Slashdot Mirror


Tor To Use Distributed RNG To Generate Truly Random Numbers (softpedia.com)

An anonymous reader quotes a report from Softpedia: Tor developers have been working on the next iteration of the Tor network and its underbelly, the Onion routing protocol, in order to create a stronger, harder-to-crack anonymous communications system. To advance the project, the developer team schedules brainstorming and planning meetings at regular intervals. The most recent of these meetings took place last week, in Montreal, Canada. In this session, the team tested the next generation of the Tor network working on top of a revamped Onion protocol that uses a new algorithm for generating random numbers, never before seen on the Internet. The Tor Project says it created something it calls "a distributed RNG" (random number generator) that uses two or more computers to create random numbers and then blends their outputs together into a new random number. The end result is something that's almost impossible to crack without knowing which computers from a network contributed to the final random number, and which entropy each one used. Last week, two University of Texas academics made a breakthrough in random number generation. The work is theoretical, but could lead to a number of advances in cryptography, scientific polling, and the study of various complex environments such as the climate.

130 comments

  1. pseudo+pseudo=true? by Anonymous Coward · · Score: 0

    Can two pseudo random numbers actually be combined to give a truly random number?

    1. Re:pseudo+pseudo=true? by Anonymous Coward · · Score: 1

      and how can you know that the one generated on a computer that is not your own is not malicious?

      and, no - i have not rtfa yet. gotta go to work.

    2. Re:pseudo+pseudo=true? by campuscodi · · Score: 2

      What if you do pseudo+pseudo+pseudo+pseudo+pseudo+pseudo+pseudo+pseudo+pseudo+pseudo? The specification doesn't say they must be two sources. They said multiple sources.

    3. Re:pseudo+pseudo=true? by Anonymous Coward · · Score: 2, Insightful

      That's essentially what they are doing.

      By mixing deterministic pseudo-random streams you are never going to get a truly random result. What you will get though is much better quality fake random numbers that are harder to predict and the hope is that this will in turn help the whole system be more resilient to attack.

    4. Re:pseudo+pseudo=true? by Anonymous Coward · · Score: 0

      > Can two pseudo random numbers actually be combined to give a truly random number?

      Of course not. But it makes it more difficult for a single entity to control the RNG's output. If the bad boys control N-1 RNGs, mixing an N-th into that foils the scheme.

      (Yah, if they subvert the mixer, you've lost, but as always in this business, you never truly "win", but you've got to keep trying).

    5. Re:pseudo+pseudo=true? by gweihir · · Score: 4, Informative

      No. The title is bullshit. This is about generating very hard to predict pseudo-random numbers, because you have to guess a large, distributed state and distributed seeding values.

      As there is zero need for "true random" numbers in crypto (you only need "not guessable from an attacker"), this is still a significant improvement.

      Side note: Whenever something "mainstream" reports about random number generation, they get it wrong. It seems that non-experts routinely have no clue what is important here and what not. As for crypto, the philosophical question what "random" means is completely immaterial. Crypto just cares whether an attacker can somehow find out the "random" number or not and how difficult it is if it is possible. There is no need for "true" random numbers anywhere in crypto.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:pseudo+pseudo=true? by Anonymous Coward · · Score: 0

      Side note: Whenever something "mainstream" reports about random number generation, they get it wrong.

      Whenever something "mainstream" reports about , they get it wrong.

      This is a more useful general rule.

    7. Re:pseudo+pseudo=true? by Anonymous Coward · · Score: 0

      As there is zero need for "true random" numbers in crypto (you only need "not guessable from an attacker"), this is still a significant improvement.

      It's kind of the opposite of an improvement. Now the localized task of generating a random number for crypto operations will be distributed to unknown peers, almost certain to be chosen by some kind of obscure network architecture that if documented at all outside of code will simply provide an avenue of attack (manipulating network load, other machines on the network, etc) outside of what was previously possible. Tor's RNG has never been a real issue, the fact it bounces packets through peers ensuring that if someone owns enough machines on the network they can see everything has been - this actually exacerbates the only issue Tor has had while resolving nothing.

    8. Re:pseudo+pseudo=true? by jimbolauski · · Score: 1

      If the bad guys control N-1 RNG's how long would it take before they could predict the Nth RNG's output? Is there anyway to protect from this?

      --
      Knowledge = Power
      P= W/t
      t=Money
      Money = Work/Knowledge so the less you know the more you make
    9. Re:pseudo+pseudo=true? by Anonymous Coward · · Score: 1

      It's kind of the opposite of an improvement. Now the localized task of generating a random number for crypto operations will be distributed to unknown peers, almost certain to be chosen by some kind of obscure network architecture that if documented at all outside of code will simply provide an avenue of attack (manipulating network load, other machines on the network, etc) outside of what was previously possible.

      Actually as long as you also generate a random number yourself, and just xor everything together, it still can't be worse than what they're doing now.

    10. Re:pseudo+pseudo=true? by Anonymous Coward · · Score: 0

      With the local machine being the sole source of RNG, there is only one attack surface. The three-letter agency breaks into your house and installs some malware, and presto ... you're busted. With distributed RNG they have to know ahead of time which machines are going to be used for RNG and compromise all of them, including your machine, before they can hope to achieve the same success. Even if they compromise all of the remote machines ahead of time, there's still your machine introducing entropy. I think you'll find that XOR'ing a non-random number with a sufficiently random number still yields a sufficiently random number. Why? Because you can't predict the output of the XOR without knowing the inputs.

    11. Re: pseudo+pseudo=true? by Anonymous Coward · · Score: 0

      If someone breaks into your computer they are not going to compromise your prng, they can just install software that patches out whatever portions of the tor client they don't want to run. This really does nothing but make the code more complex and open more attack surfaces.

    12. Re:pseudo+pseudo=true? by Anonymous Coward · · Score: 1

      Get data from one or more sources + your own local data.. put them thru a sha.

      Add to this that the sources you used may be one or more hops away from you, and all data has been encrypted each hop it made..

      To figure out what random-number you used they would have to:
      1. Figure out from what sources you got the data (or somehow be able to inject the data, how that now would be done since it's the client that decides where to fetch it from)
      2. Figure out what order you merged the data received from multiple hosts.
      3. Figure out what your local PRNG returned

    13. Re:pseudo+pseudo=true? by Anonymous Coward · · Score: 0

      if you put N thru sha256 it would be highly difficult without doing a brute-force attack on the last N. And that makes the assumption that the attacker knows the order the input was merged too.

    14. Re:pseudo+pseudo=true? by Anonymous Coward · · Score: 0

      Actually not... Since it's just extra sources of, potentially bad, data into your local PRNG.. Does not matter if someone can see the code or not... If they are unable to influence *all* sources of data into your local PRNG it gives them nothing, and even then (very low probability) the security would not be worse than just using your local PRNG...

    15. Re:pseudo+pseudo=true? by Anonymous Coward · · Score: 0

      No, but if the two you are combining are chosen at random, it's much, much harder for an attacker to get at the internal state of the PRNG. Combining truly random numbers doesn't give you any more of a random result, but does provide some protection against people using maliciously non-random numbers.

    16. Re:pseudo+pseudo=true? by Anonymous Coward · · Score: 0

      With the local machine being the sole source of RNG, there is only one attack surface. The three-letter agency breaks into your house and installs some malware, and presto ... you're busted.

      If someone has physical access to a machine you actively use you're hosed regardless. This does nothing to resolve that and they don't need to know anything, if they have physical access to the machine they have the machine.

    17. Re:pseudo+pseudo=true? by Anonymous Coward · · Score: 0

      Actually as long as you also generate a random number yourself, and just xor everything together, it still can't be worse than what they're doing now.

      You're comparing adding a point of attack to not adding a point of attack and suggesting adding a point of attack is no less secure. You shouldn't be discussing crypto save for asking questions to learn about it.

    18. Re:pseudo+pseudo=true? by Anonymous Coward · · Score: 2, Insightful

      No, he's right about how RNG mathematics works. A collection of pseudo-randomly generated numbers if merged with the exclusive or operation (XOR) will be no weaker than the strongest single source of pseudo-randomness. On the other hand, it will not be stronger than the strongest single source of pseudo-randomness. The XOR merging is primarily done to make sure that the final number (the one actually used for the later cryptography) is as unpredictable as the least predictable source even when you have no idea which sources are predictable.

      What you're thinking of is in the actual encryption stage, where every additional intentional key significantly decreases the security of the encryption, possibly with the creation of accidentally valid decryption keys as well.

    19. Re:pseudo+pseudo=true? by gweihir · · Score: 2

      That is the idea. Although entropy-pools are much more sophisticated than using simple xor for this.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    20. Re: pseudo+pseudo=true? by Anonymous Coward · · Score: 0

      Are they claiming it is truly random? Combine several pseudo random numbers from a number of sufficiently independent sources selected at pseudorandom, from which at least some are probably not compromised (*), and you'll get a pseudo random number that is much more random and much harder to forge. I haven't done the math but it sounds plausible.

      (*) of course this is the big question with everything TOR. We in the West can only hope the NSA owns less of TOR than the PR China does and that neither controls the whole network. How do we know that?

    21. Re:pseudo+pseudo=true? by gweihir · · Score: 2

      An entropy-source is not a point of attack, as long as it is not relied on exclusively. This is a threshold-thing. Get enough good entropy and you are good, no matter how much "bad" entropy you add as well. Fundamental entropy-pool design principle. You really are clueless as to how this works.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    22. Re:pseudo+pseudo=true? by gweihir · · Score: 2

      Indeed. You go from one point of attack to a group, and _all_ have to be attacked successfully for the scheme to be compromised. As long as even one source delivers good entropy, you are secure with a distributed mechanism.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    23. Re: pseudo+pseudo=true? by Anonymous Coward · · Score: 0

      Hmm, there is this one theory about parallel processing with a multithreaded OS or network and truly random results. The network even adds an analog effect where some devices have a delay based on their (changing) position and contention from other devices on the same node of the network (routers with multiple devices trying to send data at the same time).

    24. Re:pseudo+pseudo=true? by gweihir · · Score: 2

      Exactly. You add points of attack, but _all_ have to be compromised for the attack to succeed. If, for example, you have one of the compromised Intel CPUs with a bad RDRAND generator (not detectable except with in-depth analysis of the physical chip), then even one other system feeding you good entropy makes you secure again.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    25. Re:pseudo+pseudo=true? by gweihir · · Score: 1

      What you're thinking of is in the actual encryption stage

      Possibly. Talk about incompetence coupled with arrogance. Dunning-Kruger at work.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    26. Re:pseudo+pseudo=true? by davidwr · · Score: 2

      Whenever something "mainstream" reports about random number generation, they get it wrong.

      Not always. Okay, technically, yes, but practically, no:

      When I see TV shows that explain the "ping-pong-ball"-type lotteries, where a fan blows a bunch of numbered ping-pong balls around until one "pops out," they do a decent job of stating the obvious: This is about as random as you can get, assuming the ping-pong balls are all equal enough and the air is moving around enough to make any initial conditions (which balls were where before the air started moving) that could be controlled by a human being trying to cheat the system irrelevant.

      Of course, we all know that there are minuscule differences in each ping-pong ball and we all know that, except where quantum effects become noticeable, initial conditions DO matter. But the point is that, like the "butterfly effect," a change in initial conditions that is too small for a human cheater to control can radically alter the outcome.

      The same goes for TV-explanations of "it's obviously random in every practical sense of the word" things like a fair coin flip, a fair draw of a card from a deck of cards that has been shuffled in a good-but-uncontrolled way many times (i.e. not a "pharaoh shuffle" or other "controlled" shuffle), and the like.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    27. Re:pseudo+pseudo=true? by kheldan · · Score: 1

      Can two pseudo random numbers actually be combined to give a truly random number?

      LOL, no.

      I'm no mathematician, but I'm pretty sure there's no such thing as 'true random numbers'. I think the closest we can come is the Quantum Random Bit Generator from some years ago.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    28. Re:pseudo+pseudo=true? by Anonymous Coward · · Score: 0

      Is there anyway to protect from this?

      Is there any way to protect from this?

      FTFY

    29. Re:pseudo+pseudo=true? by Anonymous Coward · · Score: 1

      Nailed it. If you are an expert on 3 topics, and note that the media seems curiously incompetent when reporting on those three topics, but then flip the page to topics you are not as expert about- why would you assume the quality of the reporting got better? I remember reading a bunch of stories about video games back in the day, that got details wrong like crazy. Why would they get international politics correct if they can't even report on a fucking video game properly?

    30. Re:pseudo+pseudo=true? by cfalcon · · Score: 1

      > On the other hand, it will not be stronger than the strongest single source of pseudo-randomness.

      This seems very unintuitive. If I have a stream where every 5th bit is predictably zero, and a stream where every 7th bit is predictably one, then the second stream is the more random of the two. If I xor them together, then every 35th bit is predictably zero, but my resultant stream seems much more random than either of the two originally, right? I could predict 1/7th of the data originally, and now I can only predict 1/35th.
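An added example, not code from either comment above or from Tor, that puts numbers on the XOR argument. It uses the case from this comment (one stream where every 5th bit is known to be 0, one where every 7th bit is known to be 1), counts which bits of the XOR an attacker can still predict, and also mixes a fully attacker-known stream with a partly known one. The attacker model (known period and forced value per stream, all other bits uniform) and the sample streams are constructed for the example.

```python
# Added example: how much of an XOR-mixed bit stream can an attacker still
# predict when each input stream has some predictable bits?  Constructed
# attacker model: for each stream the attacker knows a period p and that
# every p-th bit (positions 0, p, 2p, ...) is forced to a fixed value; the
# remaining bits are uniform and unknown to the attacker.
import secrets


def stream_with_fixed_bits(n_bits, period, fixed_value):
    """Constructed sample stream: uniform bits, except that every position
    that is a multiple of `period` is forced to `fixed_value`."""
    bits = [secrets.randbits(1) for _ in range(n_bits)]
    for i in range(0, n_bits, period):
        bits[i] = fixed_value
    return bits


def xor_streams(*streams):
    """Bitwise XOR of several equal-length bit lists (the mixing step)."""
    out = []
    for column in zip(*streams):
        v = 0
        for b in column:
            v ^= b
        out.append(v)
    return out


def attacker_known_positions(n_bits, periods):
    """Positions where the attacker knows *every* input bit and therefore the
    XOR bit.  For periods 5 and 7 that is every 35th position (their lcm)."""
    known = set(range(n_bits))
    for p in periods:
        known &= set(range(0, n_bits, p))
    return known


def predictable_fraction(n_bits, periods):
    """Fraction of the (mixed) stream the attacker can predict: 1/p for one
    stream, 1/lcm(periods) after independent streams are XORed together."""
    return len(attacker_known_positions(n_bits, periods)) / n_bits


def empirical_check(n_bits, specs, trials=200):
    """specs: list of (period, fixed_value), one per stream.  Mixes the streams
    `trials` times and returns (known_bits_always_correct,
    unknown_bits_take_both_values): the attacker's prediction holds exactly
    at fully-known positions and nowhere else."""
    periods = [p for p, _ in specs]
    expected = 0
    for _, v in specs:
        expected ^= v  # the attacker's prediction at fully-known positions
    known = attacker_known_positions(n_bits, periods)
    seen = [set() for _ in range(n_bits)]
    always_correct = True
    for _ in range(trials):
        mixed = xor_streams(*(stream_with_fixed_bits(n_bits, p, v) for p, v in specs))
        for i, bit in enumerate(mixed):
            seen[i].add(bit)
            if i in known and bit != expected:
                always_correct = False
    both_values = all(seen[i] == {0, 1} for i in range(n_bits) if i not in known)
    return always_correct, both_values


if __name__ == "__main__":
    N = 3500  # a multiple of 35, so the fractions below are exact
    print("stream A (every 5th bit 0):", predictable_fraction(N, [5]))
    print("stream B (every 7th bit 1):", predictable_fraction(N, [7]))
    print("A xor B:", predictable_fraction(N, [5, 7]))
    print("fully attacker-known stream xor A:", predictable_fraction(N, [1, 5]))
    print("empirical (always correct at known bits, undetermined elsewhere):",
          empirical_check(N, [(5, 0), (7, 1)]))
```

The last case (period 1, i.e. a stream the attacker controls outright) shows why the mix is never weaker than its best input: XORing a known stream into A leaves the attacker with exactly the 1/5 of bits it could already predict from A alone.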

    31. Re:pseudo+pseudo=true? by Anonymous Coward · · Score: 0

      By mixing deterministic pseudo-random streams you are never going to get a truly random result.

      Welcome to a deterministic Universe. The best we can hope for is lots of chaos, making it difficult to predict and with uniform distribution.

  2. Time Sync by Anonymous Coward · · Score: 0

    Why doesn't Tor have a network time-sync ability, a la NTP?

    1. Re:Time Sync by Anonymous Coward · · Score: 2, Interesting

      To avoid fingerprinting TOR users. A flurry of NTP sync packets from a single IP address every couple days could light someone up as a TOR user.

      What TAILS does on boot is request a page from one of many popular websites (facebook, google, etc) then use the HTTP response to get the time. Much more discreet.

    2. Re:Time Sync by Anonymous Coward · · Score: 1

      The packets sent over TOR should be encrypted, such that they cannot be ascertained to be of a specific protocol to someone not using TOR. If you are referring within the TOR network, then using UNIX time or UTC (i.e. something without timezone information) should provide no identifying information in addition to TOR masking the external IP address of anyone more than 1 hop away from you.

      It is my understanding that IP addresses within the TOR network are not necessarily chartable to physical location in the way that standard IP's are per the persistent physical locations of any ISP's network(s).

  3. why is this needed? by slashmydots · · Score: 5, Interesting

    Why are people still complaining about random numbers? Over 10 years ago I saw a documentary that showed off a quantum photon splitter PCI card that could go in any computer. The API let you generate random numbers based on splitting photons left or right and it was deemed closer to 50% each side than any other randomizing system ever invented. So...what happened to that? Doing quantum tasks with photons is actually relatively easy so the story was believable. I can't think of a better way in the physical universe to generate random numbers. So besides the problem of requiring volunteers running relays to have one of these custom pieces of hardware, why don't they attempt to use this solution?

    1. Re: why is this needed? by slazzy · · Score: 2

      They won't fit in a laptop.

      --
      Website Just Down For Me? Find out
    2. Re:why is this needed? by jonwil · · Score: 1

      What about people running TOR nodes on computers that can't use one of these cards for whatever reason?

    3. Re:why is this needed? by Anonymous Coward · · Score: 0

      Ask the owner to type random characters until 128 bits of entropy have been collected, and extend those bits into a key stream using a stream cipher or a block cipher. Typing only needs to be performed once. If someone can break this then the cipher is broken which is a bigger problem.

    4. Re:why is this needed? by ledow · · Score: 3, Insightful

      Because paying for cards for every machine in the world, and mandating their use for every transaction from any machine, plus avoiding that device being compromised by a government entity, or turned into a TPM module is difficult enough.

      Seriously, imagine if your bank said, to comply with PCI DSS standards, you had to install this special card in your server.

      1) That's enforced server downtime.
      2) Most servers are virtual nowadays and not actually physical (and thus you can't guarantee that that "PCI card" your computer sees is even a real PCI card)
      3) Are you going to trust a random piece of government- or even bank-mandated hardware in your machine reading the entire memory bus?

      Nobody would touch it, even in the server-arena, let alone "every client in the world".

      There are already lots of "random number generator" hardware devices, everything from white-noise microphones to random instructions inside chips based on quantum noise (now obsolete and nobody really used them, except VIA chips). Nobody touched them. Where it matters, hardware exists to make it happen. Few use it.

      Mandating it to every client or even every SSL-using server? Good luck. It just doesn't provide an advantage. Even those places with SSL accelerators (that just offload SSL transactions kind of like a reverse proxy) don't use them.

      And the fact is that almost every weakness so far is not in the choice of random numbers but in the way those random numbers are handled later on. Except for embedded boards and no-permanent-state devices (which you should realise shouldn't be used for this kind of thing), filling up the entropy pool on any modern, network connected machine is pretty trivial.

    5. Re:why is this needed? by Anonymous Coward · · Score: 0

      The API let you generate random numbers based on splitting photons left or right and it was deemed closer to 50% each side than any other randomizing system ever invented.

      Even distribution is a desired property for some random number generators but for true randomness you don't want a guaranteed even distribution.
      If you have a guaranteed distribution it means that the value of a bit will depend on the value of previous bits and it becomes predictable.
      A true random number generator should be able to generate an infinite sequence of the same value. If it isn't capable of that then it is not truly random.

    6. Re: why is this needed? by Dr_Barnowl · · Score: 3

      You don't need special magic entropy cards, there's entropy all around most computers in the form of white noise - just use randomsound. Solves the problem on most laptops because they have a built in mic.

    7. Re: why is this needed? by Anonymous Coward · · Score: 0

      > They won't fit in a laptop.

      Especially so in the new ultra-thin Apples

    8. Re: why is this needed? by Anonymous Coward · · Score: 0

      I can use this to my advantage, people have extracted encryption keys from processors by "listening" to them... you could feed your laptop white or pink noise and get it to generate numbers with some predictability I imagine.

    9. Re: why is this needed? by Anonymous Coward · · Score: 0

      No.

    10. Re: why is this needed? by Anonymous Coward · · Score: 0

      I'm willing to bet you can't use this to your advantage because you have clearly strung a bunch of domain relevant words together into an incoherent statement. Are you a Markov chain by any chance?

    11. Re: why is this needed? by Anonymous Coward · · Score: 1

      People all learned to type on the same keyboard layouts, so we have very predictable biases when it comes to hitting keys.

      Even if that wasn't the case humans just can not generate true randomness to save their lives. You could randomly remap the layout every time you mash the keys and you'd still produce predictable output.

      These "generate entropy by wiggling" exercises are weak and only used if a proper RNG is otherwise not available.

    12. Re: why is this needed? by Anonymous Coward · · Score: 1

      Are you a Markov chain by any chance?

      No, it's just a poor RNG.

    13. Re:why is this needed? by Anonymous Coward · · Score: 0

      Hardware manufacturers are unreliable and have repeatedly been shown to have put backdoors into their products -- even makers of cryptographic hardware only.

      So no, hardware generation doesn't help, except perhaps if the hardware was open source and somehow easy to verify (unlikely with random number generators).

    14. Re: why is this needed? by Anonymous Coward · · Score: 0

      In a theoretical sense this is true. But out here where the real world happens your perfectly uniform sequence of perfectly random characters will be exploited in a heartbeat.

    15. Re:why is this needed? by Hentes · · Score: 1

      There's no reason to buy a separate card though, most modern cpus have a built-in hardware rng.

    16. Re:why is this needed? by fendragon · · Score: 2

      For some purposes (and I don't know if this applies to Tor's intended use) I've heard that real physical sources of entropy simply don't generate it fast enough, especially after their output bit rate has been reduced by whitening to remove bias and correlation.

    17. Re: why is this needed? by Anonymous Coward · · Score: 1

      Sure there's entropy in the natural environment. Problem is you have no idea how much. What looks random to you might have been carefully crafted by the enemy. Trusting the environment is a really, really bad idea in cryptography.

    18. Re: why is this needed? by Anonymous Coward · · Score: 0

      I heard a rumor that the Facebook app also uses that to determine which ad to show next.

    19. Re: why is this needed? by fendragon · · Score: 1

      The best way to use keyboard input is not just to look at the characters sent but to measure the keystroke timing, preferably in microseconds or shorter, and use only the lower order bits of the time values. It still requires care to make sure there isn't bias in the times when keyboard interrupts are allowed to happen, but it can potentially generate a lot more entropy.

      It's still MUCH slower than background noise from a microphone or thermal noise from a resistor, but at least it uses hardware that's already there.

    20. Re: why is this needed? by Anonymous Coward · · Score: 0

      We are all Markov chains

    21. Re: why is this needed? by zAPPzAPP · · Score: 2

      A keyboard is typically on a serial connection (like USB) nowadays which does not produce real hardware interrupts on a key stroke.
      Timestamps may be created when the OS detects a keystroke, but that is based on how time is scheduled to the serial connection, the timekeeping process and so on.
      It seems likely that there is a certain pattern involved here caused by the OS scheduler that will become visible in time.

    22. Re: why is this needed? by wbr1 · · Score: 2

      Not in a laptop. They are still a matrix direct to the mobo.

      --
      Silence is a state of mime.
    23. Re: why is this needed? by grub · · Score: 2

      I'm sure they will have a new USB-C dongle for that.

      --
      Trolling is a art,
    24. Re: why is this needed? by Anonymous Coward · · Score: 0

      Yes.

    25. Re:why is this needed? by Anonymous Coward · · Score: 1

      Those are black boxes without any information given from the manufacturer of how it does it..

      But sure, those are useful as *one* of the sources of data you feed to the PRNG you run.. The more sources the better... If one source is "corrupt" it does not make the whole PRNG to fail..

    26. Re: why is this needed? by geek · · Score: 4, Insightful

      Entropy is a problem in VM's, especially when they don't have actual devices attached.

    27. Re: why is this needed? by DrXym · · Score: 1

      Or use your fingers. Assuming you're using the PC that needs the entropy then every time you type or move the mouse you're basically stirring the pool. On a Linux PC, you can add sources of entropy to /dev/random, including noise or anything you like. I assume anyone *that* paranoid about randomness certainly wouldn't be asking Tor to provide them with some random numbers.

    28. Re: why is this needed? by Anonymous Coward · · Score: 1

      That's not even theoretically true.

    29. Re:why is this needed? by Anonymous Coward · · Score: 0

      Why are people still complaining about random numbers? Over 10 years ago I saw a documentary that showed off a quantum photon splitter PCI card that could go in any computer. The API let you generate random numbers based on splitting photons left or right and it was deemed closer to 50% each side than any other randomizing system ever invented. So...what happened to that? Doing quantum tasks with photons is actually relatively easy so the story was believable. I can't think of a better way in the physical universe to generate random numbers. So besides the problem of requiring volunteers running relays to have one of these custom pieces of hardware, why don't they attempt to use this solution?

      There was an attempt to generate random numbers by measuring memory state between clock cycles. Not sure how that went.

    30. Re: why is this needed? by Anonymous Coward · · Score: 0

      MOD PARENT UP

    31. Re:why is this needed? by Hentes · · Score: 1

      When your processor is compromised, everything is compromised. If you believe your cpu is malicious, the rng is the least of your worries. Guess what, your "secure" prng also runs on the cpu.

    32. Re:why is this needed? by gweihir · · Score: 1

      These things are unworkable in practice. Too expensive, too unreliable and nobody wants to pay for them. OS support is typically lacking as well.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    33. Re: why is this needed? by kheldan · · Score: 1

      Any method of producing 'random' numbers or bits that can be subjected to any sort of attack to influence or control its output has to be excluded from the list of 'valid' sources. Guarantee you that anything using a microphone as input can be manipulated to produce a predictable output. Do you really want your banking transactions' encryption keys protected by such a source? I think not.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    34. Re: why is this needed? by Anonymous Coward · · Score: 0

      Or perhaps I do this for a living.... I read extensively on things like this and I would NEVER, EVER use a microphone to generate entropy. You are asking for someone to manipulate the source of the entropy to create somewhat predictable results. At minimum I will be able to restrict the pool of possible seeds to something more easily cracked even if I can't force a specific seed. But I have no interest in discussing encryption or security with people who want to play at it.

    35. Re: why is this needed? by Anonymous Coward · · Score: 0

      You are incorrect... If you use multiple sources, where each of them could be influenced, it just means that to break the prng you would have to be able to influence them all... Adding one "bad" source of random to a mix does not make them all bad... Even a bad source of random can be useful since it adds to the complexity of possible positions all sources can be in..

    36. Re: why is this needed? by Anonymous Coward · · Score: 0

      Of course but if you factor in that the remote system does not have access to the code running in your country and any attacker only knows the algo of the RNG in the cpu it makes life a lot harder to break... If the RNG in the Intel cpus is bad and is the only source to generate private keys for certificates then those certificates are "easy" to break... If you mix in multiple sources for the prng then it becomes complex again for any attacker... If the Intel cpu would modify results from the sw prng it would be easy to detect by running the same code on multiple machines...

    37. Re:why is this needed? by lachlan76 · · Score: 1

      Note: I am not associated with the Tor project, just an interested observer. I happen to be implementing a similar protocol for something else.

      Because it needs to be resistant to compromised nodes. The reason for this is that hidden service connection details (though not the server IP obviously, since all of this happens through Tor channels) are stored in directory servers which are randomly assigned each day. The choices of directory server are derived from a pseudo-random string [1]

      descriptor-id = SHA1(permanent-id | SHA1(time-period | descriptor-cookie | replica))

      by taking hashes of the directory identity details and sorting, and then picking those that come after descriptor-id in the list.

      The problem is that a malicious would-be directory can modify its own configuration so that its hash changes in order to gain responsibility for an arbitrary hidden service at some point in the future, since the descriptor-id values are predictable. This doesn't give them complete control, but they could perform DoS and traffic counting.

      What was proposed last year, then, was to add a random element to the data being hashed so that it could not be predictable [2]. In order to prevent there being a single point of failure (both from a reliability and security point of view), it was proposed to use a distributed random number generator. The way that this works is that while the master directory servers agree on the list of relays, they also generate a random value and use a bit-commitment protocol [3] to commit to it before the final value is generated in order that the last server to vote can't just keep generating random values until it finds one that gives it control of a given service.

      The way that this happens, then, is that during the first half of the day the directories will include committed values with their votes on the network status. During this time everyone should get a copy of the committed value, which is generated by hashing a random string [2]. Then, during the second half of the day, they reveal their chosen random values. The others can then hash the received value and compare it with what they were given before in order to make sure that they have not changed their random value in response to the other random values.

      At the end of all this the revealed values get hashed together in a particular order and the resulting value is published and put into the descriptor-id by server operators and clients. You can't use one of those idQuantique etc. cards and call it a day because there's nothing to stop a compromised server from emitting random values that are favourable to an attacker, whereas this approach will still be unpredictable so long as at least one of the master directory servers is honest and takes part.

      [1] Tor Rendezvous Specification
      [2] Tor Proposal 250: Random Number Generation During Tor Voting
      [3] Commitment scheme

    38. Re:why is this needed? by Anonymous Coward · · Score: 0

      Here's a nice USB one with lots of interesting information http://www.bitbabbler.org/

    39. Re: why is this needed? by Anonymous Coward · · Score: 0

      The scheduling is done in millisecond resolutions, which is low for interrupts but high for human time scales. Timing and ordering of the keys pressed are both part of the entropy.

    40. Re:why is this needed? by Anonymous Coward · · Score: 0

      A fully compromised CPU is a bad thing and difficult to do. A partially compromised CPU that gets signaled to output known RNG values is much easier.

  4. Current Opportunity by andrewbaldwin · · Score: 4, Funny

    Just use the daily finance / economic forecasts and predictions of the impacts on personal budgets, jobs, immigration.... that are being spouted by both sides of the current BREXIT** debate.

    This can be generalised to any politician's promises but the current round are particularly egregious.

    ** Referendum for UK to leave/remain in the EU

    1. Re:Current Opportunity by Anonymous Coward · · Score: 0

      Well, it is hard to automate that.
      Picking stock price fluctuation is probably better. If anyone finds a pattern they can exploit then they will have a much more lucrative target than you.

  5. White Noise by Dr_Barnowl · · Score: 3, Interesting

    I ran into entropy problems when signing a lot of JAR files in a build process - turns out modern computers with their large RAM that caches disk etc don't generate as much entropy as they used to.

    The solution I used was the randomsound daemon, which samples white noise from your mic to inject into your entropy pool.

    Why not just use that? There's a crapload of white noise in most server rooms, even near most consumer PCs (just tape a mic next to one of the cooling vents). Actual genuine entropy rather than this card-shuffled pseudo entropy - making things complex just obscures things further, it doesn't really create randomness.

    1. Re:White Noise by Viol8 · · Score: 1

      I suppose one argument against is that any white noise from a device not designed to generate pure white noise could be baised in some way and while this wouldn't make it predictable it could narrow its range of truly random values.

      However I agree that it's still better than the pseudo random stuff we use now. It's not like an analogue white noise generator would be hard to build and include in a CPU which could then be A->D'd by the chip and an instantaneous value made available via a register.

    2. Re:White Noise by Anonymous Coward · · Score: 0

      True random number generation is actually very easy... it's just expensive. All you need is two very, very precisely matched resistors. Natural fluctuations in heat entropy will cause their resistance to slightly vary. That differential is your randomness, it's just expensive to match resistors so precisely as well as the circuit to measure such tiny fluctuations.

    3. Re: White Noise by Anonymous Coward · · Score: 0

      Wouldn't the differential be predictable if the component tolerances were known? It wouldn't be hard to establish a standard deviation and these resistors would presumably be packaged together as one unit so environmental differences could be ruled out.

    4. Re:White Noise by Anonymous Coward · · Score: 0

      You can generalize all of the above approaches: look at noise from analog data.

    5. Re:White Noise by Anonymous Coward · · Score: 0

      That's a rather convoluted way of capturing Johnson noise...

    6. Re:White Noise by Archangel+Michael · · Score: 1

      I would think that in a modern world, that sound is one of the most predictable sets one can choose from. Our world is filled with white noise that is actually cyclic in nature, which produces random noise, but with very little variation, which makes the sample set much smaller than you would think. This is why sound engineers can filter ambient sounds from audio to isolate the actual sounds they want to hear.

      My guess, is that the best way to generate truly random numbers is to combine several sources together, from a larger pool of available sources, in such a manner that it makes it almost impossible to guess. This is the approach being used here (from my understanding).

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    7. Re: White Noise by Anonymous Coward · · Score: 0

      >could be baised
      Or bayesed

    8. Re:White Noise by gweihir · · Score: 1

      And then you have a machine with a digital input that is actually fed digital music. And, oops, you are screwed. The problem here is that for one user that knows what he is doing, this is fine. As a general solution, this falls flat on its face. The actual solution would be something like the Intel RDRAND instruction, but unfortunately that is a compromised design that you cannot trust. ("Compromised Design" means they can swap out the actual secure implementation for a compromised one and the design prevents detection of this attack.)

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    9. Re:White Noise by CAIMLAS · · Score: 1

      Virtualized platforms also have a hard time with entropy, as their hardware is emulated.

      There are several daemons you can use, eg. haveged or randomsound, or entropyd. You can also use network broadcast traffic to seed entropy (can't recall how at the moment), and various other sources. What's needed, I think, is a means to source all of these to generate entropy so this becomes less of a problem.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    10. Re:White Noise by Agripa · · Score: 1

      I do not know why they would have to be precisely matched but semiconductor junctions have more excess noise and less stringent requirements for amplification and measuring the differential noise while rejecting external common mode influences applies just as well to them. With a resistance based noise source, you have to be careful that you are not actually measuring the voltage or current noise of the amplifier and if you are going to do that, then you do not need the resistance based source.

  6. Truly Random? by Anonymous Coward · · Score: 0

    So distributing the PRNG among a number of trusted contributors and then mixing the results might improve the entropy, and arguably increases the amount of trust you can have in the randomness of the results, but it doesn't mean that it is non-deterministic and "truly" random.

    Is it a fairly decent improvement over the way TOR currently generates random numbers? Sure! Is it a smart idea? Absolutely! Is it actually random? Hell no!

  7. bullshit crowdsourcing is bullshit by Anonymous Coward · · Score: 0

    Right. Because Tor users are so trustworthy I'm going to trust a network of assholes not to give me shit entropy sources.

    1. Re: bullshit crowdsourcing is bullshit by Anonymous Coward · · Score: 0

      Multiple, unrelated, sources of "shit" data is still adding to the entropy... Remember it will never be weaker than your local prng and it would require an attacker to have control over ALL sources you get entropy from... Including your local prng.

  8. nope by Anonymous Coward · · Score: 0

    nsa will just develop fake tor nodes that spike the rng to cripple it... it'll be worse

  9. I can just see by maroberts · · Score: 1

    Someone putting a number of RNG systems onto TOR so they control providing the "random" number.

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

    1. Re:I can just see by Anonymous Coward · · Score: 0

      the system can already be gamed by certain entities with near limitless black budgets; simply buy enough nodes to have the desired probability at controlling every node of a route. some fear that this has already taken place, despite the (rather weak, tbh) attempts at preventing 'ownership' of the network.

      and this is not really any different than bitcoin, which is similarly a peer-distributed 'product'. if you control enough miners (or conspire with others to do so), you can set transaction fees by declining those that don't pay enough; greatly increasing everyone's transaction time (extending the time it takes to find someone willing to accept your transaction into the chain) unless the parties involved agree to pay your desired rate for 'faster service'.

  10. New != good by Anonymous Coward · · Score: 0

    "...that uses a new algorithm for generating random numbers, never before seen on the Internet."

    That should start ringing alarm bells right there.

    Are they certain that using a local RNG is a source of vulnerability? Has /dev/random suddenly become predictable? What evidence do they have for this assertion?

    Are they not just swapping a lock that's been secure for decades for a brand shiny new one of unknown strength because it's new and has a cool paper and they fancied coding something hip and fresh?

  11. It is additional hardware by aepervius · · Score: 1

    That alone warrants that it will never be a consumer product, unless provided ad-hoc on main boards. Remember Tor is used by normal average consumers (with respect to using such specialized hardware).

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
  12. They say "never done before" like that's good... by Anonymous Coward · · Score: 2, Insightful

    In the world of crypto, I'd much rather be using something that's been around long enough to be thoroughly analysed. Every so often someone pops up with something new and exciting and different, then six months later gets shot down by the experts who describe exactly how to break it.

    Telling us "even the authors can't predict what will come out of it" doesn't raise my confidence, either. I'd be a lot happier with a statement like "rigorous analysis shows that the random numbers generated will be uniformly distributed", or something like that.

    Real crypto work is hard, and random number generation is part of the hard.

  13. Get off my Lawn by Apostalypse · · Score: 1

    What happened to "Randomize timer"?

    1. Re:Get off my Lawn by Anonymous Coward · · Score: 0

      BASIC script kiddies. They got upset that it didn't actually randomize the timer.

    2. Re:Get off my Lawn by Anonymous Coward · · Score: 0

      You still can, but it's a terrible way to securely generate random numbers.

  14. Central Limit Theorem issue? by Anonymous Coward · · Score: 0

    If they compound all these together, aren't they going to push the useful range of the randomized number into a small subpopulation centered on the mean via CLT?

    1. Re:Central Limit Theorem issue? by Anonymous Coward · · Score: 0

      If they compound x,y in U(0,1) as (x+y)/2 then yes.
      If they compound them as x+y - floor(x+y), then no.

  15. I prefer accelerometer based RNG by rebelwarlock · · Score: 3, Funny

    "Shake laptop to generate private key."

    1. Re:I prefer accelerometer based RNG by Anonymous Coward · · Score: 0

      Not terribly random without some whitening going on, humans only have so many degrees of freedom when they are shaking something with both hands.

    2. Re:I prefer accelerometer based RNG by Anonymous Coward · · Score: 0

      humans only have so many degrees of freedom when they are shaking something

      [citation needed]

  16. Re:They say "never done before" like that's good.. by Anonymous Coward · · Score: 0

    Now, you can sabotage the randomness of the underlying crypto by breaking random number generation on any one of two computers. Alternatively, you can MITM attack one of the computers random number generation which was previously impossible because of thoroughly on-board RNG algorithms.

    In a few years, most computers will have an RDRAND. It is not clear how good AMD is with this instruction and there are rumors about Intel having backdoors into the internals of RDRAND in some manner. There are some people who do not believe this is a good source for random numbers for other reasons, but you can always include that and possibly post-processing for your pseudo-random number algorithm.

  17. Distributed RNG? by U2xhc2hkb3QgU3Vja3M · · Score: 1

    What the hell is a distributed ranger?

    Sent from FF XI.

    1. Re:Distributed RNG? by Diss+Champ · · Score: 1

      A distributed ranger is one what was left sitting on a railroad crossing until a freight train arrived.

  18. Too easy, the key is always by Anonymous Coward · · Score: 0

    42

  19. The generation of random numbers... by ameline · · Score: 2

    The generation of random numbers is too important to be left to chance.

    --
    Ian Ameline
  20. comedic - my TRNG idea! by Anonymous Coward · · Score: 0

    I had the idea to create a transparent pressure sensitive skin and cover the windshield of my car with it. An onboard computer reads the impact of each insect - the hash of the x/y and pressure of the hit is then hashed and the result is used as the next seed value for a mersenne twister based rng.

  21. I sorta did this in the 1980s by Solandri · · Score: 1

    My parents had gotten the conference calling feature with our new phone service, and my friends and I decided to try a pen and paper RPG session over the phone, instead of having to meet up at one person's house. We ran into an obstacle with the dice rolls. The players wanted to make their own dice rolls - they felt that their characters' fate should be in their hands and thus they should be the ones to roll the dice. I was GM and worried that players would cheat on the dice rolls if I couldn't see the dice.

    At first I tried having them making a bunch of pre-rolls. I would write down the results, and could go down the list every time a roll was needed. They complained this wasn't interactive enough. Apparently part of the thrill of the game for them was knowing they needed to make a good roll when their character was in a bad situation. The pre-rolls destroyed that aspect of the game for them - no more tension as to whether or not the dice would save them.

    After some more thought, I had them roll a die and tell me the result. Then I flipped a coin. Heads, their die roll stood. Tails I used 7 minus their die roll (we were playing Traveller, which only used d6), which inverted the result of their roll. They got the satisfaction of controlling their own fate by rolling their own dice, and I was satisfied there was no cheating going on.

    1. Re:I sorta did this in the 1980s by JesseMcDonald · · Score: 1

      ... I had them roll a die and tell me the result. Then I flipped a coin. Heads, their die roll stood. Tails I used 7 minus their die roll (we were playing Traveller, which only used d6), which inverted the result of their roll. They got the satisfaction of controlling their own fate by rolling their own dice, and I was satisfied there was no cheating going on.

      While this solved the immediate problem of being able to trust the players, it fails to provide any guarantee to the players that you aren't cheating when it comes to the coin-flip. You know their dice roll before you report the coin result, so you could easily manipulate the outcome (to an extent; you can only choose between N and 7-N).

      I'm not quite sure how to reduce this to something you could easily do by hand, but there is a way around this issue when computers are involved. Instead of a dice roll, generate a large random number. The other party does the same. The two of you exchange hashes of your random values—at this point neither of you know what the other chose, and you can't change your own value later because the hash would be different. Now you can exchange the actual random values (validating the hashes) and XOR them together. The final dice roll is the XOR result modulo the number of sides.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
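lachlan76's account of the Tor directory authorities committing to a hashed random value and revealing it later (comment 37 above) and JesseMcDonald's hash-then-XOR dice roll are the same commit-and-reveal protocol at two scales. The Python below is an added illustration and is not code from this thread or from the Tor project. SHA-256 as the commitment hash, 32-byte per-party values, a sorted-by-name combining order and the policy of dropping any party whose reveal is missing or does not match are all assumptions of this example rather than anything the proposal specifies.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple

# Added example (not Tor's code): commit-then-reveal shared randomness.
# Assumptions of this example: SHA-256 as the commitment hash, 32-byte
# per-party values, a sorted-by-name combining order, and the policy of
# dropping any party whose reveal is missing or does not match.


def commit(value: bytes) -> bytes:
    """Commit phase: publish H(value) before anyone else's value is known."""
    return hashlib.sha256(value).digest()


def verify_reveal(commitment: bytes, revealed: bytes) -> bool:
    """Reveal phase: the revealed value must hash back to the earlier commitment."""
    return secrets.compare_digest(hashlib.sha256(revealed).digest(), commitment)


def combine(reveals: Dict[str, bytes]) -> bytes:
    """Hash all accepted reveals in a fixed order (sorted by party name), so every
    honest party derives the same value regardless of the order reveals arrived."""
    h = hashlib.sha256()
    for name in sorted(reveals):
        h.update(name.encode("utf-8"))
        h.update(reveals[name])
    return h.digest()


def run_round(commitments: Dict[str, bytes],
              reveals: Dict[str, bytes]) -> Tuple[bytes, List[str]]:
    """One round: accept reveals that match their commitment, reject the rest.

    Returns (shared_value, rejected_party_names). A party that commits and then
    withholds its reveal is rejected too. Note that withholding still leaves it
    a binary choice (reveal or not), so a deployed protocol needs its own rule
    for missing reveals; that rule is outside what this example shows.
    """
    accepted: Dict[str, bytes] = {}
    rejected: List[str] = []
    for name, c in commitments.items():
        r = reveals.get(name)
        if r is not None and verify_reveal(c, r):
            accepted[name] = r
        else:
            rejected.append(name)
    return combine(accepted), rejected


def dice_roll(shared: bytes, sides: int = 6) -> int:
    """Map the shared 256-bit value onto a die. The modulo bias is on the order
    of sides / 2**256, far too small to matter."""
    return int.from_bytes(shared, "big") % sides + 1


def demo() -> bool:
    """Constructed scenario: two honest parties and one that substitutes its
    value after seeing the others' reveals."""
    honest = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    mallory_value = secrets.token_bytes(32)

    # Phase 1: everyone publishes a commitment.
    commitments = {name: commit(v) for name, v in honest.items()}
    commitments["mallory"] = commit(mallory_value)

    # Phase 2: reveals. Mallory, having seen alice's and bob's values, tries a
    # different value that would steer the result; her commitment gives her away.
    reveals = dict(honest)
    reveals["mallory"] = secrets.token_bytes(32)

    shared, rejected = run_round(commitments, reveals)
    # The output is fixed by the honest reveals alone, and the cheat is visible.
    return rejected == ["mallory"] and shared == combine(honest)


if __name__ == "__main__":
    print("demo ok:", demo())
```

The property the thread cares about falls out of the two phases: once a commitment is published, the only value that will pass `verify_reveal` is the one already chosen, so the last party to reveal cannot grind for a favourable result, and as long as one honest party's value is unknown to the others at commit time the combined hash is unpredictable to them. What the code does not solve is the withholding problem mentioned in `run_round`'s docstring, which is a protocol-level policy decision rather than a cryptographic one.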
    2. Re:I sorta did this in the 1980s by Anonymous Coward · · Score: 0

      > After some more thought, I had them roll a die and tell me the result. Then I flipped a coin. Heads, their die roll stood. Tails I used 7 minus their die roll (we were playing Traveller, which only used d6), which inverted the result of their roll.

      That wouldn't reduce all cheating; it only reduces cheating of claimed extreme values.

      E.g. if someone needs 3 or more to succeed, they just tell you they rolled a 3. Then you randomly keep the 3 or use 7-3=4, automatically succeeding either way regardless your coin flip, even though if played fairly, they should fail 1/3 of the time.

      It would have been better if you had rolled a d6 and added it to their claimed roll, then subtract 6 from the result if it exceeds 7.

    3. Re:I sorta did this in the 1980s by Agripa · · Score: 1

      Cryptography can be used to generate shared random numbers for multiple parties.

      https://en.wikipedia.org/wiki/...

    4. Re:I sorta did this in the 1980s by Khashishi · · Score: 1

      GM = God. It doesn't matter if God cheats.

    5. Re:I sorta did this in the 1980s by JesseMcDonald · · Score: 1

      GM = God. It doesn't matter if God cheats.

      Then why bother with the players' input at all? Just have the GM choose the result. While the GM may be the ultimate authority, the players clearly do care about the GM's ability to influence the result, or they would just let the GM roll the dice for them.

      Anyway, the principle is applicable to situations other than role-playing games where it is important that neither side has the ability to cheat. For example, online blockchain-based lottery systems like SatoshiDice are based on a similar principle, with one random number coming from the hash of a future block on the blockchain (and thus potentially influenced by miners) and the other locked in ahead of time by the operator.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  22. THERE IS NO SUCH THING AS RANDOM by axewolf · · Score: 1

    And you should care why

    the philosophical question what "random" means is completely immaterial

    Yes, just like ALL philosophical questions, isn't that right?
    We just need to get our job done and then EVERYTHING is just fine! We don't have to worry about anything else, ever. Curiosity killed the cat. Blinders on, job done, life good. This is how our ancestors went from common apes to homo sapiens. And anyway, what makes it doesn't keep it!

    Or you could not be fucking retarded.
    It may be tempting to go with the flow, but the tradeoff is the loss of your humanity: that which made us human, that which makes us human: true curiosity, imagination, and critical thought.

    The truest definition of "random" is "originating from dimensions beyond comprehension", but the common feeling of what "random" means is covered in several layers of ignorance over this. The problem with that is that the ability of people to comprehend generally varies wildly and this ability is always being improved secretly. So it's really a useless idea, and as with all useless things that get used, it is very detrimental.

    Everything comes from something else.
    This idea is absolutely the central pillar of THE MEANING OF LIFE: uncovering the particular dimensions that give existence to the things that please your senses and consciousness and understanding them and then in turn uncovering the particular dimensions comprising those and so on. This is the origin of true power. Everything that everyone has ever done is an attempt to follow this principle.
    Unfortunately when most people are unable, after thorough investigation, to justify particular aspects of themselves in terms of finer dimensions they rarely draw the conclusion that that aspect of themselves is false and detrimental. This is because their emotion overwhelms their reason. This phenomenon is caused by the lack of resources which make a human most human: generally; freedom. This is the origin of the lesser kind of power that dominates our lives today.

    I mean who can really disagree with this? It's the truth that rams you in the face every day, but how often do you take it by the horns?

  23. Hardware RNG is like 50 bucks by cfalcon · · Score: 1

    Hardware RNGs are like 50 bucks. Wikipedia even has a compare page, and you can go higher if you need to. It is unusual to need a shockingly large amount of random bits to begin with, after all.

    https://en.wikipedia.org/wiki/...

    So this TOR thing is nice, especially because computers baseline can generate pseudorandom numbers pretty darned quickly, and merging them is better than not merging them. But if you, personally, care, using a hardware RNG and having it seed and combine with your PRNG (such as Linux will do) seems like it is ideal.

    1. Re:Hardware RNG is like 50 bucks by Anonymous Coward · · Score: 0

      Can someone PLEASE tell me why this hasn't been an executable instruction in all our computers since the dark ages?
      I don't get it: Intel spends trillions keeping the noise out of the chip and they can't just let a little back in when we want it?

    2. Re:Hardware RNG is like 50 bucks by Anonymous Coward · · Score: 0

      It exists, but no one trusts it. No one is going to use an RNG source unless they can prove its trust. Yet another feature going unused in your CPU.

  24. From TFA by krkhan · · Score: 1

    Not even Tor devs can predict the output of the new distributed RNG

    No shit Sherlock. No devs of any RNG should be able to predict the output when it's deployed. And Tor devs are not a team of Avengers.

  25. Re:They say "never done before" like that's good.. by Anonymous Coward · · Score: 0

    Yes, real crypto is hard, but do you understand why one time pads are proven to be unbeatable, when used correctly? It is because correctly combining a source that can't be distinguished from random with a completely nonrandom message produces something that can't be distinguished from random either. With binary data a simple bitwise XOR already has this effect. If any of the sources has a bit the attacker can't predict in a certain position the resulting XOR'ed bit in that position can't be predicted by the attacker either. That is why the result of combining several sources of random data is at least as reliable as the best source. It does not degrade to the weakest source, it does the opposite.
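Both the XOR argument in comment 25 and the Central Limit Theorem question in comment 14 can be settled with exact arithmetic instead of intuition. The Python below is an added example, not code from this thread or from the Tor project: it computes the exact probability that an XOR of independent biased bits comes out 1, and the exact output histograms of the (x+y)/2 and (x+y) mod n combiners for uniform x and y. Passing `Fraction` values gives exact results; floats also work.

```python
import math
from fractions import Fraction
from itertools import product
from typing import Callable, Dict, Sequence

# Added example (not from the thread or Tor): exact arithmetic, no simulation,
# for two claims made in this discussion: that XOR-mixing independent sources
# is at least as good as the best source, and that the choice of combining
# function decides whether the output of two uniform values stays uniform.


def xor_p1(p_a, p_b):
    """P(a XOR b = 1) for independent bits with P(a = 1) = p_a, P(b = 1) = p_b."""
    return p_a * (1 - p_b) + p_b * (1 - p_a)


def xor_chain_p1(ps: Sequence) -> Fraction:
    """P(result = 1) for the XOR of many independent sources."""
    acc = Fraction(0)          # a constant-0 bit is the XOR identity
    for p in ps:
        acc = xor_p1(acc, p)
    return acc


def bias(p1):
    """|P(1) - 1/2|: 0 is a fair bit, 1/2 is a fully predictable one."""
    return abs(p1 - Fraction(1, 2))


def combined_histogram(n: int, combiner: Callable[[int, int], int]) -> Dict[int, int]:
    """Exact histogram of combiner(x, y) over all n*n pairs of x, y uniform on 0..n-1."""
    hist: Dict[int, int] = {}
    for x, y in product(range(n), repeat=2):
        v = combiner(x, y)
        hist[v] = hist.get(v, 0) + 1
    return hist


def entropy_bits(hist: Dict[int, int]) -> float:
    """Shannon entropy of a histogram; log2(n) means uniform over n outcomes."""
    total = sum(hist.values())
    return -sum((c / total) * math.log2(c / total) for c in hist.values() if c)


def average_histogram(n: int) -> Dict[int, int]:
    """The (x + y) / 2 combiner from the CLT question: outputs pile up around the
    middle, so an attacker's search space shrinks."""
    return combined_histogram(n, lambda x, y: (x + y) // 2)


def modular_histogram(n: int) -> Dict[int, int]:
    """The (x + y) mod n combiner: every output is hit exactly n times."""
    return combined_histogram(n, lambda x, y: (x + y) % n)


if __name__ == "__main__":
    fair, skewed, stuck = Fraction(1, 2), Fraction(9, 10), Fraction(1)
    # One fair source makes the XOR fair, whatever the other source does.
    print("fair XOR skewed:", xor_p1(fair, skewed))                  # 1/2
    # A constant (say attacker-controlled) source leaves the other's bias intact.
    print("stuck XOR skewed bias:", bias(xor_p1(stuck, skewed)))     # 2/5, same as skewed alone
    # Several weak sources together: bias shrinks as 2**(k-1) * prod(bias_i).
    print("5 skewed sources bias:", bias(xor_chain_p1([skewed] * 5)))  # 512/3125
    print("avg entropy:", entropy_bits(average_histogram(6)), "bits")
    print("mod entropy:", entropy_bits(modular_histogram(6)), "bits")  # log2(6)
```

The `xor_p1` rows give the argument from comment 25 in numbers: a single unpredictable source forces the XOR to 1/2, and a source an attacker fully controls contributes nothing but also costs nothing. The two histograms answer comment 14: averaging six-sided values produces a triangular distribution (the middle value appears 11 times out of 36, the top value once) while modular addition stays flat, which is why combiners are built from XOR or modular arithmetic and not from means.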

  26. seems unnecessary by Khashishi · · Score: 1

    People keep talking about getting the "perfect" random number. Since when is the random number the weakest link in security?
    Just throw some mouse, keyboard, microphone input into your pseudorandom number generator, and it's impractical to break.

  27. government assistance by peawormsworth · · Score: 1

    I believe that every town should have their own entropy source. It should probably be an offline source. Where the citizens can come and obtain large amounts of entropy onto say a DVD or USB stick. This source should be protected by armed authorities. Our leaders and lawmakers should be working to empower individuals with high security and best practices to ensure individual privacy. This is the type of government I want.