
Web server offers true random numbers via fluctuations of the quantum vacuum - rickyconnolly
http://www.jwz.org/blog/2012/04/random-numbers-via-fluctuations-of-the-quantum-vacuum/
======
marshray
I see a few people mentioning applications of this in cryptography and I feel
that this is harmful.

You do _not_ need exotic hardware to collect entropy to generate crypto keys.
You need a correctly designed cryptographically secure PRNG which has had time
to accumulate 100 or so bits of entropy (i.e., unknowability to the attacker).
It's nice if it can be freshened every now and then with more entropy, but
that really only should make a difference if you lose a backup tape and by
some miracle the private key wasn't on there already. After it's warmed up, it
should never need to block due to 'depleted entropy'. No one has ever broken
such a CSPRNG. This is how the OpenSSL, OpenBSD, and FreeBSD /dev/randoms
work.

On the other hand, what does tend to get broken regularly are overcomplicated
and overengineered RNGs like this beast.

The one on the new Intel chips is handy, but it's largely overkill. We only
need 100 bits now and then, not a steady rate at Gb/s (which can shut off
abruptly when an attacker sharing your cloud hardware node decides to starve
you of them). It's also not something that we can review for backdoors, so we
should be reluctant to use it as the sole source of entropy.

A quantum vacuum random server is great like the way an internet-connected
coffee pot is great. Fun, but not useful in production.

~~~
tptacek
One wouldn't want to give the impression that CSPRNG design is a solved
problem, but I think you're right: exotic "true random" entropy sources
definitely don't target the real challenges.

~~~
JoachimSchipper
Are you aware of any instances of the OS /dev/Xrandom failing in an
exploitable way, assuming proper initialization? I'm sure that people still
mess up, but there are a lot of problems that are solved in that sense.

~~~
tptacek
There's a well-known and very good Black Hat talk from I think 2007 that
attacked cold-start entropy on embedded devices, but you could rephrase that
as an entropy estimation problem.

------
mike-cardwell
If you have a modernish machine running Linux, find out if it has a TPM
(Trusted Platform Module) built in. If it does, you can use an application
called "Trousers" to take advantage of its built in hardware random number
generator. It will directly feed random data into /dev/random.

If you don't have a TPM, you can get one of these usb sticks:
<http://www.entropykey.co.uk/> and it will also feed /dev/random with large
amounts of real random data.

~~~
teamnyble
Can anyone explain how this works? The entropy key site says "The Entropy Key
contains two high-quality noise generators, and an ARM Cortex CPU that
actively measures, checks and confirms all generated random numbers, before
encrypting them and sending them to the server"... but why can't we just write
high-quality noise generators in software? How is the hardware better?

~~~
DanBC
Everyone has mentioned how software is deterministic.

Hardware RNGs sometimes rely on thermal noise (which is really random) but
there are sometimes flaws with how that noise is sampled and de-skewed. Also,
they need to be monitored to cope with hardware failure. Be aware, especially
if you're using them for cryptography, that they might be a poor fit for your
purpose.

Testing Hardware RNGs

(<http://www.robertnz.net/true_rng.html>)

EDIT:

Descriptions of various forms of noise:

([http://www.eie.polyu.edu.hk/~ensurya/lect_notes/commun_cir/C...](http://www.eie.polyu.edu.hk/~ensurya/lect_notes/commun_cir/Ch3/Chapter3.htm))

And surely everyone on HN knows that part of the "snow" noise displayed on an
untuned TV is cosmic background radiation, i.e. "afterglow" of the big bang. I
still find that amazing.
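
The two concerns raised in the comment above, de-skewing and monitoring for hardware failure, sketched as an added example that is not part of the original thread: a von Neumann extractor and a repetition count check modeled on the one in NIST SP 800-90B. All function names and the three simulated sources are constructed for illustration.

```python
import math
import random

def von_neumann(bits):
    """De-skew: read non-overlapping pairs; 01 -> 0, 10 -> 1, drop 00 and 11."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]

def rct_cutoff(entropy_per_sample, alpha_exp=20):
    """Alarm run length: 1 + ceil(-log2(alpha) / H), with alpha = 2**-alpha_exp."""
    return 1 + math.ceil(alpha_exp / entropy_per_sample)

def repetition_count_ok(samples, cutoff):
    """Return False if any value occurs `cutoff` or more times in a row."""
    run, last = 0, None
    for s in samples:
        run = run + 1 if s == last else 1
        last = s
        if run >= cutoff:
            return False
    return True

def ones_fraction(bits):
    return sum(bits) / len(bits) if bits else None

def constructed_sources(n=200_000, seed=1):
    """Simulated raw samples (constructed for illustration, not hardware data)."""
    rng = random.Random(seed)  # simulation only; never a key source
    return {
        "biased": [1 if rng.random() < 0.9 else 0 for _ in range(n)],  # skewed
        "stuck": [1] * n,                                # failed hardware
        "alternating": [0, 1] * (n // 2),                # fully correlated
    }

def report():
    cutoff = rct_cutoff(1.0)  # source is claimed to deliver 1 bit per sample
    out = {}
    for name, raw in constructed_sources().items():
        cooked = von_neumann(raw)
        out[name] = {
            "raw_ones": ones_fraction(raw),
            "raw_rct_ok": repetition_count_ok(raw, cutoff),
            "cooked_ones": ones_fraction(cooked),
            "cooked_rct_ok": repetition_count_ok(cooked, cutoff),
            "yield": len(cooked) / len(raw),
        }
    return out

if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

The alternating source passes the raw repetition check yet de-skews to all zeros, and the stuck source de-skews to nothing at all, which is why both the raw samples and the extractor output need watching.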

~~~
Craiggybear
Actually, only about 5% is. The rest has more local origin.

------
acqq
People, if you need random numbers for some application of yours, you
shouldn't get them from their server, period. See alternatives in the posts
here. The most modern example, apparently the following hardware instruction
will be available in all next Intel processors:
<http://en.wikipedia.org/wiki/RdRand>

The main article is just to appreciate the pure _awesomeness_ of us being able
to actually see something that's a result of quantum fluctuations! In vacuum!

------
joblessjunkie
FermiLab has been offering HotBits for a very long time:

<http://www.fourmilab.ch/hotbits/>

The site contains some interesting discussion around randomness and how their
service works.

~~~
ScottBurson
Yes, but, uh ... Fourmilab is not Fermilab :-)

~~~
joblessjunkie
Ouch, that's a bit embarrassing...

------
noodly
Here's the original source: <http://150.203.48.55/index.php>

~~~
mapleoin
And here's a pretty stream of random colors:
<http://150.203.48.55/RainCol.php>

~~~
moontear
I wanted to post this too. Makes me feel special knowing that these are truly
random.

------
mtrimpe
I've always wondered how many probabilistic algorithms would have been
discovered which outperform deterministic ones if a high-bandwidth hardware
RNG was available on every machine.

~~~
patrickyeon
I understood that probabilistic algos only need something that "looks random
enough" and are fine using PRNGs. True randomness doesn't buy you any
improvement, as the algorithm is only counting on some of the properties of a
random source.

~~~
mbq
The game is about speed -- probabilistic algorithms use PRNGs so heavily that
their internal CPU demand may easily become the limiting factor.

------
andrewcooke
so is the paper that describes this available for free anywhere? the trail of
links from that page ends at
[http://apl.aip.org/resource/1/applab/v98/i23/p231103_s1?isAu...](http://apl.aip.org/resource/1/applab/v98/i23/p231103_s1?isAuthorized=no)

update - similar article (free) from same people
[http://www.opticsinfobase.org/view_article.cfm?gotourl=http%...](http://www.opticsinfobase.org/view_article.cfm?gotourl=http%3A%2F%2Fwww%2Eopticsinfobase%2Eorg%2FDirectPDFAccess%2F7E9122D0-A0B4-6DFC-9DAF7CF4BF5D2F30_222934%2Epdf%3Fda%3D1%26id%3D222934%26seq%3D0%26mobile%3Dno&org=)
(source
[http://www.opticsinfobase.org/oe/abstract.cfm?uri=oe-19-21-2...](http://www.opticsinfobase.org/oe/abstract.cfm?uri=oe-19-21-20665)
)

[it seems like this is actually a big deal - they are getting huge throughput]

------
Core-TX
oh noes. Not this poo again. Save money, and do the following.

- Get a high res webcam
- Open it up and remove the filters.
- Hook up the device.
- From time to time you'll see random white dots appear.

There you have your ultra cheap random number generator. Works best in high
radiation environments.

~~~
mike-cardwell
Do you know of any guides to do this? Are you aware of any free software to
convert the image data into a usable stream of random data?

~~~
rickyconnolly
"oh noes. Not this poo again. Save money, and do the following. - Get a high
res webcam - Open it up and remove the filters. - Hook up the device. - From
time to time you'll see random white dots appear. There you have your ultra
cheap random number generator."

It would seem that this method would be much more expensive and time consuming
than a simple web query. How precisely would this save me money?

~~~
DanBC
> _How precisely would this save me money?_

It's under your control. There's no chance of an attacker serving you skewed
numbers, or of MITM, or etc etc.

That may be important. (Cryptography, for example.)

Some people don't care, they just need some random numbers. People doing
modelling like a lot of random numbers that are random enough, but they don't
care if that same set of numbers is available elsewhere, or if it's easily
repeatable.

------
tete
Hasn't Via done something similar?

Since we have millions of transistors in our systems couldn't they (their
collectors) be used to generate "truly" random numbers?

------
EGreg
Perhaps they are only truly random until they are observed. After which they
become deterministic. :)

~~~
jerf
That might sort of be funny if it weren't simply true, and not in any sort of
funny-true way, either. Random numbers generated in the past are
deterministic. Of course they are. What would non-deterministic-yet-already-
generated numbers look like?

------
eli_gottlieb
I dunno, it could be entangled...

