OK, I -think- this is obvious, but I'm not 100% certain. Is it possible to verify that a remote random number generator is actually random? Consider this scenario: A group wishes to meet at a location chosen randomly from a list of possible locations. They don't want anyone, in the group or out, to know for certain where the meeting will be held. Now of course they could simply gather together in one location and roll a die (for instance) and go to that location. BUt what if they could roll the die on the internet, say. Any announcement r ostensible video could be faked. BUT, are there protocols that allow remote viewers/users of the random process to be sure (or reasonably sure) that a remote process is actually random? Actually, this may not be imppossible, particularly with TOR, but rather than take a stab in the dark I'm interested in seeing what's already known about this. Not, of course, that I'm planning any meetings in tthe near future. Call it purely an academic interest. -TD _________________________________________________________________ Play Flexicon: the crossword game that feeds your brain. PLAY now for FREE. http://zone.msn.com/en/flexicon/default.htm?icid=flexicon_hmtagline

Everybody commits to a value (e.g. broadcasts the SHA1 hash of a large random value); everybody reveals their values (and checks that they match everybody else's commitments); now add all the values modulo whatever your number of choices is, and you have a shared verifiably random number. Now, there is one way to cheat this, which is to copy someone else's commitment (even without yet knowing their value) and then copy their value when it is revealed, thereby possibly forcing the choice to be even or whatever. So everyone should also check that all the commitments are different. Hal

On 2/19/07, Tyler Durden wrote:

... Is it possible to verify that a remote random number generator is actually random?

remote or not doesn't add much to the difficulty of the question: "is it _truly_ random?" lots of statistical tests to confirm that a given distribution of bits IS NOT, but nothing to prove IT IS. and by IS NOT, i mean sufficiently improbable to be random, thus considered not random. even a true hw rng could throw all bits set given enough chances. it's easy for a remote peer to fool such statistical tests: check the output of AES-CBC keyed with all zeros. there is almost no actual entropy (in the keys) yet the output appears to be random, and you would (in theory) not be able to distinguish without the key used. if you look at the various hw rng daemons they often to some FIPS sanity checks on the input but leave it at that. the idea is that failed hardware will start producing FIPS failures and can be detected.