[HN Gopher] Librandombytes - a public domain library for generat...
Librandombytes - a public domain library for generating randomness
Author : tkhattra
Score : 50 points
Date : 2023-01-26 18:46 UTC (4 hours ago)
(HTM) web link (randombytes.cr.yp.to)
| benj111 wrote:
| When are we going to get a distributed peer to peer randomness
| service.
|
| I could roll a die in return for $random crypto currency.
|
| Obviously the amount could vary depending on the amount of
| randomness. So me thinking of a random number would get less than
| a die roll which would get less than this comment.
| dspillett wrote:
| _> When are we going to get a distributed peer to peer
| randomness service._
|
| The problem with that is how do you trust the source if you
| need "cryptographically secret" random numbers. One of the
| sources could poison the well with bad entropy and increase by
| a small but significant amount the chance of guessing your
| keys.
|
| OK, so you could take the data from many sources, but that would add
| latency so not an option where performance matters and even
| then if someone gains control of a significant portion of the
| distributed system (just by standing up lots of hosts) the
| issue persists.
|
| You could also do a bunch of statistical tests, but again that
| is work that will harm performance and if you are going to that
| sort of effort anyway you could setup your own random sources
| (a couple of active Linux boxes, on older Linux kernels running
| haveged, on newer ones the latter part isn't needed
| (https://github.com/jirka-h/haveged/issues/57)) and use those
| tests to make sure those sources are statistically safe.
|
| So such a service isn't really needed, and where it might be
| isn't likely to be trusted, so it could exist but as a play-
| thing not a serious service.
|
| On my little home server, not a particularly up to date CPU
| etc, running 5.10, I can pull >3Gbit/sec from /dev/random.
| Heck, the Pi400 that is currently my router can hand out
| ~230Mbit/sec of entropy.
| beardog wrote:
| If your values don't need to be secret, you can use the latest
| bitcoin header.[1]
|
| Similar to centralized random beacons like the NIST[2] and
| Chile beacons.
|
| 1: https://eprint.iacr.org/2015/1015.pdf
|
| 2: https://csrc.nist.gov/projects/interoperable-randomness-
| beac...
| Nalta wrote:
| that sounds like a great idea! I'll return 3 when peers ask me
| for a random number, and then I'll start seeing if that seed
| shows up in any prominent RSA private keys
| remram wrote:
| Is there an actual license file somewhere? Not only is the title
| of the page not necessarily authoritative enough, but public-
| domain dedication is not a thing in many countries, which is why
| CC-0 exists.
| LarryMullins wrote:
| > _but public-domain dedication is not a thing in many
| countries, which is why CC-0 exists._
|
| Has there ever been a real instance of this distinction
| actually mattering? Has a German software company ever gotten
| into _real_ trouble because they used American public domain
| code without a locally valid license?
|
| It seems like an academic objection for lawyers to wring their
| hands about. Risk averse organizations with investors will
| demand licenses for software like SQLite because a few thousand
| dollars to eliminate a minuscule remote risk is basically
| nothing to a software business. But does your average German
| FOSS hacker bother to buy a license to SQLite? Would that
| really be a rational use of their own money? I doubt it.
| cryptonector wrote:
| SQLite3 is in every phone and every laptop and... Do Apple,
| Google, etc. have to do something special in order to use
| SQLite3 in Germany? Have there been any court cases about
| this? Have there been any fines issued or paid over this? IMO
| the whole Germany-doesn't-have-public-domain thing is just
| FUD.
| LarryMullins wrote:
| SQLite offers to sell licenses to organizations that worry
| about it, Apple and Google have probably bought such
| licenses to cover their asses in Germany just in case.
| adamgordonbell wrote:
| Not sure. But I think SQLite won't look at contributions from
| non-public domain countries. I mean, they aren't really open
| to contributions anyhow, but being public domain was
| mentioned to me by Richard as a mistake they made that
| they've had to deal with.
| LarryMullins wrote:
| > _being public domain was mentioned to me by Richard as a
| mistake they made that they've had to deal with_
|
| This doesn't sound right. Did he explain to you why he
| thinks he's stuck with it? He has the legal right to
| release SQLite under some other license _and does so_ when
| companies pay him for it.
|
| Generally speaking, nothing about putting code in the
| public domain precludes collaborating with other
| developers. SQLite's caution against accepting
| contributions (even when the contributor is another
| American willing to sign over their contribution to the
| public domain) probably has more to do with Oracle being
| notoriously litigious and nasty. Not accepting
| contributions reduces the risk of one day being sued by
| Oracle, since it reduces the risk that Oracle IP might
| accidentally show up in SQLite. This would be a concern
| _regardless_ of what sort of license SQLite used.
|
| If you're not worried about that sort of thing, there is
| nothing which prevents an American FOSS developer from
| accepting public domain contributions from other
| developers.
| remram wrote:
| On some level, no open-source license matters, you are not
| going to get in trouble for stealing some rando's GitHub
| repository. In fact they would never find out.
|
| However if this aspect is important enough to you that you
| put it in the very title of your site, you should probably do
| it in a way that actually works for people.
| loeg wrote:
| DJB has also written about the public domain:
| http://cr.yp.to/publicdomain.html
| LarryMullins wrote:
| > _However if this aspect is important enough to you that
| you put it in the very title of your site, you should
| probably do it in a way that actually works for people._
|
| I assert that public domain does work for _people_, even
| Germans in practice. It doesn't work for risk averse
| _corporations_.
| remram wrote:
| The point of a license is entirely to mitigate risk. I
| trust open-source developers to not go after me and my
| meager projects, but still I appreciate when they take
| the 2min needed to slap a legal-like document on their
| library.
|
| When you refuse to do that, and decide to spend way more
| than 2min explaining your belief that this might not be
| required (though you are not a lawyer, have no court
| decisions to back it up, and have otherwise done a
| limited review of a few countries), you are making the
| conscious decision to go out of your way to increase the
| risk on me. I don't appreciate that, but does that really
| make me "risk-averse"?
| LarryMullins wrote:
| American FOSS developers who put their code in the public
| domain are taking those 2 minutes to slap a legal-like
| document on their code. A short document telling other
| programmers that the code is public domain clearly
| communicates the intent and wishes of the author to other
| developers.
|
| They're giving something to the world for free, with no
| strings attached, clearly communicated. But despite that,
| some people will complain because it wasn't done in
| precisely the correct way to keep corporate lawyers in a
| notoriously legalistic and pedantic foreign country
| happy.
| dragonwriter wrote:
| Any legal-like document that mitigates risk for one party
| does so by restricting another party.
|
| So, it's natural that people will choose _not_ to do more
| than they see as necessary to deal with speculative
| risks raised by third-parties who are often either not
| attorneys, or attorneys for people whose interests are
| not aligned with those whose action is sought, based on
| some foreign legal system with which the actor is
| unfamiliar.
|
| If you don't like what you are being offered for free,
| you are, of course, at liberty to move along.
| tptacek wrote:
| This is a whole can of worms with Bernstein. But the library is
| pretty trivial, so if this really worries you, just use
| `getrandom`.
|
| The actual source files are all labeled "public domain". That's
| all you're going to get from him.
| loeg wrote:
| > public-domain dedication is not a thing in many countries
|
| See the author's other page with thoughts on this subject:
| http://cr.yp.to/publicdomain.html
| orlp wrote:
| https://cr.yp.to/publicdomain.html
|
| I'm not taking a stance, I'm just the messenger.
| remram wrote:
| Interesting. It is on purpose then, for equal or worse.
|
| Maybe he's right, maybe he's wrong. What he's not is a judge
| or lawyer, so I'll keep with the status quo of licensing.
| loeg wrote:
| What he isn't is a German. He's an American and the public
| domain is healthy and well established here.
| jcrites wrote:
| Are there any methods of generating randomness on common
| platforms -- Linux (raw or VM), Windows, MacOS -- that are
| suitable for use as a cryptographic one-time pad?
|
| The definition of this library function seems to suggest that
| it's suitable:
|
| > librandombytes aims for the following stringent randomness
| goal: no feasible computation will ever be able to tell the
| difference between the output bytes and true randomness
| (independent uniformly distributed random bytes).
|
| However my understanding is that PRNGs are not a suitable source
| of randomness for one time pads; that this would reduce OTP
| encryption to being something like an ad hoc stream cipher.
|
| So some implementations that might look random wouldn't actually
| provide a suitable bitstream for this purpose: the bits in the
| output would be correlated, if in a complex, cryptographically
| obscure way. (But bits in a one-time pad should all be entirely
| random and uncorrelated.)
|
| Is that accurate?
|
| Do modern PCs have an efficient way to produce meaningful amounts
| of true stochastic random data suitable for use with OTP
| encryption (such as the RDRAND instruction)? What are some good
| abstractions for producing a stream of random data suitable for
| use with OTP cryptography?
|
| Edit: this is a question for the sake of curiosity. I realize
| that practical systems have many threat vectors and that OTP is
| not a panacea, or even necessarily an improvement.
| loeg wrote:
| > this would reduce OTP encryption to being something like an
| ad hoc stream cipher.
|
| What do you think a stream cipher is? CTR-mode stream ciphers
| are just a PRF stream (which a CSPRNG provides) XOR'd with your
| data, and maybe concatenated with a MAC.
|
| If your PRNG generates the same output twice, your OTP is
| hosed. Your CTR-mode is also hosed. So, a CSPRNG must not
| produce the same output twice.
|
| Also, what Thomas said. OTP is not a thing.
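The two constructions loeg describes, side by side, as an added example that is not part of this thread or of librandombytes: a one-time pad whose keystream comes from the OS CSPRNG (os.urandom, which calls getrandom on Linux) and a CTR-style stream cipher whose keystream is PRF output, with HMAC-SHA256 in counter mode as a stand-in PRF so the example needs only the standard library. It also illustrates jcrites's question above: both schemes are the same XOR, and reusing a keystream (the "same output twice" case) cancels it out of a pair of ciphertexts.

```python
import hashlib
import hmac
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; the only operation either scheme uses."""
    if len(a) != len(b):
        raise ValueError("keystream must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keystream(length: int) -> bytes:
    """One-time pad: fresh bytes straight from the OS CSPRNG, used once, never stored."""
    return os.urandom(length)


def prf_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: PRF(key, nonce || counter) blocks, concatenated and truncated.
    HMAC-SHA256 is a stand-in PRF (assumption); real CTR mode uses AES or ChaCha20."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(keystream: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(keystream, plaintext)


decrypt = encrypt  # XOR is its own inverse, for the pad and the PRF stream alike


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If one keystream covered both messages it cancels out of c1 XOR c2,
    leaving p1 XOR p2: the 'hosed' case for OTP and CTR mode alike."""
    return xor_bytes(c1, c2)


def demo() -> bool:
    p1 = b"attack at dawn!!"  # constructed sample messages, same length
    p2 = b"retreat at dusk!"
    pad = otp_keystream(len(p1))  # fresh pad: round-trips, nothing to compare against
    assert decrypt(pad, encrypt(pad, p1)) == p1
    key, nonce = os.urandom(32), os.urandom(16)
    ks = prf_keystream(key, nonce, len(p1))  # same structure, keystream from the PRF
    assert decrypt(ks, encrypt(ks, p1)) == p1
    c1, c2 = encrypt(ks, p1), encrypt(ks, p2)  # nonce reused for a second message
    return keystream_reuse_leak(c1, c2) == xor_bytes(p1, p2)
```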
| tptacek wrote:
| "OTP cryptography" is for the most part not a thing. If you
| were running a spy ring and literally giving each of your
| agents a paper pad with numbers on them, you could print them
| from `getrandom` output; the `getrandom` bytes wouldn't be how
| that system was attacked.