# [Cryptography] real random numbers

John Denker jsd at av8n.com
Thu Sep 12 13:04:50 EDT 2013

Executive summary:

The soundcard on one of my machines runs at 192000 Hz.  My beat-up
old laptop runs at 96000.  An antique server runs at "only" 48000.
There are two channels and several bits of entropy per sample.
That's /at least/ a hundred thousand bits per second of real
industrial-strength entropy -- the kind that cannot be cracked,
not by the NSA, not by anybody, ever.

Because of the recent surge in interest, I started working on a
new version of turbid, the software than manages the soundcard
and collects the entropy.  Please give me another week or so.

The interesting point is that you reeeeally want to rely on the
laws of physics.  Testing the output of a RNG can give an upper
bound on the amount of entropy, but what we need is a lower bound,
and only physics can provide that.  The physics only works if
you /calibrate/ the noise source.  A major selling point of turbid
is the calibration procedure.  I'm working to make that easier for
non-experts to use.

========================================

My friend Simplicio is an armchair cryptographer.  He has a proposal
to replace triple-DES with quadruple-rot13.  He figures that since it
is more complicated and more esoteric, it must be better.

Simplicio uses physics ideas in the same way.  He thinks radioactivity
is the "One True Source" of randomness.  He figures that since it is
more complicated and more esoteric, it must be better.

In fact, anybody who knows the first thing about the physics involved
knows that quantum noise and thermal noise are two parts of the same
elephant.  Specifically, there is only one physical process, as shown
by figure 1 here:
http://www.av8n.com/physics/oscillator.htm
Quantum noise is the low-temperature asymptote, and thermal noise is
the high-temperature asymptote of the /same/ physical process.

generators and "quantum" random number generators?  It's embarrassing.

It is true but irrelevant that somebody could attempt a denial-of-service
attack against a thermal-noise generator by pouring liquid nitrogen
over it.  This is irrelevant several times over because:
a) Any decrease in temperature would be readily detectable, and the
RNG could continue to function.  Its productivity would go down by
a factor of 4, but that's all.
b) It would be far more effective to pour liquid nitrogen over other
parts of the computer, leading to complete failure.
c) It would be even more effective (and more permanent) to pour sulfuric
acid over the computer.
d) Et cetera.

The point is, if the attacker can get that close to your computer, you
have far more things to worry about than the temperature of your noise
source.  Mathematical cryptographers should keep in mind the proverb
that says: If you don't have physical security, you don't have security.

To say the same thing in more positive terms:  If you have any halfway-
reasonable physical security, a thermal noise source is just fine,
guaranteed by the laws of physics.

In practice, the nonidealities associated with "radioactive" noise are
far greater than with thermal noise sources ... not to mention the cost
and convenience issues.

As I have been saying for more than 10 years, several hundred thousand
bits per second of industrial-strength entropy is plenty for a wide
range of practical applications.  If anybody needs more than that, we
can discuss it ... but in any case, there are a *lot* of services out
there that would overnight become much more secure if they started
using a good source of truly random bits.

The main tricky case is a virtual private server hosted in the cloud.
You can't add a real soundcard to a virtual machine.  My recommendation
for such a machine is to use a high-quality PRNG and re-seed it at
frequent intervals.  This is a chicken-and-egg situation:
a) If you have /enough/ randomness stored onboard the VPS, you can
set up a secure pipe to a trusted randomness server somewhere else,
and get more randomness that way.
b) OTOH if the VPS gets pwned once, it might be pwned forever, because
the bad guys can watch the new random bits coming in, at which point
the bits are no longer random.
c) On the third hand, if the bad guys drop even one packet, ever,
you can recover at that point.
d) I reckon none of this is worth worrying about too much, because
at some point the bad guys just strong-arm the hosting provider
and capture your entire virtual machine.