Re: [Eligibility-discuss] On 3797 alternatives
Eric Rescorla <ekr@rtfm.com> Thu, 01 June 2023 19:48 UTC
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 01 Jun 2023 12:47:23 -0700
Message-ID: <CABcZeBPRErHHnvz_k_gabpK3dBXqu7-NWOn8=cgg_XToTGXDXQ@mail.gmail.com>
To: Michael StJohns <msj@nthpermutation.com>
Cc: Rob Sayre <sayrer@gmail.com>, Donald Eastlake <d3e3e3@gmail.com>, eligibility-discuss@ietfa.amsl.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/eligibility-discuss/TVdDn_Pu7MzIWoO9JbQQedvrJHM>

On Thu, Jun 1, 2023 at 8:43 AM Michael StJohns <msj@nthpermutation.com> wrote:

> Hi -
>
> Verifiably random is somewhat of an oxymoron. We can do statistical
> measurements of data streams, and come to conclusions about how close they
> meet a given criteria, but that’s a far cry from verifiable. We can, using
> similar models usually prove a source to be non random even if we can’t
> label it as predictable, but the opposite is harder.
>
> What I think we want is/are sources that meet some set of statistical
> tests for randomness and that are shown to be resistant to externally
> applied bias/interference. The former is pretty simple - take the output
> and run it through the tests.
>
> The latter is more about "trustworthiness" than "verifiable randomness".
> WRT to the sources used to seed the last dozen or so selections, we assume
> the trustworthiness because of the nature of the sources and the fact that
> we combine a number of those sources, but I'd be hard pressed to say that
> any single given source is "verifiably random" in either meeting
> statistical tests or resistance to externally applied bias.
>

It's important to distinguish here between random and uniformly
distributed. As an example, imagine we have a randomness source X that
produces 1-bit values X_1, X_2, .... By hypothesis, this passes the
relevant statistical tests. Now consider a source Y that is constructed
as follows:

    Y_i = { 0    if i is odd
            X_i  if i is even }

Y will not pass many statistical tests because it is non-uniformly
distributed, but it of course contains entropy at 1/2 the rate of X.

Fortunately procedures like those we use (hashing the inputs) are
designed to use the available entropy while accepting the non-random
bits. This is good because some of these sources are not uniform
(e.g., the US national debt). [0]

As a result of this, statistical tests are generally not a good guide to
whether a given entropy source is appropriate.

-Ekr

[0] As an aside, even lottery numbers are not entirely uniform as a
bitstream unless you encode them properly.

> That said, the current model is probably good enough if we're willing to
> wait a few days for each result.
>
> Moving on to drand and its ilk. It should be pretty easy to show they
> meet the statistical tests. The sole question really to be answered is
> whether the source is trustworthy and resistant to being biased. Given
> that drand is a co-generated random bit stream, I'd say that answer could
> be readily ascertained by anyone who wanted to look a bit. Some of the
> other public sources might be a bit harder to verify.
>
> Later, Mike
>
> On Wed, May 31, 2023 at 18:01 Rob Sayre <sayrer@gmail.com> wrote:
>
>> On Wed, May 31, 2023 at 2:31 PM Donald Eastlake <d3e3e3@gmail.com> wrote:
>>
>>> On Wed, May 31, 2023 at 2:43 PM Rob Sayre <sayrer@gmail.com> wrote:
>>> >
>>> > I'm not really here to sell drand, but it does meet the requirements
>>> > on paper: "the source is announced before the ceremony starts...".
>>>
>>> No, in my opinion it does not. The title of the document starts with
>>> "Publicly Verifiable ...". Perhaps I should change the name to
>>> "Publicly Persuasive...". Would a member of the public believe drand
>>> is as honest as a major government run lottery? I think not.
>>>
>>
>> I'm not sure what "publicly persuasive" would mean. I don't really see
>> why a "major government run lottery" would be more believable here, but
>> it's of course totally subjective.
>>
>>> > Presumably you'd pick a drand iteration number from the future, and
>>> > use that. The draft is a little confusing in using stock tickers, because
>>> > "Section 3.1: Sources of Randomness" of RFC3797* says not to do that...
>>>
>>> And that section gives specific reasons why not.
>>>
>>
>> Yes.
>>
>>> > While I agree that entropy "sources exist", the debate here is
>>> > guidance on picking a verifiable one.
>>>
>>> I think it needs to be not just mechanically verifiable but also
>>> persuasively random.
>>>
>>
>> Yeah, it can be taken pretty far, even aside from quantum computing:
>> https://www.cloudflare.com/learning/ssl/lava-lamp-encryption/
>>
>> The penultimate section is my favorite:
>>
>> Do all Cloudflare offices have the lava lamp wall?
>> ---
>> The other two main Cloudflare offices are in London and Singapore, and
>> each office has its own method for generating random data from real-world
>> inputs. London takes photos of a double-pendulum system mounted in the
>> office (a pendulum connected to a pendulum, the movements of which are
>> mathematically unpredictable). The Singapore office measures the
>> radioactive decay of a pellet of uranium (a small enough amount to be
>> harmless).
>>
>> At the bottom there, you get "LavaRand"*, which covers "Randomness
>> Mixing". I don't think the IETF really needs to purchase a double-pendulum
>> for this task, though. This stuff is persuasively random, but not
>> verifiable.
>>
>> thanks,
>> Rob
>>
>> *
>> https://blog.cloudflare.com/lavarand-in-production-the-nitty-gritty-technical-details/
>> --
>> Eligibility-discuss mailing list
>> Eligibility-discuss@ietf.org
>> https://www.ietf.org/mailman/listinfo/eligibility-discuss
>>
> --
> Eligibility-discuss mailing list
> Eligibility-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/eligibility-discuss
>
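
The Y construction from the message and the effect of hashing it, as an added example that is not part of the original message. SHA-256 over a counter plus the input stands in for the hashing procedure the message refers to, and the seeded generator is a constructed stand-in for the source X; all function names are illustrative.

```python
import hashlib
import math
import random

def source_x(n, seed=3797):
    """Constructed stand-in for X: n one-bit values assumed to pass the tests."""
    rng = random.Random(seed)  # fixed seed for a reproducible demo, not a real entropy source
    return [rng.getrandbits(1) for _ in range(n)]

def source_y(x):
    """Y_i = 0 if i is odd, X_i if i is even (i counted from 1)."""
    return [0 if i % 2 else bit for i, bit in enumerate(x, start=1)]

def monobit_p(bits):
    """p-value of the frequency (monobit) test; a tiny p means 'not uniform'."""
    s = sum(2 * b - 1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * len(bits)))

def pack(bits):
    """Pack a bit list MSB-first into bytes (length must be a multiple of 8)."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))

def unpack(data):
    """Inverse of pack: bytes to an MSB-first bit list."""
    return [(byte >> k) & 1 for byte in data for k in range(7, -1, -1)]

def hashed(bits, out_bits=4096):
    """SHA-256(counter || input) blocks: a stand-in for 'hashing the inputs'."""
    seed = pack(bits)
    out = b"".join(hashlib.sha256(c.to_bytes(4, "big") + seed).digest()
                   for c in range(out_bits // 256))
    return unpack(out)

def ones_fraction(bits):
    return sum(bits) / len(bits)

if __name__ == "__main__":
    x = source_x(4096)
    y = source_y(x)
    for name, bits in (("X", x), ("Y", y), ("hash(Y)", hashed(y))):
        print(f"{name:8} ones={ones_fraction(bits):.3f} "
              f"monobit p={monobit_p(bits):.3g}")
```

The hashed stream looks uniform to the frequency test, but it carries no more entropy than Y supplied: half a bit per input bit.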