real random

[Phil Carmody]

Bill Cunningham a ecrit :
Can anyone show me a skeleton code for *real* random numbers? Not
just
using srand and rand that sometimes depends on the clock.

Bill


This is a good one.

Except for one minor problem - Unless I'm mistaken, the code you posted
(and I've snipped for space) is either derived from, or a direct copy
of, the Mersenne Twister - It's no more "real random" than rand() - it
just has a better period (usually - If you read up on the material that
usually comes with the full distribution package, you'll find multiple
caveats about "poison" parameter/seed-sets that can absolutely murder
the period length) before it starts repeating. And like every other
software RNG, the sequence that will be produced from a given
parameter/seed-set is 100% predictable.

I understood the original poster as asking for a good random number
generator.

Look at the original post's emphasis on "...*real* random numbers" -
He's asking for the impossible.

If he wants something else, not using software, I thought he
would have said so.

Oh, it looks like he wants software, all right - Just software that no
programmer on the planet is capable of writing due to the limitations
imposed by the current state of the art.[/QUOTE]

If only that software had in some way an ability to access
hardware...

Phil

 

[websnarf]

In



How many non sequiturs can we manage?

Any claim to the production of random numbers that neglects to mention
Fortuna is, excluding everything they have to say on the matter.
Unless you literally reproduce their work (which only I came even
close to) in the text posted. Fortuna is the last word on the
production of high quality random numbers, and their insights drive
home the point that its possible, practical, cheap and, of course,
reduces to an observer problem, which, of course, they obsess over
since their focus is on security.

Algorithms have several characteristics:

1) finiteness;
2) definiteness;
3) input;
4) output;
5) effectiveness.

If you regard Fortuna as being a single transition from one number to
another, it hardly qualifies as a sequence generator.

Da fu? I didn't characterize Fortuna at all. I am recommending that
the OP go read up on it if he wants an example of what it takes to
make an extremely highly quality source of random numbers. Fortuna
represents the limits of how far you can go to produce randomness if
you really need to. What I was describing is the middle ground that
requires assumptions (like that someone isn't intercepting the
keystrokes or simulating the RDTSC instruction, etc, etc) that are
usually easily satisfiable.

Are you literally saying that Fortuna is not an algorithm?

[...] If you regard
it as a generator of a stream of numbers, it is not finite.

What? Its an entropy management system (encoded as, yes, an
algorithm) which feeds a PRNG.

Therefore, it is not an algorithm.

Oh what a strange world it must be inside of your head.

They have a sequence of entropic pools, they draw from them in a
specific sequence dictated by ... wait for it ... an *ALGORITHM*.

[...] Furthermore, it fails to meet the
fifth criterion, that of effectiveness (in Knuth's sense - i.e. that
it is sufficiently basic that the results can in principle be done
exactly by a human being with paper and pencil such that they get
exactly the same result as the computer, which can't be the case for
any process that involves gathering arbitrary data at runtime).

Oh, all heil the furher Knuth! If I draw a grid of lines toss the
pencil upon it, and count the number of lines it crosses, then I will
have a source of entropy. How's that for being pedantic to a flaw?

The Fortuna pool chooser is an algorithm. You have to be demented to
think otherwise.

And I am not getting paid to write code here, so if your complaint is
that I didn't give comprehensive pseudo code for how to do it, go fly
a kite because neither did you.

Less pickily: what I actually said was: "No algorithm can produce a
truly random number sequence. You need a genuine source of entropy,
such as a plasma lamp, a video camera pointing at (say) busy traffic,
a radioactive source, or perhaps weather data. Better still, two or
more such sources, mixed together."

You forgot to mention that you needed a CPU. (Oh and BTW, weather is
not unpredictable.)

By saying what you wrote above, you are saying you need something
special that you don't already have right in front of you. If you
have a Pentium (or some high resolution timer), a keyboard and a mouse
(the mouse is optional, but a heck of a lot better than the keyboard),
then you already have all you need to produce random numbers. You
just need to apply an algorithm to that. Plasma lamps and other
sources for exotic entropy are totally unnecessary. Heck you don't
even need to proceed any further than turning on your system's
microphone if your system has one and you are really going for broke.

By suggesting Fortuna (which gathers genuine entropy as it goes), you
are agreeing with me.

No, because I don't make reference to exotic devices (neither does
Fortuna) for their entropy, while you do.

If you have to be wrong, be polite. If you can't be polite, be right.
(Better still, be both, but we're all human.) Your predilection for
being impolite /and/ wrong is not good for you.

It must be interesting to live in such a totally unaccountable
universe. Remember you came after me this time. And you must know by
now your obstinacy is extremely unimpressive to me.

?

Are you claiming that numbers /are/ random? [snip]

No! I am not making the kind of error you imagine that I am. Just
fricking *READ*. I am talking about a problem in generation, not
about an imagined quality of numbers. You're just illiterate of
something.

There's something that's making you imagine that I don't have a
superior understanding of this problem than you do. But clearly its
not in my content so you have invent some ghost and pretend that I am
making some error I am not.

How you define it is up to you, and irrelevant to this discussion. The
acid test of practical randomness is not determinism, but
predictability.

And these are different in this context how?

And even as such, you continue to miss the point. Its about *WHO* can
predict or determine. If I have a number from 1 to 10 in my head,
then to *YOU* its random, to *ME* it is not. Randomness is about
point of view, not some neurotic distinction between two words that
mean almost the same thing.

Look up "irony" when you get a minute.

I'm not the one who needs to look up the definition of words.

Numbers are not of themselves either random or non-random. It is
processes for generating numbers that are either random or
non-random. Furthermore, you appear to have misread my article
completely. I didn't say you can't have a true RNG. I said you can't
have a true RNG *algorithm*.

That doesn't even make sense. A generator *IS* an algorithm.

Perhaps what you meant is that something that lives only on the CPU
with entirely predetermined initial state can't produce randomness.
But the truth is, using clock() and fgets() by itself is *almost* good
enough (the problem is that the OS may only accept I/O on timer
interrupts, which alias calls to clock() in ways that undermine its
potential usage for entropy). But you're not making an argument
anything like that.

An algorithm needs only be a way of doing something on a computing
device. So if you take timer offsets between mouse movements or
keyboard clicks, then one is augmenting the device to include a mouse,
timer and CPU, but what you do with it after that point is still an
algorithm.

[...] I pointed out, rather clearly I thought,
that you need a genuine source of entropy if you're going to have a
truly random process. And in blunders Mr Hsieh, saying "Ha! You're
wrong to claim X! The truth is actually X!"

I don't in any way claim that you need lava lamps or other strange
things to produce random numbers (I claimed opposite). Nor do I claim
that RNG or Fortuna is not an algorithm. I hardly see how this
distinction fits in your delusion about how I was responding to you.

If you imagine that there is actually agreement between what we are
saying, and that my distinction is artificial, you would have had to
have mentioned the observer phenomena (which is critical), and/or
Fortuna (which is well known and state of the art, so of course it had
to mentioned). You would also have to accept the definition I gave.
Did you do that? How could we be in implicit agreement if that
weren't the case?

In short, learn to read.

Oh right. You think I am making a claim that number themselves have a
randomness property from what I wrote, and yet *I* am the one who
needs to learn to read. You expose yourself for the fraud that you
are.

[Poker sites are viable.] How could that be possible if you can't
generate random numbers?

I can generate random numbers just fine, thanks - by using a genuine
source of entropy.

Yeah apparently *YOU* need a lava lamp or the weather channel to do
it.

If you actually understood Fortuna, you would also understand why all
of the examples you cites are not such good sources: they are too
slow. Keyboard, mouse and a Pentium (or really any processor with a
hi res timer) and you are done.

 

[Phil Carmody]

Also if you get it wrong but think it is right you leave the door open
for hackers.

I worked on smart cards years ago and the level of checking and testing
required to ensure that the system worked correctly and had no holes was
larger that the initial development. The Unit testing was the largest
single phase of the project.


The crypto random number generator had a patented and very secret HW
system in it. It was not just software.

Looks like you threw Kerkhoffs principle in the bin. I hope your
customers were aware of this. I lie - I hope you had no customers,
as you were apparently peddling snake oil.

Phil

 

[Seebs]

They are random to *YOU* (and to hackers, and to any outsider).

I don't think they're random. Randomness isn't a feature of observations
so far...

Randomness is about point of view.

I don't buy that. I agree that there is a functionally useful concept
similar to randomness ("sufficiently random"), but the OP very clearly
emphasized the word "real", as in "*real* random numbers".

That, to me, suggests things that are believed to be genuinely impossible
to predict *for anyone*, not merely impossible to predict without additional
information that some party might have.

If you can't do it, then you can't say one is random and the other is
not. That's the whole point. If you can't *DETERMINE* the
difference, then they are equally random.

Not so. If I can't determine the difference, all that means is I can't
determine the difference.

The sequence "2 4 6 8" does not become random just because you're talking
to an idiot.

-s

 

[Don Bruder]

If only that software had in some way an ability to access
hardware...

Phil

Well, yeah... But that's an interface problem

But seriously, yeah, software retrieves the randoms from the hardware
generator, but for reasons I can't explain clearly, I get the fairly
strong feeling that's not QUITE what he had in mind.

 

[Nick Keighley]

Looks like you threw Kerkhoffs principle in the bin. I hope your
customers were aware of this. I lie - I hope you had no customers,
as you were apparently peddling snake oil.

is this the security by obscurity thingy?

Do the NSA and military follow this principle?
How do they do?

 

[Nick Keighley]

Look at the original post's emphasis on "...*real* random numbers" -
He's asking for the impossible.


Oh, it looks like he wants software, all right - Just software that no
programmer on the planet is capable of writing due to the limitations
imposed by the current state of the art.

not by physics and mathematics?

<snip>

 

[Nick Keighley]

Gordon Burditt <[email protected]> wrote:

Burditt the de-attributer strikes again

there's theoretical deterministic and can-actually-be-determined.

If I've got 22.5 liters of gas I've got about 1e23 molecules of that
gas.
This makes computing its behaviour pretty hard.

If I refuse to tell you its temperature, pressure, vessel shape
and the initial position of every one of those 1e23 molecules then you
are stuffed.

"Too complicated to predict" can be sufficient if you're in a closed system
(e.g. the universe),

I don't think you have to make it that hard. The butterflys and all
that

and you can prove that no computation capabable of
being carried out within that system could predict the next sequence of
output [of an algorithm] with greater than 50% probability. Within that
system, the operative quality of randomness if no different than quantum
randomness. And there are pure mathematical thermodynamic models which meet
such conditions.

This is why, in cryptography, the key characteristic of concern is
unpredictability. "Random" is an overloaded term; "true randomness" doubly
so. Basically, unpredictability in this context is related to
uncomputability and irreducibility. The latter two certainly don't require
quantum phenomena, and the implied constraint of non-causality as an
essential element.

Google Gregory Chaitin's work. I realize the above explanation leaves some
critical gaps; in particular, the leap from uncomputability to
thermodynamics. sci.crypt and other forums would be better capable of
filling in the gaps and correcting my errors of language and theory.

To the OP, none of this is meant to subvert the wise advice of others in
this thread.

 

[Nick Keighley]

yep, this is a flaw of PRNGs...

er, no.

That's like saying "the problem with boats is that they float"

 

[Chris H]

Patented AND very secret? How does that work?

I would have thought that the customers for secure random number
generators would want to know exactly how it worked.

It was wrapped up in cryptography, national security and the Banks...

I am sure they said there was a patent on it but how that would work
with it not being published I am not sure. It was a genuine HW solid
state random generator.

 

[Chris H]

Well, some parts might be patented while other parts could be secret.
agreed

Obviously no part can be both

Yes. I can't remember how they managed the patents or precisely what was
patented.

Also since I do not work there any more (it was over a decade and a half
a go) and I don't have my notes (security was VERY strict. ) this is
from memory.

(well, obvious to anyone who doesn't work in
the marketing department).

Marketing has the power to re-write the laws of the land, nature and
physics )))

OTOH, the vendors of insecure not-so-random number generators clearly
wouldn't want the (potential) customers to know how they worked.

This is also true. The whole smart card industry was VERY paranoid at
the time.

As was said to me imagine what would happen if both Mastercard and Visa
were hacked within a few weeks of each other... it would bring the
western world to a halt...

That is the premise in "Fight Club" where they want to blow up the
credit card computers. The "end of civilisation" etc

As it was the government was also interested as thus random number
generator was used in a crypto system.

 

[Chris H]

(satire...) "but, how can anyone think the US is not the entire world?..."

Because Pailn has told the world she can see Russia from here house?
)))

 

[Nick Keighley]

Sometimes I think you argue just for the joy of it.
Not that that's a bad thing...

websnarf <[email protected]> writes:

Look.  People crack DVDs, HDMI, etc, even when there is little
monetary incentive. The reason is because there is no way to keep the
debugger out of a mainstream system -- i.e., they can't hide the
details, as much as they would want to.  Its the nature of the problem
that makes it crackable.  Yet poker sites; where there is a *LOT* of
monetary incentive remain relative unhacked (I won't claim totally,
but certainly many have been in long term operation, and are
profitable and "fair".)  How could that be possible if you can't
generate random numbers?  You think black hat hackers are less
incentivised by money than they are by mere copyright infringement?

[...]

It's possible either because the sites do use truly random numbers
(generated by something other than just an algorithm), or because
they use pseudo-random numbers that are sufficiently unpredictable
for their purposes.

They use peer based PRNG seeding.  At least the very public paper for
one online site that I read that explained it.  I even tried to find a
flaw in their system, but they had actually thought of my objections
and covered them perfectly.  There's no other method that's anywhere
near as practical or even as secure that I can think of.  I have a
hard time believing that any site uses any different strategy.

I could just imagine these sites trying to rig up some cosmic ray
detector or lava lamps or whatever.  Barely enough entropy for a
hundred rolls of the dice -- meanwhile, they are trying to deal maybe
a thousand hands per second.  And what happens if the device fails?
That's just so truly not worth it.  peer + server based accumulative
entropy is the only sensible way to go: the amount entropy scales with
the number of users; its perfect.

Nobody said you "can't generate random numbers".

Are you reading the same thread as I am?

yes and most people said something along the lines of

"Deterministic computers can't generate actual random numbers."

We should quote Von Neumann at this point

"Anyone attempting to generate random numbers by deterministic
means is, of course, living in a state of sin."
-- John Von Neumann

By adding an entropy source you are no longer completly deterministic
and you don't have an algorithm in Knuth's sense.

"There is no such code without hardware that involves quantum-
mechanical behavior to generate the randomness. "

well I don't agree with the QM bit

"No algorithm can produce a truly random number sequence."
yup

"Deterministic computers can't generate actual random numbers."

yup (I'm bound to agree with myself!)

"No, nobody can show you such code, whether as a skeleton, or a fully
developed package. Because there is no such thing - True random
numbers
from pure software are currently considered impossible."
yup

Though in rereading the thread I must admit I missed William Ahern's
reply which is passable (though he still thinks a special device is
needed -- you don't need more than what a Pentium, a mouse/keyboard
and an end user already gives you, of course.)

[...]  You just can't generate truly random numbers by a deterministic process.  But
for some purposes you might not need to.

I don't even know what you are talking about here.  I already gave the
definition of random.

you redefined random

 Your first sentence is just tautological with
the definition.  "Truly random" is like "true logic" or "dark black"
or "quickly fast" or something like that ... what is the word "truly"
even doing there?

to distinguish actually random from pseudo random.
(my mobile phone is Cosmic Black according to the marketing info)

In the second, you are just questioning the motives of the OP.  But I
have chosen not to, so there's no point in you directing that comment
towards me.

I'm not sure we need to question his motives, but I think he thought
"real random numbers" was a meaningful term.

If you are just talking about random, then you are really talking
about the entropy kind of random.  PRNG's are a particular device for
helping generate unbiased streams from a typically entropic source
(for repeatable testing, its often desirable to make the seed
deterministic) but the OP made no mention of that, and therefore its
fair to assume that was not what he was asking for.

really? why?

More likely he knew srand + rand didn't produce completly "random"
numbers and wondered how he laid his hands on such things.

Laymen use "random" in a rather... er, random fashion. Listen
to how teenagers use it.

 

[William Hughes]

Asking people in comp.lang.c for "real random numbers" is like asking
a chiropractor for the recipe for coca cola.  There simply is no
expertise whatsoever in the typical people in this news group on that
question.

Not surprisingly you get nonsense like: "No algorithm can produce a
truly random number sequence" which is tantamount to religious
evangelism.

No, it is just a simple truth using language you
do not like. If by algorithm we mean "deterministic algorithm"
the statement is true. If by algorithm we mean "any method"
the statement is false.

Your discussion of randomness is not very clear
and at times inaccurate (e.g. a deterministic algorithm
need not be public).

You fail to distinguish between theory and practice
(e.g. increasing clock resolution, to what extent
does this make prediction fundamentally harder)
when you talk about entropy generation.

Trusting the entropy provided by a network is naive
in the extreme.

Your definition of a "true" random sequence as
a cryptographically secure sequence, is questionable.
You should at least discuss the difference between
a psuedo-random sequence generated from a cryptographically
secure sequence by frequent seeding
and a cryptographically secure sequence.

Your language even when correct is imprecise
(e.g. using asymptotically when you mean eventually).

C minus. Subtract one grade for gratuitous insults.

You fail

- William Hughes

 

[Michael Foukarakis]

    I have /dev/random yes. But it's treated as a device.

read() it.

A lot like MS's windows key number or
genuie key number.

Those are far from random.

 

[Nobody]

(b) is _vital_. Most people who use and recommend MTs tend to simply
be wowwed by its period,

The main benefit of MT isn't so much the period as the absence of
correlation between successive values. This is important in Monte Carlo
simulations, where any correlation could introduce errors into the
resulting statistical distribution.

and are completely ignorant about correct
use. They'll seed it with some low entropy source, and then generate
many thousands of incredibly predictable values. The correlation is
so strong that most time I see use of an MT I *presume* ignorance
about PRNGs.

MT wasn't designed for cryptography (and isn't suitable for it), so there
isn't much point in using a high-entropy seed. Usually, it's either seeded
with a user-specified seed (if you want repeatability), or a seed derived
from the clock (if you just want successive runs to produce different
results).

 

[robertwessel2]

The main benefit of MT isn't so much the period as the absence of
correlation between successive values. This is important in Monte Carlo
simulations, where any correlation could introduce errors into the
resulting statistical distribution.

Actually the correlation between successive values is approximately
100%. It's just that it's really, really, really well obscured.

 

[Keith Thompson]

well I don't agree with the QM bit

Hmm. If there's a piece of hardware somewhere in the universe that
*doesn't* involve involves quantum-mechanical behavior, I'd like to
see it.

(I think I know what the original statement meant, but it's too early
in the morning to figure out how to restate it accurately.)

 

[BGB / cr88192]

Then you agree that chaotic systems are deterministic but
unpredictable (because Wikipedia currently gets this right).


Your own reference, Wikipedia, said at the time that I looked at it
(and no, I didn't change it to support my argument!): "...even though
they are deterministic, chaotic systems show a strong kind of
unpredictability not shown by other deterministic systems".

this is messing with words I think...


since it is deterministic, knowing the state, initial conditions, rules, ...
one could easily simulate a chaotic system to the same point, and find that
they have the same state.

AKA: a deterministic system is repeatable...

so, it is "predictable" in that one can recreate the state knowing
sufficient information.
however, it is not "predictable" in the more intuitive sense, AKA, that a
person can simply observe the output and a partial view of the present
state, and expect to make correct predictions.

Yes, a chaotic process remains deterministic. No, it can't be
predicted (in the long term), no matter how much finite information
you have.

if one knows either:
the complete present state;
the complete initial state (as well as the current "time"), one can recreate
the present state.

then it is possible to predict...


granted, it is not possible to gain this information via simple observation
(unless of course it is a PRNG with a very weak period...).

They can be, but usually they aren't.

aren't chaotic, or aren't deterministic?...

No, but even so, what looks random to one (sufficiently clever) person
may be known to another (equally clever) person to be deterministic,
simply because he has more information.

neither of these changes the state of the matter though.

one person is correct, the other is incorrect, but this does not change what
is the case of the matter...


the casual obersver may confuse a small fixed permutation for a random
sequence as well, does not mean they are correct though...

 

[robertwessel2]

Ok, so let us say that you have to scenarios.  In one you use your
keyfob as the seed for a PRNG and use its output as your random
stream.  In the second you use something like a cosmic background
radiation detector or whatever you imagine is going to give you a
truly random seed.

Now give me an algorithm for determining the difference between those
two outputs.  I.e., if I hand you one of the two streams (which I will
choose by a secret coin flip), you have to tell me which one I gave
you (assuming I could keep you from observing your own keyfob).  You
may use any resource you like including the NSA, and the manufacturer
of your keyfob.

The algorithm is trivial. Whether it's practical or not is a
different issue. Consider a simple security token that just runs DES
in CTR mode against the timestamp value. The total internal states is
thus on the order of 88 bits (56 bit DES key, plus a 32 bit timestamp
counter). Assuming a six digit display, each display produces a bit
under 20 bits of information about that state (let's call it an even
20 bits for simplicity). By simple exhaustive search, after four
displayed numbers, I can narrow down the internal state to one of
(approximately) 256 possibilities. With the a fifth number, I have
approximately a 4095 in 4096 chance of detecting your real random
source (or any other source other than the proper security token
algorithm), since most random values will quickly lead an impossible
internal state.

As to practical... A search through a 2**88 state space is within the
scope of current technological possibility if you have a trillion or
so in spare change (and clearly there is at least one organization on
the planet that *can* pony up that kind of bread if it gets
sufficiently motivated).

This assumes that you have no better way to tackle this than a brute
force search. For example the algorithm for RSA's older SecureID
tokens has been decisively broken.

On the flip side I would assume a good token today would use something
stronger than single DES (which doesn't change the theoretical
approach, just makes it even less practical).