Let's suppose I have three friends, all remote. We want to randomly and fairly pick one person to be the first player in a game. In order to do so, we'll each be assigned a unique number in {1, 2, 3, 4} and then roll a fair four-sided die (1d4). This works in person because we can all verify that the correct die was rolled only once, but not remotely. Suppose I am the one to roll the die - the others all have to trust that I'm not lying. Or perhaps I record a video of me rolling the die. This still doesn't work because I could simply have rolled until I got the result I wanted, then use that video.

One way I thought of doing this was to have a service that would generate a number. Each person would verify to the service that they would accept the result, then after all of us have done so, the service will generate a random number for us. Then we could retrieve the random number, which would be the same for us all. The issues with this is that we must trust the third-party service.

Is there a simple, trustless way to generate small random numbers by hand (with dice)? Such that even if some subset of people are malicious, they can't affect the outcome in a meaningful way? I suppose we can rule out collusion, or perhaps limit collusion to m of n people (i.e., 2 of 4 people can collude without affecting the outcome but not more than that).

I'm specifically looking for solutions that will work with "small" numbers - numbers found on standard dice. Less than 20 would be ideal, but if the only viable solution needs a d100 that would probably work.

SamE
  • One possible way is to have some black-box (or complicated enough) random number generator that takes three long strings as inputs and generates a random number. You can put such a random generator online, and at each round, each of you can just input one long string. – Vezen BU Apr 18 '23 at 03:42
  • Related question: https://math.stackexchange.com/questions/239202/how-to-perform-a-fair-coin-toss-experiment-over-phone – Mark H Apr 18 '23 at 07:21
  • Very complicated random number generation is technically out of scope, unless there is no simpler approach. Plus sourcing the random number isn't necessarily trustable. The end result is picking one of a small number of choices, so any random number that comes from a good generator will end up mod n, so I can just wait until the random number generator maps to the result I want. – SamE Apr 18 '23 at 14:46

2 Answers

One method is to have everyone simultaneously generate their own random number - for example, everyone rolls a 4-sided die - and you take the sum of all the random numbers modulo 4 (or equivalently you count down the list equal to the sum, looping back to the start each time). Then as long as no-one has perfect information of what everyone else's numbers will be ahead of time, even if they cheat they can't really affect the outcome. It's also robust to collusion, because if $n-1$ people decide on their combined result the final outcome is still completely decided by the remaining person.

ConMan
    Isn't the last person to say their dice roll always in complete control of the outcome? – Mark H Apr 18 '23 at 05:16
  • @MarkH The players would have to reveal their values near simultaneously, so that there is no time for someone to cheat. – Jaap Scherphuis Apr 18 '23 at 07:43
  • @MarkH yes this was my thought as well. Can't necessarily guarantee the timing of submission, so revealing simultaneously doesn't work. I suppose asynchronicity should be a requirement in the original question. – SamE Apr 18 '23 at 14:42
  • @MarkH Perhaps the user named "ConMan" was aware of this weakness, and intended to convince everyone the method was fair so he could exploit it! – Mike Earnest Apr 18 '23 at 15:28
  • I was indeed assuming that there is synchronicity in revealing the results, although everything still holds as long as the last person to reveal their result is unable to change it once they know everyone else's - for example, using your example of rolling a die on camera, if everyone throws their dice at roughly the same time then it doesn't matter if it's actual live footage or a recording since they can't know which result to show ahead of time. – ConMan Apr 18 '23 at 23:15
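As an added illustration (not part of ConMan's answer or the comments above), the following Python simulation implements the sum-modulo-n rule for four players, checks the answer's robustness claim (one honest uniform roll still reaches every outcome whatever the other three rolls are), and shows why the timing caveat in the comments matters: a participant who sees the other rolls first can choose their own. The commit-reveal step at the end is an assumed mitigation of that caveat, not something the answer proposes: each player publishes a SHA-256 hash of a random salt plus their roll before anyone reveals, so the last revealer can no longer change their value.

```python
import hashlib
import secrets


def pick_first_player(rolls):
    """ConMan's rule: add up everyone's roll and count that far down the list of
    players, wrapping around. Rolls and player numbers are both 1..n."""
    n = len(rolls)
    for r in rolls:
        if not 1 <= r <= n:
            raise ValueError(f"roll {r} is outside 1..{n}")
    return (sum(rolls) - 1) % n + 1


def honest_player_outcomes(other_rolls):
    """Robustness claim from the answer: whatever the other n-1 rolls are (even
    if chosen together), one honest uniform roll reaches every outcome exactly
    once, so the final result stays uniform."""
    n = len(other_rolls) + 1
    return sorted(pick_first_player(other_rolls + [r]) for r in range(1, n + 1))


def last_mover_choice(known_rolls, wanted):
    """The weakness raised in the comments: a participant who learns everyone
    else's roll before fixing their own can pick the roll that yields `wanted`.
    This is the reason the reveal below is preceded by a commitment."""
    n = len(known_rolls) + 1
    for r in range(1, n + 1):
        if pick_first_player(known_rolls + [r]) == wanted:
            return r
    raise AssertionError("unreachable: every outcome is reachable")


# Commit-reveal (an assumed mitigation, not part of the answer): each player
# publishes H(salt || roll) first and reveals (salt, roll) only after all
# commitments are in. The 32-byte random salt stops anyone from recovering the
# roll by hashing the four possible values.
def commit(roll):
    salt = secrets.token_bytes(32)
    digest = hashlib.sha256(salt + bytes([roll])).hexdigest()
    return digest, salt


def open_commitment(digest, salt, roll):
    """Verify a revealed (salt, roll) against the earlier commitment."""
    return hashlib.sha256(salt + bytes([roll])).hexdigest() == digest


def run_round(rolls):
    """Two-phase round: everyone commits, then everyone reveals and is checked."""
    commitments = [commit(r) + (r,) for r in rolls]  # (digest, salt, roll)
    revealed = []
    for digest, salt, roll in commitments:
        if not open_commitment(digest, salt, roll):
            raise ValueError("a reveal does not match its commitment")
        revealed.append(roll)
    return pick_first_player(revealed)


if __name__ == "__main__":
    rolls = [secrets.randbelow(4) + 1 for _ in range(4)]  # constructed sample round
    print("rolls:", rolls, "-> first player:", run_round(rolls))
```

In a real remote round the digests would be exchanged over whatever channel the friends use, and a player who refuses to open their commitment simply aborts the round; the salt must be kept secret until the reveal phase.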

I believe the problem can be solved with MPC (multi-party computation) techniques. Here is a protocol that I think works when the majority of people are honest (i.e., at most $\left\lfloor\frac{n-1}2\right\rfloor$ collusions out of $n$ people). I haven't got time to verify for now. Maybe I will update this answer to prove its security later.

Protocol

  1. Each person $i$ generates two secret numbers from $\mathbb Z_m$ (suppose we want $m$ possible outcomes). One is used as the seed ($s_i$), and the other is used as the mask ($m_i$).
  2. Each person $i$ sends out one message with the initial value $s_i+m_i$ and passes it to the next person.
  3. On receiving one message:
    1. If the message was sent by herself, Person $i$ extracts the value and subtracts $m_i$ from it. Denote her final value by $v_i$.
    2. If not, Person $i$ adds $s_i$ to the value and passes the message to the next person.
  4. Person $i$ compares her $v_i$ with everyone else's $v_j$. If they are all the same, Person $i$ votes that Person $v_i$ is the first player.
  5. If Person $v_i$ receives votes from all the people, she is the first player.

Analysis (NOT formal proof)

Ideally, each person's $v_i$ should equal $\sum_{i=1}^ns_i$. Hence, they can reach a consensus if each person obeys the protocol. Since each honest person has a say in the final result, $v_i$ should be uniformly random. Next, we consider subversive people.

Since the majority of people are honest, there must exist two honest people who are adjacent. Let's say they are $i$ and $i+1$. Regardless of how others behave (e.g., whether they are benign or malicious), the two people can keep their local seeds and masks secret (even if other people exchange information). The reason is that messages are handed to Person $i+1$ by Person $i$. Even if other people intercept messages before Person $i$ and after Person $i+1$, they can only compute the sum $s_i+s_{i+1}$ and cannot infer $s_i$ or $s_{i+1}$ alone. Moreover, they can tell neither $s_i$ nor $m_i$ from the initial value.

Additional Notes

  1. The order of message passing is important: Each message should be passed in a circular manner (although a minority of people may disobey the rule). Such an order can be established by leader election. After the election, the leader delegates her leadership to a second person and then a third person, and so on, until every person has a fixed position in the circle.

  2. Once the beginner is agreed upon, she is chosen purely at random. It does not mean that each run of the protocol will result in a consensus. In fact, the protocol may indefinitely fail to reach a consensus if some people continue to undermine it.

  • Trying to parse this... A couple questions though. First, in Protocol.3.1, is this true if messages have been passed n times? Second, in Protocol.5, is it enough that a majority of people vote for Person $v_i$? – SamE Apr 18 '23 at 14:51
  • Oh, another question. Third, should both $s_i$ and $m_i$ be in $\Bbb{Z}_m$? Wouldn't it be enough to do the process with $\Bbb{Z}_n$ such that n is arbitrarily large, then end with taking $v_i \pmod m$? – SamE Apr 18 '23 at 14:58
  • @SamE I think your first two points are right but I cannot decipher the third well. For the first point, yep, each message should ideally be passed to each person once to guarantee the consensus of the sum. Second, yeah, we can weaken 4. and 5. to the agreement from the majority, as there must be one honest person who also agrees. Third, I don't see the difference whether $s_i$ and $m_i$ are taken from $\mathbb Z_m$ or a larger $\mathbb Z_n$, as long as $n$ is a multiple of $m$. In fact, generating a random number from $\mathbb Z_m$ is easier since it costs fewer random bits. – dromniscience Apr 18 '23 at 17:42
  • Thank you! For the third point, what I am wondering is if selecting either $s_i$ or $m_i$ from something much larger than $m$ is helpful in obscuring my selection of either. However, I realized that it doesn't matter, but now I think that the values $s_i + m_i$ or $s_{i+1} + v_i$ that get passed along need to be in $\Bbb{Z}_m$, is that right? As in, everything calculated needs to be $\pmod m$? – SamE Apr 18 '23 at 19:21
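As an added simulation (not part of dromniscience's answer or the comments), the Python below runs the ring protocol for $n$ participants and $m$ outcomes with every value kept in $\mathbb Z_m$: each message starts at $s_i+m_i$, visits every other person exactly once in ring order (the point raised in the first comment), collects their seeds, and has the mask removed when it returns. The `deviations` argument is a constructed misbehaviour model, not from the answer: it lets one participant add a wrong amount to a chosen message, which shows how consensus fails rather than being biased. The `threshold` parameter in the vote count is the majority relaxation of steps 4 and 5 mentioned in the comments, and `candidate_seed_pairs` makes the analysis section's privacy argument concrete by listing every $(s_i, s_{i+1})$ pair consistent with an intercepted sum.

```python
import secrets


def run_ring_protocol(n, m, seeds=None, masks=None, deviations=None):
    """Simulate the ring protocol for n participants and m possible outcomes.

    Every value lives in Z_m, as the protocol specifies. `seeds` (s_i) and
    `masks` (m_i) are drawn at random unless supplied for a reproducible run.
    `deviations` is a constructed misbehaviour model: a dict mapping
    (cheater, origin) to the extra amount that cheater adds to the message
    started by `origin`, on top of her seed.
    Returns the list of final values v_i, one per participant.
    """
    seeds = seeds if seeds is not None else [secrets.randbelow(m) for _ in range(n)]
    masks = masks if masks is not None else [secrets.randbelow(m) for _ in range(n)]
    deviations = deviations or {}
    finals = []
    for origin in range(n):
        # Step 2: the originator starts her message with s_i + m_i.
        value = (seeds[origin] + masks[origin]) % m
        # Step 3.2: the message visits each other participant exactly once,
        # in ring order, and each adds her seed s_j.
        for hop in range(1, n):
            j = (origin + hop) % n
            value = (value + seeds[j] + deviations.get((j, origin), 0)) % m
        # Step 3.1: back at the originator, the mask m_i is removed.
        finals.append((value - masks[origin]) % m)
    return finals


def agreed_first_player(finals, threshold=None):
    """Steps 4-5: a participant votes for her own v_i only when it matches
    at least `threshold` participants' values (all n by default; the comments
    note this can be relaxed to a majority). Returns the elected person, or
    None when no value collects enough votes."""
    n = len(finals)
    threshold = n if threshold is None else threshold
    counts = {}
    for v in finals:
        counts[v] = counts.get(v, 0) + 1
    for v, c in counts.items():
        if c >= threshold:
            return v
    return None


def candidate_seed_pairs(observed_sum, m):
    """Privacy argument from the analysis: an observer who sees a message enter
    honest person i and leave honest person i+1 learns only s_i + s_{i+1} mod m,
    which is consistent with m different (s_i, s_{i+1}) pairs."""
    return [(a, (observed_sum - a) % m) for a in range(m)]


if __name__ == "__main__":
    finals = run_ring_protocol(n=4, m=4)  # four friends, four outcomes
    print("final values:", finals, "-> first player:", agreed_first_player(finals))
```

Running it with an honest ring always yields identical $v_i$ equal to $\sum s_i \bmod m$; with a single deviation, the originator of the altered message ends up with a different value, so the full-agreement vote returns no winner, which is the failure mode described in Additional Note 2.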