# [Cryptography] The ultimate random source

Phillip Hallam-Baker hallam at gmail.com
Tue Feb 18 11:45:58 EST 2014

```
On Tue, Feb 18, 2014 at 1:34 AM, ianG <iang at iang.org> wrote:

> On 18/02/2014 02:43 am, Phillip Hallam-Baker wrote:
>
> > But the general point about these being pretty, I was thinking of making
> > electro-mechanical sculptures for sale. A twist on kinetic art.
>
> At Ars Technica a few years back, some artist presented a random number
> generator made of candles and fans.  He had maybe 30 candles, and above
> each was a homemade fan that spun from the heat generated by its candle.
> As the fan spun, the candle blinked on and off.  Each candle and fan
> combination had a different frequency...
>
> It was very pretty!  If photographed and hashed I imagine it would work
> fine, but I didn't have the heart to tell the accompanying art critics
> about the predictability of counting the frequencies.

One important boundary condition is that I want the operation of the random
number generator to be completely auditable so that we can tell with a very
high degree of confidence that no strange business has taken place.

So for example, let's take a cut-and-choose type protocol.

What I want is a machine that I can cause to perform the random number
acquisition process repeatedly without knowing whether the machine itself
is being audited or not. So we have the dice roll in a transparent box 256
times, and on one occasion, chosen using a process that could not be
predicted when the machine is configured, we put a cover over the camera so
the dice rolls are not observed.

We check that the results are consistent with the observations from the
second camera in the other 255 cases. Thus an occasional defection attack
has only a 1 in 256 chance (i.e. 8 bits) of success.

Now imagine we repeat that process 16 times and XOR the outputs. We now
have a random number such that an attacker trying to trick us would only
have a 1 in 2^128 chance of success.

We still don't have a completely auditable system but we are getting
closer. The problem is that I can't eliminate the 'first public key
creation' problem. I can show that a system is effectively unbeatable if we
can trust an initial public key. But so far I haven't been able to get past
that point.

The objective here is to end up with a device with a public keypair that we
are assured is only in that device alone and could not be affected by the
original coding or hardware construction.

--
Website: http://hallambaker.com/
```
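The cut-and-choose audit sketched in the message above, simulated as an added example (editor's code, not the author's): a device reports 256 rolls per batch, the second camera is covered for one roll chosen after the device has committed to its behaviour, the other 255 are checked, and 16 batch secrets are XORed. It assumes each roll is one byte (so the XOR is well defined), that the only misbehaviour is lying on one roll per batch, and uses `secrets` as a stand-in for the unpredictable choice of the covered roll; `make_die`, `audit_batch` and `run_protocol` are names chosen here, not anything from the post.

```python
"""Simulation of the cut-and-choose audit described above.

Added example, not the author's code. Assumptions: each "dice roll" is
modelled as one byte so batch outputs can be XORed; the second camera
sees every roll except one; a misbehaving device lies on exactly one
roll per batch and has to pick that roll before the hidden index exists.
"""
import secrets
from random import Random
from typing import Callable, Optional, Tuple

ROLLS_PER_BATCH = 256   # from the post
BATCHES = 16            # from the post
OUTCOMES = 256          # assumption: one byte per roll

Report = Callable[[int, int], int]   # (roll index, true value) -> value the device reports


def make_die(seed: int) -> Random:
    """Deterministic stand-in for the physical die, so runs are repeatable."""
    return Random(seed)


def honest_device(index: int, true_value: int) -> int:
    """Reports exactly what the die showed."""
    return true_value


def defecting_device(defect_index: int) -> Report:
    """Reports a wrong value on exactly one roll of the batch. The index is
    fixed when the device is built, i.e. before the auditor picks the
    unobserved roll, which is what makes the cut-and-choose argument work."""
    def report(index: int, true_value: int) -> int:
        if index == defect_index:
            return (true_value + 1) % OUTCOMES   # always differs from the die
        return true_value
    return report


def choose_hidden_index(rng: Optional[Random] = None) -> int:
    """The one roll the second camera is covered for. In the real protocol this
    must come from a source the device cannot predict at configuration time;
    `secrets` stands in for that here, `rng` is only for repeatable tests."""
    if rng is None:
        return secrets.randbelow(ROLLS_PER_BATCH)
    return rng.randrange(ROLLS_PER_BATCH)


def audit_batch(device: Report, hidden_index: int,
                die: Random) -> Tuple[bool, Optional[int]]:
    """One batch of ROLLS_PER_BATCH rolls. Every roll except `hidden_index` is
    checked against what the second camera saw. Returns (consistent, secret);
    `secret` is the device's value for the unobserved roll, None if caught."""
    secret = None
    for i in range(ROLLS_PER_BATCH):
        true_value = die.randrange(OUTCOMES)       # what the transparent box shows
        claimed = device(i, true_value)
        if i == hidden_index:
            secret = claimed                       # unobserved: becomes the output
        elif claimed != true_value:
            return False, None                     # second camera disagrees: caught
    return True, secret


def run_protocol(make_device: Callable[[int], Report], die: Random,
                 hidden_rng: Optional[Random] = None) -> Tuple[bool, Optional[int]]:
    """BATCHES audited batches with their secrets XORed. `make_device(b)` gives
    the device's behaviour in batch b. Any failed audit aborts the whole run."""
    output = 0
    for b in range(BATCHES):
        ok, secret = audit_batch(make_device(b), choose_hidden_index(hidden_rng), die)
        if not ok:
            return False, None
        output ^= secret
    return True, output


def evasion_probability(rolls: int = ROLLS_PER_BATCH, batches: int = BATCHES) -> float:
    """Chance that a device lying once per batch survives every audit, and so
    has its lie land on every XOR input: (1/rolls) ** batches."""
    return (1.0 / rolls) ** batches


def estimate_single_batch_evasion(trials: int, seed: int) -> float:
    """Monte Carlo check of the 1-in-256 figure for a single batch."""
    rng = make_die(seed)
    evaded = 0
    for _ in range(trials):
        defect = rng.randrange(ROLLS_PER_BATCH)    # device commits first...
        hidden = choose_hidden_index(rng)          # ...then the auditor chooses
        ok, _ = audit_batch(defecting_device(defect), hidden, rng)
        evaded += ok
    return evaded / trials


if __name__ == "__main__":
    print("honest device:", run_protocol(lambda b: honest_device, make_die(2014)))
    print("lying once per batch:", run_protocol(lambda b: defecting_device(b), make_die(2014)))
    print("evasion probability over 16 batches:", evasion_probability())   # 2 ** -128
    print("single-batch evasion, simulated:", estimate_single_batch_evasion(10000, 1))
```

The ordering inside `estimate_single_batch_evasion` is the whole point: the device's lie is fixed before the covered roll is drawn, so its only hope is a 1-in-256 coincidence per batch, and the XOR in `run_protocol` forces that coincidence to happen in all 16 batches. The simulation does nothing about the part the message says is still open: it takes the second camera's record, and the key that would authenticate the device's outputs, as trusted.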