Theoretical Breakthrough Made In Random Number Generation

msm1267 quotes a report from Threatpost: Two University of Texas academics have made what some experts believe is a breakthrough in random number generation that could have longstanding implications for cryptography and computer security. David Zuckerman, a computer science professor, and Eshan Chattopadhyay, a graduate student, published a paper in March that will be presented in June at the Symposium on Theory of Computing. The paper describes how the academics devised a method for the generation of high quality random numbers. The work is theoretical, but Zuckerman said down the road it could lead to a number of practical advances in cryptography, scientific polling, and the study of other complex environments such as the climate. "We show that if you have two low-quality random sources -- lower quality sources are much easier to come by -- two sources that are independent and have no correlations between them, you can combine them in a way to produce a high-quality random number," Zuckerman said. "People have been trying to do this for quite some time. Previous methods required the low-quality sources to be not that low, but more moderately high quality. We improved it dramatically." The technical details are described in the academics' paper "Explicit Two-Source Extractors and Resilient Functions."

Multiplication

And the secret algorithm is... multiplication!

Note: IANAM

Re: Multiplication

Multiplication and other arithmetic operators are indeed secret as far as the average American high schooler is concerned.

Re:Multiplication

[michelcolman]

And the secret algorithm is... multiplication!

No, then zero will occur more often than other numbers.

I suppose xor ought to work if the two sources are totally unrelated. But then you have to be sure that they really are completely unrelated. For example, feed it the same source twice and all you get is zero.

So I imagine they must have done something a lot more clever than that.

Re: Multiplication

[Ol+Olsoc]

Multiplication and other arithmetic operators are indeed secret as far as the average American high schooler is concerned.

Well, a Mathematician was interrogated because some woman on a plane saw him........

doing math, which in today's America is a sign of trrsm.

Re:Multiplication

But then you have to be sure that they really are completely unrelated.

That is one of the requirements. If they aren't you can combine them into a single algorithm.

Re: Multiplication

in today's America is a sign of trrsm.

OMG, Daesh is coming after our vowels now! Seal the borders!

Re: Multiplication

And I dont see how xor turns two mediocre generators into a good one.

Re: Multiplication

[michelcolman]

It certainly won't make them worse (if they are unrelated), and if they are periodic, the new period will be the least common multiple of the originals.

Re: Multiplication

The group's name is Al-Gebra, they see j-hat as the Solution.

Re: Multiplication

[sjames]

Yes, a woman from Wales.

Re: Multiplication

[Ol+Olsoc]

Yes, a woman from Wales.

As much as people like to point out that this woman was form Wales, was she in Wales at the time she accused the Mathematician of being a terrorist?

We are so fearful in America, ready to panic over stupid shit like alarm clock innards and math symbols, and it is engouraged to be in that state of fear, as witnessed by commercials I here very day commanding that citizens call authorities if they see or hear anything (their emphasis, not mine) out of place.

They were in America, in Philadelphia - and she decided that he was a terrorist. He was not interrogated because she was from Wales, he was interrogated because someone thought that he was a terrorist and math sysmbols are suspect in America today.

If the airplane was in some other country when that happened, I might have made a reference to that country. I kinda hope we're clear on this.

Re: Multiplication

[sjames]

So did she get her math education while she was here or do you suppose she got it in Wales?

Re: Multiplication

[Ol+Olsoc]

So did she get her math education while she was here or do you suppose she got it in Wales?

She got the reaction to her stupidity in Philadelphia. Which happens to be in the US.

Re: Multiplication

[sjames]

Absolutely. We are now a fear based society. The Chicken Little of the world.

Re: Multiplication

Australia is proudly ahead though as we haven't had a terrorist event here yet it doesn't stop the fear and promos from our goverment and opposition.. More Aussies died falling out of bed and being accidently pushed while walking on the footpath in the last decade than have been killed by the reds... I mean terrorists.

Re: Multiplication

The late George Marsaglia proposed the same concept years ago. The authors Zuckerman et al. have not made it clear what is novel about this "never tried before" algorithm. So far, it's a bunch of hype and self promotion. Two separate algorithms using two separate seeds on one computer achieve the same goal. The only missing ingredient that Zuckerman has not revealed is hardware entropy, which cannot be replicated, two tests in a row. The future of random generation lies in quantum computing, but we aren't there yet.

FP

[jlechem]

FP Also I tried to read the brief and as a CS major it was above my head. Must be a math thing.

Re:FP

It could just be that it's high quality randomness.

Re:FP

[ShanghaiBill]

I read it too, and I fail to see the breakthrough. There are plenty of pseudo random number generators, such as the Mersenne Twister, with very long periods, so just occassionally XORing even a poor quality random number into the feedback loop, is enough to make it completely unpredictable.

Re: FP

Pseudo

Re:FP

[JoeMerchant]

That's more or less the basis for CryptMT...

Re:FP

...as a CS major it was above my head. Must be a math thing.

ouch. *collective groan from the mathematics and computer literate worlds*

Re:FP

[macklin01]

I read it too, and I fail to see the breakthrough. There are plenty of pseudo random number generators, such as the Mersenne Twister, with very long periods, so just occassionally XORing even a poor quality random number into the feedback loop, is enough to make it completely unpredictable.

Mersenne Twister is pretty much the standard for simulating a uniform distribution in a lot of scientific computing. These depend not only upon unpredictability (useful for avoiding biases, and clearly important in the security realm), but also upon properties of the uniform distribution.

But when we test it out, we find it's still not as great as we'd like: look at a histogram of outputs, and you'll see that until you get really large numbers of function calls, the histogram isn't particularly uniform. (In particular, numbers near the bottom and top of the range don't get called quite as often.) This means that simulation properties that rely upon uniform distributions over both long and short time periods may be thrown off, and short- and mid-time simulation results may well stem from the MT rather than from the mathematical model. Moreover, low-probability events may have artificially smaller probabilities in the simulations (because of the non-uniformity of the distributions near the bottom and top ends of the range).

Over very short numbers of function calls (a few hundred to a few thousand), the outputs can even tend to cluster in a small neighborhood. So suppose that you are simulating a tissue with many cells, and calling MT as your uniform distribution to decide if the cells divide or stay dormant (each with independent probability p, so each cell divides if PRNG/max(PRNG) < p). The math says that for a uniform distribution, you don't need to worry about what order you evaluate your decision across all the cells. But if the PRNG outputs cluster over several sequential calls, then a neighborhood of cells may simultaneously divide if they are all evaluated close to one another sequentially. In analyzing the spatial behavior of such a simulation, you may draw incorrect conclusions in smaller spatial structures that, again, derive from non-uniformity of the PRNG, rather than problems with predictability. (And then you may accept/reject a particular hypothesis or mathematical model pre-maturely.)

So, there's definitely more to it than just unpredictability, depending upon where the code is being used.

Re:FP

[TheRealMindChild]

If you are doing biological simulations, I'm pretty sure you'd want to use an actual random source, rather than psuedo-random. You even state yourself, the result isn't what you would want. Leave PRNG to things like computer game AI and song playlist randomization.

Re:FP

[Livius]

All I got out of it was a function of independent random variables, and that level of math was in my very first stats course.

I'll give them the benefit of the doubt and assume I missed something.

Re:FP

[Fwipp]

Well sure, if you're fine with your simulation being rate-limited by /dev/random.

Affordable hardware entropy sources output on the order of hundreds of kbps, which is, you know, abysmally slow for the amount of calls that are required for meaningful simulation. Without hardware entropy sources (remember, many of these are running on grad students' laptops), using 'true' randomness drops from "embarrassingly" to "unusably" slow.

Re:FP

[JanneM]

For large-scale simulations you need them to be pseudo-random, as in repeatable. If you are running a parallel simulation across hundreds or thousands of nodes, you can't send random data to all the nodes. You'd spend all your time sending that, not getting anywhere with your simulation.

Instead, what you do is that each node runs its own random generator, but seeded with the same state. That way they all have the same random source, with no need to flood the interconnect with (literally) random data.

Another reason is repeatability of course. You may often want to run the exact same simulation many times when you're developing and debugging your code.

Re:FP

[Bengie]

The Universe is just varying degrees of pseudo-random. With the Avalanche effect, even small amounts of "entropy" mixed into psuedo-random. The biggest issues with making strong random numbers isn't creating high quality 50/50 distribution of 1s and 0s, but making sure the RNG isn't susceptible to some form of malicious "entropy" from a compromised entropy source or leaking data about the state of the RNG.

Re:FP

[Darinbob]

Sure, lots of people can do that, but can they do the math behind it well enough to get a paper out of it?

Re:FP

[Darinbob]

It could be both. Remember that computer science and mathematics very often overlap with each other, especially with cryptography. If you couldn't understand it then maybe you had the wrong focus in computer science. I knew a lot of CS grad students and profs who were essentially mathematicians who couldn't program but who focused on a theoretical computer science area.

Re:FP

As far as anyone can tell, quantum noise really is completely unpredictable, no pseudo about it. There's no way to know whether your electron is going to be measured spin-up or spin-down until you measure it.

Re:FP

Over very short numbers of function calls (a few hundred to a few thousand), the outputs can even tend to cluster in a small neighborhood.

"can tend" doesn't sound like a convincing case against randomness.
A true random function should be able to produce millions of the same number in sequence. If the function guarantees an even distribution it isn't very random.

Re:FP

[K.+S.+Kyosuke]

Is there a reason why using the hardware entropy source to change the state of a quality PRNG those few hundred thousand times per second wouldn't work?

Re:FP

[K.+S.+Kyosuke]

Remember that computer science and mathematics very often overlap with each other

Yes, especially if you realize you can put all the computer science on top of the lambda calculus, which is mathematics. Then it turns out that computer science is a proper subset of mathematics. Which indeed is a specific form of overlap (although the common usage of the word "overlap" could create a mistaken impression that there is a part of computer science which isn't in mathematics).

Re:FP

[TechyImmigrant]

I read it too, and I fail to see the breakthrough. There are plenty of pseudo random number generators, such as the Mersenne Twister, with very long periods, so just occassionally XORing even a poor quality random number into the feedback loop, is enough to make it completely unpredictable.

This proof is about proving mathematically that an algorithm is a good entropy extractor. MT has no such proof. It doesn't even meet the definition of an entropy extractor and isn't cryptographically secure. For algorithms in the same class, PCGs are currently top of the pile, but they still aren't secure.

They claim to have an algorithm for a secure two input extractor (where the two inputs are independent) which can extract from low entropy source. 'low' means less than 0.5. Single input extractors suffer from an absence of proofs that they can extract from sources with min-entropy less than 0.5.

I fail to see it as new because the Barack, Impagliazzo, Wigdersen extractor from 2007 did the same trick using three sources (A*B)+C where values from A,B and C are treated as elements in a GF(2^P) field and can operate with low min-entropy inputs. This is so cheap that the extractor is smaller than the smallest entropy sources. Intel published this paper using the BIW extractor for what is probably the most efficient (bits/s/unit_area and bits/s/W) to date.

I fail to see that it is useful, because real world sources have min-entropy much higher that 0.5. Low entropy inputs is a problem mathematicians think we have, but we don't. We engineer these things to be in the 0.9..0.999 range.

On top of it, these two papers are as clear as mud. I tried and failed to identify an explicit construct and ether I'm too dumb to find it or they hid it well. I did find an implication that the first result uses a depth-4 monotone circuit that takes long bit strings and compresses them to 1 bit and the second paper extends this with a matrix multiply. That sounds both inefficient and more expensive than an additional small source needed to use the cheaper 3-input BIW extractor.

My take is that there have been two breakthroughs in extractor theory in recent years. Dodis's papers on randomness classes and extraction with cbc-mac and hmac for single input extractors and the BIW paper for three input extractors. Both useful in real world RNGs.

I may be wrong though. I've asked a real mathematician to decode the claims.

Re:FP

[TechyImmigrant]

Mersenne Twister is pretty much the standard for simulating a uniform distribution in a lot of scientific computing.

No. Permuted Congruential Generators are. There's no contest. MT is slower and doesn't pass TestU01.
MT is used for reasons of inertia.

Re:FP

[TechyImmigrant]

Is there a reason why using the hardware entropy source to change the state of a quality PRNG those few hundred thousand times per second wouldn't work?

That is a normal construct. It's even codified in SP800-90A with the additional input option on the Reseed() function.

Re:FP

[Bengie]

Quantum "random" may be random to any observer in our Universe, but that's probably because you would need perfect information about the state of the entire Universe in order to predict it perfectly. This is still pseudo-random, just very chaotic.

Re:FP

[serviscope_minor]

Mersenne Twister is pretty much the standard for simulating a uniform distribution in a lot of scientific computing

kind of is, for the reason as you say of:

MT is used for reasons of inertia.

MT19937 is pretty good. Much better than the LCGs that were popular before it. Those have some really serious pitfalls and you can hit them awfully easily. MT19937 is generally pretty good, though not perfect. It has far fewer pitfalls than LCGs and you're actually pretty unlikely to hit them (it doesn't fail TestU01, it passes almost all of the tests and fails a few). It's also fast enough that you have to try quite hard to make the RNG the limiting factor (it is possible though).

You can go wrong with MT19937, but it's hard to. That makes it pretty decent. Prior to C++11, xorshift used to be my go-to generator that didn't suck because it was a 5 line paste. These days, it's MT19937 simply because it's in the standard library and good enough for almost all tasks.

Re:FP

Except that the majority of "computer science" programs in colleges these days seem to be more "computer programming" degrees with one or two theory classes, at least based on the candidates I end up interviewing. From a design perspective, they are still better than the EE/CE degrees that think they know "software engineering" and those are still better candidates than anyone I've ever met with an MS in software engineering.

Why can't "csci" degrees have something besides python or java...and why can't EE/CE learn some basics like object oriented?

Re:FP

> Is there a reason why using the hardware entropy source to change the state of a quality PRNG those few hundred thousand times per second wouldn't work?

That's actually how /dev/urandom works: http://www.2uo.de/myths-about-urandom/ ...and yes, it's fine.

Re: FP

I challenge you to show me an example of a natural PRNG in the universe.

Re:FP

[Tough+Love]

The contribution here is to provide a solid theoretical footing for your "just occassionally XORing", which if done informally as you propose is more than likely to lead to surprising statistical defects. Not that I follow the proofs either, but I understand the value of the work.

Re:FP

[Darinbob]

Yes, which is why the majority of computer science programs are not very good these days. Back in the 80s I was already seeing a trend with companies insisting that faculty start teaching more job-ready skills, and that was when many important universities didn't even have a computer science department and it was still a part of the math department. Ie, they wanted to see the university teach C instead of Pascal for the introductory courses, things like that. However I rarely see that sort of pressure put on other departments, you don't hear complaints that math or socialogy majors aren't learning job-ready skills, but when it comes to CS they like to treat a university as an expensive trade school to stock up the entry level positions. (meanwhile in my first job after graduation I used many different programming languages and paradigms instead of only knowing one)

In my experience, you can teach the EE people to use better software engineering and they are interested in doing so; whereas the CS people have more difficulty going the other way in learning systems oriented concepts.

Re:FP

[Fwipp]

You mean other than short-range non-uniformity in the Mersenne Twister (perhaps the most commonly used quality PRNG), which this thread of comments is about?

Re: FP

Just keep calculating digits of pi?

Re: FP

The law of large numbers comes into play here. Just increase your sample size to increase the uniformity of your distribution. In the real world, we extrapolate from large samples, not tiny samples.

Monte Carlo simulators rejoice

Now all you astronomers have to worry about is small numbers statistics.

Journalistic hype

My understanding is that, while a nice development, this is FAR from a breakthrough, theoretical or otherwise - the core ideas have been widely known in the cryptography community for a long time.

What a talent!

[Verdatum]

Wow! David Zuckerman, the writer/producer of Family Guy is also a noted Computer Science professor...Man, a lot of the jokes make more sense now!

Re:What a talent!

This is a failure to make a good a random FullNameGenerator from two less good generators (FirstNameGenerator, SurnameGenerator). David is a common name. Zuckerman is a common name. David Zuckerman is not uncommon enough.

Why not hardware

[rfengr]

Why not just use analog hardware to do it; i.e. sampling of white noise?

Re:Why not hardware

Why not just use analog hardware to do it; i.e. sampling of white noise?

Because as we found from the Republican attempts to force them down our throats is that the white noise generators aren't random. They want to force us to use insecure sources of randomness because they hate the people.

Re:Why not hardware

It's much easier to use metastabillity of flip-flops to generate random bits.

Re:Why not hardware

Hardware random number generation based on stochastic random processes (e.g. Johnson noise across a resistor) is a real thing.

There is the minor difficulty that it requires that you actually add the hardware to do the sampling - sure HP didn't mind dropping a /dev/hwrng into my new $3500 laptop, but most people don't buy top-of-the-line hardware, and nobody likes hardware dongles.

The REAL difficulty is that you're now subject to all the usual threats to analog processes. We like to just *assume* that all the noise sources in our analog devices are uncorrelated because that makes our analyses tractable, but that's not the case. In other words, you want to believe that the 20th bit of the noise-sampling ADC is independently flapping in the breeze and providing 1/0 randomly and in equal measure, but that doesn't make it so. This is especially the case inside a box packed with high-speed digital circuitry, which will be coupling nonrandom, nonwhite signals into anything it can. Worst of all, these signals will tend to be correlated with the ADC: Its conversion clock, like almost every other clock signal in a modern computer, is probably either phase-locked to or derived directly from the same crystal in order to provide reliable, synchronous timing between circuits.

Re:Why not hardware

Generally speaking, you can generate perfectly random data that way... but it takes too long.

Re:Why not hardware

[GuB-42]

1- Maybe you prefer a repeatable pseudo-random sequence to real random data. Like for testing, or to make stream ciphers.
2- Hardware RNGs are often biased, they may for example output a "0" 70% of the time and a "1" 30% of the time. The output needs processing to remove the bias. Combining a biased but truly random generator with an unbiased PRNG can be an effective way to archive this.

Re:Why not hardware

CAPTCHA: tempest

Re:Why not hardware

[Bengie]

Intel has a high quality HW-RNG, but no one trusts it. That's the bigger issue with anything hardware, it can't be verified, only software can.

Re:Why not hardware

[Tyrannosaur]

I'll take the bait-

sources cited? It's been a while since I've done a project on this, but I'd like to see this evidence of 'non-randomness of white noise' you speak of

Re:Why not hardware

[Darinbob]

A problem with the hardware RNGs is that they very often don't just give you a random number on demand. They often require you to have a delay between starting and ending the operation for example, and the longer you wait the more entropy is generated. Not bad drawbacks for the occasional crypto input, but could be a problem for running simulations.

Re:Why not hardware

That's what this is useful for.

The problem with hardware entropy sources is that they're invariably biased: some patterns of bits are more likely than others.

This essentially allows you to combine multiple imperfect entropy sources to obtain a much better source.

Re:Why not hardware

[Agripa]

There are things which can be done to improve the situation. Build two (or three) symmetrical noise sources and subtract one from the other to remove common mode influences; three sources allow for redundancy and cross checking. For a simple design, a complex ADC is not required; use a comparator followed by a flip-flop or latch. Use the average DC level of the noise to set the comparator's trip point. Or use an ADC instead of the comparator so that the noise source can also be fully characterized in its raw form.

Re:Why not hardware

[TechyImmigrant]

Why not just use analog hardware to do it; i.e. sampling of white noise?

Did you read the papers? That's what it is about.

Re:Why not hardware

[mlts]

I wonder about using something like AES or a standard encryption algorithm on the stream of numbers coming from the RNG/PRNG, with the encryption key coming from a different RNG pool. This might help with the unpredictability aspect.

Here's a pair of low quality RN sources

- amount of time (in milliseconds) it takes, after a /. article appears, for the first "First Post!" or "Cows say MOO" post.

- Number of references to Trump on /. over a period of three consecutive days.

Re:Here's a pair of low quality RN sources

[mark-t]

Does that count as a reference to Trump? Does this post? Does a response to any of these questions count as such?

Re:Here's a pair of low quality RN sources

[michelcolman]

Neither of these has a uniform distribution. In the former example, lower numbers are more likely. In the latter example, higher numbers are more likely.

Re:Here's a pair of low quality RN sources

We can fix this by simply applying a permutation or hash function to it, like x^2 (mod n), or even just a block cipher with a hardcoded key.

Re:Here's a pair of low quality RN sources

[TeknoHog]

Or in the style of von Neumann, use transitions between 0 and 1 as they will come equally often. Map 01 to 0 and 10 to 1, for example.

Re:Theoretical breakthrough...

[ShanghaiBill]

Worst of all it's random number generator... exactly how hard would it be to test it?

Random number generators are notoriously hard to test. You can run as many tests as you like, and find no pattern. But that doesn't mean no pattern is there.

Theoretical breakthrough? Theoretically impressive

I'm theoretically amazed that this theoretical breakthrough was ever theorized! Theoretically speaking, if the theory espoused in this theoretical breakthrough could theoretically be accomplished in actuality (or it laypersons' terms, "fo realz") ...the theoretical applications of this un-accomplishment could theoretically change the world of theoretical cryptography in ways which at this point could ONLY BE THEORIZED.

Re:Theoretical breakthrough...

[JoeMerchant]

The longer people look without finding increases confidence...

I'll stick with this random number generator

http://dilbert.com/strip/2001-...

Re:I'll stick with this random number generator

[michelcolman]

Or this one

Re:I'll stick with this random number generator

[nintendoeats]

That is literally how security on the PS3 worked.

Re:Theoretical breakthrough...

[MobileTatsu-NJG]

A few days ago I had dinner with a friend of mine who worked on this project. Curiosity got the best of me and I said: "Level with me man, did you really create a random number generator?" And he said: "More or less."

Re:Theoretical breakthrough...

Yep, but you've always got to check the n+1 case for trivial repetition...

the problem

to be sure: http://dilbert.com/strip/2001-10-25

Re: Theoretical breakthrough...

The problem is that one can never be sure that an attacker hasn't found a pattern, but is holding it to themselves.

This is just what cryptographers have done forever

I also don't see the breakthrough. We can do the same thing by simply concatenating the previous output and the new input to the generator and hashing it.

Low reliability random vs dedicated white noise

[wierd_w]

I see this very salient question raised earlier-- why not use a dedicated white noise generator for random picks?

Most places you are going to need a good random integer are going to be in places where a dedicated diode based noise source is going to add cost to the system, and thus not be ideal. Things like an ATM machine, a cellphone, a laptop, whatever.

The cost is not in the actual component cost (a diode costs what, a few cents?) but in a standardized interface to that noise source.

Conversely, there are several very low quality sample sources that have no physical correlation with each other on such systems that can be leveraged, which have well defined methods of access, which add zero additional cost to the system.

Say for instance, microphone input + radio noise floor on a cellphone. Perhaps even data from the front and rear cameras as well. (EG, take Foo miliseconds of audio from the microphone, get an snr statistic from the radio, and have a pseudorandom shuffle done on data from the front and rear cameras. These sources are, independently, horrible sources of random. They are however, independent of each other. If this guy has found a really good way of getting good random from bad sources, then a quality random sequence can be generated quickly and cheaply this way. This would allow the device to rapidly produce quality encrypted connections without a heavy computational load, vastly improving the security of the communication, and do so without any additional OS level support, or extra hardware.)

When deriving a key pair for the likes of GPG, it can take several minutes of "random" activity on the computer to generate a sufficiently high quality entropy pool for key generation. That is far too slow to have really good, rapidly changing encryption on a high security connection. Something like this could let you generate demonstrably random AES 256 keys rapidly on the fly, and have a communication channel not even the NSA can crack.

The trick here is for them to reliably demonstrate that the rapidly produced sequences are indeed quality random sequences with no decernable pattern.

Re:Low reliability random vs dedicated white noise

[bluefoxlucid]

All those white noise sources are affected by radio signals from the outside and EMR from digital processing circuits on the same board.

Re:Low reliability random vs dedicated white noise

[wierd_w]

This will be true of all digital sources, unless you want to export part of the key synthesis to an external device that different local em biases.

If you do that, then you have to trust that source implicitly not to have a subtly poisoned distribution (See the NSA's backdoored random source that caused such controversy in the past few years.)

Perfection is likely not attainable, even with hardware RNGs. This lets you get reasonably good samplings from wholly local, but less robust sources. To effectively exploit the unifying em bias of the device, you would need to know very specific features of the device, and how ambient signals interact with it to shape the distributions, THEN introduce very strong EM signals to the system to get the predictable patterns needed to assault the resulting encryption based on those distributions.

Those imply 1) that they have physical access to the device generating the keys (why not just put a bug on?) so that they can accurately measure the signal response curves of the circuits inside, and 2) are actively monitoring the target making the communications to be able to influence the EM background to create the reference signal needed to break the encryption.

With those prerequisites, quibbling about the quality of the random is the least of the privacy concerns.

Re:Low reliability random vs dedicated white noise

[Bengie]

In theory, 256bits of entropy is enough to be impossible to break. Pretty much a lifetime of "random" numbers can be created from 256bits, it doesn't take much. The problem is our algorithms and systems are not perfect and data gets leaked for various reasons. As long as you can seed the system with something like 256bits of strong entropy, you can slowly collect additional entropy over time, even if very slowly, and just keep mixing it in. All that matters is you acquire entropy some factor faster than you leak it.

Re:Low reliability random vs dedicated white noise

When deriving a key pair for the likes of GPG, it can take several minutes of "random" activity on the computer to generate a sufficiently high quality entropy pool for key generation. That is far too slow to have really good, rapidly changing encryption on a high security connection. Something like this could let you generate demonstrably random AES 256 keys rapidly on the fly, and have a communication channel not even the NSA can crack.

You'd still need to get the keys to the receive side, unless it's meant to function as a high quality random source on the receive side.

Re:Low reliability random vs dedicated white noise

[AmiMoJo]

The problem with hardware RNGs is that it can be difficult to detect errors and difficult to trust them. If some part of the system fails and introduces bias the only practical way of detecting that is to run expensive randomness tests on the output.

Intel does include an RNG in many of its CPUs, but how far can we trust it? It seems like the NSA has had its claws in Intel for a while, extent unknown. The RNG is an obvious target for them, along with the AES instructions found in i5 and i7 series CPUs.

In comparison a software PRNG can be proven mathematically and subjected to extensive, repeatable testing before being put to use, so there is generally no need to continually test the output. And we can trust it because we can examine the implementation in detail, obvious caveats about backdoored CPUs aside.

It is possible to overcome these issues with true hardware RNGs, but for most purposes most of the time the combination of on-chip-possibly-backdoored and software PRNG is good enough.

Re:Low reliability random vs dedicated white noise

[bluefoxlucid]

The point was people are talking about PRNGs (guaranteed known distribution, can mimic high-quality random data, can provide cryptographic security e.g. in a key scheduling algorithm) or noise-based RNGs (unknown distribution, often provide poor-quality random data, can be influenced by other operations inside the machine). Noise-based RNGs aren't magically high-quality, flat-distribution, unpredictable number sources; they can be the worst random number sources available.

To effectively exploit the unifying em bias of the device, you would need to know very specific features of the device, and how ambient signals interact with it to shape the distributions, THEN introduce very strong EM signals to the system to get the predictable patterns needed to assault the resulting encryption based on those distributions.

You'd only have to know about the particular hardware (e.g. a built-in RNG on a particular Intel board) to know about the RNG's biases. If you know it spikes around a certain cluster thanks to interference by the CPU and memory bus hardware (digital clocking), you can shave a few bits off the entropy. In the most extreme case, you could *theoretically* predict the impact of EMI generated by the computer algorithm doing the key scheduling (which necessarily happens during the request for random data) and provide a higher-probability target area (ranges of likely values); most such malarkey has focused on recovering encryption keys by measuring the timing of data writes or I/O or CPU scheduling to identify how much time the encryption routines are taking on each piece of data, and use that to compute what the key might be.

Breaking encryption isn't all about turning a 128-bit RC4 key into a 0-bit NULL key; AES is considered broken because you can get it down to some 126 bits of entropy, and RC4 was considered broken beyond usability when its entropy was still in the triple-digits.

Re:Low reliability random vs dedicated white noise

[bluefoxlucid]

The problem is any set of random data generated *right* *now* has a pattern. If you know something about that pattern, you can limit the amount of entropy someone could possibly derive from a random number source.

Re:Low reliability random vs dedicated white noise

[Bengie]

Minor context addition to AES down to 126bits of entropy. Ballparking numbers. Practical attacks only remove about 2-4 bits, reducing 256bits to 252bits and 128bits to 126bits. There are some non-practical attacks that require sampling petabytes of encrypted data from the same key where you know what the underlying unencrpyted data is. Then you can theoretically reduce AES256 down to something around 100bits, which is still nearly impossible for our solar system regardless of the hypothetical far future technology we have access to.

Create a new key every few hundred TiB of data, and you're fine.

Re:Low reliability random vs dedicated white noise

[Bengie]

That's why you whiten the output, that way you can't predict the pattern without knowing all of the entropy. Whitening gets rid of the patterns. Think crypto strong hashes. Difficult to reverse. Very good whiteners in that sense.

Re:Low reliability random vs dedicated white noise

[Bengie]

What we need are hardware RNG sources that provably do not have any ability to read state from the system, only input into the system.

Re:Low reliability random vs dedicated white noise

[bluefoxlucid]

It's enough for cryptographers to tell you to worry about the entropy source you're using and not magically assume that we can break 96 bits of encryption now but your 128-bit encryption key is fine because we're like 90 billion years off cracking that and maybe 8-12 years off developing newer technology to crack it reasonably fast.

Re:Low reliability random vs dedicated white noise

[Bengie]

Breaking perfect 128bit encryption is not feasible limited to our solar system. It would require having a perfectly efficient computer and converting several Earth masses into pure energy to power that computer. 256bit is right out, can't be done in our Universe with current understanding of basic physics. The only way is to find a flaw in the encryption. AES does have some flaws, but they all require having partial control of the entropy source for generating the keys or having access to both unencrypted and encrypted version of the data, and a phenomenally large amount of data. Easily defeated by rotating your keys.

Re:Low reliability random vs dedicated white noise

[bluefoxlucid]

A flaw in the entropy will give you a 60-bit key if you can guess that much. That's how researchers recover keys from AES just by running on the same machine as an unprivileged user.

Don't look now but ...

[BarbaraHudson]

"two sources that are independent and have no correlations between them"

I TOLD you mot to look. Now thanks to the observer effect,.there IS something they both have in common! Co-relationships are now inevitable unless we can find a recipient that has nothing in common with you - anyone got a spare alien around to read the message?

Why didn't I think of that?

Some genius.

How feasible is independence?

two sources that are independent and have no correlations between them

This requirement seems already a bit far from "low-quality".

Re:How feasible is independence?

[wierd_w]

Not necessarily.

Low quality random means the distribution has biases or predictable patterns over long sequences.

Take eg, noise from a microphone. I has a distribution bias, and a few other problems that make it bad as a random source.

It is however, completely independent from data taken from a camera, which will have its own biases.

The idea here is pretty good- two biased sources that have uncorrelated biases can get you a less biased, more uniform distribution of values, and better entropy per sample.

Another source might be magnetometer data, or accellerometer data. There will be ramdom "jitter" around the data read. The data figure averages out to the reading you use normally. In this case, we dont care what direction you are moving or pointing. We are interested in the jitter, which concentrates around the bias of your heading. Naturally, it clusters around the bias, and is not uniform, making it a low quality source.

The more of these uncorrelated but low quality sources you can leverage, the more uniform and less predictable the sample distribution will be.

To give some context

[danthemanvsqz]

The importance of random numbers in Crypto is that encryption keys must be prime for most if not all of the encryption algorithms to work. It is very hard to generate large prime numbers (e.g. 4000 bits) using an exact methods but it is somewhat easy to calculate the probability that a large number is prime. So what we can do is generate a highly probable prime number by simply generating random numbers and checking to see if they are probably prime. If the random numbers you use to generate keys in this way are predictable then your keys are predictable. Thus the quality of randomness is very important to the quality of the encryption key.

Re:To give some context

[gweihir]

This is not it. In crypto, you need "secrets" that an attacker cannot easily guess. These need to be "unpredictable" for the attacker, they do not need to be "random" or even "unpredictable" for the defender. (They can then, for example, be fed into a prime-number generator, but there are numerous other uses.) For simplicity, "unpredictable" is usually called "random", but that is not strictly true. Most "random" numbers for crypto are generated using CPRNGs (Cryptographic-PSEUDO-Random-Number-Generators). These have the property that they have a state (say 256 bits) that is necessary to predict their output, and that state is kept secret. The actual bits produced are not random at all, but they are unpredictable without that state.

Now, where to get those 256 seeding-bits? The usual way is to put in a lot of bits into the CPRNG and the CPRNG distills out the entropy (for simplicity you can think of "entropy" as "amount of randomness"). If the overall entropy in what was put in is larger than 256 bits, you end up with a well-seeded CPRNG that can then produce gigabytes of unpredictable data completely suitable for crypto use.

Re:Theoretical breakthrough...

Reminds me of the joke, "I'm not going to drink anymore.....(whisper.)...or any less."

As long as Apple gets it and shuffle sucks less

[_Shorty-dammit]

As long as Apple gets it and shuffle stops jumping back to the same area many, many times a day then I'll be happy. That shit gets on my nerves, yo!

Re:As long as Apple gets it and shuffle sucks less

[michelcolman]

You don't want a true random number generator then.

Take 23 random people, and there will be a better than 50% chance that two of them will have the same birthday.

Apple actually had to make its "random" shuffle less random when people complained about hearing the same songs too often. A bit like picking 23 people but making sure they don't have a common birthday. The more random you make it, the more people will complain about it not being random enough.

Maybe your shuffle still has the old, truly random shuffle routine.

Re:As long as Apple gets it and shuffle sucks less

If it was actually a shuffle, it would take the entire list of songs, order them randomly and then play them, start to finish in that exact order. If you reach the end of that ordered list, a new ramdomly ordered list is appended. Between those two lists, you may have the same songs in close proximity. Just picking the next song randomly from all possible songs is a very bad strategy indeed.

Re:As long as Apple gets it and shuffle sucks less

The funny thing is that the problem with Apple's shuffle was... it was too random, so random that it did things people don't think are random (even if they are) like play the same song twice in a row, etc.

Apple's fix to the 'lack of randomness' in shuffle was to... reduce the randomness so that the last few songs are removed from the mix.

Re:As long as Apple gets it and shuffle sucks less

[Bengie]

That's the issue. You can't randomly pick a song, you need to randomly create a collection. The collection may be random, but the song chosen is not. Nuanced difference.

Re:As long as Apple gets it and shuffle sucks less

[_Shorty-dammit]

It *is* a shuffle. With shuffle and repeat turned on you do not hear the same song more than once. And, actually, it doesn't reshuffle when it gets to the end of the shuffled list. It plays the same shuffled order again. You have to toggle shuffle off and back on to get a new shuffle, or you have to manually select a song which also nets a new shuffle.

I usually play the same playlist at work. Currently this playlist has 4,709 songs in it, which is simply every song in my library that I have given at least one star. so I am not getting through that whole list in one shift at work, as that is too many songs to play in one day. But, every single day I start a new shuffle. And every single day it soon becomes apparent that I'm going to hear a lot of because that location in the playlist is going to be the hot zone that it goes back to quite often. At a glance I don't see a quick way in iTunes to show me how many different artists I have in my library, but looking in my media directory it looks like that number is at least 600. To me this seems like too much variety, and too much repeatability since it happens every day, for it to not be a weakness in their algorithm.

It doesn't happen occasionally. It happens every single day. Every single day I wait to find out who the artist of the day is. And if I don't feel like hearing a lot of that artist, I'll reshuffle so the hot zone gets moved to a new spot.

Re:As long as Apple gets it and shuffle sucks less

[_Shorty-dammit]

Shuffle plays the shuffled list from start to finish. Nothing is repeated until the whole list has been played, at which point the same order is repeated. You have to manually toggle shuffle off and back on to get a new order.

Random is relative and subjective

Is it really possible to define the unpredictable?

a better summary

See the blog post by a graduate student at MIT:

https://mittheory.wordpress.com/2015/08/15/purifying-spoiled-randomness-with-spoiled-randomness/

Re:a better summary

[gweihir]

Good summary. This really is _theoretical_ work.

In practice, you just put enough "dirty"/"weak" random bits into a good CPRNG, and that is it. As long as your estimate of the entropy contained is not too high, this works and is secure. The problem people having with random-number generation is that they either select a bad (C)PRNG or they mess up the entropy estimation in seeding, e.g. due to overlooking negative effects from virtualization. Some also re-use initial, stored seeds (e.g. by cloning a VM and not redoing the seeds), and that is really a beginner's mistake. These are all engineering errors because the people doing it do not understand what they are doing.

Re:Theoretical breakthrough...

[superwiz]

They do outline a construction. It's not just an existence proof.

if i understand it correctly

[superwiz]

I think their idea is to skip the bits in 1st source based on the bits in the 2nd source. So, on average, 2n bits from the 1st source and 2n bits from the 2nd source would produce n random bits.

Re:if i understand it correctly

[superwiz]

Having thought about it for a few mins, that can't be what they are saying. It would not produce random sequence from 2 sequences with cycles m and n. It would have a cycle of the length, at most, m*n. I guess that's why they talk about a monotone increasing sequence. So maybe if p_i digits from 1st seq are picked only if i in the 2nd seq is a 1 (and skipped if i in the 2nd seq is a 0)? If p_i is the i'th prime number, this would knock out any cycles (because it randomly picks or drops bit spans which are eventually relatively prime to the cycle in 1st seq). But that would eventually produce cycles within the sequence (once the primes are large enough). And now I don't quite get how the whole thing is possible at all. If you take the concept to an extreme, Then taking 1st sequence to be alternating 0's and 1's (not at all random) and applying a 2nd random source to it should produce a sequence with higher entropy than the 2nd source. Which seems absurd.

it's all noise down here

heck with that. I use brown noise in my SJW random number generator. I tried using black noise, but the numbers kept moving to and 'fro. I used to use pink noise, but it was in an elevator with some XY chromosomes, and next thing I knew, the sequencer was stuck in a loop.

uhm, no

[slew]

The importance of random numbers in Crypto is that many symmetric encryption protocols rely on efficiently generating random numbers (e.g., nonces, symmetric keys).

The quality of the random numbers you use to generate prime keys for RSA are of course important too, but generally generating primes isn't done as frequently (because testing them is relatively slow) so efficiently combining two low-entropy sources isn't as critical because you can combine sources of low-entropy and achieve high quality random number using currently known methods.

Re:uhm, no

[gweihir]

Nonces do not need to be random or unpredictable. A counter produces perfectly acceptable nonces, see, for example, the counter-mode for block ciphers. The defining characteristic of a nonce is that it gets used only once with respect to a given larger context.

Re:uhm, no

Nonces do not have to be random, but they must be unique. By generating them with a CSPRNG, the likelihood of them repeating is very low, even if they are generated at different places in a system. You can use a counter, but then different nodes may end up using the same nonce as each other.

summary

[slew]

One way to think about this is to understand how to get a unbiased number out of a biased coin? A simplistic Von-Neumann extractor.
Basically, flip the coin twice, discard HH/TT and assign HT and TH to 0 and one. This throws away alot of flips (depending on how biased the coin is) but gets you what you want if the flips are independent.

Now imagine instead of a 2x2 matrix, a really large matrix that takes in a sequence of flips that depends on the minimum entropy of the source so that you avoid throwing away flips. How do you fill the elements of this matrix?

You can watch here and learn something...

Re:summary

[superwiz]

If you know which way the coin is biased, you can predict existence (and frequency of occurring) of spans of 0's or 1's just as you would if the coin was unbiased.

Re:summary

[edtice1559]

Yes but those get discarded. That's the whole point. You only take the pairs of HT or TH which cannot be predicted. The more biased a coin is, the more flips you throw away and the slower you acquire entropy. But what you acquire is unbiased.

Re:summary

[TechyImmigrant]

VN is an unbiaser, not an entropy extractor.
It's also fragile.

Re: Theoretical breakthrough...

Let's test it with a string of zeros and a string of ones. Both are some low quality random.

May be relevant for very small embedded systems

[gweihir]

I.e. in situations where you are entropy-starved (so not on regular computers) and getting the, say, 256 bits of entropy to seed a CPRNG is hard to come by. This only applies to really small embedded systems that have no A/D converters or the like. (With an AD converter, just sample some noisy source or even an open input and you get something like > 0.1 bit entropy per sample. Needs careful design though.) Whether such a very small embedded system can the use the math needed here is a different question. In most cases, the right solution is to just sample more noise-source input.

So maybe a "theoretical breakthrough", but likely not very relevant in practice.

Re:May be relevant for very small embedded systems

I work in automotive (in security actually), and we still use very small embedded systems and will continue to do so for years to come (generally, really small embedded systems are used for dead simple applications like a door controller simpler). Good randomness is actually quite difficult even from some medium-sized microcontrollers by our standards. So, maybe this could have practical applications in the growing Internet of Things.

Re:Theoretical breakthrough...

Which is why, contrary to what the GP says, theoretical results are of such high importance. It's easy to miss patterns in apparently random numbers, so such tests are always open to question, but if you can prove certain properties about said stream theoretically then, so long as the implementation is good, that stream is 100% guaranteed to have those properties.

Forgive my ignorance here...

But when is random not random enough? Aren't random number generators sufficiently random for all intents and purposes?

Re:Forgive my ignorance here...

Not if the randomness has a pattern.

COMPUTER SCIENCE!!!

Finally, slashdot, some honest to goodness computer science. Bravo.

Two wrongs makes it right

So basically, the theory is that two bad batches of numbers can generate a good batch of numbers. I call bull.

Note how they don't show any kind of proof ... but claim that it is going to save the world.

Re:Two wrongs makes it right

Think of it as multiplying the entropy....if the entropy is high enough then combining the numbers increases total entropy.

Too many secrets

[ChadSmith4920]

Setec Astronomy

Re: This is just what cryptographers have done for

Which hinges on the quality of the hash function. None of these cryptographic hash functions can be fully proven to work. Their applications seem to be leaps and bounds beyond the best theoretical work, but only by stretching their own weak theoretical guarantees very thin.

So this work is somewhat low-level on what it says it can do, but has much firmer foundations.

Re:Theoretical breakthrough...

[sexconker]

Random number generators are notoriously pointless to test.

You know they're not actually random (I'm with Einstein on this one).
"7,7,7,7,7,7,7,7,7,7,7,7,..." is just as "random" as any other sequence.

People need to shut the fuck up about random numbers because they don't want random numbers.
They want uniformly distributed numbers that don't fit any easily-identifiable pattern.

Mersenne Twister is not cryptographicly secure.

The problem is that it outputs its internal state. Masking the output whilst maintaining its random characteristics is a difficult problem to solve ,not dissimilar to what this paper would need to solve.

Re: This is just what cryptographers have done for

Finally a good explanation from a person who seems to understand the topic. Thank you.

Just prove it ;)

[thesupraman]

Let me know when you can prove that, Nobel have a prize for you ;)
That being the problem with randomness, it is borderline impossible to prove (and if you are unlucky, easier to disprove).

The associated problem in cryptography is trustable randomness ;)
The classic case of that is the RNG embedded in most Intel chips, where Intel refuse to give
specific details, and no one would trust them anyway, so it is not used for anything really secure.
That is not a problem with Intel specifically of course, it is a problem with trusting any 3rd party.

The main issue with a quantum noise based RNG is how do you verify it - just trust the vendor? ;)

Re:Just prove it ;)

random_source1 - meshure clock-drift between 2 clocks in the system.
random_source2 - time between interrupts or similar.
random_source3 - some black-box rng like intel.
random_source4 - use some local data only available on the currently used system, like uptime, network-traffic etc.

For each random_source do sha1().
For all sha1's of random-sources do a sha1 and pick last bit from return-value and feed into a shift-register (256-bit).
Do sha256 of the shift-register and xor return-value with the current shift-register.

For each random byte that is wanted do sha256 of shift-register and feed data into the chosen PRNG (xor on values in the current internal state)

Using untrusted / non-random sources to generate a quite secure random values is fairly easy.. To prove it's true random data that comes out it's much more problematic..

Fortuna?

[TheRaven64]

We used to use Yarrow for this purpose, but it suffered from the problem that you needed to estimate the entropy of your sources. Fortuna was introduced to address this, and allows you to combine entropy sources without estimating the amount of entropy that they contain. What does this add beyond that?

Re:Theoretical breakthrough...

[butzwonker]

"7,7,7,7,7,7,7,7,7,7,7,7,..." is just as "random" as any other sequence.

But you can calculate the exact probability with which this sequence will be produced by a real random number generator, and if this probability is extremely low and nevertheless the sequence occurs, then that's reason enough to reject your pseudo-random number generator.

Re:Theoretical breakthrough...

[TechyImmigrant]

They do outline a construction. It's not just an existence proof.

They do? It didn't seem very explicit at all.
Lots of mathematics though.

Somewhere, this will occur in the wild...

function getLowQualityRandomSource1() { /// determined by fair random die roll
      return 4;
};
function getLowQualityRandomSource2() { /// determined by fair random die roll
        return 6;
};
function getHighQualityRandomSource() { /// uber-random!!!
        return getLowQualityRandomSource1() + getLowQualityRandomSouce2();
};

Re:Theoretical breakthrough...

[q4Fry]

"More" was one of his inputs and "Less" was the other.

Re:Theoretical breakthrough...

[Bengie]

There is a probability of anything happening, the question is if the probability actually matches what's predicted. For any infinitely large set of random numbers is an infinitely large set of the same number being repeated. sexconker is 100% correct once you understand they used an extremely example to prove a point.

Two Bees or Not Two Bees

[Tablizer]

"if you have two low-quality random sources...you can combine them in a way to produce a high-quality random [result]

So if you combine a Trump speech with a Palin speech, you get random Shakespeare?

Re:Two Bees or Not Two Bees

You better hope so, otherwise you'll have to combine Tums with Pepto Bismol after hearing it.

Re:Theoretical breakthrough...

[buchner.johannes]

The probability of "7,7,7,7,7,7,7,7,7,7,7,7" is the same as 1,2,3,4,5,6,7,8,9,0,1,2 or any other 13-int sequence.

You are thinking of placing sequences in categories (k consecutive numbers), for which the probability indeed decreases rapidly with k.
But that requires you to define similar sequences, which is a form of finding patterns.