assbot: Proof That Mycelium Knows How To Make A Better RNG For Its Entropy Dongle. And Isn't. | Contravex: A blog by Pete Dushenski
pete_dushenski: RebeccaBitcoin: i read the logs. have you read http://contravex.com/2014/07/17/proof-that-mycelium-knows-how-to-make-a-better-rng-for-its-entropy-dongle-and-isnt/ ?
mircea_popescu: BingoBoingo http://contravex.com/2014/07/17/proof-that-mycelium-knows-how-to-make-a-better-rng-for-its-entropy-dongle-and-isnt/http:// << this link is broken
asciilifeform: Cryptography master McGee / said, 'no use I've for this RNG, / I can eat bags of bits, / mix 'em up when I shits, / I know they'll emerge pattern-free.'
BingoBoingo: mircea_popescu: I'm more dumbfounded that he didn't just fck the rng to favor him
BingoBoingo: God is actually just the old Debian RNG flaw, n always ===== 6
mircea_popescu: well, i built a rng oscillator. go me.
BingoBoingo: do you read this thing like i do, ie, a nsa-sponsored attempt to survive the "everyone has cardano rng on board" apocalypse by making good entropy sources still circumventable ? << I read either that or some kernel aficionado who would buy a unix pacemaker
mircea_popescu: asciilifeform do you read this thing like i do, ie, a nsa-sponsored attempt to survive the "everyone has cardano rng on board" apocalypse by making good entropy sources still circumventable ?
mircea_popescu: all these people derping about "quantum-computing-strong hashes" and whatnot are starting to get on my motherfucking nerves. yo idiots! are you aware that every rng out there actually uses some sort of quantum noise ? WHAT THE FUCK ARE HASHES GOING TO DO WHEN I KNOW ALL THE SEEDS!
asciilifeform: http://yarchive.net/comp/linux/dev_random.html#update_5 << linus on rng, for anyone who hasn't already read.
asciilifeform: rng designers very often succumb to the temptation to 'inflate' their output using a hash
asciilifeform: dignork: hash is a good way to close your own eyes on problems with the rng
BingoBoingo: reeses: rng whitening http://www.epmonthly.com/www.epmonthly.com/features/current-features/oxygen-is-a-drug-act-accordingly/ Rassah alf
penguirker: New blog post: http://bitcoinpete.com/2014/07/17/proof-that-mycelium-knows-how-to-make-a-better-rng-for-its-entropy-dongle-and-isnt/
decimation: I was echoing ascii's distinction between prng and rng
mircea_popescu: the idea was that you can replace the platform's rng, in extremis, by rolling dice.
asciilifeform: they've used this kind of 'rng' for decades.
asciilifeform not really awake enough for a good flamefest. but will point out that mechanical rng setups are prone to wear effects.
benkay: hee hee hee i got the rng flamewards going again
asciilifeform: nitpick: anything you can 'seed' is not an rng.
decimation: re: rolling dice to generate RSA keypair << this is not straightforward at all, and in general you are going to end up seeding some kind of RNG to produce your primes to test
Rassah: benkay: this is what one calls a "strawman" argument. // actually this is what is being suggested that people do to create secure paper wallets. I am suggesting that ours is comparable. At the least because people who use that method don't check the RNGs of the systems they use, and at the most because we don't actually use an RNG chip, and use our own source of randomness.
asciilifeform: it was the rng << snore. big fat surprise.
BingoBoingo: mircea_popescu: Well, it was born knowing it would be the RNG. The problem is do the devs make shims or does Linuxen fix itself
mircea_popescu: http://arstechnica.com/security/2014/07/only-a-few-days-old-openssl-fork-libressl-is-declared-unsafe-for-linux/ << look at that, it was the rng.
benkay: <Rassah> so tech knowledge enough to be able to check how the software works, and maybe hardware knowledge to know what chips are being used in the schematic // well if its chips and an rng, asciilifeform's likely to tell you that unless you can inspect the chips (which you can't), you can't make claims about the RNG.
Rassah: options are. So, yeah, it's not perfect (with RNG nothing ever is). But it'll help
asciilifeform: Rassah: the skew we're talking about isn't rng output skew - the kind that can be addressed with von Neumann's algo, etc. it's the actual physical effect you're using.
asciilifeform: Rassah: ergo: if i have a sufficiently precise graph of the temperature of your unit over time, i can infer something about the sram and which cells are responsible for the bulk of the input to rng.
Rassah: It may reduce entropy, but it increases the number of attack vectors, doesn't it? Attacker would need both the hardware based RNG and the salt to compromise it
asciilifeform: Rassah: why are you using whitening (hashing) in rng? and 'because everyone does' is not acceptable answer.
Rassah: So, we won't be relying on Atmel's RNG, and will be reading their SRAM directly
asciilifeform: Rassah: what, if anything, does your product do to verify that rng is actually functioning 'as rated' before bits are used in anger?
asciilifeform: Rassah: generated only from SRAM << your code reads a standalone sram? or atmel claims to produce rng output this way inside a black box micro ?
asciilifeform: people gotta understand the importance of rng on a gizmo that doesn't import - only generates own - keys.
asciilifeform: pankkake: re: 'mycelium' << the nice thing is that i don't even need to purchase and cut open the unit to piss on it. you can't fit a user-auditable rng in a keychain. simple physical fact.
asciilifeform: benkay: there is nothing especially secret about the rng.
benkay: asciilifeform, mircea_popescu: where's the post detailing cardano rng construction?
GinAddict1: old on purpose or by chance? i.e. worried about some RNG in recent chips?
asciilifeform: justusranvier: let's try degenerate case. 'mr x owes mr y the following amount, in satoshis...' [followed by a 100MB turd from rng]
jurov: the rng is hidden on the chip
ThickAsThieves: satanic, as in, the rng is more like png?
punkman: mike_c: my rng is really bad
bitcoinpete: but i bet intel's rng is still good
mircea_popescu: pankkake: it's not necessarily weaker << it's in fact weak to very bad rng. it has displayed this in the wild, on some machines for which rng = 9
asciilifeform: BingoBoingo: tri2.jpg << rng container at bottom left hand corner of photo.
decimation: RNG analysis
asciilifeform: TheNewDeal: http://www.loper-os.org/?p=1475 << mp, other friends, and an rng
asciilifeform: TheNewDeal: i built the rng. yes, it is only one of the components.
TheNewDeal: I thought MPEX's NSA was developing some RNG
decimation: the next problem: they have an auditable RNG, but how do you know they are actually using it?
asciilifeform: decimation: there is no arcane secret in building a decent analogue rng.
asciilifeform: decimation: pretty much everyone fucks the goat right off the starting line - by using a vlsi rng
asciilifeform: decimation: rng design that involves the purchase of an active volcano is probably expensive too.
asciilifeform: even for simulation purposes (actually the original source of my interest in rng design, years ago) lfsr is crap. you get creeping periodicities.
asciilifeform: decimation: LFSRs suck. and virtually every academic treatise on rng design assumes a very impoverished physical entropy source.
asciilifeform: joecool: i don't generate keys on card << still has rng, for signature nonces.
joecool: asciilifeform: i don't generate keys on card for the rng issue, need to upload from laptop, but yeah sure no way to enter pin outside the laptop
asciilifeform: joecool: 2) vlsi - thus non-inspectable - rng and cryptographic functionality.
punkman: there's also a bunch of GPIO pins, could hook up an RNG or a geiger counter
asciilifeform: i really can't fathom the purpose of buying a mystery meat hardware rng. if you're willing to eat mystery meat, why not use the vlsi turd found in current cpu?
asciilifeform: as if it took actual thinking to build a simple analogue rng.
jurov: lol andreas schildbach is just leaking "Mycelium Entropy" rng for printing paper wallets
rithm: i use 1 as my rng
mod6: ye ole behind-the-curtain rng
asciilifeform: (a satanic rng, as spoken of here, is any and all rng where the circuit is contained on a vlsi die and cannot be audited with commonly-available equipment)
asciilifeform: artifexd, jurov: 'trezor' uses arm's satanic rng for ecdsa signing nonce. if this bothers you (it bothers me) - don't use.
jurov: Cortex M3 rng
jurov: in any case there's rng on STM chip used for ecdsa
Naphex: it's pretty basic to just use a custom RNG then Math.random in js
Naphex: hey just implement your own RNG, go for http://en.wikipedia.org/wiki/Mersenne_twister and /dev/urandom / random
BingoBoingo: Lemme guess this is also the android RNG problem
danielpbarron: don't you also need cryptographically secure RNG to do the signing?
Naphex: you can if you want use the rng to generate a priv key, but you can just as well upload one
danielpbarron: i assumed that a built-in RNG on the card meant that the key was generated on the card
Naphex: so you can use whatever rng and store/transmit it securely
Naphex: anyway regarding smart cards and rng, for bitcoin it's not that worrisome cause you can just store your private key on it and use that to sign the transactions
GAit: i specified the attaccks or problems. RNG is one
asciilifeform: the only weirdo analogue piece in my current work is the rng, and, as you might expect, it doesn't simulate.
fluffypony: kakobrekla: the Android Java RNG hack
mircea_popescu: (incidentally, the rng of the java thing is particularly atrocious. piuk (blockchaininfo) made some fixes on a fork)
asciilifeform: TestingUnoDosTre: rng.
asciilifeform: BingoBoingo: the simplest test of rng bias involves exactly this kind of calculation
asciilifeform: i can't wait for this fellow's Amazing RNG Improvement ideas.
fluffypony: robwhiz22: the rng project is basically based on buttcoin:sharpie density
asciilifeform: as if an rng were a nuke, or any other rarity
robwhiz22: mircea_popescu, are you working on an RNG project? Do you have a link?
robwhiz22: BingoBoingo, I didn't critique it. I don't know anything about any RNG project. I was just answering mircea_popescu's question, in which he quoted "and conversely objects which pass randomness tests must have high algorithmic complexity" and then said "not familiar with the 'complex objects' in question.".
kakobrekla: as to rng on trezor
danielpbarron: from what I understand, a lot of the cardano research is getting the right hardware RNG; is trezor up to the same standard?
mircea_popescu: why's you lot so worried about teh cardano anyway ? it's just a strong crypto device with impenetrable rng, what of it ?
bounce proposes to include robwhiz22 in the premium version of the rng. such noise!
asciilifeform: mike_c: 'everybody' is obsessed with the rng, but it's 1960s tech.
asciilifeform: mike_c: the rng.
asciilifeform: building rng is not hard, and is educational
asciilifeform: you'll get 'better' stats than any genuine rng.
asciilifeform: no statistical test will reveal a malicious rng
asciilifeform: artifexd: see if you can learn why the raspi rng is unsuitable for cryptography.
artifexd: I've learned that the raspberry pi has a hardware rng. My current plan is to use that. I'll Von Neumann it if necessary. Regardless, as soon as I get one, I'll use the tools asciilifeform recommended to measure the entropy.