[Cryptography] real random numbers

John Denker jsd at av8n.com
Thu Sep 12 13:04:50 EDT 2013

Executive summary:

The soundcard on one of my machines runs at 192000 Hz.  My beat-up 
old laptop runs at 96000.  An antique server runs at "only" 48000. 
There are two channels and several bits of entropy per sample.
That's /at least/ a hundred thousand bits per second of real 
industrial-strength entropy -- the kind that cannot be cracked, 
not by the NSA, not by anybody, ever.

Because of the recent surge in interest, I started working on a 
new version of turbid, the software than manages the soundcard 
and collects the entropy.  Please give me another week or so.

The interesting point is that you reeeeally want to rely on the
laws of physics.  Testing the output of a RNG can give an upper 
bound on the amount of entropy, but what we need is a lower bound, 
and only physics can provide that.  The physics only works if 
you /calibrate/ the noise source.  A major selling point of turbid
is the calibration procedure.  I'm working to make that easier for 
non-experts to use.

Concerning "radioactive" sources:

My friend Simplicio is an armchair cryptographer.  He has a proposal 
to replace triple-DES with quadruple-rot13.  He figures that since it
is more complicated and more esoteric, it must be better.

Simplicio uses physics ideas in the same way.  He thinks radioactivity 
is the "One True Source" of randomness.  He figures that since it is
more complicated and more esoteric, it must be better.

In fact, anybody who knows the first thing about the physics involved
knows that quantum noise and thermal noise are two parts of the same
elephant.  Specifically, there is only one physical process, as shown
by figure 1 here:
Quantum noise is the low-temperature asymptote, and thermal noise is
the high-temperature asymptote of the /same/ physical process.

So ... could we please stop talking about "radioactive" random number
generators and "quantum" random number generators?  It's embarrassing.

It is true but irrelevant that somebody could attempt a denial-of-service
attack against a thermal-noise generator by pouring liquid nitrogen
over it.  This is irrelevant several times over because:
 a) Any decrease in temperature would be readily detectable, and the 
  RNG could continue to function.  Its productivity would go down by
  a factor of 4, but that's all.
 b) It would be far more effective to pour liquid nitrogen over other
  parts of the computer, leading to complete failure.
 c) It would be even more effective (and more permanent) to pour sulfuric 
  acid over the computer.
 d) Et cetera.

The point is, if the attacker can get that close to your computer, you 
have far more things to worry about than the temperature of your noise 
source.  Mathematical cryptographers should keep in mind the proverb 
that says: If you don't have physical security, you don't have security.

To say the same thing in more positive terms:  If you have any halfway-
reasonable physical security, a thermal noise source is just fine, 
guaranteed by the laws of physics.

In practice, the nonidealities associated with "radioactive" noise are 
far greater than with thermal noise sources ... not to mention the cost 
and convenience issues.

As I have been saying for more than 10 years, several hundred thousand 
bits per second of industrial-strength entropy is plenty for a wide
range of practical applications.  If anybody needs more than that, we
can discuss it ... but in any case, there are a *lot* of services out 
there that would overnight become much more secure if they started 
using a good source of truly random bits.

The main tricky case is a virtual private server hosted in the cloud.
You can't add a real soundcard to a virtual machine.  My recommendation 
for such a machine is to use a high-quality PRNG and re-seed it at 
frequent intervals.  This is a chicken-and-egg situation:
 a) If you have /enough/ randomness stored onboard the VPS, you can 
  set up a secure pipe to a trusted randomness server somewhere else,
  and get more randomness that way.
 b) OTOH if the VPS gets pwned once, it might be pwned forever, because 
  the bad guys can watch the new random bits coming in, at which point
  the bits are no longer random.
 c) On the third hand, if the bad guys drop even one packet, ever,
  you can recover at that point.
 d) I reckon none of this is worth worrying about too much, because
  at some point the bad guys just strong-arm the hosting provider
  and capture your entire virtual machine.

More information about the cryptography mailing list