection for the difference in probability of selection of different pool members, the correlation between the selection of any pair of pool members, and the like.¶
The current US Power Ball and Mega Millions lottery drawings have 23.5 bits of entropy each in the five selected regular numbers and about 6 bits of entropy each in the Power Ball / Mega Ball. A four-digit daily numbers game drawing that selects four decimal digits has a bit over 13 bits of entropy.¶
An MD5 [RFC1321] hash has 128 bits of output and therefore can preserve no more than that number of bits of entropy. However, this is much more than what is likely to be needed for IETF NomCom membership selection. There have also been defects noted in MD5 for cryptographic usage [RFC6151] but these are not significant here. The hash function is just being used to, effectively, compress, deskew, and derive selections from the random input. For example, it would not hurt this process if a hash function was used for which it was relatively easy to compute a pre-image.¶
It is important that a precise algorithm be given for canonicalizing and mixing the random sources being used and making the selection based thereon. Sources suggested above produce either a single positive number (i.e., NY Stock Exchange volume in thousands of shares) or a small set of positive numbers (many lotteries provide 6 numbers in the range of 1 through 70 or the like, a sporting event could produce the scores of two teams, etc.). A suggested precise algorithm is as follows:¶
For each source producing one or more numeric values, each value is canonicalized by representing the value as a decimal number terminated by a period (or with a period separating the whole from the fractional part), without leading zeroes except for a single leading zero if the integer part is zero, and without trailing zeroes on the fractional part after the period. Some examples follow:¶
Input | Canonicalized |
---|---|
0 | 0. |
0.0 | 0. |
42 | 42 |
7.0 | 7. |
013. | 13. |
.420 | 0.42 |
12.34 | 12.34 |
1.2340 | 1.234 |
Any ambiguity in the above procedure is resolved by consulting the reference code below.¶
Use of alphanumeric random sources is NOT RECOMMENDED due to the much greater difficulty in canonicalizing them in an independently repeatable fashion; however, if the administrator of the selection process chooses to ignore this advice and use an ASCII or similar Roman alphabet source or sources, all white space, punctuation, accents, and special characters should be removed and all letters set to upper case. This will leave only an unbroken sequence of letters A-Z and digits 0-9 which can be treated as a canonicalized single number above and suffixed with a "./". The administrator MUST NOT use even more complex and harder to canonicalize quantities such as complex numbers or UNICODE international text.¶
There may be reasons why one or more of the selected members of the pool need to be eliminated and further selections made. This is particularly true given the strong recommendation above that, in case of doubt or not-yet-resolved eligibility dispute, possible pool members should be left in the pool with the understanding that, in the event they are initially selected, they can be later eliminated should it be decided they are not eligible. For the IETF NomCom, there are two types of reasons for elimination as follows:¶
Elimination due to simple rule enforcement by the administrator. Examples would be someone that did not meet the eligibility requirements or whose inclusion would violate the rule limiting the number of voters with the same sponsor or all but one occurrence of someone included multiple times due to a name change or similar confusion. When there are such eliminations in the initial selectees, the administration simply goes further down the ordered list produced with the initial randomness sources until there are the desired number of selectees who are not eliminated by such decisions. The administrator SHOULD announce who has been eliminated and the reason for the administrator's decision to eliminate them.¶
Eliminations due to a selectee, that is, agreement from the selectee to serve cannot be obtained by the administrator before a deadline established by the administrator. For example, either the selectee declines to serve or, despite all reasonable efforts, the selectee is not adequately contactable.¶
(The elimination of someone due to non-contactability may work a hardship for that individual if it was due to no fault of their own and they wanted to serve. But there is no reasonable alternative if a NomCom voting membership of volunteers with a confirmed agreement to serve is to be finalized in a timely manner. Since someone so eliminated will, as provided below, be replaced by another randomly selected pool member, there is no problem from the point of view of NomCom composition.)¶
It will frequently be the case that, after the initial selection from the pool and the handling of any Type A eliminations as above, there will be a small number of Type B eliminations. If no further actions were taken, there will be an insufficient number of people selected and not eliminated. If selection were extended in this case by just going further down the ordered list, as with Type A eliminations, this would give initially selected persons the ability to, by declning to serve, in effect, transfer their voting NomCom membership to a known different person since the entire initial ordered list is, at that point, publicly known. Some perceive this as a problem, so it is resolved by the administrator iteratively using what is essentially a miniature version of the initial selection as follows:¶
Unfortunately, multiple extension cycles may be required so the selection administration should allow enough time for up to 5 or so of them. For example, in the selection of the 2022/2023 NomCom, 3 extensions would have been required: The pool was huge with 267 members, the largest ever. In the initial selection, one of the 10 potential selectees was Type B eliminated because confirmation of their willingness to serve could not be obtained in a timely fashion. In the 1st extended selection, the 11th potential selectee was Type B eliminated because they declined to serve and the 12th was Type A eliminated because there were already two selectees with the same sponsor. In the 2nd extended selection, the 13th potential selected also declined to serve. In the 3rd extended selection, the 14th potential selectee became the final voting member of the Nomcom when they confirmed their willingness to serve.¶
In the real world, problems can arise in following the steps and flow outlined in the sections above. Some problems that have actually arisen are described below with recommendations for handling them.¶
Every reasonable effort should be made to see that the published pool, from which selection is made, is of certain and eligible persons. However, especially with compressed schedules or perhaps someone whose claim that they volunteered and are eligible has not been resolved by the deadline, or a determination that someone is not eligible which occurs after the publication of the pool, or the like, there may still be uncertainties.¶
The best way to handle this is to maintain the announced schedule in so far as possible, INCLUDE in the published pool all those whose eligibility is uncertain and to keep the published pool list numbering IMMUTABLE after its publication. If one or more people in the pool are later selected by the algorithm and random input but it has been determined they are ineligible, they can be skipped and subsequently selected persons used. (This is referred to above as a Type A elimination.) Thus, the uncertainty only effects one selection and in general no more than a maximum of U selections where there are U uncertain pool members.¶
Other courses of action are far worse. Actual insertion or deletion of entries in the pool after its publication changes the length of the list and totally scrambles who is selected, possibly changing every selection. Insertion into the pool raises questions of where to insert: at the beginning, end, alphabetic order, ... Any such choices by the selection administrator after the random numbers are known destroys the public verifiability of unbiased choice. Even if done before the random numbers are known, such dinking with the list after its publication just smells bad. There MUST be clear fixed firm public deadlines and someone who challenges their absence from the pool after the published deadline MUST have their challenge automatically denied for tardiness even if their delay is not the fault of the challenger.¶
The best good faith efforts have been made to specify precise and unambiguous sources of randomness. These sources have been made public in advance and there has not been objection to them. However, it has happened that when the time comes to actually get and use this randomness, the real world has thrown a curve ball and it isn't quite clear what data to use. Problems have particularly arisen in connection with individual stock prices, volumes, and financial exchange rates or indices. If volumes that were published in thousands are published in hundreds, you have a rounding problem. Prices that were quoted in fractions or decimals can change to the other. If you take care of every contingency that has come up in the past, you might be hit with a new one. When this sort of thing happens, it is generally too late to announce new sources, an action which could raise suspicions of its own as well as causing delay. About the only course of action is to make a reasonable choice within the ambiguity and depend on confidence in the good faith of the selection administrator. With care, such cases should be extremely rare.¶
Based on these experiences, it is again recommended that public lottery numbers or the like be used as the random inputs and financial volumes or prices avoided.¶
>> Example needs to also cover the Section 5 Extension provisions. <<¶
Assume the eligible volunteers published in advance of selection are the numbered list of 30 past NomCom Chairs appearing below in Appendix A.¶
Assume the following (fake example) ordered list of randomness sources:¶
2.1 The Kingdom of Alphaland State Lottery daily number for 1 November 2022 treated as a single four-digit integer.¶
2.2 (a) The People's Democratic Republic of Betastani State Lottery six winning numbers for 1 November 2022 and then (b) the seventh "extra number" for that day as if it was a separate random source.¶
Hypothetical randomness publicly produced:¶
Source 1: 9319¶
Source 2a: 9, 61, 26, 34, 42, 41¶
Source 2b: 55¶
Resulting seed string:¶
9319./9.26.34.41.42.61./55./¶
The table below gives the hex of the MD5 of the above key string bracketed with a two-byte string that is successively 0x0000, 0x0001, 0x0002, through 0x0010 (16 decimal). The divisor for the number size of the remaining pool at each stage is given and the index of the selectee as per the original number of those in the pool.¶
index | hex value of MD5 | div | selected |
---|---|---|---|
1 | 5A0EE2F8849A8C8DFC93BE36FE2D674A | 30 | -> 15 <- |
2 | E390DA3449C586B6BBD9F56B23B86E25 | 29 | -> 11 <- |
3 | D053FC140209EADB8340C185B8EC58FD | 28 | -> 10 <- |
4 | 0C9DC84909A82D2203959EE54A8B1867 | 27 | -> 6 <- |
5 | BD92A498AEF2E60E7867E5B7B434892F | 26 | -> 30 <- |
6 | 28E9021C3788F54BF0FD6835BCD1E3C2 | 25 | -> 27 <- |
7 | FF6C6197802654B3B1B341DD754A4BE0 | 24 | -> 1 <- |
8 | 991135A2767FB80D4CEBB736CD7E3BAE | 23 | -> 9 <- |
9 | 4E18F325603FF603FC24F43459C2CFAC | 22 | -> 25 <- |
10 | 4A0AA0F72441B6345E69FCDD4C378558 | 21 | -> 18 <- |
11 | 4E9EBC623E2930D4DD61B0FDEC3B2875 | 20 | -> 16 <- |
12 | 8780D26F8C724EB09CDD155C3B66AF17 | 19 | -> 24 <- |
13 | FFF90A6A23BE02D07BA2FA18E6275791 | 18 | -> 5 <- |
14 | 39FBCDC0CC4F0147CDEABC31D28D36A9 | 17 | -> 28 <- |
15 | 6F6C2DC3A682E11CF3BC90C682C9104C | 16 | -> 22 <- |
Resulting first ten selected, in order selected:¶
1. L. Dondeti (15) | 6. V. Kuarsingh (27) |
2. R. Draves (11) | 7. J. Case (1) |
3. P. Roberts (10) | 8. T. Ts'o (9) |
4. D. Eastlake (6) | 9. P. Yee (25) |
5. R. Salz (30) | 10. T. Walsh (18) |
Should one of the above turn out to be ineligible or uncontactable or decline to serve, the next would be J. Halpern, number 16.¶
Careful choice should be made of randomness inputs so that there is no reasonable suspicion that they are under the control of the administrator. Guidelines given above to use a small number of inputs with a substantial amount of entropy from the last should be followed. And equal care needs to be given that the algorithm selected is faithfully executed with the designated inputs values.¶
Publication of the results and something like a one-week window for the community of interest to duplicate the calculations should give a reasonable assurance against implementation tampering.¶
This document requires no IANA actions.¶
This code makes use of the MD5 reference code from [RFC1321] ("The MD5 Message-Digest Algorithm"). The portion of the code below dealing with multiple floating point numbers was written by Matt Crawford. The original code in RFC 2777 could only handle pools of up to 255 members and was extended to 2**16-1 by Erik Nordmark. This code has been extracted from this document, compiled, and tested. While no flaws have been found, it is possible that when used with some compiler on some system under some circumstances some flaw will manifest itself.¶
For reference purposes, here is a list of the IETF Nominations Committee member selection techniques and chairs so far:¶
Num | YEAR | CHAIR | SELECTION METHOD |
---|---|---|---|
1 | 1993/1994 | Jeff Case | Clergy |
2 | 1994/1995 | Fred Baker | Clergy |
3 | 1995/1996 | Guy Almes | Clergy |
4 | 1996/1997 | Geoff Huston | Spouse |
5 | 1997/1998 | Mike St.Johns | Algorithm |
6 | 1998/1999 | Donald Eastlake 3rd | RFC 2777 |
7 | 1999/2000 | Avri Doria | RFC 2777 |
8 | 2000/2001 | Bernard Aboba | RFC 2777 |
9 | 2001/2002 | Theodore Ts'o | RFC 2777 |
10 | 2002/2003 | Phil Roberts | RFC 2777 |
11 | 2003/2004 | Rich Draves | RFC 2777 |
12 | 2004/2005 | Danny McPherson | RFC 3797 |
13 | 2005/2006 | Ralph Droms | RFC 3797 |
14 | 2006/2007 | Andrew Lange | RFC 3797 |
15 | 2007/2008 | Lakshminath Dondeti | RFC 3797 |
16 | 2008/2009 | Joel M. Halpern | RFC 3797 |
17 | 2009/2010 | Mary Barnes | RFC 3797 |
18 | 2010/2011 | Tom Walsh | RFC 3797 |
19 | 2011/2012 | Suresh Krishnan | RFC 3797 |
20 | 2012/2013 | Matt Lepinski | RFC 3797 |
21 | 2013/2014 | Allison Mankin | RFC 3797 |
22 | 2014/2015 | Michael Richardson | RFC 3797 |
23 | 2015/2016 | Harald Alvestrand | RFC 3797 |
24 | 2016/2017 | Lucy Lynch | RFC 3797 |
25 | 2017/2018 | Peter Yee | RFC 3797 |
26 | 2018/2019 | Scott Mansfield | RFC 3797 |
27 | 2019/2020 | Victor Kuarsingh | RFC 3797 |
28 | 2020/2021 | Barbara Stark | RFC 3797 |
29 | 2021/2022 | Gabriel Montenegro | RFC 3797 |
30 | 2022/2023 | Rich Salz | RFC 3797 |
Clergy = Names were written on pieces of paper, placed in a receptacle, and a member of the clergy picked the NomCom members.¶
Spouse = Same as Clergy except chair's spouse made the selection.¶
Algorithm = Algorithmic selection based on similar concepts to those documented in RFC 2777 and herein.¶
RFC 2777 = Algorithmic selection using the algorithm and reference code provided in RFC 2777 (but not the fake example sources of randomness).¶
RFC 3797 = Algorithmic selection using the algorithm and reference code provided in RFC 3797 (but not the fake example sources of randomness).¶
The primary differences between this documenet and [RFC3797], the previous version, are the following:¶
The suggestions and comments on this document from the following persons are gratefully acknowledged:¶
TBD¶
Acknowledgements for RFC 3797: Matt Crawford and Erik Nordmark made major contributions to this document. Comments by Bernard Aboba, Theodore Ts'o, Jim Galvin, Steve Bellovin, and others have been incorporated.¶