Published by Marcus Harbison. Modified about 1 year ago.

1
1 Good randomness is hard to find XKCD

2
Games for Extracting Randomness
Moni Naor, Ran Halprin
Weizmann Institute of Science, Israel
SOUPS, July 2009

3
3 Good randomness is hard to find
- Randomness: necessary in many computational tasks
  - Especially in cryptography!
- Randomness generation: a major point of failure in cryptography applications
  - The Debian Linux kernel (used in the Ubuntu distribution)
  - Removed a refresh command, leaving only PID
  - Generated only $2^{15}$ unique keys from 2006 to 2008

4
4 Sources of Randomness
- “Secret” data: Network Card ID, Processor ID etc.
  - Adversary may have had access to hardware
- Real time data: HD access, click times, mouse positions
  - HD doesn’t always exist (PDAs, SSD disks)
  - System might not be in direct use
- Physical sources: lava lamps, cloud patterns, atmospheric noise
  - Can be manipulated (even by accident) or copied
  - Cumbersome and expensive
- User request: “please hit many keys”, “please swish mouse”
  - Not necessarily terrible. This work – mostly complementary
  - QWERTY effect
  - Keyboard buffer fills quickly

5
5 It is Only Human to be Biased
- Sequences and numbers generated by humans are far from being “truly” random
- Problem: humans are notoriously bad at supplying randomness upon request
- Human randomness recognition is biased
- Similar results in randomness generation
- Humans assess human-generated randomness as more random than statistically good randomness
- Think of a number between 1 and 10 … 7? Think of a number between 1 and 20 … 17?
- Hot hand, gambler’s fallacy, flip bias
- Idea: use human actions in a game as a source!

6
6 Why Games?
1. The competitive nature of the game makes humans act more randomly when playing games
   - Compare: when just asked to act randomly
   - Demonstrated in an experiment by Rapoport and Budescu
2. Playing games is more entertaining to users than simply “supplying entropy”, meaning they will probably be willing to
   - Participate in the process
   - Supply more data
   - Von Ahn’s “Games with a purpose”

7
7 Matching Pennies
- Player 1 (misleader): Wins on or
- Player 2 (guesser): Wins on or
- Zero-sum mixed strategy game

8
8 Experiments in Psychology [RB92]
- Humans behave more randomly when playing Matching Pennies than when asked to generate a sequence
- Humans play against each other
- Look at a player’s “moves”
  - Black is 0, Red is 1
  - Results in binary sequences (one for each player)
- Consider tuples (2-tuples, 3-tuples, 4-tuples…)
  - Count how many appearances of each, detect sequential dependencies

9
9 Experiments in Psychology
- 2-tuples for Matching Pennies: alternate with 53% (expect 50%)
- 2-tuples for Instructed Generation: alternate with 59% (expect 50%)

10
10 Experiments in Psychology
- 3-tuples for Matching Pennies: all three identical 21% (expect 25%)
- 3-tuples for Instructed Generation: all three identical 15.5% (expect 25%)

11
11 Experiments in Psychology
- 4-tuples for Matching Pennies: all four identical 9.2%, alternations 15%
- 4-tuples for Instructed Generation: all four identical 5.2%, alternations 19.9%
- Both expected 12.5%

12
12 But is it good enough?
- Still not quite random
- Only a single bit is generated
- Can apply extractors
  - Combinatorial tool allowing us to smooth the randomness
- Crypto needs many bits to bootstrap – say 128
- Need games where more bits are generated per round

13
13 Our Contributions
- The idea of using games to induce randomness for crypto
- Suggest a particular game: “Mice and Elephants”
  - Test it
- Suggest how to incorporate randomness extraction from games into a system
  - Robust Pseudo-Random Generator
  - OS independent

14
14 Games Used for Extraction: Desiderata
- Encourages players to use a strategy with high min-entropy
- There exists a way to bound from below the min-entropy used by the player in an observed interaction
  - Measurement of randomness

15
15 More Desiderata
- Fun: should be at least somewhat interesting
  - Entertain players long enough so that they will willingly play enough to produce long sequences
- Easy: should not require extensive skills from the players
- Should be reasonably short
- Should not require expensive or large hardware
  - High-resolution screen or a fast processor

16
16 Who is Our Adversary?
- The user is not malicious
  - Lazy? Incompetent?
  - But not actively trying to subvert the system
- There is an external adversary and we are trying to protect the user from it
- Generate a long and robust pseudo-random sequence
- There is a second chance to check the user

17
17 Hide and Seek
1 2 … n
Hider (Misleader), Seeker (Guesser)

18
18 Hide and Seek
1 2 … n

19
19 Hide and Seek
- Natural extension of Matching Pennies
- Zero-sum mixed strategy game
- Produces $\log_2(n)$ bits of raw data per move
- But how random is this data?
  - Estimate empirically

20
20 Mice and Elephant
- Human positions r mice
- Computer positions elephant
- Repeat until a mouse is crushed

21
21 Mice and Elephant
Obstacles positioned at most popular locations
- Lowers repetition rate
- Adds visual interest

22
22 Mice and Elephant
- Elephant and obstacle positions
  - Usually randomly copy a recently played move
  - Occasionally random
- Human cannot predict even a “bad” PRG!
- Adversary can know computer randomness
  - Doesn’t help much in determining the human’s moves
- Each pixel is a cell in the grid. Board: 512 x 256 pixels
  - Derives $\log_2 512 + \log_2 256 = 17$ bits of raw data per click

23
23 Min-Entropy
- Probability distribution $X$ over $\{0,1\}^n$
- $H_\infty(X) = -\log \max_x \Pr[X = x]$
  - Represents the probability of the most likely value of $X$
- $X$ is a $k$-source if $H_\infty(X) \ge k$, i.e., $\Pr[X = x] \le 2^{-k}$ for all $x$
- Statistical distance of distributions: $\Delta(X,Y) = \sum_a |\Pr[X=a] - \Pr[Y=a]|$
- Example: $U_n$, the uniform distribution on $\{0,1\}^n$: $H_\infty(U_n) = n$
- Example: $H_\infty(X) = \min\{\log 2, \log 4, \log 8\} = 1$

24
24 Extractors
- Universal procedure for “purifying” an imperfect source
- Definition: $\mathrm{Ext}: \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^\ell$ is a (k, )-extractor if for every $k$-source $X$ the result is close to random: $\Delta(\mathrm{Ext}(X, U_d), U_\ell) \le$
- [Diagram labels: $x$ from a $k$-source of length $n$; seed $s$ of $d$ random bits; EXT; $\ell$ almost-uniform bits]
- Strong: output close to random even after seeing the seed

25
25 Mice and Elephant
- Each pixel is a cell in the grid, board is 512 x 256 pixels
  - Derives $\log_2 512 + \log_2 256 = 17$ bits of raw data per click
- How do we measure “randomness”?
  - Min-entropy definition: number of bits needed to describe the probability of the most probable result

26
26 Results: Humans playing patterns
- Tested 482 players, who played a total of 24,008 clicks
  - Recruited mostly online
  - Did not know experiment’s objective
- Clear bias for corners and edges
- But maximal represented point has only 7 clicks
- If each click is independent: min-entropy ~ 11.7 per click
- However, humans are not stateless distributions…

27
27 Results: Humans playing patterns
- First order difference (log scale)
- Clear preference for nearby region and axis of previous click
- Maximal represented point – 24
- Estimated min-entropy is ~ 9.96 per click
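The two per-click estimates on slides 26 and 27 can be reproduced with a plug-in min-entropy estimator; the following is an added example, not code from the presentation or its authors. The function names and the sample games are constructed, and using the total click count as the denominator for the first-order estimate is an assumption.

```python
import math
from collections import Counter

def min_entropy(max_count, total):
    """Plug-in estimate of H_inf = -log2(max_x Pr[X = x]) from observed counts.
    The result can never exceed log2(total), so small samples cap the estimate."""
    return -math.log2(max_count / total)

def zeroth_order(games):
    """Treat every click as an independent sample of one distribution."""
    counts = Counter(click for game in games for click in game)
    return min_entropy(max(counts.values()), sum(counts.values()))

def first_order(games):
    """Estimate over the (dx, dy) offset from the previous click in the same game,
    which captures the 'nearby region and axis' bias that zeroth_order misses."""
    diffs = Counter(
        (x1 - x0, y1 - y0)
        for game in games
        for (x0, y0), (x1, y1) in zip(game, game[1:])
    )
    return min_entropy(max(diffs.values()), sum(diffs.values()))

# Constructed sample (not experiment data): three short games on the 512 x 256 board.
SAMPLE_GAMES = [
    [(0, 0), (511, 255), (5, 5), (0, 0)],
    [(10, 10), (20, 10), (30, 10)],
    [(100, 50), (110, 50)],
]

if __name__ == "__main__":
    # Counts reported on the slides: 24,008 clicks, busiest cell 7, busiest offset 24.
    print(round(min_entropy(7, 24008), 2))
    print(round(min_entropy(24, 24008), 2))
    print(zeroth_order(SAMPLE_GAMES), first_order(SAMPLE_GAMES))
```

In the constructed sample the repeated (10, 0) offset drives the first-order estimate well below the zeroth-order one, the same effect the slides report for real players.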

28
28 Results: Humans playing patterns
- Second order difference (log scale)
- Clear preference for nearby region to both previous clicks
- Biases flatten out from this level

29
29 How to use the game
- When entropy is needed: start a game
- Repeat play until sufficient entropy is gathered
  - At least according to an estimate
- Award points according to game
- Detect “bad entropy” moves
  - Have a “dynamic score” to punish such moves
- Second chance

30
30 Robust Pseudo-Random Generators [Barak-Halevi 05’]
- Robust PRG: a cryptographic pseudo-random generator with
  - a next() that outputs a block
  - a refresh() that gets “fresh” entropy and refreshes the state
- [Diagram labels: State 1, next(), Output 1, State 2, entropy, EXT, refresh(), State 3, next(), Output 2]

31
31 Robust Pseudo-Random Generators [Barak-Halevi 05’]
- Forward secure
  - After break-in: past outputs of the system should still be indistinguishable from random
- Backward secure
  - After break-in, following the next “refresh” all outputs should be indistinguishable from random
- Immune to adversary control of entropy
- Can combine different entropy sources
  - Strongest link triumphs
- [Diagram labels: State 1, next(), Output 1, State 2, entropy, EXT, refresh(), State 3, next(), Output 2]

32
32 Robust Pseudo-Random Generators
- Forward security: after break-in, past outputs generated by the system should still be indistinguishable from random
- Backward security (break-in recovery): after break-in, and following the next “refresh”, all outputs should be indistinguishable from random to that adversary
- Immunity to adversarial entropy: even if the adversary gains complete control over the refresh entropy, the output of the system should still be indistinguishable from random
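A sketch of the next()/refresh() interface from slides 30 to 32, fed with game clicks, follows as an added example; it is not the construction from the presentation or from Barak and Halevi. HMAC-SHA256 standing in for both the PRG and the seeded extractor, the `RobustPRG` class and the 3-byte click encoding are all assumptions of this example.

```python
import hashlib
import hmac

def _prg(state: bytes, label: bytes) -> bytes:
    # Stand-in PRG (assumption): HMAC-SHA256 keyed with the secret state.
    return hmac.new(state, label, hashlib.sha256).digest()

def _extract(seed: bytes, raw: bytes) -> bytes:
    # Stand-in seeded extractor (assumption): HMAC-SHA256 keyed with a public seed.
    return hmac.new(seed, raw, hashlib.sha256).digest()

def encode_clicks(clicks) -> bytes:
    # 9 bits of x (0..511) and 8 bits of y (0..255): 17 raw bits per click, in 3 bytes.
    return b"".join(((x << 8) | y).to_bytes(3, "big") for x, y in clicks)

class RobustPRG:
    def __init__(self, seed: bytes, state: bytes):
        self._seed = seed    # public extractor seed
        self._state = state  # 32-byte secret state

    def next(self) -> bytes:
        """Output one block and overwrite the state, so a later break-in
        does not expose the state that produced earlier outputs."""
        out = _prg(self._state, b"output")
        self._state = _prg(self._state, b"state")
        return out

    def refresh(self, raw_entropy: bytes) -> None:
        """Mix extracted entropy into the state. The old state is XORed in
        rather than replaced, so input chosen by an adversary cannot fix the state."""
        ext = _extract(self._seed, raw_entropy)
        mixed = bytes(a ^ b for a, b in zip(self._state, ext))
        self._state = _prg(mixed, b"refresh")

if __name__ == "__main__":
    gen = RobustPRG(seed=b"public-seed", state=bytes(range(32)))  # constructed values
    gen.refresh(encode_clicks([(17, 200), (400, 3)]))             # constructed clicks
    print(gen.next().hex())
```

In a real system the initial state would come from a protected secret rather than a constant, and refresh() would only be credited once the estimated min-entropy of the collected clicks is sufficient.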

33
33 A Complete Construction

34
34 A Complete Construction

35
35 Further Work and Open Problems
- Comparison to non-game inputs
- Different games: anti-ESP game; camera, accelerometer games
- Different populations: non-gamers, casual gamers, heavy gamers
- Complete system test
- Human accuracy and Fitts’ law
Thank You

36
36 Good randomness is hard to find XKCD
