On Sep 6, 2013, at 10:03 AM, Perry E. Metzger wrote:
> 
> Naively, one could take a picture of the dice and OCR it. However,
> one doesn't actually need to OCR the dice -- simply hashing the
> pixels from the image will have at least as much entropy if the
> position of the dice is recognizable from the image....
> 
> One could write an  app to do this, but of course the phone is
> not exactly a secure platform to begin with...
Ah, but that highlights an essential difference between OCR'ing the image and 
just hashing it:  I can easily check, with my own eyes, that the OCR app is 
really doing what it claims to be doing.  I have no hope of checking the 
hash-based app.  A whole class of attacks is closed off by the OCR technique.

It's not that there aren't other attacks.  The phone could, for example, leak 
the generated values, sending them off to Big Brother.  That kind of attack 
would, if done correctly, be virtually impossible to detect.  On the other 
hand, it's not nearly as valuable as a biased generation attack - Big Brother 
would receive streams of random die tosses with little context about what the 
resulting values would be used for or how they would be used.  Appropriately 
targeted attacks might work - "I know Metzger regenerates his keys on the 3rd 
of every month at about 8:00 AM, so let's use the values he scans at around 
that time as guesses for his base random values" - but we're talking quite a 
bit of difficulty here - and the more people use the app, and the more often 
they make it a habit to toss and scan dice and just discard the results, the 
more difficult it becomes.
                                                        -- Jerry

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

Reply via email to