Re: [Eligibility-discuss] On 3797 alternatives

Eric Rescorla <ekr@rtfm.com> Thu, 01 June 2023 19:48 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/eligibility-discuss/TVdDn_Pu7MzIWoO9JbQQedvrJHM>

On Thu, Jun 1, 2023 at 8:43 AM Michael StJohns <msj@nthpermutation.com>
wrote:

> Hi -
>
> Verifiably random is somewhat of an oxymoron.   We can do statistical
> measurements of data streams, and come to conclusions about how close they
> meet a given criteria, but that’s a far cry from verifiable.  We can, using
> similar models usually prove a source to be non random even if we can’t
> label it as predictable, but the opposite is harder.
>
> What I think we want is/are sources that meet some set of statistical
> tests for randomness and that are shown to be resistant to externally
> applied bias/interference.   The former is pretty simple - take the output
> and run it through the tests.
>
> The latter is more about "trustworthiness" than "verifiable randomness".
> WRT to the sources used to seed the last dozen or so selections, we assume
> the trustworthiness because of the nature of the sources and the fact that
> we combine a number of those sources, but I'd be hard pressed to say that
> any single given source is "verifiably random" in either meeting
> statistical tests or resistance to externally applied bias.
>

It's important to distinguish here between random and uniformly distributed.

As an example, imagine we have a randomness source X that produces 1-bit
values X_1, X_2, .... By hypothesis, this passes the relevant statistical
tests.

Now consider a source Y that is constructed as follows:

Y_i = { 0     if i is odd
        X_i   if i is even }

Y will not pass many statistical tests because it is non-uniformly
distributed, but it of course contains entropy at 1/2 the rate of X.
Fortunately procedures like those we use (hashing the inputs) are designed
to use the available entropy while accepting the non-random bits. This is
good because some of these sources are not uniform (e.g., the US national
debt). [0]

As a result of this, statistical tests are generally not a good guide to
whether a given entropy source is appropriate.

-Ekr

[0] As an aside, even lottery numbers are not entirely uniform as a
bitstream unless you encode them properly.

> That said, the current model is probably good enough if we're willing to
> wait a few days for each result.
>
> Moving on to drand and its ilk. It should be pretty easy to show they
> meet the statistical tests. The sole question really to be answered is
> whether the source is trustworthy and resistant to being biased.  Given
> that drand is a co-generated random bit stream, I'd say that answer could
> be readily ascertained by anyone who wanted to look a bit.  Some of the
> other public sources might be a bit harder to verify.
>
>
> Later, Mike
>
>
> On Wed, May 31, 2023 at 18:01 Rob Sayre <sayrer@gmail.com> wrote:
>
>>
>>
>> On Wed, May 31, 2023 at 2:31 PM Donald Eastlake <d3e3e3@gmail.com> wrote:
>>
>>> On Wed, May 31, 2023 at 2:43 PM Rob Sayre <sayrer@gmail.com> wrote:
>>> >
>>> > I'm not really here to sell drand, but it does meet the requirements
>>> > on paper: "the source is announced before the ceremony starts...".
>>>
>>> No, in my opinion it does not. The title of the document starts with
>>> "Publicly Verifiable ...". Perhaps I should change the name to
>>> "Publicly Persuasive...". Would a member of the public believe drand
>>> is as honest as a major government run lottery? I think not.
>>>
>>
>> I'm not sure what "publicly persuasive" would mean. I don't really see
>> why a "major government run lottery" would be more believable here, but
>> it's of course totally subjective.
>>
>>
>>>
>>> > Presumably you'd pick a drand iteration number from the future, and
>>> > use that. The draft is a little confusing in using stock tickers, because
>>> > "Section 3.1: Sources of Randomness" of RFC3797* says not to do that...
>>>
>>> And that section gives specific reasons why not.
>>>
>>
>> Yes.
>>
>>
>>>
>>> > While I agree that entropy "sources exist", the debate here is
>>> > guidance on picking a verifiable one.
>>>
>>> I think it needs to be not just mechanically verifiable but also
>>> persuasively random.
>>>
>>
>> Yeah, it can be taken pretty far, even aside from quantum computing:
>> https://www.cloudflare.com/learning/ssl/lava-lamp-encryption/
>>
>> The penultimate section is my favorite:
>>
>> Do all Cloudflare offices have the lava lamp wall?
>> ---
>> The other two main Cloudflare offices are in London and Singapore, and
>> each office has its own method for generating random data from real-world
>> inputs. London takes photos of a double-pendulum system mounted in the
>> office (a pendulum connected to a pendulum, the movements of which are
>> mathematically unpredictable). The Singapore office measures the
>> radioactive decay of a pellet of uranium (a small enough amount to be
>> harmless).
>>
>> At the bottom there, you get "LavaRand"*, which covers "Randomness
>> Mixing". I don't think the IETF really needs to purchase a double-pendulum
>> for this task, though. This stuff is persuasively random, but not
>> verifiable.
>>
>> thanks,
>> Rob
>>
>> *
>> https://blog.cloudflare.com/lavarand-in-production-the-nitty-gritty-technical-details/
>> --
>> Eligibility-discuss mailing list
>> Eligibility-discuss@ietf.org
>> https://www.ietf.org/mailman/listinfo/eligibility-discuss
>>
>
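
The X/Y construction from the reply above, worked through as an added example that is not part of the original message: Y fails a frequency (monobit) test outright, yet hashing Y still yields a value that depends on every entropy-bearing bit. The SHA-256 counter-mode stand-in for X, the seed, the choice of SHA-256 for hashing, and all function names are assumptions made for the illustration.

```python
import hashlib
import math

def source_x(n, seed=b"constructed-demo-seed"):
    """Stand-in for X: n bits from SHA-256 in counter mode.
    Assumption: deterministic so the example is repeatable."""
    bits, counter = [], 0
    while len(bits) < n:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        bits.extend((byte >> k) & 1 for byte in block for k in range(7, -1, -1))
        counter += 1
    return bits[:n]

def source_y(x_bits):
    """Y_i = 0 if i is odd, X_i if i is even (i counted from 1)."""
    return [b if i % 2 == 0 else 0 for i, b in enumerate(x_bits, start=1)]

def monobit_p_value(bits):
    """Frequency test: p-value for the hypothesis that 0s and 1s are balanced."""
    s = sum(2 * b - 1 for b in bits)          # +1 per one, -1 per zero
    return math.erfc(abs(s) / math.sqrt(2 * len(bits)))

def condition(bits):
    """Hash the whole bit string to a 256-bit value (SHA-256 is an assumption)."""
    packed = bytes(
        int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8)
    )
    return hashlib.sha256(packed).digest()

def flip(bits, i):
    """Copy of bits with bit i (1-based) inverted."""
    out = list(bits)
    out[i - 1] ^= 1
    return out

if __name__ == "__main__":
    x = source_x(4096)
    y = source_y(x)
    print("monobit p-value, X:", monobit_p_value(x))
    print("monobit p-value, Y:", monobit_p_value(y))   # effectively zero
    # Y carries at most len(y) / 2 bits of entropy: only even positions vary.
    print("entropy-bearing bits in Y:", len(y) // 2)
    # An even-indexed bit of X reaches the hash; an odd-indexed one never does.
    print("flip X_2 changes hash:", condition(source_y(flip(x, 2))) != condition(y))
    print("flip X_1 changes hash:", condition(source_y(flip(x, 1))) != condition(y))
```

When sizing inputs for such a source, count only the entropy-bearing positions: a 128-bit result needs at least 256 bits of Y.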