[Cryptography] Aside on random numbers (was Re: Opening Discussion: Speculation on "BULLRUN")
Perry E. Metzger
perry at piermont.com
Fri Sep 6 10:03:09 EDT 2013
On Fri, 6 Sep 2013 01:04:31 -0400 John Kelsey <crypto.jmk at gmail.com>
> > I'm starting to think that I'd probably rather type in the
> > results of a few dozen die rolls every month in to my critical
> > servers and let AES or something similar in counter mode do the
> > rest.
> > A d20 has a bit more than 4 bits of entropy. I can get 256 bits
> > with 64 die rolls, or, if I have eight dice, 16 rolls of the
> > group. If I mistype when entering the info, no harm is caused.
> > The generator can be easily tested for correct behavior if it is
> > simply a block cipher.
> If you're trying to solve the problem of not trusting your entropy
> source, this is reasonable, but it doesn't exactly scale to normal
No, clearly not, but it works fine for a key generation ceremony for
a valuable key or the like. It might also be fine in other limited
That said, I came up with a fine way to automate this in the shower,
which I'm documenting here in case it inspires someone.
Naively, one could take a picture of the dice and OCR it. However,
one doesn't actually need to OCR the dice -- simply hashing the
pixels from the image will have at least as much entropy if the
position of the dice is recognizable from the image. (You have to
assume your hash function is reasonable but the rest of your
infrastructure needs to assume that anyway in all likelihood.) So,
simply take pictures of each of N rolls of multiple dice and hash
them all together.
One could write an app to do this, but of course the phone is
not exactly a secure platform to begin with...
Perry E. Metzger perry at piermont.com
More information about the cryptography