[Cryptography] All dice are loaded?

John Kelsey crypto.jmk at gmail.com
Fri Aug 8 10:44:38 EDT 2014 

> On Aug 7, 2014, at 5:21 PM, Dave Horsfall <dave at horsfall.org> wrote:
> 
> It's somewhat common to throw a set of dice to generate a "good enough" 
> random number, or at least a seed.

For DRBG seeding and related stuff like password selection via diceware, a small bias doesn't matter all that much.  Suppose 6 ends up having probability 10% too high--1/6+1/60.  In terms of min-entropy, this gives you

original: -lg(1/6) ~= 2.58 bits of min-entropy per roll. 
new: -lg(1/6 + 1/60) ~= 2.45 bits of min-entropy per roll.

With 30 dice rolls (what Diceware recommends) you only lose a couple bits of entropy.  That is, your final password should have min-entropy of 2.58*30=77.4 bits, but due to the flawed dice it has a min-entropy of 2.45*30=73.5 bits.  The most likely password (the one that is generated by rolling all sixes for every roll) becomes very slightly more likely, but still not likely enough that it makes a password cracker's job noticably easier.  

>  However, they appear to have a slight 
> bias in favour of "6", due to the pattern of the dimples.

It seems like this would be different in different dice or different manufacturers.  I mean, the only difference between the faces that's inherent in the design of standard 6-sided dice is that the faces of the higher numbers are very slightly lighter than the faces of the lower numbers, but I'd intuitively expect differences in the precise shape of the dice or manufacturing variation to matter more.  

> It seems that someone actually did the experiment back in 1966, with about 
> 10,000 rolls, and found a "statistically significant" bias in favour of 
> "6" being uppermost.

I rather strongly suspect there's a file drawer effect going on here--the many times someone ran the experiment for a given kind of dice and found no statistically significant difference, this was sufficient confirmation for a casino or classroom exercise, but nobody would bother publishing that as a result.  But who knows?

> -- Dave

--John

More information about the cryptography mailing list