
NIST Randomness Beacon - dfc
http://www.nist.gov/itl/csd/ct/nist_beacon.cfm
======
swordswinger12
One possible application of this that NIST didn't discuss is mentioned in a
new paper on accountable Bitcoin mixes:
[http://eprint.iacr.org/2014/077.pdf](http://eprint.iacr.org/2014/077.pdf)

They use signed contracts combined with a novel mixing fee mechanism based on
public randomness to ensure honest behavior by rational Bitcoin mixes. If
you're interested in Bitcoin the full paper is worth a read.

~~~
randomwalker
I'm one of the authors. It's interesting that you cite our paper as an
application of the NIST beacon. Perhaps a better reason to cite our paper is
that we actually design a beacon using the Bitcoin blockchain itself (Section
4.4), because the NIST beacon has many problems.

~~~
dfc
Besides trusting NIST what are the other problem[s]?

~~~
randomwalker
The other major one is reliability (but that is encompassed by sufficiently
broad interpretations of "trusting NIST.") Also, for our specific application
it's not clear how to assign precise timestamps to Bitcoin blocks that
everyone can agree on; this is necessary to be able to use a beacon that is
external to the block chain.

~~~
dfc
Thanks for responding. I never thought about bitcoin+time problems. Are there
any efforts/research into how to address the bitcoin+timestamp problem?

------
nknighthb
Ahahahaha no. You can only "prove to anybody that [you] used truly random
numbers not known before a certain point in time" if this supposed "anybody"
trusts that NIST isn't just sending out pre-generated numbers.

~~~
anigbrowl
You probably shouldn't use it for crypto, but this would be a big help in
scientific and industrial contexts where you can just point to NIST instead of
having to come up with answers about the quality of your random data source.
Say for example you want to showcase some algorithm that you say performs 10%
better than chance (in some field where that confers a significant time/$
advantage), this gives you a meaningful benchmark to measure against. And
since all the random data is stored, it makes certification of scientific
papers much more repeatable since they can just show logs of when the NIST
server was accessed in the materials & methods section of a paper. There are
many applications of a good random beacon besides crypto.

~~~
michaelmior
Forget how random the numbers are if your source of randomness is literally
being broadcast publicly, it doesn't matter.

~~~
Sanddancer
Things like Monte Carlo simulations can, and have, used public random numbers
over the years -- the Rand Corporation's book of one million random digits [1]
was used for this purpose. A public entropy source means that in verifying
something, you can demonstrate that there was nothing up your sleeve when you
used the points you did.

[1]
[http://www.rand.org/pubs/monograph_reports/MR1418.html](http://www.rand.org/pubs/monograph_reports/MR1418.html)

~~~
danielweber
I remember finding that book in the college library and sitting down to "read"
it. I was fascinated that someone would make such a thing.

------
mpyne
Very neat, though it's a pity that the warning about crypto in the lower-right
is so hard to notice.

I mean, people weren't going to trust NIST on this anyways but if you're going
to warn about crypto then it should probably be more prominent.

~~~
dfc
The dearth of documentation is also a pity.

~~~
marshray
If only they had a web interface as handy as
[http://www.random.org/integers/?mode=advanced](http://www.random.org/integers/?mode=advanced)

~~~
dfc
At least the UI is better than a book from RAND.

------
midas007
Who in their right mind would trust anything NIST offers considering Dual DRBG
EC? Best bet is to use many entropy sources including local hardware (ie sound
card audio input) mixed in a fortuna entropy pool.

~~~
dfc
The metrology folks at NIST are top notch. I think they have been awarded four
Nobels in physics in the last twenty years.

~~~
Karunamon
Unfortunately, that attests greatly to their credentials and precisely nil to
their trustworthiness. For all we know there are NSL gag orders in effect.

~~~
dfc
I am not sure what you are talking about. Do you know what metrology is?

If there is a NSL gag order in effect for the work recognized by the 2012
Physics Nobel how did the committee hear about the work? You think the
scientific community just took Haroche and Wineland's word and never looked
into their results?

~~~
midas007
Please, allow me to paraphrase 'pg: pedigree is for suckers.

These data points have absolutely nothing to do with practical, trustworthy
crypto standard processes or confidence in their ability to due-diligence
systems.

~~~
dfc
Please allow me to paraphrase dfc, "confusing metrology with crypto is for
suckers."

To recap; you started this thread with "Who in their right mind would trust
anything NIST offers." I responded by pointing out that there is a very
talented group of people working on metrology at NIST and that some of these
individuals have been awarded Nobels. What is the connection between
trustworthy crypto standards and metrology?

~~~
midas007
Maybe you're not reading the same words...

Nobel snobels, still has nothing to do with crypto.

Thank you for arguing my original position for me.

~~~
dfc
You did not limit your criticism to the crypto group at NIST. Your comment was
about "anything" that came out of NIST. I am not sure how I argued your
original position by saying that the metrology work that comes out of NIST is
top notch. How did I support your claim by arguing and presenting evidence of
the opposite?

~~~
midas007
You presented my argument in argumentative manner as something different. None
of this has anything to do with NIST's reputation for evaluating crypto systems
and guiding standards. So please give up trying to say how great their weights
and standards are, because again, a Nobel in physics has nothing to do with
crypto.

~~~
dfc
I just read the bit in your profile about wanting to get to zero karma in
2014. It never occurred to me I was an unwitting conspirator in your race to
the bottom. Had I known this I never would have "presented [your] argument in
argumentative manner."

~~~
midas007
Ad hominem attacks and claims of moral superiority also have nothing to do
with NIST allowing Dual EC DRBG to be backdoored and this entropy source being
suspicious.

~~~
astrange
I don't know why you'd accuse a source of public randomness of having a
_backdoor_. It has a _front door_.

------
UweSchmidt
Regarding other RNG products they comment: "However, demonstrably
unpredictable values are not possible to obtain in any classical physical
context."

What's wrong with any hardware RNG that produces 0's and 1's straight from
physics, if these also pass the relevant statistical tests?

~~~
hahainternet
Physics is predictable

~~~
UweSchmidt
To clarify:

What's wrong with any hardware RNG that produces 0's and 1's straight from
observing natural phenomena like "thermal noise, the photoelectric effect, and
other quantum phenomena", as wikipedia puts it[1].

How can they do better than that; specifically, what do they mean with
"demonstrably unpredictable values"?

[1]
[http://en.wikipedia.org/wiki/Hardware_random_number_generato...](http://en.wikipedia.org/wiki/Hardware_random_number_generator)

~~~
sp332
From the quote you already posted: "in any _classical_ physical context".
They're not talking about anything quantum.

~~~
UweSchmidt
Got it, thanks!

------
motters
Why would anyone trust a public random source? It may be truly random, but it
can also be completely recorded such that if anyone uses this as a random
source and the timestamp is known then the encryption can be broken.

~~~
Perseids
You cannot use that randomness for private key or private data generation,
true. But there are less common usage scenarios that need unpredictable
randomness that is guaranteed to be generated only after a certain point in
time. For two party protocols you can exchange nonces to prove that both
parties are participating in this exact moment, but those don't scale to
thousands of mutually distrustful parties. An example for that is the proposed
Bitcoin protocol change that is already cited by swordswinger12 which prevents
attackers from hoarding Bitcoin blocks.
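The usage Sanddancer and Perseids describe (a public value that lets you show there was nothing up your sleeve, and that is guaranteed not to have existed before a certain time) is the commit-then-draw pattern. The following is an added example, not code from the thread or from NIST: a list of candidates is committed to before the beacon value exists, the beacon value then picks which ones get checked, and anyone can recompute the pick later. The beacon output and the candidate list are constructed stand-ins, and the derivation (HMAC-SHA-256 keyed on the beacon value, with rejection sampling) is this example's own choice, not a NIST-specified construction.

```python
import hashlib
import hmac
from typing import List

# Constructed stand-in for one published beacon output (64 bytes, hex). It is
# not a real NIST beacon record; the point is only that it is public, fixed,
# and did not exist when the commitment below was published.
BEACON_OUTPUT_HEX = "3f5a" * 32


def commit(items: List[str]) -> str:
    """Step 1 (before the beacon value exists): publish a hash of the canonical
    candidate list, e.g. the runs to audit or the cases to spot-check. This is
    the 'nothing up my sleeve' part: the list can no longer be edited to fit
    the draw once the hash is public."""
    canonical = "\n".join(items).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def draw_indices(beacon_hex: str, population: int, k: int, commitment: str) -> List[int]:
    """Step 2 (after the beacon value is published): derive k distinct indices
    in [0, population) from the beacon output, keyed to the commitment so the
    same beacon value yields different draws for different committed lists.
    Rejection sampling keeps the draw uniform (no modulo bias)."""
    if not 0 < k <= population:
        raise ValueError("k must be between 1 and population")
    key = bytes.fromhex(beacon_hex)
    limit = (1 << 256) - ((1 << 256) % population)
    chosen: List[int] = []
    counter = 0
    while len(chosen) < k:
        msg = commitment.encode("ascii") + counter.to_bytes(4, "big")
        counter += 1
        value = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")
        if value >= limit:
            continue  # reject and try the next counter value
        idx = value % population
        if idx not in chosen:
            chosen.append(idx)
    return chosen


def verify_draw(items: List[str], commitment: str, beacon_hex: str, claimed: List[int]) -> bool:
    """Step 3 (anyone, later): recompute the commitment from the published list
    and the draw from the public beacon value; both must match the claim."""
    if commit(items) != commitment:
        return False
    return draw_indices(beacon_hex, len(items), len(claimed), commitment) == claimed


if __name__ == "__main__":
    runs = [f"run-{i:03d}" for i in range(50)]      # constructed candidate list
    c = commit(runs)                                 # published before the draw
    picks = draw_indices(BEACON_OUTPUT_HEX, len(runs), 5, c)
    print("commitment:", c)
    print("audited:", [runs[i] for i in picks])
    print("verifies:", verify_draw(runs, c, BEACON_OUTPUT_HEX, picks))
```

The only thing the beacon contributes here is a value nobody could have known when the commitment was published; it never needs to be secret, which is why this use is fine while using the same value as a key is not.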

------
Houshalter
What would happen if, just by random chance, the numbers ended up in a pattern
that isn't "random". Like it returned 4 a thousand times in a row or something
like that. What's the worst-case scenario?

------
felipelalli
Why they say "DO NOT USE BEACON GENERATED VALUES AS SECRET CRYPTOGRAPHIC
KEYS"?

~~~
josephagoss
Because you can't know for certain that the values are random and thus it's a
terrible idea to use them in cryptography.

~~~
mpyne
Beyond the randomness thing (which you're right about, although NIST _is_
claiming that they're actually random), the problem is that they're not
secret.

Given that, you'd probably want to avoid using it for any crypto use (not just
secret parameters) unless you can be sure that using this randomness for a
public parameter doesn't break the cryptosystem (or USG isn't in your threat
model). Given that few of us are experts in cryptology it would seem like the
safe thing to do is to avoid it for crypto use at all.

------
efalcao
can anyone help me understand why the chain of signed/hashed values is
important? Is it all about tampering?
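What the chaining buys is best seen by trying to tamper with it. The following is an added example, not code from the thread or NIST's own record format: a toy beacon in which each record's published value is the hash of a signature over the period's inputs plus the previous record's output, and a client-side check that walks the chain. Field names and the layout are this example's assumptions, and the signing key is modelled with an HMAC key so the block runs on the standard library alone (a real beacon signs with a private key and clients verify against the published public key).

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import List, Optional

# Toy model of a chained, signed beacon. Field names and the record layout are
# chosen for this example and do not match the real NIST record format. The
# beacon's signing key is modelled with an HMAC key (an assumption made so the
# example runs on the standard library alone).
BEACON_KEY = b"constructed-beacon-signing-key"
GENESIS_PREVIOUS = "00" * 64   # previous_output of the very first record


@dataclass(frozen=True)
class Record:
    timestamp: int          # seconds; the beacon publishes once per period
    seed: str               # hex: fresh entropy drawn for this period
    previous_output: str    # hex: output of the preceding record (the chain link)
    signature: str          # hex: covers timestamp, seed and previous_output
    output: str             # hex: the published random value, derived from signature


def _signing_input(timestamp: int, seed: str, previous_output: str) -> bytes:
    return f"{timestamp}|{seed}|{previous_output}".encode()


def _sign(timestamp: int, seed: str, previous_output: str) -> str:
    return hmac.new(BEACON_KEY, _signing_input(timestamp, seed, previous_output),
                    hashlib.sha512).hexdigest()


def make_record(timestamp: int, seed: str, previous_output: str) -> Record:
    """Beacon side: sign the period's inputs, then publish the hash of the signature."""
    signature = _sign(timestamp, seed, previous_output)
    output = hashlib.sha512(bytes.fromhex(signature)).hexdigest()
    return Record(timestamp, seed, previous_output, signature, output)


def build_chain(seeds: List[str], start: int = 1_000_000, period: int = 60) -> List[Record]:
    chain: List[Record] = []
    previous = GENESIS_PREVIOUS
    for i, seed in enumerate(seeds):
        record = make_record(start + i * period, seed, previous)
        chain.append(record)
        previous = record.output
    return chain


def first_bad_index(chain: List[Record]) -> Optional[int]:
    """Client side: return the index of the first record that fails a check, or
    None if every record links to its predecessor, carries a valid signature,
    and publishes exactly the output its signature implies."""
    previous = GENESIS_PREVIOUS
    for i, r in enumerate(chain):
        if r.previous_output != previous:
            return i                      # link to the prior record is broken
        expected_sig = _sign(r.timestamp, r.seed, r.previous_output)
        if not hmac.compare_digest(expected_sig, r.signature):
            return i                      # inputs or signature were altered
        if hashlib.sha512(bytes.fromhex(r.signature)).hexdigest() != r.output:
            return i                      # published value does not match signature
        previous = r.output
    return None


def with_output_replaced(chain: List[Record], index: int, new_output: str) -> List[Record]:
    """Simulate an outsider rewriting one archived output value."""
    altered = list(chain)
    altered[index] = replace(chain[index], output=new_output)
    return altered


def with_record_resigned(chain: List[Record], index: int, new_seed: str) -> List[Record]:
    """Simulate an insider who holds the signing key substituting a whole record
    for one period while the later, already published records stay as they were."""
    altered = list(chain)
    altered[index] = make_record(chain[index].timestamp, new_seed, chain[index].previous_output)
    return altered


if __name__ == "__main__":
    chain = build_chain([f"{i:02x}" * 32 for i in range(5)])   # constructed seeds
    print("intact chain:", first_bad_index(chain))
    print("output rewritten at 2:", first_bad_index(with_output_replaced(chain, 2, "ab" * 64)))
    print("record re-signed at 2:", first_bad_index(with_record_resigned(chain, 2, "ff" * 32)))
```

The two tamper cases answer the question: without the key, changing a past value breaks that record's own signature check; with the key, a substituted record is internally valid but the next record no longer links to it, so the whole suffix would have to be re-signed, and anyone who archived any later record notices. The signatures stop outsiders; the chain is what makes retroactive substitution by the operator visible.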

