[Cryptography] who cares about actual randomness?

Bill Stewart bill.stewart at pobox.com
Thu Feb 6 01:25:03 EST 2014

> >> Now that hindsight is possible, one can look at the results.  Did
> >> FreeBSD ever find an application that had a genuine need for entropy
> >> rather than unguessable numbers?
> > How about you and me get together for a nice friendly
> > game of poker.
> >
> > I'll bring the cards.

Poker's a special case, because it's less about manipulating the cards
and more about predicting the behaviour of the other players.
(Or maybe it's less about predicting the cards and more about 
manipulating the players, but that's only if you're good at it, which 
they say I'm not.)

There's the usual quote from Von Neumann that anyone who considers 
arithmetical methods of producing random digits is, of course, in a 
state of sin.  (But then, sin and poker are activities that are 
seldom found in the same place... )

My standard assumption for when you care, other than for seeding 
PRNGs, is One-Time Pads.
Are you willing to send the next Venona message collection with your 
unguessable numbers?
(Yeah, these days, you probably are, because we've got enough crypto 
algorithms that are strong enough to resist both bit-twiddling and 
mathematical attacks, and at least for the next few decades I'm guessing 
that quantum computers are going to be less of a realistic possibility 
than getting widely-deployed trustable HWRNGs.)

For poker, there are protocols for jointly picking mutually 
unguessable numbers (e.g. Diffie-Hellman variants), of course.  For 
servers, if the players we can't trust are Intel and the NSA, even 
though they've been telling us they're sitting on opposite sides of 
the table, then the comment that seeding PRNGs on virtual machines is 
actually a provisioning problem is a good one, and I do like the 
"cloud VMs connect to a known-friendly server to get random seed 
material" approach.
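The "protocols for jointly picking mutually unguessable numbers" mentioned above, as an added example that is not part of the original post: it uses a hash commit-and-reveal round rather than a Diffie-Hellman variant, and the Party class, joint_random, and the sample contributions are assumptions constructed for the demonstration. It also shows the check a verifier needs, namely rejecting a party whose reveal does not match what it committed to.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

def commit(nonce: bytes, contribution: bytes) -> bytes:
    """Hash commitment: binds a party to `contribution` without revealing it."""
    return hashlib.sha256(nonce + contribution).digest()

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

@dataclass
class Party:
    """Hypothetical participant; defaults draw from the OS CSPRNG."""
    name: str
    contribution: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    nonce: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    cheat: bool = False  # if True, tries to swap its contribution after committing

    def commitment(self) -> bytes:
        return commit(self.nonce, self.contribution)

    def reveal(self) -> tuple:
        if self.cheat:
            # Substitutes a different value after the commitment round has closed.
            return self.nonce, bytes(32)
        return self.nonce, self.contribution

def joint_random(parties: list) -> bytes:
    """Commit-reveal: every party commits, then reveals; the output is the XOR of
    all contributions.  One honest party with a uniform contribution makes the
    result uniform and unguessable to the others, and a party that deviates
    from its commitment is detected instead of silently biasing the result."""
    # Round 1: all commitments are published before anyone reveals.
    commitments = {p.name: p.commitment() for p in parties}
    result = bytes(32)
    # Round 2: reveal, verify each reveal against its commitment, then combine.
    for p in parties:
        nonce, contribution = p.reveal()
        if commit(nonce, contribution) != commitments[p.name]:
            raise ValueError(f"{p.name}: reveal does not match its commitment")
        result = xor_bytes(result, contribution)
    return result
```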
