Random Number Generators, the Diehard Tests and the Mayor of Douglassville

[T3sl4co1l]

I thought a reversible process is by definition time-symmetric. This means that if you filmed a process on camera and played it back to someone, they wouldn't be able to tell by looking if the film was running forward or backwards because both cases would make perfect sense.

Yes -- elementary processes such as electron-electron "collision"; all the elementary forces where you'd draw a Feynman diagram (at least for QED and the like).  Which are also space-time invariant, so for example, a particle going forwards is bounced backwards (i.e., turned into what we would call an antiparticle) on interacting with a pair of photons (pair production/annihilation), but it's the same as a scattering process (one particle interacting with a force particle).

So it's not only conservative in time, but in space, and in both at the same time, which is a pleasing symmetry.  At least for QED and the like.

This type of interaction is what I mean by particles exchanging information.  Apologies if that was not clear.

The Brownian motion is a good example of this. It makes perfect sense no matter which way you are playing the film.

Radioactive decay and some other quantum phenomena on the other hand are definitely not time symmetric and you can always tell which way the film is running.

For example if you see a film of X-ray particles impacting a photosensitive film you can definitely tell if the motion was running backwards. You do not expect blotches of developed film to condense back into an X-ray and fly away from the paper. The process is not time-symmetric and not reversible, even though it is (largely) predictable.

Ah, but these are all bulk phenomena*!  So the entropy is exactly the kind of emergent property as I was talking about.   The photon strikes the film grain, causing ultimately the entire grain to decompose and develop as a black speck.  There's essentially no way to reverse such a chain of events, because so many particles have dissipated the information of that photon coming in.

(Brownian motion being a property of fluids at constant entropy, we shouldn't expect to see a time direction.)

*Arguably, radioactive decay is bulk in a sense (the nucleus contains a great many particles, at quite high energy: it is a system all its own!), but anyway, fusion is a known atomic process as well, so it would be foolish to say that a nucleus losing an alpha particle is only a time-forward phenomenon!

Now, seeing a whole ensemble of, say, Pu-238 losing alpha particles, and only losing them as time goes on, would be quite suspicious; but as each particle is emitted, it bumps into other atoms, transferring various amounts of energy and momentum, and kicking phonons around in the lattice (literally, making it hot), so in this system as well, there is a massive preponderance of more interactions as time goes on, and entropy rising, and the dilution of information (the information about the decay of any one atom is all but imperceptible on the bulk level; almost all you know is it's hot and gives off helium!).

If we could know the state of each atom and each electron in the resistor we could theoretically tell what the next outcome would be.

The Heisenberg Uncertainty principle tells us that we can't actually look into a state of an electron without influencing it. So we are still cryptographically safe on that front.

That's relevant to measuring atoms, but I was thinking (probably not too explicitly stated) about modifying the state, probably using an observation and deconvolutional method.  Apply a random input, what does the output do?  Repeat, well, about a trillion times, run an algorithm or whatever as needed, see if it improves, see if you can discover a controllable aspect of the output (again, besides bulk temperature).

(A comparable process has already been achieved, on a much simpler scale: reconstructing visual or spacial (2D/3D) images from propagating or scattered light.  Using a sufficiently accurate optical system and a similarly detailed scattering matrix and inversion, the light path can be reversed.  A photon might scatter through millions of crystal domains in a translucent solid, so this achievement alone is not trivial.  At least, that's what I recall they were claiming -- science reporting being what it is.)

In any case, even for a relatively small (nano-scale) system, I've got to imagine the computational burden is already bordering on impossible, which even assuming the statistics could work out (which QM does indeed put rather tough limits on, for this sort of thing!), basically means you must invert cryptographic hashes in real time...

Which is to say, at least at today's level, absolutely fucking yes, it's cryptographically secure.

What I am after are the algorithms that test randomness in the RNGs. Apparently some of these are good and some of these are subtly tampered with in a way that they may fail a true RNG but pass a less than perfect RNG. My question from the beginning was about these algorithms.

Can these algorithms be influencing the development of true RNGs to be predictable in some very subtle way.

For example if you insist that the your RNG produces ones and zeroes in the exact 50% ratio even in short periods then you throw away the vast majority of your entropy.

As for algorithms, again -- you can always make low entropy into high, almost trivially; but reversing the process is nontrivial, bordering on impossible (indeed, physically impossible for macroscopic systems).

If you had a sequence of numbers and no other information, how long would it take you to discover what system(s) underly that sequence?  Even if you knew it was something (say, a Mersenne Twister sequence, which is used by MATLAB for example), how long would it take before you could confirm it?*

(*In this case, at least the bit length of the state variable.  Which is usually >256 bits for this example; I forget what exactly is typical.)

And keep in mind that confirmation includes removing all the possible steps that have been applied to it after the number generation itself.  For example, if the sequence follows a normal distribution, it might be reasonable to suppose someone called normrnd(mu, sigma) a bunch of times.  But even just for that: for each time it was executed, which function call was made first?  (Generating a normal random value requires two random inputs, essentially one for magnitude, one for phase.)  Or was one single call made, and two halves used?  Was it chopped up or scrambled or hashed first?  Maybe your sequence of numbers has a flat distribution; if it happened to consist of a series of hashes (yet still ultimately arising from the same source in question), how would you know?  How long would it take to prove it?

So finally, the point is: there is no such thing as true random, in a physical sense, because it would take this trans-astronomical amount of computational power to determine the set of all possible algorithms that could generate the given sequence (even given constraints, like that they be relatively simple algorithms and thus likely to have been written by humans, and likely to cause trouble in still other relatively-simple algorithms).  And that the set (even with those constraints) is probably too large to be of any value anyway.

The only things that make cryptography vulnerable today are obvious bugs and backdoors (from social engineering to bad implementations), and the fact that, in the great scheme of things, we haven't even begun to scratch the surface of computational or convolutional complexity, so it's relatively easy to guess our relatively simple constants, or algorithms.  The universe is a humbling place, I suppose...

Tim

[HAL-42b]

The only things that make cryptography vulnerable today are obvious bugs and backdoors (from social engineering to bad implementations), and the fact that, in the great scheme of things, we haven't even begun to scratch the surface of computational or convolutional complexity, so it's relatively easy to guess our relatively simple constants, or algorithms.  The universe is a humbling place, I suppose...

Indeed, but that is for another thread.

[VK3DRB]

In the physical world, randomness has never been proven. Same with free will and predetermination. There is no evidence that something just happens without cause.

[dannyf]

Your statement would be perfect with a knowledge qualifier.

[Brumby]

People - Let me know when you've got a handle on the Lottery results.

Absolutely!
http://www.dailymail.co.uk/femail/article-2025069/Joan-Ginther-Maths-professor-hits-multi-million-scratchcard-lottery-jackpot-4-times.html

Interesting case.  An advanced 'pattern matching' effort could explain it.  We may never know.

http://www.dailymail.co.uk/news/article-412386/University-lottery-syndicate-wins-5m-jackpot-devising-formula.html

These guys just had their turn.  I had a guy working for me once who was addicted to gambling.  It became a bit of a problem, impacting his work, so I took him aside.  He was very keen to show me his 'system' - which turned out very much like these guys.  It's statistical flim-flam which makes NO difference to the probabilities of winning.

Just numbers out of a hat (or box).

[helius]

The Gambler's Fallacy presents one possible way to distinguish true random sequences from pseudorandom ones. In a true random sequence, history has no influence on the output of the random oracle: if you just flipped a coin that landed heads 12 times, the chance that the next flip is heads remains 1/2. In a pseudorandom generator, the history of past outputs and the future outputs are always related. The trick is to design a statistic that extracts that correlation from an apparently random sequence. For instance, you could look for regions where bias accumulates, and whether it is later removed. A truly random sequence spends vanishingly little time at zero bias point.

[timb]

People - Let me know when you've got a handle on the Lottery results.

Absolutely!
http://www.dailymail.co.uk/femail/article-2025069/Joan-Ginther-Maths-professor-hits-multi-million-scratchcard-lottery-jackpot-4-times.html

http://www.dailymail.co.uk/news/article-412386/University-lottery-syndicate-wins-5m-jackpot-devising-formula.html

There was an episode of NUMB3R5 about this. A bunch of former lottery winners that had burned through their winnings started robbing gas stations and taking nothing but one particular type of scratch off ticket. They were scratching thousands of them to try and decode the serial number information. The idea being that, once they had that the could determine the serial of the "Big Winner" ticket. Then they used someone inside the lottery commission to provide the location of that ticket.

All a bit far fetched, but the serial number part is actually plausible. If you had enough tickets and input the serial number and the winning status of them all, you could certainly figure out the how the serials were generated.

It sounds like the lady in the first article was doing this. She was up to something, that's for sure. Or else she has two penises that have been been struck by lighting twelve times without a cloud in the sky.

Personally, I don't see why the serials on scratchers aren't just randomly numbered. The lottery commission could then keep a database of which serial numbers correspond to which winners. That's how I had always assumed it was done, but apparently, at least according to an article I read, it's not. There's some sort of algorithm used to encode the unique ticket number plus status of each playable line, square or whatever (the part you scratch). That generates the serial number, which can be decoded on the fly with the right key.

[zapta]

In the physical world, randomness has never been proven. Same with free will and predetermination. There is no evidence that something just happens without cause.

Proofs exist in philosophy, logic and math. Finite observations of the real world and generalizations base on them are useful but are not 'proofs'.

[GK]

I'm pretty sure that objection comes from someones religious sensibilities being offended; you know, there is no evidence that something just happens without cause, thus God must be the ultimate cause. Though if nothing happens without cause then God must also have a cause, so if you maintain that nothing can happen without cause you're left with an infinite regression and invoking God as a convenient stop at any stage in that regression is clearly a violation of your own rules.

Unless of course you just blithely object that nothing happens without cause except of course for God, who (hallelujah!) did just happen to have happened without cause (presumably having just randomly poofed into existence from nothingness), thus making God the First Cause; the standard proof for the veracity of this illogical exception of course being that it simply is the obvious and revealed truth! praise Jesus!

I've yet to hear a good argument as to why this exception must be valid. I'm pretty sure it was Bertrand Russell who astutely pointed out that if everything must have a cause with the exception of one special thing, then that special thing might just as well be the Universe as much as God; at least we have reasonable evidence that the former exists.
 


     

[Kjelt]

So finally, the point is: there is no such thing as true random, in a physical sense, because it would take this trans-astronomical amount of computational power to determine the set of all possible algorithms that could generate the given sequence (even given constraints, like that they be relatively simple algorithms and thus likely to have been written by humans, and likely to cause trouble in still other relatively-simple algorithms).  And that the set (even with those constraints) is probably too large to be of any value anyway.

In theory you are right, a true random number generators output might be described by some algorithm.

In practice it is still very usable also for crypto: since you have no algorithm that predicts the next number, only the sequence of past numbers.
The next number will still be truely random. When it is known some device might recalculate the algorithm that would have predicted that outcome which as you state would take a lot of time, so useless to break the system. If you do have an algorithm that would predict the coming numbers, that would make that rng useless for security.

Another consideration, in most cryptographic applications the random number is transmitted in the clear to the other party, it's use is mostly to block replay attacks.

[IconicPCB]

One would need to have the EPOCH in order to remove any ambiguity about the randomness of an algorithms output.

Some polynomial solutions are optimal length solutions where the epoch contains all the elements of a given length ( number of bits).
 

For more see linear feedback shift registers

[dannyf]

There are two separate things in this discussion.

1. Is this world fundamentally random? Ie, if we knew everything there is to know, could we have described the world in a fully deterministic way?

I think existing body of science would suggest the answer is no. But then we know for sure that the existing body of science is wrong, in the sense that they will be superceded or corrected by better theories to be invented in the future.

2. Even if you could describe the world deterministically, do you want to do that?

I think the answer is no in most cases, as doing so would require so much information and processing that it is hardly worthwhile for most cases.

In the end, randomness is an optimal way for us to ignore secondary factors and focus on the key issues that help us further our understanding of the world around us.

It is the incorrectly correct way to approach complex systems. "Incorrectly" in the sense that it fails to factor in all that are impactdul. "correct" in the sense that it is a sensible approach that gets us 90 percent there on 10 percent efforts.

[helius]

With respect to 1., the laws of quantum mechanics are actually completely deterministic. The wavefunctions are related by operators that have an exact and unambiguous meaning. It's no accident that they were based on a theory of classical physics that had a high level of generality (Hamiltonian circuits). Indeed, the concept of quantum computing would be nonsensical if the operations were somehow unpredictable. What causes apparent random observations of quantum states is that the macroscopic system (us) has so much entropy that our exact interaction with the quantum system appears probabilistic. When we interact with objects at our own familiar scale (in classical mechanics), the behavior is deterministic again, but this is simply an outcome of the Law of Large Numbers: we really have no way to predict the behavior of the ensemble of interacting particles, but there are so many quadrillions of those interactions that we can predict their average.

[dannyf]

The wavefunctions are related by operators that have an exact and unambiguous meaning.

I don't if that's the best argument for or against randomness. A random variable can have fully deterministic distribution function (the equivalent of the wave functions), but that "deterministicness" of the distribution function does not mean the random variable described by this deterministic distribution function is "deterministic".

If anything, quantum theory would suggest strongly at the fundamental random nature of the world - how do you describe an object moving from one discrete position to another discrete position (as measured in multiples of planck constant)? particles' positions can only be described in terms of probability + dimension....

I tend to agree with you that the seemingly deterministic way we use to describe the world is due to the law of large numbers -> fundamentally random acts produce apparently and statistically non-random behaviors.

[GK]

I'm pretty sure that modern physics is pretty firm on the immutability of Heisenberg's uncertainty principle as much as it is on, say, the laws of thermodynamics, so unless you're an omniscient being capable of comprehending the universe either in part or in whole without physical observation, your predictive abilities aren't going to be wholly deprived of chance due to any fundamental determinism in the laws that govern the universe.

[HAL-42b]

I'm pretty sure that modern physics is pretty firm on the immutability of Heisenberg's uncertainty principle as much as it is on, say, the laws of thermodynamics, so unless you're an omniscient begin capable of comprehending the universe either in part or in whole without physical observation, your predictive abilities aren't going to be wholly deprived of chance due to any fundamental determinism in the laws that govern the universe.

I agree completely. The existence of entropy and non determinism is beyond doubt and I am only interested in it's practical applications in cryptography. I did not expect this most rudimentary fact to be disputed, especially on this forum.

[dannyf]

The existence of entropy and non determinism is beyond doubt

That statement is a logic fallacy: if "non-determinism is beyond doubt", is that statement itself beyond doubt? If yet, ....

At most you can say that it is beyond doubt ***currently***, leaving the possibility that it may not be so beyond doubt after all.

[HAL-42b]

Nice bait, unless you are serious of course, in which case I'm sorry for causing further confusion   

[MT]

Current law of physics only apply to "this" universe i'm told.

So assume universe = god then god has his head up his own arse and we all are deep into his/her shit!
His/her mouth is the "black hole/s" and the butt hole is the "creation" of the "big bang".
Assume multiverses = infinite number of god who each one of them have his/her head up the other god's arse'es infinite number of times!
Both of these two loops need something to make them loop, enter "random fluctuations", like flatulent gases caused by pea soup= dark energy!




Whenever life gets you down, Mrs.Brown
And things seem hard or tough
And people are stupid, obnoxious or daft
And you feel that you've had quite enough

Just remember that you're standing on a planet that's evolving
And revolving at nine hundred miles an hour
That's orbiting at nineteen miles a second, so it's reckoned
A sun that is the source of all our power

The sun and you and me and all the stars that we can see
Are moving at a million miles a day
In an outer spiral arm, at forty thousand miles an hour
Of the galaxy we call the 'milky way'

Our galaxy itself contains a hundred billion stars
It's a hundred thousand light years side to side
It bulges in the middle, sixteen thousand light years thick
But out by us, it's just three thousand light years wide

We're thirty thousand light years from galactic central point
We go 'round every two hundred million years
And our galaxy is only one of millions of billions
In this amazing and expanding universe

The universe itself keeps on expanding and expanding
In all of the directions it can whizz
As fast as it can go, the speed of light, you know
Twelve million miles a minute and that's the fastest speed there is

So remember, when you're feeling very small and insecure
How amazingly unlikely is your birth
And pray that there's intelligent life somewhere up in space
'Cause there's bugger all down here on Earth

[vlad777]

But you choose  constraints to be "fair" .
(you choose  constraints that describe randomness)

[T3sl4co1l]

Remember, QM works out perfectly well if you suppose that particles retain a given state since their creation or last interaction.  That is, suppose when an entangled pair of photons are created, that their spins are known and fixed, we just can't inspect them, because they're so small, the only way we have to observe them is direct interaction.  So observationally, QM wins, despite such an assumption.  The system still obeys QM, because QM is a probabilistic description, and of course we can't make any different observations, even if these states were already present.

Except for one thing, Bell's Theorem.

The direct consequence of this is, if you perform correlation measurements of entangled pairs (specifically with spin), you would predict a linear angle dependency on that correlation (that is, that two detectors register each particle in the same state).  But the QM prediction goes as cos(angle).

Tim

[HAL-42b]

After a long while I found the answer to my own question.

Long story short, an algorithm that checks for randomness is only effective to compare pseudorandom number generators, not true random generators. If the algorithm can't tell the difference between PRNG and a true RNG then the PRNG can be considered cryptographically secure. (Many many qualifiers apply)

The above statement is mostly based on Yao's Test (Andrew Chi-Chih Yao - 1982)

This in itself does not sound like much but if you have a lot of patience you can go trough the following course



This is the most accessible course on cryptography I've seen to date. Can't thank Professor Dan Boneh and the Stanford University enough for making it public. (Yao's test is mentioned somewhere in unit 2 or 3.)

[helius]

Long story short, an algorithm that checks for randomness is only effective to compare pseudorandom number generators, not true random generators. If the algorithm can't tell the difference between PRNG and a true RNG then the PRNG can be considered cryptographically secure. (Many many qualifiers apply)

PRNGs are only cryptographically secure by construction, not by statistical testing. The same qualities that make a PRNG appear to be truly random (like equal distribution) make them cryptographically weak.

[Kjelt]

Indeed any algorithm can per definition never be cryptographically secure since it is fully deterministic. You can only build a crypto secure rng based on a true RNG which has real entropy. A crypto secure rng is truely unpredictable.
What a die hard test really tests if it can find any predictability in the generated sequence. If it can not it passes this test which still does not guarantee it is crypto secure, it only proofs that who ever has come up with those tests does find the sequence unpredictable.
Someone else who defines another different test might find a predictable sequence.

[helius]

The main problem is that there is an "ambiguous middle term" at play here, when we speak of a sequence's predictability. What the Diehard tests do is treat sequences as black boxes: given no information on where the sequence came from, can you predict an item (or just a bit of an item) in the sequence? This is a kind of metric of worth for statistical randomness, where the primary criteria is to minimize the bias of the random function (which would skew statistical results). In cryptography, the assumption is that your attacker knows the code you're using, so he is not viewing the random sequence as a black box at all. He is using a different concept of predictability based on reversing the random function. A PRNG can pass the first kind of test and fail the second, because they use the same word "predictable" in completely different ways.