FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » How to generate cryptographically-secure random big-integers?
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
How to generate cryptographically-secure random big-integers? [message #170213] Wed, 20 October 2010 06:57 Go to next message
seeWebInstead is currently offline  seeWebInstead
Messages: 14
Registered: October 2010
Karma: 0
Junior Member
I need to generate a random integer uniformly distributed from 0 to
165704257009980305087908956205223296585688096305918417966291411066008093135 190411324365527113804568013399264982255120906812142560021321323875432044092 494966970218269418334085525290028472777766273110227504712320
The following code:
srand(time());
$random = (rand()%9); ...etc...
:is no good because time returns 1287555603 currently, and it would
be relatively easy for somebody who has access to my source code to
try all possible values for the time seed, a 10-digit integer, and
thus crack my cryptosystem. I'm doing personal research to try to
find something that is truly random for two hundred and ten
independently random cryptographically secure digits. My current
idea is to call the microsecond-time function a moderately large
number of times in succession, subtract adacent values (result
usually 4, often 5, rarely any other value), build a Markovian
model for the sequence, and then apply interval refinement directly
to the interval where I want the value until the length of the
interval is small enough to specify a single integer. But before I
go to a lot of effort to develop this idea, maybe one of you has an
idea for some method somebody else already did that I could use
instead?

P.S. Here's a sample run of the microsecond-time differences:
33 6 4 4 4 5 4 4 6 4 4 5 5 5 4 4 5 4 4 4 4 5 4 4 4 4 4 4 5 4 4 4 5 4 5 4 4 4 4 5 4 4 4 5 4 4 6 5 4 4 4 5 4 4 4 4 4 4 4 5 5 4 4 5 5 4 4 5 4 4 4 4 4 5 4 4 4 4 5 4 4 5 5 4 5 3 5 4 4 4 4 5 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 5 6 4 7 4 4 4 4 5 4 4 4 4 4 4 4 3 5 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 4 4 4 4 5 4 4 4 4 7 5 3 5 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 4 4 4 5 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 8 4 4 4 4 4 5 3 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 3 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 4 3 5 4 4 4 4 3 4 5 3 4 5 3 4 5 4 3 5 4 3 5 4 3 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 3 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 3 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 10 5 4 4 4 4 4 4 4 4 4 5 4 4 4 5 4 4 4 5 4 4 4 5 4 4 5 4 4 5 4 4 5 4 4 4 5 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 5 4 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 4 5 4 4 5 4 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 4 5 4 4 4 4 5 4 4 4 5 4 4 4 4 5 4 4 4 5 4 4 4 4 5 4 4 4 5
and here's the corresponding null-context tally:
Array
(
[3] => 14
[4] => 570
[5] => 106
[6] => 4
[7] => 2
[8] => 1
[10] => 1
[33] => 1
)
Unfortunately, adjacent differences are highly correlated, as you
can see by visual examination of the raw differences, so the
null-context tally is not a good model for the data. Only a small
number of sequences of data are likely, hence only a small number
of the values from 0 to the maximum integer would actually be
likely to appear, and somebody could guess them all and thus crack
my cryptosystem. Instead, I'll need to dynamically choose a set of
non-null left-contexts, which is messy to optimize, especially in
real time as I'm bootstrapping a cryptosystem to a remote site, and
then compile a set of tallies for each left context being used, and
then consider each difference in the appropriate left context i.e.
use the appropriate tally for converting that difference into an
interval refinement.
Re: How to generate cryptographically-secure random big-integers? [message #170215 is a reply to message #170213] Wed, 20 October 2010 09:29 Go to previous messageGo to next message
alvaro.NOSPAMTHANX is currently offline  alvaro.NOSPAMTHANX
Messages: 277
Registered: September 2010
Karma: 0
Senior Member
El 20/10/2010 8:57, Robert Maas, http://tinyurl.com/uh3t escribió/wrote:
> I need to generate a random integer uniformly distributed from 0 to
> 165704257009980305087908956205223296585688096305918417966291411066008093135 190411324365527113804568013399264982255120906812142560021321323875432044092 494966970218269418334085525290028472777766273110227504712320
> The following code:
> srand(time());

You only need to set a seed for PHP versions older than 4.2.0.

> $random = (rand()%9); ...etc...

As soon as you start using rand() you realize that its output is far
from random:

http://www.boallen.com/random-numbers.html

I've found mt_rand() quite more appropriate.


> :is no good because time returns 1287555603 currently, and it would
> be relatively easy for somebody who has access to my source code to
> try all possible values for the time seed, a 10-digit integer, and
> thus crack my cryptosystem. I'm doing personal research to try to
> find something that is truly random for two hundred and ten
> independently random cryptographically secure digits. My current
> idea is to call the microsecond-time function a moderately large
> number of times in succession, subtract adacent values (result
> usually 4, often 5, rarely any other value), build a Markovian
> model for the sequence, and then apply interval refinement directly
> to the interval where I want the value until the length of the
> interval is small enough to specify a single integer. But before I
> go to a lot of effort to develop this idea, maybe one of you has an
> idea for some method somebody else already did that I could use
> instead?

The rest of your message involve mathematical issues that go beyond my
reach, sorry <:-) However, why exactly are you building your own
cryptosystem when there're so many libraries out there?




--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://borrame.com
-- Mi web de humor satinado: http://www.demogracia.com
--
Re: How to generate cryptographically-secure random big-integers? [message #170216 is a reply to message #170215] Wed, 20 October 2010 09:36 Go to previous messageGo to next message
The Natural Philosoph is currently offline  The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
Senior Member
Álvaro G. Vicario wrote:
> El 20/10/2010 8:57, Robert Maas, http://tinyurl.com/uh3t escribió/wrote:
>> I need to generate a random integer uniformly distributed from 0 to
>> 165704257009980305087908956205223296585688096305918417966291411066008093135 190411324365527113804568013399264982255120906812142560021321323875432044092 494966970218269418334085525290028472777766273110227504712320
>>
>> The following code:
>> srand(time());
>
> You only need to set a seed for PHP versions older than 4.2.0.
>
>> $random = (rand()%9); ...etc...
>
> As soon as you start using rand() you realize that its output is far
> from random:
>
> http://www.boallen.com/random-numbers.html
>
> I've found mt_rand() quite more appropriate.
>
>
>> :is no good because time returns 1287555603 currently, and it would
>> be relatively easy for somebody who has access to my source code to
>> try all possible values for the time seed, a 10-digit integer, and
>> thus crack my cryptosystem. I'm doing personal research to try to
>> find something that is truly random for two hundred and ten
>> independently random cryptographically secure digits. My current
>> idea is to call the microsecond-time function a moderately large
>> number of times in succession, subtract adacent values (result
>> usually 4, often 5, rarely any other value), build a Markovian
>> model for the sequence, and then apply interval refinement directly
>> to the interval where I want the value until the length of the
>> interval is small enough to specify a single integer. But before I
>> go to a lot of effort to develop this idea, maybe one of you has an
>> idea for some method somebody else already did that I could use
>> instead?
>
> The rest of your message involve mathematical issues that go beyond my
> reach, sorry <:-) However, why exactly are you building your own
> cryptosystem when there're so many libraries out there?
>
>
security by obscurity?

with A->D converters so cheap, why not build a dongle and sample thermal
noise? from some bit of semiconductor..

Nice product there. USB random sequence generator...
>
>
Re: How to generate cryptographically-secure random big-integers? [message #170217 is a reply to message #170213] Wed, 20 October 2010 09:51 Go to previous messageGo to next message
Erwin Moller is currently offline  Erwin Moller
Messages: 228
Registered: September 2010
Karma: 0
Senior Member
On 10/20/2010 8:57 AM, Robert Maas, http://tinyurl.com/uh3t wrote:
> I need to generate a random integer uniformly distributed from 0 to
> 165704257009980305087908956205223296585688096305918417966291411066008093135 190411324365527113804568013399264982255120906812142560021321323875432044092 494966970218269418334085525290028472777766273110227504712320
> The following code:
> srand(time());
> $random = (rand()%9); ...etc...
> :is no good because time returns 1287555603 currently, and it would
> be relatively easy for somebody who has access to my source code to
> try all possible values for the time seed, a 10-digit integer, and
> thus crack my cryptosystem. I'm doing personal research to try to
> find something that is truly random for two hundred and ten
> independently random cryptographically secure digits. My current
> idea is to call the microsecond-time function a moderately large
> number of times in succession, subtract adacent values (result
> usually 4, often 5, rarely any other value), build a Markovian
> model for the sequence, and then apply interval refinement directly
> to the interval where I want the value until the length of the
> interval is small enough to specify a single integer. But before I
> go to a lot of effort to develop this idea, maybe one of you has an
> idea for some method somebody else already did that I could use
> instead?
>
> P.S. Here's a sample run of the microsecond-time differences:
> 33 6 4 4 4 5 4 4 6 4 4 5 5 5 4 4 5 4 4 4 4 5 4 4 4 4 4 4 5 4 4 4 5 4 5 4 4 4 4 5 4 4 4 5 4 4 6 5 4 4 4 5 4 4 4 4 4 4 4 5 5 4 4 5 5 4 4 5 4 4 4 4 4 5 4 4 4 4 5 4 4 5 5 4 5 3 5 4 4 4 4 5 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 5 6 4 7 4 4 4 4 5 4 4 4 4 4 4 4 3 5 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 4 4 4 4 5 4 4 4 4 7 5 3 5 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 4 4 4 5 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 8 4 4 4 4 4 5 3 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 3 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 4 3 5 4 4 4 4 3 4 5 3 4 5 3 4 5 4 3 5 4 3 5 4 3 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 3 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 3 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4
4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 10 5 4 4 4 4 4 4 4 4 4 5 4 4 4 5 4 4 4 5 4 4 4 5 4 4 5 4 4 5 4 4 5 4 4 4 5 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 5 4 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 4 5 4 4 5 4 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 4 5 4 4 4 4 5 4 4 4 5 4 4 4 4 5 4 4 4 5 4 4 4 4 5 4 4 4 5
> and here's the corresponding null-context tally:
> Array
> (
> [3] => 14
> [4] => 570
> [5] => 106
> [6] => 4
> [7] => 2
> [8] => 1
> [10] => 1
> [33] => 1
> )
> Unfortunately, adjacent differences are highly correlated, as you
> can see by visual examination of the raw differences, so the
> null-context tally is not a good model for the data. Only a small
> number of sequences of data are likely, hence only a small number
> of the values from 0 to the maximum integer would actually be
> likely to appear, and somebody could guess them all and thus crack
> my cryptosystem. Instead, I'll need to dynamically choose a set of
> non-null left-contexts, which is messy to optimize, especially in
> real time as I'm bootstrapping a cryptosystem to a remote site, and
> then compile a set of tallies for each left context being used, and
> then consider each difference in the appropriate left context i.e.
> use the appropriate tally for converting that difference into an
> interval refinement.


Hi Robert,

I noticed you used:
srand(time());
But the manual says:
===================================================================
Note: As of PHP 4.2.0, there is no need to seed the random number
generator with srand() or mt_srand() as this is now done automatically.
===================================================================
But the manual is not very clear on the exact implementation it uses
when you do not call srand().

But there are a few other approaches you could consider:
1) /dev/random
And in case you are on Linux, have a look at /dev/random/
http://en.wikipedia.org/wiki//dev/random
It says: "It allows access to environmental noise collected from device
drivers and other sources.", which sounds promising, as in impossible
for the man-in-the-middle to predict.

2) Use one of these online random generators, based on nuclear fission.
But this is probably a bad idea since that communication can be heard by
the man-in-the-middle.

3) If you are really serious about randomness, you could buy one of
these cards that generate true random numbers.
Possible /dev/random can do the same. I never looked into it any deeper
than this. ;-)

Another approach (I don't like) that was mentioned in the user
contributions on the PHP manual was: request some webpage and measure
the time needed (micros) to fetch it. And use that number as the seed.

One last thing: Why not use mt_rand()? It seems to be better:
http://nl2.php.net/manual/en/function.mt-rand.php

Regards,
Erwin Moller

Disclaimer: I am not random number generator expert.


--
"There are two ways of constructing a software design: One way is to
make it so simple that there are obviously no deficiencies, and the
other way is to make it so complicated that there are no obvious
deficiencies. The first method is far more difficult."
-- C.A.R. Hoare
Re: How to generate cryptographically-secure random big-integers? [message #170218 is a reply to message #170216] Wed, 20 October 2010 09:53 Go to previous messageGo to next message
Erwin Moller is currently offline  Erwin Moller
Messages: 228
Registered: September 2010
Karma: 0
Senior Member
On 10/20/2010 11:36 AM, The Natural Philosopher wrote:
> Álvaro G. Vicario wrote:
>> El 20/10/2010 8:57, Robert Maas, http://tinyurl.com/uh3t escribió/wrote:
>>> I need to generate a random integer uniformly distributed from 0 to
>>> 165704257009980305087908956205223296585688096305918417966291411066008093135 190411324365527113804568013399264982255120906812142560021321323875432044092 494966970218269418334085525290028472777766273110227504712320
>>>
>>> The following code:
>>> srand(time());
>>
>> You only need to set a seed for PHP versions older than 4.2.0.
>>
>>> $random = (rand()%9); ...etc...
>>
>> As soon as you start using rand() you realize that its output is far
>> from random:
>>
>> http://www.boallen.com/random-numbers.html
>>
>> I've found mt_rand() quite more appropriate.
>>
>>
>>> :is no good because time returns 1287555603 currently, and it would
>>> be relatively easy for somebody who has access to my source code to
>>> try all possible values for the time seed, a 10-digit integer, and
>>> thus crack my cryptosystem. I'm doing personal research to try to
>>> find something that is truly random for two hundred and ten
>>> independently random cryptographically secure digits. My current
>>> idea is to call the microsecond-time function a moderately large
>>> number of times in succession, subtract adacent values (result
>>> usually 4, often 5, rarely any other value), build a Markovian
>>> model for the sequence, and then apply interval refinement directly
>>> to the interval where I want the value until the length of the
>>> interval is small enough to specify a single integer. But before I
>>> go to a lot of effort to develop this idea, maybe one of you has an
>>> idea for some method somebody else already did that I could use
>>> instead?
>>
>> The rest of your message involve mathematical issues that go beyond my
>> reach, sorry <:-) However, why exactly are you building your own
>> cryptosystem when there're so many libraries out there?
>>
>>
> security by obscurity?
>
> with A->D converters so cheap, why not build a dongle and sample thermal
> noise? from some bit of semiconductor..

Already exists: when you use /dev/random on Linux, it can use noise.
(See link in my other reply)
:-)

Regards,
Erwin Moller


>
> Nice product there. USB random sequence generator...
>>
>>


--
"There are two ways of constructing a software design: One way is to
make it so simple that there are obviously no deficiencies, and the
other way is to make it so complicated that there are no obvious
deficiencies. The first method is far more difficult."
-- C.A.R. Hoare
Re: How to generate cryptographically-secure random big-integers? [message #170219 is a reply to message #170213] Wed, 20 October 2010 10:00 Go to previous messageGo to next message
Adam Harvey is currently offline  Adam Harvey
Messages: 25
Registered: September 2010
Karma: 0
Junior Member
On Tue, 19 Oct 2010 23:57:08 -0700, Robert Maas, http://tinyurl.com/uh3t
wrote:
> I need to generate a random integer uniformly distributed from 0 to
>
165704257009980305087908956205223296585688096305918417966291411066008093135 190411324365527113804568013399264982255120906812142560021321323875432044092 494966970218269418334085525290028472777766273110227504712320
> The following code:
> srand(time());
> $random = (rand()%9); ...etc...
> :is no good because time returns 1287555603 currently, and it would be
> relatively easy for somebody who has access to my source code to try all
> possible values for the time seed, a 10-digit integer, and thus crack my
> cryptosystem. I'm doing personal research to try to find something that
> is truly random for two hundred and ten independently random
> cryptographically secure digits. My current idea is to call the
> microsecond-time function a moderately large number of times in
> succession, subtract adacent values (result usually 4, often 5, rarely
> any other value), build a Markovian model for the sequence, and then
> apply interval refinement directly to the interval where I want the
> value until the length of the interval is small enough to specify a
> single integer. But before I go to a lot of effort to develop this idea,
> maybe one of you has an idea for some method somebody else already did
> that I could use instead?

It requires 5.3 and OpenSSL, but the openssl_random_pseudo_bytes() seems
like it would do pretty much what you want.

Adam
Re: How to generate cryptographically-secure random big-integers? [message #170220 is a reply to message #170217] Wed, 20 October 2010 10:08 Go to previous messageGo to next message
The Natural Philosoph is currently offline  The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
Senior Member
Erwin Moller wrote:
> On 10/20/2010 8:57 AM, Robert Maas, http://tinyurl.com/uh3t wrote:
>> I need to generate a random integer uniformly distributed from 0 to
>> 165704257009980305087908956205223296585688096305918417966291411066008093135 190411324365527113804568013399264982255120906812142560021321323875432044092 494966970218269418334085525290028472777766273110227504712320
>>
>> The following code:
>> srand(time());
>> $random = (rand()%9); ...etc...
>> :is no good because time returns 1287555603 currently, and it would
>> be relatively easy for somebody who has access to my source code to
>> try all possible values for the time seed, a 10-digit integer, and
>> thus crack my cryptosystem. I'm doing personal research to try to
>> find something that is truly random for two hundred and ten
>> independently random cryptographically secure digits. My current
>> idea is to call the microsecond-time function a moderately large
>> number of times in succession, subtract adacent values (result
>> usually 4, often 5, rarely any other value), build a Markovian
>> model for the sequence, and then apply interval refinement directly
>> to the interval where I want the value until the length of the
>> interval is small enough to specify a single integer. But before I
>> go to a lot of effort to develop this idea, maybe one of you has an
>> idea for some method somebody else already did that I could use
>> instead?
>>
>> P.S. Here's a sample run of the microsecond-time differences:
>> 33 6 4 4 4 5 4 4 6 4 4 5 5 5 4 4 5 4 4 4 4 5 4 4 4 4 4 4 5 4 4 4 5 4
>> 5 4 4 4 4 5 4 4 4 5 4 4 6 5 4 4 4 5 4 4 4 4 4 4 4 5 5 4 4 5 5 4 4 5 4
>> 4 4 4 4 5 4 4 4 4 5 4 4 5 5 4 5 3 5 4 4 4 4 5 4 4 4 4 4 4 4 4 5 4 4 4
>> 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 5 6 4 7 4 4 4 4 5 4 4 4 4 4
>> 4 4 3 5 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 4 4 4 4 5 4 4 4 4 7 5 3 5 4 4 4
>> 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 4 4 4 5 4 4 4 4 4 4 4 4
>> 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4
>> 4 4 4 4 4 4 4 4 4 5 4 4 8 4 4 4 4 4 5 3 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4
>> 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4
>> 4 4 4 4 4 3 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 4 3 5 4 4 4 4 3 4 5 3 4
>> 5 3 4 5 4 3 5 4 3 5 4 3 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 3 4 5 4
>> 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
>> 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4
>> 4 4 4 4 4 4 5 3 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4
>> 4 4 4
> 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 10 5 4 4 4 4 4 4 4 4 4 5 4 4 4 5
> 4 4 4 5 4 4 4 5 4 4 5 4 4 5 4 4 5 4 4 4 5 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4
> 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 4 5 4
> 4 4 4 5 4 4 4 4 5 4 4 4 4 5 5 4 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5
> 4 4 4 4 4 5 4 4 5 4 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 4 5
> 4 4 4 4 5 4 4 4 5 4 4 4 4 5 4 4 4 5 4 4 4 4 5 4 4 4 5
>> and here's the corresponding null-context tally:
>> Array
>> (
>> [3] => 14
>> [4] => 570
>> [5] => 106
>> [6] => 4
>> [7] => 2
>> [8] => 1
>> [10] => 1
>> [33] => 1
>> )
>> Unfortunately, adjacent differences are highly correlated, as you
>> can see by visual examination of the raw differences, so the
>> null-context tally is not a good model for the data. Only a small
>> number of sequences of data are likely, hence only a small number
>> of the values from 0 to the maximum integer would actually be
>> likely to appear, and somebody could guess them all and thus crack
>> my cryptosystem. Instead, I'll need to dynamically choose a set of
>> non-null left-contexts, which is messy to optimize, especially in
>> real time as I'm bootstrapping a cryptosystem to a remote site, and
>> then compile a set of tallies for each left context being used, and
>> then consider each difference in the appropriate left context i.e.
>> use the appropriate tally for converting that difference into an
>> interval refinement.
>
>
> Hi Robert,
>
> I noticed you used:
> srand(time());
> But the manual says:
> ===================================================================
> Note: As of PHP 4.2.0, there is no need to seed the random number
> generator with srand() or mt_srand() as this is now done automatically.
> ===================================================================
> But the manual is not very clear on the exact implementation it uses
> when you do not call srand().
>
> But there are a few other approaches you could consider:
> 1) /dev/random
> And in case you are on Linux, have a look at /dev/random/
> http://en.wikipedia.org/wiki//dev/random
> It says: "It allows access to environmental noise collected from device
> drivers and other sources.", which sounds promising, as in impossible
> for the man-in-the-middle to predict.
>
That is useful.

Wish I had known that 3 days ago when I needed a table of random bytes..
Re: How to generate cryptographically-secure random big-integers? [message #170221 is a reply to message #170218] Wed, 20 October 2010 10:10 Go to previous messageGo to next message
The Natural Philosoph is currently offline  The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
Senior Member
Erwin Moller wrote:
> On 10/20/2010 11:36 AM, The Natural Philosopher wrote:
>> Álvaro G. Vicario wrote:
>>> El 20/10/2010 8:57, Robert Maas, http://tinyurl.com/uh3t escribió/wrote:
>>>> I need to generate a random integer uniformly distributed from 0 to
>>>> 165704257009980305087908956205223296585688096305918417966291411066008093135 190411324365527113804568013399264982255120906812142560021321323875432044092 494966970218269418334085525290028472777766273110227504712320
>>>>
>>>>
>>>> The following code:
>>>> srand(time());
>>>
>>> You only need to set a seed for PHP versions older than 4.2.0.
>>>
>>>> $random = (rand()%9); ...etc...
>>>
>>> As soon as you start using rand() you realize that its output is far
>>> from random:
>>>
>>> http://www.boallen.com/random-numbers.html
>>>
>>> I've found mt_rand() quite more appropriate.
>>>
>>>
>>>> :is no good because time returns 1287555603 currently, and it would
>>>> be relatively easy for somebody who has access to my source code to
>>>> try all possible values for the time seed, a 10-digit integer, and
>>>> thus crack my cryptosystem. I'm doing personal research to try to
>>>> find something that is truly random for two hundred and ten
>>>> independently random cryptographically secure digits. My current
>>>> idea is to call the microsecond-time function a moderately large
>>>> number of times in succession, subtract adacent values (result
>>>> usually 4, often 5, rarely any other value), build a Markovian
>>>> model for the sequence, and then apply interval refinement directly
>>>> to the interval where I want the value until the length of the
>>>> interval is small enough to specify a single integer. But before I
>>>> go to a lot of effort to develop this idea, maybe one of you has an
>>>> idea for some method somebody else already did that I could use
>>>> instead?
>>>
>>> The rest of your message involve mathematical issues that go beyond my
>>> reach, sorry <:-) However, why exactly are you building your own
>>> cryptosystem when there're so many libraries out there?
>>>
>>>
>> security by obscurity?
>>
>> with A->D converters so cheap, why not build a dongle and sample thermal
>> noise? from some bit of semiconductor..
>
> Already exists: when you use /dev/random on Linux, it can use noise.
> (See link in my other reply)
> :-)

Yup. Another damned useful factoid archived in grey matter.

Why is it always the same half dozen posters who always come up with

'wow, I wish I had known that' or 'that really is well thought out and
elegant' etc..

as opposed to certain regulars who never seem to say anything worth
reading..;-)

>
> Regards,
> Erwin Moller
>
>
>>
>> Nice product there. USB random sequence generator...
>>>
>>>
>
>
Re: How to generate cryptographically-secure random big-integers? [message #170222 is a reply to message #170217] Wed, 20 October 2010 10:28 Go to previous messageGo to next message
webmaster is currently offline  webmaster
Messages: 5
Registered: October 2010
Karma: 0
Junior Member
"Erwin Moller"
<Since_humans_read_this_I_am_spammed_too_much(at)spamyourself(dot)com> wrote in
message news:4cbebb8d$0$81484$e4fe514c(at)news(dot)xs4all(dot)nl...
<snip>
> 1) /dev/random
> And in case you are on Linux, have a look at /dev/random/
> http://en.wikipedia.org/wiki//dev/random
> It says: "It allows access to environmental noise collected from device
> drivers and other sources.", which sounds promising, as in impossible for
> the man-in-the-middle to predict.

Permission to emit a lengthy Bill & Ted style "woooooooooooooooooooah"?

--
+mrcakey
Re: How to generate cryptographically-secure random big-integers? [message #170223 is a reply to message #170222] Wed, 20 October 2010 11:02 Go to previous messageGo to next message
Erwin Moller is currently offline  Erwin Moller
Messages: 228
Registered: September 2010
Karma: 0
Senior Member
On 10/20/2010 12:28 PM, +mrcakey wrote:
> "Erwin Moller"
> <Since_humans_read_this_I_am_spammed_too_much(at)spamyourself(dot)com> wrote in
> message news:4cbebb8d$0$81484$e4fe514c(at)news(dot)xs4all(dot)nl...
> <snip>
>> 1) /dev/random
>> And in case you are on Linux, have a look at /dev/random/
>> http://en.wikipedia.org/wiki//dev/random
>> It says: "It allows access to environmental noise collected from device
>> drivers and other sources.", which sounds promising, as in impossible for
>> the man-in-the-middle to predict.
>
> Permission to emit a lengthy Bill& Ted style "woooooooooooooooooooah"?
>

Permission granted. :-)

But please clarify a little what it means to this poor chap from the
Netherlands. I have no clue who Bill & Ted are. ;-)
So I don't know if the 'wooooah' means:
1) "bullshit advice"
or
2) "yes! /dev/random rocks!"
or even
3) "you clearly have no clue what you are talking about"

In case of 1 or 3 I kindly point to my disclaimer under my post. ;-)

Regards,
Erwin Moller

> --
> +mrcakey
>
>


--
"There are two ways of constructing a software design: One way is to
make it so simple that there are obviously no deficiencies, and the
other way is to make it so complicated that there are no obvious
deficiencies. The first method is far more difficult."
-- C.A.R. Hoare
Re: How to generate cryptographically-secure random big-integers? [message #170224 is a reply to message #170220] Wed, 20 October 2010 11:11 Go to previous messageGo to next message
Erwin Moller is currently offline  Erwin Moller
Messages: 228
Registered: September 2010
Karma: 0
Senior Member
On 10/20/2010 12:08 PM, The Natural Philosopher wrote:
> Erwin Moller wrote:
>> On 10/20/2010 8:57 AM, Robert Maas, http://tinyurl.com/uh3t wrote:
>>> I need to generate a random integer uniformly distributed from 0 to
>>> 165704257009980305087908956205223296585688096305918417966291411066008093135 190411324365527113804568013399264982255120906812142560021321323875432044092 494966970218269418334085525290028472777766273110227504712320
>>>
>>> The following code:
>>> srand(time());
>>> $random = (rand()%9); ...etc...
>>> :is no good because time returns 1287555603 currently, and it would
>>> be relatively easy for somebody who has access to my source code to
>>> try all possible values for the time seed, a 10-digit integer, and
>>> thus crack my cryptosystem. I'm doing personal research to try to
>>> find something that is truly random for two hundred and ten
>>> independently random cryptographically secure digits. My current
>>> idea is to call the microsecond-time function a moderately large
>>> number of times in succession, subtract adacent values (result
>>> usually 4, often 5, rarely any other value), build a Markovian
>>> model for the sequence, and then apply interval refinement directly
>>> to the interval where I want the value until the length of the
>>> interval is small enough to specify a single integer. But before I
>>> go to a lot of effort to develop this idea, maybe one of you has an
>>> idea for some method somebody else already did that I could use
>>> instead?
>>>
>>> P.S. Here's a sample run of the microsecond-time differences:
>>> 33 6 4 4 4 5 4 4 6 4 4 5 5 5 4 4 5 4 4 4 4 5 4 4 4 4 4 4 5 4 4 4 5 4
>>> 5 4 4 4 4 5 4 4 4 5 4 4 6 5 4 4 4 5 4 4 4 4 4 4 4 5 5 4 4 5 5 4 4 5 4
>>> 4 4 4 4 5 4 4 4 4 5 4 4 5 5 4 5 3 5 4 4 4 4 5 4 4 4 4 4 4 4 4 5 4 4 4
>>> 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 5 6 4 7 4 4 4 4 5 4 4 4 4 4
>>> 4 4 3 5 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 4 4 4 4 5 4 4 4 4 7 5 3 5 4 4 4
>>> 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 4 4 4 5 4 4 4 4 4 4 4 4
>>> 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4
>>> 4 4 4 4 4 4 4 4 4 5 4 4 8 4 4 4 4 4 5 3 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4
>>> 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4
>>> 4 4 4 4 4 3 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 4 3 5 4 4 4 4 3 4 5 3 4
>>> 5 3 4 5 4 3 5 4 3 5 4 3 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 3 4 5 4
>>> 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
>>> 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4
>>> 4 4 4 4 4 4 5 3 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 4 4 4 4 4 4
>>> 4 4 4
>> 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 4 4 4 4 4 10 5 4 4 4 4 4 4 4 4 4 5 4 4 4
>> 5 4 4 4 5 4 4 4 5 4 4 5 4 4 5 4 4 5 4 4 4 5 4 4 4 5 4 4 4 4 5 4 4 4 4
>> 5 4 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4
>> 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 5 4 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4
>> 4 4 4 5 4 4 4 4 4 5 4 4 5 4 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4 4 4 4 5 4
>> 4 4 4 4 5 4 4 4 4 5 4 4 4 5 4 4 4 4 5 4 4 4 5 4 4 4 4 5 4 4 4 5
>>> and here's the corresponding null-context tally:
>>> Array
>>> (
>>> [3] => 14
>>> [4] => 570
>>> [5] => 106
>>> [6] => 4
>>> [7] => 2
>>> [8] => 1
>>> [10] => 1
>>> [33] => 1
>>> )
>>> Unfortunately, adjacent differences are highly correlated, as you
>>> can see by visual examination of the raw differences, so the
>>> null-context tally is not a good model for the data. Only a small
>>> number of sequences of data are likely, hence only a small number
>>> of the values from 0 to the maximum integer would actually be
>>> likely to appear, and somebody could guess them all and thus crack
>>> my cryptosystem. Instead, I'll need to dynamically choose a set of
>>> non-null left-contexts, which is messy to optimize, especially in
>>> real time as I'm bootstrapping a cryptosystem to a remote site, and
>>> then compile a set of tallies for each left context being used, and
>>> then consider each difference in the appropriate left context i.e.
>>> use the appropriate tally for converting that difference into an
>>> interval refinement.
>>
>>
>> Hi Robert,
>>
>> I noticed you used:
>> srand(time());
>> But the manual says:
>> ===================================================================
>> Note: As of PHP 4.2.0, there is no need to seed the random number
>> generator with srand() or mt_srand() as this is now done automatically.
>> ===================================================================
>> But the manual is not very clear on the exact implementation it uses
>> when you do not call srand().
>>
>> But there are a few other approaches you could consider:
>> 1) /dev/random
>> And in case you are on Linux, have a look at /dev/random/
>> http://en.wikipedia.org/wiki//dev/random
>> It says: "It allows access to environmental noise collected from
>> device drivers and other sources.", which sounds promising, as in
>> impossible for the man-in-the-middle to predict.
>>
> That is useful.
>
> Wish I had known that 3 days ago when I needed a table of random bytes..

Oh. Bad luck. :-(
And how did you solve it then? Just go with mt_rand?

Personally, I have never been in need of a *real* RNG, the pseudorandom
numbers have always been good enough for my purposes.

Regards,
Erwin Moller

--
"There are two ways of constructing a software design: One way is to
make it so simple that there are obviously no deficiencies, and the
other way is to make it so complicated that there are no obvious
deficiencies. The first method is far more difficult."
-- C.A.R. Hoare
Re: How to generate cryptographically-secure random big-integers? [message #170225 is a reply to message #170223] Wed, 20 October 2010 12:25 Go to previous messageGo to next message
webmaster is currently offline  webmaster
Messages: 5
Registered: October 2010
Karma: 0
Junior Member
"Erwin Moller"
<Since_humans_read_this_I_am_spammed_too_much(at)spamyourself(dot)com> wrote in
message news:4cbecc33$0$81475$e4fe514c(at)news(dot)xs4all(dot)nl...
> On 10/20/2010 12:28 PM, +mrcakey wrote:
>> "Erwin Moller"
>> <Since_humans_read_this_I_am_spammed_too_much(at)spamyourself(dot)com> wrote in
>> message news:4cbebb8d$0$81484$e4fe514c(at)news(dot)xs4all(dot)nl...
>> <snip>
>>> 1) /dev/random
>>> And in case you are on Linux, have a look at /dev/random/
>>> http://en.wikipedia.org/wiki//dev/random
>>> It says: "It allows access to environmental noise collected from device
>>> drivers and other sources.", which sounds promising, as in impossible
>>> for
>>> the man-in-the-middle to predict.
>>
>> Permission to emit a lengthy Bill& Ted style "woooooooooooooooooooah"?
>>
>
> Permission granted. :-)
>
> But please clarify a little what it means to this poor chap from the
> Netherlands. I have no clue who Bill & Ted are. ;-)
> So I don't know if the 'wooooah' means:
> 1) "bullshit advice"
> or
> 2) "yes! /dev/random rocks!"
> or even
> 3) "you clearly have no clue what you are talking about"
>
> In case of 1 or 3 I kindly point to my disclaimer under my post. ;-)
>
> Regards,
> Erwin Moller

Ah, hoe gaat het met u? Bill & Ted is probably the best silly movie ever. A
dude from the future helps two stupid college students go round collecting
important figures from history to help them pass their exams so they can
carry on forming their band which in turn goes on to form the basis of
future civilizations. I'd highly recommend it. It's most bodacious!

And it was 2)! - #t=2m43s

--
+mrcakey
Re: How to generate cryptographically-secure random big-integers? [message #170228 is a reply to message #170225] Wed, 20 October 2010 13:29 Go to previous messageGo to next message
Erwin Moller is currently offline  Erwin Moller
Messages: 228
Registered: September 2010
Karma: 0
Senior Member
On 10/20/2010 2:25 PM, +mrcakey wrote:
> "Erwin Moller"
> <Since_humans_read_this_I_am_spammed_too_much(at)spamyourself(dot)com> wrote in
> message news:4cbecc33$0$81475$e4fe514c(at)news(dot)xs4all(dot)nl...
>> On 10/20/2010 12:28 PM, +mrcakey wrote:
>>> "Erwin Moller"
>>> <Since_humans_read_this_I_am_spammed_too_much(at)spamyourself(dot)com> wrote in
>>> message news:4cbebb8d$0$81484$e4fe514c(at)news(dot)xs4all(dot)nl...
>>> <snip>
>>>> 1) /dev/random
>>>> And in case you are on Linux, have a look at /dev/random/
>>>> http://en.wikipedia.org/wiki//dev/random
>>>> It says: "It allows access to environmental noise collected from device
>>>> drivers and other sources.", which sounds promising, as in impossible
>>>> for
>>>> the man-in-the-middle to predict.
>>>
>>> Permission to emit a lengthy Bill& Ted style "woooooooooooooooooooah"?
>>>
>>
>> Permission granted. :-)
>>
>> But please clarify a little what it means to this poor chap from the
>> Netherlands. I have no clue who Bill& Ted are. ;-)
>> So I don't know if the 'wooooah' means:
>> 1) "bullshit advice"
>> or
>> 2) "yes! /dev/random rocks!"
>> or even
>> 3) "you clearly have no clue what you are talking about"
>>
>> In case of 1 or 3 I kindly point to my disclaimer under my post. ;-)
>>
>> Regards,
>> Erwin Moller
>
> Ah, hoe gaat het met u?

Zeer goed, dank je wel. ;-)
Waar heb jij geleerd zo uitstekend nederlands te praten?

> Bill& Ted is probably the best silly movie ever. A
> dude from the future helps two stupid college students go round collecting
> important figures from history to help them pass their exams so they can
> carry on forming their band which in turn goes on to form the basis of
> future civilizations. I'd highly recommend it. It's most bodacious!
>
> And it was 2)! - #t=2m43s

Oh yes, now I saw Bill & Ted on youtube I vaguely remember seeing it
before, long ago. I guess I wasn't completely sober, since the movie
didn't complete its way into my memorybanks apparently. But that suits
that movie just fine. ;-)
It is a lot like Wayne's World, but made a few years earlier.
Keanu Reeves was still a teenager.
And woooooah, are we getting off topic here!
Thanks for posting. ;-)

Regards,
Erwin Moller

>
> --
> +mrcakey
>
>


--
"There are two ways of constructing a software design: One way is to
make it so simple that there are obviously no deficiencies, and the
other way is to make it so complicated that there are no obvious
deficiencies. The first method is far more difficult."
-- C.A.R. Hoare
Re: How to generate cryptographically-secure random big-integers? [message #170230 is a reply to message #170216] Wed, 20 October 2010 17:35 Go to previous messageGo to next message
seeWebInstead is currently offline  seeWebInstead
Messages: 14
Registered: October 2010
Karma: 0
Junior Member
> From: The Natural Philosopher <t...@invalid.invalid>
> with A->D converters so cheap, why not build a dongle and sample
> thermal noise? from some bit of semiconductor..

The cryptographically-secure big-integer (string of digits for use
by bcmath) must be generated on the remote PHP/MySQL server
(independently on each of several such servers where my software
will be installed, same PK system on each server but different user
services and associated databases on each). They support *only* PHP
scripting, no Lisp or C or device interface etc., but more
importantly I don't have physical access there to install any new
hardware such as you suggest.
Re: How to generate cryptographically-secure random big-integers? [message #170231 is a reply to message #170218] Wed, 20 October 2010 18:15 Go to previous messageGo to next message
seeWebInstead is currently offline  seeWebInstead
Messages: 14
Registered: October 2010
Karma: 0
Junior Member
> From: Erwin Moller <Since_humans_read_this_I_am_spammed_too_m...@spamyourself.com>
> ... when you use /dev/random on Linux, it can use noise.

I tried it here on FreeBSD Unix, and indeed it does *something*. (I
haven't tested it for randomness myself.) I'd need to write a test
PHP script to determine whether it exists and is accessible from a
PHP script on the remote hosting services.

There doesn't seem to be any 'man' page for it, so I did Google
search, and found: http://en.wikipedia.org/wiki//dev/random#FreeBSD
"In 2004, Landon Curt Noll tested the FreeBSD 5.2.1 version of
/dev/random and found that it was not a cryptographically strong random
number generator because its output had multiple uniformity flaws
according to the Billion bit test. Similar flaws were found in the
Linux 2.4.21-20, Solaris 8 patch 108528-18, and Mac OS X 10.3.5
implementations of /dev/random."
That's not acceptable for my use.

The WikiPedia page links to a nice article describing the
million-bit tests that were performed, which mentions several
cryptographically-secure pseudo-random number generators, each of
which then begs the question how to generate a random seed. In fact
since I only need one (1) big integer on each system, and the seed
must be at least as large as the entire amount of random data I
need, and must itself be truly random, nevermind the PRNG that uses
the seed, just use the seed itself as the random big-integer I
need. So how do I generate a 210-digit truly-random seed??

The million-bit article also mentions one true random number
generator, namely 'LavaRnd'. Unfortunately LavaRnd requires
equipment to take a digital photo of a physically chaotic
apparatus, which is not feasible in pure PHP and not likely to be
supplied on all the PHP/MySQL hosting sites I'll be using.
Re: How to generate cryptographically-secure random big-integers? [message #170232 is a reply to message #170231] Wed, 20 October 2010 18:38 Go to previous messageGo to next message
Luuk is currently offline  Luuk
Messages: 329
Registered: September 2010
Karma: 0
Senior Member
On 20-10-10 20:15, Robert Maas, http://tinyurl.com/uh3t wrote:
> There doesn't seem to be any 'man' page for it,

man 4 random

--
Luuk
Re: How to generate cryptographically-secure random big-integers? [message #170233 is a reply to message #170231] Wed, 20 October 2010 19:19 Go to previous messageGo to next message
Hamish Campbell is currently offline  Hamish Campbell
Messages: 15
Registered: September 2010
Karma: 0
Junior Member
On Oct 21, 7:15 am, seeWebInst...@rem.intarweb.org (Robert Maas,
http://tinyurl.com/uh3t) wrote:
> ... I only need one (1) big integer on each system, and the seed
> must be at least as large as the entire amount of random data I
> need, and must itself be truly random...

* RECURSION
Re: How to generate cryptographically-secure random big-integers? [message #170234 is a reply to message #170232] Thu, 21 October 2010 06:58 Go to previous messageGo to next message
seeWebInstead is currently offline  seeWebInstead
Messages: 14
Registered: October 2010
Karma: 0
Junior Member
>> There doesn't seem to be any 'man' page for it,
> From: Luuk <L...@invalid.lan>
> man 4 random

Ah. Just "man random" gave the C library function, at which point I
gave up. Thanks, indeed specifying the chapter number as 4 gives
what I wanted. Unfortuately, since /dev/random has been shown to
not be cryptographically secure, and besides it relies on a shared
resource, hence *could* be spied-upon to see the state just before
or after I use it, I'll avoid it.

BTW: A few minutes ago, using PHP interactive mode, I finished
writing toplevel code (about 43 lines) to:
- Sample the PHP system microsecond time several hundred times and
store the values in an array.
- Compute the array of differences between consecutive values.
- Tally the totals of each different time-diff as an associative array.
- Generate the running totals starting from 0 past each time-diff.
- Use interval refinement to narrow the overall interval down to
narrower and narrower intervals per each successive (backwards)
sample until there's only one integer remaining in the interval.
(I use the time-difference samples backwards because the very first
of the time differences is usually anomalously large, presumably
because that's when it needs to swap in all the pages of
software into the cache, or when it compiles the script, or whatever.
Hence that first sample isn't as random as the rest.)

Note: Interval refinement here uses the zero-order model, ignoring
correlation between adjacent samples. Since each set of
system-clock samples (each run of this algorithm) has a different
histogram, the cut points for interval refinement will be different
each time, and as a result the global expectation to an outsider is
that the whole interval will be nearly uniformly covered, even if
any single run is biassed. So for my immediate purposes, this
should be good enough.

So next I need to break the pieces of code into function
definitions with meaningful names and nice interfaces, including a
toplevel function to do the whole job in one call, and store all
the functions in a library file, and finally incorporate a call to
the toplevel function from the bootstrap script that is run from a
HTML form.
Re: How to generate cryptographically-secure random big-integers? [message #170235 is a reply to message #170233] Thu, 21 October 2010 07:11 Go to previous messageGo to next message
seeWebInstead is currently offline  seeWebInstead
Messages: 14
Registered: October 2010
Karma: 0
Junior Member
>> ... I only need one (1) big integer on each system, and the seed
>> must be at least as large as the entire amount of random data I
>> need, and must itself be truly random...
> From: Hamish Campbell <hn.campb...@gmail.com>
> * RECURSION

Yup, that's the point I was making: A pseudo-random number
generator is of no use for generating truly random numbers, because
the seed must be as large as all the output you'll ever want
generated, so you get into infinite regress if you even try to use
a PRNG for this kind of purpose.

See my just-previous post for report of completion of first draft
of code to use zero-order Markov model for interval refinement. One
thing I forgot to say then, and will add now: It takes only about 3
or 4 milliseconds to generate enough microsecond-time samples to
generate enough entropy to refine an interval whose length is 210
decimal digits down to a single integer. (The big-integer
arithmetic probably consumes a lot more time; I haven't bothered to
time it yet. I really don't care if it takes as long as a full
minute because I need to do this process only once per PHP/MySQL
hosting site that I port my code to.)
Re: How to generate cryptographically-secure random big-integers? [message #170986 is a reply to message #170217] Mon, 13 December 2010 20:09 Go to previous messageGo to next message
seeWebInstead is currently offline  seeWebInstead
Messages: 14
Registered: October 2010
Karma: 0
Junior Member
> From: Erwin Moller <Since_humans_read_this_I_am_spammed_too_m...@spamyourself.com>
>> I need to generate a random integer uniformly distributed from 0 to
>> 165704257009980305087908956205223296585688096305918417966291411066008093135 190411324365527113804568013399264982255120906812142560021321323875432044092 494966970218269418334085525290028472777766273110227504712320

Note: This is used to covertly bootstrap confidential public-key
parameters (i.e. the private exponent) across an insecure link to a
remote PHP/MySQL hosting service. All subsequent public-key
activity by my scripts there *depend* on that random number *not*
being discernable by anyone whatsoever. Any "random" number
generator not well enough documented as to where the information
comes from and who can possibly view it, is unacceptable for this
purpose.

(Regarding an idea I rejected a priori:)
> I noticed you used:
> srand(time());
> But the manual says:
> ===================================================================
> Note: As of PHP 4.2.0, there is no need to seed the random number
> generator with srand() or mt_srand() as this is now done automatically.
> ===================================================================
> But the manual is not very clear on the exact implementation it uses
> when you do not call srand().

Indeed, not documented that it's *really* random and unobservable
by anyone else. In fact typically such system-provided random
number generates are really pseudo-random, and if somebody knows
the algorithm they can repeatedly sample it and notice any gap, and
deduce that some other user got in there to take the gap-value, and
thus this user can *know* which pseudo-random value the *other*
user got.

> But there are a few other approaches you could consider:
> 1) /dev/random

Not generally available on free PHP/MySQL hosting sites, and not
documented as absolutely secure in any case.

> And in case you are on Linux, have a look at /dev/random/
> http://en.wikipedia.org/wiki//dev/random
> It says: "It allows access to environmental noise collected from device
> drivers and other sources.", which sounds promising, as in impossible
> for the man-in-the-middle to predict.

Ditto, not available, not documented as secure.

> 2) Use one of these online random generators, based on nuclear fission.
> But this is probably a bad idea since that communication can be heard by
> the man-in-the-middle.

I have no access to the PHP/MySQL hosting services I'm using,
except via FTP and my own PHP scripts. Definitely no way to attach
a hardware device to their server located unknown location. Let me
check with ARIN:
nslookup blackapplehost.com => 69.162.86.3 => Limestone Networks (Dallas, TX)
nslookup netii.net => 208.43.151.204 => SoftLayer Technologies (Dallas, TX)
Wow, both of them in the same city!! All other PHP/MySQL hosting
services in other places have ceased working, including
freeweb7.com which was working a month ago off-and-on but has been
off the past couple weeks, but seems to have come back online today:
nslookup freeweb7.com => 75.126.176.160 => SoftLayer Technologies (Dallas, TX)
Weird!!

> 3) If you are really serious about randomness, you could buy one
> of these cards that generate true random numbers.

What good would that do? I have no physical access to any of the
PHP/MySQL hosting services in Dallas.

> Another approach (I don't like) that was mentioned in the user
> contributions on the PHP manual was: request some webpage and measure
> the time needed (micros) to fetch it. And use that number as the seed.

Not possible because the PHP/MySQL hosting services don't allow
external network connections from PHP scripts. Also, that's too
slow. Sampling microsecond time a few hundred times takes only
about 5 microseconds per call, total just a few milliseconds, and
gives me all the entropy I need to shrink the inverval down by 210
orders of magnitude (676 bits of entropy).

> One last thing: Why not use mt_rand()? It seems to be better:
> http://nl2.php.net/manual/en/function.mt-rand.php

"It uses a random number generator with known characteristics using
the ; Mersenne Twister, which will produce random numbers four
times faster than what the average libc rand() provides."

which begs the question where it gets the starting seed from. No
guarantee the seed is truly random and secure. Most likely it uses
the system clock (just once or twice) as the seed, which has only a
narrow range of possible seed values at one time when hostile
forces might be observing my activities and trying to deduce what
seed value I used via mt_rand. By comparison, no way they can guess
(within reasonable time, like a million years) what exact sequence
of hundreds of system-microsecond-time sample-differences I'm using
per the algorithm I described earlier.

Anyway, I've finished covertly bootstrapping private exponents for
public-key cryptosystems onto all the PHP/MySQL servers I'm
currently using for NewEco, and using these installed cryptosystems
I've uploaded additional parameters to some of the servers, and I'm
now implementing public-key server-to-server SOAP RPC over HTTP as
a way to pass signed+encrypted messages from one server to another
as part of my distributed NewEco application. For a high-level
description of the PK-SS-SOAP-RPC process, see:
http://www.rawbw.com/~rem/Pub/EcoWeb/newInterNetCooperative.php?see=pksat
which is part of http://TinyURL.Com/NewEco
I haven't yet written a spec for the details of how it will work,
but basically:
- User selects task and amount of funds to put into escrow (done for test).
- Escrow account is created, and that amount of funds moved from
user's main accout to escrow account.
- XML messages is created, containing voucher for funds and service
request, and is signed by originating host (#1) and encrypted for
destination host (#2), and written to local file (done)
- HTTP redirection from sending host#1 to receiving host#2, with
query string telling name of local (host#1) file (next to implement)
To implement later:
- Receiving host (#2) issues call-back to retrieve the message, decrypt
it, verify signature, parse XML.
- Host#2 executes request, keeping track of time consumed.
- Host#2 generates XML message containing receipt and results, signs#2,
encrypts#1.
- Host#2 issues call-forward to deposit the return-message on host#1.
- HTTP redirection from host#2 to host#1, with query string telling
name of local (host#1) return-message file.
- Host#1 fetches message, decrypts, verifies signature, parses XML,
refunds "change" to user and credits "charge" to master account
or other service provider, delivers results to user.

Note: Call-back is needed because host#1 can't initiate any
non-local InterNet connections, so host#1 can't act as HTTP client
talking directly to host#2 as with traditional SOAP over HTTP, and
HTTP redirection works only for GET method, so the message can't be
transmitted via redirection, and bandwidth is costly on cellphones,
so POST form can't be used to transmit the entire message from
host#1 via client to host#2.

By the way, does anybody reading this thread know of anyone other
than myself who is implementing, or who might like to implement,
public-key server-to-server SOAP RPC over HTTP?
Re: How to generate cryptographically-secure random big-integers? [message #170987 is a reply to message #170224] Mon, 13 December 2010 20:28 Go to previous message
seeWebInstead is currently offline  seeWebInstead
Messages: 14
Registered: October 2010
Karma: 0
Junior Member
> From: Erwin Moller <Since_humans_read_this_I_am_spammed_too_m...@spamyourself.com>
> Personally, I have never been in need of a *real* RNG, the
> pseudorandom numbers have always been good enough for my purposes.

If you are sampling data for statistical tests, either for
scientific research, or engineering quality control, and you want
others to be able to duplicate your studies and thus verify your
results or detect mistakes you made in your algorithms, then a PRNG
is exactly what you need.

But for cryptographic purposes, for seeding your randomly-generated
crypto-parameters, where you want it to be practically IMPOSSIBLE
for anyone else to duplicate your results and thus crack your
cryptosystem, a PRNG is most definitely *not* what you want, unless
you use a truly random seed feeding into the PRNG, in which case
all you needed was the seed to begin with, any PRNG that follows is
entirely moot (obfuscation) that adds nothing to your security.

I presume that in your past work you've never needed to generate a
cryptographically secure random number that outsiders couldn't
guess, because you *wanted* others to be able to duplicate your
research per my first paragraph above.
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: Anyone here follows the mailing list php-general(at)lists(dot)php(dot)net?
Next Topic: Having trouble writing/copying/renaming file to sub-directory
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Dec 01 00:28:18 GMT 2024

Total time taken to generate the page: 0.02252 seconds