[Cryptography] who cares about actual randomness?
Bill Stewart
bill.stewart at pobox.com
Thu Feb 6 01:25:03 EST 2014
> >> Now that hindsight is possible, one can look at the results. Did
> >> FreeBSD ever find an application that had a genuine need for entropy
> >> rather than unguessable numbers?
> > How about you and me get together for a nice friendly
> > game of poker.
> >
> > I'll bring the cards.
Poker's a special case, because it's less about manipulating the cards
and more about predicting the behaviour of the other players.
(Or maybe it's less about predicting the cards and more about
manipulating the players, but that's only if you're good at it, which
they say I'm not.)
There's the usual quote from Von Neumann that anyone who considers
arithmetical methods of producing random digits is, of course, in a
state of sin. (But then, sin and poker are activities that are
seldom found in the same place... )
My standard assumption for when you care, other than for seeding
PRNGs, is One-Time Pads.
Are you willing to send the next Venona message collection with your
unguessable numbers?
(Yeah, these days, you probably are, because we've got enough crypto
algorithms that are strong enough to resist both bit-twiddling and
mathematical attacks, and at least for the next few decades I'm guessing
that quantum computers are going to be less of a realistic possibility
than getting widely-deployed trustable HWRNGs.)
For poker, there are protocols for jointly picking mutually
unguessable numbers (e.g. Diffie-Hellman variants), of course. For
servers, if the players we can't trust are Intel and the NSA, even
though they've been telling us they're sitting on opposite sides of
the table, then the comment that seeding PRNGs on virtual machines is
actually a provisioning problem is a good one, and I do like the
"cloud VMs connect to a known-friendly server to get random seed
material" approach.
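The "jointly picking mutually unguessable numbers" idea above, as an added example that is not from this post or thread: a commit-and-reveal protocol (hash commitments rather than the Diffie-Hellman variant mentioned), where each player contributes a value and the shared number is the XOR of all contributions, so it is unguessable to any player as long as at least one other player chose honestly and nobody can change their contribution after seeing the others. The `Party` and `joint_random` names are this example's own.

```python
import hashlib
import hmac
import secrets

VALUE_LEN = 32  # bytes contributed per party (constructed parameter)


def commit(value: bytes, nonce: bytes) -> bytes:
    """Hash commitment: binds the party to `value` without revealing it.
    The nonce stops a peer from brute-forcing short or low-entropy values."""
    return hashlib.sha256(nonce + value).digest()


class Party:
    """One player. Picks its contribution before seeing anyone else's."""

    def __init__(self, name: str, value: bytes = None, nonce: bytes = None):
        self.name = name
        # Fixed values are accepted only so the protocol can be tested deterministically.
        self.value = value if value is not None else secrets.token_bytes(VALUE_LEN)
        self.nonce = nonce if nonce is not None else secrets.token_bytes(VALUE_LEN)

    def commitment(self) -> bytes:
        return commit(self.value, self.nonce)

    def reveal(self) -> tuple:
        return self.value, self.nonce


def joint_random(commitments: list, reveals: list) -> bytes:
    """Phase 2: every party opens its commitment. Any reveal that does not match
    the earlier commitment (a player trying to change their value after seeing the
    others) aborts the protocol instead of producing a biased number."""
    if len(commitments) != len(reveals):
        raise ValueError("every committed party must reveal")
    out = bytes(VALUE_LEN)
    for c, (value, nonce) in zip(commitments, reveals):
        if len(value) != VALUE_LEN or not hmac.compare_digest(commit(value, nonce), c):
            raise ValueError("commitment mismatch: reveal does not open commitment")
        out = bytes(a ^ b for a, b in zip(out, value))
    return out


def run_protocol(parties: list) -> bytes:
    """Phase 1 (all commitments exchanged) then phase 2 (all reveals exchanged)."""
    commitments = [p.commitment() for p in parties]
    reveals = [p.reveal() for p in parties]
    return joint_random(commitments, reveals)
```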