Please, stop the superstitious nonsense. To adapt a classic DJB quote, think about this for a moment: Whoever uses physical dice or coin flips to generate the seed for a Bitcoin wallet seems simultaneously to believe that:
- An OS kernel’s CSPRNG which is designed by actual cryptographers, who have actually studied cryptography, is insufficiently secure because it is somehow not “truly random”.
- It is secure to use a tiny seed to generate an unbounded tree of pseudorandom private keys in your BIP 32 HD wallet.
“For a cryptographer, this doesn’t even pass the laugh test.”
To generate random numbers for cryptographic keys, Bitcoin seeds, etc., you should use your OS kernel’s system calls for accessing the OS kernel’s random device. If you do not trust your OS kernel to give you random numbers, then your OS is altogether untrustworthy; you should switch to a better OS before it betrays you, beats you up, and steals your lunch money.
And whatever you do, you should NOT cook up your own ad hoc “random” scheme unless:
- You have spent quality time studying the relevant theory.
- You are not confused by such terminology as a discrete uniform distribution from a bounded integer range.
- You know the basic difference between min-entropy and Shannon entropy.
- You understand the extract-and-expand model of generating secret key material from an input with the wrong distribution; and you know how properly to extract the randomness you need from, e.g., a string of 6-sided dice rolls, or a shuffled deck of 52 playing cards.
- You can point out flaws with other people’s ad hoc schemes on this forum, on Reddit, on StackExchange, in the issue trackers of GitHub projects coded by people who should NOT be writing cryptographic implementation code... (Whether or not you waste your time doing so is up to you; but you need to be able to see the flaws.)
- Many other things that I am too lazy to list.
If you do not heed my advice, then you will probably wind up coding some Rube Goldberg style randomness contraption riddled with modulo bias and similar bugs. You will be fooling yourself with security theatre that results in a false sense of security. Whether or not you ever suffer negative consequences for this, or by how much, will thenceforth be a matter of dumb luck.
Coders who make their own ad hoc randomness schemes are like kids playing with matches. If that sounds harsh, well—sorry, but I’m not sorry. I am warning you not to get burned.
Here lie dragons of terrific complexity, subtle in their souls and heavy on maths.
To understand such things, you need to start by being born with a genius-level IQ, and then study for years. I myself admittedly have but a bare grasp of these concepts: I know enough to know how little I know! In that, I have an advantage over those who have no idea of how little they really know.
If I myself want to make my own randomness from physical sources, here is the plan that I would probably follow:
- Research existing randomness extractors designed by real cryptographers.
- Give up on reading papers that I lack the deep mathematical knowledge to understand, and decide to use the extractor specified in HKDF.
- Ram my head into the maths to try to figure out how best to apply the randomness extractor to my sources of randomness.
- Give up, and use urandom. Not from laziness, but from sufficient wisdom not to shoot myself in the foot.
HTH.
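The following is an added example, not code from the post above or from any project it mentions. In Python's standard library only, it shows the three points the post keeps returning to: taking a seed straight from the kernel CSPRNG; what modulo bias concretely is, with the exact output distribution of `byte % 6` beside the rejection-sampling fix; and the extract-and-expand model (HKDF-Extract and HKDF-Expand as specified in RFC 5869, which the post names as the extractor to fall back on) applied to a transcript of 6-sided dice rolls with a min-entropy budget. Everything outside the RFC is an assumption for illustration: the one-byte sampler, the `info` label `b"wallet seed example"`, the zero salt, the 256-bit target, and the dice transcript, which is constructed rather than real. Above all, the code takes on faith that the dice are fair, which is exactly the thing no program can check for you, and which is why the first function is the one the post actually recommends.

```python
# Added example, not from the original post. Demonstrates: (1) kernel CSPRNG
# seeds, (2) modulo bias vs rejection sampling, (3) HKDF extract-and-expand
# (RFC 5869) over a constructed transcript of fair d6 rolls. The fairness of
# the dice is an unverifiable assumption; salt, info label and target are too.
import hashlib
import hmac
import math
import secrets
from collections import Counter
from typing import Callable, Iterable

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def os_random_seed(nbytes: int = 32) -> bytes:
    """The recommended path: read the kernel CSPRNG (getrandom/urandom)."""
    return secrets.token_bytes(nbytes)


def biased_randbelow(n: int, byte: int) -> int:
    """The classic bug: 'byte % n' is uniform only when n divides 256."""
    return byte % n


def unbiased_randbelow(n: int, rand_byte: Callable[[], int]) -> int:
    """Rejection sampling: discard bytes at or above the largest multiple of n
    that fits in 0..255, so each residue is reached by exactly 256 // n bytes."""
    if not 1 <= n <= 256:
        raise ValueError("n must be in 1..256 for a one-byte sampler")
    limit = 256 - (256 % n)
    while True:
        b = rand_byte()
        if b < limit:
            return b % n


def reduction_histogram(n: int, reject_tail: bool) -> Counter:
    """Push every byte value through the reduction and count residues. Because
    the input is exhaustive this is the exact output distribution for a uniform
    byte: with reject_tail=False the low residues are over-represented."""
    top = 256 - (256 % n) if reject_tail else 256
    return Counter(b % n for b in range(top))


def min_entropy_bits(num_draws: int, alphabet_size: int) -> float:
    """Min-entropy of independent fair draws, -log2(max probability), which is
    num_draws * log2(alphabet_size). For a fair source this equals the Shannon
    entropy; a loaded die has less min-entropy than this formula credits."""
    return num_draws * math.log2(alphabet_size)


def draws_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of fair draws whose min-entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def shuffled_deck_entropy_bits() -> float:
    """A uniformly shuffled 52-card deck is one of 52! orderings."""
    return math.log2(math.factorial(52))


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated."""
    if length > 255 * HASH_LEN:
        raise ValueError("length too large for HKDF-Expand")
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
        i += 1
    return okm[:length]


def seed_from_dice(rolls: Iterable[int], target_bits: int = 256,
                   salt: bytes = bytes(HASH_LEN)) -> bytes:
    """Extract-then-expand a seed from fair d6 rolls; refuses to proceed unless
    the transcript's min-entropy covers target_bits. Each roll becomes one byte
    (an injective encoding, so nothing is lost before hashing)."""
    rolls = list(rolls)
    if any(r not in (1, 2, 3, 4, 5, 6) for r in rolls):
        raise ValueError("every roll must be 1..6")
    have = min_entropy_bits(len(rolls), 6)
    if have < target_bits:
        raise ValueError(f"only {have:.1f} bits of min-entropy, need {target_bits}")
    prk = hkdf_extract(salt, bytes(rolls))
    return hkdf_expand(prk, b"wallet seed example", target_bits // 8)


if __name__ == "__main__":
    print("kernel seed:", os_random_seed().hex())
    print("byte % 6 histogram:", sorted(reduction_histogram(6, False).items()))
    print("after rejection:   ", sorted(reduction_histogram(6, True).items()))
    print("d6 rolls for 256 bits:", draws_needed(256, 6))
    print("log2(52!) =", round(shuffled_deck_entropy_bits(), 2))
    constructed_rolls = [1, 2, 3, 4, 5, 6] * 17  # constructed 102-roll transcript
    print("seed from dice:", seed_from_dice(constructed_rolls).hex())
```

Two things worth noticing when running it. The `byte % 6` histogram is not subtle: residues 0 to 3 each occur 43 times out of 256 and residues 4 and 5 only 42 times, and the same shape appears whenever the modulus does not divide the sampler's range. And the entropy budget is unforgiving: 100 fair d6 rolls are the minimum for 256 bits of min-entropy (99 fall just short), while a properly shuffled deck carries about 225.6 bits, which is why the code refuses transcripts that are too short rather than quietly stretching them.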