[HN Gopher] Librandombytes - a public domain library for generat...
___________________________________________________________________

Librandombytes - a public domain library for generating randomness

Author : tkhattra
Score  : 50 points
Date   : 2023-01-26 18:46 UTC (4 hours ago)

(HTM) web link (randombytes.cr.yp.to)
(TXT) w3m dump (randombytes.cr.yp.to)

| benj111 wrote:
| When are we going to get a distributed peer to peer randomness service.
| 
| I could roll a die in return for $random crypto currency.
| 
| Obviously the amount could vary depending on the amount of randomness. So me thinking of a random number would get less than a die roll which would get less than this comment.
|   dspillett wrote:
|   _> When are we going to get a distributed peer to peer randomness service._
|   
|   The problem with that is how do you trust the source if you need "cryptographically secret" random numbers. One of the sources could poison the well with bad entropy and increase by a small but significant amount the chance of guessing your keys.
|   
|   OK, so you could pool the data from many sources, but that would add latency so not an option where performance matters and even then if someone gains control of a significant portion of the distributed system (just by standing up lots of hosts) the issue persists.
|   
|   You could also do a bunch of statistical tests, but again that is work that will harm performance and if you are going to that sort of effort anyway you could set up your own random sources (a couple of active Linux boxes, on older Linux kernels running haveged, on newer ones the latter part isn't needed (https://github.com/jirka-h/haveged/issues/57)) and use those tests to make sure those sources are statistically safe.
|   
|   So such a service isn't really needed, and where it might be isn't likely to be trusted, so it could exist but as a plaything not a serious service.
|   
|   On my little home server, not a particularly up to date CPU etc, running 5.10, I can pull >3Gbit/sec from /dev/random. Heck, the Pi400 that is currently my router can hand out ~230Mbit/sec of entropy.
|   beardog wrote:
|   If your values don't need to be secret, you can use the latest bitcoin header.[1]
|   
|   Similar to centralized random beacons like the NIST[2] and Chile beacons.
|   
|   1: https://eprint.iacr.org/2015/1015.pdf
|   
|   2: https://csrc.nist.gov/projects/interoperable-randomness-beac...
|   Nalta wrote:
|   that sounds like a great idea! I'll return 3 when peers ask me for a random number, and then I'll start seeing if that seed shows up in any prominent RSA private keys
| remram wrote:
| Is there an actual license file somewhere? Not only is the title of the page not necessarily authoritative enough, but public-domain dedication is not a thing in many countries, which is why CC-0 exists.
|   LarryMullins wrote:
|   > _but public-domain dedication is not a thing in many countries, which is why CC-0 exists._
|   
|   Has there ever been a real instance of this distinction actually mattering? Has a German software company ever gotten into _real_ trouble because they used American public domain code without a locally valid license?
|   
|   It seems like an academic objection for lawyers to wring their hands about. Risk averse organizations with investors will demand licenses for software like SQLite because a few thousand dollars to eliminate a minuscule remote risk is basically nothing to a software business. But does your average German FOSS hacker bother to buy a license to SQLite? Would that really be a rational use of their own money? I doubt it.
|     cryptonector wrote:
|     SQLite3 is in every phone and every laptop and... Do Apple, Google, etc. have to do something special in order to use SQLite3 in Germany? Have there been any court cases about this? Have there been any fines issued or paid over this? IMO the whole Germany-doesn't-have-public-domain thing is just FUD.
|       LarryMullins wrote:
|       SQLite offers to sell licenses to organizations that worry about it, Apple and Google have probably bought such licenses to cover their asses in Germany just in case.
|     adamgordonbell wrote:
|     Not sure. But I think SQLite won't look at contributions from non-public domain countries. I mean, they aren't really open to contributions anyhow, but being public domain was mentioned to me by Richard as a mistake they made that they've had to deal with.
|       LarryMullins wrote:
|       > _being public domain was mentioned to me by Richard as a mistake they made that they've had to deal with_
|       
|       This doesn't sound right. Did he explain to you why he thinks he's stuck with it? He has the legal right to release SQLite under some other license _and does so_ when companies pay him for it.
|       
|       Generally speaking, nothing about putting code in the public domain precludes collaborating with other developers. SQLite's caution against accepting contributions (even when the contributor is another American willing to sign over their contribution to the public domain) probably has more to do with Oracle being notoriously litigious and nasty. Not accepting contributions reduces the risk of one day being sued by Oracle, since it reduces the risk that Oracle IP might accidentally show up in SQLite. This would be a concern _regardless_ of what sort of license SQLite used.
|       
|       If you're not worried about that sort of thing, there is nothing which prevents an American FOSS developer from accepting public domain contributions from other developers.
|     [deleted]
|     remram wrote:
|     On some level, no open-source license matters, you are not going to get in trouble for stealing some rando's GitHub repository. In fact they would never find out.
|     
|     However if this aspect is important enough to you that you put it in the very title of your site, you should probably do it in a way that actually works for people.
|       loeg wrote:
|       DJB has also written about the public domain: http://cr.yp.to/publicdomain.html
|       LarryMullins wrote:
|       > _However if this aspect is important enough to you that you put it in the very title of your site, you should probably do it in a way that actually works for people._
|       
|       I assert that public domain does work for _people_, even Germans in practice. It doesn't work for risk averse _corporations_.
|         remram wrote:
|         The point of a license is entirely to mitigate risk. I trust open-source developers to not go after me and my meager projects, but still I appreciate when they take the 2min needed to slap a legal-like document on their library.
|         
|         When you refuse to do that, and decide to spend way more than 2min explaining your belief that this might not be required (though you are not a lawyer, have no court decisions to back it up, and have otherwise done a limited review of a few countries), you are making the conscious decision to go out of your way to increase the risk on me. I don't appreciate that, but does that really make me "risk-averse"?
|           LarryMullins wrote:
|           American FOSS developers who put their code in the public domain are taking those 2 minutes to slap a legal-like document on their code. A short document telling other programmers that the code is public domain clearly communicates the intent and wishes of the author to other developers.
|           
|           They're giving something to the world for free, with no strings attached, clearly communicated. But despite that, some people will complain because it wasn't done in precisely the correct way to keep corporate lawyers in a notoriously legalistic and pedantic foreign country happy.
|           dragonwriter wrote:
|           Any legal-like document that mitigates risk for one party does so by restricting another party.
|           
|           So, it's natural that people will choose _not_ to do more than they see as necessary to deal with speculative risks raised by third-parties who are often either not attorneys, or attorneys for people whose interests are not aligned with those whose action is sought, based on some foreign legal system with which the actor is unfamiliar.
|           
|           If you don't like what you are being offered for free, you are, of course, at liberty to move along.
|   tptacek wrote:
|   This is a whole can of worms with Bernstein. But the library is pretty trivial, so if this really worries you, just use `getrandom`.
|   
|   The actual source files are all labeled "public domain". That's all you're going to get from him.
|   loeg wrote:
|   > public-domain dedication is not a thing in many countries
|   
|   See the author's other page with thoughts on this subject: http://cr.yp.to/publicdomain.html
|   orlp wrote:
|   https://cr.yp.to/publicdomain.html
|   
|   I'm not taking a stance, I'm just the messenger.
|     remram wrote:
|     Interesting. It is on purpose then, for equal or worse.
|     
|     Maybe he's right, maybe he's wrong. What he's not is a judge or lawyer, so I'll keep with the status quo of licensing.
|       loeg wrote:
|       What he isn't is a German. He's an American and the public domain is healthy and well established here.
| jcrites wrote:
| Are there any methods of generating randomness on common platforms -- Linux (raw or VM), Windows, MacOS -- that are suitable for use as a cryptographic one-time pad?
| 
| The definition of this library function seems to suggest that it's suitable:
| 
| > librandombytes aims for the following stringent randomness goal: no feasible computation will ever be able to tell the difference between the output bytes and true randomness (independent uniformly distributed random bytes).
| 
| However my understanding is that PRNGs are not a suitable source of randomness for one time pads; that this would reduce OTP encryption to being something like an ad hoc stream cipher.
| 
| So some implementations that might look random wouldn't actually provide a suitable bitstream for this purpose: the bits in the output would be correlated, if in a complex, cryptographically obscure way. (But bits in a one-time pad should all be entirely random and uncorrelated.)
| 
| Is that accurate?
| 
| Do modern PCs have an efficient way to produce meaningful amounts of true stochastic random data suitable for use with OTP encryption (such as the RDRAND instruction)? What are some good abstractions for producing a stream of random data suitable for use with OTP cryptography?
| 
| Edit: this is a question for the sake of curiosity. I realize that practical systems have many threat vectors and that OTP is not a panacea, or even necessarily an improvement.
|   loeg wrote:
|   > this would reduce OTP encryption to being something like an ad hoc stream cipher.
|   
|   What do you think a stream cipher is? CTR-mode stream ciphers are just a PRF stream (which a CSPRNG provides) XOR'd with your data, and maybe concatenated with a MAC.
|   
|   If your PRNG generates the same output twice, your OTP is hosed. Your CTR-mode is also hosed. So, a CSPRNG must not produce the same output twice.
|   
|   Also, what Thomas said. OTP is not a thing.
|   tptacek wrote:
|   "OTP cryptography" is for the most part not a thing. If you were running a spy ring and literally giving each of your agents a paper pad with numbers on them, you could print them from `getrandom` output; the `getrandom` bytes wouldn't be how that system was attacked.
___________________________________________________________________
(page generated 2023-01-26 23:00 UTC)
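The point loeg makes in the thread (a CTR-mode stream cipher is a PRF stream XOR'd with the data, and a keystream that repeats ruins it exactly as a reused pad would) and tptacek's "just use `getrandom`", as an added Python example that is not from the thread, from librandombytes, or from any of the commenters. The PRF is HMAC-SHA256 run in counter mode, chosen so the example runs on the standard library alone; it stands in for a real stream cipher and is not one. Keys and nonces come from `os.urandom`, which CPython backs with `getrandom(2)` on Linux. `NonceTracker` is a hypothetical defensive check written for this example, not an API of any library; the plaintexts are constructed sample values.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, nonce || counter) for counter = 0, 1, ...

    HMAC-SHA256 stands in for the block cipher / PRF of a real stream
    cipher. Illustrative construction only (assumption for this example),
    not librandombytes and not any standard cipher.
    """
    if len(nonce) != 16:
        raise ValueError("nonce must be 16 bytes")
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        msg = nonce + counter.to_bytes(8, "big")
        blocks += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """CTR-mode 'stream cipher': keystream XOR data. No MAC is appended
    here, so this is confidentiality only, not authenticated encryption."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream undoes itself


def fresh_key() -> bytes:
    # os.urandom is the getrandom(2)-backed interface (on Linux) that the
    # thread recommends over hand-rolled randomness.
    return os.urandom(32)


def fresh_nonce() -> bytes:
    return os.urandom(16)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What a passive observer holds when two messages were encrypted under
    the same (key, nonce): c1 XOR c2 == p1 XOR p2, because the identical
    keystream cancels out. This is the 'hosed' case from the thread; a pad
    used twice fails in exactly the same way."""
    return xor_bytes(c1, c2)


class NonceTracker:
    """Hypothetical defensive wrapper: refuse to encrypt twice under the same
    (key, nonce). Fine for an example; real systems use a counter or a
    nonce wide enough never to repeat, and rotate keys, rather than
    remembering every nonce ever used."""

    def __init__(self):
        self._seen = set()

    def encrypt(self, key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
        tag = (key, nonce)
        if tag in self._seen:
            raise ValueError("keystream reuse: nonce already used with this key")
        self._seen.add(tag)
        return encrypt(key, nonce, plaintext)


def demo() -> None:
    key = fresh_key()
    p1 = b"attack at dawn!!"   # constructed sample plaintexts, 16 bytes each
    p2 = b"retreat at dusk!"
    n1, n2 = fresh_nonce(), fresh_nonce()
    print("distinct nonces:", encrypt(key, n1, p1).hex(), encrypt(key, n2, p2).hex())
    # Same key and nonce for both messages: the XOR of the ciphertexts is the
    # XOR of the plaintexts, independent of how good the key was.
    leak = reuse_leak(encrypt(key, n1, p1), encrypt(key, n1, p2))
    print("reused nonce leaks p1^p2:", leak == xor_bytes(p1, p2))


if __name__ == "__main__":
    demo()
```

Running the module prints two unrelated-looking ciphertexts for distinct nonces and then confirms the XOR leak once a nonce repeats. `NonceTracker` is the kind of check that turns that silent failure into a loud one; the real fix is at the protocol level (counter or random nonces wide enough never to repeat, key rotation, and a MAC on top), which is the "maybe concatenated with a MAC" half of loeg's description.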