
Good randomness is hard to find

Games for Extracting Randomness. Ran Halprin, Moni Naor. Weizmann Institute of Science, Israel. SOUPS, July 2009. Randomness: necessary in many computational tasks, especially in cryptography!


Presentation Transcript


  1. Good randomness is hard to find XKCD

  2. Games for Extracting Randomness Ran Halprin Moni Naor Weizmann Institute of Science Israel SOUPS, July 2009

  3. Good randomness is hard to find Randomness: necessary in many computational tasks Especially in Cryptography! • Randomness Generation - major point-of-failure in cryptography applications: • The Debian Linux kernel (used in the Ubuntu distribution) • Removed a refresh command, leaving only PID • Generated only $2^{15}$ unique keys from 2006 to 2008

  4. Sources of Randomness • “Secret” data: Network Card ID, Processor ID etc. • Adversary may have had access to hardware • Real time data: HD access, click times, mouse positions • HD doesn’t always exist (PDAs, SSD Disks.) • System might not be in direct use • Physical sources: Lava lamps, cloud patterns, atmospheric noise • Can be manipulated (even by accident) or copied • Cumbersome and expensive • User Request: “please hit many keys”, “please swish mouse” • QWERTY effect • Keyboard buffer fills quickly Not necessarily terrible. This work – mostly complementary

  5. It is Only Human to be Biased Sequences and numbers generated by humans are far from being “truly” random • Problem: humans are notoriously bad at supplying randomness upon request • Human randomness recognition is biased • Similar results in randomness generation • Humans assess human-generated randomness as more random than statistically good randomness • Think of a number between 1 and 10 …7? • Think of a number between 1 and 20 …17? • Hot Hand • Gambler’s fallacy • Flip Bias Idea: use human actions in a game as a source!

  6. Why Games? • The competitive nature of the game makes humans act more randomly when playing games • Compare: when just asked to act randomly • Demonstrated in an experiment by Rapoport and Budescu 1992. • Playing games is more entertaining to users than simply “supplying entropy”, • Meaning they will probably be willing to • Participate in the process • Supply more data. Von Ahn’s “Games with a purpose”

  7. Matching Pennies Winner! Player 2 (guesser) Wins on or Player 1 (misleader) Wins on or zero-sum mixed strategy game

  8. Experiments in Psychology [RB92] • Humans behave more randomly • when playing Matching Pennies • Than when asked to generate a sequence • Humans play against each other • Look at a player’s “moves” • Black is 0, Red is 1 • Results in binary sequences (one for each player) • Consider tuples (2-tuples, 3-tuples, 4-tuples…) 110011001001101110101 Count how many appearances of each, detect sequential dependencies

  9. Experiments in Psychology • 4-tuples for Matching Pennies: all four identical 9.2%, alternations 15% • 4-tuples for Instructed Generation: all four identical 5.2%, alternations 19.9% • Both expected: 12.5%
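
The tuple count from slides 8 and 9, as an added example that is not part of the original presentation: it counts overlapping k-tuples in a move sequence and compares the share of all-identical and alternating tuples with the expected 12.5%. The function names, the tolerance value and the second sample sequence are assumptions made here.

```python
from collections import Counter

def tuple_counts(bits: str, k: int) -> Counter:
    """Count every overlapping k-tuple in a move sequence ('0'/'1' string)."""
    if len(bits) < k:
        raise ValueError("sequence shorter than tuple length")
    return Counter(bits[i:i + k] for i in range(len(bits) - k + 1))

def bias_report(bits: str, k: int = 4) -> dict:
    """Share of all-identical and strictly alternating k-tuples.

    For unbiased independent bits each share is 2 / 2**k (12.5% for k = 4).
    """
    counts = tuple_counts(bits, k)
    total = sum(counts.values())
    identical = counts["0" * k] + counts["1" * k]
    alternating = counts[("01" * k)[:k]] + counts[("10" * k)[:k]]
    return {
        "windows": total,
        "identical": identical / total,
        "alternating": alternating / total,
        "expected": 2 / 2 ** k,
    }

def looks_human(bits: str, k: int = 4, tolerance: float = 0.05) -> bool:
    """Flag run avoidance or over-alternation beyond an assumed tolerance."""
    r = bias_report(bits, k)
    return (r["expected"] - r["identical"] > tolerance
            or r["alternating"] - r["expected"] > tolerance)

SLIDE_SEQUENCE = "110011001001101110101"     # the sequence shown on slide 8
CONSTRUCTED_ALTERNATOR = "0101101001011010"  # constructed sample input

if __name__ == "__main__":
    for name, seq in [("slide 8", SLIDE_SEQUENCE),
                      ("constructed", CONSTRUCTED_ALTERNATOR)]:
        print(name, bias_report(seq), "biased:", looks_human(seq))
```

Sequences this short only illustrate the mechanics; the percentages on slide 9 come from much longer play records.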

  10. But is it good enough? • Still not quite random • Only a single bit is generated • Can apply extractors • Combinatorial tool allowing us to smooth the randomness • Crypto needs many bits to bootstrap – say 128 • Need games where more bits are generated per round

  11. Our Contributions • The idea of using games to induce randomness for crypto • Suggest a particular game “Mice and Elephants” • Test it • Suggest how to incorporate randomness extraction from games into a system • Robust Pseudo-Random Generator • OS Independent

  12. Games Used for Extraction: Desiderata • Encourages players to use a strategy with high min-entropy • There exists a way to bound from below the min-entropy used by the player in an observed interaction (measurement of randomness)

  13. More Desiderata • Fun: Should be at least somewhat interesting • Entertain players long enough so that they will willingly play enough to produce long sequences. • Easy: not require extensive skills from the players • Should be reasonably short • Should not require expensive or large hardware • high resolution screen or a fast processor

  14. Who is Our Adversary? • The user is not malicious • Lazy? • Incompetent? • But not actively trying to subvert the system • There is an external adversary and we are trying to protect the user from it • Generate a long and robust pseudo-random sequence There is a second chance to check the user

  15. Hide and Seek • Hider (Misleader) • Seeker (Guesser) • Cells 1, 2, …, n

  16. Hide and Seek 1 2 … n

  17. Hide and Seek • Natural extension of Matching Pennies • Zero sum • Mixed Strategy • Game produces $\log_2(n)$ bits of raw data per move • But how random is this data? • Estimate empirically

  18. Mice and Elephant • Human positions r mice • Computer positions elephant • Repeat until a mouse is crushed

  19. Mice and Elephant • Obstacles positioned at most popular locations • Lowers repetition rate • Adds visual interest

  20. Mice and Elephant • Elephant and obstacle positions • Usually randomly copy a recently played move • Occasionally random • Human cannot predict even a “bad” PRG! • Adversary can know computer randomness • Doesn’t help much in determining the human’s moves • Each pixel - a cell in the grid. Board: 512 x 256 pixels • Derives $\log_2 512 + \log_2 256 = 17$ bits of raw data per click

  21. Min-Entropy Probability distribution $X$ over $\{0,1\}^n$: $H_\infty(X) = -\log \max_x \Pr[X = x]$ Represents the probability of the most likely value of $X$ • Example: $U_n$, the uniform distribution on $\{0,1\}^n$: $H_\infty(U_n) = n$ • $X$ is a $k$-source if $H_\infty(X) \ge k$, i.e., $\Pr[X = x] \le 2^{-k}$ for all $x$ • Example: probabilities 0.5, 0.25, 0.125, 0.125 give $H_\infty(X) = \min\{\log 2, \log 4, \log 8\} = 1$ • Statistical distance of distributions: $\Delta(X,Y) = \sum_a |\Pr[X=a] - \Pr[Y=a]|$

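  22. Extractors Universal procedure for “purifying” an imperfect source • Definition: $\mathrm{Ext}: \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^\ell$ is a $(k,\varepsilon)$-extractor if for every $k$-source $X$ the result is close to random: $\Delta(\mathrm{Ext}(X, U_d), U_\ell) \le \varepsilon$ • Strong: output close to random even after seeing the seed • [Diagram: a $k$-source of length $n$ supplies $x$, a “seed” of $d$ random bits supplies $s$, and EXT outputs $\ell$ almost-uniform bits]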

  23. Results: Humans playing patterns • Tested 482 players, who played a total of 24,008 clicks • Recruited mostly online • Did not know experiment’s objective • Clear bias for corners and edges • But maximal represented point has only 7 clicks • If each click is independent: min-entropy ~11.7 per click • However, humans are not stateless distributions…

  24. Results: Humans playing patterns • First order difference (log scale) • Clear preference for nearby region and axis of previous click • Maximal represented point – 24. Estimated min-entropy is ~9.96 per click

  25. How to use the game • When entropy is needed - start a game • Repeat play until sufficient entropy is gathered • At least according to an estimate • Award points according to game • Detect “bad entropy” moves • Have a “dynamic score” to punish such moves Second Chance

  26. Robust Pseudo-Random Generators [Barak-Halevi 05’] Robust PRG: • A Cryptographic Pseudo Random Generator • next() that outputs a block • refresh() that gets “fresh” entropy and refreshes the state • [Diagram: a chain of states (State1, State2, State3) linked by next(), refresh(), next(); entropy enters refresh() through EXT; the next() calls emit Output1 and Output2]

  27. Robust Pseudo-Random Generators [Barak-Halevi 05’] • Forward secure: after break-in, past outputs of the system should still be indistinguishable from random • Backward secure: after break-in, following the next “refresh” all outputs should be indistinguishable from random • Immune to adversary control of entropy • Can combine different entropy sources • Strongest link triumphs • [Diagram: a chain of states (State1, State2, State3) linked by next(), refresh(), next(); entropy enters refresh() through EXT; the next() calls emit Output1 and Output2]
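
A sketch of the next()/refresh() interface from slides 26 and 27, fed by game clicks as slide 25 describes. This is an added example, not the construction from the presentation or from Barak and Halevi's paper: HMAC-SHA256 stands in for both the PRG and EXT, and the class name, method names other than next() and refresh(), the 128-bit threshold default and the sample clicks are assumptions made here.

```python
import hashlib
import hmac

def _prg(key: bytes, label: bytes) -> bytes:
    # Stand-in for the cryptographic PRG (assumption): HMAC-SHA256.
    return hmac.new(key, label, hashlib.sha256).digest()

def _ext(seed: bytes, sample: bytes) -> bytes:
    # Stand-in for EXT with a public seed (assumption, not a proven extractor).
    return hmac.new(seed, sample, hashlib.sha256).digest()

class RobustPRG:
    def __init__(self, seed: bytes, threshold_bits: float = 128.0):
        self.seed = seed
        self.state = bytes(32)              # unusable until the first refresh
        self.seeded = False
        self.threshold = threshold_bits
        self.pool, self.pool_bits = [], 0.0

    def next(self) -> bytes:
        if not self.seeded:
            raise RuntimeError("no entropy gathered yet")
        out = _prg(self.state, b"output")
        # Overwrite the state one-way, so a later break-in cannot rewind it.
        self.state = _prg(self.state, b"next-state")
        return out

    def refresh(self, sample: bytes) -> None:
        ext = _ext(self.seed, sample)
        mixed = bytes(a ^ b for a, b in zip(self.state, ext))
        self.state = _prg(mixed, b"refresh")
        self.seeded = True

    def add_click(self, x: int, y: int, est_bits: float) -> bool:
        """Pool one game click; refresh only once the estimate is sufficient."""
        self.pool.append(x.to_bytes(2, "big") + y.to_bytes(2, "big"))
        self.pool_bits += est_bits
        if self.pool_bits < self.threshold:
            return False
        self.refresh(b"".join(self.pool))
        self.pool, self.pool_bits = [], 0.0
        return True

def play(gen: RobustPRG, clicks, est_bits: float = 9.96) -> int:
    """Feed clicks; return how many were consumed before the first refresh."""
    for used, (x, y) in enumerate(clicks, start=1):
        if gen.add_click(x, y, est_bits):
            return used
    return 0

# Constructed clicks on the 512 x 256 board, for illustration only.
CONSTRUCTED_CLICKS = [(37 * i % 512, 91 * i % 256) for i in range(1, 21)]
```

Pooling clicks until the estimate reaches the threshold, instead of refreshing on every click, keeps an observer of the outputs from guessing the new entropy a few bits at a time.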

  28. A Complete Construction

  29. A Complete Construction

  30. Further Work and Open Problems • Comparison to non-game inputs • Different games: • anti-ESP game • Camera, accelerometer games • Different populations • Complete system test • Human accuracy and Fitts’ law • Non-gamers • casual gamers • heavy gamers Thank You

  31. Good randomness is hard to find XKCD
