Good randomness is hard to find
Transcript of Good randomness is hard to find
1
Good randomness is hard to find
XKCD
Games for Extracting Randomness
Weizmann Institute of Science
Israel
Moni Naor, Ran Halprin
SOUPS, July 2009
3
Good randomness is hard to find
Randomness: necessary in many computational tasks
  Especially in Cryptography!
Randomness generation - major point of failure in cryptography applications:
The Debian Linux kernel (used in the Ubuntu distribution)
  Removed a refresh command, leaving only PID
  Generated only $2^{15}$ unique keys from 2006 to 2008
4
Sources of Randomness
“Secret” data: Network Card ID, Processor ID etc.
  Adversary may have had access to hardware
Real time data: HD access, click times, mouse positions
  HD doesn’t always exist (PDAs, SSD Disks.)
  System might not be in direct use
Physical sources: Lava lamps, cloud patterns, atmospheric noise
  Can be manipulated (even by accident) or copied
  Cumbersome and expensive
User Request: “please hit many keys”, “please swish mouse”
  Not necessarily terrible. This work – mostly complementary
  • QWERTY effect
  • Keyboard buffer fills quickly
5
It is Only Human to be Biased
Sequences and numbers generated by humans are far from being “truly” random
Problem: humans are notoriously bad at supplying randomness upon request
  Human randomness recognition is biased
  Similar results in randomness generation
  Humans assess human-generated randomness as more random than statistically good randomness
Think of a number between 1 and 10 … 7?
Think of a number between 1 and 20 … 17?
Hot Hand, Gambler’s fallacy, Flip Bias
Idea: use human actions in a game as a source!
6
Why Games?
1. The competitive nature of the game makes humans act more randomly when playing games
   Compare: when just asked to act randomly
   Demonstrated in an experiment by Rapoport and Budescu 1992.
2. Playing games is more entertaining to users than simply “supplying entropy”, meaning they will probably be willing to
   Participate in the process
   Supply more data.
Von Ahn’s “Games with a purpose”
7
Matching Pennies
Winner!
Player 1 (misleader) Wins on or
Player 2 (guesser) Wins on or
zero-sum mixed strategy game
8
Experiments in Psychology [RB92]
Humans behave more randomly when playing Matching Pennies than when asked to generate a sequence
Humans play against each other
Look at a player’s “moves”: Black is 0, Red is 1
Results in binary sequences (one for each player)
Consider tuples (2-tuples, 3-tuples, 4-tuples…)
110011001001101110101
Count how many appearances of each, detect sequential dependencies
11
Experiments in Psychology
[Figure: two bar charts of the frequency of each 4-tuple, from (1,1,1,1) to (1,0,1,0): “4-tuples for Matching Pennies” and “4-tuples for Instructed Generation”]
4-tuples for Matching Pennies: all four identical 9.2%, alternations 15%
4-tuples for Instructed Generation: all four identical 5.2%, alternations 19.9%
Both expected 12.5%
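The tuple count described on the [RB92] slides, as an added example that is not part of the talk: it tallies k-tuples in a 0/1 move string and reports the share that are all-identical or strictly alternating, the two categories compared with the 12.5% expectation, plus how often a move differs from the previous one. Function names are illustrative, counting overlapping windows is an assumption, and the sample is the sequence shown on the slide.

```python
from collections import Counter

def tuple_counts(bits: str, k: int = 4) -> Counter:
    """Count every overlapping k-tuple in a 0/1 move string (sliding window: an assumption)."""
    if set(bits) - {"0", "1"}:
        raise ValueError("moves must be encoded as 0/1")
    return Counter(bits[i:i + k] for i in range(len(bits) - k + 1))

def bias_report(bits: str, k: int = 4) -> dict:
    """Summarise the sequential dependencies a fair coin would not show."""
    counts = tuple_counts(bits, k)
    windows = sum(counts.values())
    if windows == 0:
        raise ValueError("sequence shorter than k")
    identical = counts["0" * k] + counts["1" * k]
    alternating = counts[("01" * k)[:k]] + counts[("10" * k)[:k]]
    # Fraction of moves that differ from the move before (fair source: 50%).
    switches = sum(a != b for a, b in zip(bits, bits[1:]))
    return {
        "windows": windows,
        "identical": identical / windows,
        "alternating": alternating / windows,
        "expected_each": 2 / 2 ** k,          # 12.5% for k = 4
        "switch_rate": switches / (len(bits) - 1),
    }

# Sequence shown on the slide (Black = 0, Red = 1).
SLIDE_SEQUENCE = "110011001001101110101"

if __name__ == "__main__":
    r = bias_report(SLIDE_SEQUENCE)
    print(f"{r['windows']} windows: identical {r['identical']:.1%}, "
          f"alternating {r['alternating']:.1%} (expected {r['expected_each']:.1%} each), "
          f"switch rate {r['switch_rate']:.0%}")
```

A sequence this short only illustrates the bookkeeping; the percentages on the slide come from many players' full games.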
12
But is it good enough?
Still not quite random
Only a single bit is generated
Can apply extractors
• Combinatorial tool allowing us to smooth the randomness
• Crypto needs many bits to bootstrap – say 128
Need games where more bits are generated per round
13
Our Contributions
The idea of using games to induce randomness for crypto
Suggest a particular game “Mice and Elephants”
  Test it
Suggest how to incorporate randomness extraction from games into a system
  Robust Pseudo-Random Generator
  OS Independent
14
Games Used for Extraction: Desiderata
Encourages players to use a strategy with high min-entropy
There exists a way to bound from below the min-entropy used by the player in an observed interaction
  Measurement of randomness
15
More Desiderata
Fun: Should be at least somewhat interesting
  Entertain players long enough so that they will willingly play enough to produce long sequences.
Easy: not require extensive skills from the players
Should be reasonably short
Should not require expensive or large hardware
  High resolution screen or a fast processor
16
Who is Our Adversary?
The user is not malicious
  Lazy? Incompetent?
  But not actively trying to subvert the system
There is an external adversary and we are trying to protect the user from it
  Generate a long and robust pseudo-random sequence
There is a second chance to check the user
17
Hide and Seek
[Figure: row of cells labeled 1, 2, …, n]
Hider (Misleader)
Seeker (Guesser)
18
Hide and Seek
[Figure: row of cells labeled 1, 2, …, n]
19
Hide and Seek
Natural extension of Matching Pennies
  Zero sum
  Mixed Strategy
Game produces log2(n) bits of raw data per move
But how random is this data?
  Estimate empirically
20
Mice and Elephant
• Human positions r mice
• Computer positions elephant
• Repeat until a mouse is crushed
21
Mice and Elephant
• Obstacles positioned at most popular locations
  - Lowers repetition rate
  - Adds visual interest
22
Mice and Elephant
Elephant and obstacle positions
  Usually randomly copy a recently played move
  Occasionally random
Human cannot predict even a “bad” PRG!
Adversary can know computer randomness
  Doesn’t help much in determining the human’s moves
Each pixel - a cell in the grid. Board: 512 x 256 pixels
  Derives $\log_2 512 + \log_2 256 = 17$ bits of raw data per click
23
Min-Entropy
Probability distribution $X$ over $\{0,1\}^n$
$H_\infty(X) = -\log \max_x \Pr[X = x]$
$X$ is a $k$-source if $H_\infty(X) \ge k$, i.e., $\Pr[X = x] \le 2^{-k}$ for all $x$
Represents the probability of the most likely value of $X$
Statistical distance of distributions: $\Delta(X,Y) = \sum_a |\Pr[X=a] - \Pr[Y=a]|$
Example:
• $U_n$ – uniform distribution on $\{0,1\}^n$: $H_\infty(U_n) = n$
Example: probabilities 0.5, 0.25, 0.125, 0.125
$H_\infty(X) = \min\{\log 2, \log 4, \log 8\} = 1$
24
Extractors
Universal procedure for “purifying” an imperfect source
Definition:
$\mathrm{Ext}: \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^\ell$ is a (k,)-extractor if for every $k$-source $X$ the result is close to random
$\Delta(\mathrm{Ext}(X, U_d), U_\ell) \le$
[Diagram: EXT takes x, a k-source of length n, and s, a “seed” of d random bits, and outputs ℓ almost-uniform bits]
Strong: output close to random even after seeing the seed
26
Results: Humans playing patterns
Tested 482 players, who played a total of 24,008 clicks
  Recruited mostly online
  Did not know experiment’s objective
Clear bias for corners and edges
  But maximal represented point has only 7 clicks
If each click is independent: min-entropy ~11.7 per click
However, humans are not stateless distributions…
27
Results: Humans playing patterns
First order difference (log scale)
Clear preference for nearby region and axis of previous click
Maximal represented point – 24.
Estimated min-entropy is ~9.96 per click
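How the two per-click figures on these results slides follow from the reported counts, as an added example that is not the authors' code: the plug-in min-entropy estimate is the negative log2 of the most frequent value's share, taken first over raw click positions and then over the offset from the previous click. Function names and the sample clicks are constructed, and using 24,008 as the sample size for both estimates is an assumption.

```python
import math
from collections import Counter

def min_entropy_from_max(max_count: int, total: int) -> float:
    """Plug-in estimate of H_inf: -log2(share of the most frequent value)."""
    if not 0 < max_count <= total:
        raise ValueError("need 0 < max_count <= total")
    return -math.log2(max_count / total)

def estimate_positions(clicks) -> float:
    """Zeroth-order estimate: treats every click as an independent draw."""
    counts = Counter(clicks)
    return min_entropy_from_max(max(counts.values()), len(clicks))

def estimate_differences(clicks) -> float:
    """First-order estimate: distribution of (dx, dy) from the previous click,
    which exposes habits such as always moving the same way."""
    diffs = [(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(clicks, clicks[1:])]
    if not diffs:
        raise ValueError("need at least two clicks")
    counts = Counter(diffs)
    return min_entropy_from_max(max(counts.values()), len(diffs))

# Constructed sample: a player stepping diagonally across the 512 x 256 board.
SAMPLE_CLICKS = [(10, 10), (20, 20), (30, 30), (40, 40), (300, 5)]

if __name__ == "__main__":
    # Counts reported on the slides.
    print(f"positions:   {min_entropy_from_max(7, 24008):.2f} bits/click")
    print(f"differences: {min_entropy_from_max(24, 24008):.2f} bits/click")
    # Every sample position is distinct, yet the moves are highly predictable.
    print(f"sample: {estimate_positions(SAMPLE_CLICKS):.2f} vs "
          f"{estimate_differences(SAMPLE_CLICKS):.2f} bits/click")
```

The constructed sample shows why the slides move to differences: positions that never repeat can still come from a nearly deterministic walk.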
29
How to use the game
When entropy is needed - start a game
Repeat play until sufficient entropy is gathered
  At least according to an estimate
Award points according to game
Detect “bad entropy” moves
  Have a “dynamic score” to punish such moves
Second Chance
30
Robust Pseudo-Random Generators [Barak-Halevi 05’]
Robust PRG: a cryptographic pseudo-random generator with
  next(), which outputs a block
  refresh(), which gets “fresh” entropy and refreshes the state
[Diagram: State1, State2 and State3 linked by next(), which produces Output1 and Output2, and by refresh(), which takes entropy through EXT]
31
Robust Pseudo-Random Generators [Barak-Halevi 05’]
Forward secure
  After break-in: past outputs of the system should still be indistinguishable from random
Backward secure
  After break-in, following the next “refresh” all outputs should be indistinguishable from random
Immune to adversary control of entropy
Can combine different entropy sources
  Strongest link triumphs
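A sketch of the next()/refresh() interface and the play-until-enough-entropy loop from the preceding slides, added here as an example and not the authors' construction. SHAKE-256 stands in for the PRG and HMAC-SHA256 under a public seed for the extractor; the class name, 256-bit state and click encoding are assumptions. Each click is credited with the ~9.96-bit estimate and a refresh happens once 128 bits are credited.

```python
import hashlib
import hmac
import struct

STATE_LEN = 32          # 256-bit internal state (assumption)
BITS_PER_CLICK = 9.96   # first-order estimate from the results slide
TARGET_BITS = 128       # "say 128" bits needed to bootstrap

def _prg(state: bytes, out_len: int) -> bytes:
    """PRG stand-in: expand the state with SHAKE-256."""
    return hashlib.shake_256(b"robust-prg" + state).digest(out_len)

def _ext(seed: bytes, raw: bytes) -> bytes:
    """Extractor stand-in: HMAC-SHA256 keyed by a public seed."""
    return hmac.new(seed, raw, hashlib.sha256).digest()

class RobustPRG:
    def __init__(self, seed: bytes):
        self.seed = seed                # public extractor seed
        self.state = bytes(STATE_LEN)   # all-zero until the first refresh
        self.pending = []               # clicks gathered since the last refresh
        self.seeded = False

    def add_click(self, x: int, y: int) -> bool:
        """Queue one game click; refresh once the estimate reaches TARGET_BITS."""
        self.pending.append(struct.pack(">HH", x, y))
        if len(self.pending) * BITS_PER_CLICK >= TARGET_BITS:
            self.refresh(b"".join(self.pending))
            self.pending.clear()
            return True
        return False

    def refresh(self, raw: bytes) -> None:
        """XOR extracted entropy into the state, then pass it through the PRG."""
        y = _ext(self.seed, raw)
        mixed = bytes(a ^ b for a, b in zip(self.state, y))
        self.state = _prg(mixed, STATE_LEN)
        self.seeded = True

    def next(self, n: int = 16) -> bytes:
        """Return n bytes and overwrite the state, so a later break-in
        does not hold the state that produced this output."""
        if not self.seeded:
            raise RuntimeError("no entropy gathered yet")
        block = _prg(self.state, n + STATE_LEN)
        self.state = block[n:]
        return block[:n]
```

Because refresh() mixes new entropy into the existing state rather than replacing it, weak input from one source does not erase what earlier sources contributed.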
33
A Complete Construction
34
A Complete Construction
35
Further Work and Open Problems
Comparison to non-game inputs
Different games:
  anti-ESP game
  Camera, accelerometer games
Different populations
  • Non-gamers • casual gamers • heavy gamers
Complete system test
Human accuracy and Fitts’ law
Thank You
36
Good randomness is hard to find
XKCD