1

Good randomness is hard to find

XKCD

Games for Extracting Randomness

Weizmann Institute of Science

Israel

Moni NaorRan Halprin

SOUPS, July 2009

3

Good randomness is hard to findRandomness: necessary in many computational tasks Especially in Cryptography!Especially in Cryptography!

Randomness Generation - major point-of-failure in cryptography applications:

The Debian Linux kernel (used in the Ubuntu distribution) Removed a refresh command, leaving only PID Generated only 215 unique keys from 2006 to 2008

4

Sources of Randomness “Secret” data: Network Card ID, Processor ID etc.

Adversary may have had access to hardware

Real time data: HD access, click times, mouse positions HD doesn’t always exist (PDAs, SSD Disks.) System might not be in direct use

Physical sources: Lava lamps, cloud patterns, atmospheric noise

Can be manipulated (even by accident) or copied Cumbersome and expensive

User Request: “please hit many keys”, “please swish mouse”

Not necessarily terrible. This work – mostly complementary

•QWERTY effect•Keyboard buffer fills quickly

5

It is Only Human to be BiasedSequences and numbers generated by humans

are far from being “truly” random Problem: humans are notoriously bad at supplying

randomness upon request Humans randomness recognition is biased Similar results in randomness generation Humans assess human-generated randomness as more

random than statistically good randomness

Think of a number between 1 and 10 Think of a number between 1 and 20

…7?…17?

Hot HandGambler’s fallacy Flip BiasIdea: use humans actions in a game as a source!

6

Why Games?1. The competitive nature of the game makes humans act more

randomly when playing games Compare: when just asked to act randomly Demonstrated in an experiment by Rapoport and Budescu 1992.

2. Playing games is more entertaining to users than simply “supplying entropy”, Meaning they will probably be willing

Participate in the process Supply more data.

Von Ahn’s “Games with a purpose”

7

Matching Pennies

Winner!

Player 1 (misleader) Wins on or

Player 2 (guesser)Wins on or

zero-sum mixed strategy game

8

Experiments in Psychology [RB92] Humans behave more randomly

when playing Matching Pennies Than when asked to generate a sequence

Humans play against each other Look at a player’s “moves” Black is 0, Red is 1

Results in binary sequences (one for each player) Consider tuples (2-tuples, 3-tuples, 4-tuples…)

110011001001101110101

Count how many appearances of each, detect sequential dependencies

11

Experiments in Psychology

4.2%5.0%

5.4%

5.3%

5.5%

5.5%

6.2%

6.1%

6.1%6.3%

7.3%

7.2%

7.4%

7.4%

7.5%

7.6%(1,1,1,1)

(0,0,0,0)

(0,1,1,1)

(1,1,1,0)

(1,1,0,1)

(1,0,1,1)

(1,0,0,0)

(0,0,0,1)

(0,0,1,0)

(0,1,0,0)

(0,0,1,1)

(1,1,0,0)

(0,1,1,0)

(1,0,0,1)

(0,1,0,1)

(1,0,1,0)

2.2%

4.3%

5.3%

5.3%

5.8%

5.9%

7.6%

7.7%6.4%

6.5%

7.6%

8.3%

9.9%

10.0% 4.3%3.0%(1,1,1,1)

(0,0,0,0)

(0,1,1,1)

(1,1,1,0)

(1,1,0,1)

(1,0,1,1)

(1,0,0,0)

(0,0,0,1)

(0,0,1,0)

(0,1,0,0)

(0,0,1,1)

(1,1,0,0)

(0,1,1,0)

(1,0,0,1)

(0,1,0,1)

(1,0,1,0)

All four identical: 9.2%Alternations 15%

All four identical: 5.2%Alternations: 19.9%

4-tuples for Matching Pennies 4-tuples for Instructed Generation

Both expected 12.5%

12

But is it good enough?

Still not quite random

Only a single bit is generated

Can apply extractors•Combinatorial tool allowing us to smooth the randomness

•Crypto needs many bits to bootstrap – say 128Need games where more bits are generated per round

13

Our Contributions

The idea of using games to induce randomness for crypto

Suggest a particular game “Mice and Elephants” Test it

Suggest how to incorporate randomness extraction from games into a system Robust Pseudo-Random Generator OS Independent

14

Games Used for Extraction: Desiderata Encourages players it to use strategy with high

min-entropy

There exists a way to bound from below the min entropy used by the player in an observed interaction

Measurement of randomness

15

More Desiderata Fun: Should be at least somewhat interesting

Entertain players long enough so that they will willingly play enough to produce long sequences.

Easy: not require extensive skills from the players Should be reasonably short Should not require no expensive or large hardware

high resolution screen or a fast processor

16

Who is Our Adversary? The user is not malicious

Lazy? Incompetent? But not actively trying to subvert the system

There is an external adversary and we are trying to protect the user from it Generate a long and robust pseudo-random sequence

There is a second chance to check the user

17

Hide and Seek

n

…21

Hider (Misleader(

Seeker (Guesser)

18

Hide and Seek

n

…21

19

Hide and Seek Natural extension of Matching Pennies

Zero sum Mixed Strategy

Game produces log2(n) bits of raw data per move

But how random is this data? Estimate empirically

20

Mice and Elephant

• Human positions r mice• Computer positions elephant• Repeat until a mouse is crushed

21

Mice and Elephant

• Obstacles positioned at most popular locations- Lowers repetition rate- Adds visual interest

22

Elephant and obstacle positions Usually randomly copy a recently played move Occasionally random

Human cannot predict even a “bad” PRG! Adversary can know computer randomness Doesn’t help much in determining the human’s moves

Each pixel - a cell in the grid. Board: 512 x 256 pixels Derives log2512 + log2256 = 17 bits of raw

data per click

Mice and Elephant

23

Min-EntropyProbability distribution X over {0,1}n

H1(X) = - log maxx Pr[X = x]

X is a k-source if H1(X) ¸ k i.e., Pr[X = x] · 2-k for all x

Represents the probability of the most likely value of X

¢(X,Y) = a |Pr[X=a] – Pr[Y=a]|Statistical distance of distributions:

Example: • Un – uniform distribution on {0,1}n

H1(Un) = n

0.50.250.1250.125

H1(X) = min{log 2, log 4, log 8} = 1

Example

24

ExtractorsUniversal procedure for “purifying” an imperfect source

Definition:

Ext: {0,1}n £ {0,1}d ! {0,1}ℓ is a (k,)-extractor if for every k-source X result is close to random

¢(Ext(X, Ud), Uℓ) ·

d random bits

“seed”EXT

k-source of length n

ℓ almost-uniform bits

x

s

Strong: output close to random even after seeing the seed

26

Results: Humans playing patterns

Tested 482 players, who played a total of 24,008 clicks

Recruited mostly online Did not know experiment’s objective

Clear bias for corners and edges But maximal represented point has

only 7 clicks If each click is independent: min-

entropy ~11.7 per click However, humans are not

stateless distributions…

27

Results: Humans playing patterns

First order difference (log scale) Clear preference for nearby region and axis of previous click Maximal represented point – 24. Estimated min-entropy is

~9.96 per click

29

How to use the game When entropy is needed - start a game Repeat play until sufficient entropy is gathered

At least according to an estimate Award points according to game

Detect “bad entropy” moves Have a “dynamic score” to punish such moves

Second Chance

30

Robust PRG: A Cryptographic Pseudo Random Generator next() with an outputs a block refresh() that gets “fresh” entropy, and an refreshes state

Robust Pseudo-Random Generators [Barak-Halevi 05’]

next()

Output1

State1 State2 refresh()

entropy

state3next()

Output2

State3

EXT

31

Forward secure Backward secure Immune to adversary control of entropy Can combine different entropy sources

Strongest link triumphs

Robust Pseudo-Random Generators [Barak-Halevi 05’]

next()

Output1

State1 State2 refresh()

entropy

state3next()

Output2

State3

EXT

After break-in: past outputs of the system should still be indistinguishable from random

After break-in, following the next “refresh” all outputs should be indistinguishable from random

33

A Complete Construction

34

A Complete Construction

35

Further Work and Open Problems

Comparison to non-game inputs Different games:

anti-ESP game Camera, accelerometer games

Different populations Complete system test Human accuracy and Fitts’ law

Thank You

•Non-gamers •casual gamers •heavy gamers

36

Good randomness is hard to find

XKCD