log
a111: Logged on 2016-04-13 09:03 punkman: https://eprint.iacr.org/2016/367 "we demonstrate various weaknesses of the random number generator (RNG) in the OpenSSL cryptographic library"
punkman: https://eprint.iacr.org/2016/367 "we demonstrate various weaknesses of the random number generator (RNG) in the OpenSSL cryptographic library"
shinohai: https://bitcointalk.org/index.php?topic=1431060.0 <<< more RNG lolz
asciilifeform: http://btcbase.org/log/2016-04-10#1449706 << no rng
deedbot-: [Qntra] Weak RNG Assists Man's Lottery Fortune - http://qntra.net/2016/04/weak-rng-assists-mans-lottery-fortune/
BingoBoingo: ;;later tell shinohai pls to write up lottery rng shennaniganz
mircea_popescu: asciilifeform so your resistance is chiefly based on, "nsa is incompetent, never got an actual intellect behind the effort to fuck up my miserable rng source"
asciilifeform: and even when you install own os, remember that there is no rng.
asciilifeform: it isn't a breakage. IQ does not test the 'rng' (eysenck's 'psychoticism')
asciilifeform: aka not enough rng.
asciilifeform: include rng.
asciilifeform: mircea_popescu: rng is tricky bit on those
asciilifeform: (for n00bz: pistol is connected to a recognizer box, shoots you in the head in all universes where rng did not shit out the solution)
mircea_popescu: so i have to leave pc overnight / rng on for ten minutes to make a key ? big whoop, i make a key a year if that, and i'm an intensive user.
asciilifeform: (incidentally, the problem of an inner cipher introducing known-plaintextisms is solved routinely by splitting the payload into xor-able halves, using rng, and enciphering each ~half~ with different cipher, rather than box-in-box composition)
asciilifeform: and actually how my rng worx.
asciilifeform: mircea_popescu: it is useful the way that the rng xor is useful
phf: it is also filled with the kind of things that will give asciilifeform a severe twitch: guy takes hardware rng, runs it on raspberry pi gpio, whitens the result, and then xors in /dev/urandom. you know, for the kids!
mircea_popescu: your bias-less rng shits out n/2 ones. they go against a message containing 3/4n ones. they will flip n/2 items in the message, 3/4 of which being 1s and 1/4 being 0s. you thus end up with 3/8 old ones + 1/8 ex-zeroes for a grand total of exactly 1/2 whoa.
asciilifeform: (answer, for the thick, is that your rng, if it works correctly, is EXACTLY as likely to shit out a string that xors yours to 'kill stalin at midnight with table leg' as an equivalent length string of zeros, or any other.)
asciilifeform: funnily enough, last year there was some derp who shat into mircea_popescu's comment section with 'otp doesn't work because rng might burp out N zeros and then what'
asciilifeform: mircea_popescu is looking at his rng bias.
asciilifeform: the mircea_popescu side of the game can only be won if 1) rng is biased 2) he knows how
asciilifeform: 2) i xor over each of them with 1MB from a cardano rng.
mircea_popescu: han byte n-1. The larger of the two indicates the message encrypted ; the difference between these counts indicates your confidence (or the rng's bias).
asciilifeform: just as in the old thread where we demonstrate that trng XOR hitler's rng is still trng.
mircea_popescu: you pick one of two lengthy, structured plaintexts i provide, you encrypt them with a biasless, purely random rng, and i decide which of the two you picked.
asciilifeform: another is to have anything other than a true physical rng generating the pad.
danielpbarron: it probably suffers from the same problem as catan : bad rng
punkman: http://log.bitcoin-assets.com/?date=06-02-2016#1397806 << I saw mention of nist public rng thing
asciilifeform: the weak link of ancient otp was always the rng.
mircea_popescu: "This is interesting because nowhere do they address the central engineering issue -- that a fixed p,q is not secure yet a variable one requires another RNG to seed the RNG." << except the part where a prng IS NOT A RNG
ascii_butugychag: l0l mircea_popescu has the rng! could be swimming in rngola
ascii_butugychag: 'pushes the problem down to your rng' which 'of course' can never work
mircea_popescu: whoever sits closer to the rng in the sky prints all the money.
asciilifeform: for the rng experiment in particular, 'bus pirate' (~$20) works just as well as $1k scope
ben_vulpes: should i come up with my own harebrained scheme to do so or ask how best to get entropy out of this rng directly from you?
asciilifeform: (rng!)
BingoBoingo: Because maybe his brain rot was likely to make him spill the wrong history of the RNG
asciilifeform: mircea_popescu: i don't think even my rng gives 4096*typical-miller-rabin-retries bits of entropy in 0.5s
asciilifeform: mircea_popescu et al: maslennikov has a lulzy chapter on how rng for key generation was done (late '80s, imported 'pc xt' in kgb, but no trng naturally). answer: chix playing 'tetris'
asciilifeform: (and 'rng with whitening' which IS a prng)
asciilifeform: this is quite like the 'rng whitening'.
asciilifeform: the design of gpg rng subsystem assumes extreme entropy-starvation. this is plain as daylight from 10 minutes of reading the src.
ascii_field: rng is quite rotten
ascii_field: btw i had a fella ask me about rng at a job interview thing
ascii_field: and the conversation, from first packet onwards, must be indistinguishable from rng garbage to the enemy.
mircea_popescu: whereas if done on camera, much less rng, much less variation
ascii_field: there are 3 separate rng subsystems in gpg 1.4 - but more on this later)
assbot: Logged on 31-10-2015 21:45:55; mircea_popescu: re asciilifeform mpi : the actual extraction, and especially auditing of the rng is a very worthy project.
mircea_popescu: re asciilifeform mpi : the actual extraction, and especially auditing of the rng is a very worthy project.
mircea_popescu: this sort of thing is what i MEAN when i say "understand rng".
ascii_field: rng is merely ~one~ way to perform the function that it is for
mircea_popescu: rng is imo least understood part of the box. a sort of equivalent of magnetism in physics.
ascii_field: (re: how rng-ness is not a mathematical property of the bits, etc.)
mircea_popescu: http://log.bitcoin-assets.com/?date=29-10-2015#1310766 << the problem is wider than just "what's a good rng" or even acceptable conceptually "As rng". such as, "why is one there ?"
assbot: Logged on 25-11-2013 03:41:29; asciilifeform: the essential, non-negotiable property of an rng suitable for crypto is that its output must not be readily available to the enemy.
assbot: Logged on 29-10-2015 09:30:04; mircea_popescu: A LOT more research is needed before the cult will be happy with the cult's own understanding of what RNG even fucking means (ie, stands for) in a computing environment.
mircea_popescu: anyway, all this aside : digging out the whole rng story is a huge hot core of useful, important inquiry.
mircea_popescu: (also, the RNG content of a computer is not strictly found in a box labeled such).
mircea_popescu: davout yeah the rng.
davout: the RNG in the computer?
davout: i'm not saying that being a calculator should be the alpha and omega of computing, just that for crypto purposes it's probably better to not think of a RNG as something acceptable
mircea_popescu: so we're stuck figuring out the rng issues.
mircea_popescu: A LOT more research is needed before the cult will be happy with the cult's own understanding of what RNG even fucking means (ie, stands for) in a computing environment.
assbot: Logged on 18-09-2015 20:57:58; mircea_popescu: any program which allows for the attacker to read in any sense the rng is not necessarily owning the box, but necessarily not part of the not-owning-the-box set either
mircea_popescu: RNG!
ascii_field: Algorithm 4, we can unmask the 4-byte values returned in a status VSC response to reveal "raw" RNG bytes from the hardware side. Since this is done pre-authentication, any attacker can generate this from any locked drive.'
ascii_field: 'Another, even better, way that can be executed pre-authentication was found later. In fact, when looking deeper into the firmware code we noticed every time the status VSC is called, the raw RNG bytes are masked with a static value. This static 4-byte value, 0x271828af, is xored with the 4-byte RNG output. Further this value is xored with the last 4-byte SY N value before sending the value to the host computer. Using the
ascii_field: hint that the RNG of the JMS583S is not cryptographically safe, showing clear patterns in Figure 4.'
asciilifeform: (rng sure as fuck - can)
mircea_popescu: "The Monte-Carlo approach to engineering, if you will, but with humans doing a really bad job of playing RNG." << how mp's view of VC world sounds, without any of the bile.
mircea_popescu: ascii_field *I* am to find machine with hardware rng ?
ascii_field: now mircea_popescu, find a fast machine with hardware rng and run n = 21474837. then, shoot it into pgp.mit.edu ...
ascii_field: (goes without saying, don't run on a box where pgp is used for anything else. it will strain your rng to all hell)
ascii_field: aha, let's Run Moar Ecc! in real time! with average pc rng !
mircea_popescu: so "rng boilerplate" MAY be a usable solution, but MUST NOT be depended on going forward.
mircea_popescu: but you never will have a rng in that sense.
ascii_field: what i was trying to say is that if your rng bits are not independent of one another, you don't have an rng.
mircea_popescu: any program which allows for the attacker to read in any sense the rng is not necessarily owning the box, but necessarily not part of the not-owning-the-box set either
ascii_field: obviously if you use the ~same~ rng bits to generate key as you also made available to someone else, then you're dead
ascii_field: if your rng is worth half a pence
mircea_popescu: basic systems security is "attacker should not be able to read the machine rng".
mircea_popescu: rng bits are always key bits.
ascii_field: *rng bits are
ascii_field: if your rng key bits 'are key bits' you're sunk
mircea_popescu: however, rng is no good because now you leak rng bits, which ARE key bits.
punkman: phf: and in 2006 it had that nice rng bug
ascii_field: that if hugh everett were alive today, he might build a machine that tests rng output for being the privkey to a fat btc balance, and shoots him in the head if it fails
asciilifeform: thestringpuller: if non-memorable, then just take favourite rng and encode output in such a way that it can be re-entered via a keyboard
asciilifeform: otp has precisely three weaknesses even in principle: generation of key (solved by civilized rng); reuse of key (solved by erasing each bit immediately after it is used in a xor); capture of key by enemy (in common with any other cipher! and solved with grenade pin)
mircea_popescu: ascii_field "natura" in there is "the immediately observable", not the subatomic. there's a reason cardano rng uses electrons not whores moaning.
asciilifeform: or, on one occasion, 10MB of rng output
asciilifeform: also gotta point out that the $redacted analogue ic on the rng was prolly baked in a cn fab
mircea_popescu: asciilifeform you lose, i got your own damned rng chips here.
mircea_popescu: asciilifeform just an exotic way to rng, is in the end what he was trying to build
assbot: Logged on 01-08-2015 21:15:24; Apocalyptic: asciilifeform, I avoid having access to an rng at any further point
asciilifeform: re: rng:
asciilifeform: not like there aren't rng available now
Apocalyptic: asciilifeform, proper rng ?