[Cryptography] Aside on random numbers (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-06 Thread Perry E. Metzger
On Fri, 6 Sep 2013 01:04:31 -0400 John Kelsey crypto@gmail.com
wrote:
  I'm starting to think that I'd probably rather type in the
  results of a few dozen die rolls every month in to my critical
  servers and let AES or something similar in counter mode do the
  rest.
  
  A d20 has a bit more than 4 bits of entropy. I can get 256 bits
  with 64 die rolls, or, if I have eight dice, 16 rolls of the
  group. If I mistype when entering the info, no harm is caused.
  The generator can be easily tested for correct behavior if it is
  simply a block cipher.
 
 If you're trying to solve the problem of not trusting your entropy
 source, this is reasonable, but it doesn't exactly scale to normal
 users.

No, clearly not, but it works fine for a key generation ceremony for
a valuable key or the like. It might also be fine in other limited
contexts.

That said, I came up with a fine way to automate this in the shower,
which I'm documenting here in case it inspires someone.

Naively, one could take a picture of the dice and OCR it. However,
one doesn't actually need to OCR the dice -- simply hashing the
pixels from the image will have at least as much entropy if the
position of the dice is recognizable from the image. (You have to
assume your hash function is reasonable but the rest of your
infrastructure needs to assume that anyway in all likelihood.) So,
simply take pictures of each of N rolls of multiple dice and hash
them all together.

One could write an  app to do this, but of course the phone is
not exactly a secure platform to begin with...

Perry
-- 
Perry E. Metzger		pe...@piermont.com
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
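
Added example, not part of any message in this thread: a sketch of the scheme quoted above, where hand-entered d20 results seed a deterministic counter-mode generator that can be re-run and compared on a second machine. Assumptions: HMAC-SHA256 over a counter stands in for AES in counter mode (Python's standard library has no AES), the names `seed_from_rolls` and `CounterGenerator` are hypothetical, and the sample rolls are constructed.

```python
import hashlib
import hmac
import math

BITS_PER_D20 = math.log2(20)  # about 4.32 bits per fair roll

def seed_from_rolls(rolls, min_bits=256):
    """Check hand-entered d20 results and condense them into a 32-byte seed."""
    for r in rolls:
        if type(r) is not int or not 1 <= r <= 20:
            raise ValueError(f"not a d20 face: {r!r}")
    estimate = len(rolls) * BITS_PER_D20
    if estimate < min_bits:
        raise ValueError(f"only {estimate:.0f} bits entered, need {min_bits}")
    # One byte per roll keeps the encoding unambiguous and order-sensitive.
    return hashlib.sha256(b"d20-seed-v1:" + bytes(rolls)).digest()

class CounterGenerator:
    """Block i is HMAC-SHA256(seed, i): an assumed stand-in for AES-CTR."""

    def __init__(self, seed):
        self._seed = seed
        self._counter = 0
        self._buf = bytearray()

    def read(self, n):
        # Produce blocks until n bytes are buffered, then hand them out.
        while len(self._buf) < n:
            block = hmac.new(self._seed, self._counter.to_bytes(16, "big"),
                             hashlib.sha256).digest()
            self._buf += block
            self._counter += 1
        out = bytes(self._buf[:n])
        del self._buf[:n]
        return out

# Constructed sample input: 64 values in 1..20, NOT real dice rolls.
SAMPLE_ROLLS = [(i * 7) % 20 + 1 for i in range(64)]

if __name__ == "__main__":
    gen = CounterGenerator(seed_from_rolls(SAMPLE_ROLLS))
    print(gen.read(32).hex())
```

A mistyped roll still yields a usable seed, but it no longer matches an independent recomputation from the written-down rolls, so the comparison only works if both machines receive identical input.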


Re: [Cryptography] Aside on random numbers (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-06 Thread Bill Squier

On Sep 6, 2013, at 10:03 AM, Perry E. Metzger pe...@piermont.com wrote:
 Naively, one could take a picture of the dice and OCR it. However,
 one doesn't actually need to OCR the dice -- simply hashing the
 pixels from the image will have at least as much entropy if the
 position of the dice is recognizable from the image. 

[...]

 One could write an  app to do this, but of course the phone is
 not exactly a secure platform to begin with...

http://gamesbyemail.com/News/DiceOMatic

-wps



Re: [Cryptography] Aside on random numbers (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-06 Thread Jerry Leichter
On Sep 6, 2013, at 10:03 AM, Perry E. Metzger wrote:
 
 Naively, one could take a picture of the dice and OCR it. However,
 one doesn't actually need to OCR the dice -- simply hashing the
 pixels from the image will have at least as much entropy if the
 position of the dice is recognizable from the image
 
 One could write an  app to do this, but of course the phone is
 not exactly a secure platform to begin with...

Ah, but that highlights an essential difference between OCR'ing the image and 
just hashing it:  I can easily check, with my own eyes, that the OCR app is 
really doing what it claims to be doing.  I have no hope of checking the 
hash-based app.  A whole class of attacks is closed off by the OCR technique.

It's not that there aren't other attacks.  The phone could, for example, leak 
the generated values, sending them off to Big Brother.  That kind of attack 
would, if done correctly, be virtually impossible to detect.  On the other 
hand, it's not nearly as valuable as a biased generation attack - Big Brother 
would receive streams of random die tosses with little context about what the 
resulting values would be used for or how they would be used.  Appropriately 
targeted attacks might work - I know Metzger regenerates his keys on the 3rd 
of every month at about 8:00 AM, so let's use the values he scans at around 
that time as guesses for his base random values - but we're talking quite a 
bit of difficulty here - and the more people use the app, and the more often 
they make it a habit to toss and scan dice and just discard the results, the 
more difficult it becomes.
-- Jerry
