## Good randomness is hard to find


**Games for Extracting Randomness**

Ran Halprin, Moni Naor
Weizmann Institute of Science, Israel
SOUPS, July 2009

**Good randomness is hard to find**

Randomness: necessary in many computational tasks. Especially in cryptography!

- Randomness generation is a major point of failure in cryptography applications:
  - The Debian Linux kernel (used in the Ubuntu distribution)
    - Removed a refresh command, leaving only PID
    - Generated only $2^{15}$ unique keys from 2006 to 2008

**Sources of Randomness**

- “Secret” data: Network Card ID, Processor ID etc.
  - Adversary may have had access to hardware
- Real time data: HD access, click times, mouse positions
  - HD doesn’t always exist (PDAs, SSD disks)
  - System might not be in direct use
- Physical sources: lava lamps, cloud patterns, atmospheric noise
  - Can be manipulated (even by accident) or copied
  - Cumbersome and expensive
- User request: “please hit many keys”, “please swish mouse”
  - QWERTY effect
  - Keyboard buffer fills quickly

Not necessarily terrible. This work: mostly complementary.

**It is Only Human to be Biased**

Sequences and numbers generated by humans are far from being “truly” random

- Problem: humans are notoriously bad at supplying randomness upon request
- Human randomness recognition is biased
- Similar results in randomness generation
- Humans assess human-generated randomness as more random than statistically good randomness
- Think of a number between 1 and 10 …7?
- Think of a number between 1 and 20 …17?
- Hot Hand
- Gambler’s fallacy
- Flip Bias

Idea: use human actions in a game as a source!

**Why Games?**

- The competitive nature of the game makes humans act more randomly when playing games
  - Compare: when just asked to act randomly
  - Demonstrated in an experiment by Rapoport and Budescu 1992.
- Playing games is more entertaining to users than simply “supplying entropy”
  - Meaning they will probably be willing to
    - Participate in the process
    - Supply more data

Von Ahn’s “Games with a purpose”

**Matching Pennies**

Winner!
[Figure: winning outcomes for Player 2 (guesser) and for Player 1 (misleader)]

Zero-sum, mixed-strategy game

**Experiments in Psychology [RB92]**

- Humans behave more randomly
  - when playing Matching Pennies
  - than when asked to generate a sequence
- Humans play against each other
- Look at a player’s “moves”
  - Black is 0, Red is 1
  - Results in binary sequences (one for each player)
- Consider tuples (2-tuples, 3-tuples, 4-tuples…)

`110011001001101110101`

Count how many appearances of each, detect sequential dependencies

**Experiments in Psychology**

| 4-tuples for | All four identical | Alternations |
|---|---|---|
| Matching Pennies | 9.2% | 15% |
| Instructed Generation | 5.2% | 19.9% |
| Expected | 12.5% | 12.5% |

**But is it good enough?**

- Still not quite random
- Only a single bit is generated
- Can apply extractors
  - Combinatorial tool allowing us to smooth the randomness
- Crypto needs many bits to bootstrap, say 128
- Need games where more bits are generated per round

**Our Contributions**

- The idea of using games to induce randomness for crypto
- Suggest a particular game, “Mice and Elephants”
  - Test it
- Suggest how to incorporate randomness extraction from games into a system
  - Robust Pseudo-Random Generator
  - OS independent

**Games Used for Extraction: Desiderata**

- Encourages players to use a strategy with high min-entropy
- There exists a way to bound from below the min-entropy used by the player in an observed interaction

Measurement of randomness

**More Desiderata**

- Fun: should be at least somewhat interesting
  - Entertain players long enough so that they will willingly play enough to produce long sequences
- Easy: should not require extensive skills from the players
- Should be reasonably short
- Should not require expensive or large hardware
  - High-resolution screen or a fast processor

**Who is Our Adversary?**

- The user is not malicious
  - Lazy?
  - Incompetent?
- But not actively trying to subvert the system
- There is an external adversary and we are trying to protect the user from it
- Generate a long and robust pseudo-random sequence

There is a second chance to check the user

**Hide and Seek**

[Figure: cells numbered 1, 2, …, n; Hider (Misleader) and Seeker (Guesser)]

**Hide and Seek**

- Natural extension of Matching Pennies
  - Zero sum
  - Mixed strategy
- Game produces $\log_2(n)$ bits of raw data per move
- But how random is this data?
  - Estimate empirically

**Mice and Elephant**

- Human positions r mice
- Computer positions elephant
- Repeat until a mouse is crushed

**Mice and Elephant**

- Obstacles positioned at most popular locations
  - Lowers repetition rate
  - Adds visual interest

**Mice and Elephant**

- Elephant and obstacle positions
  - Usually randomly copy a recently played move
  - Occasionally random
- Human cannot predict even a “bad” PRG!
- Adversary can know computer randomness
  - Doesn’t help much in determining the human’s moves
- Each pixel: a cell in the grid.
Board: 512 x 256 pixels
- Derives $\log_2 512 + \log_2 256 = 17$ bits of raw data per click

**Min-Entropy**

Probability distribution $X$ over $\{0,1\}^n$:

$$H_\infty(X) = -\log \max_x \Pr[X = x]$$

Represents the probability of the most likely value of $X$

- Example:
  - $U_n$: uniform distribution on $\{0,1\}^n$
  - $H_\infty(U_n) = n$

$X$ is a $k$-source if $H_\infty(X) \ge k$, i.e., $\Pr[X = x] \le 2^{-k}$ for all $x$

Example: for a distribution with probabilities 0.5, 0.25, 0.125, 0.125, $H_\infty(X) = \min\{\log 2, \log 4, \log 8\} = 1$

Statistical distance of distributions:

$$\Delta(X,Y) = \sum_a \left|\Pr[X=a] - \Pr[Y=a]\right|$$

**Extractors**

Universal procedure for “purifying” an imperfect source

Definition: $\mathrm{Ext}: \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^\ell$ is a (k,)-extractor if for every $k$-source $X$ the result is close to random: $\Delta(\mathrm{Ext}(X, U_d), U_\ell) \le$

Strong: output close to random even after seeing the seed

[Diagram: a $k$-source of length $n$ supplies $x$, and a “seed” $s$ of $d$ random bits, to EXT, which outputs $\ell$ almost-uniform bits]

**Results: Humans playing patterns**

- Tested 482 players, who played a total of 24,008 clicks
  - Recruited mostly online
  - Did not know experiment’s objective
- Clear bias for corners and edges
  - But maximal represented point has only 7 clicks
- If each click is independent: min-entropy ~11.7 per click
- However, humans are not stateless distributions…

**Results: Humans playing patterns**

- First order difference (log scale)
- Clear preference for nearby region and axis of previous click
- Maximal represented point: 24.
- Estimated min-entropy is ~9.96 per click

**How to use the game**

- When entropy is needed, start a game
- Repeat play until sufficient entropy is gathered
  - At least according to an estimate
- Award points according to game
- Detect “bad entropy” moves
  - Have a “dynamic score” to punish such moves

Second Chance

**Robust Pseudo-Random Generators [Barak-Halevi 05’]**

Robust PRG:

- A cryptographic pseudo-random generator
  - `next()` that outputs a block
  - `refresh()` that gets “fresh” entropy and refreshes the state

[Diagram: entropy passes through EXT into refresh(); the calls next(), refresh(), next() move the state through State1, State2, State3 and produce Output1 and Output2]

**Robust Pseudo-Random Generators [Barak-Halevi 05’]**

- Forward secure
  - After break-in: past outputs of the system should still be indistinguishable from random
- Backward secure
  - After break-in, following the next “refresh” all outputs should be indistinguishable from random
- Immune to adversary control of entropy
- Can combine different entropy sources
  - Strongest link triumphs

**Further Work and Open Problems**

- Comparison to non-game inputs
- Different games:
  - anti-ESP game
  - Camera, accelerometer games
- Different populations
  - Non-gamers
  - Casual gamers
  - Heavy gamers
- Complete system test
- Human accuracy and Fitts’ law

Thank You
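
The per-click min-entropy estimates in the two "Results" slides can be reproduced with a plug-in estimator over click positions and over first-order differences. This is an added example, not code from the presentation; the function names, the wrap-around of differences at the board edge, and the constructed player are assumptions.

```python
import math
import random
from collections import Counter

W, H = 512, 256  # board size from the slides: 17 raw bits per click

def min_entropy_bits(samples):
    """Plug-in min-entropy: -log2 of the most frequent value's share."""
    counts = Counter(samples)
    return -math.log2(max(counts.values()) / len(samples))

def first_order_differences(clicks):
    """Offset of each click from the previous one (assumed to wrap at the edges)."""
    return [((x2 - x1) % W, (y2 - y1) % H)
            for (x1, y1), (x2, y2) in zip(clicks, clicks[1:])]

def conservative_bits_per_click(clicks):
    """Credit the lower of the independent-click and first-order estimates."""
    return min(min_entropy_bits(clicks),
               min_entropy_bits(first_order_differences(clicks)))

def clicks_needed(bits_per_click, target_bits=128):
    """Clicks required before the credited entropy reaches the target."""
    return math.ceil(target_bits / bits_per_click)

def constructed_player(n, seed=1):
    """Constructed sample data: a player who often clicks just right of the last click."""
    rng = random.Random(seed)
    clicks = [(rng.randrange(W), rng.randrange(H))]
    for _ in range(n - 1):
        x, y = clicks[-1]
        if rng.random() < 0.3:   # sequential dependency
            clicks.append(((x + 3) % W, y))
        else:
            clicks.append((rng.randrange(W), rng.randrange(H)))
    return clicks

if __name__ == "__main__":
    clicks = constructed_player(5000)
    print("independent-click estimate:", round(min_entropy_bits(clicks), 2))
    print("first-order estimate:",
          round(min_entropy_bits(first_order_differences(clicks)), 2))
    print("clicks for 128 bits:", clicks_needed(conservative_bits_per_click(clicks)))
```

The constructed player looks close to uniform when clicks are counted independently, but the first-order estimate collapses to under 2 bits per click, which is why the slides report the lower, difference-based figure. The first-order view only captures dependence on the immediately preceding click.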
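
The "How to use the game" loop and the `next()`/`refresh()` interface from the robust PRG slides can be wired together as follows. This is an added sketch, not code from the presentation or from Barak and Halevi's paper: HMAC-SHA256 stands in for the PRG, an unseeded SHA-256 hash stands in heuristically for the extractor, and the class name, domain labels and the repeated-cell rule are assumptions.

```python
import hashlib
import hmac
import struct

BITS_PER_CLICK = 9.96   # first-order estimate quoted in the slides
TARGET_BITS = 128       # bootstrap amount quoted in the slides

class GameSeededPRG:
    """Sketch of the next()/refresh() interface; HMAC-SHA256 is a stand-in PRG."""

    def __init__(self):
        self.state = bytes(32)
        self.seeded = False
        self.pending = []          # clicks not yet folded into the state
        self.credited_bits = 0.0

    def add_click(self, x, y):
        """Record a game move; return True when this move triggered a refresh."""
        if self.pending and self.pending[-1] == (x, y):
            return False           # "bad entropy" move: repeated cell earns nothing
        self.pending.append((x, y))
        self.credited_bits += BITS_PER_CLICK
        if self.credited_bits >= TARGET_BITS:
            self.refresh(b"".join(struct.pack(">HH", *c) for c in self.pending))
            self.pending, self.credited_bits = [], 0.0
            return True
        return False

    def refresh(self, raw):
        """Condense raw input (extractor stand-in) and mix it into the old state."""
        extracted = hashlib.sha256(b"ext" + raw).digest()
        self.state = hmac.new(self.state, b"refresh" + extracted, hashlib.sha256).digest()
        self.seeded = True

    def next(self):
        """Output a block, then overwrite the state so past output cannot be recomputed."""
        if not self.seeded:
            raise RuntimeError("no entropy gathered yet; play the game first")
        out = hmac.new(self.state, b"output", hashlib.sha256).digest()
        self.state = hmac.new(self.state, b"advance", hashlib.sha256).digest()
        return out
```

Because `refresh()` keys the mix with the previous state, input from a weak or adversary-known source cannot make the state worse, and a state captured before a refresh does not determine outputs after it.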