Good randomness is hard to find Games for Extracting Randomness Ran Halprin Moni Naor Weizmann Institute of Science Israel SOUPS, July 2009

Download Report

Transcript Good randomness is hard to find Games for Extracting Randomness Ran Halprin Moni Naor Weizmann Institute of Science Israel SOUPS, July 2009

Good randomness is hard to find
1
Games for Extracting Randomness
Ran Halprin
Moni Naor
Weizmann Institute of Science
Israel
SOUPS, July 2009
Good randomness is hard to find
Randomness: necessary in many computational tasks
Especially in Cryptography!
Randomness Generation - major point-of-failure in
cryptography applications:


The Debian Linux kernel (used in the Ubuntu distribution)

Removed a refresh command, leaving only PID

Generated only 215 unique keys from 2006 to 2008
3
Sources of Randomness

“Secret” data: Network Card ID, Processor ID etc.


Real time data: HD access, click times, mouse positions



HD doesn’t always exist (PDAs, SSD Disks.)
System might not be in direct use
Physical sources: Lava lamps, cloud patterns, atmospheric
noise



Adversary may have had access to hardware
Can be manipulated (even by accident) or copied
Cumbersome and expensive
User Request: “please hit many keys”, “please swish
mouse”
Not necessarily terrible. This work –
complementary
•QWERTY effect
mostly•Keyboard buffer fills
quickly
4
It is Only Human to be Biased
Sequences and numbers generated by humans
are far from being “truly” random
Problem: humans are notoriously bad at supplying
randomness upon request
 Humans randomness recognition is biased
…7?
 Similar
results
in
randomness
generation
Think of a number between 1 and 10
 Humans
human-generated
as more
…17?
Think ofassess
a number
between 1 andrandomness
20
random than statistically good randomness

Idea: use humans actions in a
Hot Hand
Gambler’s fallacy
game as Flip
a source!
Bias
5
Why Games?
1.
The competitive nature of the game makes
humans act more randomly when playing games


2.
Compare: when just asked to act randomly
Demonstrated in an experiment by Rapoport and
Budescu 1992.
Playing games is more entertaining to users than
simply “supplying entropy”,

Meaning they will probably be willing


Participate in the process
Supply more data.
Von Ahn’s “Games with a purpose”
6
Matching Pennies
Winner!
Player 1 (misleader)
Wins on
or
Player 2 (guesser)
Wins on
or
zero-sum mixed strategy game
7
Experiments in Psychology [RB92]



Humans behave more randomly
 when playing Matching Pennies
 Than when asked to generate a sequence
Humans play against each other
 Look at a player’s “moves”
 Black is 0, Red is 1
Results in binary sequences (one for each player)
 Consider tuples (2-tuples, 3-tuples, 4-tuples…)
110011001001101110101
Count how many appearances of each, detect sequential dependencies
8
Experiments in Psychology
4-tuples for Matching Pennies
(1,1,1,1)
7.6%
4.2%
(0,0,0,0)
7.5%
(0,1,1,1)
(1,1,1,1)
5.0%
5.4%
5.3%
7.4%
5.5%
(0,0,0,1)
9.9%
5.3%
5.3%
(1,0,0,0)
8.3%
(0,0,1,0)
7.4%
5.5%
(0,0,1,1)
5.8%
(0,1,0,0)
(0,0,1,1)
7.2%
6.2%
(0,1,1,0)
(1,0,0,1)
(1,0,1,0)
4.3%
(1,1,0,1)
(0,0,0,1)
(0,1,0,0)
(0,1,0,1)
4.3%
(1,0,1,1)
(1,0,0,0)
(1,1,0,0)
2.2% 3.0%
(0,1,1,1)
(1,1,1,0)
(1,1,0,1)
(0,0,1,0)
10.0%
(0,0,0,0)
(1,1,1,0)
(1,0,1,1)
4-tuples for Instructed Generation
(1,1,0,0)
7.6%
(1,0,0,1)
6.1%
7.3%
6.3%
6.1%
6.5%
(0,1,0,1)
7.6%
6.4%
(1,0,1,0)
All four identical: 9.2%
Alternations 15%
5.9%
(0,1,1,0)
7.7%
All four identical: 5.2%
Alternations: 19.9%
Both expected 12.5%
11
But is it good enough?

Still not quite random
Can apply extractors
•Combinatorial tool allowing us to smooth the randomness

Only a single bit is generated
•Crypto needs many bits to bootstrap – say 128
Need games where more bits are generated per round
12
Our Contributions


The idea of using games to induce randomness for
crypto
Suggest a particular game “Mice and Elephants”


Test it
Suggest how to incorporate randomness extraction
from games into a system


Robust Pseudo-Random Generator
OS Independent
13
Games Used for Extraction: Desiderata


Encourages players it to use strategy with high
min-entropy
There exists a way to bound from below the min
entropy used by the player in an observed
interaction
Measurement of randomness
14
More Desiderata

Fun: Should be at least somewhat interesting




Entertain players long enough so that they will willingly
play enough to produce long sequences.
Easy: not require extensive skills from the players
Should be reasonably short
Should not require no expensive or large hardware

high resolution screen or a fast processor
15
Who is Our Adversary?

The user is not malicious




Lazy?
Incompetent?
But not actively trying to subvert the system
There is an external adversary and we are trying to
protect the user from it

Generate a long and robust pseudo-random sequence
There is a second chance to check the user
16
Hide and Seek
1 2…
Hider
(Misleader(
Seeker
(Guesser)
n
17
Hide and Seek
1 2…
n
18
Hide and Seek

Natural extension of Matching Pennies


Zero sum
Mixed Strategy

Game produces log2(n) bits of raw data per move

But how random is this data?

Estimate empirically
19
Mice and Elephant
• Human positions r mice
• Computer positions elephant
• Repeat until a mouse is crushed
20
Mice and Elephant
• Obstacles positioned at most popular locations
- Lowers repetition rate
- Adds visual interest
21
Mice and Elephant

Elephant and obstacle positions



Human cannot predict even a “bad” PRG!



Usually randomly copy a recently played move
Occasionally random
Adversary can know computer randomness
Doesn’t help much in determining the human’s moves
Each pixel - a cell in the grid. Board: 512 x 256 pixels

Derives log2512 + log2256 = 17 bits of raw data per
click
22
Min-Entropy
Probability distribution X over {0,1}n
H1(X) = - log maxx Pr[X = x]
Represents the probability of the most likely value of X
Example:
• Un – uniform distribution on {0,1}n
-k for all x
)
=
n
XH
is 1
a (U
k-source
if
H
(X)
¸
k
i.e.,
Pr[X
=
x]
·
2
n
1
Example
0.5
0.25
0.125
Statistical distance of distributions:
0.125
¢(X,Y)
= a |Pr[X=a]
Pr[Y=a]
H
2, log 4, –log
8} = 1 |
1(X) = min{log
23
Extractors
Strong:
output
close toforrandom
even an
after
seeing the
seed
Universal
procedure
“purifying”
imperfect
source
Definition:
Ext: {0,1}n £ {0,1}d ! {0,1}ℓ is a (k,)-extractor if for
every k-source X result is close to random
¢(Ext(X, Ud), Uℓ) · 
k-source of length n
x
“seed”
d random bits
s
EXT
ℓ almost-uniform bits
24
Results: Humans playing patterns

Tested 482 players, who played a
total of 24,008 clicks






Recruited mostly online
Did not know experiment’s objective
Clear bias for corners and edges
But maximal represented point
has only 7 clicks
If each click is independent: minentropy ~11.7 per click
However, humans are not
stateless distributions…
26
Results: Humans playing patterns

First order difference (log scale)
 Clear preference for nearby region and axis of previous click
 Maximal represented point – 24. Estimated min-entropy is ~9.96
per click
27
How to use the game


When entropy is needed - start a game
Repeat play until sufficient entropy is gathered



At least according to an estimate
Award points according to game
Detect “bad entropy” moves

Second Chance
Have a “dynamic score” to punish such moves
29
Robust Pseudo-Random Generators
[Barak-Halevi 05’]
entropy
EXT
State1
next()
Output1
State2
next()
State3 refresh()
state3
Output2
Robust PRG:
 A Cryptographic Pseudo Random Generator
 next() with an outputs a block
 refresh() that gets “fresh” entropy, and an refreshes state
30
Robust Pseudo-Random Generators
[Barak-Halevi 05’]
entropy
EXT
State1
next()
Output1




State2
next()
State3 refresh()
state3
Output2
After break-in,
break-in: following
past outputs
the of
next
the
system should
“refresh”
all outputs
still be
should
indistinguishable
be
from random
indistinguishable
from random
Forward secure
Backward secure
Immune to adversary control of entropy
Can combine different entropy sources
 Strongest link triumphs
31
A Complete Construction
33
A Complete Construction
34
Further Work and Open Problems


Comparison to non-game inputs
Different games:





anti-ESP game
Camera, accelerometer games
Different populations
Complete system test
Human accuracy and Fitts’ law
•Non-gamers
•casual gamers
•heavy gamers
Thank You
35
Good randomness is hard to find
36