[Cryptography] who cares about actual randomness?

Bear bear at sonic.net
Thu Feb 6 22:47:53 EST 2014


On Thu, 2014-02-06 at 07:09 -0500, Jerry Leichter wrote:

> Suppose a number of us are getting ready to play poker.  None of us trusts any of the others.  We all do trust the provider and operator of the following machine:  It scans US currency, recording the serial number, and destroys the bill.  (OK, that's illegal; maybe it just locks it securely inside, to be returned to a bank later.)  When a button is pushed, it takes all the serial numbers scanned, in the order they were seen, hashes with SHA-256, and uses the result to initialize a "good" PRNG that will control the cards in the game.  The machine is configured to generate no more than 100,000 hands before it shuts itself down and must be re-initialized with fresh bills.
> 
> To start a game, each of us in turn will pull a bill from our wallet and scan it through the machine, in any order we please.  Then we push the button and start to play.
> 
> Will you join us?  (Again, we're *assuming* that all of us trust the provider and operator of the machine:  We trust that it really does what's claimed, and it leaks no information to anyone.)
> 
> I would argue that there is essentially no identifiable physical entropy present in this scenario but, nonetheless, there's no good reason for you *not* to play.
>                                                         -- Jerry

This essentially duplicates the "mental poker" protocol in which each
participant provides his/her own RNG, committing in advance to its 
output, and an agreed-on combination of all is used for the game. 

This works because each player's RNG (or OTP, if one or more of the 
participants wants to go there) is unpredictable *to the other players* 
and therefore the output of combining them is provably unpredictable 
to all the players.  

Your scenario achieves this by having each participant provide a 
part of the seed for an RNG, and being satisfied that it is a large 
enough part that the remainder cannot be 'brute forced' from the 
output. If the condition is true, it assures that the RNG is not
predictable to any players, even though each knows the "random" 
bits they contributed themselves.

But you knew that.  
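As an added illustration (not part of the original post or either author's code), here is a commit-then-reveal combination of per-player contributions of the kind described above: every player publishes a SHA-256 commitment first, so nobody can pick their value after seeing the others, and the seed is a hash over all revealed values; the minimum-length check, the function names and the toy hash-counter shuffle are my own constructions.

```python
import hashlib
import hmac

MIN_LEN = 16  # bytes; a short contribution could be enumerated by the other players

def commit(contribution: bytes) -> bytes:
    """Commitment published before anyone reveals; the contribution is long
    random data, so a plain hash is binding and hiding enough here."""
    return hashlib.sha256(contribution).digest()

def combine(contributions) -> bytes:
    """SHA-256 over all contributions in a fixed order (length-prefixed so
    concatenation is unambiguous); unpredictable if any one input is."""
    h = hashlib.sha256()
    for c in contributions:
        h.update(len(c).to_bytes(2, "big"))
        h.update(c)
    return h.digest()

def verify_and_seed(commitments, reveals) -> bytes:
    """Check each reveal against its commitment, then derive the shared seed."""
    if len(commitments) != len(reveals):
        raise ValueError("every committed player must reveal")
    for i, (cm, rv) in enumerate(zip(commitments, reveals)):
        if len(rv) < MIN_LEN:
            raise ValueError(f"player {i}: contribution too short to resist brute force")
        if not hmac.compare_digest(cm, commit(rv)):
            raise ValueError(f"player {i}: reveal does not match commitment")
    return combine(reveals)

def shuffle(seed: bytes, n: int = 52) -> list:
    """Deterministic Fisher-Yates shuffle driven by a hash-counter keystream
    (SHA-256(seed || counter)); rejection sampling avoids modulo bias."""
    deck = list(range(n))
    counter = 0
    for i in range(n - 1, 0, -1):
        bound = 1 << 64
        limit = bound - (bound % (i + 1))
        while True:
            block = hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
            counter += 1
            r = int.from_bytes(block[:8], "big")
            if r < limit:
                break
        j = r % (i + 1)
        deck[i], deck[j] = deck[j], deck[i]
    return deck

if __name__ == "__main__":
    # constructed sample: three players, fixed 32-byte contributions for reproducibility
    players = [bytes([k]) * 32 for k in (1, 2, 3)]
    cms = [commit(p) for p in players]
    print(shuffle(verify_and_seed(cms, players))[:5])
```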