
I have thought up a method for generating random numbers between a client and a server which I hope is fair:

  • The client and server decide on a range in advance, $0$ through $n-1$.

  • The server generates a $256$ bit random number $m$ (in the range $0$ to $\operatorname{floor}(\frac{2^{256} }{ n}) · n$) and hashes it with SHA-256 to give $m'$. $m'$ is then sent to the client.

  • The client generates a $256$ bit random number $o$ (as above) and sends it to the server.

  • The server can now calculate a fair random number $p = m + o \pmod n$.

  • The server sends $m$ and $p$ to the client.

  • The client can now check $\operatorname{SHA256}(m) = m'$ and $p = o + m \pmod n$.

Am I overlooking anything?

Paŭlo Ebermann
t123

1 Answer


Yes, your scheme is fine.

Nitpick: I think you mean that your goal is to generate a random number in the range $0\ldots n-1$ (not $0\ldots n$). Also, to avoid bias, you need to generate $m$ as a random number in the range $0 \ldots (\lfloor 2^{256}/n \rfloor \cdot n)-1$ (not $0\ldots \lfloor 2^{256}/n \rfloor \cdot n$).

This problem is known as secure coin flipping, and it has been studied in great depth before. For solutions and analysis, look at the following questions on this site:

D.W.
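The commit-and-reveal exchange from the question, with the range fix from the answer, as an added worked example (not code from either poster). It assumes $m$ is hashed as a fixed-width 32-byte big-endian integer, and the `tamper` check shows what the client's verification catches when the server changes $m$ after seeing $o$.

```python
import hashlib
import secrets

RANGE_BITS = 256  # both secrets are 256-bit values, as in the question


def secret_limit(n: int) -> int:
    """Exclusive upper bound floor(2^256 / n) * n for the secrets.

    Every residue class mod n appears exactly floor(2^256 / n) times
    in 0 .. limit-1, so (m + o) mod n is unbiased (the answer's nitpick)."""
    return (2 ** RANGE_BITS // n) * n


def sample_secret(n: int) -> int:
    """Uniform integer in 0 .. secret_limit(n)-1 by rejection sampling."""
    limit = secret_limit(n)
    while True:
        candidate = secrets.randbits(RANGE_BITS)
        if candidate < limit:
            return candidate


def commit(m: int) -> bytes:
    """m' = SHA256(m); the 32-byte fixed-width encoding is an assumption."""
    return hashlib.sha256(m.to_bytes(RANGE_BITS // 8, "big")).digest()


def client_verify(n: int, m_commit: bytes, m: int, o: int, p: int) -> bool:
    """Client checks: opened m matches the commitment and p was computed honestly."""
    return commit(m) == m_commit and p == (o + m) % n


def run_protocol(n: int, server_secret=None, client_secret=None, tamper=False) -> dict:
    """Run one round; fixed secrets make the round reproducible for testing."""
    m = sample_secret(n) if server_secret is None else server_secret
    m_commit = commit(m)                       # step 2: server sends m' first
    o = sample_secret(n) if client_secret is None else client_secret  # step 3
    if tamper:                                 # dishonest server re-picks m after seeing o
        m = (m + 1) % secret_limit(n)
    p = (m + o) % n                            # step 4
    ok = client_verify(n, m_commit, m, o, p)   # steps 5 and 6
    return {"m": m, "o": o, "p": p, "ok": ok}


if __name__ == "__main__":
    print(run_protocol(6))
```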